HELP!!! not sure if I'm being attacked

Discussion in 'NOD32 version 2 Forum' started by kang0o, Jul 6, 2007.

Thread Status:
Not open for further replies.
  1. kang0o

    kang0o Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    14
    Hello,
    I seem to be having a bit of trouble. I've been using nod32 for 18 months without any problems.
    The trouble is that I keep getting a svchost constantly receiving data from the internet. The PID is either 1216 or 1028. I am using ZoneAlarm free firewall, and the tray icon always shows traffic even at idle, as does the router's activity light. Rebooting the router always fixes the problem for a while, but not for good.
    I understand 1028 is RPC and 1216 has lots of services, but I need to know whether either of these svchosts can be compromised, as nod32 hasn't found anything even using the deep scan option.

    Any help or advice would be much appreciated.
     
  2. goldenarmZ

    goldenarmZ Registered Member

    Joined:
    Jul 5, 2007
    Posts:
    12
    Do you have automatic updates switched on? The Microsoft Background Intelligent Transfer Service could be hiding in there. It 'drip feeds' data from the internet when you aren't using it.

    Turn off automatic downloading of updates and restart, then run "wuauclt /detectnow" from the command prompt (no quotes). If the data starts moving again, you've found your culprit. ;)
     
  3. kang0o

    kang0o Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    14
    No, it's not Windows Update; that has a separate entry in Proc.exe.
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Go to your services (Start | Run | "services.msc" | enter) and see if you have these 2 services running:

    1) Automatic Updates
    2) BITS (Background Intelligent Transfer Service)
     
  5. kang0o

    kang0o Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    14
    No BITS; auto update is there, but as I said above it isn't that. The possible badness is using either PID 1028 (RPC, Remote Procedure Call) or, more often, PID 1216, which, as I stated above, has lots of services.
    I have three XP machines here, all set up pretty much the same. It is only this one that has constant idle traffic.
    I just want to know if it is possible something bad is/could be using one of these services.
    I'll attach a picture to show the contents of svchost 1216.

    http://www.kang0o.net/images/1216_t.jpg
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you tried stopping the (Windows) Automatic update service to see if it makes a difference?
     
  7. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    That's the reason I asked him that.

    I have ZA free on my system running with NOD32 and I noticed the traffic as well, until I shut down the BITS and Auto Update services. Now I don't see it anymore unless something is downloading an update.
     
  8. kang0o

    kang0o Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    14
    No, it really isn't that, although I appreciate both your assistance.
    Ordinarily I wouldn't worry, as both the above services and indeed others often auto update, so idle traffic isn't uncommon for short periods. However, what's bothering me is that the traffic is inbound, at quite a fast transfer rate, and will keep doing it regardless of system reboots. It will do this for hours if left. Only router reboots stop it for a while, which again concerns me, as it would appear it is not an outbound service connecting but something on the internet connecting to me, the new IP stopping it for a while.
     
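Added example (not posted by anyone in this thread): a small Python script that does the triage the original poster was attempting by hand, joining XP's "tasklist /svc" output (which svchost PID hosts which services) with "netstat -ano" output (which PID owns which socket), and tagging an ESTABLISHED connection as inbound when its local port is one the same PID is also LISTENING on. Both sample outputs are constructed in the real tools' format; the service lists and peer addresses are invented, only the PIDs 1028 and 1216 come from the thread.

```python
import re
# Constructed sample in the format of XP's "tasklist /svc" (service lists are illustrative).
TASKLIST = """\
Image Name                   PID Services
svchost.exe                 1028 RpcSs
svchost.exe                 1216 AudioSrv, Browser, CryptSvc, Dhcp, wuauserv
"""
# Constructed sample in the format of "netstat -ano" (peer addresses are invented).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    192.168.1.5:1036       203.0.113.7:80         ESTABLISHED     1216
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1216
  TCP    192.168.1.5:5000       198.51.100.9:3127      ESTABLISHED     1216
  UDP    0.0.0.0:1900           *:*                                    1216
"""

def parse_tasklist(text):
    """PID -> (image name, list of hosted services); header lines have no PID and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)\s+(\d+)\s+(.*)$", line.rstrip())
        if m:
            svcs = [] if m.group(3) == "N/A" else m.group(3).split(", ")
            procs[int(m.group(2))] = (m.group(1).strip(), svcs)
    return procs

def parse_netstat(text):
    """(proto, local, foreign, state, pid) rows; UDP rows carry no State column."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""
            rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def triage_svchost(tasklist_text, netstat_text):
    """Per svchost PID: hosted services and ESTABLISHED peers, 'inbound' if accepted on a listening port."""
    conns = parse_netstat(netstat_text)
    report = {}
    for pid, (image, svcs) in parse_tasklist(tasklist_text).items():
        if image.lower() != "svchost.exe":
            continue
        mine = [c for c in conns if c[4] == pid]
        listening = {c[1].rsplit(":", 1)[1] for c in mine if c[3] == "LISTENING"}
        peers = []
        for _, local, foreign, state, _ in mine:
            if state == "ESTABLISHED":
                peers.append((foreign, "inbound" if local.rsplit(":", 1)[1] in listening else "outbound"))
        report[pid] = {"services": svcs, "peers": peers}
    return report
```

On a live machine, feed the script the saved output of the two commands; a svchost PID with an inbound peer you cannot tie to one of its listed services is the one to look at with the firewall log.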