Tracking Down the Culprit PandoraService.exe
Sometimes when you monitor the net usage you might have come across some weird net usage.You might have said "How the hell did such bandwidth consumption occur ?"
Yes sometimes it happens. Today I am going to show you how you can encounter such problems and bring out solutions for such problems.
Here is a simple scenario that I am going to explain and demonstrate.This cannot be categorized as a tutorial but rather a method how you can find out more about services that consumes extensive bandwidth..I guess if you read this you can also take down such culprits too in a similar way.So here we go
I was playing around with Wireshark for a while,analyzing the packets in network.All of a sudden I noticed something weird in the traffic of the network.I found that lots of TCP-SYN packets are being sent from my local ip to a remote ip having an address 126.96.36.199.
I checked the inboud and outbound connections I found some more traffic which is directed to port 80 of 188.8.131.52. I found out that an "innocent" little program PandoraService.exe was involved in this.
I have seen this thing for some while but I never understood its origin as well its purpose.
So I browsed http://whois.domaintools.com/ to find more about this IP.
The IP seemed to be from Japan.It was the server of Japan Network Information Center. But still I was not fully convinced with this result.
I wanted to dig something more out.So I asked my 'old friend' Google about this ip.
And here is an interesting post from avast forum that drew my attention which stated that
"The address for this service Process: pandoraservice.exe, not related to Pandora av but actually a hidden service that was installed
by the open source video viewer, KMPlayer,
was blocked by MBAM just because it was related to Zeus.
Probably the host has finally removed it, so MBAM is considering to remove the IP block, "
Believe it or not indeed my KMPlayer was on !!!
I checked the process from task manager and I found the devil PandoraService.exe ! :D
On shutting down the process I found the traffic from 184.108.40.206 was simply neutralized !!!