4OD service problems uTorrent

HI, Can anyone help me out there, I have a PC that a long time ago had 4OD (Channel 4 TV On Demand software) installed. I have heard on some forums that even when "Removed" by normal methods this peer to peer sharing (Like uTorrent) service leaves behind a remnent of files that actually still try and share what was downloaded (all the complete downloads have been removed).
I have a Netgear router that reports (as I have set a filter on the port numbers) uTorrent attempts and this is happening, and I think giving rise to spurrious port scans on my Router.
Any ideas on how to find these files that are producing these uTorrent requestes etc?

Help much appreciated as I do not know where to start on this one - thanks...

..it was suggested from Malware forum that kservice.exe from the kontiki suite of P2P software may be to blame as this comes with the 4OD service and stays functional in the background. I have searched for the .exe and "kontiki" but can find nothing on my PC related to these???? still a problem finding out what is causing this UDP traffic from this PC....????

 

Have ticked the "show hidden files" in the folder options, then searched for this, (also, select the show system files"?

Do a search perhaps with just part of the name, like kon and kser.

Check in your services, from run services.msc, anything in that list that looks like it may belong to the kservice? :wave:wave

 

..... did try looking in all areas, did not try the otherthings.....

JUst looked for "kon" and "Kser" and in the services.msc - nothing there that shows any connection with Kservice or Kontiki etc??

..... ..... any thing else you can think of checking, like is there a way of finding out what is sending the UDP packets??? (apart from at PC IP address level as I know what device is sending them..) ...????

 

Give this a try;

http://majorgeeks.com/Microsoft_Process_Monitor_d5553.html

It MAY show what process this is coming from. Did you search the hidden and system files? :wave

 

yes did try searching in system files ... nothing found.

Tried the Process Monitor and searched for "UDP Send" and found several instances of packets going out and replies (circa 47 and 234 in length out / in) from svchost.exe. I always get confused as to what this process is, I believe there was a spoof host process like this a few years ago?? --- I do not know what this actually tells us other than the Netgear router is correct in reporting this! as the port number highlighted in the screen shot is 56226 clearly in the uTorrent range. How is this related to an application on the PC ??

Attached the zip folder that contains the screen shot....

 

Is there still a 4oD or Kontiki folder in C:\Program Files?

 

Just looked - and no folder or files of those names etc!

?? still confused as to what is doing this....??:confused

 

FYI, svchost.exe is safe.

What happens if you block the high-end ports in your router firewall?

 

The ports on the router are blocked all baring two in the uTorrent dynamic range. If I block them all the PC I am sure will still do the same but obviously the UDP packets will not go anywhere. The reason I programmed a block like this was an attempt to limit P2P traffic from my sons PC that was hogging the bandwidth for others. This I later found was not working as I believe uTorrent application can us the multiplexing of data streams.
I notice on the monitor output that it defines a PID, does this PID refer to an application and is this a way of tracking what in the PC is generating these UDP packets? - or is there a way of looking at the Ethernet port and decoding the UDP packet for something that may be there to again identify the application ? (although the outbound UDP packet seems very short at 40 - 49 bytes allowing for address space is there any room for additional information - what does a UDP packet from uTorrent actually carry, has it any such additional information fields??