rjisinspired
Posted: Mar 14 2012, 12:00 AM
Advanced Member
Group: Members
Posts: 1256
Member No.: 20008
Joined: 12-October 06

Not long ago I posed the question about my firewall constantly bombarding me with TCP/OUT connections, requesting "*" (SYSTEM) for TCP/OUT. I have been having this problem for months. The IP addresses and port numbers vary each time.
When I use a disable rule for the above, everything is disconnected, including my web server. These requests can happen even right before I start my server, right after just logging on to Windows.

I don't know what to do at this point. I have scanned my computer with just about every program for antivirus, spyware, malware, trojans, etc., and it keeps coming back as clean. Nothing shows as suspicious activity on my computer. These alerts happen at random, and when they do, they come at me. They also force me to kill my firewall from Task Manager and restart it, because I cannot access it through the systray. My system stalls until the dialog boxes from the prompts disappear.
My antivirus component "ipmGUI" also keeps popping up with differing IP addresses, which is strange.

dloneranger
Posted: Mar 14 2012, 12:24 AM
Moderator
Group: Moderators
Posts: 2366
Member No.: 22158
Joined: 26-September 07

That's an unusual one. Telnet shouldn't be accessing random IPs. You can google 'xp disable telnet' if it's not something you use.
I'd be worried about it if it happened here, as it looks nastily like virus activity. Have you tried Microsoft's boot CD antivirus? http://connect.microsoft.com/systemsweeper
The local port and remote IP/port would have been useful though, as it's uncertain from the screenshot whether it's connecting from port 23->52914 or the other way around.
--------------------
MultiAdjust JoinWav WavNormalize FFMPeg Input Plugin v1827 UnSharpMask Windows7/8 Codec Chooser All FccHandlers Stuff inc. Installers for acm codecs AAC, AC3, LameMp3

rjisinspired
Posted: Mar 14 2012, 12:37 AM

It looks like something on my side wants to access out from my port 23 to a remote IP at port 52914. The port numbers for local and remote can be different. The IP is some business address in Italy. The addresses range from anywhere, it seems, even to some secure LLC company.
I haven't tried MS's offline scanner yet.

rjisinspired
Posted: Mar 14 2012, 12:41 AM

I'm able to start my computer fine. This has been happening for a while now. The application is "*", which is stumping me, but from what I gather this means "all apps"? If I set a rule to disable, then forget web serving and using other web-related apps.
I have been using Antivir for antivirus. I have used antispy/malware apps, Emsisoft, Malwarebytes and SUPERAntiSpyware, all using full/deep scanning, and nothing shows.

rjisinspired
Posted: Mar 14 2012, 01:47 AM

The interesting thing, now that it comes to me, is that I change the services to different states after reinstalling a fresh OS. I disable a few of these services, and telnet is actually one of those services that was/is disabled.

rjisinspired
Posted: Mar 14 2012, 04:33 AM

Another one, this time from local port 65533 to a remote port of 55512 to Enzu Inc? juinorsender.braslia.me
What the heck is this?
Am I sending out to remote IPs, or are they sending responses to me to send them something?

dloneranger
Posted: Mar 14 2012, 07:34 AM

Well, it's not telnet; that'd be to remote port 23. "*" means it's coming from a system process, something that's part of the OS. Unfortunately, that could be genuine or from something nasty that's attached itself to a system process. It's unusual that it's using port 23 to go out from; normally anything going out is given a random port number from >1024 to <65536 and connects to a fixed port number at the other end. The only things I can think of that connect to a wide range of remote port numbers are p2p apps and malware/virus type apps.
At http://technet.microsoft.com/en-us/sysinternals there are some useful apps that might help you track it down. Process Explorer can show you what DLLs are used by svchost; you could check for odd DLLs that may be in unusual places. TcpView can show all connections made to/from your PC.

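The port-direction rule of thumb in the reply above (an outbound client connection has a high, random local port and a fixed remote port; a service port as the source, or high ports at both ends, is the odd case) can be applied mechanically to the connection table. The script below is an added example, not code from this thread or from Sysinternals: it parses TCP rows in the layout of `netstat -ano` (the same columns TcpView shows), classifies each row by the port/state pattern, and sorts the oddest rows first. The sample rows are constructed, reuse the port pairs quoted in the thread, and use documentation IP ranges rather than real hosts; the verdict names and the 1025 cutoff (Windows XP's default dynamic range is 1025-5000, later versions use 49152-65535) are this example's own choices. PID 4 is the Windows System process, which is what a firewall alert naming "*" (SYSTEM) normally maps to.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example (not from the thread): apply the port-direction heuristic to
# rows in "netstat -ano" layout (TCP rows only). All sample rows are constructed.

# Outbound connections get a LOCAL port from the dynamic range (XP: 1025-5000,
# Vista and later: 49152-65535). A service number below 1025 as the local
# port of an outbound connection, such as 23, is the odd case.
EPHEMERAL_MIN = 1025

# Remote ports a normal client is expected to talk to (small subset for the example).
WELL_KNOWN_REMOTE = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

LIVE_STATES = {"ESTABLISHED", "SYN_SENT"}


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int  # PID 4 is the Windows System process; firewalls often show it as "*" / SYSTEM


# One TCP row: "TCP  <ip>:<port>  <ip>:<port>  <STATE>  <pid>"
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list[Conn]:
    """Return the TCP rows of a netstat -ano listing; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def classify(c: Conn) -> tuple[str, str]:
    """Verdict plus reason for one row, using only the port and state pattern."""
    if c.state == "LISTENING":
        return "listening", f"service waiting on local port {c.local_port}"
    if c.state not in LIVE_STATES:
        return "closing", f"{c.state}: no live traffic"
    if c.local_port < EPHEMERAL_MIN:
        # The thread's "port 23 -> 52914" case: a service port as the source.
        return "suspicious", f"outbound from service port {c.local_port} to high port {c.remote_port}"
    if c.remote_port in WELL_KNOWN_REMOTE:
        # The thread's "58585 -> 443" case: ordinary client behaviour.
        return "client", f"ephemeral {c.local_port} -> {WELL_KNOWN_REMOTE[c.remote_port]}/{c.remote_port}"
    # The thread's "65533 -> 55512" case: both ends high, the p2p/unknown-protocol pattern.
    return "unusual", f"both ends ephemeral ({c.local_port} -> {c.remote_port}), no known service"


def report(text: str) -> list[str]:
    """One line per parsed row, oddest verdicts first."""
    order = {"suspicious": 0, "unusual": 1, "client": 2, "listening": 3, "closing": 4}
    rows = [(classify(c), c) for c in parse_netstat(text)]
    rows.sort(key=lambda vc: order[vc[0][0]])
    return [
        f"{v.upper():10} pid={c.pid:<5} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}  ({why})"
        for (v, why), c in rows
    ]


# Constructed sample in netstat -ano layout, reusing the port pairs quoted in the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:23        203.0.113.5:52914      SYN_SENT        4
  TCP    192.168.1.10:65533     198.51.100.7:55512     SYN_SENT        4
  TCP    192.168.1.10:1234      198.51.100.20:80       ESTABLISHED     4
  TCP    192.168.1.10:58585     203.0.113.44:443       ESTABLISHED     4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49160     203.0.113.9:80         TIME_WAIT       0
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On a live machine, run `netstat -ano` (or export from TcpView) while the alerts are firing and feed the text to `report`; the rows marked suspicious or unusual are the ones worth matching against the firewall prompt. The heuristic only judges the port pattern, not who owns the remote address, so a "client" verdict for 1234 -> 80 says nothing about whether that destination is wanted.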
dloneranger
Posted: Mar 14 2012, 07:55 AM

If nothing suspicious turns up from all the scanners etc. or from checking it manually, then you might have a conflict, e.g. the antivirus and firewall detecting each other. Some antivirus progs can have proactive functions where they will scan incoming web pages etc. and check them. Others have network scanning as well.
So..... It's feasible that you might be in a catch-22 situation: antivirus checks something on a remote port; firewall blocks it; antivirus sees something tampering with it and blocks the app that did it (the firewall); firewall now has to be killed and restarted.
You could check that by disabling your antivirus for a while and seeing if it still happens. Should be safe enough (as long as you don't start running every app you can download while it's off). If it is a virus, then you're not in any extra danger, as it hasn't detected it anyway.

rjisinspired
Posted: Mar 14 2012, 08:21 AM

I did receive 2 TCP/OUT for system just now, and nothing registered with TCPView during the hits. One came from Latvia? Port 23 wants to access the Latvia IP at port 13686. The other, port 1234, wants to access the "unknown.prolexic.com" IP on port 80.
Oh, a 3rd: port 50350 wants to connect to serverclub at port 80.
I went to prolexic and I must say the logo is kind of humorous: DDoS attacks end here. Yeah, what about the attacks I'm getting here?
In TCPView I have about a handful of system processes in TIME_WAIT, which were from using the browser, and two "systems" under microsoft-ds, one of them listening in?
Everything else looks fine. I see my web server, my browser and what I'm connected to with those.
I went into Process Explorer but didn't find any out-of-the-ordinary DLLs within svchost.

rjisinspired
Posted: Mar 14 2012, 08:22 AM

If I disable Antivir's realtime protection module, the stuff still happens.
I should have mentioned that I am using Filseclab firewall. Have for a very long time. Only had this stuff happening for some months. There are times where these connect attempts will not happen, but when it does, boy do I get nailed!
This firewall does have the tendency to not be responsive, interface-wise, like trying to open it up from the systray, or it just locks up while the GUI is visible but the service still goes. You have to task-kill it and reopen the GUI; I have to do this kind of a lot when these attacks come my way. Doesn't matter if antivirus is on or not.
I stuck with Filseclab because it is light, small footprint, doesn't bog stuff down, until now that is. The computer is unresponsive until the prompts go away, lol.

rjisinspired
Posted: Mar 14 2012, 08:39 AM

If anyone has any firewall recommendations, I'm open to suggestions. Maybe my firewall is the problem? Years ago I tried Zone Alarm but had stopped because it was going toward bloat and was hogging a little. Thing is, I would like a really light firewall.
In my last thread I also had a Verizon issue, but it was a separate issue and was fixed.
Boy, they don't make these things easy, do they?

dloneranger
Posted: Mar 14 2012, 03:41 PM

It doesn't look good; the PC shouldn't really be connecting to random IP addresses. Is there any way to narrow down what may be causing it?
E.g. does it only happen when you have a web browser open? Does it happen in 'safe mode with networking'?
Other than that, the best bet's the Microsoft scanner I linked to earlier. It makes a boot CD, so rootkits etc. can be detected.
Personally, I'd just wipe the OS and reinstall if in doubt.

rjisinspired
Posted: Mar 14 2012, 04:18 PM

I do know that I have received these hits sometimes even before turning my web server on, right after logging on to the net.
I did try and play around with Antivir, disabling the advanced protection of apps and processes, and also so that I could stop the real-time service in services.msc. I was in a way hoping there might have been a conflict there, but I'm not sure if Antivir is the culprit.
My startup items are as follows: Antivir, Ditto (clipboard app), Device Detector 3 (Olympus detector for my digital audio recorder), ERUNT Autobackup.
Before I rebooted a little over 90 minutes ago I disabled the following: Filseclab Messenger (something to do with the firewall), FileZilla Server (had this for a short time; FZ would load but not start and I kept forgetting to disable it), hkcmd and igfxpers. I disabled some things to see if that would have made any difference, but it didn't.
I'm still looking into this. The last couple of hits I have had since rebooting were headed toward Apple?, system TCP/OUT at local port 58585 to an Apple URL at remote port 443. I have a screencap of that alert also. Why connect to Apple? I guess my computer wants to go places and mingle with the movers and shakers.

dloneranger
Posted: Mar 14 2012, 04:28 PM

Connecting to port 443 is an SSL connection. Probably one of Apple's things just checking for any updates.

rjisinspired
Posted: Mar 14 2012, 04:30 PM

I don't even have QuickTime on here. To my knowledge I don't have anything Apple on here.