Another unusual activity post

Hi, I have some concerning activity that I could use some help with. I run X-NetStat Pro and it’s telling me that several files are connecting to the same IP address every 10 minutes or so. Not sure about the exact time, but it is several times an hour. The files are kernel32.dll, lsass.exe, spoolsv.exe, and svchost.exe. The connections are not very long. Most are outgoing except I just witnessed kernel32.dll taking 80 bytes on the inbound side from the same IP address. This is the first time I’ve seen it incoming.

I tried using VisualRoute to see if it was Microsoft or something legit like that, but VisualRoute returns no information for the IP and I find that strange as well because I’ve never seen VR fail like that.

The IP address is 98.129.126.38. Does it look familiar to anyone? Is it legit? I’ve used Comodo to block all incoming and outgoing for spoolsv.exe. The other processes I’m not too sure I can block. You see I Remote Desktop into this machine in my garage from a computer on the second floor of my home. I don’t know what blocking traffic to lsass.exe or svchost will do to my Remote Desktop connection.
Kernel32.dll just connected outbound to the same IP again using 96 bytes.

Any help you guys could give me would really be appreciated.

Ok, Comodo’s Active Connections window is showing that svchost.exe is doing an ICMP to 98.129.126.38.

I looked up that IP address with CQcounter Whois lookup and found that it is part of the IP range of the ISP Rackspace Hosting in Atlanta (USA). Does that name mean anything to you?

What are the paths to kernel32.dll, lsass.exe, spoolsv.exe, and svchost.exe? Those are the names of system files and as such should be in the \windows\system32\ folder.
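
The path check asked about in the last reply, as an added PowerShell example that is not part of the thread. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt; the variable names and status labels are illustrative.

```powershell
# Added example: list the processes named in the thread, show where each
# binary actually lives, and mark which ones own a TCP connection to the
# address the poster reported.
$remoteIp   = '98.129.126.38'                        # address from the thread
$systemDir  = Join-Path $env:SystemRoot 'System32'   # where these names belong
$watchNames = 'lsass.exe', 'spoolsv.exe', 'svchost.exe'

# PID -> TCP connections to the address. ICMP traffic does not appear here.
$conns = Get-NetTCPConnection -RemoteAddress $remoteIp -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString
if (-not $conns) { $conns = @{} }

Get-CimInstance Win32_Process |
    Where-Object {
        $watchNames -contains $_.Name -or $conns.ContainsKey([string]$_.ProcessId)
    } |
    ForEach-Object {
        $path = $_.ExecutablePath
        # The location check only applies to the system file names being watched.
        $status = if ($watchNames -notcontains $_.Name) { 'NotAWatchedName' }
                  elseif (-not $path) { 'PathUnavailable' }   # not elevated or protected process
                  elseif ((Split-Path $path -Parent) -ieq $systemDir) { 'ExpectedLocation' }
                  else { 'UnexpectedLocation' }
        [pscustomobject]@{
            Name      = $_.Name
            PID       = $_.ProcessId
            Path      = $path
            Status    = $status
            TalksToIp = $conns.ContainsKey([string]$_.ProcessId)
        }
    } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

kernel32.dll is a library loaded into other processes rather than a process of its own, so it never appears in this listing; the process that owns the connection is the one to examine.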