Anyone ever get this pop-up? [Resolved]

I never got this question before, but for the past day or so it came out of nowhere and I just found it odd.

http://img.villagephotos.com/p/2005-10/1090669/WindowsOperatingSystem.jpg

could be another pc on your lane if you have one

All the time. Its normal. There are several threads about it. Make it outgoing only. See here.

https://forums.comodo.com/empty-t14948.0.html

I take it you’re not running your machine as an “Internet Connection Server” (ICS) host.

“Windows Operating System” is the system idle process, and often receives traffic from a LAN for things like Windows networking broadcast traffic.

However, I’m not aware of a case where it would initiate outbound HTTP traffic. So, this does not strike me as normal.

A couple of things to check:

First, is there anything in the CFP logs, for either Firewall or for Defense+?

Second, can you post the output of a “netstat -an” run from a command prompt? That will show any open ports on your machine.

Are you running on an XP or a Vista box?

Hi Grue, not sure what you mean, by ICS, sorry.

I’m running XP-Pro and I’m looking as I type, but where are the logs? lol

As for “netstat-an”, you got me Grue.
Do I type “netstat-an” from the command prompt?

Thanks

You will also have this behavior if your running VirtualPC or VMWare on you system. Every thing is then running trough the Windows Operating System. Also running an Nmap Scan uses the “Windows Operating System” to connect to the outside world. Did you have any of these running at that moment ?

Hi Ronny,
The only thing virtual that I had running in the past week or so was daemon tools lite, but I disabled it at the moment.
So not sure if that’s a factor still?

Do you have the ip address of the host it would like to connect to, maybe we can do a whois to find out to who that ip space belongs, maybe that will give us a hint. If you don’t want to post it here, send me a PM.

Well when I had avast installed before, it was said to be blocking a DCOM exploit, but that apparently was fixed by Microsoft years ago with an update, but again, Avast gave me a warning saying it was blocking it.

So no idea who or what is trying to connect where.

So where do I begin in trying to figure this out?

When I do a HiJackThis scan, I notice in line 17 a TCP/IP address listed.
looks like
017-HKLM\System\CC3\Services\Tcpip..(bunch of letters and numers here}:NameServer = ip number listed here.

Again, thanks Ronny.

017 Nameserver should only contain the ip addresses of your DNS Servers.
Depending on your network setup it should show up if you run a command box and type ipconfig /all.

Well the NameServer and my DNS do match, both pairs.
So I’m assuming I’m okay then?

Depends, did this change all of a sudden ?
How’s your network setup ? (router ? dialup modem ? etc).

I have a speedstream router that I log online with, that’s it.
No other routers or anything, just click an icon, connect and I’m on.

This router isn’t the router my ISP provided me with, it’s from California (and me being from Canada) and I remember my ISP telling me that they found it odd that it worked for me since it had its own IP address or something along those lines - forgot the explanation.

Anyways, it works and they were surprised, that’s all I know. lol

And the DNS Server address on you system is the ip address of the Speedstream ?, then everything should be ok.
Although there are several know cases of malware changing DNS entries on routers also, do you have the “default” password still in it, i suggest to change it to something not default just in case.

If you were running as an ICS host, you’d know. It takes some setup to make it work. Your asking the question tells me you’re not an ICS host. :smiley:

To see the CFP logs, open CFP and click Firewall → Common Tasks, View Firewall Events. There is a similar log for the Defense+ events.

A “netstat -an” (with a space before ‘-an’) is run from a Windows command prompt. Click Start → All Programs, Accessories, Command Prompt.

Thanks.

Ronny, I tried to access the router before but didn’t get far as the original ISP company I believe locked the firmware up somehow. It’s a Speedstream 5100 and I tried the 192.168.0.1 route and the browser kept looking and looking…no luck in accessing it at all.

Grue, I have quite a few things in the logs actually.

As for netstat, what should I be looking for exactly?

Thanks for your help guys, very much appreciated.

Just a suggestion found this on a website about Speedstream 5100 hope it helps.
Dennis

Real 5100s use 192.168.254.254 and early (no longer available) 5100a that SBC first used have an IP of 10.0.0.1 and NONE of those have the IP address printed on the bottom. Then there is a odd 5100 that uses 192.168.1.1 so you have no way of telling what the IP is if you do not have a 5100b from SBC.

The netstat report will show what ports are in use at that moment. What you’d be looking for, is a port in use that you can not understand why the port is in use. It’s a first basic check to see if there is something running around in the background that’s not really supposed to be there.

Got your PM regarding the logs. Adobe stuff is chatty, as I’ve discovered doing a recent Acrobat install. Filesharing traffic may or may not show a problem. That would depend on the nature of the traffic. At this point probably not a worry. If some strange application shows up the logs, now that would be a worry. Evidently such isn’t present.

Regarding the IP address of the Speedstream. Try checking the Windows arp table. Command prompt time again, with a “arp -a” (space before ‘-a’). If the Speedstream label has the hardware MAC address, you should be able to match that label verbage to the arp report, and that should give you an IP address.

Well I did it and have a few things going, but how do I know what’s what?
What should be running and what shouldn’t be running?
I have quite a few “time waits”, a few “established”, 4 are “listening”

Thanks…