I suddenly have a file called "system" come up....

It has been asking to connect to the internet. When I click on the alert panel to find out what this file is and where it is located I get a file that is over 7gb in size and wants to connect to an IP address in Taiwan. Also, COMODO cannot tell me where this file is located.

I have searched the computer looking for files and folders called system of which there are a few folders but all of them belong to programs I know about.

This is the IP address it wants to connect to (I allowed it for a minute just to find out this information): destination ip 202.39.253.11

My computer has been mysteriously crashing of late and looking in the windows event monitor it blames the CCC.exe which is the panel for my graphics card.

I am repeatedly doing AV scans but to date nothing. I have the rootkit checkbox ticked. I also have malwarebytes and have found nothing.

“System” is a general “catch-all” for certain System applications (like ping.exe for example) I can’t remember why they grouped them up into one though, sorry.

How do you know that the program file trying to connect is over 7Gb if Comodo can’t locate it?

Allowing the connection was unwise. The information you need is in the firewall log even if the request is blocked.

Most AVs have a configurable maximum size of files to scan so if this file really is 7Gb it may not be checked.

I suggest you install and run HitmanPro (from surfright) for another opinion.
The Everything filename search program (from voidtools) is very fast and allows searching for files over a specified size. This might help you to find any unknown huge files on your system.

I know it is over 7gb because when the Comodo panel comes up asking what I want to do with it I click on the title and it brings it up with system32 greyed out in the identifying box, but not where it is located, if at all.

I have another little twist to add to the pile. I use Peerblock, it's great for blocking whole countries like China.

Just looking through the lists I found the permallow list, which has companies like Microsoft and Comodo allowed though.

I found this: Comodo Group Inc Starting IP 202.39.253.11 Ending IP 202.39.253.11 This is the problem IP, which is a legitimate looking website in Taiwan, I used Tor to take a peek tonight.

At some point this address was blocked and I allowed it through permanently as it was identified as being from Comodo (when I bought Peerblock last year I watched the blocks because Skype was rubbish; Peerblock was blocking a lot of Microsoft IPs).

So now I am perplexed, how come this IP address is identified as Comodo Group Inc in Peerblock?

I am going to delete all of the permallow list now and see what happens. It would be interesting to hear from Comodo on this though.

I’ll try hitman, thanks. I already use “everything” because of having an SSD drive.

Would it be possible to make a screenshot or was it a one off event?

That sounds like an error in the block list you’re using. Please report it back to that community. Comodo does not have servers in Taiwan.

I could unblock it from the Application rules and then do a screenshot once it tries to connect to the internet. Yesterday it tried to connect over 20,000 times. I have a screenshot of some of the requests.

It just came up, identified as system32, but why is it trying to go out to Taiwan?

Anyway here are the shots.

[attachment deleted by admin]

The “System32 Properties” popup shows the size of your C:\windows\System32 folder and is NOT related to the size of the program file which is trying to connect. As stated above “system” is just a generic name for the unidentified-by-Comodo program.

I suggest you read other posts on this forum about “Windows Operating System” trying to connect to the Internet which sounds similar to your problem.

When CIS logs System as being involved with network traffic it means, for incoming traffic, that it sees no program listening, or, for outgoing traffic, that it cannot see what process is requesting the network access. The latter can be caused by a driver of another program blocking the view, metaphorically speaking.

To be on the safe side scan with the following scanners to see if something malicious is lurking underneath:
gmer (rootkit scanner)
TDSS Killer (rootkit scanner)
Hitman Pro
Super Antispyware Free

System is not the system32 folder as you assumed; we simply don't know what process is asking for outgoing traffic. If the problem started recently then we have to consider that a recently installed program may be causing it. Did you install a new program recently?

I found the answer, it is AI Suite by ASUS and here is the link to solving the issue. It’s funny, I disabled iNetwork about a year ago but just found out it was still active in Task Scheduler:

I disabled it, rebooted and hey presto, no more echo requests. What I cannot understand is why AI Suite would echo request to that IP and why so often.

Thanks for all of your help people.
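The two checks below are an added example for readers of this thread, not code posted by anyone in it or shipped by Comodo, ASUS or Microsoft. The first enumerates enabled scheduled tasks whose action is not under the Microsoft task folder, which is how a leftover vendor task like the "iNetwork" one above can be spotted even after the program's own UI toggle has been switched off. The second maps live TCP connections to a given remote address back to the owning process, which is the question a "System" firewall alert leaves open. It assumes Windows 8 / Server 2012 or later (Get-ScheduledTask and Get-NetTCPConnection exist from those versions) and an elevated PowerShell session; the IP address used in the usage line is the one from this thread.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or
# later and an elevated PowerShell prompt.

# 1. Enabled scheduled tasks that live outside the \Microsoft\ task folder,
#    flattened to one row per "run this executable" action. Vendor utilities
#    often install tasks here, and disabling the utility's own checkbox does
#    not always remove the task.
function Get-NonMicrosoftTasks {
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                # Only exec actions carry an Execute path; COM-handler actions
                # expose ClassId instead, so Execute is $null for them and they are skipped.
                if ($action.Execute) {
                    [PSCustomObject]@{
                        TaskName  = $task.TaskName
                        TaskPath  = $task.TaskPath
                        State     = $task.State
                        Execute   = $action.Execute
                        Arguments = $action.Arguments
                        # Trigger CIM class names, e.g. MSFT_TaskLogonTrigger, MSFT_TaskTimeTrigger
                        Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                    }
                }
            }
        }
}

# 2. Which process owns the TCP connections to a remote address.
#    Note the caveat from this thread: ICMP echo requests and UDP traffic do
#    not appear in the TCP connection table, so for those the firewall log is
#    still the right place to look.
function Get-ConnectionOwner {
    param([Parameter(Mandatory)][string]$RemoteAddress)

    # -ErrorAction SilentlyContinue: no match is reported as a non-terminating error
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalPort  = $conn.LocalPort
                RemotePort = $conn.RemotePort
                State      = $conn.State
                PID        = $conn.OwningProcess
                # PID 4 is the Windows kernel ("System"); a user-mode firewall cannot
                # name a program behind it, which is one way an alert ends up labelled System.
                Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path       = if ($proc) { $proc.Path } else { $null }
            }
        }
}

# Usage: list candidate tasks, then see who is talking to the address from this thread.
Get-NonMicrosoftTasks | Format-Table -AutoSize
Get-ConnectionOwner -RemoteAddress '202.39.253.11' | Format-Table -AutoSize
```

Read the task list for entries whose Execute path points into a vendor folder and whose trigger is a logon or time trigger; those are the ones that keep firing long after the program itself looks dormant. Disabling a task with Disable-ScheduledTask and watching whether the firewall alerts stop is the same experiment the thread's poster ran by hand.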

Congratulations on finding the cause of your problem. Tackling unknown outgoing traffic can be a real chore.