nbname(137) tries to OUT to different IP

Hello
I found something like my problem in the archive section of this forum but could not add my issue there, so I do here:

My problem is that I notice some traffic I cannot explain. I reckon that each time I boot my OS (Win7 64bit). I can see this, e.g. in the PEERBLOCK log file. There are connections through my AVAST Webshield that want to connect with AMAZONAWS.com ?!?
So, there must be something that is initiating traffic in the standard way that is normally used by browsers: TCP port 80 redirected through my AVAST Webshield. This is what I can see in PEERBLOCK, since AMAZONAWS.com is blocked.

In Comodo I can see that too, but it is allowed of course, since Webshield is configured by the ‘browser rule’.

So, how can I hunt down the process that wants to connect to this AMAZONAWS? I have no clue, since I have no browser running after booting. I use Firefox & Opera and Win7 IExplorer.

Moreover I notice outgoing nbname connections to IP addresses that change but look the same. Like:
239.255.255.250 nbname(137) UDP ?

Comodo tells me it is my ‘system’ ??? How can I define which part of my system wants to connect on nbname to the wild internet?

Here is a screenshot I made. It shows more outgoing Webshield connections than there should be.

http://img509.imageshack.us/img509/9061/ss20100105114226.th.jpg

and these logs:

http://i50.tinypic.com/s2r874_th.jpg

To see if you have malware on your system that is trying to call home, start with What to do if you’re infected - eXPerience Rev.3.

The traffic blocked over port 137 to 239.255.255.250 is so-called NETBIOS traffic. First of all, it gets blocked, so no worries there. NETBIOS is a protocol to communicate on a local network between computers. It is using ports 137-139.

The address it is connecting to is a broadcast address for local networks. Broadcast is informing all computers connected to the network that your system is there. In itself it is not harmful. The local broadcast range is defined as 239.0.0.0 - 239.255.255.255.

When you don’t need NETBIOS you could consider disabling it. To do so read the following tutorial by Quill.

Hello Eric

I made a screenshot of new connections my NetBios wanted to have this morning. It really annoys me. You said it is ok in local networks. So I assume I really do not need to have it connect to the outside world. I hope it is not needed for Microsoft and updates or so.


http://i47.tinypic.com/2j330bq_th.jpg

It is not needed for Microsoft Updates. Can you tell me what kind of connection you are on and if you have a router in your network setup?

Dear Eric,

I am behind a router (the German FritzBox 7170) and connected by cable, not by wireless. My provider is 1&1 in Germany with a 16.000/1024 connection.

Here I offer you another screenshot I made from the tool Peerblock. It shows the connections my PC wants to have each time after reboot. Since Comodo is far more sophisticated, I assume Peerblock sees these only because I must already have allowed some processes or made some rules. Otherwise these would not show up in Peerblock as blockable outgoing connections.

I wonder now whether I can or could export my firewall settings and use another template settings from within Comodo, or create a new one that blocks everything/asks/logging, so I could hunt down my ‘phony guest’; and then afterwards of course go back to my exported ruleset, since I created some port ranges and groups and zones I do not want to enter again anew.

Thanks a lot


http://i48.tinypic.com/34ta238_th.jpg

The connections to Microsoft are probably related to Windows Updater and, when enabled, the Windows Application Experience. Read this topic for some additional information: https://forums.comodo.com/defense_help/rundll32dll_active_when_system_idle-t41620.0.html .

Regarding the https traffic to Amazon: do you have searching in Amazon enabled in the search boxes of one of your browsers? Or do you have an Amazon toolbar?

Dear Eric,

I started my PC in clear mode, so to say, and did some other things to hunt down the problem, and then I reckoned that these Amazon connections are deriving from my sync tool called Syncplicity.

I asked in their support forum if their tool makes use of Amazon and here comes the answer:
"Syncplicity uses Amazon’s S3 storage. When you are uploading and downloading files, the Syncplicity client is making connections to Amazon. I hope this information helps! "…

Alas! That was a pain in my … Really annoying from the company that there is no info at all on their site that they use Amazon, another data miner, as storage :frowning:

At least I do know now that there is no malware running, but I do not know whether I want to store my personal data that I back up and sync with Syncplicity being hosted on Amazon’s servers, since I suspect they are no better or worse than Google and no user knows today what these big fishes will do in the future with our data.

best regards
and thanks for your help Eric!
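
Added example (not part of any post in this thread): when port-80 traffic is redirected through a local filtering proxy such as a web shield, the outbound socket belongs to the proxy, so the originating program has to be found by joining `netstat -ano` with `tasklist /fo csv /nh` on the PID and looking at who talks to the proxy on loopback. The sample output, the proxy port 12080 and the image names `proxy.exe` and `synctool.exe` are constructed assumptions; only IPv4 rows are handled.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are invented.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:12080        127.0.0.1:49161        ESTABLISHED     1820
  TCP    127.0.0.1:49161        127.0.0.1:12080        ESTABLISHED     2644
  TCP    192.168.178.20:49162   203.0.113.25:80        ESTABLISHED     1820
  UDP    0.0.0.0:137            *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh` output; image names are placeholders.
TASKLIST = '''\
"System","4","Services","0","300 K"
"proxy.exe","1820","Services","0","20,000 K"
"synctool.exe","2644","Console","1","35,000 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name."""
    return {r[1]: r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) > 1}

def tcp_rows(netstat_text):
    """Yield (local, remote, state, pid); UDP rows lack a state column and are skipped."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield tuple(parts[1:])

def attribute(netstat_text, tasklist_csv, proxy_port):
    names = pid_names(tasklist_csv)
    rows = list(tcp_rows(netstat_text))
    suffix = f":{proxy_port}"
    # The filtering proxy owns the outbound sockets, so find its PID first.
    proxy = {pid for local, _, state, pid in rows
             if state == "LISTENING" and local.endswith(suffix)}
    # Candidate originators: other processes connected to that port on loopback.
    clients = sorted({(names.get(pid, "?"), int(pid)) for _, remote, state, pid in rows
                      if state == "ESTABLISHED" and remote == "127.0.0.1" + suffix
                      and pid not in proxy})
    outbound = sorted({remote for _, remote, state, pid in rows
                       if state == "ESTABLISHED" and pid in proxy
                       and not remote.startswith("127.")})
    return {"proxy": sorted(names.get(p, "?") for p in proxy),
            "clients": clients, "outbound": outbound}

if __name__ == "__main__":
    print(attribute(NETSTAT, TASKLIST, 12080))
```

With several clients connected at once this lists candidates only; it does not pair a particular client with a particular outbound address.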