I don’t understand any of this, so please respond at a beginner’s level. I appreciate any help you can give.
Under “Active Connections,” my firewall shows “Windows Operating System” listening at probably 100 or more ports. There are no bytes going in or out, but the listening is constant. There is a different number in brackets after each “Windows Operating System” entry, and below that each one is indicated to be listening on a different numbered port, as well.
I went to “Define a new blocked application” to see what would happen if I blocked “Windows Operating System.” When I select “running processes,” Windows Operating System is at the top of the list with a PID number of zero. There is no indication of the hundred other different numbers indicated in brackets for this program in the active connections box. I am able to block “Windows Operating System” PID 0 in my Network Security Policy, but the listening still occurs. I see in the firewall log that ICMP connections from 192.168.1.1, from source port “Type (3)” to destination Comodo servers (8.26.56.26 and 156.154.70.22) have been blocked a few times.
I have also noticed that there are often UDP Out connections carrying hundreds of bytes of information outward to an IP address within my network IP range, associated with the System or Svchost programs. I don’t know if that means anything, or if I explained it well enough.
I have run Malwarebytes with no malware found.
Is this as concerning as it feels to me?
I also noticed a program called conime.exe in the System32 folder, which some sites online say is a legitimate Windows program and some say is a virus. I uploaded it to VirusTotal and the scans were clean. I blocked it with the firewall anyway, as the legitimate program seems to have to do with Asian languages and I don’t use them. However, I am still concerned about its description online as a sometimes backdoor trojan if found in System32.
Most of what you’ve described sounds fairly normal. However, would you mind posting some screenshots of the Active Connections viewer and, if there are any, related log entries (Firewall/View Firewall Events/More)? You can attach images via Additional Options when you make a post.
When CIS sees incoming traffic that no application is listening for, it will block it and will say in the logs that WOS blocked the traffic. WOS is not a process; it is a pseudo process, sorta like System Idle Process in Task Manager.
If all scanners of Virus Total say the file is clean then you can believe that judgment. It probably got installed with Microsoft Office.
Edit: Conime from Office 2010 is digitally signed. You can check the signature using Sigcheck as described in the following.
Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\. When done, run sigcheck.reg to add it to the registry.
When this is done, navigate to the system32 folder, look up and select Conime, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
Thank you for your responses. They are very reassuring.
Radaghast, I appreciate your looking at the active connections and the event log. They are just partial snapshots, obviously. There are at least a hundred entries like this.
EricJH, it is good to be reassured re: the VirusTotal results. I will follow your directions for checking out conime.exe later tonight and am very glad to have a plan for reassuring myself about this file.
Thank you both very much for your help and for this site.
Thanks for the images. If these Windows Operating System connections are still occurring, I’d like you to do one more thing for me. Open a command prompt and type:
netstat -ano > c:\netstat.txt
followed by
tasklist /svc > c:\tlist.txt
Then post the files here as attachments.
From the logs, I notice you’re blocking UPnP discovery packets from your router (TCP port 2869). If you’re not using UPnP in your router, you can probably disable the service; however, you’d have to check the router documentation to find out how.
I blocked that by accident, I think. I thought I was using programs that use UPnP (like messenger programs, maybe?), but blocking the packets has not interfered with anything. Is it okay to leave it as is?
Here are the logs. Thank you very much for looking at them:
Oh, also… I followed the instructions to get Sigcheck, and it said the information was entered into the registry. However, when I navigate to and right-click on conime.exe or any other program, and then select “Signature,” I don’t get a command box. I get a box asking me which program I want to use to open the file. Can you help me figure out what I am doing wrong, please?
One more paranoid and probably meaningless observation: When I run “Hijack This,” the scan pauses for quite a few seconds when it comes to “NT services,” as though it is taking a long time at that step. However, the only entries that come up for NT services are Avast, Comodo, and Superantispyware core service.
It won’t be the end of the world if you leave these as is; they’re only notification events. However, if you’re actively using applications that rely on UPnP/SSDP, it’s probably worth making things work correctly.
Here are the logs. Thank you very much for looking at them:
The logs show a great many connections linked to the loopback address (127.0.0.1) which is probably something to do with Avast - you have Superantispyware installed, is it resident or just on demand? - and these may be the cause of the Windows Operating System listening entries.
Unfortunately, the Active Connections viewer in CIS is not that good, so it’s not always easy to relate what one sees there to what’s actually happening on the network. If you want, you can take another image of the WOS connections in the Active Connections viewer and at the same time repeat the process for creating the logs mentioned above. Once done, post all three here; maybe we can find some correlation between them.
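One way to do that correlation yourself, using the two files the `netstat -ano` and `tasklist /svc` steps earlier in the thread write out: the script below is an added example, not something posted in this thread and not a Comodo or Sysinternals tool. The embedded netstat and tasklist text is constructed sample output, not the poster's logs. It joins each socket to the owning image and PID (the number CIS shows in brackets) and to the services hosted in that PID, then reports which listeners are loopback-only (the kind the reply above attributes to Avast) and which sockets netstat attributes to PID 0, where there is no live owning process.

```python
import re
import sys

# Constructed sample output shaped like `netstat -ano` and `tasklist /svc`;
# these lines are not the poster's logs.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:12080        127.0.0.1:49161        ESTABLISHED     1520
  TCP    192.168.1.5:49160      8.26.56.26:443         ESTABLISHED     2244
  TCP    [::]:135               [::]:0                 LISTENING       712
  UDP    0.0.0.0:5355           *:*                                    912
  UDP    192.168.1.5:1900       *:*                                    912
  UDP    0.0.0.0:500            *:*                                    0
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    712 RpcEptMapper, RpcSs
svchost.exe                    912 AudioEndpointBuilder, Netman, SSDPSRV,
                                   upnphost
AvastSvc.exe                  1520 avast! Antivirus
firefox.exe                   2244 N/A
"""

# The State column is absent on UDP rows, hence the optional group.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_netstat_ano(text):
    """One dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = local.rpartition(":")  # also splits [::]:135 correctly
        rows.append({"proto": proto, "local_host": host, "local_port": port,
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def _split_services(field):
    return [] if field.strip() == "N/A" else [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Map PID -> {image, services}; an indented line continues a long service list."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:  # wrapped service names
            procs[last]["services"].extend(_split_services(line))
            continue
        m = _TASKLIST_RE.match(line)
        if not m:  # "Image Name ... PID Services" header and the ==== separator
            continue
        pid = int(m.group(2))
        procs[pid] = {"image": m.group(1), "services": _split_services(m.group(3))}
        last = pid
    return procs


def correlate(netstat_text, tasklist_text):
    """Attach image name and hosted services to every netstat row, joined on PID."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for r in parse_netstat_ano(netstat_text):
        p = procs.get(r["pid"], {"image": "<not in tasklist>", "services": []})
        out.append({**r, "image": p["image"], "services": list(p["services"])})
    return out


def summarize(rows):
    """Listening endpoints per 'image [pid]', keys that listen only on loopback,
    and endpoints netstat reports under PID 0 (no live owner)."""
    listening, loop, nonloop, pid0 = {}, set(), set(), []
    for r in rows:
        key = f'{r["image"]} [{r["pid"]}]'
        endpoint = f'{r["proto"]}/{r["local_port"]}'
        if r["pid"] == 0:
            pid0.append(endpoint)
            continue
        if r["proto"] == "UDP" or r["state"] == "LISTENING":  # UDP sockets are always "listening"
            listening.setdefault(key, set()).add(endpoint)
            (loop if r["local_host"] in LOOPBACK else nonloop).add(key)
    return {"listening": {k: sorted(v) for k, v in listening.items()},
            "loopback_only": sorted(loop - nonloop), "pid0": pid0}


def report(netstat_text, tasklist_text):
    rows = correlate(netstat_text, tasklist_text)
    s = summarize(rows)
    svc = {f'{r["image"]} [{r["pid"]}]': r["services"] for r in rows}
    lines = [f'{k}: {", ".join(v)}  services={svc[k] or "-"}' for k, v in sorted(s["listening"].items())]
    lines.append(f'loopback-only listeners: {s["loopback_only"] or "-"}')
    lines.append(f'sockets reported under PID 0: {s["pid0"] or "-"}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python correlate.py c:\netstat.txt c:\tlist.txt  (no args runs the sample)
    if len(sys.argv) == 3:
        ns, tl = (open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:3])
    else:
        ns, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    print(report(ns, tl))
```

Run it with the two file paths from the earlier steps to get a per-PID view of what is actually listening, keyed the same way CIS labels entries. Two things in the output are worth checking against the Active Connections viewer: a `svchost.exe [pid]` line lists the services that share that process, so a port can be tied to a specific service rather than to "svchost" in general, and anything under "loopback-only listeners" is reachable only from the machine itself, which is the usual pattern for a local antivirus proxy.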
One more paranoid and probably meaningless observation: When I run "Hijack This," the scan pauses for quite a few seconds when it comes to "NT services," as though it is taking a long time at that step. However, the only entries that come up for NT services are Avast, Comodo, and Superantispyware core service.
Personally, I find a better alternative to Hijack This is OLT. You can find a tutorial and download links here.