Hi. I never see anything like this. I usually see ports 445 and 135 listening, but that’s it, unless I have a program open that is listening on a specified port. Now I find that “Windows Operating System” is listening on:
[33097]- a port that I explicitly use for one application only in my Network Security Policy using Custom Policy Mode
[11143]- a port on which I may have allowed inbound TCP for a game, but have since closed the port
and [3312]- another port which I have no idea what it is used for, and this is all making me very nervous.
Check out the screenshot. I also got an error message from cfp when rebooting. I have been getting this error from a few programs recently. Check out the other screenshot.
Hi, thank you. The error was at shutdown. After rebooting there is no longer listening on these ports from Windows Operating System. I’m still very concerned, however.
update: it’s now listening on TCP 1157, another port I have never used before nor seen listening before. I’m pretty sure I’m infected.
I’m going to format and reinstall. I’m getting a number of the same error in multiple programs and my hosts file has been modified. Wish I could be more conclusive about the origin of the problem… I’m pretty sure I have identified at least a part of the trojan and would be happy to direct anyone to it if they’re interested.
Hey. I am in a similar situation. There is definitely no malware on the computer. A snapshot is attached below. I have Windows 7.
What is your opinion?
UPDATE: Also check the destination IP on the svchost process: 88.221.3.235 → whois: AKAMAI Technologies. I ran some Google searches and found some links that show connections between AKAMAI and spyware. But scans haven’t shown anything.
There is no suspicious activity when using the computer; only the active connections make me wonder:
Why does System listen on a few ports all the time (picture in previous post)?
The second activity is new and not connected with the first. It started yesterday. I wanted to install NetCat for remote computer control via console. There were lots of alarms while I was extracting it from the zip folder. So a few times I clicked “Allow” or disabled CIS. In the end I didn’t install NetCat because of win7, avg and comodo security. So I deleted all files connected with NC. Later I saw that I have an active System IGMP connection to destination 224.0.0.22!? Also there were some new strange application rules in the CIS Network Security Policy, which were there because of my clicking Allow, I think. Then I deleted these new “too friendly” rules. Then I blocked System and made a rule to Block TCP/UDP In/Out on port range 224.0.0.0 - 235.255.255.255. There is also the “defaults” Loopback zone by CIS which runs on 127.0.0.1 - 255.255.255.254. I cut it down to 220.0.0.1. I also have a second LB Zone (I’m behind a router) from 192.168.2.1 - 192.169.2.5.
So with this second activity I’m wondering if you have a tip on how I can stop this System IGMP connection and consequently the counting of Blocked intrusion attempts? I already cut it down to 1 every half hour. At the beginning there was a new blocked intrusion attempt every 5 seconds.
UPDATE: I checked ARP in cmd. I have 5 entries (?!). The first is my router, and then 224.0.0.22, 224.0.0.60, 239.255.255.250 etc., but I don’t know where they come from. I deleted them, but I couldn’t change my ARP router entry from dynamic to static. I ran cmd.exe as administrator. And when I restart the computer, all the previously deleted ARP entries are back there.
Thx Ronny. I disabled IPv6 in Win 7. There are no more intrusions by System with IGMP 8) The ARP table stays the same. I still can’t change the router’s IP from dynamic to static, and all deleted entries come back.
Do you think that this is it?
What about the first problem…constant listening by System on TCP (ports 5357, 2869, 10243 with no bytes in/out)?
I’m getting the same “Windows Operating System” listening on ports xxxx. The occurrence is random. It can go for days without coming up. The ports appear to be random in nature. When I use Sysinternals’ TcpView the ports are not shown. There are no outstanding different applications that are running when compared to when this listening event comes up. It does appear to come up after a period of inactivity. I log off and usually go into standby instead of powering off. When I log in again maybe a day later, there’s a good chance that it’ll be there. Today I logged on and there were 4 instances of the “Windows Operating System” and some instances had 2 listening ports. (see attached .GIF). I’m convinced I’ve got something brewing in there, but too determined to hunt it down rather than reformat.
Hi, I am also having the same kind of problem. In my active connections, I see “Windows Operating System” is listening on exactly 5 different ports. There are no errors, nothing else is out of the ordinary or malfunctioning in any way. I just re-formatted (including a “one-pass zeros” from Active KillDisk) because I suspected malware infection and wanted to be sure I could remove any possible rootkits (ok, next to sure anyway). My security used to be terrible, now I have installed, and am using, Comodo for the first time. I love it, but I am not sure what this could mean. The “Windows Operating System” isn’t actually connecting anywhere, it’s just listening. It won’t show the full path and when I try to “terminate the connection” of any of the ports it’s listening on, it doesn’t error, but it doesn’t stop it either (is this because it isn’t actually a connection?) Anyway, I just think it seems suspicious. If you have any suggestions on how to tell whether this is malware produced or legit, please let me know. Thnx in advance!
I certainly hope so, thank you very much for the quick reply. Why then won’t it show the path to the actual executable? Sorry if this is a newbish question.
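
Added example, not part of any post in this thread: a triage of `netstat -ano` output for the question raised above about telling expected “System” listeners from unexplained ones. The sample output and the port-to-service table are constructed for illustration; listeners opened by kernel drivers are attributed to PID 4 (System), which has no executable path to display.

```python
import re

# Assumption: reference table of TCP ports that Windows kernel drivers open
# (HTTP.sys for 2869/5357/10243, the SMB server for 445). These show up
# under PID 4, the "System" process, which has no image path on disk.
KNOWN_SYSTEM_PORTS = {
    445: "SMB (Server service)",
    2869: "SSDP/UPnP event notification",
    5357: "WSDAPI (network discovery)",
    10243: "Windows Media Player Network Sharing",
}
SYSTEM_PID = 4

# Constructed sample of `netstat -ano -p TCP` output, using port numbers
# mentioned in the thread; it is not taken from the posters' screenshots.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:10243          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:33097          0.0.0.0:0              LISTENING       4
  TCP    192.168.2.3:49171      88.221.3.235:80        ESTABLISHED     1012
  TCP    [::]:5357              [::]:0                 LISTENING       4
"""

# Matches IPv4 and bracketed IPv6 local addresses; only LISTENING rows count.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def triage(netstat_text):
    """Return sorted, de-duplicated (port, pid, verdict) for each TCP listener."""
    seen = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        if pid != SYSTEM_PID:
            verdict = "user-mode process: resolve PID with tasklist /svc"
        elif port in KNOWN_SYSTEM_PORTS:
            verdict = "expected: " + KNOWN_SYSTEM_PORTS[port]
        else:
            verdict = "unexplained kernel listener: investigate further"
        seen[(port, pid)] = verdict
    return [(port, pid, v) for (port, pid), v in sorted(seen.items())]

if __name__ == "__main__":
    for port, pid, verdict in triage(SAMPLE):
        print(f"{port:>6}  PID {pid:<5} {verdict}")
```

For a PID 4 listener that is not in the table, `netsh http show servicestate` lists the URL registrations HTTP.sys is serving and the process that requested each one.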