Hi. I never see anything like this. I usually see ports 445 and 135 listening, but that’s it, unless I have a program open that is listening on a specified port. Now I find that “Windows Operating System” is listening on:
- a port that I explicitly use for one application only in my Network Security Policy using Custom Policy Mode
- a port on which I may have allowed inbound TCP for a game, but have since closed the port
and - another port which i have no idea what is used for, and this is all making me very nervous.
Check out the screenshot. I also got an error message from cfp when rebooting. I have been getting this error from a few programs recently. Check out the other screenshot.
[attachment deleted by admin]
Welcome to the forum licensed_to_ill
Was this from boot of your computer or had you logged off a user account and logged back on?
Hi, thank you. The error was at shutdown. After rebooting there is no longer listening on these ports from Windows Operating System. I’m still very concerned, however.
update: it’s now listening on TCP 1157, another port I have never used before nor seen listening before. I’m pretty sure I’m infected.
Definitely looks suspicious to me.
I would recommend you to follow this:
Post back your results.
I’m going to format and reinstall. I’m getting a number of the same error in multiple programs and my hosts file has been modified. Wish I could be more conclusive about the origin of the problem… I’m pretty sure I have identified at least a part of the trojan and would be happy to direct anyone to it if they’re interested.
Yes please PM me the details please so i can send it to the AV labs so they can make signatures from it.
Please don’t post live malware here…
Hey. I am in similar situation. On computer definetly don’t exist any malware. Snapshot is attached bellow. I have Windows 7.
What is your opinion?
UPDATE: Check up also destination IP on svchost process: 126.96.36.199 → whois: AKAMAI Tehnologies. I ran some google search and find some links that shows connections between AKAMAI and spyware. But scans haven’t showed nothing.
[attachment deleted by admin]
Akamai is used by many large companies to distribute load all over the globe, could be caused by Microsoft updates or other M$ traffic.
Do you have any other “suspicious” activity or where you just wondering why this traffic shows up?
There is no suspicious activity with using computer, only active connections makes me wondering:
Why System listens few ports all the time (picture in previous post)?
Second activity is new and not connected with first. It’s started yesterday. I wanted install NetCat for remote computer control via console. There was lots of alarms while I was extracting it from zip folder. So few times I clicked “Allow” or disable CIS. At the end I didn’t install NetCat because of win7, avg and comodo security. So I deleted all with NC connected files. Later I saw, that I have active System IGMP to destination 188.8.131.52!? Also there was some new strange application rules in CIS Network Security Policy, which were there because of my clicking of Allow. I think so. Then I deleted this new “to friendly” rules. Then I blocked System and made a rule to Block TCP/UDP In/Out on port range 184.108.40.206 - 220.127.116.11. There is also “defaults” Loopback zone by CIS which runs on 127.0.0.1 - 255.255.255.254. I cut it down to 18.104.22.168. I also have second LB Zone (I’m behind a router) from 192.168.2.1 - 22.214.171.124.
So with this second activity I’m wondering If you have tip, how can I stopped this System IGMP connection and consequently counting Blocked intrusion attempts? I already cut it down to 1 on every half hour. At te begining there were new blocked intrusion attempt every 5 seconds.
UPDATE I checked ARP in cmd. I have 5 entries (?!). First is my router, and then 126.96.36.199, 188.8.131.52, 184.108.40.206 etc. but I don’t know from where? I deleted them, but I couldn’t change my ARP router entry from dynamic to static. I run cmd.exe as administrator. And when I restart computer, all previous deleted ARP entries are back there.
They are Multicast entries probably from IPv6 etc…
Please read this post here:
Thx Ronny. I disabled IPv6 in Win 7. There is no more intrusions by System with IGMP 8) ARP table stays the same. I still can’t change router’s IP from dynamic to static, and all deleted entries comes back.
Do you think that this is it?
What about first problem…constant listening by System on TCP (ports 5357, 2869, 10243 with no bytes in/out)?
Found on the worldwideweb…
Port 2869 is used for SSDP Discovery Service and Univ. Plug & Play in certain cases.
The default address (in UrlPrefix format) that a WSDAPI host will use to listen for requests on port 5357.
Port 10243 TCP is used by WMC(Windows Media Connect) to actually stream the media to the PC.
I’m getting the same “Windows Operating System” listening on ports xxxx. The occurance is random. Can go for days without coming up. The ports appear to be random in nature. When I use Sysinternal’s TcpView the ports are not shown. There are no outstanding different applications that are running when compared to when this listening event comes up. It does appear to come up after a period of inactivity. I log off and usually go into standby instead of powering off. When i log in again maybe a day later, there’s a good chance that it’ll be there. Today I logged on and there were 4 instances of the “Windows Operating System” and some instances had 2 listening ports. (see attached .GIF). I’m convinced I’ve got something brewing in there, but too determined to hunt it down rather than reformat.
[attachment deleted by admin]
Welcome to the forum Gazoo
Which version of CIS are you using Miscellaneous / About 3.10?
Hi, I am also having the same kind of problem. In my active connections, I see “Windows Operating System” is listening on exactly 5 different ports. There are no errors, nothing else is out of the ordinary or malfunctioning is any way. I just re-formatted (including a “one-pass zeros” from Active KillDisk) because I suspected malware infection and wanted to be sure I could remove any possible rootkits (ok, next to sure anyway). My security used to be terrible, now I have installed, and am using, Comodo for the first time. I love it, but I am not sure what this could mean. The “Windows Operating System” isn’t actually connecting anywhere, it’s just listening. It won’t show the full path and when I try to “terminate the connection” of any of the ports its listening on, it doesn’t error, but it doesn’t stop it either (is this cause it isn’t actually a connection?) Anyway, I just think it seems suspicious. Any suggestions on how to tell whether this is malware produced or legit, please let me know. Thnx in advance!
I believe Ronnie can confirm, but this sounds like normal practice for Windows and Networking.
I certainly hope so, thank you very much for the quick reply. Why then won’t it show the path to the actual executable? Sorry if this is a newbish question.