Windows OS connections

Hello. I am new here, although I’ve been using comodo (Inet sec suite) for a few years now. I’ve been receiving an unusually large amount of incoming connections (all blocked) all seemingly related to the Windows OS. No outgoing connections though, which I’d assume is a good sign. But anyway, over the space of a couple of hours, there can be up to 1500-2000 connection attempts, from hosts all over the world. Although a lot of them are from eastern Europe, and Russia. I’ve scanned using comodo, and malwarebytes. I’ve set my scanner to on-access, and turned the heuristic scanning level to high. I’ve also run HJT! and looked over the logs for anything suspicious. Nothing found. I’m wondering whether this could potentially be a bot or RAT. Any thoughts on this? Or am I just being paranoid?

Relevant information would be that

I am using windows 7 (x86, build 7600)
My firewall is in Safe Mode, Defense+ is in Clean PC Mode, and the AV, as I already mentioned, is on-access
I’ve installed nothing from an unsafe source recently
I’ve tried turning it off and on again
No recent hardware changes
No recent windows updates (I tell my PC when it’s allowed to update)
All scans have come up clean, although HJT tells me my system is not very well kept.

Hi,

Were you by any chance doing any P2P activity before these intrusion attempts started?

Are you behind a router, or do you connect directly to the web with a modem? Is the traffic all on the same port? Is that a port used by a p2p program you use?

Hi, thanks for the reply!

I do use p2p-related software, although the port I connect on is set to be randomised and the program doesn’t launch at startup. I haven’t used the program in about… 2-3 days, I’d say. So I couldn’t really tell you what port I’m p2p’ing on, as it changes every time I start the software :frowning: . I’m behind a router, but the firewall on my router is disabled. Oh, and I scanned some of the hosts attempting to connect to me while waiting for a reply. The machines making attempts to connect to my PC were also household computers, some running Windows operating systems and some Linux. I also ran whois on a few of these computers; nothing turned up but their ISP details :confused: so I’m assuming that they’re not Windows Update distribution servers.

[EDIT]: For the reference the port is 36765, so it is in the range for p2p connections. I don’t think it’s dedicated solely for anything to my knowledge.

The reason for asking about p2p programs is that they can open ports on the router, as can others, think Live Messenger. These programs sometimes forget to close ports on the router upon closing; I was wondering if it was one of these ports where the access requests came from.

With p2p programs it will take several after you closed down the program for the incoming requests to stop.

Best thing to do is to close the port on the router. You may need to use the Universal Plug and Play interface (see image) for that or simply reboot the router.

What Global Rules do you have set?

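To check the point raised above, whether the blocked attempts all land on one p2p port rather than on service ports, here is an added example that is not code from this thread or from Comodo. It parses constructed firewall-log lines in an assumed `action proto src:sport -> dst:dport` layout (not Comodo's real export format) and flags a single ephemeral port carrying most of the blocked inbound traffic, which is what a stale P2P/UPnP mapping on the router looks like.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed layout; not Comodo's real log format.
SAMPLE_LOG = """\
Blocked TCP 93.184.216.34:51312 -> 192.168.1.10:36765
Blocked TCP 198.51.100.7:40012 -> 192.168.1.10:36765
Blocked UDP 203.0.113.5:36765 -> 192.168.1.10:36765
Blocked TCP 198.51.100.7:40013 -> 192.168.1.10:36765
Blocked TCP 192.0.2.44:2222 -> 192.168.1.10:445
Allowed TCP 192.168.1.10:49152 -> 93.184.216.34:443
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per parseable line; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def blocked_inbound_by_port(events, local_ip):
    """Count blocked attempts aimed at our host, keyed by destination port."""
    return Counter(e["dport"] for e in events
                   if e["action"] == "Blocked" and e["dst"] == local_ip)


def stale_p2p_port_suspected(events, local_ip, threshold=0.8):
    """Heuristic from the thread: if most blocked inbound traffic hits one
    ephemeral port (>= 1024), a leftover P2P mapping is the likely cause.
    Returns that port, or None if traffic is spread out or hits service ports."""
    counts = blocked_inbound_by_port(events, local_ip)
    total = sum(counts.values())
    if total == 0:
        return None
    port, n = counts.most_common(1)[0]
    return port if port >= 1024 and n / total >= threshold else None
```

If the top port comes back as a low service port (445, 3389 and the like) instead, the traffic is ordinary scanning of exposed services and the router mapping is not the explanation.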

Hi again,

Global rules are basically to block anything not on port 80 or 443 and using chrome.exe or opera.exe unless I personally permit it (Safe Mode), apart from a few other program exceptions, like xfire and the p2p software, being on this list. Although I don’t turn my router off very often, so your theory that I could have remained in the seed list for p2p seems pretty good to me. I’ll reboot the router and see how it goes. I’ll let you know in about 14 hours or so how it went, thanks for the help! :slight_smile:

It worked :smiley: Thanks a lot for the help, you can mark this thread as solved :slight_smile: