Tcpip warnings

Bill Sanderson MVP

I'm not sure--I don't feel really confident about being able to spot software
which opens this kind of connection by the names on such a list--but if you
can do that--go right ahead--maybe something will jump right out.


Guest

Actually I've got it running now, though I'm not entirely sure what I'm
looking for (particularly since the overflow only happens once every few
days...) - I presume I'm hoping to spot a process with multiple 'SYN-SENT'
states in the state column? At present I'm seeing a bundle of TIME_WAITs, a
bundle of LISTENINGs, one or two ESTABLISHEDs, and a load of things with
'x.x'. I suppose that's normal?
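As an added example (not code from any poster in this thread), the script below does by script what the post above is doing by eye in TCPView: it parses a `netstat -ano`-style snapshot (Proto, Local Address, Foreign Address, State, PID), tallies connection states per PID, and flags any process whose SYN_SENT count has reached the half-open limit. The snapshot, the PID-to-image-name table and the limit of 10 are all constructed or assumed for the illustration; on a real machine you would paste in the actual `netstat -ano` output and take the names from `tasklist` or TCPView.

```python
"""Count per-process TCP connection states from a `netstat -ano` snapshot.

Added example for this thread; it is not code from any of the posters.
The snapshot below is constructed to look like Windows `netstat -ano`
output and the PID-to-image-name table stands in for what `tasklist`
or TCPView would show.  HALF_OPEN_LIMIT is an assumed parameter.
"""
from collections import Counter, defaultdict

HALF_OPEN_LIMIT = 10  # assumed per-process limit on outbound SYN_SENT

# Constructed sample in `netstat -ano` layout, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      198.51.100.7:80        ESTABLISHED     2212
  TCP    192.168.1.10:1055      198.51.100.8:80        SYN_SENT        2212
  TCP    192.168.1.10:1056      198.51.100.9:80        SYN_SENT        2212
  TCP    192.168.1.10:1057      198.51.100.8:80        SYN_SENT        2212
  TCP    192.168.1.10:1058      198.51.100.9:80        SYN_SENT        2212
  TCP    192.168.1.10:1059      198.51.100.8:80        SYN_SENT        2212
  TCP    192.168.1.10:1060      198.51.100.9:80        SYN_SENT        2212
  TCP    192.168.1.10:1061      198.51.100.8:80        SYN_SENT        2212
  TCP    192.168.1.10:1062      198.51.100.9:80        SYN_SENT        2212
  TCP    192.168.1.10:1063      198.51.100.8:80        SYN_SENT        2212
  TCP    192.168.1.10:1064      198.51.100.9:80        SYN_SENT        2212
  TCP    192.168.1.10:1040      203.0.113.4:5190       ESTABLISHED     1120
  TCP    192.168.1.10:1041      203.0.113.5:80         SYN_SENT        1120
  TCP    192.168.1.10:1033      192.0.2.5:80           TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table (what `tasklist` would show).
SAMPLE_NAMES = {4: "System", 976: "svchost.exe", 2212: "iexplore.exe", 1120: "waol.exe"}


def parse_netstat(text):
    """Return (state, pid, foreign_address) for every TCP line.

    UDP lines carry no State column and are skipped.  The PID 0 that
    Windows reports for TIME_WAIT entries is kept so the caller can see it.
    """
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, _local, foreign, state, pid = fields
        conns.append((state, int(pid), foreign))
    return conns


def states_by_pid(conns):
    """Map each PID to a Counter of its connection states."""
    table = defaultdict(Counter)
    for state, pid, _foreign in conns:
        table[pid][state] += 1
    return dict(table)


def half_open_offenders(conns, limit=HALF_OPEN_LIMIT):
    """(pid, syn_sent_count, distinct_peers) for PIDs at or over `limit`.

    The distinct-peer count is a heuristic: a media player or browser fans
    out many connections to a few hosts, while something scanning the
    network opens one connection each to many hosts.
    """
    peers = defaultdict(set)
    for state, pid, foreign in conns:
        if state == "SYN_SENT":
            peers[pid].add(foreign.rsplit(":", 1)[0])
    counts = {pid: c["SYN_SENT"] for pid, c in states_by_pid(conns).items()}
    hits = [(pid, n, len(peers[pid])) for pid, n in counts.items() if n >= limit]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def report(text, names, limit=HALF_OPEN_LIMIT):
    """One summary line per process, marking any half-open burst."""
    conns = parse_netstat(text)
    lines = []
    for pid, counter in sorted(states_by_pid(conns).items()):
        name = names.get(pid, "?")
        summary = ", ".join(f"{s}={n}" for s, n in sorted(counter.items()))
        flag = "  <-- half-open burst" if counter["SYN_SENT"] >= limit else ""
        lines.append(f"PID {pid:>5} {name:<14} {summary}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT, SAMPLE_NAMES)))
```

Because the warning only fires once every few days, a single snapshot is unlikely to catch it; run the script from a scheduled task every minute or so and keep only the snapshots where `half_open_offenders` returns something, then match their timestamps against the warnings in Event Viewer.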

Guest

Bill Sanderson MVP said:
I'm not sure--I don't feel really confident about being able to spot software
which opens this kind of connection by the names on such a list--but if you
can do that--go right ahead--maybe something will jump right out.

Here goes (copied from Defender's list of currently running processes, which
it seems to smile upon quite happily):

MICROSOFT

msmsgs.exe
alg.exe
csrss.exe
svchost.exe (6 instances)
iexplore.exe
lsass.exe
msimn.exe
services.exe
spoolsv.exe
explorer.EXE
winlogon.exe
smss.exe
MsMpEng.exe
MSASCui.exe

ATI

Ati2evxx.exe (2 instances)

SYMANTEC

CcSetMgr.exe
Ccapp.exe
CcEvtMgr.exe
ALUSchedulerSvc.exe
navapsvc.exe
NPFmntor.exe
SPBBCSvc.exe
Symlcsvc.exe
SNDsrvc.exe

AOL

aoltray.exe
waol.exe
shellmon.exe
AOLAcsd.exe
aoltpspd.exe

EPSON

SAgent2.exe

ISDN CONNECTION (BT)

gisdnlog.exe
gsyno.exe
vstartx.exe

QUICKTIME

qttask.exe (need to disable it again!)

TCP VIEW (newly added)

tcpview.exe

plun

Hi Bill

It might be so... I have seen this notification a few times, and one I
remember was when I watched the Origami movie from Channel 9.... I don't
know what platform they are using for streaming movies, and it must
probably also be a really loaded server with high traffic to get this
alarm.

The benefit with a real firewall and application rules is that you
can easily track different events within your firewall log.

WD's events are sometimes difficult to track.

regards
plun

Bill Sanderson MVP

I don't see anything there that jumps out at me. I'm not familiar with the
AOL items, so it is possible that one of them uses functionality that might
trigger this kind of message.


Bill Sanderson MVP

That's a useful tip. Alan D--if you are reading this, do you sometimes
watch video content online?


Guest

Bill Sanderson MVP said:
That's a useful tip. Alan D--if you are reading this, do you sometimes
watch video content online?

I've tried exploring YouTube on a few occasions recently, but I don't have a
fast enough connection, so it's really rather frustrating. Do you think that
could be the explanation? It sounds promising, doesn't it?

Bill, Plun - my thanks!

Bill Sanderson MVP

Yes--that seems a direction worth testing.

Alan D said:
I've tried exploring YouTube on a few occasions recently, but I don't have a
fast enough connection, so it's really rather frustrating. Do you think that
could be the explanation? It sounds promising, doesn't it?

Bill, Plun - my thanks!

Anonymous Bob

Alan D said:
I'll give that a try. Thank you.

Not too long ago, I switched to Outpost firewall from Agnitum. One of the
features I *really* like is the "Web History" which will tell you every site
you have ever contacted including those immediately after the first boot of
the day.

A caveat... sometimes the rDNS lookup for the remote address is wrong, and it
may take some time and experience to know what should cause you concern. Still,
it would be useful in this case.

There's a 30 day trial period and a competitive upgrade.

Bob Vanderveen

Guest

Anonymous Bob said:
Not too long ago, I switched to Outpost firewall from Agnitum. One of the
features I *really* like is the "Web History" which will tell you every site
you have ever contacted including those immediately after the first boot of
the day.

A caveat... sometimes the rDNS lookup for the remote address is wrong, and it
may take some time and experience to know what should cause you concern. Still,
it would be useful in this case.

There's a 30 day trial period and a competitive upgrade.

Thanks for the suggestion Bob.

Guest

Bill Sanderson MVP said:
Yes--that seems a direction worth testing.

Just to close off this thread with a neat and tidy conclusion, I can now
report that yesterday I kept running videos online from YouTube in a
minimised window while I got on with something else. When I checked Event
Viewer later I found there were three Tcpip warnings during that time, but at
no other times during the last couple of days.

So although I didn't actually catch the culprit in the act, it's clear that
in this case these Tcpip warnings, as Plun suggested and Bill agreed, are
associated with online video, and not arising from malware activity. Maybe
this will be useful for anyone else who encounters them mysteriously
occurring. Thanks again folks.

Bill Sanderson MVP

Thanks very much for the investigation and closure--I think we've all
learned from this!

Guest

:
.... My wgatray.exe is dated November 2005...... ;) MS has NEVER told me or
any other user about the purpose of this application, i.e. SPYWARE! ... this
seems to be old-fashioned Gates/Ballmer
"bullshit". I really hope that Ballmer finds something else to do ...

:
.... In the meantime I'm trying an experiment. I have an ATI graphics card,
and I notice that the ATI Catalyst Centre runs two versions of cli.exe which
- according to my Googling - have a habit of calling home ...

I write:
About the Genuine Advantage Tool: MS (and Bill, Ballmer, etc.) is pleaded and
hardly criticized for an OLD practice of the software industry, having information
over the web from their installed software, ranging from "HP updates" to
Adobe auto-update and the like. And I do NOT remember any of them being
"bestified" for those practices, nor being "forced" to disclose what info is
transmitted... why would Microsoft (the most pirated) have to be? It seems
one more just-anti-MS-4-no-reason-but-antipathy.

plun

I write:
About the Genuine Advantage Tool: MS (and Bill, Ballmer, etc.) is pleaded and
hardly criticized for an OLD practice of the software industry, having information
over the web from their installed software, ranging from "HP updates" to
Adobe auto-update and the like. And I do NOT remember any of them being
"bestified" for those practices, nor being "forced" to disclose what info is
transmitted... why would Microsoft (the most pirated) have to be? It seems
one more just-anti-MS-4-no-reason-but-antipathy.

Hi

No, this is a human right for today's users: to know about all traffic and
control it. Every connection should be acknowledged with an EULA.

Whether it is MS, HP Bestoffers, Direct Revenue or a really dirty
trojan, all traffic must be controlled.

Easy...... ;) And with a modern firewall this IS easy...
I'm using PC-cillin and it's just a matter of increasing the security level for all
connections.

We have had enough of "human stupidity" now and it's time
to clean this stinking junk yard. Otherwise some users will be really
hurt, and that's a tragedy!

I also don't believe in "glory" Vista.....

Perhaps Intel's La Grande or Blue secure from IBM..... TPM is probably
dead soon and maybe also Vista... ;)

And this IS nothing to "mumble" about, it's a disgrace to watch today's
cleaning forums... ;(


regards
plun