
Spam


mara-


Those weird IPs in your screenshots are generated from http://www.libero.it/ and http://www.orange.fr/

Looks like 2 ISPs to me, but I am not sure. It could just be random DHT connections to other users on those ISPs, most likely harmless. The port used in uTorrent is for TCP traffic; UDP does not have to use that port, and UDP is also meant to be connectionless, so I do not believe it can be traffic-shaped the way TCP packets can.



@LeetPirate

I believe these are the outgoing connections... So I don't think they're ok. Might be wrong, obviously.



Well, I installed Prio and it does not add any new tab to task manager. Do I need to reboot?

I downloaded TCPView from the Microsoft page, and all I can see that creates UDP connections is svchost.exe. I know that this can be a virus, but I scanned the whole computer and it's clean. Does anybody know a monitoring tool that can tie an outgoing connection to a specific process?

Cheers ;)

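One way to answer the question in this post with nothing but the commands Windows already ships, as an added example that is not code from the thread or from any tool named in it: `netstat -ano -p UDP` lists each UDP endpoint with its owning PID, and `tasklist /svc` maps a PID to its image name and, for svchost.exe, to the services it hosts. Joining the two is what turns "it's svchost.exe" into "it's the SSDPSRV service inside that svchost". The two sample outputs are constructed to match the layout of those commands (the PIDs, ports and service lists are made up, and ccSvcHst.exe simply stands in for an antivirus process); the column layout itself is an assumption about how those commands print, so check it against a real run before relying on the parser.

```python
"""Tie each UDP endpoint to its owning process and, for svchost.exe, to the
services it hosts, by joining two built-in Windows commands:

    netstat -ano -p UDP   -> local endpoint + owning PID
    tasklist /svc         -> PID -> image name + hosted services

Added example, not code from the thread. The sample outputs below are
constructed; PIDs, ports and service lists are made up.
"""
import re
import subprocess

# Constructed sample of `netstat -ano -p UDP` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1040
  UDP    0.0.0.0:3702           *:*                                    1296
  UDP    127.0.0.1:1900         *:*                                    1296
  UDP    [::]:500               *:*                                    1040
  UDP    192.168.1.10:60123     *:*                                    2512
  UDP    192.168.1.10:5600      *:*                                    3088
"""

# Constructed sample of `tasklist /svc` output, including a service list
# wrapped onto an indented continuation line, as tasklist does for long lists.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1040 IKEEXT, PolicyAgent
svchost.exe                   1296 FDResPub, SSDPSRV,
                                   upnphost
uTorrent.exe                  2512 N/A
ccSvcHst.exe                  3088 N/A
"""


def _split_services(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_netstat_udp(text):
    """Return [(local_ip, local_port, pid), ...] for the UDP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "UDP":
            continue
        # UDP rows have no State column, so the PID is the last token;
        # rpartition keeps IPv6 forms such as "[::]:500" intact.
        ip, _, port = parts[1].rpartition(":")
        rows.append((ip, int(port), int(parts[-1])))
    return rows


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc`."""
    table, last_pid = {}, None
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            name, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            table[pid] = (name, [] if svcs == "N/A" else _split_services(svcs))
            last_pid = pid
        elif last_pid is not None and line.startswith(" ") and line.strip():
            # Wrapped continuation of the previous row's service list.
            table[last_pid][1].extend(_split_services(line))
    return table


def attribute_udp(netstat_text, tasklist_text):
    """Join endpoints to processes: {(ip, port): (pid, image, services)}."""
    procs = parse_tasklist_svc(tasklist_text)
    result = {}
    for ip, port, pid in parse_netstat_udp(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        result[(ip, port)] = (pid, image, list(services))
    return result


def owner_of_port(netstat_text, tasklist_text, port):
    """(image, services) of whatever owns local UDP `port`, or None."""
    for (_ip, p), (_pid, image, services) in attribute_udp(netstat_text, tasklist_text).items():
        if p == port:
            return image, services
    return None


def live_udp_attribution():
    """Run both commands on a Windows box and attribute the live UDP table."""
    ns = subprocess.run(["netstat", "-ano", "-p", "UDP"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True, check=True).stdout
    return attribute_udp(ns, tl)


if __name__ == "__main__":
    for (ip, port), (pid, image, svcs) in sorted(attribute_udp(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(f"{ip}:{port:<6} pid={pid:<5} {image:<14} {', '.join(svcs) or '-'}")
```

Run as a script it prints the constructed table; call `live_udp_attribution()` on a real Windows machine (an elevated prompt is needed for netstat to report the PID of every process) to get the same mapping for the live endpoint table. A port owned by svchost.exe then resolves to a short list of service names, which is a far better starting point for a malware check than the host process alone.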


Could you hard reset your router? (see the manual)

This should clear all the ports, so you need to open one for uTorrent. Btw, try deleting some torrents from uTorrent. I think seeding 100 torrents is a little too much :lol:

Because a friend of mine got disconnected for downloading too much. Maybe you're uploading too much?

You could also call them and ask them what the reason is..



You should search for svchost.exe and check if it appears in any odd-looking locations ;)



Could you hard reset your router? (see the manual) This should clear all the ports, so you need to open one for uTorrent. Btw, try deleting some torrents from uTorrent. I think seeding 100 torrents is a little too much :lol: Because a friend of mine got disconnected for downloading too much. Maybe you're uploading too much? You could also call them and ask them what the reason is..

These are just small torrents, under 50 KB, so I can gather points faster on pretome; nobody is even downloading them. And believe me, the country where I live does nothing to stop piracy. I know of some shops where you can buy games with cracks, so...

You should search for svchost.exe and check if it appears in any odd-looking locations ;)

I'll check that.

Cheers ;)



Well, I installed Prio and it does not add any new tab to task manager. Do I need to reboot?

I downloaded TCPView from the Microsoft page, and all I can see that creates UDP connections is svchost.exe. I know that this can be a virus, but I scanned the whole computer and it's clean. Does anybody know a monitoring tool that can tie an outgoing connection to a specific process?

Cheers ;)

Process Hacker.. right here on NsaneForums.. will show it.. (on the Network tab, not to mention it could shed some light on anything it's connected to)

I dunno how this would help, BUT ESS BE > Protection Status > Network Connections.. gives exact specifics..

Information for the two addresses that it connected to..


% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '151.15.0.0 - 151.15.255.255'
inetnum: 151.15.0.0 - 151.15.255.255
netname: IUNET-BNET15
descr: IUnet
descr: Via Lorenteggio 257
descr: Milano, I-20100
country: IT
admin-c: IIS1-RIPE
tech-c: IIS1-RIPE
status: ASSIGNED PA
mnt-by: AS1267-MNT
mnt-lower: AS1267-MNT
mnt-routes: AS1267-MNT
source: RIPE # Filtered
person: Infostrada Internet Staff
address: Infostrada SpA
address: Via Lorenteggio 257
address: I-20152 Milano
address: Italy
phone: +39 02 413311
e-mail: [e-mail address hidden by the forum]
nic-hdl: IIS1-RIPE
mnt-by: AS1267-MNT
source: RIPE # Filtered
% Information related to '151.15.0.0/16AS1267'
route: 151.15.0.0/16
descr: INFOSTRADA
origin: AS1267
remarks: removed cross-mnt: AS1267-MNT
mnt-lower: AS1267-MNT
mnt-routes: AS1267-MNT
mnt-by: AS1267-MNT
source: RIPE # Filtered


OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 90.0.0.0 - 90.255.255.255
CIDR: 90.0.0.0/8
NetName: 90-RIPE
NetHandle: NET-90-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2005-06-30
Updated: 2009-05-18
# ARIN WHOIS database, last updated 2010-01-04 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html

Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '90.2.196.0 - 90.2.196.255'
inetnum: 90.2.196.0 - 90.2.196.255
netname: IP2000-ADSL-BAS
descr: BSMSO753 Montsouris Bloc 2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: [e-mail address hidden by the forum] AND [e-mail address hidden by the forum]
mnt-by: FT-BRX
source: RIPE # Filtered
role: Wanadoo France Technical Role
address: FRANCE TELECOM/SCR
address: 48 rue Camille Desmoulins
address: 92791 ISSY LES MOULINEAUX CEDEX 9
address: FR
phone: +33 1 58 88 50 00
e-mail: [e-mail address hidden by the forum]

This could be the polling from your connection to the ISP or DNS server... not for sure though.. the one in between from uTorrent is a Tor Onion Router server in the Russian Federation.

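The RIPE output quoted above is in RPSL form (one `attribute: value` per line, objects separated by blank lines, `%` lines being server comments), which is easy to parse so that an observed peer address can be checked against the inetnum range, netname, country and origin AS that cover it. The following is an added example, not code from the thread or from any whois client; its sample input is a trimmed copy of the records quoted in the post, with the e-mail lines the forum hides left out, and the two peer addresses looked up are made-up ones inside those ranges.

```python
"""Parse RIPE whois output (RPSL objects) and report, for an observed peer
IP, the inetnum range, netname, country and origin AS that cover it.

Added example, not code from the thread. WHOIS_SAMPLE is a trimmed copy of
the RIPE records quoted in the thread; the looked-up addresses are made up.
"""
import ipaddress

WHOIS_SAMPLE = """\
% The RIPE Database is subject to Terms and Conditions.
% Information related to '151.15.0.0 - 151.15.255.255'
inetnum:        151.15.0.0 - 151.15.255.255
netname:        IUNET-BNET15
descr:          IUnet
descr:          Via Lorenteggio 257
descr:          Milano, I-20100
country:        IT
admin-c:        IIS1-RIPE
status:         ASSIGNED PA
mnt-by:         AS1267-MNT
source:         RIPE # Filtered

person:         Infostrada Internet Staff
address:        Infostrada SpA
nic-hdl:        IIS1-RIPE
source:         RIPE # Filtered

% Information related to '151.15.0.0/16AS1267'
route:          151.15.0.0/16
descr:          INFOSTRADA
origin:         AS1267
source:         RIPE # Filtered

% Information related to '90.2.196.0 - 90.2.196.255'
inetnum:        90.2.196.0 - 90.2.196.255
netname:        IP2000-ADSL-BAS
descr:          BSMSO753 Montsouris Bloc 2
country:        FR
status:         ASSIGNED PA
remarks:        for hacking, spamming or security problems send mail to
remarks:        [abuse e-mail addresses hidden on the forum page]
mnt-by:         FT-BRX
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split whois output into objects: a list of {attribute: [values]}."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):            # server comment lines
            continue
        if not line.strip():                # a blank line ends an object
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:  # RPSL continuation line
            current[last_key][-1] += " " + line.lstrip(" \t+").strip()
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()   # drop "# Filtered"-style comments
        last_key = key.strip()
        current.setdefault(last_key, []).append(value)
    if current:
        objects.append(current)
    return objects


def range_contains(rng, addr):
    """True if an inetnum range written as 'a - b' contains addr."""
    lo, _, hi = (p.strip() for p in rng.partition("-"))
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    return lo.version == addr.version and lo <= addr <= hi


def lookup(text, ip):
    """Describe the covering inetnum and most specific route for ip, or None."""
    addr = ipaddress.ip_address(ip)
    objects = parse_rpsl(text)
    inet = next((o for o in objects
                 if any(range_contains(r, addr) for r in o.get("inetnum", []))), None)
    if inet is None:
        return None
    routes = [o for o in objects for r in o.get("route", [])
              if addr in ipaddress.ip_network(r, strict=False)]
    routes.sort(key=lambda o: ipaddress.ip_network(o["route"][0], strict=False).prefixlen,
                reverse=True)
    return {
        "inetnum": inet["inetnum"][0],
        "netname": inet["netname"][0],
        "country": inet["country"][0],
        "descr": inet.get("descr", []),
        "origin": routes[0]["origin"][0] if routes else None,
    }


if __name__ == "__main__":
    for peer in ("151.15.42.7", "90.2.196.10", "8.8.8.8"):  # made-up peers
        print(peer, lookup(WHOIS_SAMPLE, peer))
```

Feeding the output of `whois -h whois.ripe.net <ip>` into `lookup()` gives the same summary for a live address. Note that a country code and netname only tell you whose address block a peer sits in, which for a BitTorrent client is normally just another subscriber of that ISP; it does not by itself say anything about what the peer is doing.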


  • Administrator

I think you will need reboot for Prio.



@ heath28m

I checked with Process Hacker, and it shows only svchost.exe. And how did you check those IP addresses? I just checked, and one is from Italy, the other France (I just saw, in your post it is also Italy and the Netherlands, so how come you mention the Russian Federation?). BTW, now there isn't any Unknown connection, uTorrent is running. It seems that most of the unknown connections are on startup and they disappear later. This is really strange. To me, everything looks clean. Maybe cFosSpeed just cannot identify the program, nothing else. But then again, it's strange because uTorrent was not running when I took that picture. And I also noticed that after I exit uTorrent, some new connections related to uTorrent are still appearing for some short time, maybe 2-3 minutes. I don't know, I'm really puzzled here.

I checked my system with:

NAV2010

MBAM

SuperAntispyware

Microsoft Malicious Removal Tool

Spybot

HijackThis log didn't show anything

Everything is clean now, but I still cannot understand how and why these unknown connections appear.

@DKT

OK, I'll see that tomorrow then.

Cheers ;)



  • Administrator

Well, I was not mentioning it all the time because I thought it would be solved the easy way. I would suggest you use Wireshark, a free protocol analyzer.

My friends and I recommend it, especially if you wanna catch a person who is responsible for a keylogger or RAT on your computer.

Once installed and run, stop all the internet activity and see if that unknown program is caught. There's a video tut made by one of my friends on Wireshark, but I doubt I can post it here.



Well, send me a link via PM. I already had this program, but I didn't know how to use it. A tutorial would be really useful.

Cheers ;)



@mara-:

Try COMODO Firewall. Then go to Firewall > Common Tasks > View Active Connections.

It should show all processes trying to make a connection.



  • Administrator

Sending PM in a min.

It gives you some info on Wireshark.



@ heath28m

I checked with Process Hacker, and it shows only svchost.exe. And how did you check those IP addresses? I just checked, and one is from Italy, the other France (I just saw, in your post it is also Italy and the Netherlands, so how come you mention the Russian Federation?). BTW, now there isn't any Unknown connection, uTorrent is running. It seems that most of the unknown connections are on startup and they disappear later. This is really strange. To me, everything looks clean. Maybe cFosSpeed just cannot identify the program, nothing else. But then again, it's strange because uTorrent was not running when I took that picture. And I also noticed that after I exit uTorrent, some new connections related to uTorrent are still appearing for some short time, maybe 2-3 minutes. I don't know, I'm really puzzled here.

ElcroWhois program here on my computer.. The 'Russian Federation' was (its physical location) the UDP connection to uTorrent; it is an anonymity server for Tor.. that is what I found after finding that the address came up as --something--, Inc. So I ran a search of the search engines and found it to be listed as used by Tor.

One last thought about 'Unknown' connections, especially at startup: some of the thousands of scheduled tasks included in Windows 7 by default reach out to the Internet, some of which are as simple as scheduled RSS feed synchronization... Others for other reasons. The possible reason it is coming up as unknown is that 64-bit files have to have specific verification to be identified (same true of HJT logs in many cases..). I am also assuming that you're running 64-bit Windows as well.. SO essentially this truly could be running from svchost.exe or other system files.. Matching these running task states may shed some light when matched with the occurrence of the connections themselves.

The connections that survive the shutdown of uTorrent can be residual connections from running operations which were not 'stopped' before shutdown. In PeerBlock and PeerGuardian I also, many times, see connections in both directions, and have with various builds seen that uTorrent can even stay in the Task Manager, even after making sure that the program is closed, not hidden or minimized to the tray.. So this could also be expected operation as well, and may not always be an apparent issue.. (being that this may just be part of the nature of the protocol itself)



Watch out for mIRC; it would be great to run a simple mIRC version or use irssi to be more secure. I know mIRC bots can infect you, and being infected you will infect others. Mostly they are situated in ini files. Also it can make you spam.



Well, it seems that cFosSpeed cannot identify this. I just checked with Prio in Task Manager, which DKT recommended, and only svchost creates UDP connections. In Wireshark I see the same connections, and most of them go to a port called esmmanager. Anyone know what this is?

Cheers ;)



OK, then these connections are from Norton Antivirus 2010. It should be fine then. Thanks for the info. And thanks to everybody for the help. I'll continue to monitor this for a few days to make sure there aren't any problems.

Cheers ;)



  • Administrator

If esmmanager is that connection, then why is it connecting two different IPs to two different places? :think:

I would say it's time to do what shought suggested.



  • Administrator

Yea, verbally, we don't wanna break any laws. :P And as far as I know, you can do anything with your mouth as long as it's just verbal. :lol:



Well, I don't know if that's necessary. They said they will monitor me. It's the second day now, and they haven't contacted me or disconnected me, so I suppose that it's OK now.

@DKT

Well, I suspect a feature of Norton; it's called Insight Protection and it's connected with Norton Community Watch, so maybe this Community is located in more places in the world. Check the screenshot:

[screenshot: 120i328.png]

Cheers ;)



  • Administrator

I think they will monitor you for a week.

It's best to ask them. It's really needed if we wanna come to a conclusion.
