Connections, remote & local ports and addresses--got an article or PDF explaining it better?

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
I get frequent notifications from ESET of an unidentified application on my computer trying to communicate with a remote site.



[screenshots attached to the original post]


I thought at one point I had figured out it was my Maxthon browser that was to blame for all these connections, but then I started to see notifications of them when Maxthon was not running, as in the second screenshot.

I posted about this at Need Help - What's the program trying to connect to Taiwanese & other foreign computers on my system?. (I'm going to go back and re-read that carefully.) I was advised there to try Wireshark and Fiddler. I haven't gotten around to that, but I intend to. I'm concentrating more on this now because my ESET subscription ends soon. I'll probably go to Bitdefender TS at that point (already having a license), but I don't know what level of detail its firewall will be providing me.

I have a trial of X-NetStat Pro, seen above. It's a lot better than CurrPorts and TCPView, but it still doesn't solve all mysteries.

I have scanned my system with ESET. It found only harmless adware.

It's embarrassing to admit this, but I still don't feel I have an adequate grasp of connections, local and remote ports, local and remote addresses, etc. If anybody knows of a good article or white paper or PDF that explains it all well for the layman, not the IT specialist, please link me to it.



Computer: DELL Dimension 2400
CPU: Intel Pentium 4-2667 (Northwood, D1)
2666 MHz (20.00x133.3) @ 2658 MHz (20.00x132.9)
Motherboard: DELL 0G1548
Chipset: Intel 845GEV (Brookdale-GEV) + ICH4
Memory: 2048 MBytes @ 166 MHz, 2.5-3-3-7
- 1024 MB PC3200 DDR-SDRAM - Kingston K
- 1024 MB PC3200 DDR-SDRAM - Kingston K
Graphics: Intel 82845G/GL/GV Graphics Controller [DELL]
Intel i845G(L) Integrated, 64 MB
Drive: WL120GPA872, 117.2 GB, E-IDE (ATA-7)
Drive: HGST HTS545050A7E380, 488.4 GB, Serial ATA 3Gb/s <-> USB
Drive: SAMSUNG CD-R/RW SW-252S, CD-R Writer
Sound: Creative Technology SB Live! Series Audio Processor
Network: RealTek Semiconductor RTL8139 PCI Fast Ethernet NIC [A/B/C]
Network: Broadcom 4401 10/100 Integrated Controller
OS: Microsoft Windows XP Home Edition Build 2600
Antivirus: ESET Smart Security 9.0.408.0
Firewall: ESET Smart Security 9.0.408.0
Default Browser: Maxthon 4.4.7.3
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Both IPs listed in the warnings point to Chinese servers.
I would post in the malware removal thread, so somebody authorized there can first help you verify/clean your PC.

The thing is XP is extremely vulnerable, not supported by MS at all anymore, no more updates of any kind for this OS. It's not difficult to get something not particularly nice from the internet or any other media, even with an AV installed.

Even third party product developers are dropping support for XP, like Chrome. As technology advances and XP stays in the same spot without updates, soon nobody will offer anything new for XP.

I don't want to sound like an arrogant *ss, but I think you should consider getting an updated OS, maybe some new hardware that supports it. I'm saying this because it is extremely difficult to keep XP safe and your online world could crash any time.
 

509322

Once again, the program is not trying to contact those IPs; those IPs are attempting to contact an unknown program on your system. The direction of the network traffic is in-bound.

IP 61.63.178.186 directs to http://61.63.178.186/WebClient.html, where WebClient.exe, which is digitally signed by Chipspoint Electronics Ltd (China), can be manually downloaded. WebClient.exe checks out as a clean file.

Malware scan of webclient_exe 702a04d0c41c0ee09bf54b2ca8f822000d06c4aa - Reason Core Security Labs

IP 59.127.10.131 directs to http://59.127.10.131/WebClient.html which appears to do nothing.

X-NetStat Pro is not showing anything useful.

You have two very easy options:

1. Malware Removal Assistance; or
2. Clean install the OS
 
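The thread asks for a layman's explanation of local and remote ports and addresses, and the reply above turns on one detail: whether a connection is inbound or outbound. The following is an added example (not code from the thread, from ESET, or from X-NetStat) that makes that distinction concrete. It parses text laid out like the `netstat -ano` socket table that Windows prints (Proto, Local Address, Foreign Address, State, PID) and applies one rule: an ESTABLISHED connection whose local port is also LISTENING on this host was accepted by a local server, so the remote side initiated it (inbound); otherwise the local port is an ephemeral one the OS picked and the local process dialed out (outbound). The sample table, its addresses (RFC 5737 documentation ranges) and its PIDs are constructed, not captured from any real machine.

```python
"""Reading a socket table: local vs remote endpoints and connection direction.

Added example for the thread; parses `netstat -ano` style text and labels
each TCP connection inbound or outbound from the LISTENING set alone.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample laid out like `netstat -ano` output. Addresses are from
# the RFC 5737 documentation ranges and the PIDs are invented.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:5500      203.0.113.17:41022     ESTABLISHED     2044
  TCP    192.168.1.20:49812     198.51.100.9:443       ESTABLISHED     1580
  UDP    0.0.0.0:500            *:*                                    704
"""


@dataclass
class Socket:
    proto: str                 # "TCP" or "UDP"
    local_ip: str              # address on this machine (0.0.0.0 = all interfaces)
    local_port: int
    remote_ip: Optional[str]   # None when there is no peer (listening / UDP *:*)
    remote_port: Optional[int]
    state: str                 # LISTENING, ESTABLISHED, ...; "" for UDP rows
    pid: int                   # process that owns the socket


def split_endpoint(text: str) -> Tuple[Optional[str], Optional[int]]:
    """'192.168.1.20:5500' -> ('192.168.1.20', 5500); '*:*' -> (None, None).

    rpartition on the last ':' so an IPv6 literal such as '[::]:135' works too.
    netstat shows '0.0.0.0:0' as the foreign address of a listening socket,
    meaning "no peer yet", so that is also reported as no endpoint.
    """
    host, _, port = text.rpartition(":")
    if port in ("", "*"):
        return None, None
    port_num = int(port)
    host = host.strip("[]")
    if port_num == 0 and host in ("0.0.0.0", "::"):
        return None, None
    return host, port_num


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -ano style lines into Socket records; skips header lines."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], fields[4]
        else:
            state, pid = "", fields[3]      # UDP rows have no State column
        local_ip, local_port = split_endpoint(local)
        remote_ip, remote_port = split_endpoint(remote)
        sockets.append(Socket(proto, local_ip or "*", local_port or 0,
                              remote_ip, remote_port, state, int(pid)))
    return sockets


def listening_ports(sockets: List[Socket]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs this host is currently accepting connections on."""
    return {(s.proto, s.local_port) for s in sockets if s.state == "LISTENING"}


def direction(sock: Socket, listeners: Set[Tuple[str, int]]) -> str:
    """Label one socket: listening, inbound, outbound, udp, or its raw state."""
    if sock.state == "LISTENING":
        return "listening"          # waiting for someone else to connect in
    if sock.proto == "UDP":
        return "udp"                # connectionless: the table alone shows no direction
    if sock.state != "ESTABLISHED":
        return sock.state.lower()   # TIME_WAIT, CLOSE_WAIT, SYN_SENT, ...
    if (sock.proto, sock.local_port) in listeners:
        return "inbound"            # the remote host dialed our listener
    return "outbound"               # we dialed out from an ephemeral local port


def analyze(text: str) -> List[Tuple[Socket, str]]:
    """Pair every parsed socket with its direction label."""
    sockets = parse_netstat(text)
    listeners = listening_ports(sockets)
    return [(s, direction(s, listeners)) for s in sockets]


def pids_accepting_inbound(text: str) -> Set[int]:
    """PIDs that currently hold an inbound (remotely initiated) connection."""
    return {s.pid for s, d in analyze(text) if d == "inbound"}


if __name__ == "__main__":
    for sock, label in analyze(SAMPLE_NETSTAT):
        peer = f"{sock.remote_ip}:{sock.remote_port}" if sock.remote_ip else "-"
        print(f"{sock.proto:3} {sock.local_ip}:{sock.local_port:<6} <-> {peer:22} "
              f"{label:9} pid={sock.pid}")
```

In the sample, PID 2044 listens on TCP 5500 and holds an ESTABLISHED connection on that same port, so the session from 203.0.113.17 is inbound: the remote host reached a service already waiting on this machine, which is the situation the firewall alert in this thread describes. PID 1580's connection to 198.51.100.9:443 uses local port 49812, an ephemeral port, so that process dialed out. The PID column is what ties a connection back to a program; on Windows the `-o` switch of `netstat` adds it, and Task Manager or Process Explorer resolves the number to an executable.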

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Thank you very much gentlemen. I am looking forward to moving to a new and better computer and using Windows 7.

Almost all of the ESET notifications, including the two here, have involved Taiwanese outfits. I'm not as concerned about Taiwanese as about PRC.

Once again, the program is not trying to contact those IPs; those IPs are attempting to contact an unknown program on your system. The direction of the network traffic is in-bound.

Could Wireshark or Fiddler help me find the unknown program?

I have been running a herdProtect scan although unfortunately I had to interrupt it and will start all over. So far it seems only to have found benign adware/"PUP"s, almost all getting only 1 or 2 detections out of the over 60 scanners.
 

Kiwimike

Level 1
Verified
Dec 15, 2015
29
I'm no expert, but my best guess is your PC is infected with a RAT; perhaps the firewall alerts are either because the RAT is trying to refresh the connection or, more likely, because you're part of a botnet.

My advice is to delete the executable that is triggering this. And run a full scan with Eset.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Thank you very much gentlemen. I am looking forward to moving to a new and better computer and using Windows 7.

Almost all of the ESET notifications, including the two here, have involved Taiwanese outfits. I'm not as concerned about Taiwanese as about PRC.



Could Wireshark or Fiddler help me find the unknown program?

I have been running a herdProtect scan although unfortunately I had to interrupt it and will start all over. So far it seems only to have found benign adware/"PUP"s, almost all getting only 1 or 2 detections out of the over 60 scanners.

Both can help. Fiddler only if the connections are HTTP (I used Fiddler a long time ago; I remember it as being an HTTP proxy), and it's a lot easier to use; Wireshark works on any type of connection, but if the software is contacting the servers rarely, it might take a while. Also, you can't keep Wireshark capturing forever even with capture filters, as it will quickly eat up all your memory. I would fire up Wireshark when you get an ESET alert and check the captured traffic, filtering by "destination IP" since you already know that info.

As @Kiwimike said, I also agree you might be part of a botnet, as Chinese servers and appliances are often easy victims for them.
 

Deleted member 178

You ran XP, you were asking for trouble... my advice, format + install something more recent.

Also, why do you show us X-NetStat pointing at Ad Muncher's process? Is it related to the ESET warning?

I did some quick research and the connection seems to be related to the PUPs, so just delete them and see if the connections are still alive.
 

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
I'm no expert but my best guess is your PC is infected with a RAT, perhaps the firewall alerts are either because the RAT is trying to refresh the connection or more likely because your part of a botnet.

I'm taking this possibility seriously. I searched "Discovering remote access trojans RATs". An article at Combofix mentions:

View Processes Running
Right-click your Windows toolbar and select “Task Manager.” Click the “Processes” tab in Task Manager. This window gives you a list of programs running on your machine. Review them for any strange names or names that you don’t recognize as typical programs. If you don’t recognize the name, type it into Google. Several sites tell you if a process is malicious, so you know if you have a RAT on your system.

Odd Startup Programs
In some cases, the hacker might want another program to start when you boot your computer. If you notice any strange programs that start up when you boot your computer, you might have a RAT. These secondary programs are usually malicious software also, so you’ll need to remove them when you remove the RAT.

I keep a very close watch both on startup programs (StartupStar and WinPatrol) and on running processes via both Task Manager and Process Explorer. No intruders are showing up there. I'm starting up a fresh Belarc Advisor report and running a herdProtect scan.
 

509322

I get frequent notifications from ESET of an unidentified application on my computer trying to communicate with a remote site.





I thought at one point I had figured out it was my Maxthon browser that was to blame for all these connections, but then I started to see notifications of them when Maxthon was not running, as in the second screenshot.

I posted about this at Need Help - What's the program trying to connect to Taiwanese & other foreign computers on my system?. (I'm going to go back and re-read that carefully.) I was advised there to try Wireshark and Fiddler. I haven't gotten around to that, but I intend to. I'm concentrating more on this now because my ESET subscription ends soon. I'll probably go to Bitdefender TS at that point (already having a license), but I don't know what level of detail its firewall will be providing me.

I have a trial of X-NetStat Pro, seen above. It's a lot better than CurrPorts and TCPView, but it still doesn't solve all mysteries.

I have scanned my system with ESET. It found only harmless adware.

It's embarrassing to admit this, but I still don't feel I have an adequate grasp of connections, local and remote ports, local and remote addresses, etc. If anybody knows of a good article or white paper or PDF that explains it all well for the layman, not the IT specialist, please link me to it.




Why won't you do any of these common sense things?:

1. Ask TwinHeadedEagle to review your system in Malware Removal Assistance
2. Ask ESET about it
3. Clean install the OS
 

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
I did some quick research and the connection seems to be related to the PUPs, so just delete them and see if the connections are still alive.

I don't know what PUPs refers to. Ad Muncher, Thunderbird, and Weather Eye are certainly stellar programs.

Both can help. Fiddler only if the connections are HTTP (I used Fiddler a long time ago; I remember it as being an HTTP proxy), and it's a lot easier to use;

Wikipedia says Fiddler does HTTPS as well. I'm going to download it.

Ask ESET about it

I have indeed been thinking about that. Should I go the email route and send them lots of screenshots?
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
I would first download MBAM, update it, and then restart and boot in safe mode without networking. Run a full scan with it, not the default one, which looks into the regular places where malware tends to be found. Scan the whole local disk and see what it catches. Safe boot without networking is a major friend when you want to remove malware.
 

509322

I have indeed been thinking about that. Should I go the email route and send them lots of screenshots?

I would submit a support request using whatever is their official method of getting support. Initially I would explain the issue and include an image of the ESET firewall alert. Then wait for whatever they request of you.

To be honest, your best bet would be to ask TwinHeadedEagle for Malware Removal Assistance first. He has a good system in-place that will give you an idea if anything is amiss. If it were me I would do it before anything else. Just saying that it is best to get a quick answer as to whether or not the system is infected. The longer you wait, the greater the potential of serious issues.

[MANDATORY] Preparation Guide Before Requesting Malware Removal Help
 

Deleted member 178

Or just don't bother, format + clean install of Win7 or Win10. Save time and gain a safer OS.
 
