Troubleshoot What's the program trying to connect to Taiwanese & other foreign computers on my system?

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
CurrPort and TCPView were interesting but did not resolve my issue. CurrPort created an HTML file I would like to be able to post here, but it's a long horizontal file that I don't believe I can properly convert.

Here is the weirdest and by far the most specifically identified site that something on my computer has tried to contact lately:
[screenshot: xw7LAv.png]


This is comical! @:p

Free Product Demo | IP2Location
IP Address: 50.198.35.237
Location: United States, Illinois, Yorkville
Latitude & Longitude: 41.620980, -88.431720 (41°37'16"N 88°25'54"W)
ISP: Rosati's Pizza
Local Time: 06 Jan, 2017 09:43 PM (UTC -06:00)
Domain: comcastbusiness.net
Net Speed: (COMP) Company/T1
IDD & Area Code: (1) 630/815
ZIP Code: 60560
Weather Station: Yorkville (USIL1300)
Mobile Country Code (MCC): -
Mobile Network Code (MNC): -
Carrier Name: -
Elevation: 183m
Usage Type: (COM) Commercial
Anonymous Proxy: No
Shortcut: http://www.ip2location.com/50.198.35.237

http://whois.domaintools.com/50.198.35.237
IP Location: United States Yorkville Rosati's Pizza
ASN: AS7922 COMCAST-7922 - Comcast Cable Communications, LLC, US (registered Feb 14, 1997)
Resolve Host: 50-198-35-237-static.hfc.comcastbusiness.net
Whois Server: whois.arin.net
IP Address: 50.198.35.237
NetRange: 50.198.0.0 - 50.198.63.255
CIDR: 50.198.0.0/18
NetName: CBC-ILLINOIS-14
NetHandle: NET-50-198-0-0-1
Parent: CCCH3-4 (NET-50-128-0-0-1)
NetType: Reallocated
OriginAS:
Organization: Comcast Cable Communications Holdings, Inc (CCCH-3)
RegDate: 2013-01-04
Updated: 2013-01-04
Ref: Whois-RWS

OrgName: Comcast Cable Communications Holdings, Inc
OrgId: CCCH-3
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
RegDate: 2003-07-28
Updated: 2016-09-06
Ref: Whois-RWS

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail:
OrgTechRef: Whois-RWS

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-888-565-4329
OrgAbuseEmail:
OrgAbuseRef: Whois-RWS

NetRange: 50.198.35.232 - 50.198.35.239
CIDR: 50.198.35.232/29
NetName: ROSATISPIZZA
NetHandle: NET-50-198-35-232-1
Parent: CBC-ILLINOIS-14 (NET-50-198-0-0-1)
NetType: Reassigned
OriginAS:
Customer: ROSATI'S PIZZA (C03301715)
RegDate: 2013-02-03
Updated: 2013-12-07
Ref: Whois-RWS

CustName: ROSATI'S PIZZA
Address: 1 Unavailable Street
City: YORKVILLE
StateProv: IL
PostalCode: 60560
Country: US
RegDate: 2013-02-03
Updated: 2013-02-03
Ref: Whois-RWS

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail:
OrgTechRef: Whois-RWS

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-888-565-4329
OrgAbuseEmail:
OrgAbuseRef: Whois-RWS

NetRange: 50.128.0.0 - 50.255.255.255
CIDR: 50.128.0.0/9
NetName: CCCH3-4
NetHandle: NET-50-128-0-0-1
Parent: NET50 (NET-50-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7922
Organization: Comcast Cable Communications, LLC (CCCS)
RegDate: 2010-10-21
Updated: 2016-08-31
Ref: Whois-RWS

OrgName: Comcast Cable Communications, LLC
OrgId: CCCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
RegDate: 2001-09-18
Updated: 2008-10-04
Ref: Whois-RWS

Here are a couple of screenshots of TCPView on my system scrubbed for privacy.

[screenshot: TCPView1a.PNG]

[screenshot: _TCPView 2.png]



Can someone direct me to a better ports program than these two? And more specifically can someone help me figure out how I can find out which program is making all these connection attempts? It seems like surely there ought to be a way for me to pin that down.
 
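The ARIN output above lists three nested blocks (a /9 allocated to Comcast, a /18 reallocated to Comcast Holdings, and a /29 reassigned to the customer), and the useful question is which one is the most specific. The following is an added example, not code from the thread or from CurrPorts, TCPView, IP2Location or DomainTools; it parses the abridged ARIN text embedded below (copied from the post) and walks the containing blocks from most specific outward. The function names (parse_blocks, network_of, allocation_chain, operator_of) are this example's own.

```python
"""Find the most specific WHOIS allocation that contains an IP address.

Added example (not from the forum thread or any tool it mentions). It parses
ARIN-style "NetRange:"/"NetName:"/"NetType:" blocks like the ones pasted in the
thread and reports the chain from the most specific block outward, which is
what tells you who actually operates the address (the /29 reassigned to a
customer) versus who merely holds the parent allocation (the ISP's /9).
"""
import ipaddress
import re

# Sample input: an abridged copy of the ARIN output shown in the thread.
WHOIS_TEXT = """\
NetRange: 50.198.0.0 - 50.198.63.255
CIDR: 50.198.0.0/18
NetName: CBC-ILLINOIS-14
NetType: Reallocated
Organization: Comcast Cable Communications Holdings, Inc (CCCH-3)

NetRange: 50.198.35.232 - 50.198.35.239
CIDR: 50.198.35.232/29
NetName: ROSATISPIZZA
NetType: Reassigned
Customer: ROSATI'S PIZZA (C03301715)

NetRange: 50.128.0.0 - 50.255.255.255
CIDR: 50.128.0.0/9
NetName: CCCH3-4
NetType: Direct Allocation
OriginAS: AS7922
Organization: Comcast Cable Communications, LLC (CCCS)
"""


def parse_blocks(text):
    """Split WHOIS text into dicts, one per blank-line-separated NetRange block."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "NetRange" in fields:
            blocks.append(fields)
    return blocks


def network_of(block):
    """Build a network from the NetRange; the CIDR line is used as a cross-check."""
    start, end = (s.strip() for s in block["NetRange"].split("-"))
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    if len(nets) != 1:
        raise ValueError(f"NetRange {block['NetRange']} is not a single CIDR block")
    net = nets[0]
    if "CIDR" in block and ipaddress.ip_network(block["CIDR"]) != net:
        raise ValueError(f"CIDR {block['CIDR']} disagrees with NetRange {block['NetRange']}")
    return net


def allocation_chain(text, ip):
    """Blocks containing ip, most specific first: (prefixlen, NetName, NetType, holder)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for block in parse_blocks(text):
        net = network_of(block)
        if addr in net:
            holder = block.get("Customer") or block.get("Organization", "?")
            hits.append((net.prefixlen, block["NetName"], block["NetType"], holder))
    # A longer prefix is a smaller, more specific block; put it first.
    return sorted(hits, key=lambda h: h[0], reverse=True)


def operator_of(text, ip):
    """Holder of the most specific matching block, or None if nothing matches."""
    chain = allocation_chain(text, ip)
    return chain[0][3] if chain else None


if __name__ == "__main__":
    for prefixlen, name, kind, holder in allocation_chain(WHOIS_TEXT, "50.198.35.237"):
        print(f"/{prefixlen:<3} {name:<16} {kind:<18} {holder}")
```

Run as-is it lists the /29 first (the customer reassignment), then the /18 and the /9, so the "ISP: Rosati's Pizza" line from the geolocation service is simply the most specific registrant of that block, not evidence that a pizza shop runs a server.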

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
cc...I recommend just blocking them, unless you are constantly getting warnings. Between the applications that must be allowed access to the internet and the ones you may have chosen to allow access, chances are you will see some unrecognized servers on the other end of internet transactions. This is why I don't allow programs access other than security. I just don't update until I absolutely have no other choice (for whatever reason) than to do so.
 

509322

CurrPort and TCPView were interesting but did not resolve my issue. [...]

Can someone direct me to a better ports program than these two? And more specifically can someone help me figure out how I can find out which program is making all these connection attempts? It seems like surely there ought to be a way for me to pin that down.

Read the CurrPorts Help File - there is a way to enable Logging and output a Log File - I believe as a text file.

Other more in-depth tools are Wireshark and Fiddler.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I have Wireshark on another PC. You might like it cc, but it's complex at first and will require a serious amount of scouring through help files. You can study connections over time and IPs and save a log of the connection analysis if you like, so it's a good tool. Might weigh on your system some. The capture logs can get pretty large if you run a capture for a long time, but you can tailor a capture to watch for and capture only certain things too, such as TCP/IP from port 80 (https) and so on.
 

509322

Thanks. What can you tell me about Wireshark and Fiddler, particularly how they could help me out here?

What @AtlBo said.

You want to search for connections within the assigned IP address range. Then you might be able to determine which program is connecting, but it might be a problem because of the GRE protocol. GRE is listed as the protocol in the ESET firewall alert. Look for GRE protocol in any reports - but it might not show up under the Protocol column. This is what I know about the GRE protocol:

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

What is Generic Routing Encapsulation (GRE)? - Definition from WhatIs.com

Have you considered calling Rosati's and ordering a pizza to get to the bottom of this?

Because what is presented in your OP provides an incomplete picture of the overall circumstances, and certainly "odd," my answer is only meant for your consideration - as a starting point.

ESET has its own logging. There are enough ESET users here that you can ask them to assist you in digging through the ESET logs as well.

Of course, if you begin to suspect something malicious, then ask @TwinHeadedEagle for malware removal assistance.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I was thinking the mafia or Jimmy Hoffa Jr. or maybe Putin is into this somehow, does that count :eek:? :confused:
 

509322

I also forgot to mention, the ESET firewall alert is for Inbound, and not Outbound, connection.

Something using Rosati's Pizza IP address is attempting to connect to your system.

Block it!

Application "0" = SYSTEM

You have a Lenovo system?
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
I also forgot to mention, the ESET firewall alert is for Inbound, and not Outbound, connection.
Something using Rosati's Pizza IP address is attempting to connect to your system.
Block it!
I agree, I would block Rosati's.
Have you ever ordered anything online?
Anyway, I would still order pizza from them :D I love their pizza ;)
Small world, almost neighbors.
The most paranoid users would think it a front company for the NSA\CIA... :D
If it is, they sure make good pizza.
 

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Thank you gentlemen.

I have Wireshark on another PC. You might like it cc, but it's complex at first and will require a serious amount of scouring through help files. You can study connections over time and IPs and save a log of the connection analysis if you like, so it's a good tool. Might weigh on your system some. The capture logs can get pretty large if you run a capture for a long time, but you can tailor a capture to watch for and capture only certain things too, such as TCP/IP from port 80 (https) and so on.

If Wireshark is resource-heavy and has a steep learning curve, alternatives would be welcome.

You have a Lenovo system?

No, an old Dell.

Something using Rosati's Pizza IP address is attempting to connect to your system.

I understand that notification to mean that something on my computer was trying to contact Rosati's Pizza. In every other case the destination of the attempted contact given to me was some big hosting service rather than the specific computer on that service--not very helpful. My own conclusion about Rosati's Pizza is that somehow human error got intermingled in this matter and that one or more wrong numerals was utilized.


Because what is presented in your OP provides an incomplete picture of the overall circumstances, and certainly "odd," my answer is only meant for your consideration - as a starting point.

What additional would you like me to provide?
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I understand that notification to mean that something on my computer was trying to contact Rosati's Pizza. In every other case the destination of the attempted contact given to me was some big hosting service rather than the specific computer on that service--not very helpful. My own conclusion about Rosati's Pizza is that somehow human error got intermingled in this matter and that one or more wrong numerals was utilized.

Think ESET means with the alert that Windows was trying to acknowledge (via a Windows Application) the transmission from the pizzeria. This is 100% normal for Windows to do. Maybe ESET's explanation is confusing you. Windows didn't seek the connection but is rather attempting to respond and shake hands with the prompt from the pizzeria. If you were using Windows Firewall it would block it too, but you wouldn't get an alert.

Jeff_T's statement below is what I am attempting to reiterate.

I also forgot to mention, the ESET firewall alert is for Inbound, and not Outbound, connection.

Something using Rosati's Pizza IP address is attempting to connect to your system.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
If Wireshark is resource-heavy and has a steep learning curve, alternatives would be welcome.

Try it cc. It's open source so not dangerous. It's the only thing that does what you want I believe. You will have to read up on how to use it, but you should be able to find resources via Google. Lots of YouTube vids on Wireshark.

What additional would you like me to provide?

I think you provided everything possible. There are limitations to what anyone can have information-wise. Maybe Jeff_T knows of ways, but I don't know of any.
 

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Think ESET means with the alert that Windows was trying to acknowledge (via a Windows Application) the transmission from the pizzeria. This is 100% normal for Windows to do. Maybe ESET's explanation is confusing you. Windows didn't seek the connection but is rather attempting to respond and shake hands with the prompt from the pizzeria. If you were using Windows Firewall it would block it too, but you wouldn't get an alert.

Jeff_T's statement below is what I am attempting to reiterate.

This puts a really different light on it if indeed the origination of all this is really from the outside and not really from an application on my computer. It's true that all this flood of notifications regards "application 0" and application 0 according to TCPView is "System Process".

Here is a screenshot of as much as I can give you from CurrPorts. I have scrubbed my email service, which appeared under the Remote Host Name column, and my IP Address, which appeared under the Local Address column for mDNSResponder.exe, svchost.exe, System, and Unknown. So here PID 0 is listed as "Unknown".

[screenshot: _CurrPorts.png]


Does everybody agree that application 0 is not something on my system that's initiating contacts but something that's attempting to respond to external contacts?
 
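The thread turns on three questions a defender can answer from the firewall's own alert log: are the alerts inbound or outbound, would a socket-level tool such as TCPView or CurrPorts even list the protocol (GRE has no TCP/UDP socket, so it never appears there), and is PID 0 (System) ever the side that initiates. The following is an added example, not code from the thread and not ESET's, TCPView's or CurrPorts' own; the CSV alert format and the sample rows are constructed for illustration (ESET's real log layout is not assumed), using the Rosati's address from the thread, made-up hinet.net host names on documentation IP ranges, and the example's own function names (parse_alerts, registrable_domain, triage, verdict).

```python
"""Triage host-firewall alerts: direction, protocol visibility, owning process.

Added example, not from the forum thread, ESET, TCPView or CurrPorts. The
alert format below is constructed (timestamp, direction, protocol, remote
address, remote host name, local PID); no real product's log layout is assumed.
"""
import csv
import io
from collections import Counter

# Protocol names used in the constructed log, mapped to IP protocol numbers.
IP_PROTO = {"TCP": 6, "UDP": 17, "GRE": 47, "ICMP": 1}
# Only TCP and UDP have sockets; other IP protocols never show in TCPView/netstat.
SOCKET_PROTOS = {"TCP", "UDP"}

# Constructed sample alerts. PID 0 is the Windows System process; 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
time,direction,proto,remote_ip,remote_host,local_pid
2017-01-06 20:03:11,in,GRE,50.198.35.237,50-198-35-237-static.hfc.comcastbusiness.net,0
2017-01-06 21:10:42,in,TCP,192.0.2.17,192-0-2-17.dynamic.hinet.net,0
2017-01-06 22:08:05,in,TCP,192.0.2.44,192-0-2-44.dynamic.hinet.net,0
2017-01-06 22:30:19,out,TCP,203.0.113.10,mail.example.net,4120
2017-01-06 22:45:50,in,UDP,198.51.100.9,198-51-100-9.dynamic.hinet.net,0
2017-01-06 23:12:57,in,TCP,192.0.2.99,192-0-2-99.dynamic.hinet.net,0
"""


def parse_alerts(text):
    """Read the constructed CSV into a list of dicts; the PID becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["local_pid"] = int(row["local_pid"])
        rows.append(row)
    return rows


def registrable_domain(host):
    """Crude 'last two labels' grouping, enough to lump *.hinet.net together."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(alerts):
    """Summarise the alerts along the axes the thread argues about."""
    inbound = [a for a in alerts if a["direction"] == "in"]
    outbound = [a for a in alerts if a["direction"] == "out"]
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        # Which networks are knocking, grouped by host-name suffix.
        "by_domain": Counter(registrable_domain(a["remote_host"]) for a in inbound),
        # Inbound alerts per hour: background scanning looks like a steady trickle.
        "per_hour": Counter(a["time"][:13] for a in inbound),
        # Traffic without a TCP/UDP socket; a packet capture is needed to see it.
        "invisible_to_socket_tools": [
            (a["remote_ip"], a["proto"], IP_PROTO.get(a["proto"]))
            for a in alerts if a["proto"] not in SOCKET_PROTOS
        ],
        # The case that would mean the host itself is reaching out: PID 0 initiating.
        "pid0_outbound": [a for a in outbound if a["local_pid"] == 0],
    }


def verdict(summary):
    """Short label: does anything attributed to System initiate, or is it all inbound noise?"""
    if summary["pid0_outbound"]:
        return "pid0-initiated-outbound"
    if summary["inbound"]:
        return "unsolicited-inbound"
    return "outbound-only"


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(summary))
```

On the sample the only outbound row belongs to a normal process (PID 4120), every PID 0 row is inbound, and the one GRE row is flagged as something TCPView or CurrPorts could never have displayed; that is the reading AtlBo and 509322 give of the ESET alerts, made checkable against a log rather than argued from a screenshot.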

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Does everybody agree that application 0 is not something on my system that's initiating contacts but something that's attempting to respond to external contacts?

If that is the case, why is it that only just before New Year's I started getting all these Inbound network traffic notifications from ESET? Is it because ESET has taken up a different policy and is showing me more things? (My ESET settings did not change.) Or is something on my computer to blame for this rise in notifications especially regarding Taiwanese sites, particularly hinet.net? Or is it some other cause?

My log with ExeWatch does not indicate anything suspicious coming aboard my system recently.
 

509322

Does everybody agree that application 0 is not something on my system that's initiating contacts but something that's attempting to respond to external contacts?

If that is the case, why is it that only just before New Year's I started getting all these Inbound network traffic notifications from ESET? Is it because ESET has taken up a different policy and is showing me more things? (My ESET settings did not change.) Or is something on my computer to blame for this rise in notifications especially regarding Taiwanese sites, particularly hinet.net? Or is it some other cause?

My log with ExeWatch does not indicate anything suspicious coming aboard my system recently.

It could be any of a wide range of things.

I provided you with the best advice under the circumstances via PM.
 

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
More of the same cc. Not just you:

Question - Who is attacking me?

BTW, if you are considering why there isn't more about this issue, I think one reason may be that not very many notice it happening. I can't say, but it might be quite a bit more prevalent than it seems.

Thank you for bringing that to my attention. I subscribed to that thread, and I'll be interested to see if anything develops.

I am wanting to scan my system myself before getting involved with a malware assistance forum, but an ESET scan failed prior to finishing. Maybe I'll try Zemana AntiMalware next.

The notifications are not as intense now, but they're still coming on about an hourly basis, and now it's almost always hinet.net from Taiwan.
 
