
Don't Understand Event Viewer Info


9 replies to this topic

#1 Bub12 (Members, 144 posts)

Posted 16 November 2009 - 10:00 PM

Well, after posting here then being directed to "Am I Infected", I was directed back here :-) I/we seem to think I am clean.

So, I've been doing some fiddling in areas of which I know little & am causing myself various levels of panic, & I thought you might be able to help.

Anyway, I have been continuing to look in my event viewer for signs of issues pertaining to the following threads: (before you waste time reading the BC threads, you may want to just read below beginning with "Today I noticed", as I believe that the issues I listed in the linked threads are worked out)

http://www.bleepingcomputer.com/forums/t/270180/cannot-scan-selected-files/

http://www.bleepingcomputer.com/forums/t/269492/dr-watson-post-mortum-debugging-error/

Today I noticed a couple of warnings that I thought I would investigate which led me here,

http://www.microsoft.com/technet/support/e...p&LCID=1033

Well, I did not have any "TCP state SYN_SENT in the State column of the Active Connections information", so I figured I was ok, but I started to poke around & searched for some of the IP addresses that did appear in the command prompt after typing in "Netstat -no", & the results made me nervous, although I do not understand what the results mean. Some IPs were Google, which I assumed were ok, but one IP, for example, led me to the following:

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

Seems to be a large, reputable company but some folks at McAfee Site Advisor have negative things to say, which is common with large companies.

So, would you be able to clarify some of this for me? Any help would be greatly appreciated

I am still thinking that I am not infected but just having some Windows & program questions. What do you think?

UPDATE: AVAST SAYS THEIR WARNING & ERRORS MESSAGES ARE NOT SIGNS OF INFECTIONS & NOTHING TO WORRY ABOUT.

But I still have confusion pertaining to the above Event Viewer info in this post. I am assuming that the Postmortem Debugger issue worked itself out & was related to the spooler error; however, I am not sure & may never be. Any thoughts would be appreciated. I take that back...any thoughts that are not insulting & are pertinent would be appreciated.

Edited by Bub12, 16 November 2009 - 10:47 PM.



#2 techextreme (Bleepin Tech, BC Advisor, 2,125 posts, Pittsburgh, PA)

Posted 16 November 2009 - 10:37 PM

"TCP state SYN_SENT" - The SYN flag is used when establishing a TCP connection.

As it was pointing to Level 3 Communications, it is trying to tell you your computer was establishing a connection with a router or some other piece of network equipment in the Level 3 Communications network.

The information posted here may give you a little more insight as to what all of the flags (SYN, FIN, RESET, PUSH, URG, and ACK) mean and/or point to.

As for Level 3 Communications, more information can be learned about them from here. As this link will tell you, "The company operates one of the largest communications and Internet backbones in the world". This means that any one of thousands of TCP connections could go through or connect directly to a piece of equipment owned and/or operated by Level 3 Communications.

I hope this helps clear things up a bit.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 Bub12 (Topic Starter, Members, 144 posts)

Posted 16 November 2009 - 10:52 PM

Hi & thanks for the reply. So, the sort of info in my EV is normal?

I just realized that the Microsoft link in my original post above was bad so I amended it. Here is a blurb from the link...

"This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows."

This is why I became concerned over some of the info I obtained in Event Viewer. Now that you have a valid link, can you tell me if my Event Viewer info listed in the above post is a problem or does it seem normal? Of course, there were other items in the EV as well, but the one I listed got my attention.

Thanks!

Edited by Bub12, 16 November 2009 - 10:53 PM.


#4 techextreme (Bleepin Tech, BC Advisor, 2,125 posts, Pittsburgh, PA)

Posted 16 November 2009 - 11:08 PM

Event ID 4226 in my experience normally shows when one machine is trying to make multiple connections to one address.

To explain: In Windows XP SP2 the implementation of TCPIP.sys limited the number of TCP connections to 10 per second. When this maximum is reached, an Event ID 4226 is logged in the Event Viewer.

This link will explain in more detail what the limitation on TCPIP.SYS does to Windows XP. That link is here.

Now, you can opt to remove this limit and "possibly" notice an increase in network speed but the thinking at Microsoft is to keep this.

As for Windows XP SP3, I'm not sure if this limitation was lifted or not, but I've not taken the time myself to check logs on any of my SP3 machines to find out.

In short, when I first started noticing these errors in Windows XP, I too read a lot about this event ID message and what it all means. My advice would be to watch your system closely for the next few days and make note of any "anomalies" resembling any of your earlier problems. If you do not see them and your computer is running as it should, I would say that you can safely disregard these messages in Event Viewer.

Hope this helps,

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#5 Bub12 (Topic Starter, Members, 144 posts)

Posted 17 November 2009 - 12:45 PM

Thanks, Techextreme,

Having read all of that I do have a better understanding but am still left with the question of what, for example, on my machine could cause repeated unsuccessful connection attempts as I am not running a server or any P2P networks?

Can you give me some examples? ...if you don't mind :-)

Thanks!

#6 techextreme (Bleepin Tech, BC Advisor, 2,125 posts, Pittsburgh, PA)

Posted 17 November 2009 - 01:44 PM

You can actually find out exactly what is trying to talk to what by using netstat -no and task manager.

When you run netstat -no this shows you the address to and from and also the process ID that it is originating from.

Once you have this information you can then open up Task Manager. Normally, Task Manager does not show the process ID by default, but that can be changed. Open Task Manager and click on the Processes tab. Now, click on View across the top, then Select Columns. Put a check next to "PID (Process Identifier)" and click OK.

Now Task Manager shows an extra column with the process IDs in it. The information from netstat -no can now be tracked back to the corresponding process ID in Task Manager.

Examples of programs that just talk: printer software, Windows Update, any kind of weather software (Weather Channel, local TV station software, etc.).
Things like this will talk at any interval and can be unpredictable. But with this new information you should be able to track back to the process ID what is talking.

Hope this helps,

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
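The correlation techextreme describes in posts #4 and #6 (read the State and PID columns of `netstat -no`, then look the PID up in Task Manager's PID column, and pay attention to processes piling up SYN_SENT connections, which is what the Event ID 4226 warning is about) can be scripted so you do not have to catch the process "in the act" by eye. The following is an added example written for this thread, not code from the original posts or from BleepingComputer. The `netstat -no` text and the PID-to-process table it works on are constructed sample data (documentation IP ranges, made-up PIDs and process names), not output captured from anyone's machine.

```python
"""Correlate `netstat -no` output with process IDs and flag half-open pile-ups.

Added example for the thread above; not from the original posts.
All sample data below is constructed: the addresses are from the
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
and the PIDs and process names are invented.
"""

# Constructed sample: what `netstat -no` prints on a Windows XP-era machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1035        198.51.100.7:80        ESTABLISHED     1184
  TCP    192.0.2.10:1036        203.0.113.44:80        SYN_SENT        2244
  TCP    192.0.2.10:1037        203.0.113.44:80        SYN_SENT        2244
  TCP    192.0.2.10:1038        203.0.113.44:80        SYN_SENT        2244
  TCP    192.0.2.10:1040        198.51.100.9:443       ESTABLISHED     1024
  TCP    192.0.2.10:1041        198.51.100.7:443       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1024
"""

# Constructed sample: what Task Manager's PID column would show for those PIDs.
SAMPLE_PROCESSES = {
    1024: "wuauclt.exe",   # Windows Update client (hypothetical PID)
    1184: "firefox.exe",   # hypothetical browser PID
    2244: "weather.exe",   # hypothetical weather widget
}


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -no` output.

    TCP rows have five columns (Proto, Local, Foreign, State, PID); UDP rows
    have no State column, so they carry only four.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines, "Active Connections"
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def summarize_by_process(rows, processes):
    """Group connections by PID, naming each PID from the Task Manager table."""
    summary = {}
    for r in rows:
        if r["pid"] == 0:
            name = "System Idle Process"   # PID 0 owns TIME_WAIT leftovers
        else:
            name = processes.get(r["pid"], "unknown (not in PID table)")
        s = summary.setdefault(r["pid"], {"name": name, "total": 0,
                                          "syn_sent": 0, "foreign": set()})
        s["total"] += 1
        if r["state"] == "SYN_SENT":
            s["syn_sent"] += 1
        s["foreign"].add(r["foreign"].rsplit(":", 1)[0])  # strip the port
    return summary


def suspicious_processes(summary, threshold=3):
    """PIDs with at least `threshold` half-open (SYN_SENT) connections.

    This is the "program responsible for the failing connection attempts"
    that the Microsoft article quoted in post #3 tells you to find; the
    threshold is a constructed choice, not a Windows constant.
    """
    return sorted(pid for pid, s in summary.items() if s["syn_sent"] >= threshold)


if __name__ == "__main__":
    summary = summarize_by_process(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES)
    for pid, s in sorted(summary.items()):
        print(f"PID {pid:>5} {s['name']:<28} conns={s['total']} "
              f"syn_sent={s['syn_sent']} peers={sorted(s['foreign'])}")
    print("worth a closer look:", suspicious_processes(summary))
```

On a live machine the sample strings would be replaced by the real output of `netstat -no` and `tasklist` (or the PID column in Task Manager), but the parsing and grouping are the same; the point is that a process with several connections stuck in SYN_SENT to one peer stands out immediately, while a single ESTABLISHED connection from a known updater or browser does not.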

 


#7 Bub12 (Topic Starter, Members, 144 posts)

Posted 18 November 2009 - 12:56 AM

Thanks!

I do already have my task manager set to show the PID but in order for this to work, I would need to catch the process in the act, no?

I am probably fine...just running with this too far...I hope! Although Avast shows no signs of infection, nor do any other scans that I run, there are still an abnormal amount of warnings & errors showing in the Avast logs. Back to Avast I go...

Thanks again

#8 techextreme (Bleepin Tech, BC Advisor, 2,125 posts, Pittsburgh, PA)

Posted 18 November 2009 - 08:45 AM

If you want to be sure your computer is ok, it may be worthwhile to open another topic in the Am I Infected forum and post your Avast logs. Let someone take a look at them and be sure.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#9 Bub12 (Topic Starter, Members, 144 posts)

Posted 19 November 2009 - 01:34 PM

THANKS for your assistance!

#10 techextreme (Bleepin Tech, BC Advisor, 2,125 posts, Pittsburgh, PA)

Posted 19 November 2009 - 01:40 PM

You're very welcome

:thumbsup:

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 




