TCP/IP Limiting on Concurrent Connect Attempts


2 replies to this topic

#1 DavyS

Posted 10 July 2016 - 12:21 PM

With the help of this site I recently managed to remove some Adware Hijacker malware. Being more careful, I now check my Event List daily. It looks clean except for an Event Code 4226, "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts". I understand that this might indicate a bad process that is trying TCP/IP addresses rapidly at random and so Windows has limited the number of attempts to 10 (per second?).

Neither Avast nor Malwarebytes nor AdwCleaner detected any problems.

The strange thing is that I get the Event Error every 24 hours and 8 minutes!!

Attached is what is displayed in the Command window 10 seconds before and 10 seconds after the event.

The difference between before and after is that PID 0 (shown as 'System Idle Process' in Windows Task Manager) has several TIME_WAITs to:

  • Loopback to local host 127.0.0.1 port 12110
  • 212.56.73.48:80 twice
  • 212.159.8.230&233 port 110
  • 77.234.43.85:443 - similar address to PID 1796 which is AvastSvc.exe

As you can see, there are no SYN_SENT statuses, which MS say are associated with this problem.

Can anyone throw any light on this?


 


#2 Trikein

Posted 10 July 2016 - 12:44 PM

212.56.73.48 is for a CDN on ISP PlusNet, probably for their website. 212.159.8.230 also belongs to Plusnet, or more specifically, mail.callnetuk.com and port 110 is for inbound POP3. What concerns me is it doesn't seem to have a PID attached. I would look at any email clients you have on the computer and see if they were infected. If you don't use any, uninstall them and see if the connections still open to port 110.



#3 DavyS

Posted 15 July 2016 - 08:12 AM

Thanks Trikein, reassuring to know that the connections are to Plusnet, my ISP.

Yes, strange that the process ID is 0; but then so are all the loopback checks, so probably OK.
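
Added example, not part of the thread: the before/after comparison described in post #1, run over two `netstat -ano` snapshots to count SYN_SENT rows per PID and list newly appeared TIME_WAIT endpoints. The snapshots are constructed (only the remote endpoints come from the post); the local address, PID 4321 and the `parse`/`triage` helpers are hypothetical, and the threshold of 10 is the figure quoted in the post.

```python
import re
from collections import Counter

# Constructed `netstat -ano` rows. Remote endpoints are the ones listed in the
# post; the local address, local ports and PID 4321 are invented for illustration.
BEFORE = "  TCP    192.168.1.10:49201    77.234.43.85:443     ESTABLISHED     1796\n"
AFTER = BEFORE + """\
  TCP    127.0.0.1:49310       127.0.0.1:12110      TIME_WAIT       0
  TCP    192.168.1.10:49311    212.56.73.48:80      TIME_WAIT       0
  TCP    192.168.1.10:49312    212.56.73.48:80      TIME_WAIT       0
  TCP    192.168.1.10:49313    212.159.8.230:110    TIME_WAIT       0
  TCP    192.168.1.10:49314    212.159.8.233:110    TIME_WAIT       0
  TCP    192.168.1.10:49315    77.234.43.85:443     TIME_WAIT       0
"""
# Constructed contrast case: one process with 12 half-open connect attempts.
BURST = "".join(
    f"  TCP    192.168.1.10:{50000 + i}    203.0.113.{i + 1}:80    SYN_SENT    4321\n"
    for i in range(12)
)

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z0-9_]+)\s+(\d+)\s*$")

def parse(text):
    """Return the set of (local, remote, state, pid) tuples for TCP rows."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.add((local, remote, state, int(pid)))
    return rows

def triage(before, after, limit=10):
    """Diff two snapshots. `limit` is the figure quoted in the post, applied
    to a single snapshot as a rough heuristic rather than a per-second rate."""
    old, cur = parse(before), parse(after)
    new = cur - old
    # Half-open outbound attempts are what count toward event 4226.
    syn_sent = Counter(pid for _, _, state, pid in cur if state == "SYN_SENT")
    # Windows lists TIME_WAIT sockets under PID 0 because the owning process
    # has already closed them, so these rows carry no usable PID.
    new_time_wait = sorted(r for _, r, state, _ in new if state == "TIME_WAIT")
    suspects = sorted(pid for pid, n in syn_sent.items() if n >= limit)
    return {"new_time_wait": new_time_wait, "syn_sent": dict(syn_sent),
            "suspects": suspects}
```

On a live machine the two inputs would be saved `netstat -ano` outputs taken shortly before and after the event time; catching SYN_SENT rows usually needs a snapshot taken while the burst is in progress, since they clear quickly.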





