Started to notice some suspicious IP's connecting under explorer.exe



#1 waspink

Posted 17 July 2016 - 02:39 AM

I am using Windows 10.

While doing some checks I started to notice there are strange IPs (mostly registered to Sprint) connected under explorer.exe; the local ports are always different when the IPs come back around. I've come across these established connections through netstat commands, TCPView and System Explorer.

Example:

explorer.exe 10.0.0.x:24744 - 198.70.66.48:http

explorer.exe 10.0.0.x:2965 - 198.70.66.48 port 80

Sometimes a different one, such as 50 rather than 48 at the end.

Also often established under explorer.exe is xxx-xxx-xxx-xxx.deploy.static.akamaitechnologies.com:http, which I don't like, but doesn't concern me as much.

When I did see a PID attached to these connections I could not find the matching PID in my processes. I scanned for hidden processes, and there are 1-3 hidden PIDs at different times; however, none of those match either. I don't know how to figure out what these hidden PIDs account for. I do my homework, but I still consider myself closer to a novice.

I tried blocking the IP within my firewall but still noticed the foreign IP afterwards (it comes and goes, and I've also seen a different suspicious IP).

I've scanned and cleaned my comp with Malwarebytes, Avast, IObit Malware Fighter, RogueKiller, and IObit Advanced SystemCare.

Wish I did it sooner, but connecting to PIA VPN made these suspicious connections disappear.

I may be paranoid, but I'm worried I've got someone spying on me, and who knows what information they may have gathered by now.

The computer is not running slow, but there are some minor events, such as high CPU or RAM, more than 1 instance of explorer.exe, and WmiPrvSE.exe (under svchost, usually one which jumps in CPU usage). TiWorker.exe and processes related to Zune folders seem odd too. I do know these are legit, but maybe not in my case?

I know there are other small things, but I am trying not to fall asleep.

I just really want this figured out; it has been consuming my time, and I will very much appreciate any help!!




#2 technonymous

Posted 17 July 2016 - 09:56 AM

https://en.wikipedia.org/wiki/Akamai_Technologies

EDIT: You will see a lot of connections to Akamai using Microsoft's App store. Akamai has close ties with Microsoft. I just firewall it and WinStore.Mobile.exe goes bye bye.


Edited by technonymous, 17 July 2016 - 10:30 AM.


#3 waspink (Topic Starter)

Posted 17 July 2016 - 10:53 AM

technonymous said:

https://en.wikipedia.org/wiki/Akamai_Technologies

EDIT: You will see a lot of connections to Akamai using Microsoft's App store. Akamai has close ties with Microsoft. I just firewall it and WinStore.Mobile.exe goes bye bye.

Yes, I'm not worried about akamaitechnologies; I was just pointing out they're connected to explorer.exe a lot with the other suspicious IPs. Do you happen to have any advice on the IPs associated with Sprint? They narrow down to random locations, for example a town in Virginia; that seems very suspicious to me!



#4 technonymous

Posted 17 July 2016 - 10:03 PM

You can do an online whois IP check. Just google "whois ip". If you're checking your connection using netstat you can use a netstat -bfo command to see the FQDN name instead of IPs. To run netstat -bfo the command line needs to be run as admin. Most established connections are browser and Windows services. Completely normal. Ports are going to open to the outside world if you use a browser to connect to the internet. That is just the way things work. Your computer initiates the connection out to begin the established session.

Yes, viruses can connect out too. This is the reason to have NAT routers/firewalls and a virus scanner suite that includes a software firewall as well. Those are the first line of defense so that your computer doesn't get infected in the first place. That is why the virus scanner is running in the background all the time doing real-time heuristic scanning and definition scanning. It squishes viruses as they come in or out. A virus may completely bypass the virus scanner definitions, but the heuristic scanning might catch it. With heuristics the virus scanner learns how viruses act in general. They are always trying to run at a higher admin elevated level or trying to bypass the UAC (User Access Control), which should not be turned off, period. Many people turn off the UAC as it's just too annoying to have and claim it doesn't help anyway. That is completely untrue. It is to block keyboard macro scripts and network worms and CROM/USB dropped payloads.

You can have all the security in the world, but if you allow an unsecured, outdated Windows XP box on the same network with rights to access that uber-secured machine's files, guess what? Your security means nothing. A secured system might still have a flaw in the Windows OS itself that has yet to be discovered by Microsoft, and that can be exploited to gain entry. Why try beating down the iron front door when I can knock down a straw back door? Make sense?


Edited by technonymous, 17 July 2016 - 10:05 PM.
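The check described in this thread (match each connection's PID against the running processes, then look at where the established sessions go) can be scripted so the two cases the original poster found stand out: a PID that no listed process owns, and an ESTABLISHED session to a public address. The block below is an added example, not code from any of the posters; it parses the text of `netstat -ano` (numeric form, which is easier to parse than the `-b`/`-f` output quoted above) against a PID-to-image table of the kind `tasklist` reports. All sample rows, addresses and PIDs are constructed for the example.

```python
"""Triage a Windows `netstat -ano` listing against the process table (added example)."""
import ipaddress
import re

# Constructed `netstat -ano` output; the addresses and PIDs are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:24744         198.70.66.48:80        ESTABLISHED     4120
  TCP    10.0.0.5:2965          198.70.66.50:80        ESTABLISHED     9999
  TCP    10.0.0.5:49700         10.0.0.1:445           ESTABLISHED     4
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1720
"""

# Constructed process table as `tasklist` would report it: PID -> image name.
SAMPLE_PROCESSES = {4: "System", 1720: "svchost.exe", 4120: "explorer.exe"}

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": fhost, "remote_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def is_external(host):
    """True for a routable public address; False for private, loopback, '*' or names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' wildcard, or a hostname from netstat run without -n
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast)


def triage(rows, processes):
    """Flag rows whose PID has no process, or that are ESTABLISHED to a public host."""
    findings = []
    for row in rows:
        reasons = []
        if row["pid"] not in processes:
            reasons.append("owning PID not in process list")
        if row["state"] == "ESTABLISHED" and is_external(row["remote_host"]):
            reasons.append("established to public address")
        if reasons:
            findings.append({**row, "image": processes.get(row["pid"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"{f['proto']} {f['remote_host']}:{f['remote_port']} pid={f['pid']} "
              f"image={f['image']} -> {', '.join(f['reasons'])}")
```

Capture `netstat -ano` and `tasklist` back to back: a PID that is missing from the process list is far more often a short-lived process that exited between the two snapshots than something hidden, and `netstat -b` (run as admin, as the post says) prints the image name on the row itself, which removes that gap. A public-address session owned by explorer.exe is not by itself evidence of anything; the next step is to look at which modules that explorer.exe instance has loaded, since shell extensions run inside it.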


#5 HairyApricot

Posted 19 July 2016 - 06:29 AM

Is Sprint your internet provider? If it helps, I stopped explorer.exe making outbound connections many months ago and there were no adverse side effects to doing so.



#6 waspink (Topic Starter)

Posted 21 July 2016 - 10:07 AM

HairyApricot said:

Is Sprint your internet provider? If it helps, I stopped explorer.exe making outbound connections many months ago and there were no adverse side effects to doing so.

No, Sprint isn't my ISP; that's not even an option where I live. The IPs' locations are out of state. I can't figure these connections out, and I find them very suspicious; it seems they belong to a residence and not a company.

#7 HairyApricot

Posted 23 July 2016 - 09:46 AM

Well, I am not sure about the resident ones, but Akamai is perfectly ordinary. Block outbound connections from explorer if you want; I did and it was fine.





