Wednesday, November 22, 2017

security - What are these weird IP address connections in resource monitor?

I decided to check out Resource Monitor (on the 'Performance' tab in Task Manager, Windows 7) and I noticed in the "Network" section that the 'System' image name kept making a bunch (~5 at a time) of connections to random IP addresses; it would show anywhere from 1-500 bytes/sec 'sent'. They would stay connected for 1-2 minutes.


- All web browsers are closed


So, the first thing I did was run a trace from network-tools.com on some of these IP addresses. 8/10 were outside of the US and did not resolve to any host name. Of the 10 IP addresses I traced, 2 were in the US, 4 showed origins in China, and one each to Algeria, Russia, Pakistan, Korea. (!)


So, the next thing I did was turn off my wireless card, watch the connections disappear, then turn the card back on, and within 30 seconds more random connections were created by System, with different IP addresses from the first time.


The next thing I did was go open Task Manager, Show Processes From All Users, then I killed just about everything that wasn't (what appeared to be) a Windows process.


I turned on Wi-Fi, and again within 30 seconds, random IP addresses connect for ~ 1 min at a time, new ones coming and going.


I occasionally use BitTorrent on this machine, but there was definitely no process that seemed related to BitTorrent running after I went through Task Manager, and BitTorrent wasn't open to begin with.


So, any ideas on what these connections might be for?
I have been using Ad-Aware Free and AVG Free on this computer for a while now, always up to date.


UPDATE:
I ran netstat a few times with different options set, including netstat -a.
Even while I had the network resource monitor open and could see ~5 random IP addresses shown under the System process, netstat showed no connection containing any of these IP addresses.


Another interesting update: Yesterday, while random IPs existed, I downloaded and installed Spybot S&D. The random connections stopped, and I haven't seen them since. This happened before I even scanned using Spybot S&D. The 'full scan' showed nothing other than 1 cookie.
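
The cross-check described in the update, comparing addresses seen in Resource Monitor against netstat output, can be scripted. This is an added example, not part of the original post; it assumes output saved from `netstat -ano`, and the sample text, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49200     203.0.113.7:443        ESTABLISHED     2312
  TCP    192.168.1.20:49205     198.51.100.9:51413     TIME_WAIT       0
  TCP    [::1]:49300            [::1]:5357             ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1180
  UDP    192.168.1.20:137       *:*                                    4
"""

def parse_netstat(text):
    """Return table rows as dicts; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        # Split off the port from the right so bracketed IPv6 hosts survive.
        remote = f[2].rsplit(":", 1)[0].strip("[]")
        rows.append({"proto": f[0], "local": f[1], "remote": remote,
                     "state": f[3] if len(f) == 5 else "",  # UDP has no state
                     "pid": int(f[-1])})
    return rows

def cross_check(observed_ips, rows):
    """Map each observed IP to the (proto, state, pid) rows naming it as remote."""
    by_remote = defaultdict(list)
    for r in rows:
        by_remote[r["remote"]].append((r["proto"], r["state"], r["pid"]))
    return {ip: by_remote.get(ip, []) for ip in observed_ips}

def udp_endpoints(rows, pid):
    """Local UDP endpoints of a PID; netstat prints '*:*' as their remote,
    so a remote IP can never be matched against these rows."""
    return [r["local"] for r in rows if r["proto"] == "UDP" and r["pid"] == pid]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    seen = ["203.0.113.7", "198.51.100.9", "192.0.2.55"]  # constructed list
    for ip, hits in cross_check(seen, rows).items():
        print(ip, hits or "not present in netstat output")
    print("UDP endpoints owned by PID 4 (System):", udp_endpoints(rows, 4))
```
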
