system trying to connect to unknown IPs

originaljgf

Recently I've been getting popups from my firewall that "NT Kernel & System" is trying to connect to various IPs; I do not respond so the request is automatically blocked until the next time.

I have tried several IP search and reverse DNS sites but all report "not found" or "error in entry" or "invalid IP".

These five keep recurring:

189.159.159.170
104.21.20.191
104.18.26.211
185.159.159.170
38.113.165.142

What exactly is initiating this and to what is it trying to connect? FTR Kaspersky and Malwarebytes say the system is clean.
All of those IP addresses look benign except 189.159.159.170. That IP looks like an ISP out of Mexico and could have been a former email server. It's possible it's due to a RAT (Remote Access Trojan). This is like a reverse shell used to view and interact with your computer. But I kinda doubt it. It also looks like you're running Kaspersky (failed to see your added text there mentioning your use of Russianware) which I wouldn't. Kaspersky Security Cloud Free AntiVirus - Still Using

I can tell you that damn near ALL software you install comes packed with telemetry BS, or its basic update facility is what you're seeing. To the inexperienced user it's very hard to know what's what unless you run a tight ship and know what you're doing. One possible way of seeing what an IP is doing is by running Wireshark, but you need to know how to use it and all its options. There's another program by Nirsoft called Currports. And he's got a no-frills network packet sniffer called Smartsniff. In Currports you can turn on logging. I do this while the computer is idle from time to time.

You could try a full HDD anti-virus scan with the live bootable OS Hirens Boot CD. You can use Ventoy with a blank USB drive to boot Hirens.

Hard drive monitoring software like Disk Pulse or MultiMon can help. Go here and run SanityCheck. What are its conclusions?

All of this requires some know-how, however. By that I mean it may make or break paranoia if it's nothing at all. If you feel like you've been hacked or something, you might want to check in with Bleepingcomputer. Or for me, I'd just back up my important data to another HDD, scan that whole lot in a live bootable environment only using the Internet once for anti-virus updates, and reinstall Windows. But it's actually a bit more involved than that. Proper drive sanitation, and anti-virus scanning with Rings 0-3 hook scanning, alternate data streams, sandboxing the backed-up data, you freaking name it.

I don't want to scare you, just pointing out some info you should learn about.

For future reference, VirusTotal can be used as an AID for IP checking and file checking. But again, you should know how to use it properly with the file relations and behaviors if provided.

If you're willing to learn firewalls, learn pfSense. Or maybe Untangle.
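An added example, not code from anyone in this thread, of doing what Currports does by hand: attributing each outbound TCP connection to its owning process with nothing but netstat -ano and Get-Process, which Windows 7 already has. It assumes an elevated PowerShell session so every PID resolves to a name, and flags PID 4 (the System process, which firewalls display as "NT Kernel & System") and any remote address on the five-IP list from the first post.

```powershell
# Added example, not code from anyone in this thread. Attribute outbound TCP
# connections to their owning process using only what Windows 7 ships with
# (netstat -ano and Get-Process). Firewalls label traffic owned by the System
# process (PID 4) as "NT Kernel & System", so that case is flagged separately.
# Assumption: run in an elevated PowerShell so every PID resolves to a name.

# Watch list copied from the original post, with the dots restored.
$WatchList = @('189.159.159.170', '104.21.20.191', '104.18.26.211',
               '185.159.159.170', '38.113.165.142')

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Row format: Proto  LocalAddress  ForeignAddress  State  PID
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return }   # skip headers and UDP rows
    $cut = $f[2].LastIndexOf(':')            # IPv6 remotes contain colons: split on the last one
    $remoteIp = $f[2].Substring(0, $cut).Trim('[', ']')
    $procId = [int]$f[4]
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<no such PID on this host>' }
    New-Object PSObject -Property @{
        RemoteIp    = $remoteIp
        RemotePort  = $f[2].Substring($cut + 1)
        State       = $f[3]
        ProcessId   = $procId
        Process     = $name
        KernelOwned = ($procId -eq 4)        # what the firewall shows as "NT Kernel & System"
        OnWatchList = ($WatchList -contains $remoteIp)
    }
}

function Get-OutboundConnections {
    # Pass your own netstat lines to test; omit the argument to read the live table.
    param([string[]]$NetstatOutput = (netstat -ano))
    $NetstatOutput |
        ForEach-Object { ConvertFrom-NetstatLine $_ } |
        Where-Object { $_ -ne $null -and $_.State -ne 'LISTENING' }
}

# Constructed sample rows (not a real capture) so the parser can be exercised offline.
$Sample = @(
    '  TCP    192.168.1.20:49712     104.21.20.191:443      ESTABLISHED     2456',
    '  TCP    192.168.1.20:49801     189.159.159.170:25     SYN_SENT        4',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  UDP    0.0.0.0:5355           *:*                                    1104'
)
Get-OutboundConnections -NetstatOutput $Sample |
    Format-Table RemoteIp, RemotePort, State, ProcessId, Process, KernelOwned, OnWatchList -AutoSize
```

Process names are looked up on the machine the script runs on, so the constructed rows show whatever happens to own PID 2456 there (or the placeholder); run `Get-OutboundConnections` with no argument, repeatedly while the box is idle, to catch the real owner at the moment the firewall prompt appears.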
Thanks for the input; while not a complete noob (cursing computers since the days of an HP2000e and TTY terminals, online with windoze for thirty years now), I have little knowledge of networking, especially the intricacies of modem, firewall, and internet settings. I was leery of these requests because "NT Kernel & System" could be anything on my computer; this is like caller ID displaying "phone call" instead of a number. I much prefer the old PCTools Firewall Plus, which would list the particular exe making the request. It's not officially supported for Win7 but allegedly works; it did here until a month or so ago, when it stopped alerting to outgoing connections and used a constant 28% CPU when on.

As for anti-malware, over the past decade I've gone from Avira to Panda to Kaspersky to Avast and back to Kaspersky. Removed Kaspersky yesterday; I only have Malwarebytes now while I ponder the next move. (Avast was miserable, thrashing my C drive every 10 minutes for 2-3 minutes of 3-4 MB/sec reads/writes; it was gone after two weeks. But the new Kaspersky is Kaspersky Cloud, which irritated me so with constant popups to verify every move I made that it only lasted three days; for example, every time I opened or closed my VPN, Kaspersky would go ballistic about "new ethernet discovery" with a lot of technical jargon and "do you want to allow traffic on this network" ... no, I just did this so we could have fun blocking it; of course allow it, you nitwits. Then the screen would grey out with another popup: "click OK within 30 seconds to verify you made these changes".) I liked Kaspersky because it was light on resources and always scored at or near the top in detection and removal.

I'm tempted to revert to my old form of anti-malware: a pair of external 1 TB USB drives alternating every 3-4 weeks for a full clone of the internal drives, with incremental updates to a flash drive; any infection that can't be cleared by a simple download/scan is handled by wiping the internal drives and reinstating the clones and backups. It takes perhaps an hour ... and is easier than dealing with these scanner/security programs every day.

Firewall is default windows but with Binisoft (now Malwarebytes) Firewall Control.
You might be interested in what I just wrote here: Kaspersky Security Cloud Free AntiVirus - Still Using

I realize that what I do is not for everyone though.

Yes, it's like caller-ID, per se, but there's no real ANI. Like trying to scope out an idiot who falsified the caller-ID via a SIP trunk, AKA a VoIP server. I have a double "firewall" for my land line on that crap. LOL. Yeah, I still use a land line. This is the number I give out to everyone, knowing full well it'll eventually wind up on a crap list. Thus the double "firewall". I use Nomorobo (not the app) and PhoneTray.

Like I mentioned, pfSense is going to be VASTLY more efficient. Plus, if you're willing to learn there's an IDS called Snort for pfSense.


When you were messing with TTY, I was probably sending Morse code on a kid's walkie talkie (two-way radio) on ~49 MHz from the defunct antenna on the roof. LOL!


Negative Rings in Intel Architecture: The Security Threats That You’ve Probably Never Heard Of | by RealWorldCyberSecurity | The Startup | Medium