Post by laverne on Dec 16, 2013 22:31:59 GMT -5
I'm running Windows XP. In looking at Event Viewer (System), I often get a TCPIP Warning with Event 4226. The description says this: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. On a recent warning, I immediately did a command "netstat -no" which was recommended to see what was trying to access the network. Results are shown below. There were 116 entries. I pasted only the beginning of the list. Does this recurring Warning indicate someone trying to get into my computer? What should I do?
Laverne

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Laverne Edwards>cd \

C:\>netstat -no

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:2268     74.125.196.84:443      TIME_WAIT       0
  TCP    192.168.1.100:2270     74.125.21.139:443      TIME_WAIT       0
  TCP    192.168.1.100:2271     74.125.21.95:443       TIME_WAIT       0
  TCP    192.168.1.100:2272     54.245.247.234:80      TIME_WAIT       0
  TCP    192.168.1.100:2273     54.245.247.234:80      TIME_WAIT       0
  TCP    192.168.1.100:2274     54.245.247.234:80      TIME_WAIT       0
  TCP    192.168.1.100:2275     54.239.172.82:80       TIME_WAIT       0
  TCP    192.168.1.100:2276     54.239.172.82:80       TIME_WAIT       0
  TCP    192.168.1.100:2277     54.239.172.82:80       TIME_WAIT       0
  TCP    192.168.1.100:2278     23.218.156.200:80      TIME_WAIT       0
  TCP    192.168.1.100:2279     23.218.156.200:80      TIME_WAIT       0
  TCP    192.168.1.100:2284     190.93.246.77:80       TIME_WAIT       0
  TCP    192.168.1.100:2291     190.93.244.76:80       TIME_WAIT       0
  TCP    192.168.1.100:2292     190.93.244.76:80       TIME_WAIT       0
  TCP    192.168.1.100:2293     190.93.244.76:80       TIME_WAIT       0
  TCP    192.168.1.100:2294     190.93.244.76:80       TIME_WAIT       0
  TCP    192.168.1.100:2298     74.125.21.113:80       TIME_WAIT       0
  TCP    192.168.1.100:2299     74.125.21.113:80       TIME_WAIT       0
  TCP    192.168.1.100:2300     74.125.21.113:80       TIME_WAIT       0
Post by drmark on Dec 17, 2013 3:34:03 GMT -5
Post by laverne on Dec 17, 2013 6:54:29 GMT -5
Thanks, Mark, for the site. I have looked at these instructions and the problem is that the PID in all 116 entries in my netstat list shows zero (0) -- that is the PID for "System." Any further advice? Laverne
These are the instructions:

This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

To close the program
1. At the command prompt, type netstat -no
2. Find the process with a large number of open connections that are not yet established. These connections are indicated by the TCP state SYN_SENT in the State column of the Active Connections information.
3. Note the process identification number (PID) of the process in the PID column.
4. Press CTRL+ALT+DELETE and then click Task Manager.
5. On the Processes tab, select the processes with the matching PID, and then click End Process. If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.
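The procedure quoted above comes down to grouping netstat -no rows by PID and state and looking for a PID with many SYN_SENT rows. The following script is an added example (not from the thread or from Microsoft) that does that grouping over a constructed sample of netstat output; the SYN_SENT rows and PID 1234 in the sample are made up for illustration, and it also shows why the TIME_WAIT rows in Laverne's list all carry PID 0: no process owns a socket in that state any more, so those rows cannot point at a program.

```python
import re
from collections import Counter

# Constructed sample of "netstat -no" output. The TIME_WAIT/PID 0 rows mirror
# the thread; the SYN_SENT rows owned by a hypothetical PID 1234 are invented
# so the Microsoft procedure has something to find.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:2268     74.125.196.84:443      TIME_WAIT       0
  TCP    192.168.1.100:2272     54.245.247.234:80      TIME_WAIT       0
  TCP    192.168.1.100:2275     54.239.172.82:80       TIME_WAIT       0
  TCP    192.168.1.100:2301     203.0.113.10:445       SYN_SENT        1234
  TCP    192.168.1.100:2302     203.0.113.11:445       SYN_SENT        1234
  TCP    192.168.1.100:2303     203.0.113.12:445       SYN_SENT        1234
  TCP    192.168.1.100:2310     198.51.100.5:443       ESTABLISHED     2048
"""

# One TCP row: local address, foreign address, state, PID (UDP rows have no state).
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local, foreign, state, pid) tuples for every TCP row in netstat -no output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append((local, foreign, state, int(pid)))
    return rows

def connections_by_pid_and_state(rows):
    """Count rows per (pid, state). TIME_WAIT rows show PID 0 because the owning
    process has already closed the socket, so they never identify a program."""
    return Counter((pid, state) for _, _, state, pid in rows)

def suspect_pids(rows, threshold=3):
    """PIDs with at least `threshold` half-open (SYN_SENT) attempts: the candidates
    step 2 of the procedure says to look up in Task Manager."""
    syn_sent = Counter(pid for _, _, state, pid in rows if state == "SYN_SENT")
    return {pid: n for pid, n in syn_sent.items() if n >= threshold}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (pid, state), n in sorted(connections_by_pid_and_state(rows).items()):
        print(f"PID {pid:>5}  {state:<12} {n}")
    print("PIDs to check in Task Manager:", suspect_pids(rows))
```

On a real machine, pipe the command into the parser (netstat -no > out.txt, then read the file); a list like Laverne's, where every row is TIME_WAIT with PID 0, yields no suspect PIDs at all.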
Post by drmark on Dec 17, 2013 8:42:01 GMT -5
Have you noticed any other unusual things happening with your system, such as high CPU use, the computer seeming to run slower, the hard drive spinning more often, etc.? We can increase the amount of allowable connections and stop the events but would not want to do that if there is some more serious reason for this error. It is interesting that most of the addresses point to a location in Oregon and the address owned by Amazon.com!!??
Post by laverne on Dec 17, 2013 9:05:46 GMT -5
I haven't noticed anything unusual happening. I DO watch CPU usage very closely, having Task Manager open almost all the time so I can see its icon showing usage.
I read about increasing the number of requests allowable before the message appears -- but as you said, this is not a solution but rather just a way of saying "don't bother me with warnings."
I know so very little about Internet access -- so will ask this of you. Would it help if I used OpenDNS, do you think? I really don't understand it but have signed up for an account. Or is this totally disconnected from this problem?
Laverne

BTW, this warning appeared today at 8:30 a.m., 6:46 a.m. and 5:55 a.m. Usually I don't get that many warnings -- so things may be getting worse. Regarding Amazon, I do order from them often but always clear the cookies and cache. I am using Chrome almost exclusively for the past month or more. But I got the warnings with IE8 also.
Post by blueboxer on Dec 17, 2013 18:04:49 GMT -5
FWIW, I got a similar warning a few days back, but when I used the Run command from the Start menu the black box just flashed on the screen, not even long enough for me to see if netstat -no had been loaded. It's on my list of stuff to ask about. It was on my XP machine.
Post by laverne on Dec 17, 2013 18:18:09 GMT -5
Reply to blueboxer:
You must use the command prompt screen for netstat -no, not the Run box.
One way to get to the Command Prompt screen is to type in the Run box "cmd" without the quotes, then click OK.
When the command prompt screen shows, type in "netstat -no" without the quotes and press Enter.
Laverne

I'm still wondering about OpenDNS -- does anyone on the forum use it? Will it solve my TCPIP problem perhaps?
Post by drmark on Dec 17, 2013 23:20:02 GMT -5
OpenDNS will not resolve this issue. The issue is with your operating system, not with your ISP. OpenDNS simply reroutes your Internet servers for reportedly additional speed -- which, by the way, I have never found that significant.
Post by laverne on Dec 18, 2013 6:36:29 GMT -5
Thanks, Mark, for letting me know that OpenDNS will not help my problem. I was under the impression that it was used for security and protective purposes.
Would you share how you got to "Amazon in Portland" in analyzing some of the IP addresses in my netstat list? I have tried whois.net and can get some information -- but not the location.
Laverne
Post by drmark on Dec 18, 2013 9:02:35 GMT -5
Laverne,
I used whois.net as well. Use the foreign address, i.e. 54.239.172.82:80 for example. There was another that actually showed the address on a Google map but now I don't see it. I will try to find it as well.
Post by drcard on Dec 18, 2013 20:45:38 GMT -5
Hi Laverne,
First, since your scans are clean and you do not notice any strange behavior, what you see in the event is normal for your setup.
Second, the best way to search an unknown IP address is to enter into a search engine (I use Google - advanced screen): IP 54.245.247.234 (an IP from your above list). Placing "IP" before the address numbers tells the search engine that the numbers are an IP address rather than some math formula or computer readout. This will yield not only a link for whois but also many other IP address finders (try myip because I think it gives the most info as well as a small Google map pinpointing the location of the IP address). When an IP address is linked to malware, such a search also yields links to postings about it and the problems associated with that IP address. Thus the above search yields who, where, what, and is it bad.
Post by laverne on Dec 20, 2013 8:33:21 GMT -5
Hi Dana,
It is reassuring to hear that the 4226 event is normal for my setup. Thank you so much. This has been haunting me for months before I asked about it. Thanks, too, for the information about looking up IP addresses. There is always more to learn!
Laverne