TechSpot

ZoneAlarm messages

By DeathsDesign
Apr 23, 2009
  1. I see on my ZA log that there are a few connections, incoming and outgoing, from svchost.exe. Was wondering if I could get some help in figuring out if this is an issue or not. I know they are blocked so I am safe, but what are they trying to do?


    program: svchost outgoing to IP 124.40.51.144:3478 blocked


    program svchost incoming from IP 124.40.51.145:3478 blocked

    program svchost incoming from IP 77.67.10.134:3478 blocked

    program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 69.26.190.119:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 69.26.190.127:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 96.17.157.44:3478 blocked SourceDNS: cn1.redswoosh.akadns.net

    program svchost incoming from IP 96.17.157.48:3478 blocked SourceDNS: a96-17-157-48.deploy.akamaitechnologies.com

    program svchost incoming from IP 124.40.51.144:3478 blocked

    program svchost incoming from IP 124.40.51.148:3478 blocked

    TIA.

    I have searched and searched and cannot find anything, anyone have any ideas?

    TIA
     
  2. captaincranky

    captaincranky TechSpot Addict Posts: 10,824   +922

    Dunno what the rest of them are but isn't >> akamaitechnologies << The verisign secure server (https) for banking and credit card approvals?
     
  3. DeathsDesign

    DeathsDesign TS Rookie Topic Starter Posts: 31

    Why would it be asking for an incoming connection when I am not on my bank website? I don't get it.... Anyways it's blocked so I guess that is good.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I would be concerned about what process you have in YOUR computer that is calling Japan and waiting for answers!
    IF you are doing the media thing-voice, video, messaging and interactive functions, I would be concerned about this IP. More here on STUN: http://en.wikipedia.org/wiki/STUN


    Your firewall is blocking both incoming and outgoing, so you're safe.

    77.67.10.134>> same port Incoming
    IP is in OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: P.O. Box 10096
    City: Amsterdam
    Specifically:
    netname: AKAMAI-TINET
    descr: Akamai Technologies
    country: NL

    IP :96.17.157.44>> same port incoming.
    OrgName: Akamai Technologies
    OrgID: AKAMAI
    Address: 8 Cambridge Center
    City: Cambridge
    StateProv: MA

    The others are normal internet traffic.
     
  5. DeathsDesign

    DeathsDesign TS Rookie Topic Starter Posts: 31

    The process that it is trying to connect to is svchost. Dunno... not sure why it is doing it
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    svchost.exe is usually a legitimate process and can be found in various Services. But malware can present as this also. I recommend you run the system through the Steps HERE

    Attach the logs and let us review them for malware.

    Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.
     
  7. DeathsDesign

    DeathsDesign TS Rookie Topic Starter Posts: 31

    here are the logs you requested.




    How would I go about doing that exactly? Some are trying to make an outgoing connection, and then I am also getting something that is incoming wanting to access it.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No malware seen on these logs. The only 2 entries I see that MIGHT be calling Japan are:
    PokerStarsUpdate.exe
    Windows Messenger

    There is also an online scanner running in the background:
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

    To stop the scanner: Open IE> Tools> Manage add-ons> look for and highlight the F-Secure online scanner> Disable.

    You can remove the cleaning tools:

    Download OTCleanIt HERE & save it to your desktop.
    Stay clean. Let the firewall do its job. Enjoy your computing!
     
  9. jobeard

    jobeard TS Ambassador Posts: 13,449   +324

    if I may offer my $0.02 ---

    https://www.speedguide.net/port.php?port=3478 shows port 3478 being used for
    firewall traversal -- that ought to scare the A%$&^# out of everyone!

    Code:
    3478  	tcp,udp  	stun  	Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices.  	SG
    3478 	tcp,udp 	stun 	Session Traversal Utilities for NAT (STUN) port [RFC5389] 	IANA
    3478,3479,3074,3075 	udp 	applications 	Call of Duty - World at War 	Portforward
    3478-3479,3658 	udp 	applications 	PlayStation Network 	Portforward
    3478,3479,3658 	udp 	applications 	PS3 NAT Type 3 to 2
    http://www.voip-info.org/wiki-STUN has some details.

    If you have the CoD game, PS2/3 device, then this should be expected.

    the comments re akamaitechnologies are correct and the Unix/Linux WHOIS sees
    all of these IPs being associated with distributed akamaitechnologies servers --
    even the ones in Japan.
    YEP! Things are good -- perhaps set NO LOGGING to avoid the need for further analysis :)
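
    A check a defender can run on a captured UDP payload from port 3478 to confirm it really is STUN (RFC 5389, as cited in the port table above) and to see what a STUN server reports back to the client. This is an added example, not part of the original thread; the function names and the sample packet (documentation address 192.0.2.10) are constructed, and the length check assumes one STUN message per UDP datagram.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value carried in every RFC 5389 STUN header
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}

def parse_stun_header(payload: bytes):
    """Return header fields, or None if payload is not an RFC 5389 STUN message.
    Classic RFC 3489 STUN has no magic cookie and is rejected here."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:  # top two bits must be zero
        return None
    if length % 4 or length != len(payload) - 20:    # body is 4-byte aligned
        return None
    # Class and method bits are interleaved inside the 14-bit message type.
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    return {"class": CLASSES[cls], "method": method, "txid": payload[8:20].hex()}

def xor_mapped_address(payload: bytes):
    """Return (ip, port) from an IPv4 XOR-MAPPED-ADDRESS attribute, else None."""
    if parse_stun_header(payload) is None:
        return None
    pos = 20
    while pos + 4 <= len(payload):
        a_type, a_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + a_len]
        if a_type == 0x0020 and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            addr = struct.pack("!I", xaddr ^ MAGIC_COOKIE)
            return socket.inet_ntoa(addr), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + a_len + (-a_len % 4)  # attributes are padded to 4 bytes
    return None

def build_sample_response(ip="192.0.2.10", port=54321):
    """Constructed Binding success response used as sample input."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 1, xport, xaddr)
    header = struct.pack("!HHI", 0x0101, len(attr), MAGIC_COOKIE)
    return header + bytes(range(12)) + attr

if __name__ == "__main__":
    pkt = build_sample_response()
    print(parse_stun_header(pkt), xor_mapped_address(pkt))
```

    A payload on port 3478 that fails this check is not RFC 5389 STUN, whatever the port number suggests, and is worth a closer look.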
     
  10. DeathsDesign

    DeathsDesign TS Rookie Topic Starter Posts: 31

    Thanks all!! Good to know!
     
Topic Status:
Not open for further replies.

