loads of failed TCP/IP connections from Port 2869: spyware?

[Guest]

Hello,

I have experienced 2 crashes of windows XP Pro (I have the corresponding
..dmp log files). The logs of the event viewer showed the below error message:

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/08/2006
Time: 12:07:36
User: N/A
Computer: VELKY-DELL
Description:
TCP/IP has reached the security limit imposed on the number of concurrent
TCP connect attempts.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....‚..€
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Then I checked using netstat and found at that each time I am connected to
my routeur, there are always dozens of connections from my pc:2869 to the
routeur with status TIME_WAIT. It looks like my port 2869 is scanning all
ports of my routeur, as you can see with the below:

C:\Documents and Settings\Velky>netstat -no

Active Connections

Proto Local Address Foreign Address State PID
TCP 192.168.1.65:1034 64.236.46.64:80 CLOSE_WAIT 588
TCP 192.168.1.65:2006 64.12.171.248:143 ESTABLISHED 2496
TCP 192.168.1.65:2869 192.168.1.254:3233 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3234 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3235 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3236 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3237 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3238 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3239 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3240 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3241 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3242 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3243 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3244 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3245 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3246 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3247 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3248 TIME_WAIT 0
TCP 192.168.1.65:3733 64.12.171.248:143 TIME_WAIT 0

C:\Documents and Settings\Velky>netstat -no

Active Connections

Proto Local Address Foreign Address State PID
TCP 192.168.1.65:1034 64.236.46.64:80 CLOSE_WAIT 588
TCP 192.168.1.65:1290 64.12.180.149:143 TIME_WAIT 0
TCP 192.168.1.65:1293 64.12.180.149:143 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3354 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3355 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3356 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3357 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3358 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3359 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3360 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3361 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3362 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3363 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3364 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3365 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3366 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3367 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3368 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3369 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3370 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3371 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3372 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3373 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3374 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:3375 TIME_WAIT 0

C:\Documents and Settings\Velky>

The problem is that I didn't manage to locate the program responsible for
this as the PID responsible seems to be 0, which is the PID for the System
Idle process in the task manager.

Of course, I have ran all the online AV scans in addition to my up-to-date
Norton AV, I also have McAffee Firewall, and Norton Worm Protection activated
all the time... Also I have a laptop that I connect through my wireless
routeur, and it doesn't display the same connection attempts at all.

Would you have an idea please ?
I would much appreciate if someone could kindly help me: plse send me your
suggestions here: mpasc9(At)aolnospam(dOt)com

Thanks

Pascal

 

[Colin Nash [MVP]]

Hello,

I have experienced 2 crashes of windows XP Pro (I have the corresponding
.dmp log files). The logs of the event viewer showed the below error
message:

Port 2869 is used by Universal Plug and Play. It's normal for it to be
connecting to things like your local router.

See:
http://www.microsoft.com/windowsxp/using/setup/expert/crawford_02july22.mspx
http://support.microsoft.com/kb/323713/en-us

 

[Guest]

Thanks Colin for your reply.
I appreciate that UPNP should connect to my router, but it seems not normal
to try to open 50 tcp/ip connections on 50 different ports of my router, and
that it keeps opening new connections continuously all day long on all the
ports of the router.
Besides, my laptop, which is operated by Windows XP too, doesn't try to
connect to the router via 2869 at all.
The 3rd point which seems suspicious to me is the PID of 0 allocated to the
process that is creating all these connections.
Plse have a look at the below 2 screenshots that were taken at 3 min
interval (it goes like that the whole day: all the ports of the router are
scanned): that doesn't look normal to me:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Velky>netstat

Active Connections

Proto Local Address Foreign Address State
TCP VELKY-DELL:1251 wwwtkttest3.microsoft.com:http ESTABLISHED
TCP VELKY-DELL:1253 wwwtkttest3.microsoft.com:http ESTABLISHED
TCP VELKY-DELL:1255
a205-188-221-40.deploy.akamaitechnologies.net:ht
tp ESTABLISHED
TCP VELKY-DELL:1256
a205-188-221-40.deploy.akamaitechnologies.net:ht
tp ESTABLISHED
TCP VELKY-DELL:1258
a205-188-221-30.deploy.akamaitechnologies.net:ht
tp ESTABLISHED
TCP VELKY-DELL:1259 65.54.194.118:http ESTABLISHED
TCP VELKY-DELL:1265 64.236.47.45:http ESTABLISHED
TCP VELKY-DELL:1271 207.46.248.248:http ESTABLISHED
TCP VELKY-DELL:1272 207.46.248.248:http ESTABLISHED
TCP VELKY-DELL:1275 207.46.248.248:http ESTABLISHED
TCP VELKY-DELL:1499 64.236.46.64:http CLOSE_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20419 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20420 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20421 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20422 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20423 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20424 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20425 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20426 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20427 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20428 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20429 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20430 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20431 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20432 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20433 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20434 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20435 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20436 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20437 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20438 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20439 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20440 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20441 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20442 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20443 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20444 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20445 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20446 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20447 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20448 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20449 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20450 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20451 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20452 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20453 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20454 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20455 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20456 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20457 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20458 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20459 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20460 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20461 TIME_WAIT
TCP VELKY-DELL:2869 speedtouch.lan:20462 ESTABLISHED

C:\Documents and Settings\Velky>netstat -no

Active Connections

Proto Local Address Foreign Address State PID
TCP 192.168.1.65:1499 64.236.46.64:80 CLOSE_WAIT 588
TCP 192.168.1.65:2869 192.168.1.254:20590 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20591 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20592 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20593 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20594 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20595 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20596 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20597 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20598 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20599 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20600 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20601 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20602 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20603 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20604 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20605 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20606 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20607 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20608 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20609 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20610 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20611 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20612 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20613 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20614 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20615 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20616 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20617 TIME_WAIT 0
TCP 192.168.1.65:2869 192.168.1.254:20618 TIME_WAIT 0

C:\Documents and Settings\Velky>

Thanks 4 your help

Regards

Pascal

 

[Colin Nash [MVP]]

Thanks Colin for your reply.
I appreciate that UPNP should connect to my router, but it seems not
normal
to try to open 50 tcp/ip connections on 50 different ports of my router,
and
that it keeps opening new connections continuously all day long on all the
ports of the router.
Besides, my laptop, which is operated by Windows XP too, doesn't try to
connect to the router via 2869 at all.
The 3rd point which seems suspicious to me is the PID of 0 allocated to
the
process that is creating all these connections.
Plse have a look at the below 2 screenshots that were taken at 3 min
interval (it goes like that the whole day: all the ports of the router are
scanned): that doesn't look normal to me:

PID 0 is normal to see when the session is in TIME_WAIT. UPNP/SSDP are
fairly chatty but I don't think it really impacts performance. Looks like
your router is also talking UPNP- you could probably go into the router
settings page and disable that feature if you don't want it and then Windows
will stop bugging it. Maybe your other XP laptop has a different firewall
configuration or has these services disabled.

Start-> Run-> SERVICES.MSC and set SSDP Discovery Service and Universal Plug
and Play Device Host to disabled and stopped if you want to see if that
clears it up. (Try disabling it on the router first though.)