Solved

Where are these IP packets coming from? (blocked by AntiVir)

Posted on 2009-05-15
Last Modified: 2013-11-22
I'll constantly get a pop-up from Avira AntiVir Internet Security that it's blocked an IP packet. Are these things dangerous? I'm doing a trial with the Internet Security package, and they pop up a lot that they're being blocked. I'm not exactly sure what they are or do, I don't have any spyware or adware on my computer doing scans. I also made a note of the IPs as they popped up. Some will pop up constantly as the same number, some only seen once or so.

41.215.120.154
74.128.17.114
209.235.28.74
66.102.1.97
64.233.169.97
130.126.72.51
80.86.84.212
98.105.132.164
60.18.161.7

Do these pose any danger, and what do they originate from? Not necessarily the IPs themselves, but just IP packets in general. Thanks.
Question by:GOCARDSGO32
8 Comments
 
LVL 2

Assisted Solution

by:ccampbell15
ccampbell15 earned 75 total points
ID: 24401615
Check
C:\WINDOWS\system32\drivers\etc
Below is a clean one:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
 

Author Comment

by:GOCARDSGO32
ID: 24405480
Thanks, mine looks exactly like that, so I'm still not understanding what the IP packets are (in general what is their use?) and where they're coming from. It continues to block them and I have no idea what their use is and haven't noticed any change whatsoever if they're being blocked or not.
 
LVL 2

Accepted Solution

by:ccampbell15
ccampbell15 earned 75 total points
ID: 24406108
An IP packet is just a package of information sent via TCP/IP.
Proventia-Filter-Server is one of them = 80.86.84.212
41.215.120.154 does not ping
74.128.17.114 is unreachable
Server: denda6 = 209.235.28.74

64.233.169.97
pings but no site

Download/run a quick scan of Malwarebytes. http://malwarebytes.org/

Assisted Solution

by:molard
molard earned 25 total points
ID: 24406415
I would also run an anti-malware scan. It's possible a trojan or some other type of malware is installed on your computer and it's trying to communicate to the internet or try to download other files. I would use a layered approach. I would do like ccampbell15 said and download/run MalwareBytes. I usually run the programs a couple of times so it removes everything. I would also try a free online antivirus scan such as Panda http://www.pandasecurity.com/homeusers/solutions/activescan/. Let us know what MalwareBytes and Panda find.
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 25 total points
ID: 24406627
Increase the security to the highest level in your firewall to avoid such alerts in future. When you connect to the Internet, it's quite possible that a worm on some other computer on the internet is broadcasting and trying to find open ports to propagate to. Increasing the firewall security might help with that.

Do a scan with Avira in safe mode to help with any possible virus infections.

Hope that helps.
 

Author Comment

by:GOCARDSGO32
ID: 24408063
Thanks for the info, I'll try a few more times, but I've downloaded Malware Bytes and run it to no detection, along with my Avira Antivirus scan I run each night, to no detection. Using WHOIS I identified the IP packets:

41.215.120.154 AFRICAN NETWORK INFO CENTER
74.128.17.114 INSIGHT
209.235.28.74 SPRINTLINK
66.102.1.97 GOOGLE
64.233.169.97 GOOGLE
130.126.72.51 UNIVERSITY OF ILLINOIS CHICAGO
80.86.84.212
98.105.132.164
60.18.161.7
77.67.44.203
74.137.17.85 INSIGHT


Insight is my cable company, so I emailed them asking what the packets were and pasted the IPs, and with University of Illinois I emailed them asking too, I have no idea what they were from. Using this WHOIS site helped a lot. The other IP addresses seemed to be a wide server range. http://www.networksolutions.com/whois/index.jsp
 
LVL 2

Expert Comment

by:ccampbell15
ID: 24408150
K,
You have an issue.
Download Gmer,
Autoruns and Process Explorer.
Run a quick scan of Gmer.
Reset IE Security and Advanced under Internet Options.
 

Author Comment

by:GOCARDSGO32
ID: 24408846
I just did a scan in GMER, I don't use IE but I changed the settings, so it isn't a problem anymore. Nothing was flagged on GMER. These were the only files listed that I didn't even know where they came from. The rest were from AOL (for the AIM software), from Microsoft, or from Avira.

I think these are only system processes:

---- System - GMER 1.0.15 ----

SSDT  8C54B75C  ZwCreateThread
SSDT  8C54B748  ZwOpenProcess
SSDT  8C54B74D  ZwOpenThread
SSDT  8C54B757  ZwTerminateProcess
SSDT  8C54B752  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetTimerEx + 454  81CFCA18 4 Bytes  [5C, B7, 54, 8C]
.text  ntkrnlpa.exe!KeSetTimerEx + 624  81CFCBE8 4 Bytes  [48, B7, 54, 8C]
.text  ntkrnlpa.exe!KeSetTimerEx + 640  81CFCC04 4 Bytes  [4D, B7, 54, 8C]
.text  ntkrnlpa.exe!KeSetTimerEx + 854  81CFCE18 4 Bytes  [57, B7, 54, 8C]
.text  ntkrnlpa.exe!KeSetTimerEx + 8B4

I'm beginning to think the IP packets were harmless, because running WHOIS lookups, some were common, and another IP I had listed I found belonged to Avira, and a couple of others were from Google. They seem to be sent out on web surfing.
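One way to triage alerts like these offline, as an added example that is not code from the thread, from Avira or from any of the posters: it correlates each blocked packet with the host's own outbound connections (a block shortly after you connected to that address is a reply to your browsing, the conclusion the author reaches above), separates LAN traffic, and flags a single outside source hitting several ports, which is the worm-style probing warturtle describes. The log lines, their format, the addresses and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample input (RFC 5737 documentation addresses, not the thread's IPs): firewall
# block events as "date time src_ip dst_port" and this host's outbound connections as "date time dst_ip".
BLOCKED = """\
2009-05-15 10:00:05 198.51.100.10 1041
2009-05-15 10:00:06 198.51.100.11 1042
2009-05-15 10:03:10 203.0.113.7 135
2009-05-15 10:03:11 203.0.113.7 139
2009-05-15 10:03:12 203.0.113.7 445
2009-05-15 10:04:00 192.168.1.1 137
2009-05-15 10:09:30 192.0.2.99 22
"""
OUTBOUND = """\
2009-05-15 10:00:04 198.51.100.10
2009-05-15 10:00:05 198.51.100.11
"""
FMT = "%Y-%m-%d %H:%M:%S"
REPLY_WINDOW = timedelta(seconds=30)  # block this soon after an outbound connection: likely a reply
SCAN_PORTS = 3                        # distinct ports from one unsolicited source: likely a scan
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def triage(blocked_text, outbound_text):
    """Return {src_ip: verdict}; verdict is 'local', 'reply', 'scan' or 'unsolicited'."""
    outbound = defaultdict(list)
    for line in outbound_text.splitlines():
        d, t, ip = line.split()
        outbound[ip].append(datetime.strptime(f"{d} {t}", FMT))
    ports, solicited = defaultdict(set), set()
    for line in blocked_text.splitlines():
        d, t, ip, port = line.split()
        ports[ip].add(int(port))
        when = datetime.strptime(f"{d} {t}", FMT)
        if any(abs(when - o) <= REPLY_WINDOW for o in outbound[ip]):
            solicited.add(ip)
    verdict = {}
    for ip, seen in ports.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            verdict[ip] = "local"        # LAN chatter, e.g. NetBIOS from the router or a neighbour
        elif ip in solicited:
            verdict[ip] = "reply"        # answer to a connection this host opened (web browsing)
        elif len(seen) >= SCAN_PORTS:
            verdict[ip] = "scan"         # one stranger probing several ports: worm-style probing
        else:
            verdict[ip] = "unsolicited"  # a stray packet; harmless once blocked, worth a WHOIS
    return verdict
```

Only the "scan" and "unsolicited" verdicts merit a WHOIS lookup or a malware scan; "reply" entries are the ordinary side effect of browsing that the thread ends up concluding these packets were.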
