Question on IPS Detection Statistical Submission

Calls, for your peace of mind, visit one of the forums mentioned by floplot to have your PC thoroughly checked.

Hello Calls,

All you have to do is register at one of the Forums I mentioned and go to the section where they check out your computer. They will tell you what scans to run and if you have any questions, all you have to do is to ask them. Once you run and submit the results of the scans, they will analyze them and tell you if your computer is clean or not. If it is not clean, they will tell you how to get it clean.

 

You want to upgrade to NIS 2011 soon. IF your computer is infected and you try to upgrade it, you may have problems. I am saying IF here which is why I am suggesting to you to get it checked out and cleaned up if necessary. This will make it easier to install NIS 2011. If it gets a clean report from one of those Forums, then you will know it's just routine Norton activities that you are seeing.

Hi Calls,

Again, I am just grasping at straws here, but I think what you say may be essentially correct.  A lot of traffic on port 3389 currently is the Morto worm and, since a service on your system is listening on that port, it would not be surprising if you are seeing some of this traffic.  But Morto is looking for a Remote Desktop connection that has a weak password and so is passing you by. 

Thanks for the links, but I'm starting to think this is nothing for me to be concerned about.

I'll post a screen shot of the IPS Detection Statistical Submission, just to see what all the smart folks might think.

I have not seen any programs listed in the program control that seem funky, nor have I seen any actual inbound connections.

Would never even have noticed this if I did not look at logs, so I wasn't even notified that this happened.

Not really thinking I'm infected, but here is a screen shot of the latest entry of IPS Detection Statistical Submission.

I know sometimes there is a delay between when the issue happened and when it gets submitted, but I looked at my firewall log and it goes back to late Thursday night 9/8/11 and there is nothing involving receiving any connection from the IP address noted in this log entry.

So I have to assume that there was no connection to my PC, right? I mean, there would be some entry that indicated a connection was made, correct?

The log info was too large to submit in one shot, so the second shot shows the IP address that was making this attempt (connection?).

PLEASE let me know if the information contained in the Network Data portion of the entry exposes me in an insecure way, so that I can remove the image.

And again, Remote Assistance is UNCHECKED.

Thanks

Attachments: shot1.jpg, shot2.jpg

One additional bit of info.
I think port 3389 may be in "listening" status because about 3 years ago I required some remote help from Microsoft. So perhaps after that session, it left that port not open, but listening?
Does that make some sense?

Again, remote help is not active, so that service is not on. Plus I'm also on a limited user account, so an admin password is required to activate any such activity.

A port does not listen. A program or service listens on a port. If you don't have that service on, it doesn't listen.

Your pictures don't show yet, btw. :)

Now they show, and they do not in any way show anything that exposes you in an insecure way.

Thanks for the clarification.

Well, some program is "listening" on port 3389. When netstat -ano is run it shows port 3389 having a "listening" status. When I check the PID, it shows svchost.exe. When I see the services run from that, it shows like 4 different services, including DNS cache. So maybe other services are using that port too? Because I know Remote Assistance is not enabled.

So does the entry that I posted mean anything negative, in that the IP address noted at the bottom entered my computer? I know that the item "IPS Detection Statistical Submission" normally is nothing, but since the IP address was unsolicited, does the log entry verify that it connected and accessed my computer?

Sorry all, can't edit from my phone, and trying to do this on the sly from work causes less (very less) than well organized questions.

But really the bottom line on my concern is:

1) Does the entry mean these IP addresses are entering my PC, seeing as there is nothing that says blocked?
or
2) Is Norton just saying this passer-by looks suspicious even though they did not come in?

Home and checked my PC. Had two more entries, always coming from a different IP address. Seems like this just started around September 5th 2011, which would coincide with what SoJ was saying about attacks on port 3389.

Also, here are the full services associated with the PID of svchost.exe:

Cryptographic Services

DNS Client

KtmRm

Network Location Awareness

Telephony

Terminal Services

I know some of that stuff has to do with Remote Access, but again mine is unchecked.

Anyways, just wondered if any more of this makes any sense to anyone.

Will get a router when I get my cable internet in about 2 weeks
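The check done by hand above (netstat -ano, then looking up the PID and the services inside that svchost.exe) can be scripted so the port-to-service mapping is reviewed in one pass. This is an added PowerShell example, not code from Norton or from any poster in the thread; it assumes Windows with PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the thread): map every LISTENING TCP port to its owning
# process and, when that process is svchost.exe, to the services hosted inside it.
# Assumes PowerShell 2.0 or later, run from an elevated prompt so that netstat
# reports PIDs and WMI can enumerate services.
function Get-ListeningPortOwners {
    $rows = netstat -ano | Select-String 'LISTENING'
    foreach ($row in $rows) {
        # netstat columns: Proto  Local Address  Foreign Address  State  PID
        $parts    = ($row.ToString().Trim()) -split '\s+'
        $local    = $parts[1]
        $port     = [int]$local.Substring($local.LastIndexOf(':') + 1)
        $ownerPid = [int]$parts[4]
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        # One svchost.exe hosts several services; netstat cannot say which of them
        # opened the socket, so list all of them for the analyst to review.
        $services = Get-WmiObject Win32_Service -Filter "ProcessId=$ownerPid" |
                    ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Port     = $port
            OwnerPid = $ownerPid
            Process  = $procName
            Services = ($services -join ', ')
        }
    }
}

# Show just the port discussed in the thread (3389, Remote Desktop). On Windows the
# RDP listener is owned by the TermService (Terminal Services) service; the other
# services listed merely share the same svchost process and do not use the port.
Get-ListeningPortOwners | Where-Object { $_.Port -eq 3389 } |
    Format-List Port, OwnerPid, Process, Services
```

Run it without the final Where-Object filter to review every listening port on the machine, not just 3389.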

You require all of those things, Calls. Terminal Services is a Norton requirement. It has to be open, and listening.

Cryptographic Services:

"Mainly, it confirms signatures of Windows files. You may always get a dialog box complaining about uncertified drivers if this is disabled. This service is required for Windows Update to function in manual and automatic mode. Windows Media Player and future .NET and Live applications may also require this service for some "features" to function." 

DNS Client

"If you attempt to "repair" your network connection and a dialog box complains that the "DNS resolver failed to flush the cache," this service is the reason.

Only in extreme situations should you disable this service as caching DNS lookups reduces network traffic and makes internet surfing performance faster."

KtmRm

"KTM prevents a series of database operations from occurring only partially, so either all occur, or all do not occur. These functions are used in features such as Transactional NTFS, which assures that file and directory actions are handled properly in the event of a crash or failure. If no applications or components of Vista EVER crash, it’s probably OK to disable this one, but if you value your data, you’ll want to keep it running."

Network Location Awareness

"Windows Vista® and later versions of Windows support network location awareness, which enables network-interacting programs to change their behavior based on how the computer is connected to the network. In the case of Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer." (private, public, or domain)

Telephony

Computer telephony integration (CTI) enables computers to know about and control phone functions such as making and receiving voice, fax, and data calls with telephone directory services and caller identification. The integration of telephone software and computer systems is a major development in the evolution of the automated office.

We have discussed port scans ad nauseum, and you have already discovered that blocking this port knocks you off the internet.  It's been three years, quit worrying about it.  It doesn't all have to do with remote access.

Thanks for the feedback Del-

I feel good knowing that there is no remote access going on.

Just still wondering if the log entry shows the IP passed by, was blocked, or entered my PC.

I'm sure it was not blocked as it would have said so. Then the only two options are entered my PC or passed by.

Just wanting to make sure some yahoo(s) are not getting into my system for other reasons

And just a clarification: in the past I did block port 3389, but I did NOT lose internet access. In fact I left it at that status until I installed NIS 2010. After installing NIS 2010 I chose not to make the block rule in 2010, and only in the last 3-4 weeks did this start showing again.