concurrent connections limit in avast

[Maxx_original]

i think that the 270 open ports under your [System Process]:0 is the reason of concurrent connections warning... but i can't say where this strange thing got its beginning... i searched through google, but i got no reliable answers yet... so, if anybody knows something, what could cause this, pls post it here..

[Lisandro]

I've terminated the Internet Mail provider, closed all email programs, stop Stunnel service.
When TCPView start, it still query for high number ports.
The log is attached.
I'm surprised and curious... what is that?

[Maxx_original]

this is even stranger... <non-existent> process opening tons of ports

it looks like some rootkit is there, but the GMER log reported nothing so bad to me

[alanrf]

I have been concerned about the post from Tech. 

I think that Tech may have managed to get a nasty little something in his system.  It looks to me like something at startup (or very close to it) and it appears to be (possibly - perhaps thankfully) broken and looping.  The fact that TCPView reports the process name as "<non-existent>" is also of considerable concern - it appears it wants to remain hidden.   

Tech mentioned that this issue appeared close to the implementation of Comodo 3. I am not a Vista user but I have tested earlier today on my XP system loading Comodo 3 to see if I could replicate the problem.  Try as I did I could not create the excessive localhost port 110 connections that appear in Tech's TCPView post.

I do not want to go overboard and I hope there is a much more innocent explanation but a rootkit does seem a possibility.

Perhaps other tools like Panda anti-rootkit and AVG andti-rootkit might be worth trying.  I confess that after reviewing Tech's post today I have downloaded and run both (even after GMER gave me a clean report).     

I hope that Tech is a believer in regular system backups.

[Lisandro]

I'll try rootkit scanning with AVG, TrendMicro and F-Secure. Panda is not Vista compatible.
I'll try GMER again and avast at boot time.
I don't know what more can I do. No strange behavior of the computer.
It could be Comodo related but, a lot of time ago, Stunnel & avast have trouble from time to time. Booting and seeing if Google Inc. was blocked by PeerGuardian usually solves the problem.

[alanrf]

Silly point perhaps but Tech's avatar is becoming more and more overcome by black dots (flashing about a couple of times a second) as time goes on ... I just rebooted my system thinking it was just me but after a restart even more of the avatar is overtaken by black dots. 

Anyone else seeing the same thing?

This is what I'm seeing

[alanrf]

Sorry for the interruption on the avatars ... it was only on Firefox, not on my (rarely used) IE7. 

I brought up another system and there was no problem there.  I noticed that every time I restarted Firefox then the masking of Tech's avatar changed.  I also noticed that some other animated avatars in the forum changed today ... rejzor has got the (non-animated) Christmas spirit, avatar2005's animated avatar has disappeared. 

So, I cleared my cache on Firefox and now Tech is dripping his leaves as pristine as ever (I'm glad to say - nice one Tech!).

[Lisandro]

alanrf, any clue about my real problem?
AVG, TrendMicro and F-Secure antirootkits came back clean...
Panda is not Vista compatible...
Running TCPView without being connected, few lines appear, not the long listed of strange connections.
I'm lost. I can't be sure this is Comodo related as I never tested TCPView on Vista before.
I hate mysteries...

[Lisandro]

I've downloaded emails by MS Outlook. TCPView stripped.
The TCPView stay clean until I've opened the Windows Mail.
Then tons of [SystemProcess]:0 appeared, most of them from port 12110 to localhost:high ports.

I set Stunnel for 11110 and not 121110.
I've closed Windows Mail. Open TCPView again, clean.

It's Windows Mail + Internet Mail provider, for sure.
If I ignore local communication of the Internet Mail provider, i.e., do not scan, open Windows Mail, I can receive email and TCPView is clean.

Something is different with Internet Mail provider & Comodo & Stunell & Vista.

[Maxx_original]

Tech: can you discuss this with your local MS tech support? it looks really strange that Windows mail causes the huge port usage from [SystemProcess]:0

[Lisandro]

Tech: can you discuss this with your local MS tech support? it looks really strange that Windows mail causes the huge port usage from [SystemProcess]:0

You know they won't tell me anything... They won't debug, it's just loose of time...
MS Support will say it's my computer, my configuration, will say that I need to restore to manufacturer configurations and so on...

I'm quite sure it's Windows Mail... but the problem only occur when I uncheck ignore local communication in avast Internet Mail provider. They will say the problem is with you...

Using only Windows Mail, no problem...

[Lisandro]

Just to say that MS support is slightly better than Symantec... but not that much...
I won't have patience even to explain... they will start saying me to boot the computer

[Maxx_original]

ook, thanks God, you're (probably) not infected with the strangest rootkit ever ... anyway, there still remains the question what's the point of this strange behavior.. is it some conflict between Windows mail and Comodo? or is it a headache by MS?

[Dwarden]

little suggestion ... can you try run some packet sniffer ?

e.g. Wireshark http://www.wireshark.org

or SmartSniff http://www.nirsoft.net/utils/smsniff.html

and take look on the traffic ?

[Lisandro]

little suggestion ... can you try run some packet sniffer ?

How do they work? What should I do?

ook, thanks God, you're (probably) not infected with the strangest rootkit ever ... anyway, there still remains the question what's the point of this strange behavior.. is it some conflict between Windows mail and Comodo? or is it a headache by MS?

Maxx, do not laugh... it could be Internet Mail provider and the problem is on avast and not on Comodo...