Find which file is connecting to these IPs on my Windows 7 computer. Help?

I use peerblock and I've found that my computer attempts to connect to the following IPs but is thankfully blocked by peerblock. I need help identifying which file in my Windows 7 computer is attempting these connections without actually letting the file make these connections.

104.25.103.111
104.25.104.111
184.168.173.1
& finally the following two attempted connections always happen together.
176.31.126.191
198.15.127.244

Thank you for any and all help.

Your browser perhaps? These two IP addresses are connected with level1techs.com. Do you have Desktop notifications turned on in your browser?

12/31/16 03:31:24 dns level1techs.com
Canonical name: level1techs.com
Addresses:
104.25.104.111
104.25.103.111

Open an elevated cmd.exe prompt, and run netstat -b, or maybe netstat -ab for more info.

Actually figured out those two IPs belonged to level1 a few moments after I posted the question but I didn't edit the question because I didn't want to artificially bump the thread. Does editing bump the thread? I don't know.

Anyway, the other IPs are definitely not from my browser.

They will not show up in netstat because peerblock is blocking them from connecting. I don't want to let whatever it is that is attempting these connections to succeed. So, I won't be disabling the block. But I still want to find which process is triggering them.

https://whois.domaintools.com/176.31.126.191

https://whois.domaintools.com/198.15.127.244

Thanks, but the info on that page is pretty much useless. This one's better.
https://www.virustotal.com/en/ip-address/176.31.126.191/information/
https://www.virustotal.com/en/ip-address/198.15.127.244/information/

:) There you go. I would not say useless. Just a start. Let's see? Free/cheap games and bitcoin miners :(

I got that but I am trying to find the exact process that is triggering it, to find a methodology that will be forever consistent. I think this is what I want to do but don't quite know how. I want my computer to 'think' it's connected to the internet but not really. I think I need to change some router setting for that to happen. Then I will be able to lift the block of the aforementioned IPs in peerblock, reassured that they will never connect. And then use http://www.nirsoft.net/utils/network_traffic_view.html to catch them in the act.

I need help finding out which setting on my modem/router will trick my computer into thinking it's connected to the internet.

You just leaped over my limited skills. It seems to me this is simpler than that. An audit of what is on the system is in order. What do you use for antivirus? Do you use something for malware scanning? Does it scan for PUPs? Was something installed with a third-party installer? (example: x software from cnet, etc.) What is your source for programs? I will try and push someone with the better expertise in your direction, if they do not show up by themselves.

Litecoin mining
https://trustscam.com/en/give-me-coins.com

French domain hosting, possible phishing email scam. anycast me
Using Flash Player?


I downloaded Malwarebytes and it found the following.


I am waiting to see if those IPs popup again in my peerblock logs.

I honestly don't know how these got into my computer. I NEVER use Flash, including in Chrome. I don't use third-party installers. I get the binary straight from the author and generate MD5, SHA1 and SHA256 and look it up online and see if it's good. And if it comes bundled with offers for installing other software, then I usually don't even install it at all. But if I do, then I untick those offers. And I actually read EULAs. And I keep monitoring my peerblock logs before installing, after installing and during running to see if they attempt any connection I didn't intend/know about. And if they do ping any IPs, I look them up and see if they are necessary for the software's primary functions. If not, I block it in peerblock.

I am not an antivirus kind of person. I used to be but not anymore. I prefer to prevent and isolate using firewalls, VMs and VPNs. I can't believe the very advice I used to give people a long time ago actually worked (probably; I still haven't been monitoring my logs for a week yet). The thought of installing an antivirus didn't even cross my mind. So, thank you @Freaksmacker for reminding me these exist. And the miner's using a fake svchost.exe, the sneaky shit.
Can't believe I got saved (probably) by virus definitions. They still aren't completely dead apparently.

I should very much like to speak to them. Much appreciated if you can as I am still curious, and want to know how to trick my computer into thinking it's connected to the internet for software auditing purposes. Maybe I should start a new topic, I don't know.

Process Explorer can display TCP/IP connections.

I would have laid money on a dodgy installer :) That is why security in layers is better. I realize some of the attitudes towards antivirus, but not having and using one is a far greater ill. Something light on resources, that stays updated regularly, and something that hardens the system and system files from changes. If it was me? I would back up personal data and nuke and rebuild. Then scan all that data closely before bringing it back to the system. Considering your approach to things? Maybe something like this is right up your alley.

https://chocolatey.org/

oh nice, how many bitcoins did you get?
I wonder if you can search the Windows event log, there might be a trace of the installation in there.
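The event-log search suggested above, as an added example that is not part of the thread: it pulls the entries Windows 7 writes when a service or MSI package is installed, plus recently written scheduled-task files, so the install can be dated and the service's file path (where a fake svchost.exe would stand out) read from the 7045 message. It assumes an elevated PowerShell 2.0 or later prompt; the 30-day cut-off in $Since is a constructed value.

```powershell
# Added example (not from the thread): list the event-log and file-system
# traces an installation usually leaves on Windows 7.
# Assumptions: elevated PowerShell 2.0+; $Since is a constructed cut-off date.
$Since = (Get-Date).AddDays(-30)

function Get-InstallTrace {
    param([datetime]$StartTime)

    # System log, event 7045 from Service Control Manager:
    # "A service was installed in the system". The message carries the
    # "Service File Name:" line, i.e. the full path of the binary.
    $services = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = 7045; StartTime = $StartTime
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                Kind   = 'ServiceInstall'
                Detail = (($_.Message -split "`n")[0..3] -join ' ')
            }
        }

    # Application log, event 11707 from MsiInstaller:
    # "Product: <name> -- Installation completed successfully."
    $msi = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'MsiInstaller'
            Id = 11707; StartTime = $StartTime
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Kind = 'MsiInstall'; Detail = $_.Message
            }
        }

    # Scheduled tasks are stored as XML files; a task file written recently
    # is a common persistence spot and carries the command it launches.
    $tasks = Get-ChildItem "$env:windir\System32\Tasks" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $StartTime } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time = $_.LastWriteTime; Kind = 'TaskFile'; Detail = $_.FullName
            }
        }

    @($services) + @($msi) + @($tasks) | Sort-Object Time
}

Get-InstallTrace -StartTime $Since | Format-Table Time, Kind, Detail -AutoSize -Wrap
```

Entries that do not line up with anything you remember installing, or whose service path sits outside C:\Windows\System32 or Program Files, are the ones to compare against the timestamps of the first blocked connections in the peerblock log.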

Just for the sake of completeness, you can use the built-in Windows tool "Windows System Resource Manager" (if you want a GUI; the aforementioned netstat commands work too) to list the IPs processes are connecting to.
You can invalidate your connection settings by changing the DNS or even the gateway for your network adapter, disable peerblock temporarily and be sure it can't connect to the Internet (because with these network modifications you can't either), to see where processes are trying to connect.
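The netstat approach from earlier in the thread combined with the dead-gateway idea in this post, as an added example that is not part of the thread: once the adapter points at a gateway that does not exist (the netsh line below is shown for reference and uses the 192.0.2.1 documentation address; the adapter name "Local Area Connection" is an assumption), outgoing TCP attempts sit in SYN_SENT long enough for a netstat -ano poll to catch them, and the owning PID is mapped to its executable path through WMI, which works on Windows 7 where Get-NetTCPConnection does not exist. The watch list is the set of IPs quoted in the first post; the log path is an assumption.

```powershell
# Added example (not from the thread): poll netstat -ano on Windows 7 and
# report which process owns any connection attempt to a watch list of IPs.
# Assumptions: elevated PowerShell 2.0+; adapter name and log path below are
# placeholders; the gateway 192.0.2.1 is a documentation address that is
# deliberately unreachable, so attempts stall in SYN_SENT instead of leaving.
#
# Reference only (run once beforehand, then restore with source=dhcp):
#   netsh interface ipv4 set address name="Local Area Connection" source=static address=<current ip> mask=<current mask> gateway=192.0.2.1

$WatchList = @('104.25.103.111', '104.25.104.111', '184.168.173.1',
               '176.31.126.191', '198.15.127.244')   # IPs quoted in the thread
$LogFile   = "$env:USERPROFILE\Desktop\ip-watch.log"   # assumed output path
$Seen      = @{}   # key = "pid|remote", so each pairing is reported once

function Get-MatchingConnections {
    # netstat -ano columns: Proto, Local, Foreign, [State], PID. -n skips DNS
    # lookups so the poll stays fast; UDP rows have no State column.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        $f       = $line.Trim() -split '\s+'
        $foreign = $f[2]
        $state   = if ($f[0] -eq 'TCP') { $f[3] } else { '-' }
        $procId  = [int]$f[-1]                       # PID is always the last column
        $ip      = $foreign.Substring(0, $foreign.LastIndexOf(':'))   # strip :port
        if ($WatchList -contains $ip) {
            New-Object PSObject -Property @{
                Proto = $f[0]; Remote = $foreign; State = $state; OwnerPid = $procId
            }
        }
    }
}

function Resolve-Owner($procId) {
    # Win32_Process exposes the full executable path and the parent, which is
    # how an svchost.exe living outside C:\Windows\System32 gives itself away.
    $p = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    if ($p) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        "$($p.Name) path=$($p.ExecutablePath) cmd=$($p.CommandLine) parent=$($parent.Name)"
    } else {
        "<pid $procId already exited>"
    }
}

while ($true) {
    foreach ($c in Get-MatchingConnections) {
        $key = "$($c.OwnerPid)|$($c.Remote)"
        if (-not $Seen.ContainsKey($key)) {
            $Seen[$key] = $true
            $msg = "{0} {1} {2} {3} pid={4} {5}" -f (Get-Date -Format s), $c.Proto,
                   $c.Remote, $c.State, $c.OwnerPid, (Resolve-Owner $c.OwnerPid)
            Write-Host $msg
            Add-Content -Path $LogFile -Value $msg
        }
    }
    Start-Sleep -Milliseconds 500   # short interval so brief SYN_SENT entries are caught
}
```

Leave it running while the peerblock rule for those IPs is lifted; because the gateway is dead nothing actually reaches the remote hosts, and the first log line names the executable and its parent, which is the information TCPView and Process Explorer show interactively.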

FWIW TCPView does exactly what you were looking for, minus the stopping of connections.
All of the open connections and their associated executables.

https://technet.microsoft.com/en-us/tcpview