Strange Port Communication


Gamer
October 10th, 2009, 12:25 AM
For the past 2 weeks or so my computer has been trying to communicate on 1 specific port a few dozen times per day.

Each time it happens, it goes to a random bunch of IPs.

The port is UDP 32996.

I set up my firewall (Look 'n' Stop) to block it, but I'm still worried about it.

Find below part of my firewall log of the occurrences:

{QUOTE-> 10-09-09,12:57:56 U-65 'Hacker Attack? ' 96.20.109.248 UDP Ports Dest:26960 Src:32996
10-09-09,12:57:56 U-66 'Hacker Attack? ' 96.48.205.238 UDP Ports Dest:11621 Src:32996
10-09-09,12:57:56 U-67 'Hacker Attack? ' 216.130.68.142 UDP Ports Dest:37975 Src:32996
10-09-09,12:57:56 U-68 'Hacker Attack? ' 207.134.211.221 UDP Ports Dest:33033 Src:32996
10-09-09,12:57:56 U-69 'Hacker Attack? ' 142.162.151.208 UDP Ports Dest:46825 Src:32996
10-09-09,12:58:03 U-70 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:03 U-71 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:03 U-72 'Hacker Attack? ' 189.92.206.4 UDP Ports Dest:3034 Src:32996
10-09-09,12:58:03 U-73 'Hacker Attack? ' 75.158.104.248 UDP Ports Dest:60796 Src:32996
10-09-09,12:58:06 U-74 'Hacker Attack? ' 159.178.12.50 UDP Ports Dest:443 Src:32996
10-09-09,12:58:06 U-75 'Hacker Attack? ' 99.32.23.168 UDP Ports Dest:443 Src:32996
10-09-09,12:58:08 U-76 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:08 U-77 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:13 U-78 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:13 U-79 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:18 U-80 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:18 U-81 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:23 U-82 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:23 U-83 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:59:18 U-84 'Hacker Attack? ' 96.25.155.154 UDP Ports Dest:51033 Src:32996 <-QUOTE}

Any idea what it is? Is that port safe? How do I find out which application is trying to access the internet? I have TCPView, but it only displays in real time.
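The log above is regular enough to summarise with a short script. The following Python is an added example, not code from the original post or from the Look 'n' Stop product: it parses lines in exactly the format posted (the sample embedded in the block is a constructed subset of those lines), counts local source ports, remote hosts and destination ports, and measures the interval between repeated sends to the same host and port. In this log that interval is a steady 5 seconds for 189.164.148.160:19409 and 75.36.252.214:51013, which is a retransmit pattern rather than a scan. The script only makes the pattern visible; it cannot say which program owns the socket.

```python
"""Summarise Look 'n' Stop firewall log lines by remote host and spot timed retries.

Added example for this thread; the log format is taken from the lines posted above.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines posted in the thread, same format.
SAMPLE_LOG = """\
10-09-09,12:57:56 U-65 'Hacker Attack? ' 96.20.109.248 UDP Ports Dest:26960 Src:32996
10-09-09,12:57:56 U-66 'Hacker Attack? ' 96.48.205.238 UDP Ports Dest:11621 Src:32996
10-09-09,12:58:03 U-70 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:03 U-71 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:06 U-74 'Hacker Attack? ' 159.178.12.50 UDP Ports Dest:443 Src:32996
10-09-09,12:58:08 U-76 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:08 U-77 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
10-09-09,12:58:13 U-78 'Hacker Attack? ' 189.164.148.160 UDP Ports Dest:19409 Src:32996
10-09-09,12:58:13 U-79 'Hacker Attack? ' 75.36.252.214 UDP Ports Dest:51013 Src:32996
"""

# One Look 'n' Stop event line: date,time rule 'label' ip PROTO Ports Dest:N Src:N
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d-\d\d),(?P<time>\d\d:\d\d:\d\d) "
    r"(?P<rule>\S+) '(?P<label>[^']*)' (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<proto>UDP|TCP) Ports Dest:(?P<dport>\d+) Src:(?P<sport>\d+)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that are not events are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%y %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "proto": m["proto"],
                       "dport": int(m["dport"]), "sport": int(m["sport"])})
    return events


def summarise(events):
    """Counters over local source port, remote host and remote destination port."""
    return {
        "source_ports": Counter(e["sport"] for e in events),
        "remote_hosts": Counter(e["ip"] for e in events),
        "dest_ports": Counter(e["dport"] for e in events),
    }


def retry_intervals(events):
    """For each (ip, dport) seen more than once, the seconds between successive sends.
    A fixed short gap to the same host:port is a retransmit, not a scan of new targets."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["ip"], e["dport"])].append(e["ts"])
    out = {}
    for key, stamps in seen.items():
        if len(stamps) < 2:
            continue
        stamps.sort()
        out[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return out


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    s = summarise(ev)
    print("events:", len(ev))
    print("local source ports:", dict(s["source_ports"]))
    print("remote hosts:", dict(s["remote_hosts"]))
    print("destination ports:", dict(s["dest_ports"]))
    for (ip, dport), gaps in retry_intervals(ev).items():
        print(f"{ip}:{dport} resent at intervals {gaps} s")
```

Run it against the full exported log rather than the sample to see whether every event shares the one local source port and how many distinct remote hosts it reaches per day; a firewall that only logs the block, as here, still records enough to answer both questions.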

lotuseclat79
October 10th, 2009, 06:12 PM
You can use the network tool Whois to look up the IP addresses you have posted.

-- Tom

Escalader
October 10th, 2009, 07:33 PM
{QUOTE-> For the past 2 weeks or so my computer has been trying to communicate on 1 specific port a few dozen times per day.

Each time it happens, it goes to a random bunch of IPs.

The port is UDP 32996.

I set up my firewall (Look 'n' Stop) to block it, but I'm still worried about it.

Find below part of my firewall log of the occurrences:



Any idea what it is? Is that port safe? How do I find out which application is trying to access the internet? I have TCPView, but it only displays in real time. <-QUOTE}


I'm not a Look 'n' Stop expert, but you MAY have a parasite that is trying to send out to that port on various IP sites. Blocking the port is fine, or even the various IPs, but that is like putting your finger in the dam to stop a flood.

1) Post this question over on the Look 'n' Stop forum ASAP.

2) You make no mention of your AV product or an ASW tool! Get a scan done on your PC ASAP. You can use a free product like AntiVir or a trial version of NOD32, or even go to a web-based scan at McAfee or Norton.
That will deal with the possibility of a virus.

3) Lacking any other name, get the free version of SUPERAntiSpyware and run it ASAP.

If Look 'n' Stop logs can't help ID the application doing the UDP, get Online Armor free or Outpost Pro free, as they will find bad applications on your setup.
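Another way to ID the sending application, without installing a second firewall, is to poll the socket table so that a sender which binds UDP 32996 only briefly is still caught, which is exactly what a real-time viewer like TCPView misses. The following Python is an added example, not code from this thread or from any of the products named in it: parse_netstat reads the `netstat -ano` output format, owners_of_port returns the PIDs bound to a given UDP port, and watch samples every second and resolves each new PID to an image name with tasklist. The netstat sample embedded in the block is constructed for offline use and its PIDs and ports are invented. On Windows Vista, `netstat -b` from an elevated prompt prints the executable directly, but it is slow per sample; a short polling interval with `-o` is the practical compromise.

```python
"""Poll `netstat -ano` for the process that owns a UDP port, so a short-lived sender is caught.

Added example for this thread. Windows-only when run live; the parser is exercised offline
against a constructed sample.
"""
import subprocess
import sys
import time

# Constructed sample of `netstat -ano -p udp` output (Windows format); PIDs/ports invented.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:32996          *:*                                    2468
  UDP    127.0.0.1:1900         *:*                                    1172
  UDP    [::]:32996             *:*                                    2468
"""


def parse_netstat(output):
    """Return (proto, local_host, local_port, pid) for each socket line.
    UDP lines have no State column, so the PID is taken as the last field."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("UDP", "TCP"):
            continue  # header, blank line, or something that is not a socket row
        proto, local, pid = parts[0], parts[1], parts[-1]
        host, _, port = local.rpartition(":")  # handles IPv6 forms such as [::]:32996
        if not port.isdigit() or not pid.isdigit():
            continue
        rows.append((proto, host, int(port), int(pid)))
    return rows


def owners_of_port(output, port, proto="UDP"):
    """Sorted list of distinct PIDs bound to `port` over `proto` in this netstat snapshot."""
    return sorted({pid for p, _host, lp, pid in parse_netstat(output)
                   if p == proto and lp == port})


def image_name(pid):
    """Resolve a PID to an executable name with tasklist (Windows only)."""
    out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    first = out.strip().splitlines()[:1]
    if not first or first[0].startswith("INFO:"):
        return "?"  # process already exited between the netstat sample and this call
    return first[0].split('","')[0].strip('"')


def watch(port, interval=1.0, duration=600):
    """Sample netstat every `interval` seconds for `duration` seconds; report each new owner once."""
    seen = set()
    deadline = time.time() + duration
    while time.time() < deadline:
        out = subprocess.run(["netstat", "-ano", "-p", "udp"],
                             capture_output=True, text=True).stdout
        for pid in owners_of_port(out, port):
            if pid not in seen:
                seen.add(pid)
                print(f"{time.strftime('%H:%M:%S')} UDP {port} owned by PID {pid} ({image_name(pid)})")
        time.sleep(interval)
    return seen


if __name__ == "__main__":
    if sys.platform != "win32":
        print("offline demo, PIDs bound to UDP 32996:", owners_of_port(SAMPLE_NETSTAT, 32996))
    else:
        watch(int(sys.argv[1]) if len(sys.argv) > 1 else 32996)
```

Leave it running for a day, since the sends in the log come a few dozen times per day in bursts; the first line it prints names the binary to look at, and the PID lets you pull the full command line from Task Manager or Process Explorer while it is still alive.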

Gamer
October 11th, 2009, 12:46 AM
I ran scans with Malwarebytes Anti-Malware, NOD32, SUPERAntiSpyware and Spybot S&D and they didn't detect anything.

Oddly enough though, when I try running an online scan at a place like Trend Micro, I get a Java error saying installation failed.

Escalader
October 11th, 2009, 08:30 AM
{QUOTE-> I ran scans with Malwarebytes Anti-Malware, NOD32, SUPERAntiSpyware and Spybot S&D and they didn't detect anything.

Oddly enough though, when I try running an online scan at a place like Trend Micro, I get a Java error saying installation failed. <-QUOTE}

Good, no parasite.

What did Look 'n' Stop say as yet?

You may wish to run a ShieldsUP scan to see if any ports are still open.

Failing these, I'd consider posting a HijackThis log at one of those support sites; Wilders no longer does those.

Another brute-force method is to use a restore point from before the issue.

What were the website(s) from your DNS lookups of those IPs?

Please post an image of those here in the thread.

Gamer
October 11th, 2009, 03:43 PM
I restored my OS from a 4-month-old ghost image (I have Acronis True Image Home). I'm currently running it in safe mode and running a scan at Trend Micro HouseCall. Once the scan completes, even if it doesn't find anything, I'll probably just reinstall Windows.

I also have a SonicWall TZ 150 NAT router (it's a SOHO router, stronger than the Linksys crap). It's configured to allow a small number of ports to reach my network; I also configured it to block that port for an added layer of security.

It doesn't look like websites; it looks like home computers.

Escalader
October 11th, 2009, 04:58 PM
Here is the translation for your posted IPs.

Many countries, many locations.

What was the direction of these packets? If they are all incoming then your PC is on a list somewhere and it is not a Trojan on your PC at all. Some are PCs located in businesses, not home setups.




IP Addresses Report (created using IPNetInfo, http://www.nirsoft.net/)

1) 96.20.109.248 | Canada | Network: VL-21BL | Owner: Le Groupe Videotron Ltee | Range: 96.20.0.0 - 96.23.255.255 | Contact: Le Groupe Videotron Ltee, 150 Beaubien Ouest, Montreal, +1-514-281-8498 | Whois: ARIN | Resolved name: modemcable248.109-20-96.mc.videotron.ca

2) 96.48.205.238 | Canada | Network: SHAW-COMM | Owner: Shaw Communications Inc. | Range: 96.48.0.0 - 96.55.255.255 | Contact: Shaw Communications Inc., Suite 800, 630 - 3rd Ave. SW, Calgary, +1-403-750-7420 | Whois: ARIN | Resolved name: S0106000ea68986fb.vs.shawcable.net

3) 216.130.68.142 | Canada | Network: MTS-216-130-64-MB-CA | Owner: MTS Allstream Inc. | Range: 216.130.64.0 - 216.130.95.255 | Contact: MTS Allstream Inc., 333 Main Street, Winnipeg, +1-204-988-0219 | Whois: ARIN | Resolved name: brndmb0243w-ad01-68-142.dynamic.mts.net

4) 207.134.211.221 | Canada | Network: TELUS-207-134-0-0 | Owner: TELUS Communications Inc. | Range: 207.134.0.0 - 207.134.255.255 | Contact: TELUS Communications Inc., 7 - 3777 Kingsway, Burnaby, +1-877-310-8324 | Whois: ARIN | Resolved name: c207.134.211-221.clta.globetrotter.net

5) 142.162.151.208 | Canada | Network: STENTOR4 | Owner: Stentor National Integrated Communications Network | Range: 142.162.0.0 - 142.162.255.255 | Contact: Stentor National Integrated Communications Network, 110 O'Connor St., Floor 3, Ottawa, +1-613-781-9095 | Whois: ARIN | Resolved name: mctnnbsa51w-142162151208.pppoe-dynamic.High-Speed.nb.bellaliant.net

6) 189.164.148.160 | Mexico | Network: MX-GDUN-LACNIC | Owner: Gestión de direccionamiento UniNet | Range: 189.164.148.0 - 189.164.148.255 | Contact: GESTION DE CAMBIOS, Periferico Sur 3190, 01900 - México DF - DF, +52 55 56244400 | Whois: LACNIC | Resolved name: dsl-189-164-148-160.prod-infinitum.com.mx

7) 75.36.252.214 | USA - Texas | Network: SBCIS-082106131904 | Owner: AT&T Internet Services | Range: 75.36.248.0 - 75.36.255.255 | Contact: AT&T Internet Services, 2701 W. 15th St., PMB 236, Plano, +1-800-648-1626 | Whois: ARIN | Resolved name: adsl-75-36-252-214.dsl.pltn13.sbcglobal.net

8) 189.92.206.4 | Brazil | Network: 040.432.544/0001-47 | Owner: Claro S/A | Range: 189.92.0.0 - 189.95.255.255 | Contact: Claro - Voz/Dados (no address or phone listed) | Whois: LACNIC | Resolved name: 189-92-206-4.3g.claro.net.br

9) 75.158.104.248 | Canada | Network: TELUS | Owner: TELUS Communications Inc. | Range: 75.152.0.0 - 75.159.255.255 | Contact: TELUS Communications Inc., 7 - 3777 Kingsway, Burnaby, +1-877-310-8324 | Whois: ARIN | Resolved name: d75-158-104-248.abhsia.telus.net

10) 159.178.12.50 | USA - Florida | Network: UMCJACK | Owner: University of Florida/University Medical Center | Range: 159.178.0.0 - 159.178.255.255 | Contact: University of Florida/University Medical Center, Computing and Networking Services, room 112, SSRB, Stadium Road, PO Box 112050, Gainesville, +1-352-392-2061 | Whois: ARIN | Resolved name: (none)

11) 99.32.23.168 | USA - Texas | Network: SBCIS-SBIS | Owner: AT&T Internet Services | Range: 99.0.0.0 - 99.95.255.255 | Contact: AT&T Internet Services, 2701 N. Central Expwy # 2205.15, Richardson, +1-800-648-1626 | Whois: ARIN | Resolved name: 99-32-23-168.uvs.evtnil.sbcglobal.net

12) 96.25.155.154 | USA - Washington | Network: CLEARWIRE-DNS-NET | Owner: Clearwire US LLC | Range: 96.24.0.0 - 96.26.255.255 | Contact: Clearwire US LLC, 4400 Carillon Point, Kirkland, +1-866-316-7575 | Whois: ARIN | Resolved name: 96-25-155-154.yak.clearwire-dns.net

Gamer
October 11th, 2009, 08:21 PM
They were all outgoing.

I forgot to mention, I did an online virus/Trojan scan with ESET Online Scanner. It didn't detect anything.

I just installed a fresh copy of Vista and the Trend Micro HouseCall online scan is finally working.

EDIT: Online scan finished. It found a few Trojans in some really old RARs I downloaded a few years ago (but haven't executed in several years); I deleted them all.

I ran the ShieldsUP test and all tests reported stealthed ports.