what doce this mean?

sentra8777 · Post by **sentra8777** » Wed Dec 15, 2004 11:25 pm

I get this everyonce in a while in my system event viewer. I do a full system scan weekly and also update my virus and firewall projection. It never finds anything.

Details
Product: Windows Operating System
ID: 4226
Source: Tcpip
Version: 5.2
Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED
Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.

Explanation
The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

Establishing connection–rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

Connection-rate limitations may cause certain security tools, such as port scanners, to run more slowly.

User Action
This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

To close the program

At the command prompt, type
Netstat –no
Find the process with a large number of open connections that are not yet established.
These connections are indicated by the TCP state SYN_SEND in the State column of the Active Connections information.
Note the process identification number (PID) of the process in the PID column.
Press CTRL+ALT+DELETE and then click Task Manager.
On the Processes tab, select the processes with the matching PID, and then click End Process.
If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.

--------------------------------------------------------------------------------

Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.

mccoffee · Post by **mccoffee** » Thu Dec 16, 2004 5:30 am

if i'm not mistake you need this patch microsoft changed somethings in the stack so that you cannot connect to so many servers at one time this patch should resolve if i'm thinking it out right.

http://www.speedguide.net/read_articles.php?id=1497

sentra8777 · Post by **sentra8777** » Fri Dec 17, 2004 5:48 pm

Ok so it dont realy mean iam infected somehow. Just a kind of bug were i need a patch??

mnosteele52 · Post by **mnosteele52** » Fri Dec 17, 2004 6:05 pm

sentra8777 wrote:Ok so it dont realy mean iam infected somehow. Just a kind of bug were i need a patch??

The link mccoffee posted explains it all in great detail, did you read it?

sentra8777 · Post by **sentra8777** » Sun Dec 19, 2004 5:55 pm

Yes i know it says that sp2 limits the number of connections to 10.

mnosteele52 · Post by **mnosteele52** » Sun Dec 19, 2004 6:11 pm

sentra8777 wrote:Yes i know it says that sp2 limits the number of connections to 10.

Then what don't you understand?

sentra8777 · Post by **sentra8777** » Sun Dec 19, 2004 6:50 pm

Iam sorry u are right i have been looking what i have been asking latly. What i have been asking is pretty dump. Most of time i have been answearing my own questions. I will look into things before i ask one. But u guys do help me alot. When it doce come to stuff like this iam pretty clueless. The only thing with computers iam good with is hardware.

Far-N-Wide · Post by **Far-N-Wide** » Wed Dec 22, 2004 5:00 pm

sentra8777

I walk around the house lots of time looking for my car keys when... They are in my hand

paraviya · Post by **paraviya** » Sat Apr 30, 2005 3:11 pm

I wish the source for this patch was available. Without that, you're not sure what you're doing to your system. Find a little more info about what's happening under the covers here:

http://paraviya.blogspot.com/2005/04/in ... tcpip.html