Reoccurring TCPIP EventID 4227

djkav · 8 Nov 2011 at 14:51

Hi, this error is now annoying me somewhat.

I keep getting TCPIP EventID 4227 frequently. I just rebooted and within 3 minutes my streaming radio just stopped. I looked in the Windows Logs > System and keep finding that error.

Error description:
"TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint."

I never had it on my older hardware q6600 @3.4 / P5K Premium and 8gb Ram.

Both systems were using Windows 7 x64 Ultimate.

Any help would be great.

SourChipmunk · 10 Nov 2011 at 13:51

Just a guess, but check your system date/time and time zone.

Maybe try updating your NIC drivers also.

pellet · 10 Nov 2011 at 14:19

do a netstat -a? see if there's any suspicious ports in use?

Lunesta · 10 Nov 2011 at 14:28

You havn't really told us what is happening when you get this error... You said your radio stream stopped, but dose anything else stop working? (EG Internet?)

If it dose, how do you fix it? By restarting your computer?

Microsoft TechNet's fix is to disable and re-enable your network card? (http://technet.microsoft.com/en-us/library/dd408475(WS.10).aspx)

As suggested, maybe a upgrade in Network Card drivers?

djkav · 28 Jan 2012 at 17:25

Lunesta said:
You havn't really told us what is happening when you get this error... You said your radio stream stopped, but dose anything else stop working? (EG Internet?)

If it dose, how do you fix it? By restarting your computer?

Microsoft TechNet's fix is to disable and re-enable your network card? (http://technet.microsoft.com/en-us/library/dd408475(WS.10).aspx)

As suggested, maybe a upgrade in Network Card drivers?

All internet traffic gets killed.

davethe11 · 28 Jan 2012 at 19:48

first impression is you've got a trojan on your machine trying to listen for an attempted remote connection, have you done a full virus scan and malwarebytes scan? If not a trojan then try booting into safe mode with networking support and see if your connection drops out there.

ecksmen · 28 Jan 2012 at 19:56

You're running out of ephemeral ports (http://en.wikipedia.org/wiki/Ephemeral_port)

Run the following command

Code:

netsh int ipv4 show dynamicport tcp

and

Code:

netsh int ipv4 show dynamicport udp

You should have 49152 + 16,000 ish (forget the exact value).

If that looks ok, and its not set to something tiny, you want to find out what is using all the ports.

Code:

netstat -nao > c:\netstat.txt

Then open c:\netstat.txt - one column is the PID (Process ID) you can use taskmanager to locate what the process is (add PID column into view).

Sounds like either ports have got screwed, or you are infected.

EDIT -

Code:

netstat -nao

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING       2844
  TCP    0.0.0.0:990            0.0.0.0:0              LISTENING       3304
  TCP    0.0.0.0:1110           0.0.0.0:0              LISTENING       1824
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7456           0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:7457           0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:19780          0.0.0.0:0              LISTENING       1824
  TCP    0.0.0.0:32111          0.0.0.0:0              LISTENING       2612
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:50001          0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:50002          0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:50003          0.0.0.0:0              LISTENING       532
  TCP    0.0.0.0:50007          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:50450          0.0.0.0:0              LISTENING       1612
  TCP    127.0.0.1:1110         127.0.0.1:50520        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50522        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50527        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50530        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50532        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50534        ESTABLISHED     1824
  TCP    127.0.0.1:1110         127.0.0.1:50776        TIME_WAIT       0
  TCP    127.0.0.1:1110         127.0.0.1:50788        TIME_WAIT       0
  TCP    127.0.0.1:1110         127.0.0.1:50855        CLOSE_WAIT      1824

djkav · 28 Jan 2012 at 20:13

Hi,

Its been fine for a good few months, then in the last couple of hours its started again

I tried those commands and it shows around 49k / 16k for both.

I have Kaspersky ICS 12, that I got free from Barclays. Will leave it over night for a full scan. I have decided to rebuild windows next week, from a fresh format.

Results from Netscan:

Code:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       308
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:1110           0.0.0.0:0              LISTENING       1844
 [avp.exe]
  TCP    0.0.0.0:3309           0.0.0.0:0              LISTENING       2416
 [mysqld.exe]
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       692
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       656
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       120
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       1844
 [avp.exe]
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING       744
 [services.exe]
  TCP    0.0.0.0:49176          0.0.0.0:0              LISTENING       760
 [lsass.exe]
  TCP    127.0.0.1:1110         127.0.0.1:49222        ESTABLISHED     1844
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:50153        ESTABLISHED     1844
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:50155        ESTABLISHED     1844
 [avp.exe]
  TCP    127.0.0.1:2559         0.0.0.0:0              LISTENING       5768
 [daemonu.exe]
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       3372
 [CurseClient.exe]
  TCP    127.0.0.1:49222        127.0.0.1:1110         ESTABLISHED     5104
 [wlcomm.exe]
  TCP    127.0.0.1:49243        0.0.0.0:0              LISTENING       2476
 [msnmsgr.exe]
  TCP    127.0.0.1:49243        127.0.0.1:49247        ESTABLISHED     2476
 [msnmsgr.exe]
  TCP    127.0.0.1:49247        127.0.0.1:49243        ESTABLISHED     2476
 [msnmsgr.exe]
  TCP    127.0.0.1:50153        127.0.0.1:1110         ESTABLISHED     896
 [iron.exe]
  TCP    127.0.0.1:50155        127.0.0.1:1110         ESTABLISHED     896
 [iron.exe]
  TCP    127.0.0.1:50157        127.0.0.1:1110         TIME_WAIT       0
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.0.2:49223      207.46.124.222:1863    ESTABLISHED     1844
 [avp.exe]
  TCP    192.168.0.2:50154      173.194.41.168:80      ESTABLISHED     1844
 [avp.exe]
  TCP    192.168.0.2:50156      209.85.147.99:443      ESTABLISHED     1844
 [avp.exe]
  TCP    192.168.0.2:50161      149.7.32.19:80         TIME_WAIT       0
  TCP    [::]:80                [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING       308
  RpcSs
 [svchost.exe]
  TCP    [::]:1110              [::]:0                 LISTENING       1844
 [avp.exe]
  TCP    [::]:3309              [::]:0                 LISTENING       2416
 [mysqld.exe]
  TCP    [::]:5357              [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:49152             [::]:0                 LISTENING       692
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING       656
  eventlog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING       120
  Schedule
 [svchost.exe]
  TCP    [::]:49174             [::]:0                 LISTENING       744
 [services.exe]
  TCP    [::]:49176             [::]:0                 LISTENING       760
 [lsass.exe]
  UDP    0.0.0.0:427            *:*                                    4708
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                    1240
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:49809          *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:49811          *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:49813          *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:53152          *:*                                    3208
 [Steam.exe]
  UDP    127.0.0.1:1900         *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:44301        *:*                                    2584
 [PnkBstrA.exe]
  UDP    127.0.0.1:45301        *:*                                    2696
 [PnkBstrB.exe]
  UDP    127.0.0.1:48000        *:*                                    5768
 [daemonu.exe]
  UDP    127.0.0.1:48001        *:*                                    3672
 [nvtray.exe]
  UDP    127.0.0.1:50834        *:*                                    5104
 [wlcomm.exe]
  UDP    127.0.0.1:60456        *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:64205        *:*                                    3372
 [CurseClient.exe]
  UDP    127.0.0.1:64708        *:*                                    2476
 [msnmsgr.exe]
  UDP    192.168.0.2:9          *:*                                    2476
 [msnmsgr.exe]
  UDP    192.168.0.2:137        *:*                                    4
 Can not obtain ownership information
  UDP    192.168.0.2:138        *:*                                    4
 Can not obtain ownership information
  UDP    192.168.0.2:427        *:*                                    4708
  HPSLPSVC
 [svchost.exe]
  UDP    192.168.0.2:1900       *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    192.168.0.2:60455      *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    [::]:500               *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    [::]:3702              *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    [::]:3702              *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    [::]:3702              *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    [::]:3702              *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    [::]:4500              *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                                    1240
  Dnscache
 [svchost.exe]
  UDP    [::]:49810             *:*                                    4624
  FDResPub
 [svchost.exe]
  UDP    [::]:49812             *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    [::]:49814             *:*                                    1156
  EventSystem
 [svchost.exe]
  UDP    [::1]:1900             *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:60454            *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::d46:673c:897e:bad%11]:1900  *:*                                    4624
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::d46:673c:897e:bad%11]:60453  *:*                                    4624
  SSDPSRV
 [svchost.exe]

Porcess ID #4 comes up with System/NT Kernal

ecksmen · 28 Jan 2012 at 20:27

That's not many connections (>16,000).

Are many listed as time_wait, did you edit the list?

Default state for time_wait is something like 200seconds, you can reduce this to minium of 30seconds..

Copy and paste into notepad, save as .reg file and import into registery or alternatively manually create the key.

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]

"TcpTimedWaitDelay"=dword:0000001e

You can always true recreating the TCP stack with

Code:

netsh int ip reset

djkav · 28 Jan 2012 at 20:29

ecksmen said:
That's not many connections (>16,000).

Are many listed as time_wait, did you edit the list?

Default state for time_wait is something like 200seconds, you can reduce this to minium of 30seconds..

Copy and paste into notepad, save as .reg file and import into registery or alternatively manually create the key.

Code:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters] "TcpTimedWaitDelay"=dword:0000001e

You can always true recreating the TCP stack with

Code:

netsh int ip reset

I didnt touch the list, just copied all that was generated. Will try the reg key now

djkav · 29 Jan 2012 at 20:15

Revelation, I think its all caused by a web radio player I use at http://www.radioplayer.co.uk/

I only get the problems when i'm listening to net radio on that web app. Internet has been fine most of the day, within 5 minutes of listening to net radio. All my internet connections have been zapped. MSN goes offline, SWTOR kicks me from the server and radio stops working.

Netstat with the net radio player, using IRON browser:

Code:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       308
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:1110           0.0.0.0:0              LISTENING       1768
 [avp.exe]
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3309           0.0.0.0:0              LISTENING       2288
 [mysqld.exe]
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       692
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       656
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       120
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       1768
 [avp.exe]
  TCP    0.0.0.0:49165          0.0.0.0:0              LISTENING       752
 [services.exe]
  TCP    0.0.0.0:49167          0.0.0.0:0              LISTENING       768
 [lsass.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58518        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58626        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58628        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58629        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58640        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58643        TIME_WAIT       0
  TCP    127.0.0.1:1110         127.0.0.1:58645        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58647        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:1110         127.0.0.1:58650        ESTABLISHED     1768
 [avp.exe]
  TCP    127.0.0.1:2559         0.0.0.0:0              LISTENING       2748
 [daemonu.exe]
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       3372
 [CurseClient.exe]
  TCP    127.0.0.1:58518        127.0.0.1:1110         ESTABLISHED     2128
 [wlcomm.exe]
  TCP    127.0.0.1:58522        0.0.0.0:0              LISTENING       6380
 [msnmsgr.exe]
  TCP    127.0.0.1:58522        127.0.0.1:58535        ESTABLISHED     6380
 [msnmsgr.exe]
  TCP    127.0.0.1:58535        127.0.0.1:58522        ESTABLISHED     6380
 [msnmsgr.exe]
  TCP    127.0.0.1:58626        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58628        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58629        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58640        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58645        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58647        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    127.0.0.1:58650        127.0.0.1:1110         ESTABLISHED     5540
 [iron.exe]
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.0.2:58519      64.4.34.77:1863        ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58612      159.153.75.186:20061   ESTABLISHED     4296
 [swtor.exe]
  TCP    192.168.0.2:58613      159.153.75.186:20062   ESTABLISHED     4296
 [swtor.exe]
  TCP    192.168.0.2:58627      173.194.41.163:80      ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58630      66.220.158.18:80       ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58631      208.81.234.97:80       ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58641      88.221.88.24:80        ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58646      173.194.41.167:443     ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58649      173.194.41.163:80      ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58652      173.194.41.163:80      ESTABLISHED     1768
 [avp.exe]
  TCP    192.168.0.2:58657      85.159.184.6:1935      ESTABLISHED     7484
 [iron.exe]
  TCP    192.168.0.2:58666      117.79.92.44:443       TIME_WAIT       0
  TCP    192.168.0.2:58667      117.79.92.41:443       TIME_WAIT       0
  TCP    192.168.0.2:58668      117.79.92.35:443       TIME_WAIT       0
  TCP    192.168.0.2:58670      130.117.190.195:443    TIME_WAIT       0
  TCP    192.168.0.2:58671      130.117.190.198:443    TIME_WAIT       0
  TCP    192.168.0.2:58672      130.117.190.201:443    TIME_WAIT       0
  TCP    192.168.0.2:58673      130.117.190.204:443    TIME_WAIT       0
  TCP    192.168.0.2:58674      130.117.190.207:443    TIME_WAIT       0
  TCP    192.168.0.2:58675      130.117.190.210:443    TIME_WAIT       0
  TCP    192.168.0.2:58676      130.117.190.213:443    TIME_WAIT       0
  TCP    192.168.0.2:58678      202.177.216.227:443    TIME_WAIT       0
  TCP    192.168.0.2:58679      202.177.216.230:443    TIME_WAIT       0
  TCP    192.168.0.2:58680      202.177.216.233:443    TIME_WAIT       0
  TCP    192.168.0.2:58681      202.177.216.236:443    TIME_WAIT       0
  TCP    192.168.0.2:58682      38.113.165.68:443      TIME_WAIT       0
  TCP    192.168.0.2:58683      38.113.165.71:443      TIME_WAIT       0
  TCP    192.168.0.2:58684      38.113.165.74:443      TIME_WAIT       0
  TCP    192.168.0.2:58685      38.113.165.77:443      TIME_WAIT       0
  TCP    192.168.0.2:58686      38.113.165.80:443      TIME_WAIT       0
  TCP    192.168.0.2:58687      38.113.165.83:443      TIME_WAIT       0
  TCP    192.168.0.2:58688      38.113.165.86:443      TIME_WAIT       0
  TCP    192.168.0.2:58690      79.141.216.17:443      TIME_WAIT       0
  TCP    192.168.0.2:58691      79.141.216.19:443      TIME_WAIT       0
  TCP    192.168.0.2:58692      79.141.216.29:443      TIME_WAIT       0
  TCP    192.168.0.2:58693      79.141.216.64:443      TIME_WAIT       0
  TCP    192.168.0.2:58694      79.141.216.65:443      TIME_WAIT       0
  TCP    192.168.0.2:58695      79.141.216.66:443      TIME_WAIT       0
  TCP    192.168.0.2:58696      79.141.216.67:443      TIME_WAIT       0
  TCP    192.168.0.2:58697      79.141.216.68:443      SYN_SENT        1768
 [avp.exe]
  TCP    [::]:80                [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING       308
  RpcSs
 [svchost.exe]
  TCP    [::]:1110              [::]:0                 LISTENING       1768
 [avp.exe]
  TCP    [::]:2869              [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:3309              [::]:0                 LISTENING       2288
 [mysqld.exe]
  TCP    [::]:5357              [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:49152             [::]:0                 LISTENING       692
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING       656
  eventlog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING       120
  Schedule
 [svchost.exe]
  TCP    [::]:49165             [::]:0                 LISTENING       752
 [services.exe]
  TCP    [::]:49167             [::]:0                 LISTENING       768
 [lsass.exe]
  UDP    0.0.0.0:427            *:*                                    4652
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                    1240
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:58628          *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:58634          *:*                                    3232
 [Steam.exe]
  UDP    0.0.0.0:59670          *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    127.0.0.1:1900         *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:44301        *:*                                    2440
 [PnkBstrA.exe]
  UDP    127.0.0.1:45301        *:*                                    2608
 [PnkBstrB.exe]
  UDP    127.0.0.1:48000        *:*                                    2748
 [daemonu.exe]
  UDP    127.0.0.1:48001        *:*                                    3708
 [nvtray.exe]
  UDP    127.0.0.1:52715        *:*                                    6380
 [msnmsgr.exe]
  UDP    127.0.0.1:54833        *:*                                    3372
 [CurseClient.exe]
  UDP    127.0.0.1:62389        *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:64464        *:*                                    2128
 [wlcomm.exe]
  UDP    192.168.0.2:9          *:*                                    6380
 [msnmsgr.exe]
  UDP    192.168.0.2:68         *:*                                    656
  Dhcp
 [svchost.exe]
  UDP    192.168.0.2:137        *:*                                    4
 Can not obtain ownership information
  UDP    192.168.0.2:138        *:*                                    4
 Can not obtain ownership information
  UDP    192.168.0.2:427        *:*                                    4652
  HPSLPSVC
 [svchost.exe]
  UDP    192.168.0.2:1900       *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    192.168.0.2:62388      *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    [::]:500               *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    [::]:3702              *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    [::]:3702              *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    [::]:3702              *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    [::]:3702              *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    [::]:4500              *:*                                    120
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                                    1240
  Dnscache
 [svchost.exe]
  UDP    [::]:58629             *:*                                    4568
  FDResPub
 [svchost.exe]
  UDP    [::]:59671             *:*                                    1160
  EventSystem
 [svchost.exe]
  UDP    [::1]:1900             *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:62387            *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::d46:673c:897e:bad%11]:1900  *:*                                    4568
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::d46:673c:897e:bad%11]:62386  *:*                                    4568
  SSDPSRV
 [svchost.exe]

djkav · 29 Jan 2012 at 23:26

Grrr, its still occurring. I have noticed a pattern. It always occurs 2 minutes past the hour. The event log shows all Error 4227 occurred 1902, 2002, 2102, 2202, 2302 hrs.

Hmmm, deffo a windows rebuild 2moz i think. Kaspersky 12 still scanning away as i speak. No threats found in the Critical Areas Scan. Just waiting on the full scan now.

djkav · 30 Jan 2012 at 10:10

Interesting. Kaspersky 12 found no threats on my drives. Also, no Error 4227 after 2303h and through as at 1009.

This machine is getting more freaky. Flat out of answers and digging around now.

Do you think a windows rebuild should help?

davethe11 · 30 Jan 2012 at 10:43

have you tried a malwarebytes scan?

If an event occurs regularly then maybe you have a scheduled task occurring every hour?

djkav · 30 Jan 2012 at 10:54

davethe11 said:
have you tried a malwarebytes scan?

If an event occurs regularly then maybe you have a scheduled task occurring every hour?

Code:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ken :: KAV [administrator]

Protection: Enabled

30/01/2012 10:48:41
mbam-log-2012-01-30 (10-48-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280025
Time elapsed: 1 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Nothing showing there either, and task scheduler is empty.

davethe11 · 30 Jan 2012 at 11:06

Try booting into 'safe mode with networking support' and see if the problem persists.

djkav · 30 Jan 2012 at 11:35

davethe11 said:
Try booting into 'safe mode with networking support' and see if the problem persists.

Only problem is that I don't know when it will occur. Like I mentioned earlier, my last Error 4227 was 2303 last night. That would mean running in safe mode indefinitely

davethe11 · 30 Jan 2012 at 11:52

sorry, I thought it was happening every hour? The reason I recommend trying safe mode with networking support is that the problem could be due to a particular service that keeps opening connections (either maliciously or because it is broken) - booting into safe mode with networking support is the fastest way to boot windows with minimal services running - you may get lucky and find all is well, so you know there is a service causing the problem in a normal Windows boot.

I seem to remember the limit on connections opening per second being introduced in Vista (maybe it was earlier) as a security feature against trojans, I remember a lot of discussion about it in the p2p world (unsurprisingly!).

Do you use a wireless or wired connection?

djkav · 30 Jan 2012 at 11:57

davethe11 said:
sorry, I thought it was happening every hour? The reason I recommend trying safe mode with networking support is that the problem could be due to a particular service that keeps opening connections (either maliciously or because it is broken) - booting into safe mode with networking support is the fastest way to boot windows with minimal services running - you may get lucky and find all is well, so you know there is a service causing the problem in a normal Windows boot.

I seem to remember the limit on connections opening per second being introduced in Vista (maybe it was earlier) as a security feature against trojans, I remember a lot of discussion about it in the p2p world (unsurprisingly!).

Do you use a wireless or wired connection?

I'm wired to a Virgin Media Superhub.

djkav · 29 Feb 2012 at 19:26

Update, I have just formatted and re-installed windows 7.

I've now had too of those pesky internet killing Error 4227 showing up in the logs.