
Currports Utility


15 replies to this topic

#1 Tom_Slick
Posted 14 July 2008 - 11:31 PM

Hi all, I've just run this program for the first time and I have some entries that I'm not sure about. I'm hoping someone with experience with "CurrPorts" can help. I don't expect that these entries are any threat, but you never know. According to this: http://www.auditmypc.com/port/tcp-port-5400.asp it could be a sign of trojan activity? Thanks for looking! Sorry if this is in the wrong section.

Process Name  PID  Protocol  Local Port  Local Address  Remote Port  Remote Address  Remote Host Name  State
Unknown       0    TCP       5400        127.0.0.1      2079         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2083         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2071         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2075         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2076         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2068         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2080         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2084         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2072         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2069         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2081         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2077         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2073         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2074         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2082         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2078         127.0.0.1       localhost         Time Wait
Unknown       0    TCP       5400        127.0.0.1      2070         127.0.0.1       localhost         Time Wait

Edited by Tom_Slick, 14 July 2008 - 11:32 PM.

#2 raw
Posted 15 July 2008 - 08:14 PM

No clue about CurrPorts, but an unknown program trying multiple connections back to itself can't be good.
Try running TCPView and see if it can identify that "unknown" entry.
http://technet.microsoft.com/en-us/sysinte...s/bb897437.aspx
#3 Tom_Slick
Posted 16 July 2008 - 08:49 AM

Hi raw. I ran TCPView but I'm not sure what to make of what I'm seeing. And the list changes each time I switch pages or refresh the page in IE7. I ran TCPView while here at BC after reading your reply. I see some entries that are red and some that are yellow and they disappear and reappear when I refresh etc. I tried to save the list while the red entries were showing in the list. This is the first list I saw:

[System Process]:0 TCP home-desktop:5400 localhost:1767 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1776 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1771 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1772 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1768 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1775 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1779 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1796 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1788 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1800 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1804 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1783 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1787 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1795 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1799 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1791 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1803 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1780 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1797 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1785 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1813 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1792 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1784 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1812 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1820 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1816 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1808 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1807 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1815 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1793 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1777 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1809 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1805 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1773 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1817 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1781 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1769 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1789 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1821 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1801 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1824 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1814 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1790 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1774 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1810 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1794 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1778 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1802 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1818 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1822 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1770 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1806 TIME_WAIT
alg.exe:1892 TCP home-desktop:1028 home-desktop:0 LISTENING
ashMaiSv.exe:1024 TCP home-desktop:12143 home-desktop:0 LISTENING
ashMaiSv.exe:1024 TCP home-desktop:12110 home-desktop:0 LISTENING
ashMaiSv.exe:1024 TCP home-desktop:12025 home-desktop:0 LISTENING
ashMaiSv.exe:1024 TCP home-desktop:12119 home-desktop:0 LISTENING
ashWebSv.exe:956 TCP home-desktop:12080 home-desktop:0 LISTENING
iexplore.exe:1496 UDP home-desktop:1556 *:*
lsass.exe:516 UDP home-desktop:isakmp *:*
lsass.exe:516 UDP home-desktop:4500 *:*
svchost.exe:1064 UDP home-desktop:1900 *:*
svchost.exe:1064 UDP home-desktop:1900 *:*
svchost.exe:764 TCP home-desktop:epmap home-desktop:0 LISTENING
svchost.exe:860 UDP home-desktop:ntp *:*
svchost.exe:860 UDP home-desktop:ntp *:*
System:4 TCP home-desktop:microsoft-ds home-desktop:0 LISTENING
System:4 UDP home-desktop:microsoft-ds *:*
toastcore.exe:1644 TCP home-desktop:1565 localhost:1566 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:1566 localhost:1565 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:1568 65.196.203.20:7000 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
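The two listings in this thread (the CurrPorts export in the first post and the TCPView save above) show the same thing from two tools: TIME_WAIT sockets are no longer attached to any process, so both tools report them as PID 0 ("Unknown" / "[System Process]"). The owner of those sockets is found by matching the local port to whatever is LISTENING on it, which here is toastcore.exe:1644 on port 5400. The script below is an added example, not code from the thread, from NirSoft or from Sysinternals: it parses both text formats, attributes ownerless TIME_WAIT entries to the listener on the same port, and separately flags ESTABLISHED connections whose remote end is not loopback (the 65.196.203.20:7000 connection above), which is the one entry in the TCPView list that actually talks to the outside. The sample input is a constructed, trimmed copy of the lines quoted above; the local hostname `home-desktop` is passed in because TCPView prints it in place of the address.

```python
"""Triage a TCPView / CurrPorts socket listing (added example).

Ownerless TIME_WAIT entries (PID 0) are matched to the process LISTENING
on the same local port; ESTABLISHED connections to non-loopback peers
are reported separately.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample, trimmed from the TCPView output quoted in the thread.
SAMPLE = """\
[System Process]:0 TCP home-desktop:5400 localhost:1767 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1776 TIME_WAIT
[System Process]:0 TCP home-desktop:5400 localhost:1771 TIME_WAIT
alg.exe:1892 TCP home-desktop:1028 home-desktop:0 LISTENING
svchost.exe:764 TCP home-desktop:epmap home-desktop:0 LISTENING
toastcore.exe:1644 TCP home-desktop:1565 localhost:1566 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:1566 localhost:1565 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:1568 65.196.203.20:7000 ESTABLISHED
toastcore.exe:1644 TCP home-desktop:5400 home-desktop:0 LISTENING
lsass.exe:516 UDP home-desktop:isakmp *:*
"""


@dataclass(frozen=True)
class Endpoint:
    proc: str
    pid: int
    proto: str
    lhost: str
    lport: str
    rhost: str
    rport: str
    state: str  # normalised: TIME_WAIT, LISTENING, ESTABLISHED, "" for UDP


# TCPView "Save" format: proc:pid PROTO lhost:lport rhost:rport [STATE]
TCPVIEW_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\S+)\s+(?P<rhost>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)
# CurrPorts text export as pasted in the first post (whitespace separated):
# proc pid PROTO lport laddr rport raddr rhostname state
CURRPORTS_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<lport>\d+)\s+"
    r"(?P<lhost>\S+)\s+(?P<rport>\d+)\s+(?P<raddr>\S+)\s+(?P<rhost>\S+)\s+"
    r"(?P<state>.+?)\s*$"
)


def parse_listing(text):
    """Parse either format; header and unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rx in (CURRPORTS_RE, TCPVIEW_RE):
            m = rx.match(line)
            if m:
                break
        else:
            continue
        d = m.groupdict()
        rhost = d.get("raddr") or d["rhost"]          # prefer the IP over the name
        state = (d.get("state") or "").upper().replace(" ", "_")  # "Time Wait" -> TIME_WAIT
        entries.append(Endpoint(d["proc"], int(d["pid"]), d["proto"], d["lhost"],
                                d["lport"], rhost, d["rport"], state))
    return entries


def is_local(host, local_names):
    """Loopback address, or a name the caller says is this machine."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host in local_names


def triage(entries, local_names=frozenset({"localhost"})):
    listeners = defaultdict(set)   # local port -> {"proc:pid", ...}
    orphans = Counter()            # local port -> count of PID-0 TIME_WAIT sockets
    external = []                  # (proc, pid, rhost, rport) for non-loopback peers
    for e in entries:
        if e.proto != "TCP":
            continue
        if e.state == "LISTENING":
            listeners[e.lport].add(f"{e.proc}:{e.pid}")
        elif e.state == "TIME_WAIT" and e.pid == 0:
            orphans[e.lport] += 1
        elif e.state == "ESTABLISHED" and not is_local(e.rhost, local_names):
            external.append((e.proc, e.pid, e.rhost, e.rport))
    # An orphaned TIME_WAIT socket on port P was owned by whoever listens on P.
    attribution = {port: sorted(listeners.get(port, ())) for port in orphans}
    return {"listeners": dict(listeners), "orphan_time_wait": dict(orphans),
            "attribution": attribution, "external": external}


def summarize(report):
    lines = []
    for port, n in sorted(report["orphan_time_wait"].items()):
        owners = report["attribution"][port]
        who = ", ".join(owners) if owners else "no listener captured; re-run TCPView"
        lines.append(f"port {port}: {n} ownerless TIME_WAIT sockets; listener = {who}")
    for proc, pid, host, port in report["external"]:
        lines.append(f"{proc}:{pid} has a non-loopback connection to {host}:{port}")
    return lines


if __name__ == "__main__":
    rep = triage(parse_listing(SAMPLE), local_names={"localhost", "home-desktop"})
    print("\n".join(summarize(rep)))
```

Run against the trimmed sample this reports port 5400's TIME_WAIT sockets as belonging to toastcore.exe:1644 and lists the single outbound connection to 65.196.203.20:7000; the listener name, not the port number, is what to look up, since a port-lookup site like the one in the first post only tells you what has ever used a number.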

#4 nigglesnush85
Posted 16 July 2008 - 09:27 AM

CurrPorts and TCPView are pretty much identical.

The port can be used for malware. What security products are you using? Also, you may want to run some free online virus scanners just to be safe.

http://housecall.trendmicro.com/uk/
http://www.eset.com/onlinescan/
http://www.kaspersky.com/virusscanner
Regards,

Alan.

#5 Tom_Slick
Posted 16 July 2008 - 12:03 PM

CurrPorts and TCPView are pretty much identical.

The port can be used for malware. What security products are you using? Also, you may want to run some free online virus scanners just to be safe.

http://housecall.trendmicro.com/uk/
http://www.eset.com/onlinescan/
http://www.kaspersky.com/virusscanner

I'm currently using the Windows XP Firewall, avast antivirus (recent install, fully updated), SuperAntiSpy Free (also recent install, fully updated), AVG AntiRootkit, Windows Defender, and HijackThis.
All scans are clean, with the exception of 3 tracking cookies found and removed by SuperAntiSpy.
I'll run some online scans and see what happens. I'll post the results here.
Thanks!

#6 nigglesnush85
Posted 16 July 2008 - 01:31 PM

Also, open currports and double click on one of the entries to display more information about the connection.
Regards,

Alan.

#7 Tom_Slick
Posted 16 July 2008 - 03:53 PM

Also, open currports and double click on one of the entries to display more information about the connection.

I double clicked on a few of the Unknown entries and I only see the same information in the box that opens as I do in the CurrPorts list.
Also, I've tried and failed to run any online scans. When I try the Housecall scan I get to the part where it says, "initializing and starting housecall" and it just sits on that page for over an hour and goes no further.
When I try the Kaspersky scan I get a Java error but it still tries to download and install the updates but after about an hour of that I inevitably lose my internet connection.
While trying the eset scan I got an internet explorer error that said "Internet Explorer has encountered a problem and needs to close". Error report was sent to Microsoft.
Suggestions?
Thanks!

#8 nigglesnush85
Posted 16 July 2008 - 04:13 PM

That is strange. Try using https://psi.secunia.com/ to update the system, then try the scanners again.
Regards,

Alan.

#9 Tom_Slick
Posted 17 July 2008 - 08:05 AM

That is strange. Try using https://psi.secunia.com/ to update the system, then try the scanners again.

Well, nigglesnush85, I hope you're ready for a long story! :thumbsup:
I ran the PSI program. It showed that I had 3 "Insecure" programs, 1 "End of Life" program, and 36 "Patched" programs. The Insecure programs were: 2 Instances of Java, both of which were exactly the same as far as I could tell from the "Version" info.
The 3rd "Insecure" program was QuickTime. Which was set to run on Start Up.
I disabled QuickTime by running "msconfig", clicking on "StartUp" and then unticked the box for QT in the list.
Uninstalled Java from "Add/Remove Programs", only saw 1 entry for Java.
The 1 End of Life program was Adobe Acrobat Reader, I uninstalled it.
After rebooting I ran PSI again and I now see only 1 "Insecure" program which is still QuickTime even though it did not run on startup. The "End of Life" programs list is now empty.
So next, I connected to the internet and ran CurrPorts and I still see the Unknowns in the list. Next I tried to run the "eset" online scan again and again I got the "Internet Explorer has encountered a problem and needs to close" error. I reopened IE7 and tried the "Housecall" online scan. Since I had uninstalled Java, I chose the option "Use the HouseCall Kernel" to initiate the scan. After about 1.5 hours, I made it to the part where it is "updating grayware/malware" (step 3) and then I get an error saying that "an error occurred and the updates could not be completed, do you want to try resending the information?"; my choices were "ok" and "cancel". I chose "ok". About an hour later the same thing happened again. I tried 3 times, but after I got the error a 4th time I gave up on it and went to bed.
Part of the problem is that I'm on dialup, online scans seem to take too long. But I don't know what else to do.
Thanks for any additional help!

#10 nigglesnush85
Posted 17 July 2008 - 08:56 AM

The Secunia tool is probably reporting QuickTime as insecure even when disabled, because the file is still there or out of date.

Have you tried another browser? http://www.mozilla-europe.org/en/firefox/
Regards,

Alan.

#11 Tom_Slick
Posted 20 July 2008 - 09:58 AM

Have you tried another browser? http://www.mozilla-europe.org/en/firefox/

Yes. I'm now using Firefox 3 as my default browser. But that didn't help with the online scans at all. Two of the online scanners will not work with Firefox; the third scanner uses Java, but I do not have the latest Java installed. I've been trying to download it but each time I've tried I lose my connection before it finishes downloading.
I did, however, determine that the Unknown entries that are using Local Port 5400 are actually due to the "Accelerator" program for my dialup connection. But I do have a lot of Unknowns that I have yet to figure out.
Thanks for the help!

#12 nigglesnush85
Posted 20 July 2008 - 01:15 PM

That is strange. Where are you downloading Java from? Also, are you away from the computer while downloading? I remember that dial-up disconnects when the computer is inactive after a certain amount of time.
Regards,

Alan.

#13 Tom_Slick
Posted 21 July 2008 - 11:23 AM

I've been trying to download Java from the Java site.
In my dialup options, I have it setup to "Never" disconnect automatically. When I'm finished surfing, I close the connection. I don't surf while I'm downloading because that just slows down the download speed and makes it take even longer. I'm going to try the download again late at night, I seem to have better luck when not doing downloads during "peak" hours.
Thanks!

#14 nigglesnush85
Posted 21 July 2008 - 05:57 PM

I may be wrong but I think Java can post a CD out to you with Java on it.
Regards,

Alan.

#15 Tom_Slick
Posted 23 July 2008 - 08:19 PM

I may be wrong but I think Java can post a CD out to you with Java on it.

You're not wrong; well, it's offered on the site, but when I click on the link "Java software on a CD" I'm directed to a page that says "Sorry! We couldn't find the document requested."
You can see if it works for you, maybe it's me. Look for where it says "You can also choose to receive....."
http://www.java.com/en/download/help/auto_install.xml
Thanks!

Edited by Tom_Slick, 23 July 2008 - 08:23 PM.