tcpview-seeing weird things?


28 replies to this topic

#1 reaching (Members)

Posted 29 May 2015 - 01:09 PM

I see weird things in TCPView.

In the local host column, I see something that says "boot computer", not an ISP address.

There is a service process that does not have a PID number, but all the other processes have one. It's on remote port 21322.

In the local address column, it says my computer name, missy-hp; sometimes it says missy-hp.nyc.rr.com.

It looks nothing like the sample TCPView output I found online.

Also, the Windows Firewall will not let me block remote ports (mentioned in another thread). I block all three profiles, public, private and domain, but it keeps disabling the block rule for the private profile.

Also on Webroot under active processes, in the local address column, it has my computer name listed with numbers after it. So for example, it says missy-HP:49154, missy-HP:500, and missy-HP:135. Each of these is listed twice (this is when I'm not online). Two of the three are listening on TCP4 and the other one is open for "x" minutes on UDP4.

I am using Windows 7 Home Premium.

I hope I explained this okay: I'm trying to understand the computer and still learning.

Anyway, I fear that someone has access to the computer.

Any help to figure out what's going on will be greatly appreciated.

Thanks.


#2 Didier Stevens (BC Advisor)

Posted 01 June 2015 - 02:48 PM

In the local host column, I see something that says "boot computer", not an ISP address.

There is a service process that does not have a PID number, but all the other processes have one. It's on remote port 21322.

In the local address column, it says my computer name, missy-hp; sometimes it says missy-hp.nyc.rr.com.

Can you provide the complete row for each of these examples?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 reaching (Topic Starter)

Posted 01 June 2015 - 04:29 PM

Okay, I'll try. I copied the output from TCPView into Notepad. I don't know if it will come out in columns, though (I'm just learning how to do all this stuff). The "boot pc" is the fifth one from the bottom. I was connected to the internet but not doing anything.

Here goes:

Process PID Protocol Local Address Local Port Remote Address Remote Port State (then per-connection traffic counters, where present)
[System Process] 0 TCP missy-HP 49393 localhost 21322 TIME_WAIT
iexplore.exe 2324 TCP missy-HP 49167 localhost 27019 ESTABLISHED          
iexplore.exe 2324 TCP missy-hp.nyc.rr.com 49309 74-50-122-103.static.hvvc.us 8176 ESTABLISHED   27,969 39,168,639  32,235  21  
iexplore.exe 2324 TCP missy-hp.nyc.rr.com 49310 74-50-122-103.static.hvvc.us 8176 CLOSE_WAIT          
lsass.exe 628 TCP missy-HP 49155 missy-HP 0 LISTENING          
lsass.exe 628 TCPV6 missy-hp 49155 missy-hp 0 LISTENING          
mbamservice.exe 1688 TCP missy-HP 43227 missy-HP 0 LISTENING          
SDFSSvc.exe 2024 TCP missy-HP 21320 missy-HP 0 LISTENING          
SDFSSvc.exe 2024 TCP missy-HP 21322 missy-HP 0 LISTENING          
SDFSSvc.exe 2024 TCP missy-HP 21323 missy-HP 0 LISTENING          
SDFSSvc.exe 2024 UDP missy-HP 21328 * *    4 456      
SDFSSvc.exe 2024 UDP missy-HP 49484 * *  4 456        
SDTray.exe 3612 TCP missy-HP 21327 missy-HP 0 LISTENING          
SDUpdSvc.exe 2180 TCP missy-HP 21321 missy-HP 0 LISTENING          
SeaPort.EXE 2268 TCP missy-hp.nyc.rr.com 49318 131.253.40.10 http ESTABLISHED 19,147 3,963,429 19,788 2,770,320      
services.exe 608 TCP missy-HP 49156 missy-HP 0 LISTENING          
services.exe 608 TCPV6 missy-hp 49156 missy-hp 0 LISTENING          
svchost.exe 916 TCP missy-HP epmap missy-HP 0 LISTENING          
svchost.exe 980 TCP missy-HP 49153 missy-HP 0 LISTENING          
svchost.exe 108 TCP missy-HP 49154 missy-HP 0 LISTENING          
svchost.exe 108 UDP missy-HP isakmp * *           
svchost.exe 108 UDP missy-HP ipsec-msft * *           
svchost.exe 1272 UDP missy-HP llmnr * *    4 88      
svchost.exe 916 TCPV6 missy-hp epmap missy-hp 0 LISTENING          
svchost.exe 980 TCPV6 missy-hp 49153 missy-hp 0 LISTENING          
svchost.exe 108 TCPV6 missy-hp 49154 missy-hp 0 LISTENING          
svchost.exe 108 UDPV6 missy-hp 500 * *           
svchost.exe 108 UDPV6 missy-hp 4500 * *           
svchost.exe 1272 UDPV6 missy-hp 5355 * *           
svchost.exe 980 UDP missy-hp.nyc.rr.com bootpc * *  1 300   300  1   
System 4 TCP missy-HP microsoft-ds missy-HP 0 LISTENING          
System 4 TCPV6 missy-hp microsoft-ds missy-hp 0 LISTENING          
wininit.exe 552 TCP missy-HP 49152 missy-HP 0 LISTENING          
wininit.exe 552 TCPV6 missy-hp 49152 missy-hp 0 LISTENING          
WRSA.exe 804 TCP missy-HP 27019 missy-HP 0 LISTENING          
WRSA.exe 804 TCP missy-HP 27019 localhost 49167 ESTABLISHED          

This is one where I was on the internet: I just had an internet station playing.

Process PID Protocol Local Address Local Port Remote Address Remote Port State
[System Process] 0 TCP missy-HP 49158 localhost 27019 TIME_WAIT
hpCaslNotification.exe 4776 TCP missy-hp.nyc.rr.com 49160 24.143.200.224 http ESTABLISHED          
iexplore.exe 4532 TCP missy-HP 49162 localhost 27019 ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49164 a-0003.a-msedge.net http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49165 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49166 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49167 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49168 65.52.108.11 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49169 24.143.200.219 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49170 137.116.81.24 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49171 65.52.108.11 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49172 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49173 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49174 65.55.121.246 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49175 65.55.121.246 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49176 a23-76-42-62.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49179 199.27.76.249 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49180 ec2-54-221-232-226.compute-1.amazonaws.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49181 a23-76-42-124.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49183 a-0001.a-msedge.net http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49184 a-0001.a-msedge.net http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49186 137.116.81.24 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49187 137.116.81.24 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49188 137.116.81.24 http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49189 a-0003.a-msedge.net https ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49196 199.96.57.6 http CLOSE_WAIT          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49197 199.16.157.105 https ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49213 host.liveonlineradio.us http CLOSE_WAIT          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49215 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49216 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49217 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49218 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49219 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49220 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49221 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49222 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49223 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49224 a23-54-181-163.deploy.static.akamaitechnologies.com http ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49236 host.liveonlineradio.us http CLOSE_WAIT          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49237 host.liveonlineradio.us http CLOSE_WAIT          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49245 lga15s45-in-f13.1e100.net https ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49246 lga15s45-in-f13.1e100.net https ESTABLISHED          
iexplore.exe 4532 TCP missy-hp.nyc.rr.com 49252 74-50-122-103.static.hvvc.us 8176 ESTABLISHED          
iexplore.exe 500 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49177 [2606:2800:11f:179a:1972:2405:35b:459] https ESTABLISHED          
iexplore.exe 500 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49178 [2606:2800:11f:179a:1972:2405:35b:459] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49185 [2600:141b:4:38d:0:0:0:eed] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49190 [2a03:2880:f012:1:face:b00c:0:1] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49195 [2a03:2880:f012:1:face:b00c:0:1] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49198 [2600:141b:5:0:0:0:b81d:688a] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49199 [2600:141b:5:0:0:0:b81d:688a] https CLOSE_WAIT          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49202 [2607:f8b0:400d:c08:0:0:0:9d] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49203 [2607:f8b0:4006:807:0:0:0:1019] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49204 [2607:f8b0:4006:807:0:0:0:1019] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49205 [2607:f8b0:4006:807:0:0:0:1019] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49206 [2607:f8b0:4006:807:0:0:0:1019] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49207 [2607:f8b0:4006:807:0:0:0:1019] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49208 [2607:f8b0:4006:80e:0:0:0:200e] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49209 [2607:f8b0:4006:80e:0:0:0:200e] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49210 [2607:f8b0:4006:80e:0:0:0:200e] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49211 [2607:f8b0:4006:80e:0:0:0:2001] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49212 [2607:f8b0:4006:80e:0:0:0:2002] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49214 [2600:141b:5:0:0:0:b81d:68f2] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49225 [2607:f8b0:4006:80f:0:0:0:200e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49226 [2607:f8b0:4006:80b:0:0:0:1007] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49227 [2607:f8b0:4006:80e:0:0:0:200e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49228 [2607:f8b0:4006:80d:0:0:0:100e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49229 [2607:f8b0:4006:807:0:0:0:1004] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49230 [2607:f8b0:4006:80e:0:0:0:2002] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49231 [2607:f8b0:4006:80e:0:0:0:200e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49232 [2607:f8b0:4006:80e:0:0:0:200e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49233 [2607:f8b0:4006:807:0:0:0:1000] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49234 [2607:f8b0:4006:80d:0:0:0:100e] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49235 [2607:f8b0:4006:80b:0:0:0:1007] http ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49239 [2607:f8b0:4006:80e:0:0:0:2001] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49240 [2607:f8b0:4006:80e:0:0:0:2001] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49241 [2607:f8b0:4006:80e:0:0:0:2001] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49242 [2607:f8b0:4006:80e:0:0:0:200e] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49243 [2607:f8b0:4006:80f:0:0:0:2001] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49244 [2607:f8b0:4006:80e:0:0:0:200e] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49247 [2600:141b:5:0:0:0:b81d:68f2] https CLOSE_WAIT          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49248 [2600:141b:5:0:0:0:b81d:68f2] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49249 [2607:f8b0:4003:c07:0:0:0:63] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49250 [2607:f8b0:4003:c07:0:0:0:63] https ESTABLISHED          
iexplore.exe 4532 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49251 [2607:f8b0:4003:c07:0:0:0:63] https ESTABLISHED          
iexplore.exe 500 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49254 [2606:2800:11f:179a:1972:2405:35b:459] https ESTABLISHED          
iexplore.exe 500 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49255 [2606:2800:11f:179a:1972:2405:35b:459] https ESTABLISHED          
iexplore.exe 500 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49256 [2606:2800:11f:179a:1972:2405:35b:459] https ESTABLISHED          
lsass.exe 624 TCP missy-HP 49155 missy-HP 0 LISTENING          
lsass.exe 624 TCPV6 missy-hp 49155 missy-hp 0 LISTENING          
mbamservice.exe 132 TCP missy-HP 43227 missy-HP 0 LISTENING          
SDFSSvc.exe 1968 TCP missy-HP 21320 missy-HP 0 LISTENING          
SDFSSvc.exe 1968 TCP missy-HP 21322 missy-HP 0 LISTENING          
SDFSSvc.exe 1968 TCP missy-HP 21323 missy-HP 0 LISTENING          
SDFSSvc.exe 1968 UDP missy-HP 21328 * *           
SDFSSvc.exe 1968 UDP missy-HP 49152 * *           
SDTray.exe 4028 TCP missy-HP 21327 missy-HP 0 LISTENING          
SDUpdSvc.exe 2068 TCP missy-HP 21321 missy-HP 0 LISTENING          
SeaPort.EXE 2172 TCP missy-hp.nyc.rr.com 49264 131.253.40.10 http ESTABLISHED          
services.exe 608 TCP missy-HP 49156 missy-HP 0 LISTENING          
services.exe 608 TCPV6 missy-hp 49156 missy-hp 0 LISTENING          
svchost.exe 904 TCP missy-HP epmap missy-HP 0 LISTENING          
svchost.exe 968 TCP missy-HP 49153 missy-HP 0 LISTENING          
svchost.exe 520 TCP missy-HP 49154 missy-HP 0 LISTENING          
svchost.exe 1336 TCP missy-hp.nyc.rr.com 49260 24.143.200.224 http ESTABLISHED          
svchost.exe 520 TCP missy-hp.nyc.rr.com 49261 24.143.200.224 http ESTABLISHED          
svchost.exe 520 UDP missy-HP isakmp * *           
svchost.exe 520 UDP missy-HP ipsec-msft * *           
svchost.exe 1336 UDP missy-HP 57969 * *           
svchost.exe 904 TCPV6 missy-hp epmap missy-hp 0 LISTENING          
svchost.exe 968 TCPV6 missy-hp 49153 missy-hp 0 LISTENING          
svchost.exe 520 TCPV6 missy-hp 49154 missy-hp 0 LISTENING          
svchost.exe 1336 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49257 [2600:141b:5:0:0:0:b81d:6881] http ESTABLISHED          
svchost.exe 1336 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49258 [2600:141b:4:28e:0:0:0:2768] http ESTABLISHED          
svchost.exe 520 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49262 [2600:141b:5:0:0:0:b81d:695b] http ESTABLISHED          
svchost.exe 520 TCPV6 [2604:2000:bfc0:4:c1f3:72a3:9ad2:750f] 49263 [2a01:111:f307:1790:0:0:f001:6a1] https ESTABLISHED          
svchost.exe 520 UDPV6 missy-hp 500 * *           
svchost.exe 520 UDPV6 missy-hp 4500 * *           
System 4 TCP missy-HP microsoft-ds missy-HP 0 LISTENING          
System 4 TCPV6 missy-hp microsoft-ds missy-hp 0 LISTENING          
wininit.exe 556 TCP missy-HP 49152 missy-HP 0 LISTENING          
wininit.exe 556 TCPV6 missy-hp 49152 missy-hp 0 LISTENING          
WRSA.exe 840 TCP missy-HP 27019 missy-HP 0 LISTENING          
WRSA.exe 840 TCP missy-HP 27019 localhost 49162 ESTABLISHED          
WRSA.exe 840 TCP missy-hp.nyc.rr.com 49163 ec2-46-51-186-233.eu-west-1.compute.amazonaws.com https ESTABLISHED          
WRSA.exe 840 TCP missy-hp.nyc.rr.com 49238 ec2-54-165-161-177.compute-1.amazonaws.com https ESTABLISHED   

I don't know how to get a copy of Webroot active processes.

Thanks for looking at it.



#4 Didier Stevens (BC Advisor)

Posted 02 June 2015 - 03:22 AM

I understand it now. You misreported what you saw. You wrote "boot computer" in the local host column.
But when I look at your TCPView output, I see bootpc in the local port column.

bootpc is not a boot computer; bootpc is a protocol. The bootpc protocol uses port 68. Since TCPView is resolving port names for you (you can disable this), it reports port 68 with the name bootpc.

In short, it means your machine is acting as a DHCP server.


#5 reaching (Topic Starter)

Posted 02 June 2015 - 04:41 AM

Okay, thank you for explaining. I guess I interpreted "pc" as personal computer. I'm sorry.

So, is my PC acting as DHCP the default configuration for Windows 7? I tried to google your answer and didn't quite get it. It looked like the modem/router (I have an Ethernet/public network connection) is supposed to be the DHCP.
In other words, is it okay?

I'll resolve the addresses and see.

#6 reaching (Topic Starter)

Posted 02 June 2015 - 05:25 AM

Okay, here's a resolved copy of the TCPView output. The first process shows up all the time. It doesn't have a process number, and sometimes multiple instances of it show up.

The help exe process is unknown according to whois.

At the bottom are a whole bunch of zeroes where my IP address should be.

Here it is:

Process PID Protocol Local Address Local Port Remote Address Remote Port State (then per-connection traffic counters, where present)
[System Process] 0 TCP 127.0.0.1 49283 127.0.0.1 21322 TIME_WAIT
HelpPane.exe 4520 TCP 74.73.77.175 49285 134.170.119.140 80 ESTABLISHED
HelpPane.exe 4520 TCP 74.73.77.175 49287 184.29.106.41 80 ESTABLISHED
iexplore.exe 4656 TCP 127.0.0.1 49173 127.0.0.1 27019 ESTABLISHED
lsass.exe 628 TCP 0.0.0.0 49155 0.0.0.0 0 LISTENING
lsass.exe 628 TCPV6 [0:0:0:0:0:0:0:0] 49155 [0:0:0:0:0:0:0:0] 0 LISTENING
SDFSSvc.exe 516 TCP 127.0.0.1 21320 0.0.0.0 0 LISTENING
SDFSSvc.exe 516 TCP 127.0.0.1 21322 0.0.0.0 0 LISTENING
SDFSSvc.exe 516 TCP 127.0.0.1 21323 0.0.0.0 0 LISTENING
SDFSSvc.exe 516 UDP 0.0.0.0 21328 * * 1 114
SDFSSvc.exe 516 UDP 0.0.0.0 49152 * * 1 114
SDTray.exe 3652 TCP 127.0.0.1 21327 0.0.0.0 0 LISTENING
SDUpdSvc.exe 1756 TCP 127.0.0.1 21321 0.0.0.0 0 LISTENING
SeaPort.EXE 1980 TCP 74.73.77.175 49161 65.55.2.82 80 ESTABLISHED 1,880 391,040 1,945 272,300 10,816 7,560 52 54
services.exe 604 TCP 0.0.0.0 49156 0.0.0.0 0 LISTENING
services.exe 604 TCPV6 [0:0:0:0:0:0:0:0] 49156 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 908 TCP 0.0.0.0 135 0.0.0.0 0 LISTENING
svchost.exe 1004 TCP 0.0.0.0 49153 0.0.0.0 0 LISTENING
svchost.exe 456 TCP 0.0.0.0 49154 0.0.0.0 0 LISTENING
svchost.exe 1004 UDP 74.73.77.175 68 * * 6 1,800
svchost.exe 456 UDP 0.0.0.0 500 * *
svchost.exe 456 UDP 0.0.0.0 4500 * *
svchost.exe 1352 UDP 0.0.0.0 5355 * * 2 44
svchost.exe 908 TCPV6 [0:0:0:0:0:0:0:0] 135 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 1004 TCPV6 [0:0:0:0:0:0:0:0] 49153 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 456 TCPV6 [0:0:0:0:0:0:0:0] 49154 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 456 UDPV6 [0:0:0:0:0:0:0:0] 500 * *
svchost.exe 456 UDPV6 [0:0:0:0:0:0:0:0] 4500 * *
svchost.exe 1352 UDPV6 [0:0:0:0:0:0:0:0] 5355 * *
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
System 4 TCPV6 [0:0:0:0:0:0:0:0] 445 [0:0:0:0:0:0:0:0] 0 LISTENING
wininit.exe 556 TCP 0.0.0.0 49152 0.0.0.0 0 LISTENING
wininit.exe 556 TCPV6 [0:0:0:0:0:0:0:0] 49152 [0:0:0:0:0:0:0:0] 0 LISTENING
WRSA.exe 804 TCP 0.0.0.0 27019 0.0.0.0 0 LISTENING
WRSA.exe 804 TCP 127.0.0.1 27019 127.0.0.1 49173 ESTABLISHED
WRSA.exe 804 TCP 74.73.77.175 49284 54.225.166.181 80 ESTABLISHED

Thanks for taking the time to reply. It did help to get some feedback.

#7 Didier Stevens (BC Advisor)

Posted 02 June 2015 - 07:07 AM

So, is my PC acting as DHCP the default configuration for Windows 7? I tried to google your answer and didn't quite get it. It looked like the modem/router (I have an Ethernet/public network connection) is supposed to be the DHCP.
In other words, is it okay?

No, that is not the default. Workstations do not act as DHCP servers. Maybe you have Internet Connection Sharing (ICS) enabled?



#8 Didier Stevens (BC Advisor)

Posted 02 June 2015 - 07:15 AM

Okay, here's a resolved copy of the TCPView output. The first process shows up all the time. It doesn't have a process number, and sometimes multiple instances of it show up.

The help exe process is unknown according to whois.

At the bottom are a whole bunch of zeroes where my IP address should be.

Here it is:

[System Process] 0 TCP 127.0.0.1 49283 127.0.0.1 21322 TIME_WAIT

wininit.exe 556 TCP 0.0.0.0 49152 0.0.0.0 0 LISTENING
wininit.exe 556 TCPV6 [0:0:0:0:0:0:0:0] 49152 [0:0:0:0:0:0:0:0] 0 LISTENING

 

The [System Process] has a number (PID): it is 0. This represents the kernel, and will always have PID 0.

 

helppane.exe is the Microsoft Help and Support application.

 

0.0.0.0 is an IPv4 address that means that the process is listening on all of your network adapters (ethernet, loopback, wifi, ...)

[0:0:0:0:0:0:0:0] is an IPv6 address that means that the process is listening on all of your network adapters (ethernet, loopback, wifi, ...)



#9 reaching (Topic Starter)

Posted 02 June 2015 - 10:51 AM

Hi,

I do not have ICS (Internet Connection Sharing). I googled it and followed the steps to check.

In fact, I have wifi disabled, file and printer sharing turned off, turned off remote access, and tried to block some ports (135-139, 445 and some other ones, based on an article I read; the firewall won't let me, it seems). There should be no sharing going on.

As for network adapters, I only have 2: the Ethernet and the wifi (I looked in Device Manager). What is loopback? Should my computer be listening on loopback?

Am I hacked or something?



#10 Didier Stevens (BC Advisor)

Posted 02 June 2015 - 11:19 AM

Loopback is the localhost IP address, 127.0.0.1. If you want to connect to the network of your computer from your computer, you use localhost or 127.0.0.1.

No, there is no reason to believe that you are hacked.

We will try to figure out why your computer is listening on bootpc.

Are you familiar with Process Explorer?



#11 reaching (Topic Starter)

Posted 02 June 2015 - 11:45 AM

No, I've never heard of Process Explorer. I'll google it while I wait for your response.

#12 reaching (Topic Starter)

Posted 02 June 2015 - 12:11 PM

Okay, I downloaded Process Explorer. What now? I can't figure out how to pause and print it.



#13 reaching (Topic Starter)

Posted 02 June 2015 - 01:16 PM

Okay, I figured out how to copy it so you can look at it. The processes that have nothing in the Company or Description column say "Path: [error opening process]" when you run the mouse (pointer) over it.

Here it is:

Process CPU Private Bytes Working Set PID Description Company Name
System Idle Process 41.91 0 K 24 K 0  
System 1.69 196 K 1,160 K 4  
 Interrupts 3.07 0 K 0 K n/a Hardware Interrupts and DPCs 
 smss.exe  444 K 1,088 K 340  
csrss.exe 0.02 2,048 K 4,216 K 500  
wininit.exe  1,464 K 4,472 K 556  
 services.exe 0.11 5,372 K 9,212 K 608  
  svchost.exe 0.19 4,036 K 9,012 K 744 Host Process for Windows Services Microsoft Corporation
   WmiPrvSE.exe  2,848 K 6,988 K 3968  
   WmiPrvSE.exe  5,600 K 9,684 K 1812  
  WRSA.exe 1.08 21,172 K 4,104 K 800 Webroot SecureAnywhere Webroot
   WRSA.exe 0.22 6,904 K 908 K 2756 Webroot SecureAnywhere Webroot
  svchost.exe 0.25 3,920 K 7,608 K 904 Host Process for Windows Services Microsoft Corporation
  svchost.exe 2.24 17,328 K 18,924 K 952 Host Process for Windows Services Microsoft Corporation
  svchost.exe < 0.01 103,152 K 109,464 K 240 Host Process for Windows Services Microsoft Corporation
   dwm.exe 4.32 50,024 K 27,496 K 732 Desktop Window Manager Microsoft Corporation
  svchost.exe 17.98 7,932 K 12,228 K 428 Host Process for Windows Services Microsoft Corporation
  svchost.exe 0.24 20,536 K 34,828 K 460 Host Process for Windows Services Microsoft Corporation
   taskeng.exe  1,720 K 5,024 K 2636  
   wuauclt.exe  1,968 K 6,420 K 4976 Windows Update Microsoft Corporation
  svchost.exe  2,188 K 5,332 K 1088 Host Process for Windows Services Microsoft Corporation
  svchost.exe 0.82 10,256 K 14,052 K 1252 Host Process for Windows Services Microsoft Corporation
  spoolsv.exe  6,536 K 11,664 K 1528 Spooler SubSystem App Microsoft Corporation
  svchost.exe 0.01 11,404 K 12,228 K 1556 Host Process for Windows Services Microsoft Corporation
  armsvc.exe  1,164 K 3,964 K 1692 Adobe Acrobat Update Service Adobe Systems Incorporated
  AERTSr64.exe  968 K 2,664 K 1800 Andrea filters APO access service (64-bit) Andrea Electronics Corporation
  svchost.exe  4,740 K 10,132 K 1832 Host Process for Windows Services Microsoft Corporation
  HPClientServices.exe  3,460 K 7,624 K 1872 HP Client Services Hewlett-Packard Company
  HPDrvMntSvc.exe  1,016 K 3,640 K 2040 HP Quick Synchronization Service Hewlett-Packard Company
  HPWMISVC.exe  1,760 K 6,112 K 1160 HP Quick Launch WMI Service Hewlett-Packard Development Company, L.P.
  RIconMan.exe 0.07 1,868 K 5,872 K 1268 Realtek Card Reader Icon Tool. Realsil Microelectronics Inc.
  RNowSvc.exe 0.82 2,036 K 4,896 K 1504 Windows Service App Roxio
  SDFSSvc.exe 0.43 32,948 K 38,860 K 1648 Spybot-S&D 2 Scanner Service Safer-Networking Ltd.
  SDUpdSvc.exe 0.11 8,472 K 14,024 K 1900 Spybot-S&D 2 Background update service Safer-Networking Ltd.
  SeaPort.EXE 8.81 5,096 K 9,028 K 1380  
  sftvsa.exe  1,408 K 4,824 K 2200 Microsoft Application Virtualization Virtual Service Agent Microsoft Corporation
  svchost.exe  1,776 K 5,388 K 2220 Host Process for Windows Services Microsoft Corporation
  WLIDSVC.EXE 0.35 6,696 K 15,152 K 2256  
   WLIDSVCM.EXE  1,208 K 3,272 K 2416  
  SDWSCSvc.exe 0.35 5,280 K 9,920 K 2332 Windows Security Center integration. Safer-Networking Ltd.
  sftlist.exe  5,600 K 13,672 K 2644 Microsoft Application Virtualization Client Service Microsoft Corporation
  CVHSVC.EXE  6,820 K 14,204 K 2784  
  taskhost.exe 0.02 8,276 K 11,800 K 152 Host Process for Windows Tasks Microsoft Corporation
  SearchIndexer.exe 0.68 17,500 K 11,460 K 3228 Microsoft Windows Search Indexer Microsoft Corporation
  hpqWmiEx.exe  1,752 K 6,192 K 3604 hpqwmiex Module Hewlett-Packard Company
  HPHC_Service.exe  27,544 K 12,564 K 2404  
  HPWA_Service.exe < 0.01 46,080 K 34,112 K 2144  
  IAStorDataMgrSvc.exe 0.10 18,740 K 15,464 K 2464  
  svchost.exe 0.05 47,724 K 17,096 K 1640 Host Process for Windows Services Microsoft Corporation
 lsass.exe < 0.01 4,156 K 11,172 K 624 Local Security Authority Process Microsoft Corporation
 lsm.exe  2,376 K 4,072 K 632  
csrss.exe 1.18 3,240 K 10,992 K 568  
winlogon.exe  2,820 K 7,012 K 824  
explorer.exe 0.19 34,920 K 46,780 K 2892 Windows Explorer Microsoft Corporation
 igfxtray.exe  2,296 K 6,244 K 3312 igfxTray Module Intel Corporation
 hkcmd.exe  3,024 K 10,052 K 3328 hkcmd Module Intel Corporation
 igfxpers.exe  2,796 K 8,592 K 3340 persistence Module Intel Corporation
 RtkNGUI64.exe  9,964 K 9,560 K 3352 Realtek HD Audio Manager Realtek Semiconductor
 procexp.exe  2,388 K 7,168 K 3912 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
  procexp64.exe 12.22 17,668 K 33,872 K 420 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
SDTray.exe 0.40 12,104 K 22,736 K 3652 Spybot - Search & Destroy tray access Safer-Networking Ltd.
IAStorIcon.exe < 0.01 21,672 K 21,488 K 3668 IAStorIcon Intel Corporation
HPOSD.exe 0.01 9,132 K 11,708 K 3688 HP On Screen Display Hewlett-Packard Development Company, L.P.
HPMSGSVC.exe 0.01 2,152 K 7,552 K 3704 HP Message Service Hewlett-Packard Development Company, L.P.
GWX.exe  2,856 K 1,280 K 3928 GWX Microsoft Corporation
CCleaner64.exe 0.03 9,200 K 4,024 K 3128  
HPWA_Main.exe < 0.01 54,404 K 50,072 K 4832 HP Wireless Assistant Hewlett-Packard Company
 hpCaslNotification.exe  29,724 K 9,308 K 5060 hpCaslNotification Hewlett-Packard Development Company L.P.



#14 Didier Stevens (BC Advisor)

Posted 02 June 2015 - 02:20 PM

Check the process that listens on the bootpc port. In your previous posts, it was svchost.exe PID 980.

In Process Explorer, select this process. But watch out: there are several svchost.exe processes, and if you've restarted your computer, the PID might no longer be 980. So get the PID from TCPView and then select this process in Process Explorer.

Right-click to open the Properties, and select the Services tab. Is there a service that contains the word DHCP?



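As an added example (it is not part of the thread, and not Sysinternals code), here is a small Python script that applies the points made in posts #4, #8, #10 and #14 to rows pasted in the TCPView format used above. It turns resolved port names such as bootpc back into numbers (UDP 68 is the DHCP client's port, bootpc; the server side is bootps, UDP 67), classifies the local address as loopback-only, all-interfaces or specific, treats PID 0 as the kernel's [System Process], and lists which PIDs hold a given local port, which is the number to select in Process Explorer. The port-name table is an assumed subset of the Windows services file, the helper names are my own, and the sample rows are copied from the dumps posted in this thread.

```python
"""Explain TCPView-style rows: resolved port names, address scope, owning PID.

Added example for this thread (not from the original posts or from Sysinternals).
Assumed input format, as in the copy/paste dumps above:
  Process PID Protocol LocalAddr LocalPort RemoteAddr RemotePort [State] [counters...]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Names TCPView substitutes for port numbers when "Resolve Addresses" is on.
# Assumed subset of the Windows 'services' file; 67/68 are the DHCP server/client ports.
PORT_NAMES = {
    "http": 80, "https": 443, "epmap": 135, "microsoft-ds": 445,
    "isakmp": 500, "ipsec-msft": 4500, "llmnr": 5355,
    "bootps": 67, "bootpc": 68,
}
PORT_NOTES = {
    67: "DHCP server port (bootps)", 68: "DHCP client port (bootpc)",
    135: "RPC endpoint mapper", 445: "SMB", 500: "IKE",
    4500: "IPsec NAT-T", 5355: "LLMNR",
}
WILDCARD = {"0.0.0.0", "[0:0:0:0:0:0:0:0]", "[::]"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "[0:0:0:0:0:0:0:1]"}

ROW = re.compile(
    r"^(?P<proc>\[System Process\]|\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCPV6|UDPV6|TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+(?P<raddr>\S+)\s+(?P<rport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?"   # UDP rows have no state, only counters
)


@dataclass
class Socket:
    process: str
    pid: int
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]   # None for the '*' of a UDP endpoint
    state: str                   # TCP state, "" for UDP


def port_number(token: str) -> Optional[int]:
    """'68' -> 68, 'bootpc' -> 68, '*' -> None."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    if token == "*":
        return None
    raise ValueError(f"unknown port token {token!r}")


def scope(local_addr: str) -> str:
    """Where a bound socket is reachable from.

    Caveat: with name resolution on, TCPView prints the machine name both for
    0.0.0.0 and for the real adapter address (compare the two dumps in this
    thread), so a hostname here is ambiguous; re-check with resolution off.
    """
    if local_addr in WILDCARD:
        return "all interfaces"
    if local_addr in LOOPBACK:
        return "loopback only"
    return "specific address or unresolved hostname"


def parse_row(line: str) -> Optional[Socket]:
    m = ROW.match(line.strip())
    if not m:
        return None   # headers, Process Explorer lines, blank lines
    return Socket(
        process=m["proc"], pid=int(m["pid"]), proto=m["proto"],
        local_addr=m["laddr"], local_port=port_number(m["lport"]),
        remote_addr=m["raddr"], remote_port=port_number(m["rport"]),
        state=m["state"] or "",
    )


def parse_dump(text: str) -> List[Socket]:
    return [s for s in (parse_row(ln) for ln in text.splitlines()) if s]


def describe(s: Socket) -> str:
    note = PORT_NOTES.get(s.local_port, "")
    if s.pid == 0:
        owner = "kernel ([System Process]); TIME_WAIT leftovers of closed connections land here"
    else:
        owner = f"{s.process} PID {s.pid}"
    state = s.state or "bound"
    text = f"{s.proto} {s.local_addr}:{s.local_port} {state} on {scope(s.local_addr)} -> {owner}"
    return text + (f"; {note}" if note else "")


def bound_to_port(sockets: List[Socket], port: int) -> List[Socket]:
    """Rows that own a local port (LISTENING TCP or a UDP endpoint): the PIDs to look up."""
    return [s for s in sockets if s.local_port == port and s.remote_port in (None, 0)]


# Constructed sample: rows copied from the dumps posted in this thread.
SAMPLE = """\
[System Process] 0 TCP 127.0.0.1 49283 127.0.0.1 21322 TIME_WAIT
svchost.exe 1004 UDP 74.73.77.175 68 * * 6 1,800
svchost.exe 980 UDP missy-hp.nyc.rr.com bootpc * *  1 300   300  1
System 4 TCP 0.0.0.0 445 0.0.0.0 0 LISTENING
lsass.exe 628 TCPV6 [0:0:0:0:0:0:0:0] 49155 [0:0:0:0:0:0:0:0] 0 LISTENING
WRSA.exe 804 TCP 127.0.0.1 27019 127.0.0.1 49173 ESTABLISHED
"""

if __name__ == "__main__":
    socks = parse_dump(SAMPLE)
    for s in socks:
        print(describe(s))
    print("PIDs holding UDP/68 (select these in Process Explorer):",
          [s.pid for s in bound_to_port(socks, 68)])
```

Run it on a dump saved from TCPView (File > Save, or a Notepad paste like the ones above) by replacing SAMPLE with the file contents; the PIDs it prints for port 68 are the ones whose Services tab in Process Explorer should show the DHCP Client service, as post #15 confirms.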

#15 reaching (Topic Starter)

Posted 02 June 2015 - 03:03 PM

Yes, there is a service that says dhcp.

Service: dhcp
Display name: dhcp client
Path: C:\windows\system32\dhcpcore.dll

Also, the process doesn't STAY on. It shows up in TCPView for a little bit, then goes away.
