mysterious open ports

Archived from groups: microsoft.public.windowsxp.security_admin

Can anyone please tell me why my system has opened all of
these UDP ports (output from MS PortReporter):
==========================================
Operating System: Windows XP
TCP/UDP Port to Process Mappings at service start-up
22 mappings found
PID:Process Port Local IP State Remote IP:Port
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
888:svchost.exe UDP 1935 127.0.0.1 *:*
888:svchost.exe UDP 1937 127.0.0.1 *:*
888:svchost.exe UDP 1938 127.0.0.1 *:*
888:svchost.exe UDP 1940 127.0.0.1 *:*
888:svchost.exe UDP 1941 127.0.0.1 *:*
888:svchost.exe UDP 1943 127.0.0.1 *:*
888:svchost.exe UDP 1944 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
944:svchost.exe UDP 1206 0.0.0.0 *:*
944:svchost.exe UDP 1617 0.0.0.0 *:*
944:svchost.exe UDP 3182 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
1500:iexplore.exe UDP 2885 127.0.0.1 *:*
1684:iexplore.exe TCP 3455 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe TCP 3456 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe UDP 3312 127.0.0.1 *:*
=======================

I only have these applications running: IE and Outlook Express.
I deactivated NetBIOS over TCP/IP to minimize attack surfaces, and all my
anti-spyware, anti-trojan, and other
security ware say my system is clean, so I'm puzzled by all these open
ports.
Please help.
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Please try another tool...

    1) Download the following two items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download SYSCLEAN.COM and place it in that directory.
    Download the Trend Pattern File by obtaining the ZIP file.
    For example; lpt351.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    SYSCLEAN.COM .

    2) Disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    3) Reboot your PC into Safe Mode then shutdown as many applications as possible.
    4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
    clean/delete any infectors found
    5) Restart your PC and perform a "final" Full Scan of your platform
    6) Re-enable System Restore and re-apply any System Restore preferences,
    (e.g. HD space to use suggested 400 ~ 600MB),
    7) Reboot your PC.
    8) Create a new Restore point

    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    You had the Java/ByteVerify Exploit Trojan.

    JAVA is JAVA and the Sun Java was infected. I have seen this before, nothing new (to me at
    least)

    Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-72615c50-5f72dbb6.class
    Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4f7a6e50-5a280a80.class
    Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-36d0366-38625aff.class
    Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-607cb935.zip,(Installe
    r.class)
    Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5d0f29c3.zip,(Parse
    r.class)

    Often the .CLASS files are in ZIP files in the Java JAR or .CLASS files in the FILE cache so
    it is a good idea to go to the Java Control Panel applet and select the "clear the cache"
    function.

    On another note, NETSTAT is a good Command Line utility but it is a static view, basically a
    momentary snapshot. A better tool is a GUI called TCPView.exe --
    http://www.sysinternals.com/ it will display the active changes in UDP and TCP and will
    show the executable opening the port.

    Thanx for posting the SYSCLEAN.LOG file !

    --
    Dave


    "TomH" <th54@hotmail.com> wrote in message news:zh2Hd.107332$6l.60758@pd7tw2no...
    | David, I did all of that. The summary says nothing found, but in the
    | logfiles it seems to describe the removal of a java virus. But this virus
    | is supposed to infect the MS java VM, which I don't have. I have the Sun
    | Java implementation.
    | Also there seems to have been a lot of problems accessing files, "Access
    | denied", but the account under which I ran this has full admin privs, so it
    | seems inconsistent. In any case, I have attached the sysclean.log text file
    | (and that text file only) for you to look at. Please let me know what your
    | opinion is.
    | Thank you for your useful help.
    |
    |
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    Dave, thanks again.
    Are you sure? Why did that av app not list that in the "viruses found"
    category?
    I don't use Java for anything other than a cute little applet in a webpage
    that calculates and displays the current position of the ISS, so I took it
    right out.
    Any idea why all my other av apps missed it? And, any idea what this one
    does as a payload? or is it under complete control of its maker?

    Thanks again
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    Dave

    I checked out the tools at SysInternals that you suggested --- I'm
    impressed. ProcessExplorer is the killer --- all the inter-dependencies and
    relationships between threads, processes, applications and services
    displayed in one place instead of four or five different utilities is very
    useful.
    Having seen all the inter-dependencies now, I'm inclined to agree that those
    ports are legit --- I can see what's what now with that tool, and yes, they
    are just little system processes that have the ports open to do things like
    manage DCOM, remote proc calls, network time protocol, and stuff like that.
    Thx.

    Regards, Tom


    --------------------------------------------------------------------------------------------------------------------------------------
    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:OrqqQQY$EHA.3376@TK2MSFTNGP12.phx.gbl...
    TomH:

    Yes, I am sure...

    I have no idea why the others miss the Java/ByteVerify. Maybe it is out of
    date, maybe it
    isn't scanning archive files, maybe the AV software was shutdown when it
    was infected. I
    don't know.
    But is the following patch on your PC --
    http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

    Information below...
    Exploit-ByteVerify -- http://vil.nai.com/vil/content/v_100261.htm

    Finally I have attached a McAfee Scan Report log file in HTML format showing
    a similar
    infection.

    --
    Dave
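Tom's conclusion above (the sockets bound to 0.0.0.0 belong to RPC/DCOM, SMB and the Windows Time service, while the 127.0.0.1 ones are loopback-only) and Dave's earlier point that NETSTAT is a static snapshot can both be turned into a small triage routine. The following is an added example written for this page, not code from the thread or from Microsoft's Port Reporter: it parses the report rows quoted in the first post, classifies each socket by who can reach it, labels the well-known ports, and diffs two snapshots to show what opened in between. The second snapshot's extra row (`example.exe` on port 5555) is constructed for the demonstration and is not from the thread.

```python
"""Triage of a Port Reporter style port-to-process table.

Added example for this thread, not part of any post or of Microsoft's
Port Reporter tool. The sample rows are copied from TomH's report above;
the service labels are the standard assignments for those ports.
"""
import re
from dataclasses import dataclass

# Sample input: rows taken from the Port Reporter output quoted in the thread.
PORT_REPORT = """\
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
1500:iexplore.exe UDP 2885 127.0.0.1 *:*
"""

# Constructed second snapshot: the same rows plus one new listener, to show
# what a snapshot diff surfaces. "example.exe" and port 5555 are made up.
LATER_REPORT = PORT_REPORT + "1700:example.exe TCP 5555 0.0.0.0 LISTENING 0.0.0.0\n"

# Well-known assignments for the ports Tom's report shows (not a full list).
WELL_KNOWN = {
    ("TCP", 135): "RPC/DCOM endpoint mapper",
    ("TCP", 445): "SMB over TCP (microsoft-ds)",
    ("UDP", 445): "SMB over UDP (microsoft-ds)",
    ("UDP", 123): "NTP (Windows Time service)",
}

LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Socket:
    pid: int
    process: str
    proto: str
    port: int
    local_ip: str
    state: str    # TCP state such as LISTENING or CLOSE WAIT; "" for UDP
    remote: str   # remote IP:port, or *:* for an unconnected UDP socket


def parse_report(text):
    """Parse the 'PID:Process Proto Port Local IP [State] Remote' rows."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators and blank lines
        rest = m.group("rest").split()
        remote = rest[-1]
        state = " ".join(rest[:-1])  # empty for UDP, may be two words for TCP
        sockets.append(Socket(int(m.group("pid")), m.group("proc"),
                              m.group("proto"), int(m.group("port")),
                              m.group("local"), state, remote))
    return sockets


def exposure(sock):
    """Who can reach this socket, judged from bind address and state alone."""
    if sock.proto == "TCP" and sock.state != "LISTENING":
        return "client connection"   # outbound or half-closed, not a listener
    if sock.local_ip.startswith("127."):
        return "loopback only"       # unreachable from the network
    if sock.local_ip == "0.0.0.0":
        return "all interfaces"
    return "one interface"


def triage(sockets):
    """One row per socket with its exposure and a service label."""
    return [{"pid": s.pid, "process": s.process, "proto": s.proto,
             "port": s.port, "exposure": exposure(s),
             "service": WELL_KNOWN.get((s.proto, s.port), "unknown/ephemeral")}
            for s in sockets]


def network_reachable(sockets):
    """The sockets a remote host could actually talk to; explain these first."""
    return [s for s in sockets if exposure(s) in ("all interfaces", "one interface")]


def diff_snapshots(before, after):
    """A port table is a snapshot; diffing two shows what opened or closed."""
    key = lambda s: (s.proto, s.port, s.local_ip)
    return (sorted(set(after) - set(before), key=key),
            sorted(set(before) - set(after), key=key))


if __name__ == "__main__":
    now = parse_report(PORT_REPORT)
    for row in triage(now):
        print("{pid:>5} {process:<14} {proto} {port:<5} {exposure:<17} {service}".format(**row))
    opened, closed = diff_snapshots(now, parse_report(LATER_REPORT))
    print("newly opened:", [(s.process, s.proto, s.port) for s in opened])
    print("closed:", [(s.process, s.proto, s.port) for s in closed])
```

On Tom's rows this leaves five network-reachable sockets to account for (445/TCP, 445/UDP, 135/TCP, 123/UDP on the external address and the 1044/UDP svchost port), three loopback-only sockets that no remote host can reach, and one half-closed browser connection that is not a listener at all. Only the 1044 port lacks a well-known label, which is the one worth tracing back to its svchost service group with Process Explorer.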
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    You're welcome Tom !

    Anytime.

    --
    Dave