
mysterious open ports

January 18, 2005 2:10:19 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Can anyone please tell me why my system has opened all of
these UDP ports (output from MS PortReporter):
==========================================
Operating System: Windows XP
TCP/UDP Port to Process Mappings at service start-up
22 mappings found
PID:Process Port Local IP State Remote IP:Port
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
888:svchost.exe UDP 1935 127.0.0.1 *:*
888:svchost.exe UDP 1937 127.0.0.1 *:*
888:svchost.exe UDP 1938 127.0.0.1 *:*
888:svchost.exe UDP 1940 127.0.0.1 *:*
888:svchost.exe UDP 1941 127.0.0.1 *:*
888:svchost.exe UDP 1943 127.0.0.1 *:*
888:svchost.exe UDP 1944 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
944:svchost.exe UDP 1206 0.0.0.0 *:*
944:svchost.exe UDP 1617 0.0.0.0 *:*
944:svchost.exe UDP 3182 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
1500:iexplore.exe UDP 2885 127.0.0.1 *:*
1684:iexplore.exe TCP 3455 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe TCP 3456 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe UDP 3312 127.0.0.1 *:*
=======================

I only have these applications running: IE and Outlook Express.
I deactivated NetBIOS over TCP/IP to minimize attack surfaces, and all my
anti-spyware, anti-trojan, and other security ware say my system is clean,
so I'm puzzled by all these open ports.
Please help.


Anonymous
January 18, 2005 2:10:20 AM


Please try another tool...

1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt351.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore...
3) Reboot your PC into Safe Mode, then shut down as many applications as possible.
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found.
5) Restart your PC and perform a "final" Full Scan of your platform.
6) Re-enable System Restore and re-apply any System Restore preferences
(e.g., HD space to use; suggested 400 ~ 600MB).
7) Reboot your PC.
8) Create a new Restore point.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html




Anonymous
January 18, 2005 12:21:12 PM


You had the Java/ByteVerify Exploit Trojan.

JAVA is JAVA, and the Sun Java was infected. I have seen this before; nothing new (to me at
least).

Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-72615c50-5f72dbb6.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4f7a6e50-5a280a80.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-36d0366-38625aff.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-607cb935.zip,(Installer.class)
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5d0f29c3.zip,(Parser.class)

Often the .CLASS files are in ZIP files in the Java JAR cache, or are .CLASS files in the FILE cache, so
it is a good idea to go to the Java Control Panel applet and select the "clear the cache"
function.

On another note, NETSTAT is a good command-line utility, but it is a static view, basically a
momentary snapshot. A better tool is a GUI called TCPView.exe (http://www.sysinternals.com/);
it will display the active changes in UDP and TCP and will show the executable opening the port.

Thanx for posting the SYSCLEAN.LOG file !

--
Dave




"TomH" <th54@hotmail.com> wrote in message news:zh2Hd.107332$6l.60758@pd7tw2no...
| David, I did all of that. The summary says nothing found, but in the
| logfiles it seems to describe the removal of a java virus. But this virus
| is supposed to infect the MS java VM, which I don't have. I have the Sun
| Java implementation.
| Also there seems to have been a lot of problems accessing files, "Access
| denied", but the account under which I ran this has full admin privs, so it
| seems inconsistent. In any case, I have attached the sysclean.log text file
| (and that text file only) for you to look at. Please let me know what your
| opinion is.
| Thank you for your useful help.
January 18, 2005 8:06:57 PM


Dave, thanks again.
Are you sure? Why did that AV app not list that in the "viruses found"
category?
I don't use Java for anything other than a cute little applet in a web page
that calculates and displays the current position of the ISS, so I took it
right out.
Any idea why all my other AV apps missed it? And any idea what this one
does as a payload? Or is it under complete control of its maker?

Thanks again

January 19, 2005 2:15:11 AM


Dave

I checked out the tools at SysInternals that you suggested --- I'm
impressed. Process Explorer is the killer --- all the inter-dependencies and
relationships between threads, processes, applications and services
displayed in one place instead of four or five different utilities is very
useful.
Having seen all the inter-dependencies now, I'm inclined to agree that those
ports are legit --- I can see what's what now with that tool, and yes, they
are just little system processes that have the ports open to do things like
manage DCOM, remote procedure calls, Network Time Protocol, and stuff like that.
Thx.

Regards, Tom
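Tom's closing read of the listing (system processes holding ports for DCOM, RPC and NTP) is the triage a defender does on any such output: set aside outbound connections, match well-known ports against their usual owners, and look hard at whatever is left. The Python below is an added example, not code from any post in the thread; it runs that triage over a subset of the posted lines, its expected-owner table (System on 445, svchost.exe on 135 and 123) is my own summary of the usual Windows XP owners, and a REVIEW verdict means "identify the hosting service in TCPView / Process Explorer", not "infected".

```python
"""Triage a PortReporter port-to-process listing (the format posted in this thread).
Added example: classifies each socket by network exposure and by whether the owning
image is the one Windows XP normally uses on that port; everything else is REVIEW."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the mapping lines from the listing in the thread.
SAMPLE = """\
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
"""

# (protocol, port) -> (expected owning image, service); the usual Windows XP listeners.
EXPECTED = {
    ("TCP", 445): ("System", "SMB / Microsoft-DS"),
    ("UDP", 445): ("System", "SMB / Microsoft-DS"),
    ("TCP", 135): ("svchost.exe", "RPC endpoint mapper / DCOM"),
    ("UDP", 123): ("svchost.exe", "NTP (Windows Time)"),
}

# PID:image PROTO PORT LOCAL-IP <rest>; <rest> is "<STATE> <remote>" for TCP, "*:*" for UDP.
LINE_RE = re.compile(r"^(\d+):(\S+)\s+(TCP|UDP)\s+(\d+)\s+(\d+(?:\.\d+){3})\s+(.*)$")


@dataclass
class Finding:
    pid: int
    process: str
    proto: str
    port: int
    local_ip: str
    state: Optional[str]  # TCP state such as "LISTENING" or "CLOSE WAIT"; None for UDP
    exposure: str         # "loopback", "all interfaces" or "one interface"
    verdict: str


def exposure_of(ip: str) -> str:
    """Loopback sockets are unreachable from the network; 0.0.0.0 binds every interface."""
    return "loopback" if ip.startswith("127.") else "all interfaces" if ip == "0.0.0.0" else "one interface"


def classify(process: str, proto: str, port: int, state: Optional[str], exposure: str) -> str:
    # A TCP socket that is not LISTENING is a client-side connection (here the browser), not a service.
    if proto == "TCP" and state != "LISTENING":
        return f"outbound connection ({state})"
    known = EXPECTED.get((proto, port))
    if known:
        owner, service = known
        if process.lower() == owner.lower():
            return f"expected: {service}"
        return f"REVIEW: port normally owned by {owner} ({service}), not {process}"
    if port >= 1024 and exposure == "loopback":
        return "local ephemeral socket (low concern)"
    return "REVIEW: unexpected port; confirm the hosting service in TCPView / Process Explorer"


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, separator or blank line
    pid, process, proto, port, local_ip, rest = m.groups()
    state = None
    if proto == "TCP":
        parts = rest.rsplit(None, 1)  # the state itself may contain a space ("CLOSE WAIT")
        state = parts[0] if len(parts) == 2 else rest
    exp = exposure_of(local_ip)
    verdict = classify(process, proto, int(port), state, exp)
    return Finding(int(pid), process, proto, int(port), local_ip, state, exp, verdict)


def triage(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.pid:>5} {f.process:<13} {f.proto} {f.port:<5} {f.exposure:<14} {f.verdict}")
```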



--------------------------------------------------------------------------------------------------------------------------------------
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:orqqQQY$EHA.3376@TK2MSFTNGP12.phx.gbl...
TomH:

Yes, I am sure...

I have no idea why the others miss the Java/ByteVerify. Maybe it is out of
date, maybe it isn't scanning archive files, maybe the AV software was shut down when it
was infected. I don't know.
But is the following patch on your PC?
http://www.microsoft.com/technet/security/bulletin/MS03...

Information below...
Exploit-ByteVerify -- http://vil.nai.com/vil/content/v_100261.htm

Finally, I have attached a McAfee Scan Report log file in HTML format showing
a similar infection.

--
Dave




Anonymous
January 19, 2005 2:15:12 AM


You're welcome Tom !

Anytime.

--
Dave



