#1
Can anybody tell me why IEXPLORE.EXE keeps localhost: 3 open - it shows up in Norton Personal Firewall under statistics, network connections.

#2
By the way, it is UDP.

#3
Just wondering why iexplore.exe stays resident at all! It stays resident after closing the program, listening on connection localhost: 3.

#4
This iexplorer.exe TSR is keeping my localhost inbound constantly receiving data; nothing is showing in the outbound localhost!

#5
Hi jump,
Please go to our downloads-section: http://www.wilders.org/downloads.htm and download startuplist.zip. Unzip and run the program and copy and paste the results in your next post. If there is anything in there you don't want the world to know about, you're welcome to mail or IM it to me.
Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. Remove & Prevent spyware. It's human to make mistakes. It's even more so to blame the computer for it.

#6
I ran it with all windows of iexplore.exe closed - should IE normally remain running in the process list?
Here is the output of the program.

StartupList report, 19/11/2002, 22:31:13
StartupList version: 1.35.0
Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\StartupList.EXE
Detected: Windows 2000 SP1 (WinNT 5.00.2195)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\PDesk.exe
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\POPROXY.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Big Pond Advance\BIGPOND.EXE
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton Personal Firewall\iamstats.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\WINNT\System32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
A4Proxy.lnk = C:\Program Files\A4Proxy\A4Proxy.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
Shortcut to BIGPOND.EXE.lnk = C:\Program Files\Big Pond Advance\BIGPOND.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
Matrox Powerdesk = C:\WINNT\System32\PDesk.exe /Autolaunch
UpdReg = C:\WINNT\Updreg.exe
Creative Launcher = C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
AudioHQ = C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
ElbyCheckElbyCDFL = "C:\Program Files\Elaborate Bytes\NEWCloneCD\ElbyCheck.exe" /L ElbyCDFL
comsocks = C:\PROGRA~1\LinkByte\ComSocks\ComSocks.exe
NPS Event Checker = C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
NAV DefAlert = C:\PROGRA~1\NORTON~1\NORTON~3\defalert.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
Norton eMail Protect = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\POPROXY.EXE
iamapp = "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
QuickTime Task = C:\WINNT\System32\qttask.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
FinePrint Dispatcher v4 = C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
NeroCheck = C:\WINNT\System32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
Attune Download = C:\PROGRA~1\Aveo\Attune\Updater1\Attunel.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINNT\System32\amcis.dll - {EBBFE27C-BDF0-11D2-BBE5-00609419F467}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[TDServer Control]
InProcServer32 = C:\WINNT\DOWNLO~1\tdserver.ocx
CODEBASE = http://www.evermore.com/wfplayer/tdserver.cab

[Pco3 Window (Commsec) Control]
InProcServer32 = C:\WINNT\DOWNLO~1\PCO3X_~1.OCX
CODEBASE = http://images.commsec.com.au/downloads/pco3/Pco3X_Commsec.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[MIT Stand Alone Player]
InProcServer32 = C:\WINNT\Downloaded Program Files\mitm0014.dll
CODEBASE = file://F:\Webfiles\Simulations\standalone\common1.2\mitm0014.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[LRNPrint Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\lrniehlp.ocx
CODEBASE = file://F:\Webfiles\LRN Viewer\HTML\lrniehlp.cab

[GSDACtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.5997106481

[IntraLaunch.MainControl]
InProcServer32 = C:\WINNT\Downloaded Program Files\INTRALAUNCH.OCX
CODEBASE = file://F:\SuperCD\IntraLaunch.CAB

[National Internet Banking Images]
InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
CODEBASE = http://national.com.au/rib/afs/v3002/cabinet/images.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate.microsoft.com/R945/V31Controls/x86/nt5/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[National Internet Banking Custom]
InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
CODEBASE = http://national.com.au/rib/afs/v3002/cabinet/NABcustom.cab

--------------------------------------------------
End of report, 9,739 bytes
Report generated in 0.200 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#7
You might want to disable Attunel.exe. It is not required and considered Adware.
In your BHO's this entry C:\WINNT\System32\amcis.dll - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} is made by Aureate.
Now go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there. Right-click each one in turn, choose 'properties', and check the Version tab. If the company is anyone else but Macromedia, Apple, or Microsoft, right-click the file, and choose 'remove'.
You might also want to go to our downloads-section: http://www.wilders.org/downloads.htm and download spybotsd11.zip. Unzip and install Spybot S&D, make sure to update before running. It cleans your system of all known spy-ware. In case I missed anything.
If this does not stop IE from displaying the behavior you reported, there are some more possibilities: I'm not sure about this, but a logical explanation could be the A4 proxy, which has to stay in contact to see if you're being "contacted". Other possible candidates that could keep IExplore alive are Bigpond and comsocks. You could test this by stopping these programs in Task-manager.
Regards, Pieter

#8
Quote:
Hi, You should have a close look here: http://www.blkviper.com/WIN2K/servicecfg.htm and disable useless services. Rgds, JacK
__________________
JacK http://www.optimix.be.tf http://www.websecurite.org

#9
Thank you so much - this site is great - lots of good info on the other threads in this forum - you all helped so much. The anti-spyware prog picked up and removed quite a few.

Some background to why I found this site. This has all been because someone broke into my computer over the cable two nights ago and added a new user account which I had not put there! This has all been housecleaning since then. They also put an old log on my firewall dated back to 15th Nov. Also when I woke up in the morning the computer had switched itself off - nobody at home did that, so I started checking my Event Logs - the event logs showed that my firewall reported it was in an invalid state - it still gave block/permission request alerts - i.e. partly worked, but in the actual Firewall user interface it was not turned on!

---------

It appears the localhost port 3 was receiving but there was no localhost sending - if anyone can explain this I would most appreciate it.

Please note: before my original post here I had already uninstalled comsocks. And now that I reinstalled comsocks, which is a program from www.linkbyte.com, there is a new localhost port sending and a new one receiving. NOW! only very little data appears to be received by localhost :3. This port is opened by Internet Explorer - and was not considered unusual according to the programs you suggested were run.

Something else... please help with this. It appears that because I blocked aim1.adsoftware.com through to aim5.adsoftware.com, it slows IExplorer: a 10 second pause immediately after starting where it does nothing for 10 secs or so. This pause does not occur with Netscape. Why does it take so long for IE to get going, what is aim1.adsoftware.com, and why do the browsers (both IE and Netscape) want to contact it the first time they are run?

Once again - thank you for all your help!

#10
Oh, forgot to mention that this morning 3 entries at the same time showed up in my firewall log as follows. Could this be someone trying to log on with the user account they set up called administrator? By the way my default administrator account had a different name.

Date: 11/21/2002
Time: 9:30:51
Unused port blocking has blocked communications.
Details: Inbound TCP connection
Remote address,local service is (66.157.164.74,microsoft-ds)

#11
Well, not exactly the same time - these times:
9:30:48
9:30:51
9:30:57

#12
Hi jump,
Glad we could be of service. A small part of my hosts file:

127.0.0.1 aim.adsoftware.com #
127.0.0.1 aim.aureate.com #
127.0.0.1 aim1.adsoftware.com #
127.0.0.1 aim1.aureate.com #
127.0.0.1 aim2.adsoftware.com #
127.0.0.1 aim2.aureate.com #
127.0.0.1 aim3.adsoftware.com #
127.0.0.1 aim3.aureate.com #
127.0.0.1 aim4.adsoftware.com #
127.0.0.1 aim4.aureate.com #
127.0.0.1 aim5.adsoftware.com #
127.0.0.1 aim5.aureate.com #
127.0.0.1 aim6.adsoftware.com #

I don't know if you already have a hosts file, but it's a very powerful and useful tool which I think is best explained here: http://accs-net.com/hosts/how_to_use_hosts.html
Regards, Pieter
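A hosts file only sinks a name if the line is well formed and the name is actually listed, and jump's own list stopped at aim5 while Pieter's goes on to aim6. As an added example (not code from this thread or from any of the products named in it), the Python below parses a hosts file the way the resolver reads it: '#' starts a comment, one address per line followed by one or more names, first mapping for a name wins. It then reports which of a wanted set of ad hostnames are not pointed at a sinkhole address. The sample file is constructed for the example: Pieter's fragment plus a deliberately malformed line and a duplicate, so the error handling is exercised. Nothing here is tied to a real library beyond the standard `ipaddress` module.

```python
"""Parse a Windows-style hosts file and check that a list of ad/tracking
hostnames is sunk to the loopback address (added example, constructed input)."""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the fragment posted in the thread, plus one malformed
# line (line 9) and one duplicate (line 8) so the parser's handling shows.
SAMPLE_HOSTS = """\
# hosts file fragment (constructed for this example)
127.0.0.1 localhost
127.0.0.1 aim.adsoftware.com #
127.0.0.1 aim.aureate.com #
127.0.0.1 aim1.adsoftware.com #
127.0.0.1 aim1.aureate.com #
127.0.0.1 aim2.adsoftware.com # duplicate below on purpose
127.0.0.1 aim2.adsoftware.com #
not-an-address aim3.adsoftware.com
127.0.0.1 aim4.adsoftware.com aim4.aureate.com
"""

# Addresses that make a name resolve to nowhere useful.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({hostname: address}, [problem descriptions]).

    Follows the hosts file format: '#' starts a comment, one address per
    line followed by one or more hostnames, whitespace separated. The first
    mapping for a name wins, which is also how the resolver treats it.
    """
    mapping: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {lineno}: no hostname after address")
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)          # reject non-address tokens
        except ValueError:
            problems.append(f"line {lineno}: {addr!r} is not an IP address")
            continue
        for name in names:
            name = name.lower()                 # hostnames are case-insensitive
            if name in mapping:
                problems.append(f"line {lineno}: duplicate entry for {name}")
                continue
            mapping[name] = addr
    return mapping, problems


def unblocked(mapping: Dict[str, str], wanted: List[str]) -> List[str]:
    """Names from `wanted` that are missing or not pointed at a sinkhole."""
    return [n for n in wanted if mapping.get(n.lower()) not in SINKHOLE_ADDRS]


if __name__ == "__main__":
    mapped, probs = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(mapped)} names mapped")
    for p in probs:
        print("problem:", p)
    want = [f"aim{i}.adsoftware.com" for i in range(1, 7)]
    print("still reachable:", unblocked(mapped, want))
```

Run against the constructed sample it maps 8 names, reports the duplicate and the bad address, and lists aim3, aim5 and aim6 as still reachable: aim3 because its line was malformed, the other two because they were never added. Point a real hosts file at `parse_hosts` to get the same check on the live system.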

#13
I also wish to advise that this all appears to have occurred because I opened windows from an Outlook email and then left IE and Outlook open all night.
Also clicked on a Yahoo web site HP advertisement from within IE and left that open all night too. Lesson learnt: never leave unnecessary internet-accessing software open - in particular the IE browser or Outlook running unattended. I advise reading the topic "New IE exploit (from NS Clean)" thread posted by John2g - and following the protective advice.

#14
hi jump,
Quote:
Since you do have a firewall installed (which one?), I wonder how this could have been done - apart from the fact your system has been infected with some malware server. Do you have a good updated antivirus and antitrojan installed, and perform a full deep scan?
Quote:
Nevertheless, I would recommend changing all passwords. Chances are, these are well known by now and could be abused.
Quote:
Another reason to perform a full deep system scan with an updated antitrojan and antivirus.
regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100

#15
To Forum Admin
All incorrect accounts were deleted and then all passwords were changed immediately after I discovered the event log and altered firewall log, which was 5 minutes after turning the computer on that morning, and the rest of the scanning tools followed through from this forum. In answer to your first question - it is Norton Personal Firewall 2001. Strange how it has a third status on the button where it asks you to activate it, not just Enabled and Disabled. Even stranger how it still seems to request manual block/permission decisions, when if you open the Firewall GUI, it is asking you to activate it.

#16
Forum Admin
Please note also the post just before yours.

#17
I'm going to become a member so I can have the ability to edit my posts.

#18
We strongly encourage you to register !!!
LOL Pieter

#19
jump,
Quote:
"Paul" will do.
Quote:
Good call!
Quote:
Good. Question stays up: do you have a good and updated antitrojan and antivirus installed, and performed a full system scan?
Quote:
Thanks for the info. I'll leave further comments and questions up to our knowledgeable moderators. regards. paul

#20
Thanks Paul
I use Norton Antivirus and Personal Firewall 2001 updated daily; and --> have now done:
· full update and scan done with Trojan Hunter and Spybot Search and Destroy;
· deleted suspicious ActiveX controls in Internet Explorer;
· changed security zone to 'restricted sites' for Outlook and Outlook Express;
· reinstalled comsocks;
· reconsidered services config - btw server service was not listed in services;
· will also look at setting local security policy settings and alerts in Win 2000; and,
· currently looking at hosts file.
Now am very interested in security.

#21
Hi jump,
Glad to hear we have another interested member. We're looking forward to your contributions. What's still missing is an AV scan; if you don't have one installed at the moment, try an on-line scan: http://www.wilders.org/free_services.htm (Panda or Trend/Housecall)
Regards, Pieter

#22
Hi Jump
In regards to your original question, it is normal for IE to use a localhost (loopback) connection for UDP. You mention "3", is this the port it shows as listening on? It has been my experience that it will usually use ports in the range of 1024-5000 for this. You also mention this ComSocks (ComTun) program. What is your purpose for running this program?
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier

#23
Quote:
It is normal to see those types of scans show up in the logs. If you wanted to get more out of the information in your NIS logs, take a look at Log Viewer: http://home.debitel.net/user/svenschaef/logview/ It will allow you to analyze your logs if you suspect a problem or a particular repeat remote IP, and much more.

#24
Thanks Pieter
- fully updated Norton Antivirus scan was done too.
CrazyM, well it shows up in the NPfirewall statistics as UDP connection localhost: 3 under 'network connections'. winword also seems to open localhost: 3 at the same time. ...at least when I close IExplorer.exe it closes the program properly now and the port closes along with it.
Here is a printout of netstat -a command output; localhost:3 doesn't seem to show up on this.

C:\>netstat -a

Active Connections

  Proto  Local Address                Foreign Address        State
  TCP    crystal-ice379:http          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:epmap         crystal-ice379:0       LISTENING
  TCP    crystal-ice379:microsoft-ds  crystal-ice379:0       LISTENING
  TCP    crystal-ice379:1026          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:1027          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:5055          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:pop3          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:56501         crystal-ice379:0       LISTENING
  TCP    crystal-ice379:smtp          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:pop3          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:1080          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:8080          crystal-ice379:0       LISTENING
  UDP    crystal-ice379:epmap         *:*
  UDP    crystal-ice379:microsoft-ds  *:*
  UDP    crystal-ice379:1025          *:*
  UDP    crystal-ice379:1028          *:*
  UDP    crystal-ice379:1033          *:*
  UDP    crystal-ice379:1645          *:*
  UDP    crystal-ice379:1646          *:*
  UDP    crystal-ice379:radius        *:*
  UDP    crystal-ice379:radacct       *:*
  UDP    crystal-ice379:1029          *:*
  UDP    crystal-ice379:1030          *:*
  UDP    crystal-ice379:1774          *:*
  UDP    crystal-ice379:1808          *:*
  UDP    crystal-ice379:isakmp        *:*
  UDP    crystal-ice379:isakmp        *:*
  UDP    crystal-ice379:domain        *:*
  UDP    crystal-ice379:isakmp        *:*

----
Using Comsocks (comtun) to provide proxy/NAT on a small network. Will have a look at the logview page you suggested soon.
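The useful check at this point is exactly the one jump did by eye: take the endpoint the firewall reports (UDP, port 3, loopback), see whether `netstat -a` shows any socket on it, and separately list the bound ports that are neither a named service nor in the 1024-5000 range CrazyM gives for IE's loopback socket. As an added example (not code from this thread, from Symantec, or from any tool named here), the Python below parses the Windows-style `netstat -a` layout and answers both questions. The `SERVICE_PORTS` table holds the standard IANA numbers for the service names netstat printed without `-n`; the sample is a cut-down copy of jump's posted output, labelled as constructed.

```python
"""Parse `netstat -a` output (Windows 2000 layout) and look for the endpoint a
firewall reported, such as the 'localhost: 3' UDP entry in this thread
(added example; constructed input)."""
from __future__ import annotations

from typing import Dict, List, Optional

# netstat without -n prints service names from the services file; these are
# the standard IANA assignments for the names seen in the posted output.
SERVICE_PORTS: Dict[str, int] = {
    "http": 80, "epmap": 135, "microsoft-ds": 445, "pop3": 110, "smtp": 25,
    "domain": 53, "isakmp": 500, "radius": 1812, "radacct": 1813,
}

# Ephemeral range cited in the thread for IE's loopback socket (1024-5000).
EPHEMERAL = range(1024, 5001)

# Constructed sample: a cut-down copy of the netstat -a output jump posted.
SAMPLE = """\
Active Connections

  Proto  Local Address                Foreign Address        State
  TCP    crystal-ice379:http          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:microsoft-ds  crystal-ice379:0       LISTENING
  TCP    crystal-ice379:1026          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:1080          crystal-ice379:0       LISTENING
  TCP    crystal-ice379:8080          crystal-ice379:0       LISTENING
  UDP    crystal-ice379:epmap         *:*
  UDP    crystal-ice379:1025          *:*
  UDP    crystal-ice379:1774          *:*
  UDP    crystal-ice379:isakmp        *:*
  UDP    crystal-ice379:domain        *:*
"""


def port_number(token: str) -> Optional[int]:
    """Turn 'http' or '1026' into an int; None if the service name is unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket line: proto, host, port, port_name, foreign, state."""
    rows: List[dict] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and blank lines.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        host, _, port_tok = fields[1].rpartition(":")   # split on the last ':'
        rows.append({
            "proto": fields[0],
            "host": host,
            "port": port_number(port_tok),
            "port_name": port_tok,
            "foreign": fields[2],
            "state": fields[3] if len(fields) > 3 else "",
        })
    return rows


def has_endpoint(rows: List[dict], proto: str, port: int) -> bool:
    """True if netstat shows a socket bound to `port` for `proto`."""
    return any(r["proto"] == proto and r["port"] == port for r in rows)


def unexpected_ports(rows: List[dict]) -> List[int]:
    """Numeric (not service-named) ports outside the 1024-5000 range: neither a
    well-known service nor an ordinary ephemeral socket, so worth identifying."""
    return sorted({r["port"] for r in rows
                   if r["port_name"].isdigit() and r["port"] not in EPHEMERAL})


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE)
    print(f"{len(sockets)} sockets parsed")
    print("UDP port 3 bound:", has_endpoint(sockets, "UDP", 3))
    print("ports to identify:", unexpected_ports(sockets))
```

On the sample this confirms what jump saw (no UDP socket on port 3) and singles out TCP 8080 as the one bound port that is neither a named service nor in the ephemeral range; with the full output posted above, 5055 and 56501 would join that list. Any entry the firewall reports that netstat cannot show is the thing to chase, since the two tools are looking at the same socket table.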

#25
Jump
To clarify what you are seeing under View Statistics > Network Connections... the IE UDP connection on localhost should be similar to this. The localhost: xxxx number will vary and usually be in the 1024-5000 range. As for comsocks/comtun, do you require the proxy features? Have you considered just using ICS and NIS on the systems in the LAN?