I am new to PE and when reading the documentation I practiced some commands. Utility Lookup (Services to Port / search for: MSN) gave the following:

--Port 1863-- MSN Messenger - MSN Messenger Application
--Port 16999-- RAT: MSN Log Thief
--Port 60101-- RAT: MSN Log Thief

I am concerned about the RAT lines. Does it mean that my system has a RAT? I made a check with PestPatrol, which is supposed to detect this RAT, but nothing was found. How do I proceed ... Appreciate any help. Regards /Zkab
Hmm, very interesting! MSN Log Thief is a Spanish-born (I think) stealer trojan.. or was it from Brazil.. Anyway, please post your results by clicking File > Save Table. At least show the part which shows what process is using those ports. For safety you might want to kill the process if you aren't sure what it is, then email me a copy. Since I'm at home, use gavindcs@iinet.net.au to send it, but please CC it to submit@diamondcs.com.au as well. And then, after killing it, change your password. Don't reboot or it will run again; we can easily remove its startup entry if there is one with ASViewer. It would also be a good idea to email me a log from it when you do: http://www.diamondcs.com.au/index.php?page=asviewer
Hi, I read your post and checked, and I had exactly the same thing. I formatted (wiping all information off the computer, although I've found that WipeDrive or other products like it are the only things that can get rid of a tough trojan, that is, one that is hidden in memory, for example, as it runs after you reboot), then checked again and it was gone, although it showed those same ports would be used if Messenger were activated. I then downloaded Messenger, checked, and the log thief was showing. Therefore this is a Microsoft program. Best, Grant
No need to reformat your system at all. First look at what PE is showing: is it the local port or the remote port, which application is connected to it on your system, is there traffic? Look with the Socket Spy into those packets if there is traffic going on; you can disable all sending/receiving or kill the socket or process responsible for it. Look into the application used and scan it extra with every tool you have; if the file is less than 1 MB you can even get a second online opinion at www.avp.ru > click on top for the English site version, and at the bottom use the online virus check. In the meantime send a zipped copy to the address Gavin mentioned for deeper advice. Only if Gavin would say there is not any hope for your system and other destructive occurrences are there would it be time to go back to a former restore point or drive image. Hope this helps; in case of panic, first read the forum and/or the help file. BTW: the PE Utilities > LookUp > Service to Ports tells you what is possible; it is not telling you that you have that stuff on your system. You can look up any port, IP, country, domain; if you look for domain to country on msn.com you will get US.
No one should be confused or worried about this, especially Gavin. Port-to-Service is just a reference; a simple table lookup. From the help file: "The Lookup utility is a simple database search engine that allows you to perform five (5) different search types". It searches a database (specifically, DAT files in the Port Explorer installation directory), not what is running on your system. That is, the "Port to Service" facility doesn't tell you what is running on your system; it merely tells you what processes use the port you entered, whether or not those processes exist on your system. For example, when I go to Utilities > Lookup > Port to Service and enter 23, I get this back: Does this mean that I have Telnet Protocol (RFC 854), WinGate, RAT: Fire HacKer, Tiny Telnet Server - TTS, Truva Atl, RTB666, TelnetPro 1.0, Swarm, Baron Night, AlphaDog, MMX, Net Coach, PEST, Manipulator Lite, and Mind Control all running on my system, on port 23? No! It just means that those processes exist, in general, and are known to use port 23. It's the same with port 16999.
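The distinction the replies above draw, between a port-to-service reference table and the sockets actually open on the host, is easy to make mechanical. The following is an added example, not Port Explorer's own code or anything posted in this thread: it parses a constructed lookup table (in the style of the output quoted in the first post) and a constructed socket table (process, local port, remote endpoint, state, in the spirit of File > Save Table), then reports which lookup hits correspond to a live socket and which are reference-only noise.

```python
import re
from collections import defaultdict

# Constructed lookup table, formatted like the "Port to Service" output quoted above.
LOOKUP_TEXT = """\
--Port 1863-- MSN Messenger - MSN Messenger Application
--Port 16999-- RAT: MSN Log Thief
--Port 60101-- RAT: MSN Log Thief
--Port 23-- Telnet Protocol (RFC 854)
--Port 23-- RAT: Fire HacKer
"""

# Constructed socket table (tab-separated): process, local port, remote endpoint, state.
# The 16999 listener is a made-up entry so the review logic has something to flag.
SOCKET_TEXT = """\
msnmsgr.exe\t1863\t64.4.13.110:1863\tESTABLISHED
svchost.exe\t135\t0.0.0.0:0\tLISTENING
unknown.exe\t16999\t0.0.0.0:0\tLISTENING
"""

def parse_lookup(text):
    """Map port number -> list of service names the reference table associates with it."""
    table = defaultdict(list)
    for m in re.finditer(r"--Port (\d+)-- (.+)", text):
        table[int(m.group(1))].append(m.group(2).strip())
    return dict(table)

def parse_sockets(text):
    """Parse the constructed socket table into dicts, one per open socket."""
    sockets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, local, remote, state = line.split("\t")
        sockets.append({"process": proc, "local_port": int(local),
                        "remote": remote, "state": state})
    return sockets

def classify(lookup, sockets):
    """Return (live, reference_only). live: local port -> owning process plus the
    lookup candidates for that port; reference_only: ports the table knows about
    but which no socket on the host actually uses (i.e. no evidence of anything)."""
    live = {}
    for s in sockets:
        live[s["local_port"]] = {"process": s["process"], "state": s["state"],
                                 "candidates": lookup.get(s["local_port"], ["(unknown)"])}
    reference_only = sorted(p for p in lookup if p not in live)
    return live, reference_only

def needs_review(live):
    """Ports with a real socket whose lookup candidates include a RAT entry: the
    owning process (not the table) is what to inspect and scan."""
    return sorted(p for p, info in live.items()
                  if any(c.startswith("RAT:") for c in info["candidates"]))
```

Only the process behind a live socket is worth investigating; a port that appears in `reference_only` says nothing about the host, exactly as the help file quoted above describes.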