Are these Trojans?

Discussion in 'Port Explorer' started by Cyborg, Mar 25, 2004.

Thread Status:
Not open for further replies.
  1. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Hi Guys,

    I have performed a C: drive check disk operation and I checked:

    "Automatically fix file system errors" and "Scan for and attempt recovery of bad sectors."

    I have never done this before and did so on advice that it is just good PC housekeeping and keeps everything running sweet. After this operation was completed I was hit with a ZoneAlarm alert which asked me to grant permission to "LiveUpdate Engine Com Module", and when I checked I had information outgoing to various IP addresses, which is concerning me.

    I have attached a screen print to show what is what, and you will note that everything is related to Messenger and all are in red, which suggests Trojans.

    One of the main highlighted ports is Port 80. Can I close this port down, or does my PC need this open? Most of the High alerts I get from ZoneAlarm refer to Port 80.

    You will also notice Port 7001 which I have read somewhere is also a known problem Port in respect of Trojans.

    Can somebody help me please? If I had said yes to "LiveUpdate Engine Com Module" I guess that none of these entries would have shown up. Is it safe to say yes to "LiveUpdate Engine Com Module"?

    Do I have a problem with Messenger, and should I uninstall it and start over?

    Any help and advice would be greatly appreciated. The ease with which I can trace IP addresses in Port Explorer is cool and has convinced me that it is one piece of software I really need.

    Finally, what is "Enable Spying"? Is it, as it suggests, a way of me watching those that are watching me?

    Hope to hear from you,

    Cyborg
     


  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    In the simplest terms, no. Look at the process NAME on the far right - personally I have the process name on the far left as it's easier to see. MSN is not a trojan; it will have hidden windows and show up as something with hidden windows when running as ONLY a tray icon. You have nothing to worry about in regards to that process :)

    What port is being used all depends on whether it is the local port or the remote port. MSN will keep a connection open to Hotmail to tell you when you have mail, and probably some could be because you clicked on a link which then sent a request to port 80 on a webserver. Everything in the LOCAL ports looks normal, as internet applications use a randomly available port above 1025 in most cases. OK, MSN uses port 9 too, but this is also normal; everyone sees this :)

    Socket Spy will enable you to capture traffic from any socket and then see it in raw mode, showing the exact data that was sent to or from an application.
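    Gavin's point that the local port has to be read against the remote port can be checked mechanically. The script below is an added example, not Port Explorer code and not anything posted in this thread: it parses a `netstat -ano` style connection table and labels each row as an outbound client connection (ephemeral local port, well-known remote port), an inbound connection to a local service (well-known local port, ephemeral remote port), or an open listening socket, and flags only the rows a reader of Gavin's reply would want to look at. The sample rows, PIDs and process names are constructed, not the poster's screenshot; the WELL_KNOWN port map and the EPHEMERAL_MIN threshold are assumptions.

```python
"""Classify netstat-style rows by which side holds the well-known port.

Added example; the sample table and process map below are constructed,
not taken from the thread's screenshot.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed map of remote services a client normally talks to.
WELL_KNOWN = {25: "smtp", 53: "dns", 80: "http", 443: "https", 1863: "msnp"}
# Assumed floor for client-side (ephemeral) ports on the Windows of the day.
EPHEMERAL_MIN = 1025

# Constructed `netstat -ano` output: documentation addresses, made-up PIDs.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1044      64.4.13.55:1863        ESTABLISHED     1820
  TCP    192.168.1.10:1051      203.0.113.7:80         ESTABLISHED     1820
  TCP    192.168.1.10:80        198.51.100.9:3322      ESTABLISHED     2210
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       2210
  UDP    0.0.0.0:9              *:*                                    1820
"""
# Constructed PID -> image name map (what Task Manager / Port Explorer shows).
SAMPLE_PROCESSES: Dict[int, str] = {900: "svchost.exe", 1820: "msmsgs.exe"}


@dataclass
class Verdict:
    proto: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    process: str
    role: str        # "client", "inbound", "listening" or "other"
    attention: bool  # True when a reader should look closer
    note: str


_ADDR = re.compile(r"^(.*):(\d+|\*)$")


def _split(addr: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    m = _ADDR.match(addr)
    if not m:
        raise ValueError(f"bad socket address: {addr!r}")
    port = m.group(2)
    return m.group(1), (None if port == "*" else int(port))


def classify_line(line: str, processes: Dict[int, str]) -> Optional[Verdict]:
    fields = line.split()
    if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
        return None  # header, blank or unrecognised row
    proto = fields[0]
    _, lport = _split(fields[1])
    rhost, rport = _split(fields[2])
    state = fields[3] if len(fields) == 5 else ""  # UDP rows carry no state
    proc = processes.get(int(fields[-1]), "?")

    if state == "LISTENING" or (proto == "UDP" and rport is None):
        # The local port is the service side; anyone on the network can reach it.
        role, attention = "listening", proc == "?"
        note = f"local port {lport} is open to inbound traffic; owner {proc}"
    elif rport in WELL_KNOWN and (lport or 0) >= EPHEMERAL_MIN:
        # Normal client behaviour: our ephemeral port talking to their service.
        role, attention = "client", False
        note = f"outbound {WELL_KNOWN[rport]} to {rhost}:{rport} from local port {lport}"
    elif lport in WELL_KNOWN and (rport or 0) >= EPHEMERAL_MIN:
        # Someone is connected to OUR well-known port: is this process meant to serve?
        role, attention = "inbound", True
        note = f"{rhost} is connected to our {WELL_KNOWN[lport]} port {lport} ({proc})"
    else:
        role, attention = "other", False
        note = "no well-known port on either side"
    return Verdict(proto, lport, rhost, rport, proc, role, attention, note)


def classify(netstat_text: str, processes: Dict[int, str]) -> List[Verdict]:
    return [v for v in (classify_line(l, processes) for l in netstat_text.splitlines()) if v]


if __name__ == "__main__":
    for v in classify(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{'!' if v.attention else ' '} {v.proto} {v.process:12} {v.role:9} {v.note}")
```

    Run against the constructed table, the two port-80 rows come out differently: the one with 80 as the remote port is an ordinary web request from an ephemeral local port, while the one with 80 as the local port means a remote host is connected to a service on this machine and is the row worth asking about.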
     
  3. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Hi Gavin,

    Thanx for replying.

    I am just having to do all this again now. I wrote it up and submitted it but failed to realise that the link had not logged me in and that I was a guest.

    In respect of all the entries that are red, yes, I did notice that they were Messenger; however, what was bothering me was the port numbers.

    Nearly all the "high" log reports I get from ZoneAlarm are due to somebody trying to gain access via Port 80. I am also aware that Port 7001 is a problem port, so when I saw all these red entries I was concerned.

    The entries stayed red for a couple of hours; they are now black once again. I noticed that when they were red the Messenger version was 6.1.0211, and likewise so was MSN6.

    The above version of Messenger has a coloured icon, i.e. with orange, blue and yellow in it. There is also another version of Messenger which has a green figure icon; can you shed any light on this?

    For whatever reason, in between me starting to write this, the entries are now logged against version 7.02.00.10.1600, which was present for 3 minutes, and now they have reverted back to version 6.1.0211. This is weird, and if it happened to me it must be happening to others. What could this be; some kind of auto-update?

    I guess it is safe to say yes, then, should I get the log alert from ZoneAlarm for LiveUpdate Engine Com Module?

    Maybe parts of this thread need to be put in other areas, e.g. Firewalls. If need be, how do I do that in a link?

    Thanx again,

    Cyborg
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    said by Gavin:
    Who knows Gavin, who knows... :D

    Seriously Cyborg there is no need to worry, the changing behaviour of MSN is probably normal.
     
  5. OK, so the question still wasn't answered. Is it safe to allow LiveUpdate Engine COM Module?? It just started popping up today and I don't know why. It's a real pain in the neck. Can somebody answer in plain English please, either yes or no? Thank you.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, allow it if the location looks right, or check the file properties first. It's part of a Norton product and should be connecting to Symantec.com.
     
  7. Dan Shutters

    Dan Shutters Guest

    The destination IP is 216.220.160.7:DNS

    How do I tell if that is Norton's IP?
     
  8. maps

    maps Guest

    Go into Norton Antivirus options and uncheck the monitoring for MS Messenger, which should be under the instant messaging category. Or, better yet, if you're like me, just get rid of the damn thing for good. This can be done by typing "RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove" (without the quotes) in the Run box (Windows key + R).

    hope that relieved ya.
     
  9. Dan Shutters

    Dan Shutters Guest

    Finding the source

    I do thank you for your help. I also found a site which tells who has the IP address. (Oh yes, Norton was the source for my own concern. Just goes to show how much paranoia I have). In any case this should help with any future problems of a similar nature.


    http://www.networksolutions.com/en_US/whois/index.jhtml
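    Dan's question in post 7 and the whois link he gives in post 9 come down to one check: does the destination IP fall inside an address block whose registrant is the vendor you expect? The following is an added example, not code from the thread or from Network Solutions, that parses a whois reply in the ARIN key/value layout and answers that question. The reply text is constructed, uses RFC 5737 documentation addresses and a placeholder organisation, and says nothing about who actually holds 216.220.160.7; the key names NetRange, CIDR and OrgName follow ARIN's layout, and handling both CIDR and NetRange covers replies that carry only one of them.

```python
"""Does this destination IP sit in a whois block registered to the vendor I expect?

Added example. The whois text is constructed (RFC 5737 documentation space,
placeholder organisation) and is not a real registration record.
"""
import ipaddress
import re
from typing import Dict, List, Optional

SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-VENDOR-NET
NetHandle:      NET-203-0-113-0-1
Organization:   Example Vendor Corp (EVC-1)
OrgName:        Example Vendor Corp
OrgId:          EVC-1
RegDate:        2003-11-04
Updated:        2004-02-17
"""

_KV = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_whois(text: str) -> Dict[str, str]:
    """Collect 'Key: value' lines, skipping comments; first value wins on repeats."""
    rec: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m and m.group(1) not in rec:
            rec[m.group(1)] = m.group(2).strip()
    return rec


def networks_from_record(rec: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Prefer the CIDR field; fall back to expanding a 'lo - hi' NetRange."""
    nets: List[ipaddress.IPv4Network] = []
    if "CIDR" in rec:
        for part in rec["CIDR"].split(","):
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    elif "NetRange" in rec:
        lo, hi = (s.strip() for s in rec["NetRange"].split("-"))
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return nets


def owner_of(ip: str, whois_text: str) -> Optional[str]:
    """Registrant name if `ip` is inside the record's block, else None."""
    rec = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    for net in networks_from_record(rec):
        if addr in net:
            return rec.get("OrgName") or rec.get("Organization")
    return None  # the reply does not cover this address: do not trust it


def belongs_to(ip: str, whois_text: str, expected_org: str) -> bool:
    """True only when the block covers `ip` AND the registrant names the expected vendor."""
    owner = owner_of(ip, whois_text)
    return owner is not None and expected_org.lower() in owner.lower()


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "->", owner_of(ip, SAMPLE_WHOIS), "| expected vendor:",
              belongs_to(ip, SAMPLE_WHOIS, "Example Vendor"))
```

    The negative branch matters as much as the positive one: a whois reply that does not actually cover the address you looked up, or that names a different registrant, is the case in which the firewall prompt should not simply be answered "yes".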
     