ccapp.exe in red

Discussion in 'Port Explorer' started by beethoven, Sep 16, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    Just trialling PE and trying to see what is going on with my PC.
    One of the processes listed comes up in red. CCapp.exe on port 1033 with local address 127.0.0.1 and remote address 0.0.0.0.
    I realise that ccapp is part of Symantec and that 127.0.0.1 is a loopback to my own PC, but is this normal? Port 1033 shows up as being used by netspy?
    Any suggestions for a newbie how to check this further without expecting too much IT knowledge?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi beethoven, Items shown in red are usually hidden connections or connections that have a GUI but the GUI is not open on your desktop at the time. These are usually harmless but could be Trojanic so PE highlights them.

    As you rightly state 127.0.0.1 is your local machine so no problem there.
    If you see a 1032 port reference does it also refer to localhost? If so then this could be your hosts file at work stopping any direct connection for netspy.

    A screenshot of what you are seeing may be helpful.

    Thanks. Pilli
     
  3. beethoven

    beethoven Registered Member

    I had read about that on one of the other threads and tested running NAV but that did not change anything. The CCapp.exe file shows up the same way irrespective of whether I only have the icon in the taskbar or actually do a scan with the GUI open.

    Here you are :)
     

    Attached Files:

    • PE1.jpg
  4. Pilli

    Pilli Registered Member

    I think that those events shown are quite normal.
    Here is some information from the help file which may help you understand what you are seeing:

    Windows NT4/2K/XP/2003

    Under Windows 95/98 Port Explorer isn't able to map all sockets to their parent process (usually only the ones that are loaded very early by the system). Such processes will normally display with the process name of "--NETSTAT--", indicating that Port Explorer wasn't able to map the process, but it could still see the socket using standard netstat techniques. However, under Windows NT4, 2K, XP and 2003, Port Explorer is able to map ports to all processes by using undocumented functions that are built into the operating system. Sockets that would normally display as '--NETSTAT--' but have been resolved by Port Explorer using this technique will have an asterisk beside their name, for example:
    * c:\path\process.exe
    rather than...
    c:\path\process.exe


    Windows XP/2003

    In some rare circumstances, Windows XP doesn't clean up all its sockets correctly after an application has closed. This has the effect of Port Explorer showing a socket with an asterisk and no filename because the application is closed yet Windows XP is reporting that the closed application owns the socket(s). Usually after your internet connection has been disconnected the 'blank' socket(s) will be cleaned up by Windows XP. This isn't a Port Explorer problem, it's a Windows XP issue. To check this, whenever you see a blank socket go to your command prompt and type "netstat -ano" (without quotes). You should see the sockets which have the same PID as the blank sockets in Port Explorer. If you look in Windows Task Manager (Ctrl+Alt+Delete | Task Manager) you will see no process that has the PID that netstat and Port Explorer report.
     