HFH Pt.2

Discussion in 'malware problems & news' started by cd08, Jun 21, 2009.

Thread Status:
Not open for further replies.
  1. cd08

    cd08 Registered Member

    Joined:
    Aug 30, 2008
    Posts:
    10
    Found this in IceSword.

    TCP 192.168.0.198 : 139 0.0.0.0 : 0 LISTENING 4 NT OS Kernel

    UDP 192.168.0.198 : 137 * : * 4 NT OS Kernel

    UDP 192.168.0.198 : 138 * : * 4 NT OS Kernel

    Through Google I found that these ports are the most dangerous ports ever.

    And the NT OS Kernel means that something internal is going on in my kernel.

    This one too:

    RAW --- --- --- 4 NT OS Kernel


    "4" Is the PID.

    "RAW" is the protocol


    And for firefox it's showing things like:

    TCP 192.168.0.198 : 50782 0.80.0.0 : 24593 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe


    Local port 50782 and remote port 24593....is that normal?


    FullLog:

    Port:

    Protocol Local Address Foreign Address State PID PathName
    TCP 0.0.0.0 : 135 0.0.0.0 : 0 LISTENING 800 C:\Windows\System32\svchost.exe
    TCP 192.168.0.198 : 139 0.0.0.0 : 0 LISTENING 4 NT OS Kernel
    TCP 0.0.0.0 : 49152 0.0.0.0 : 0 LISTENING 472 C:\Windows\System32\wininit.exe
    TCP 0.0.0.0 : 49153 0.0.0.0 : 0 LISTENING 904 C:\Windows\System32\svchost.exe
    TCP 0.0.0.0 : 49154 0.0.0.0 : 0 LISTENING 1124 C:\Windows\System32\svchost.exe
    TCP 0.0.0.0 : 49155 0.0.0.0 : 0 LISTENING 1008 C:\Windows\System32\svchost.exe
    TCP 0.0.0.0 : 49156 0.0.0.0 : 0 LISTENING 576 C:\Windows\System32\lsass.exe
    TCP 0.0.0.0 : 49158 0.0.0.0 : 0 LISTENING 560 C:\Windows\System32\services.exe
    TCP 127.0.0.1 : 50771 198.84.0.0 : 32512 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
    TCP 127.0.0.1 : 50772 198.83.0.0 : 32512 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
    TCP 127.0.0.1 : 50773 198.86.0.0 : 32512 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
    TCP 127.0.0.1 : 50774 198.85.0.0 : 32512 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
    UDP 0.0.0.0 : 123 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 192.168.0.198 : 137 * : * 4 NT OS Kernel
    UDP 192.168.0.198 : 138 * : * 4 NT OS Kernel
    UDP 0.0.0.0 : 500 * : * 1008 C:\Windows\System32\svchost.exe
    UDP 127.0.0.1 : 1900 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 192.168.0.198 : 1900 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 0.0.0.0 : 3702 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 0.0.0.0 : 3702 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 0.0.0.0 : 4500 * : * 1008 C:\Windows\System32\svchost.exe
    UDP 0.0.0.0 : 5355 * : * 1204 C:\Windows\System32\svchost.exe
    UDP 0.0.0.0 : 49168 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 127.0.0.1 : 49667 * : * 1008 C:\Windows\System32\svchost.exe
    UDP 192.168.0.198 : 49739 * : * 1124 C:\Windows\System32\svchost.exe
    UDP 127.0.0.1 : 49740 * : * 1124 C:\Windows\System32\svchost.exe
    RAW --- --- --- 4 NT OS Kernel
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    It seems that you have a rootkit/trojan.
    The IP 0.80.0.0 is an unallocated IP address.
    Download PrevX and Avira.

    Probably they'll find something.

    Panagiotis
     
  3. cd08

    cd08 Registered Member

    Joined:
    Aug 30, 2008
    Posts:
    10
    Nothing found with any scanners.

    Any idea what/why/where about this?
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I think the real question is why are you running IceSword, an (outdated) rootkit detection tool that requires considerable knowledge of the subject from the user to be useful and not cause false alerts and scares?

    It's 4 AM here and my brain may be a "little" slow, but what I see there is just a bunch of traffic in your own private network. Got a home network, or a router? File / printer sharing in use in the network? That's what you're seeing.

    192.168.0.198 is an IP address reserved for private networks. It is not routable on the open internet, just in your local network.

    As for those ports, TCP 139 does file and printer sharing, like for your local area network. It's not particularly dangerous as long as you're not showing it to the internet, just to your local network.

    Oh, and in your kernel there is always something 'internal' going on. The kernel is the core of the operating system. Nothing is more "internal" than that. And if there isn't something going on in there, then that means your computer is either shut down or frozen.

    You can download various anti-malwares and scan if you like, but that is unlikely to solve whatever problems you think your system has. Is there some reason that you think your system is infected? Have you executed suspect programs lately, or visited infected sites? I will head to bed now, and will pop back in this thread come morning if I remember to.
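    The reading Windchild gives above (look at the bind address to decide who can actually reach a listener, and at the peer address for established connections) can be applied mechanically to the listing cd08 posted. The script below is an added example for this thread, not a tool from the thread or from IceSword: the line format it parses, the scope labels and the small well-known-port table are this example's own assumptions, and the sample rows are copied from the listing above.

```python
"""Scope-classify an IceSword "Port" listing: who could reach each socket?

Added example for this thread, not a tool from the thread or from IceSword.
The line format, scope labels and port table are this example's own
assumptions; the sample rows are copied from the listing posted above.
"""
import ipaddress
import re

# Sample copied from the listing posted in the thread.
SAMPLE_LOG = r"""
TCP 0.0.0.0 : 135 0.0.0.0 : 0 LISTENING 800 C:\Windows\System32\svchost.exe
TCP 192.168.0.198 : 139 0.0.0.0 : 0 LISTENING 4 NT OS Kernel
TCP 127.0.0.1 : 50771 198.84.0.0 : 32512 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
TCP 192.168.0.198 : 50782 0.80.0.0 : 24593 ESTABLISHED 3280 C:\Program Files\Mozilla Firefox\firefox.exe
UDP 192.168.0.198 : 137 * : * 4 NT OS Kernel
UDP 0.0.0.0 : 123 * : * 1124 C:\Windows\System32\svchost.exe
UDP 127.0.0.1 : 1900 * : * 1124 C:\Windows\System32\svchost.exe
RAW --- --- --- 4 NT OS Kernel
"""

# IANA well-known assignments for the ports that matter in the listing.
WELL_KNOWN = {
    123: "NTP", 135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service", 138: "NetBIOS datagram service",
    139: "NetBIOS session service (file/printer sharing)",
    445: "SMB over TCP", 1900: "SSDP (UPnP discovery)",
}

# "PROTO local : port foreign : port [STATE] PID path"; UDP rows carry no state.
SOCKET_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<lip>\S+?)\s*:\s*(?P<lport>\d+)\s+"
    r"(?P<rip>\S+?)\s*:\s*(?P<rport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<path>.+?)\s*$"
)
RAW_RE = re.compile(r"^RAW\s+(?:---\s+){3}(?P<pid>\d+)\s+(?P<path>.+?)\s*$")

# Address scopes, checked in order; anything unmatched is treated as public.
_SCOPES = (
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),  # never a real peer
)


def classify_address(addr):
    """Scope label for one dotted-quad, or 'any' for the '*' / '---' wildcards."""
    if addr in ("*", "---"):
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 = bound on every interface the host has
        return "unspecified"
    for label, net in _SCOPES:
        if ip in net:
            return label
    return "public"


def parse_listing(text):
    """Parse the listing; the header line and anything unrecognised are skipped."""
    entries = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip()) or RAW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()  # RAW rows only carry pid and path
        rport = d.get("rport")
        entries.append({
            "proto": d.get("proto", "RAW"), "local_ip": d.get("lip"),
            "local_port": int(d["lport"]) if "lport" in d else None,
            "remote_ip": d.get("rip"),
            "remote_port": int(rport) if rport and rport.isdigit() else None,
            "state": d.get("state"), "pid": int(d["pid"]), "path": d["path"],
        })
    return entries


def exposure(entry):
    """Bind-address scope for listeners, peer-address scope for connections."""
    if entry["proto"] == "RAW":
        return "raw-socket"
    if entry["state"] == "ESTABLISHED":
        return "peer-" + classify_address(entry["remote_ip"])
    scope = classify_address(entry["local_ip"])
    return {"unspecified": "all-interfaces", "private": "lan-only",
            "loopback": "localhost-only"}.get(scope, scope)


def report(text):
    """One row per socket: (proto, local ip, port, service, exposure, pid, path)."""
    return [(e["proto"], e["local_ip"], e["local_port"],
             WELL_KNOWN.get(e["local_port"], ""), exposure(e), e["pid"], e["path"])
            for e in parse_listing(text)]


def bound_on_all_interfaces(text):
    """(proto, port) pairs bound to 0.0.0.0: for these the router/firewall, not
    the bind address, decides whether anything outside the LAN can reach them."""
    return [(e["proto"], e["local_port"]) for e in parse_listing(text)
            if e["proto"] != "RAW" and e["state"] in (None, "LISTENING")
            and classify_address(e["local_ip"]) == "unspecified"]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%-3s %-15s %-5s %-45s %-18s %5s %s" % row)
```

    Run against the sample, the TCP 139 and UDP 137 rows come out as "lan-only" because they are bound to the 192.168.0.198 address only, while the 135 and 123 listeners on 0.0.0.0 are the ones whose reachability from outside depends entirely on the router. The 0.80.0.0 peer is labelled "this-network" rather than "public" because 0.0.0.0/8 is not a routable destination.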
     