Found this in IceSword.

    TCP 192.168.0.198 : 139    0.0.0.0 : 0    LISTENING    4    NT OS Kernel
    UDP 192.168.0.198 : 137    * : *                       4    NT OS Kernel
    UDP 192.168.0.198 : 138    * : *                       4    NT OS Kernel

Through Google I found that these ports are the most dangerous ports ever. And the "NT OS Kernel" means that something internal is going on in my kernel.

This one too:

    RAW    ---    ---    ---    4    NT OS Kernel

"4" is the PID. "RAW" is the protocol.

And for Firefox it's showing things like:

    TCP 192.168.0.198 : 50782    0.80.0.0 : 24593    ESTABLISHED    3280    C:\Program Files\Mozilla Firefox\firefox.exe

Local port 50782 and remote port 24593... is that normal?

Full log:

Port:

    Protocol  Local Address           Foreign Address       State        PID   PathName
    TCP       0.0.0.0 : 135           0.0.0.0 : 0           LISTENING    800   C:\Windows\System32\svchost.exe
    TCP       192.168.0.198 : 139     0.0.0.0 : 0           LISTENING    4     NT OS Kernel
    TCP       0.0.0.0 : 49152         0.0.0.0 : 0           LISTENING    472   C:\Windows\System32\wininit.exe
    TCP       0.0.0.0 : 49153         0.0.0.0 : 0           LISTENING    904   C:\Windows\System32\svchost.exe
    TCP       0.0.0.0 : 49154         0.0.0.0 : 0           LISTENING    1124  C:\Windows\System32\svchost.exe
    TCP       0.0.0.0 : 49155         0.0.0.0 : 0           LISTENING    1008  C:\Windows\System32\svchost.exe
    TCP       0.0.0.0 : 49156         0.0.0.0 : 0           LISTENING    576   C:\Windows\System32\lsass.exe
    TCP       0.0.0.0 : 49158         0.0.0.0 : 0           LISTENING    560   C:\Windows\System32\services.exe
    TCP       127.0.0.1 : 50771       198.84.0.0 : 32512    ESTABLISHED  3280  C:\Program Files\Mozilla Firefox\firefox.exe
    TCP       127.0.0.1 : 50772       198.83.0.0 : 32512    ESTABLISHED  3280  C:\Program Files\Mozilla Firefox\firefox.exe
    TCP       127.0.0.1 : 50773       198.86.0.0 : 32512    ESTABLISHED  3280  C:\Program Files\Mozilla Firefox\firefox.exe
    TCP       127.0.0.1 : 50774       198.85.0.0 : 32512    ESTABLISHED  3280  C:\Program Files\Mozilla Firefox\firefox.exe
    UDP       0.0.0.0 : 123           * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       192.168.0.198 : 137     * : *                              4     NT OS Kernel
    UDP       192.168.0.198 : 138     * : *                              4     NT OS Kernel
    UDP       0.0.0.0 : 500           * : *                              1008  C:\Windows\System32\svchost.exe
    UDP       127.0.0.1 : 1900        * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       192.168.0.198 : 1900    * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       0.0.0.0 : 3702          * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       0.0.0.0 : 3702          * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       0.0.0.0 : 4500          * : *                              1008  C:\Windows\System32\svchost.exe
    UDP       0.0.0.0 : 5355          * : *                              1204  C:\Windows\System32\svchost.exe
    UDP       0.0.0.0 : 49168         * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       127.0.0.1 : 49667       * : *                              1008  C:\Windows\System32\svchost.exe
    UDP       192.168.0.198 : 49739   * : *                              1124  C:\Windows\System32\svchost.exe
    UDP       127.0.0.1 : 49740       * : *                              1124  C:\Windows\System32\svchost.exe
    RAW       ---                     ---                   ---          4     NT OS Kernel
It seems that you have a rootkit/trojan. The IP 0.80.0.0 is an unallocated IP address. Download PrevX and Avira. Probably they'll find something.

Panagiotis
I think the real question is why are you running IceSword, an (outdated) rootkit detection tool that requires considerable knowledge of the subject from the user to be useful and not cause false alerts and scares?

It's 4 AM here and my brain may be a "little" slow, but what I see there is just a bunch of traffic in your own private network. Got a home network, or a router? File / printer sharing in use in the network? That's what you're seeing. 192.168.0.198 is an IP address reserved for private networks. It is not routable on the open internet, just in your local network.

As for those ports, TCP 139 does file and printer sharing, like for your local area network. It's not particularly dangerous as long as you're not showing it to the internet, just to your local network.

Oh, and in your kernel there is always something 'internal' going on. The kernel is the core of the operating system. Nothing is more "internal" than that. And if there isn't something going on in there, then that means your computer is either shut down or frozen.

You can download various anti-malware tools and scan if you like, but that is unlikely to solve whatever problems you think your system has. Is there some reason that you think your system is infected? Have you executed suspect programs lately, or visited infected sites?

I will head to bed now, and will pop back in this thread come morning if I remember to.
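To make the reasoning in the reply above repeatable, here is an added example (not code from either poster or from IceSword) that parses rows in IceSword's column layout and labels each socket: file/printer-sharing listeners are reported with the kind of address they are bound to (loopback, RFC 1918 private, or all interfaces), and established connections are reported with whether the peer address is public, private, or in the never-routable 0.0.0.0/8 block. The sample rows are constructed from values in the thread; the port-name table and the label names are my own.

```python
import ipaddress

# Constructed sample in IceSword's column layout, using values from the thread (not live traffic).
SAMPLE = """\
TCP 0.0.0.0 : 135 0.0.0.0 : 0 LISTENING 800 C:\\Windows\\System32\\svchost.exe
TCP 192.168.0.198 : 139 0.0.0.0 : 0 LISTENING 4 NT OS Kernel
TCP 192.168.0.198 : 50782 0.80.0.0 : 24593 ESTABLISHED 3280 C:\\Program Files\\Mozilla Firefox\\firefox.exe
TCP 127.0.0.1 : 50771 198.84.0.0 : 32512 ESTABLISHED 3280 C:\\Program Files\\Mozilla Firefox\\firefox.exe
UDP 192.168.0.198 : 137 * : * 4 NT OS Kernel
RAW --- --- --- 4 NT OS Kernel
"""

# Windows file/printer-sharing ports: normal on a LAN, must not face the internet.
LAN_PORTS = {"135": "RPC endpoint mapper", "137": "NetBIOS name", "138": "NetBIOS datagram",
             "139": "NetBIOS session/SMB", "445": "SMB"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an IPv4 address the way the reply above reasons about it."""
    if addr in ("*", "---"):
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                         # 0.0.0.0 = bound on every interface
        return "all-interfaces"
    if ip in ipaddress.ip_network("0.0.0.0/8"):   # 0.x.x.x is never a routable peer
        return "bogon"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):         # private, not routable on the internet
        return "rfc1918"
    return "public" if ip.is_global else "reserved"

def parse(line):
    """Split one IceSword row into fields; UDP rows have no State column."""
    t = line.split()
    if len(t) < 8 or t[0] not in ("TCP", "UDP"):
        return None
    state, rest = (t[7], t[8:]) if t[0] == "TCP" else ("", t[7:])
    return {"proto": t[0], "laddr": t[1], "lport": t[3], "faddr": t[4],
            "fport": t[6], "state": state, "pid": int(rest[0]), "path": " ".join(rest[1:])}

def review(log):
    """Return (local endpoint, verdict) per socket: LAN services vs. outbound peers."""
    out = []
    for s in filter(None, map(parse, log.splitlines())):
        local = f'{s["proto"]} {s["laddr"]}:{s["lport"]}'
        if s["state"] == "ESTABLISHED":
            out.append((local, f'peer {s["faddr"]} is {classify(s["faddr"])}'))
        elif s["lport"] in LAN_PORTS:
            out.append((local, f'{LAN_PORTS[s["lport"]]} on {classify(s["laddr"])} address'))
        else:
            out.append((local, "listener"))
    return out
```

Feeding the thread's full log through `review` would mark the 137/138/139 rows as sharing services bound to the private 192.168.0.198 address and every Firefox peer as either public or bogon, which is the distinction the reply draws.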