
Thread: Question about my listening port's

  1. #11
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    To back up the registry:

    1. Start -> Run -> regedit
    2. Registry -> Export Registry File
    3. Save the file somewhere

    If you want to restore it, under the Registry menu click Import Registry File and browse to the file you saved.

    But shouldn't the cleaner be able to clean it up?
    You're right, it should... Make sure it's up to date. Maybe you have to stop the process before you run it? I dunno.

    I guess sometimes you just have to remove it manually. Do a search on your hard drive for aim.exe and delete the file if you find it. It will probably be in the system32 folder. That's where lots of trojans hide themselves. Good luck.

    Oh, I guess I might as well give you this link as well. In case you didn't STFW

    mjk

  2. #12
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Atticus, I know, I just got the cleaner a few days ago and I have those things running.

    MJK, I already did a search for aim.exe and it led to a legit program, my aim program.
    I am the uber duck!!1
    Proxy Tools

  3. #13
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    Hmmm... Well if you haven't already rebooted, do so then run fport again. If it's still listening, reinstall AIM. If that still doesn't work, I'm stumped.

    mjk

  4. #14
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Ok, I also didn't find any of those things you or norton.com told me to look for in the registry, I think I should also inform you guys that I have this program for aim. It's a filter and its purpose is to protect me from people booting me and crashing my aim client. But that connects to port 3333, and when I log in using aim and that I am logged in using port 3333 and 5190 but port 5180 is still listening. Also can anyone tell me what bootpc is? It shows up in my netstat readouts as a UDP port. It comes and goes so I have no idea what it is. It doesn't connect, it just has that *:* next to it, what does that mean again? I forgot.

  5. #15
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    if you used fport what was the folder aim was running from? if it was 'C:\PROGRAM FILES\AIM95\AIM.EXE' or something similar have you gone to that folder, right clicked>properties>version on aim.exe to see what it says?

    this anti-punter probably is intercepting traffic from/to 5180 internally. you need to have your computer scanned from the outside.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #16
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Yes, the fport path is similar to that, but what info am I looking for in the properties?

  7. #17
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    well if it says under version that is america online and not blank or something else renamed to aim it's the original file.

    it's the same path as the file opening 5190?

    i think your anti-punter doesn't 'change' AIM but acts as a proxy for it leaving the original port listening internally and communicating through it. just my guess

  8. #18
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    hmm..doesn't look like a trojan to me if it's got that path and if the registry entry corresponds to aim(or it could be a pretty sophisticated trojan cos it'd have to had messed with the original aim file..not really sophisticated even lol..it could've just bound itself with it..but nm all that)
    What I'd like to know The_Duck,is whether you see anything sneaky in your firewall logs..if AIM's just connecting to the regular AIM server(which you can find out by reverse DNSing the ip on your firewall) ,I figure you should be in the clear...if it's another ip tho..then yep//you've got something..hope this helped a bit

  9. #19

    Re: Question about my listening port's

    Originally posted here by The Duck
    Hey guys, I have this question, it's about this program that is running on this specific port.

    I did a netstat -a and it showed up that port 5180 was listening, I did a fport on it and it showed that aim.exe was on this port. So I connected my aim but my aim connects to port 5190, like most aim's I know. I did research on port 5180 and I found that a trojan uses this port. The trojan's name is Backdoor.Peeper. According to symantec this is a trojan that allows remote control of the computer. I used "The Cleaner" and it showed me that I had some trojans, but none of this type. So can anyone help me out?
    Do the netstat commands in my tutorial and match the PIDs to your task manager's (ctrl-alt-del) PIDs, but listen to Tedob1 first.

    PS: Tedob1 that proxyrama is bad a$$
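
The check that posts #15, #17 and #19 describe (match the listening port to its PID, then look at the executable's path and version information), as an added example that is not part of the original thread. It assumes a current Windows with the built-in `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later) instead of the fport tool used above, and it adds a signature and hash lookup that the thread does not mention.

```powershell
# Added example: map a listening TCP port to its owning executable and show
# the file's identity. 5180 is the port discussed in the thread; everything
# else (property names in the output object) is chosen for this example.
param([int]$Port = 5180)

$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port"
    return
}

foreach ($conn in $listeners) {
    # OwningProcess is the PID that netstat -ano / Task Manager would show.
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path   # empty for protected processes when not run elevated

    $info = [ordered]@{
        LocalAddress = $conn.LocalAddress   # 127.0.0.1 = reachable only locally
        LocalPort    = $conn.LocalPort
        OwnerPid     = $conn.OwningProcess
        ProcessName  = $proc.ProcessName
        Path         = $path
    }

    if ($path) {
        # Same data as right click > Properties > Version on the file.
        $ver = (Get-Item -LiteralPath $path).VersionInfo
        # Authenticode status says whether the vendor's signature is intact.
        $sig = Get-AuthenticodeSignature -FilePath $path

        $info.CompanyName     = $ver.CompanyName
        $info.ProductName     = $ver.ProductName
        $info.FileVersion     = $ver.FileVersion
        $info.SignatureStatus = $sig.Status
        $info.Signer          = $sig.SignerCertificate.Subject
        $info.SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]$info
}
```

Version resource strings can be copied into any file, so the signature status and hash are the fields to rely on when deciding whether the listener is the vendor's binary.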

  10. #20
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    to bind two files you have to use some kind of packer and it wouldn't show aol's version information but i agree that checking the logs would be a good thing