June 2nd, 2004, 11:39 PM   #1
The Duck
AFLAAACKKK!!
Join Date: Apr 2004
Posts: 1,065
Question about my listening ports

Hey guys, I have this question, it's about this program that is running on this specific port.

I did a netstat -a and it showed up that port 5180 was listening. I did a fport on it and it showed that aim.exe was on this port. So I connected my aim but my aim connects to port 5190, like most aims I know. I did research on port 5180 and I found that a trojan uses this port. The trojan's name is Backdoor.Peeper. According to Symantec this is a trojan that allows remote control of the computer. I used "The Cleaner" and it showed me that I had some trojans, but none of this type. So can anyone help me out?
__________________
I am the uber duck!!1

June 3rd, 2004, 12:04 AM   #2
mjk
Senior Member
Join Date: Feb 2004
Posts: 620
Quote:
Originally posted here by Soda_Popinsky
Google for fport, by foundstone

Best tool ever for this sort of thing.
Quote:
I did a fport on it and it showed that aim.exe was on this port
Uh oh! Read twice, post once (just jokin w/ ya)


Anyways it looks like the peeper trojan, as you said. The default server name is internt.exe.. but most of the time trojans will be renamed to look like a well-known application. Check in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
That's where it starts up from. If you see aim.exe remove it.

Hope this helps.

mjk
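
The check described in the post above (which process owns the listening port, and whether its binary starts from the Run key), as an added PowerShell example for current Windows versions; it is not part of the original thread. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later, in place of netstat and fport), and checking the per-user HKCU Run key is an addition to the HKLM path given in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
param([int]$Port = 5180)   # 5180 is the port reported in the thread

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # key named in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption: also check the per-user key
)

# Flatten every autostart value into Key / Name / Command records.
$autostarts = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "No process is listening on TCP port $Port."
    return
}

foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $procId"
    $path = $proc.ExecutablePath   # empty when the session lacks rights to read it
    $sig = $null; $hash = $null; $hits = @()
    if ($path) {
        $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Match on the full path: the file name alone may imitate a well-known application.
        $hits = @($autostarts | Where-Object {
            $_.Command.IndexOf($path, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        })
    }
    [pscustomobject]@{
        Port       = $Port
        ProcessId  = $procId
        Image      = $proc.Name
        Path       = $path
        Signature  = $sig
        SHA256     = $hash
        RunEntries = ($hits | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; '
    }
}
```

A listener whose path is outside the application's normal install directory, whose signature status is not Valid, or that appears under RunEntries is the one to examine further, using the SHA256 value to look the file up with a scanner.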

June 3rd, 2004, 01:36 AM   #3
The Duck
AFLAAACKKK!!
Join Date: Apr 2004
Posts: 1,065
But shouldn't the cleaner be able to clean it up?
I hate going into the registry...

Unfortunately I don't know the registry that well... If you could be kind enough to walk me through the process I would be very grateful.

EDIT***

Well, I checked the registry and didn't see an aim.exe. I only saw things that looked like I needed. Any other ideas?

P.S. I knew how to get to the registry, I just don't feel comfortable there.

June 3rd, 2004, 01:40 AM   #4
Atticus|1
Senior Member
Join Date: Mar 2004
Posts: 111
Start->run->regedit

Then use the path given to you.

Oh and if you find what you want to delete right click for option...and make a back up first.
__________________
NORML

June 3rd, 2004, 01:48 AM   #5
The Duck
AFLAAACKKK!!
Join Date: Apr 2004
Posts: 1,065
Will that back up the WHOLE registry?

June 3rd, 2004, 01:50 AM   #6
Atticus|1
Senior Member
Join Date: Mar 2004
Posts: 111
This will...assuming it's NT/2000/XP...


Click Start > Programs > Accessories > System Tools > Backup.
Click Advanced Mode.
On the Welcome tab, click the Backup Wizard (Advanced) button.
Click Next.
Select Only back up the System State data, and then click Next.
Click the Browse button.
Click Cancel if the "Insert Disk" warning message pops up.
In the Save As dialog box, choose a location to save your registry back up.
Click Save.
Click Next.
Review the information in this window. Your Contents should say "Back up only the system state." Click Finish.
When the back up completes click Close.
Your registry is now backed up. You may close the Backup Utility window.

Win9x

Click Start, click Run, type scanregw, and then click OK.
When you receive a prompt to back up the registry, click Yes.
When you receive the "Backup complete" message, click OK.

I used this link as quick reference BTW...

Symantec

June 3rd, 2004, 01:56 AM   #7
The Duck
AFLAAACKKK!!
Join Date: Apr 2004
Posts: 1,065
I don't have a "back up" option in my system tools menu. Is there another name that it would be called?

June 3rd, 2004, 01:58 AM   #8
Atticus|1
Senior Member
Join Date: Mar 2004
Posts: 111
The thing is... you never said what OS you were using.

Don't you have Spybot S&D or something? It has an option to back it up, I believe.

//2nd edit...If the Cleaner was updated and all, are you sure it didn't make the necessary changes? What exact trojans did it find? Need more info I guess.

June 3rd, 2004, 03:12 AM   #9
The Duck
AFLAAACKKK!!
Join Date: Apr 2004
Posts: 1,065
Yes, I have spybot search and destroy and yes the cleaner is updated. It found 4 trojans that just tracked my internet activities, like spyware, and the other one was called...stumpy... I think. What stumpy does is open a connection to another server or ftp site and download other trojans. Before I ran the cleaner I did trend micro online scanner. It found a trojan too, but it just did small simple things like reset your homepage and stuff. Yesterday I ran spybot search and destroy in safe mode and it found something in the registry that was a "security hole". It removed it and yes I am up to date with my windows updates. BTW, I am running Windows XP.

June 3rd, 2004, 03:24 AM   #10
Atticus|1
Senior Member
Join Date: Mar 2004
Posts: 111
I always wonder when I read threads like this how in the hell people manage to pick up trojan(s) like this. You need some kinda real-time protection, The Duck. From now on enable TC active and TC monitor (the cleaner) to start with windows and run. This will hopefully stop the registry from being altered.