UDP port opened


All Replies

  • Just read an article about the loopback address here: http://www.technoxx.com/127.0.0.1.html and I wonder why this is opened now. A few weeks ago it wasn't. How can this happen if I don't use anything for troubleshooting? I don't like the word PING and get terrorized by that. Any possible solution to get that closed?
    Will be looking forward for replies
    kind regards,
    RR
    11 August 2009 19:26
  • Tried to disable it by going through this reg entry: remoteAccess\interfaces\0\Enabled. It was set to 1, then I set it to 0, but no success; it still remains opened when I'm connected...¬¬
    Still waiting for some support and am guessing that is where I get pings from...
    Regards,
    RR
    11 August 2009 21:06
  • I don't know if I changed anything, but what I know is that my internet is incredibly faster, really fast, even more than it used to be. Maybe I was being aimed by the loopback interface, is that possible? Could that congest the traffic or make it a bit slower? What I figure is that it might be something on demand that opens the loopback thing...
    Sorry about spamming the forum, guys. If I'm going beyond what I should, let me know and warn me, OK?
    Kind regards,
    RR
    11 August 2009 21:33
  • This port should be closed. You can run the following command to check.

    netstat -an

    The UDP port 127.0.0.1:62656 should not be listed.

    However, if it is shown as active, you may run the following command to check which program is using this port.

    netstat -o

    The port may be enabled by this program.

    If you want to disable this port, please add a rule in your firewall. Windows Firewall is the built-in firewall.

    1. Launch Windows Firewall.
    2. In the left pane, click Advanced settings. 
    3. Right-click on Inbound Rules, choose New Rule.
    4. Choose Port.
    5. Specify the port. It should be UDP port 62656.
    6. Select Block the connection.
    7. Choose all the three profiles.
    8. Name this rule.
    9. Finish.

    You may then create such a rule in Outbound Rules.


    Arthur Xie - MSFT
    13 August 2009 9:11
  • Hi Arthur Xie, really appreciate your feedback!!!

    And yeah, that is a problem. I think IE8 is opening that port, and the bad thing is that port is not opened while connections are established, so I can't run netstat -o because it shows like this: UDP    127.0.0.1:62069        *:* so I can't figure out what is running this port. I already blocked all ports above 1024 up to 65535, and in the Windows registry I added an entry maxuserport=5000. I'm really worried about it and that might be my main problem..=/
    Is there any way to remove that by using the command line or something similar?
    By the way, every time I connect that port is randomized, as you noticed in the first lines =/
    Thanks again and hope further feedback is possible
    Kind regards,
    RR
    13 August 2009 15:07
  • Hi,

    Please try the following command.

    netstat -ano

    You may see the PIDs of the opened UDP ports. From the PID you can determine which programs enable these ports.


    Arthur Xie - MSFT
    14 August 2009 8:25
  • Hi Dear Arthur Xie,
    Nice command and thanks a lot again for the feedback, and it looks like IE is opening that port, check this out:

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
      TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       428
      TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       900
      TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       992
      TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       476
      TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       536
      TCP    xx.xx.xxx.xxx:49177    xxx.xxx.xxx.xx:80      ESTABLISHED     3360
      TCP    [::]:135               [::]:0                 LISTENING       716
      TCP    [::]:49152             [::]:0                 LISTENING       428
      TCP    [::]:49153             [::]:0                 LISTENING       900
      TCP    [::]:49154             [::]:0                 LISTENING       992
      TCP    [::]:49155             [::]:0                 LISTENING       476
      TCP    [::]:49156             [::]:0                 LISTENING       536
      UDP    0.0.0.0:500            *:*                                    992
      UDP    0.0.0.0:4500           *:*                                    992
      UDP    127.0.0.1:52880        *:*                                    3360
      UDP    [::]:500               *:*                                    992
      UDP    [::]:4500              *:*                                    992

    By that, my guess is you the specialist might know how to close it, which makes me feel relieved! :D

    Thanks again for the feedback,
    Kind regards,
    RR

    14 August 2009 15:21
  • Hi
    If you are interested in what's going on with your network, I have written a utility (Tillynet) which is free to anyone, although it's still a beta, which shows various network commands at the click of a button. I have tested it on Windows 7 and I know it works. After you have clicked get info it gives tabs on the window that show ipconfig, netstat, tasklist, tasklist services and route. Just run it and click the getinfo button and you can see what is connecting at that instant in time. If you want to give it a go, download it from www.tillythecat.co.uk. Please don't hit the website too hard as it's still under construction and I have limited bandwidth. There is an email address given in the setup so you can let me know if it's OK and if there are any improvements you suggest. Please remember I am not a commercial software developer as I do not sell anything; it's all free.
    all the best
    malc
    14 August 2009 19:18
  • Hi mein,
    I really appreciate your big help, but I already use Process Explorer and am happy with it. But I really need to know how to finish closing all the things getting in my way; not that I'm an easy target, but as much as I can cut things out I might be doing so ¬¬
    But thanks for the link. I won't click on that because you messed with the paranoia man, so I will hardly ever be visiting unknown web sites unless I'm at least 99% sure of where I'm heading (please don't get me wrong, it's just a precaution)!!
    Now I will be waiting for Arthur Xie's reply!
    Best regards,
    RR
    14 August 2009 19:59
  • Hi
    The connection is to the loopback connector. It is not going anywhere as far as I know. I also have UDP connections in Vista to ports in this range from iexplore.exe. The loopback connector is the local machine; it is used to check that the network connection is OK. If you ping 127.0.0.1 it just goes to the network card and returns. I have not found a reason why iexplore.exe needs to do this or indeed open a port for it. Good information on ports can be got from www.grc.com, and they have an excellent utility that I use to test firewalls called Shields Up. I know you do not like clicking links, so I am asking for other users to verify that GRC is OK for curious kat to check his ports. If you want to close this port for access (even though it's not going anywhere and it may upset Internet Explorer), then I suggest that you do it in advanced Windows Firewall as described above. You can use the wizard and specify that the port is not to be used in both incoming and outgoing connections.
    All the best
    malc
    PS: I can understand you do not want to visit my site as I am always careful, but it only contains the Tillynet software and some software specially written for people who maintain System X digital telephone exchanges.
    14 August 2009 20:38
  • Hi Malcp, I knew you wouldn't take that as too personal a thing, which makes me feel better :D. Speaking of ping testing, that name "ping" just makes me go nuts just by reading it. I had big hard times in the past and I sorta feel uncomfortable with those things opened, considering I'm a 24 hrs target. About GRC, I already visited that site months ago, not sure if I remember, but that site is kind of confusing, ain't that? I mean not too organized, eyes got tired at some point lol, but I might as well visit that later and see if I can find sum goodies ^^. But I really feel like there must be some way from the registry, more specifically in the Internet Settings key set, for closing that!
    At least I hope hehe, or even via command line...

    Kind regards,
    RR
    14 August 2009 20:57
  • Hi again
    Sometimes internet programs like Internet Explorer need to use other services on the local machine to perform their functions. They can use the loopback connector to do this, as any traffic sent to 127.0.0.1 comes straight back to your machine. It could be a plug-in of Internet Explorer or Internet Explorer itself. Try going into Manage Add-ons in the Tools menu of Internet Explorer and disable all the add-ons to see if it disappears. You can also run Internet Explorer add-on free by right-clicking its entry in the Start button and choosing to run Internet Explorer add-on free.
    malc
    • Proposed as Answer by malcp 14 August 2009 21:00
    14 August 2009 20:59
  • Hi Malcp :D,
    Good call man, but unfortunately it didn't work, so I decided to check when exactly this happens (shoulda done that even b4 posting but...), and I realized that only when I have connections established or opened does the loopback open that port, but as soon as no connections remain opened the port gets closed, which is weird and enforces the thesis that it's only for IE checking, or it could be the modem opening it, which I don't 100% believe, but you never know!!!
    Either way I don't like that opened even if it shows no danger. AHHHHHHH things like that freak me out, prolly cause I'm never 100% sure I'm safe lol, not really but dunno, something makes me wonder always!!!!
    Urgent help plix pl0x ^^
    Kind regards,
    RR
    PS: thanks dude for clearing things out even more...

    14 August 2009 22:18
  • Hi
    As this address goes nowhere other than your local computer, opening a port to it should not cause any problems, as it is not going out to the big wide internet or connecting to the internet. Do you have a private network connected to your computer? It could be the way Internet Explorer checks for an intranet as opposed to the internet. It could also be the way IE checks the hosts file located at %windir%\system32\drivers\etc\hosts.
    If you have a look at this, the default unaltered hosts file should be as follows.

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost
    ::1             localhost

    In the same directory there is also a file called services. If you look at this in Notepad you can see there are a lot of services that can be accessed via the local host. If yours is not listed then I suspect it is an add-on that is accessing its service. Are you running an antivirus program that checks the websites you visit? It may be IE8 doing its checks. As I have said before, this IP address does not leave your machine. If you are still concerned then block the port as above in Windows Firewall, but I think this may affect your browsing.
    malc.

    15 August 2009 9:52
  • Hi man,
    Nice piece of info, and in addition to that I found other host files which I would like to share later with you, and you guys can analyze the lines to see if something's wrong!
    What I can comment now is that these lines:
    127.0.0.1       localhost
    ::1             localhost

    are commented out in my hosts file like this "#", with that symbol before those values!!!

    I also found some weird host files which I suspect are from WinPcap, some leftovers after uninstalling (PS: could not restore to an earlier point so had to uninstall)!!!

    Best regards,
    RR
    15 August 2009 16:34
  • Hi again
    I have done some research into this, and ports in this range are dynamic ports, that is, they appear to be opened, used and closed. That is why you are seeing different values for the port number in the tasklist command. I have found that various apps use this method of communication with the local host, including wmplayer and Internet Connection Sharing. As the listening app in your case is iexplore.exe, this would indicate that it is legitimate.
    On my Windows 7 machine, which is running in a virtual PC, the following are observed:
    127.0.0.1:50806 this is sidebar
    127.0.0.1:57876 this is svchost, which my program shows as the services FDResPub, SSDPSRV, upnphost
    127.0.0.1:64125 which is iexplore.exe
    All these are legitimate.
    When I checked on my Vista PC, 127.0.0.1 also had ports open and they were also legitimate.
    This is a way apps can communicate with the local host, which is your computer.
    You have to put out of your mind that the open port on 127.0.0.1 is open to the internet, because it's not.
    It is only open within your computer and it's iexplore.exe that is listening to it.
    Your computer is at one end of the conversation and iexplore.exe on your computer is at the other end. Nothing sinister about that.
    malc
    15 August 2009 16:41
  • Hello
    They are commented out on my Windows 7 PC as well. The ones above are from my Vista PC, which are not commented out.
    Sorry for the confusion
    malc
    15 August 2009 16:55
  • Hi Malc,
    Thanks for the fast reply as usual and thanks for the efforts in helping me out, really appreciate that. And yeah, I think now I might chill out a bit about that, as I read your last post and it makes much sense to me, but just in case you later on or anybody can add some comment, my eyes will be wide open to read those carefully!!!
    In addition to that I'll post later all the host files such as:
    services, lmhosts.sam, networks and protocol!

    I was wondering if I can exclude some protocols from those files, like ICMP and those ports 7 (echo) etc., or are they just informative stuff and they don't change anything on my system?

    Thanks in advance dude
    Kind regards,
    RR
    15 August 2009 16:59
  • Hello
    I wouldn't go altering any of these files as they are all there for a reason. The one that can alter your connections is the hosts file itself, and yours seems perfectly OK. The protocols file lists all the protocols that can be used in various forms of transmission and I would leave it well alone. My networks file does not have a lot in it, and what it has is commented out apart from loopback, but that may be different on Windows 7; it may be commented out. My lmhosts.sam entries are all commented out on my Vista system. The services file contains port numbers for well-known services and I would also leave this well alone.
    all the best malc
    15 August 2009 18:38
  • Hi Malcp,
    Taking advantage of your kindness and feeling like my proxy thread won't be answered, I would like to ask you if you'd happen to know any free proxy server with an account password thing and, by the way, with a valid certificate, coz none of the ones I've tried had a trusted cert ¬¬
    Will be looking forward for answers!
    kind regards,
    RR
    15 August 2009 20:26
  • Hi
    I can't help you with that one as I don't use proxy servers
    sorry
    malc
    16 August 2009 14:22
  • Hi,

    UDP  127.0.0.1:62656   *:*  is not in the list. The result of netstat -ano includes all opened ports. Maybe it was not opened at that time.

    In Windows, ports are enabled by programs. All ports should be accessible. If some programs enable ports which you would not like to be active, you may need to change related settings, or change related Registry entries to modify which ports are used by the programs. If you would like to prevent a program or a network access from accessing some specified ports, you need to work with the help of firewall programs.

    Therefore, I suggested that you create policies in Windows Firewall. Also, we are trying to find out which program opened this port so we can change something for the program.


    Arthur Xie - MSFT
    17 August 2009 6:53
  • Hi Arthur Xie,
    Again, I appreciate your help, and yeah, I really want to change the behavior of the program which is opening that port, so I will do what it takes to give you more information. I already posted the netstat -ano as you see above, so what else do I need to do to get you more information about this?
    I can even post registry entries and other stuff so you guys can have more detailed information about it!!!!
    I believe the modem is opening that port, because when I open IE8 not connected to the internet that port doesn't open.....
    Any help is appreciated!!
    Kind regards,
    RR

    PS: I already blocked that port in Windows Firewall, but if possible I would like to close that as well.
    17 August 2009 21:05
  • Hi,

    So we need to find which program will use this port. Did you disable this port in Windows Firewall? If so, I suggest that you remove the policies in Windows Firewall and track the status of the port with the command netstat -ano.

    Once you find the PID that enables UDP 63356 or some other specified ports, you may use the command tasklist to check information regarding that PID.

    If the program is a system program, such as IE, I suggest that you enter the following command:

    tasklist /m > %userprofile%\Desktop\task.txt

    Then open the file task.txt from Desktop. You can view the information on the modules loaded by each process.

    The above information will help us to determine which program or module enables that port.

    Another utility that can be helpful is Network Monitor. In the case that when you access a website the port is enabled, we can use this tool to capture the trace to find this action.

    Network Monitor How To ... 

    You may save the result file to the SkyDrive of your Live Space.


    Arthur Xie - MSFT
    18 August 2009 4:34
  • Hi Arthur Xie,
    Thanks a lot for replying to my thread. I tried to run that command and all I get is:
    The system cannot find the path specified.
    Tried a couple of other ways but it didn't work; put the name of my current user profile and tried to change the path to Documents, but still no success =/
    I'll look for the monitoring tool while you check this post!!
    Thanks in advance,
    RR

    PS: I already posted the netstat -ano results but I think you didn't see it, and just in case I'll put it here again:

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
      TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       428
      TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       900
      TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       992
      TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       476
      TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       536
      TCP    xx.xx.xxx.xxx:49177    xxx.xxx.xxx.xx:80      ESTABLISHED     3360
      TCP    [::]:135               [::]:0                 LISTENING       716
      TCP    [::]:49152             [::]:0                 LISTENING       428
      TCP    [::]:49153             [::]:0                 LISTENING       900
      TCP    [::]:49154             [::]:0                 LISTENING       992
      TCP    [::]:49155             [::]:0                 LISTENING       476
      TCP    [::]:49156             [::]:0                 LISTENING       536
      UDP    0.0.0.0:500            *:*                                    992
      UDP    0.0.0.0:4500           *:*                                    992
      UDP    127.0.0.1:52880        *:*                                    3360
      UDP    [::]:500               *:*                                    992
      UDP    [::]:4500              *:*                                    992

    18 August 2009 14:51
  • Hi
    The port is a dynamic port and is closed when the app is finished with it. When the app needs to access the local machine the next time, it may use another dynamic port. That is why you are not seeing the port appear again. You established previously that the app was iexplore.exe. This would be a genuine user of the port. Each time iexplore.exe requires to communicate with the local machine it will open a dynamic port, which may not be the same as the one it used last time. This is happening all the time with various apps and is quite legitimate. With dynamic ports the port is not tied to an app forever.
    malc.
    18 August 2009 15:55
  • Hi
    Dynamic ports are in the range 49152 to 65535 and these will not be permanently registered with an app but will be allocated for an instance.
    malc
    18 August 2009 16:02
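
The `netstat -ano` to `tasklist` lookup suggested earlier in the thread, together with the loopback and dynamic-port points made in the replies above, as an added example that is not part of any post. The netstat sample is a subset of the output posted in this thread; the `tasklist /fo csv /nh` sample and all function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Dynamic port range quoted in the thread (49152 to 65535).
DYNAMIC_PORTS = range(49152, 65536)

# Subset of the `netstat -ano` output posted in this thread (addresses already masked).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    xx.xx.xxx.xxx:49177    xxx.xxx.xxx.xx:80      ESTABLISHED     3360
  TCP    [::]:49152             [::]:0                 LISTENING       428
  UDP    0.0.0.0:500            *:*                                    992
  UDP    127.0.0.1:52880        *:*                                    3360
  UDP    [::]:4500              *:*                                    992
"""

# Constructed `tasklist /fo csv /nh` output; the image names are assumptions.
TASKLIST_SAMPLE = '''\
"svchost.exe","716","Services","0","6,120 K"
"svchost.exe","992","Services","0","24,300 K"
"iexplore.exe","3360","Console","1","58,764 K"
'''


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6]:port' into (addr, port); port is None for '*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None


def bind_scope(addr):
    """Classify how far a local bind address can be reached."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return "unknown"            # masked or otherwise unparsable address
    if ip.is_loopback:
        return "loopback-only"      # 127.0.0.0/8 or ::1, never leaves the host
    if ip.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 or ::, reachable subject to firewall
    return "single-interface"


def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        # UDP rows have no State column: 4 fields instead of 5.
        state = f[3] if len(f) == 5 else ""
        addr, port = split_endpoint(f[1])
        yield {"proto": f[0], "addr": addr, "port": port,
               "state": state, "pid": int(f[-1])}


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text))
            if len(r) >= 2 and r[1].isdigit()}


def listeners(netstat_text, tasklist_text):
    """Return listening TCP sockets and bound UDP sockets with owner and scope."""
    names = parse_tasklist_csv(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue                # established connections are not listeners
        out.append({
            "proto": r["proto"], "addr": r["addr"], "port": r["port"],
            "pid": r["pid"],
            "image": names.get(r["pid"]),          # None if the PID is unknown
            "scope": bind_scope(r["addr"]),
            "dynamic": r["port"] in DYNAMIC_PORTS,
        })
    return out


def reachable_off_host(rows):
    """Keep only sockets that are not bound to loopback."""
    return [r for r in rows if r["scope"] != "loopback-only"]


if __name__ == "__main__":
    for r in listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{r["proto"]} {r["addr"]}:{r["port"]} pid={r["pid"]} '
              f'image={r["image"] or "?"} scope={r["scope"]} dynamic={r["dynamic"]}')
```

On a live system the two inputs would be the captured text of `netstat -ano` and `tasklist /fo csv /nh` taken at the same moment, since dynamic ports and PIDs change between runs.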
  • Malcp: thanks for the input and yes, the app opens ports randomly indeed!!

    Arthur Xie: I read the how-to resource you provided me and I found it quite a bit confusing. I was in doubt if I had that tool by adding a feature in Add and Remove Programs, which I don't believe, but I think I can install that with no problems, so I found this link http://support.microsoft.com/kb/955998/en-us/ and wonder if that is the tool to be used. If so, should I install that in compatibility mode (Vista)?

    I also briefly read about it, and some recommendation was saying that users should use this tool only for a short period of time so it doesn't retain too much data, and some other reasons relative to internet speed I think (don't remember). Is that true? Also, I wonder if permanently using this tool will make my network vulnerable, or is this tool only intended for troubleshooting purposes?

    Thanks in advance and will be looking forward!
    Best regards,
    RR
    18 August 2009 19:00
  • latest netstat -ano:


    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
    TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       416
    TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       876
    TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1004
    TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       472
    TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       532
    TCP    xx.xx.xxx.xx:49321     xxx.xxx.xxx.xx:80      ESTABLISHED     604
    TCP    [::]:135               [::]:0                 LISTENING       708
    TCP    [::]:49152             [::]:0                 LISTENING       416
    TCP    [::]:49153             [::]:0                 LISTENING       876
    TCP    [::]:49154             [::]:0                 LISTENING       1004
    TCP    [::]:49155             [::]:0                 LISTENING       472
    TCP    [::]:49156             [::]:0                 LISTENING       532
    UDP    0.0.0.0:500            *:*                                    1004
    UDP    0.0.0.0:4500           *:*                                    1004
    UDP    127.0.0.1:59399        *:*                                    604
    UDP    [::]:500               *:*                                    1004
    UDP    [::]:4500              *:*                                    1004

    Replaced the IPs with "X" for my security!

    Regards,
    RR
    18 August 2009 19:04
  • UPDATE: I tried to install only by running the application as administrator but no success. It asked me to click Yes to proceed and would never start installing. I forgot to install in compatibility mode; don't know if that's why it didn't work....
    Downloaded the Network Monitor 3.3

    Best regards,
    RR
    18 August 2009 21:00
  • Hi,

    Sorry for the delay.

    The problematic PID is 604. Are you sure that it is the IE process? You may run Task Manager to confirm. The command tasklist will also be helpful.

    The article I provided for Network Monitor may not be for our test. Network Monitor 3.3 is the best tool. The following steps introduce how to capture data. You need to restart after installing Network Monitor 3.3.

    1) Launch NetMon3.3.
    2) In the Microsoft Network Monitor 3.3 window, click Create a new capture tab …
    3) In the new tab, select all the Network Adapters in the Select Networks window.
    4) Go to sync time page. Then, switch to Network Monitor, press F5 to start NetMon.
    5) Try to sync time.
    6) Go back to the NetMon window and press F7 to stop the NetMon.
    7) Press Ctrl+S to save the Netmon file named test.

    Since the network trace contains your IP information, please submit it in the following network space.

    Transfer Files 
    Upload password is zHMiOioS7lZx-YC

    Please note the password can include "Space", so please do not leave a space at the end.


    Arthur Xie - MSFT
    24 August 2009 4:05
  • Hi Arthur, thanks for replying, and I completely understand why the delay, knowing you guys have a lot of stuff to do!!
    But I'm going to try again to install NetMon 3.3. I couldn't install it the first time; the installation simply wouldn't proceed after clicking Yes. My guess is that something must be missing!!!
    But I'll try to install again, and I may confess I'm a little anxious since many issues started happening to my PC, even networking issues, in the last 2 days!!
    Appreciate your attention!!!
    kind regards,
    RR
    24 August 2009 17:59
  • Hi,

    Is NM3.3 installed properly?

    If we still have trouble with installing the tool, you may try another way to find the root cause. In Windows Firewall, create the rules to block the dynamic UDP ports  49152 to 65535. Then after one day or two, check the following event logs:

    Microsoft/Windows/Windows Firewall With Advanced Security/Connectionsecurity
    Microsoft/Windows/Windows Firewall With Advanced Security/ConnectionsecurityVerbose

    Good luck!


    Arthur Xie - MSFT
    27 August 2009 9:14
  • Hello Arthur Xie,

    I have noticed this file in the library folder and am wondering if this is from the command line I typed as recommended to see what processes my modem was using or what processes were opening those dynamic ports.
    The file reads like this:


    Image Name                     PID Modules                                    
    ========================= ======== ============================================
    System Idle Process              0 N/A                                        
    System                           4 N/A                                        
    smss.exe                       276 N/A                                        
    csrss.exe                      364 N/A                                        
    wininit.exe                    416 N/A                                        
    csrss.exe                      428 N/A                                        
    services.exe                   472 N/A                                        
    winlogon.exe                   504 N/A                                        
    lsass.exe                      532 N/A                                        
    lsm.exe                        540 N/A                                        
    svchost.exe                    636 N/A                                        
    svchost.exe                    708 N/A                                        
    MsMpEng.exe                    776 N/A                                        
    svchost.exe                    876 N/A                                        
    svchost.exe                    932 N/A                                        
    svchost.exe                   1004 N/A                                        
    svchost.exe                   1132 N/A                                        
    svchost.exe                   1228 N/A                                        
    svchost.exe                   1328 N/A                                        
    SearchIndexer.exe              316 N/A                                        
    taskhost.exe                  1304 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       msvcrt.dll, ole32.dll, GDI32.dll,          
                                       USER32.dll, LPK.dll, USP10.dll, RPCRT4.dll,
                                       OLEAUT32.dll, IMM32.DLL, MSCTF.dll,        
                                       CRYPTBASE.dll, sechost.dll, ADVAPI32.dll,  
                                       uxtheme.dll, dwmapi.dll, dimsjob.dll,      
                                       SHLWAPI.dll, taskschd.dll, SspiCli.dll,    
                                       netprofm.dll, NSI.dll, nlaapi.dll,         
                                       CRYPTSP.dll, rsaenh.dll, RpcRtRemote.dll,  
                                       npmproxy.dll, PlaySndSrv.dll,              
                                       MsCtfMonitor.dll, MSUTB.dll, WINSTA.dll,   
                                       WTSAPI32.dll, HotStartUserAgent.dll,       
                                       slc.dll, WINMM.dll                         
    dwm.exe                        852 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       GDI32.dll, USER32.dll, LPK.dll, USP10.dll, 
                                       msvcrt.dll, UxTheme.dll, IMM32.dll,        
                                       MSCTF.dll, dwmredir.dll, dwmcore.dll,      
                                       ADVAPI32.dll, sechost.dll, RPCRT4.dll,     
                                       WindowsCodecs.dll, ole32.dll, d3d10_1.dll, 
                                       d3d10_1core.dll, dxgi.dll, VERSION.dll,    
                                       dwmapi.dll, WINTRUST.dll, CRYPT32.dll,     
                                       MSASN1.dll, D3D10Level9.dll, igdumd32.dll, 
                                       uDWM.dll, slc.dll                          
    explorer.exe                  1796 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       ADVAPI32.dll, msvcrt.dll, sechost.dll,     
                                       RPCRT4.dll, GDI32.dll, USER32.dll, LPK.dll,
                                       USP10.dll, SHLWAPI.dll, SHELL32.dll,       
                                       ole32.dll, OLEAUT32.dll, EXPLORERFRAME.dll,
                                       DUser.dll, DUI70.dll, IMM32.dll, MSCTF.dll,
                                       UxTheme.dll, POWRPROF.dll, SETUPAPI.dll,   
                                       CFGMGR32.dll, DEVOBJ.dll, dwmapi.dll,      
                                       slc.dll, gdiplus.dll, Secur32.dll,         
                                       SSPICLI.DLL, PROPSYS.dll, CRYPTBASE.dll,   
                                       comctl32.dll, WindowsCodecs.dll,           
                                       profapi.dll, apphelp.dll, EhStorShell.dll, 
                                       cscui.dll, CSCDLL.dll, CSCAPI.dll,         
                                       ntshrui.dll, srvcli.dll,                   
                                       IconCodecService.dll, CRYPTSP.dll,         
                                       rsaenh.dll, RpcRtRemote.dll, SndVolSSO.DLL,
                                       HID.DLL, MMDevApi.dll, timedate.cpl,       
                                       ATL.DLL, actxprxy.dll, ntmarta.dll,        
                                       WLDAP32.dll, shdocvw.dll, LINKINFO.dll,    
                                       msiltcfg.dll, VERSION.dll, msi.dll,        
                                       msutb.dll, USERENV.dll, SAMLIB.dll,        
                                       MsftEdit.dll, msls31.dll, authui.dll,      
                                       CRYPTUI.dll, CRYPT32.dll, MSASN1.dll,      
                                       urlmon.dll, iertutil.dll, gameux.dll,      
                                       XmlLite.dll, wer.dll, PSAPI.DLL, WINMM.dll,
                                       serwvdrv.dll, umdmxfrm.dll, wdmaud.drv,    
                                       ksuser.dll, AVRT.dll, AUDIOSES.DLL,        
                                       msacm32.drv, MSACM32.dll, midimap.dll,     
                                       stobject.dll, BatMeter.dll, WINSTA.dll,    
                                       WTSAPI32.dll, WINTRUST.dll, es.dll,        
                                       prnfldr.dll, WINSPOOL.DRV, dxp.dll,        
                                       Syncreg.dll, netshell.dll, IPHLPAPI.DLL,   
                                       NSI.dll, WINNSI.DLL, nlaapi.dll,           
                                       AltTab.dll, wpdshserviceobj.dll,           
                                       PortableDeviceTypes.dll,                   
                                       PortableDeviceApi.dll, mssprxy.dll,        
                                       pnidui.dll, QUtil.dll, wevtapi.dll,        
                                       dhcpcsvc.DLL, WS2_32.dll, dhcpcsvc6.DLL,   
                                       credssp.dll, npmproxy.dll, srchadmin.dll,  
                                       SXS.DLL, webcheck.dll, IEFRAME.dll,        
                                       OLEACC.dll, MLANG.dll, SyncCenter.dll,     
                                       Actioncenter.dll, imapi2.dll, hgcpl.dll,   
                                       provsvc.dll, wkscli.dll, netjoin.dll,      
                                       netutils.dll, Wlanapi.dll, wlanutil.dll,   
                                       wwanapi.dll, wwapi.dll, QAgent.dll,        
                                       bthprops.cpl, wscinterop.dll, WSCAPI.dll,  
                                       wscui.cpl, werconcpl.dll, framedynos.dll,  
                                       wercplsupport.dll, msxml6.dll,             
                                       hcproviders.dll, ieproxy.dll,              
                                       UIAnimation.dll, DEVRTL.dll, MPR.dll,      
                                       drprov.dll, davclnt.dll, DAVHLPR.dll,      
                                       StructuredQuery.dll, SearchFolder.dll,     
                                       NaturalLanguage6.dll, NetworkExplorer.dll  
    msseces.exe                   1900 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       msvcrt.dll, WINTRUST.dll, CRYPT32.dll,     
                                       MSASN1.dll, RPCRT4.dll, WININET.dll,       
                                       SHLWAPI.dll, GDI32.dll, USER32.dll,        
                                       LPK.dll, USP10.dll, ADVAPI32.dll,          
                                       sechost.dll, Normaliz.dll, urlmon.dll,     
                                       ole32.dll, OLEAUT32.dll, iertutil.dll,     
                                       SHELL32.dll, gdiplus.dll, COMCTL32.dll,    
                                       VERSION.dll, IMM32.DLL, MSCTF.dll,         
                                       uxtheme.dll, CRYPTSP.dll, rsaenh.dll,      
                                       CRYPTBASE.dll, imagehlp.dll, ncrypt.dll,   
                                       bcrypt.dll, bcryptprimitives.dll,          
                                       USERENV.dll, profapi.dll, GPAPI.dll,       
                                       MpClient.Dll, MSFTEDIT.DLL,                
                                       WindowsCodecs.dll, dwmapi.dll, wuapi.dll,  
                                       Cabinet.dll, RpcRtRemote.dll, wups.dll,    
                                       SXS.DLL                                    
    igfxtray.exe                  1092 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       hccutils.DLL, USER32.dll, GDI32.dll,       
                                       LPK.dll, USP10.dll, msvcrt.dll,            
                                       ADVAPI32.dll, sechost.dll, RPCRT4.dll,     
                                       ole32.dll, OLEAUT32.dll, SHELL32.dll,      
                                       SHLWAPI.dll, IMM32.DLL, MSCTF.dll,         
                                       CRYPTBASE.dll, uxtheme.dll, dwmapi.dll,    
                                       CRYPTSP.dll, rsaenh.dll, RpcRtRemote.dll,  
                                       igfxsrvc.dll, igfxrPTB.lrc, igfxress.dll   
    hkcmd.exe                      872 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       hccutils.DLL, USER32.dll, GDI32.dll,       
                                       LPK.dll, USP10.dll, msvcrt.dll,            
                                       ADVAPI32.dll, sechost.dll, RPCRT4.dll,     
                                       ole32.dll, OLEAUT32.dll, SHELL32.dll,      
                                       SHLWAPI.dll, IMM32.DLL, MSCTF.dll,         
                                       CRYPTBASE.dll, uxtheme.dll, CRYPTSP.dll,   
                                       rsaenh.dll, RpcRtRemote.dll, igfxsrvc.dll, 
                                       dwmapi.dll, igfxrPTB.lrc                   
    igfxpers.exe                  1196 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       POWRPROF.dll, msvcrt.dll, RPCRT4.dll,      
                                       SETUPAPI.dll, CFGMGR32.dll, ADVAPI32.dll,  
                                       sechost.dll, GDI32.dll, USER32.dll,        
                                       LPK.dll, USP10.dll, OLEAUT32.dll,          
                                       ole32.dll, DEVOBJ.dll, SHELL32.dll,        
                                       SHLWAPI.dll, IMM32.DLL, MSCTF.dll,         
                                       CRYPTBASE.dll, uxtheme.dll, CRYPTSP.dll,   
                                       rsaenh.dll, RpcRtRemote.dll, igfxsrvc.dll, 
                                       dwmapi.dll, wtsapi32.dll, WINSTA.dll       
    igfxsrvc.exe                  1812 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       USER32.dll, GDI32.dll, LPK.dll, USP10.dll, 
                                       msvcrt.dll, ADVAPI32.dll, sechost.dll,     
                                       RPCRT4.dll, ole32.dll, OLEAUT32.dll,       
                                       IMM32.DLL, MSCTF.dll, CRYPTBASE.dll,       
                                       uxtheme.dll, CRYPTSP.dll, rsaenh.dll,      
                                       RpcRtRemote.dll, igfxsrvc.dll, igfxdev.dll,
                                       dxgi.dll, VERSION.dll, dwmapi.dll,         
                                       ntmarta.dll, WLDAP32.dll                   
    06 October 2009 21:36
  • It continues:

    MyModem.exe                  2452 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       Container.dll, MFC71U.DLL, MSVCR71.dll,    
                                       GDI32.dll, USER32.dll, LPK.dll, USP10.dll, 
                                       msvcrt.dll, SHLWAPI.dll, MSVCP71.dll,      
                                       isaputrace.dll, SkinMagicU.dll,            
                                       ADVAPI32.dll, sechost.dll, RPCRT4.dll,     
                                       SHELL32.dll, imagehlp.dll, COMCTL32.dll,   
                                       IMM32.DLL, MSCTF.dll, uxtheme.dll,         
                                       WINTRUST.dll, CRYPT32.dll, MSASN1.dll,     
                                       DeviceMgrPlugin.dll, DialupUIPlugin.dll,   
                                       gdiplus.dll, ole32.dll, NetInfoPlugin.dll, 
                                       iphlpapi.dll, NSI.dll, WINNSI.DLL,         
                                       RASAPI32.dll, rasman.dll, WS2_32.dll,      
                                       NetConnectPlugin.dll, DialUpPlugin.dll,    
                                       SETUPAPI.dll, CFGMGR32.dll, OLEAUT32.dll,  
                                       DEVOBJ.dll, TracePlugin.dll, rtutils.dll,  
                                       DetectDev.dll, atcomm.dll, XCodec.dll,     
                                       CRYPTBASE.dll, DeviceOperate.dll,          
                                       ConfigFilePlugin.dll,                      
                                       NetInfoUIExPlugin.dll, XFramePlugin.dll,   
                                       PSAPI.DLL, dwmapi.dll,                     
                                       DeviceMgrUIPlugin.dll, LocaleMgrPlugin.dll,
                                       MenuMgrPlugin.dll, ToolBarMgrPlugin.dll,   
                                       StatusBarMgrPlugin.dll, WindowsCodecs.dll, 
                                       LayoutPlugin.dll, SkinMagicExU.dll,        
                                       comctl32.DLL, SMSUIPlugin.dll, WINMM.dll,  
                                       AddrBookPlugin.dll, FileManager.dll,       
                                       SMSPlugin.dll, NotifyServicePlugin.dll,    
                                       profapi.dll, dsrole.dll, wkscli.dll,       
                                       TAPI32.dll, SspiCli.dll, CRYPTSP.dll,      
                                       rsaenh.dll                                 
    iexplore.exe                  2784 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       ADVAPI32.dll, msvcrt.dll, sechost.dll,     
                                       RPCRT4.dll, USER32.dll, GDI32.dll, LPK.dll,
                                       USP10.dll, SHLWAPI.dll, SHELL32.dll,       
                                       ole32.dll, iertutil.dll, urlmon.dll,       
                                       OLEAUT32.dll, CRYPT32.dll, MSASN1.dll,     
                                       IMM32.DLL, MSCTF.dll, IEFRAME.dll,         
                                       CRYPTSP.dll, PSAPI.DLL, OLEACC.dll,        
                                       comctl32.dll, WININET.dll, Normaliz.dll,   
                                       SspiCli.dll, profapi.dll, ntmarta.dll,     
                                       WLDAP32.dll, ws2_32.DLL, NSI.dll,          
                                       dnsapi.DLL, iphlpapi.DLL, WINNSI.DLL,      
                                       CRYPTBASE.dll, rsaenh.dll, RpcRtRemote.dll,
                                       comdlg32.dll, uxtheme.dll, Wpc.dll,        
                                       USERENV.dll, wevtapi.dll, samcli.dll,      
                                       SAMLIB.dll, netutils.dll, dwmapi.dll,      
                                       apphelp.dll, mshtml.dll, msls31.dll,       
                                       VERSION.dll, RASAPI32.dll, rasman.dll,     
                                       rtutils.dll, NLAapi.dll, rasadhlp.dll,     
                                       IEUI.dll, MSIMG32.dll, ieproxy.dll,        
                                       propsys.dll, mssprxy.dll, xmllite.dll,     
                                       explorerframe.dll, DUser.dll, DUI70.dll,   
                                       msfeeds.dll, SXS.DLL, MLANG.dll,           
                                       SETUPAPI.dll, CFGMGR32.dll, DEVOBJ.dll     
    iexplore.exe                  2824 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       ADVAPI32.dll, msvcrt.dll, sechost.dll,     
                                       RPCRT4.dll, USER32.dll, GDI32.dll, LPK.dll,
                                       USP10.dll, SHLWAPI.dll, SHELL32.dll,       
                                       ole32.dll, iertutil.dll, urlmon.dll,       
                                       OLEAUT32.dll, CRYPT32.dll, MSASN1.dll,     
                                       IMM32.DLL, MSCTF.dll, IEFRAME.dll,         
                                       CRYPTSP.dll, PSAPI.DLL, OLEACC.dll,        
                                       comctl32.dll, comdlg32.dll, IEShims.dll,   
                                       CRYPTBASE.dll, uxtheme.dll, WININET.dll,   
                                       Normaliz.dll, SspiCli.dll, profapi.dll,    
                                       ws2_32.DLL, NSI.dll, dnsapi.DLL,           
                                       iphlpapi.DLL, WINNSI.DLL, RpcRtRemote.dll, 
                                       dwmapi.dll, propsys.dll, ntmarta.dll,      
                                       WLDAP32.dll, SETUPAPI.dll, CFGMGR32.dll,   
                                       DEVOBJ.dll, rsaenh.dll, ieproxy.dll,       
                                       apphelp.dll, MLANG.dll, mshtml.dll,        
                                       msls31.dll, VERSION.dll, ieapfltr.dll,     
                                       Secur32.dll, SXS.DLL, ImgUtil.dll,         
                                       jscript.dll, msimtf.dll, pngfilt.dll,      
                                       msimg32.dll, RASAPI32.dll, rasman.dll,     
                                       rtutils.dll, NLAapi.dll, rasadhlp.dll,     
                                       WINMM.dll, MMDevAPI.DLL, serwvdrv.dll,     
                                       umdmxfrm.dll, wdmaud.drv, ksuser.dll,      
                                       AVRT.dll, dsrole.dll, AUDIOSES.DLL,        
                                       peerdist.dll, USERENV.dll, AUTHZ.dll,      
                                       mswsock.dll, wshtcpip.dll, winrnr.dll,     
                                       napinsp.dll, pnrpnsp.dll, sensapi.dll,     
                                       msacm32.drv, MSACM32.dll, midimap.dll,     
                                       msxml3.dll, wintrust.dll, schannel.DLL,    
                                       credssp.dll, ncrypt.dll, bcrypt.dll,       
                                       bcryptprimitives.dll, GPAPI.dll,           
                                       cryptnet.dll, iepeers.dll, WINSPOOL.DRV,   
                                       Dxtrans.dll, ATL.DLL, ddrawex.dll,         
                                       DDRAW.dll, DCIMAN32.dll, igdumd32.dll,     
                                       Dxtmsft.dll, Flash10c.ocx, mscms.dll,      
                                       gdiplus.dll, D3DIM700.DLL, icardie.dll,    
                                       infocardapi.dll, MSVCR80.dll, MSVCP80.dll  
    cmd.exe                       3000 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       msvcrt.dll, WINBRAND.dll, USER32.dll,      
                                       GDI32.dll, LPK.dll, USP10.dll, IMM32.DLL,  
                                       MSCTF.dll, apphelp.dll                     
    conhost.exe                   3008 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       GDI32.dll, USER32.dll, LPK.dll, USP10.dll, 
                                       msvcrt.dll, IMM32.dll, MSCTF.dll,          
                                       ole32.dll, RPCRT4.dll, OLEAUT32.dll,       
                                       uxtheme.dll, dwmapi.dll, ADVAPI32.dll,     
                                       sechost.dll, comctl32.DLL, SHLWAPI.dll,    
                                       CRYPTBASE.dll                              
    FlashUtil10c.exe              3280 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       VERSION.dll, msvcrt.dll, WININET.dll,      
                                       SHLWAPI.dll, GDI32.dll, USER32.dll,        
                                       LPK.dll, USP10.dll, ADVAPI32.dll,          
                                       sechost.dll, RPCRT4.dll, Normaliz.dll,     
                                       urlmon.dll, ole32.dll, OLEAUT32.dll,       
                                       CRYPT32.dll, MSASN1.dll, iertutil.dll,     
                                       SHELL32.dll, IMM32.DLL, MSCTF.dll,         
                                       CRYPTBASE.dll, uxtheme.dll, CRYPTSP.dll,   
                                       rsaenh.dll, RpcRtRemote.dll, SXS.DLL       
    svchost.exe                   3484 N/A                                        
    TrustedInstaller.exe          2364 N/A                                        
    audiodg.exe                   3448 N/A                                        
    tasklist.exe                  3144 ntdll.dll, kernel32.dll, KERNELBASE.dll,   
                                       ADVAPI32.dll, msvcrt.dll, sechost.dll,     
                                       RPCRT4.dll, USER32.dll, GDI32.dll, LPK.dll,
                                       USP10.dll, ole32.dll, VERSION.dll, MPR.dll,
                                       OLEAUT32.dll, Secur32.dll, SSPICLI.DLL,    
                                       WS2_32.dll, NSI.dll, framedynos.dll,       
                                       WTSAPI32.dll, NETAPI32.dll, netutils.dll,  
                                       srvcli.dll, wkscli.dll, dbghelp.dll,       
                                       SHLWAPI.dll, IMM32.DLL, MSCTF.dll,         
                                       CRYPTBASE.dll, wbemprox.dll, wbemcomn.dll, 
                                       Winsta.dll, CRYPTSP.dll, rsaenh.dll,       
                                       RpcRtRemote.dll, wbemsvc.dll, fastprox.dll,
                                       NTDSAPI.dll, wmiutils.dll                  
    WmiPrvSE.exe                  3852 N/A                                        




    Hope this log helps with anything.
    Thanks in advance,
    RR

    06 October 2009 21:36
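The `netstat -ano` to `tasklist /m` correlation suggested in this thread can be done mechanically on saved output. The following is an added example, not code from any poster: both sample outputs, the process names `demoapp.exe` and `browser.exe`, and the `NETWORK_MODULES` heuristic are constructed assumptions.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  UDP    0.0.0.0:50000          *:*                                    2452
  UDP    127.0.0.1:50001        *:*                                    2784
  UDP    [::]:500               *:*                                    1228
"""

# Constructed sample of `tasklist /m` output, wrapped the way the tool prints it.
TASKLIST_SAMPLE = """\
Image Name                     PID Modules
========================= ======== ============================================
svchost.exe                   1228 N/A
demoapp.exe                   2452 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   iphlpapi.dll, WS2_32.dll
browser.exe                   2784 ntdll.dll, kernel32.dll, WININET.dll,
                                   ws2_32.DLL, mswsock.dll
cmd.exe                       3000 ntdll.dll, kernel32.dll, msvcrt.dll
"""

# Assumed heuristic: modules that indicate a process can use the network.
NETWORK_MODULES = {"ws2_32.dll", "mswsock.dll", "wininet.dll", "iphlpapi.dll"}
ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\S.*)$")
UDP = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")

def parse_tasklist(text):
    """Return {pid: (image, [modules] or None)}; None means tasklist printed N/A."""
    rows, pid = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid = int(m.group(2))
            rows[pid] = [m.group(1), m.group(3)]
        elif pid is not None and line.strip() and not line.lstrip().startswith("="):
            rows[pid][1] += " " + line.strip()   # wrapped continuation line
    out = {}
    for pid, (image, mods) in rows.items():
        names = [x.strip() for x in mods.split(",") if x.strip()]
        out[pid] = (image, None if names == ["N/A"] else names)
    return out

def udp_owners(netstat_text, tasklist_text):
    """Join each UDP endpoint from netstat with its owning process by PID."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for line in netstat_text.splitlines():
        m = UDP.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        image, mods = procs.get(pid, ("<not in tasklist>", None))
        report.append({
            "port": port, "pid": pid, "image": image,
            "loopback_only": addr in ("127.0.0.1", "[::1]"),
            "modules_visible": mods is not None,
            "network_modules": sorted(x.lower() for x in (mods or [])
                                      if x.lower() in NETWORK_MODULES),
        })
    return report

if __name__ == "__main__":
    for row in udp_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

The PID from `netstat -ano` is what ties a port to a process; the module list only adds context. A row with `modules_visible` set to false corresponds to an `N/A` entry, which usually means `tasklist` was not run from an elevated prompt.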