svchost.exe -k BITSgroup open port 1269. Is it normal?

Ben

My PC is Win2000 Pro.
I found my PC opened port 1269 to a remote address at port 80 with ESTABLISH
status.
Another process also opened port 1269 for LISTENING.
"svchost.exe -k BITSgroup" opened port 1269. But I don't know which program
loaded that "svchost.exe -k BITSgroup".
Is it a normal situation? How can I trace out which program loaded that
svchost.exe at port 1269?

Also ports 1718, 1720, 1724 are opened via "svchost.exe -k wugroup". Are those
ports opened normally?

Do you have any idea?

I scanned my PC for viruses. Everything seems OK.

Do you know any open source or free firewall?
Or any software to detect what program loads svchost.exe to open a certain
port?

You know, the situation is: If I doubt that port 1269 is a backdoor, I
cannot just simply stop svchost.exe

Thank you for any help

Ben
 
Ben said:
My PC is Win2000 Pro.
I found my PC opened port 1269 to a remote address at port 80 with ESTABLISH
status.
Another process also opened port 1269 for LISTENING.
"svchost.exe -k BITSgroup" opened port 1269. But I don't know which program
loaded that "svchost.exe -k BITSgroup".
Is it a normal situation? How can I trace out which program loaded that
svchost.exe at port 1269?

Also ports 1718, 1720, 1724 are opened via "svchost.exe -k wugroup". Are those
ports opened normally?

Do you have any idea?

I scanned my PC for viruses. Everything seems OK.

Do you know any open source or free firewall?
Or any software to detect what program loads svchost.exe to open a certain
port?

You know, the situation is: If I doubt that port 1269 is a backdoor, I
cannot just simply stop svchost.exe

Thank you for any help

Ben, what did you spend on your computer? A licenced copy of Kerio
only costs $55US, lifetime licence, that is. Included for the first year is
a $22 subscription for free updates.

I've had 12 TCP attacks on c:\winnt\system32\svchost.exe in the last
hour - and Kerio denied all of them. (www.kerio.com)

Network Security->Applications->c:\winnt\system32\svchost.exe
Trusted: IN:deny, OUT:deny
Internet: IN:deny, OUT:deny

I'm not sure I really understand all this stuff in the log, but the
'Remote point' (source of the attacks?) were:


I've had 5 more while I was typing this :)
 
As suggested, be sure to scan your computer for parasites also. TCPView from
Sysinternals is extremely helpful in tracking down exactly what is going on
with IP traffic. You can select a process and get detailed info about it. It
may also help to manually enter the IP address in IE address bar to see if
it brings up a site that may give you a clue as to what is going on. ---
Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
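
On the question of what is actually running inside a given "svchost.exe -k <group>" instance, here is an added example (not part of any post in this thread). Each group name is a multi-string value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost that lists the services the instance may host; the script resolves the group for each socket owner and flags a group that is not registered. The sample service lists, the remote address and the "examplegrp" row are constructed assumptions.

```python
import re

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

def read_svchost_groups():
    """Live lookup (Windows only): group name -> services it may host."""
    import winreg
    groups = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):      # [1] = number of values
            name, data, kind = winreg.EnumValue(key, i)
            if kind == winreg.REG_MULTI_SZ:               # one value per group
                groups[name] = list(data)
    return groups

def group_of(cmdline):
    """Extract the -k group from a svchost command line, else None."""
    m = re.search(r'svchost(?:\.exe)?"?\s+-k\s+(\S+)', cmdline, re.I)
    return m.group(1) if m else None

def explain(sockets, groups):
    """Annotate (cmdline, local_port, remote, state) rows with hosted services."""
    known = {g.lower(): svcs for g, svcs in groups.items()}  # value names ignore case
    rows = []
    for cmdline, port, remote, state in sockets:
        grp = group_of(cmdline)
        services = known.get(grp.lower(), []) if grp else []
        if grp is None:
            verdict = "not a svchost -k instance"
        elif grp.lower() in known:
            verdict = "registered group"
        else:
            verdict = "group not in Svchost key: investigate"
        rows.append((port, state, remote, grp, services, verdict))
    return rows

# Constructed sample data modelled on the first post (assumptions, see lead-in).
SAMPLE_GROUPS = {"BITSgroup": ["BITS"], "wugroup": ["wuauserv"]}
SAMPLE_SOCKETS = [
    ("svchost.exe -k BITSgroup", 1269, "203.0.113.10:80", "ESTABLISHED"),
    (r"C:\WINNT\system32\svchost.exe -k wugroup", 1718, None, "LISTENING"),
    ("svchost.exe -k examplegrp", 1300, None, "LISTENING"),
]

if __name__ == "__main__":
    for row in explain(SAMPLE_SOCKETS, SAMPLE_GROUPS):
        print(row)
```

On a live machine, pass `read_svchost_groups()` instead of `SAMPLE_GROUPS`, and fill the socket rows from a tool such as TCPView that shows the owning process.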
 