
Maybe I'm paranoid, but help, pls



On the dawn of the new year I was looking for device drivers all over the web to solve a problem in my computer.

I've downloaded one that was a really nasty trojan and had to reformat my HD (AVG free did not detect it).

Now I'm paranoid about anything that looks a bit unusual.

I have an old, little program that shows ports and its connections (Active Ports).

When there's an IP stream going on, there may be "unknown" devices connected to my ports (uTorrent streams included) besides the usual apps and their IDs.

On uTorrent, I've been able to identify as the local side "ec1745eedca7477:2759". Could this ID be used by uTorrent?

Thanks,


...? What program are you using to check the connections? Have you checked TCPView from sysinternals.com? µTorrent should show up as the executablename.exe:portnumber -- I don't think it uses any other name. That kind of ID definitely looks odd/suspicious to me ;o


Thanks, Ultima

First, I've found out that "ec1745eedca7477" is my computer name after the reinstall (?). But it's OK.

Yes, I've checked TCPView also. TCPView names "unknown" as [system Process]0.

What is worrying me now is if it's OK to have "unknown" or [system Process]0? It happens with Firefox, Thunderbird or most programs that access the web.

During access, "unknown" may send or receive. Most of the time the other side address makes sense, such as my ISP pop (port 110), a web site I'm browsing, etc.

Some other "unknown" just point to my computer (LocalHost).

With uTorrent, as the communication is very dynamic, maybe when I monitor and try to check the peer it has already disconnected?

When I close the application that generated "unknown", the port goes in Time_Wait, and some time later closes.


Thanks, Lord Alderaan

I've changed the AV program from AVG to Kaspersky; after a system scan it found a pornware dialer in the uninstall program of an old Win 98 backup ZIP archive I made when I stopped using it. That was all.

About uTorrent, [system_Process]:0

I went to download Open Office.

Lots of uTorrent connections were opened, correctly identified as uTorrent:port.

At the same time, [system_Process]:0 also opened many connections to peers, all in Time_Wait.

At the moment I'm typing, there are 2 [system_Process]:0 connections, to Local_Host ports 1190, 1191, all in Time_Wait (gone while I was typing).

These [system_Process]:0 change colors in TCPView, yellow, green, and red - that's when they will be ended.

Could this somehow be related to Windows firewall?


Archived

This topic is now archived and is closed to further replies.
