TCP port 2603 and service "servicemeter"

By JPLconsultant ·
I am running AVG Firewall on WinXP Pro. AVG is asking me to allow/deny Application "System" outbound access to localhost port 2603 (TCP). Destination is 207.46.245.33 port 80.

I searched for applications named "system" and don't find any. I have no applications running that should be accessing the Internet at that time. The destination IP resolves to MSNBCENESPANOL.COM. As far as I know, I've not accessed that website before.

From what I can gather, port 2603 is assigned to a service called "servicemeter".

I have denied access. Full A/V, spyware, adware, malware scans come up empty (using AVG, ad-aware, spybot, spywareblaster).

Can anyone tell me about "servicemeter", port 2603, and why an application named "System" might be trying to use that port/service?

Thanks!
JPLConsultant

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  

by JPLconsultant In reply to TCP port 2603 and service ...

I suspect the application "System" is probably referring to some system-level process. That doesn't seem good.

Also, I did not run netstat to check my port connections prior to denying access, so I wasn't able to glean more insight there. I should have looked, but forgot about netstat until it was too late. I don't know. If the firewall was waiting for permission to allow/deny the connection, would netstat even show relevant information at that time, or would I have had to approve it first through the FW?

Ok, I think that's all I have to update for now.

Thanks for any help you all can provide.

Thanks,
JPLConsultant

by HAL 9000 Moderator In reply to TCP port 2603 and service ...

First make sure that all your AV & Spy ware Apps are up to date and then reboot into Safe Mode and run both AV & Spy Ware Scans in there. If there is some infection involved here it will be picked up and possibly removed while in Safe Mode where it can not be removed or even show up when you are running in Normal Mode.

The only reference that I can find to Servicemeter is in relation to some Dutch Government sponsored E Security here

http://tinyurl.com/rhto2

So either you are looking at the wrong service running or you have picked up some kind of infection. A System application is a basic Windows service that is attempting to run but it can also be some form of Spy Ware or Virus as well as these embed themselves deep in Windows and act like a normal service that should be running.

But just for further reference whenever you do a system scan for Spy Ware or AV you should always be in Safe Mode as you pick up far more and can remove what you pick up without doing any damage.

Col

by JPLconsultant In reply to

I got this message for the second time today. I updated everything again this evening (updates came down for the antivirus and spybot). Ran a/v, spybot and ad-aware in Safe Mode. All still came up empty.

I checked out http://tinyurl.com/rhto2, but that didn't seem to provide me any useful information as to what may be going on.

by HAL 9000 Moderator In reply to TCP port 2603 and service ...

Well as the system is showing up as clean and you already have confirmed that the correct software is installed enable the transfer from that port. It appears to be something critical to windows.

It wouldn't hurt to check any transmissions from that Port either after you enable it but by the sounds of things it's something to do with a necessary running service in Windows.

Of course hiding the thing behind a router wouldn't hurt any just to make sure that nothing important is leaving via that Port.

Col

by JPLconsultant In reply to TCP port 2603 and service ...

Col,
Thanks for your help. I gathered some interesting information over night. There were a total of 6 attempts yesterday/last night. Each was to a different URL. These attempts occurred over an 11-hour period. They only occurred yesterday, and then seem to have stopped. Also, there is more activity than I initially thought. Reviewing my FW logs shows that this application attempted to access each of the six IP Addresses using my outgoing ports 2603, 2604, 2605, 2606, 2607, 2608, 2614, 2616, 2617, 2621, 2626. 11 different outgoing ports! Each attempt tried to hit the destination IP on port 80. All were blocked.

No activity since 12:00AM today.

I can't imagine what critical system resource would operate in this manner.

I've blocked communication from my machine, and will continue to monitor. I am behind a router, and have it locked down pretty well. I'll attempt to get more information and will update this site as I get any pertinent info. I'll close it in a week if I/we don't make any good progress.

Right now, I'm stumped.

Sites attempted to access yesterday:
207.138.234.57 - [none]
207.46.150.50 - msnbcenespanol.com
207.46.245.32 - msnbcbusiness.com
207.46.245.33 - thechrismatthewsshow.com
207.68.172.236 - x.sc.msn.ca
69.44.123.151 - 69-44-123-151.wcg.net

-JPLConsultant

by JPLconsultant In reply to TCP port 2603 and service ...

In reviewing my comment, I may be unclear about the number of attempts, so I'll try to clarify:

There were 6 unique IP Addresses used. Contact was attempted to each IP from 11 of my ports, for a total of 11 unique calls to each IP (66 total attempts).

The application would attempt IP1 from all ports. Then a while later tried IP2 from all ports, and so on.

Hope I've not made anything even more confusing.

by Jacky Howe In reply to TCP port 2603 and service ...

Have a look here it might shed some light.

http://www.auditmypc.com/port/udp-port-2603.asp

by Jacky Howe In reply to

Found some more info it might be worth checking. Particularly the info on netstat. You can get a lot of info when you follow the steps.

http://support.microsoft.com/kb/842242

Servicemeter is a red herring

by Madsmaddad In reply to TCP port 2603 and service ...

According to IANA, some ports have been given names of the facility that is intended to use them, so port 2603 is expected to be used by servicemeter.

But other things can use it as well.

http://www.iana.org/assignments/port-numbers

I came across this while searching for it myself as I discovered it in my wireshark trace on my computer.

Peter M.
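
Added example (not part of any post in this thread): a short Python triage of firewall log lines like the ones described above, grouping attempts by destination and checking whether the local ports are simply OS-assigned source ports. The log format, timestamps and the `summarize` helper are constructed for illustration; the 1025-5000 range is the default dynamic port range on Windows XP.

```python
import csv
import io
from collections import defaultdict

# Default dynamic (ephemeral) source-port range on Windows XP / Server 2003.
XP_EPHEMERAL = range(1025, 5001)

# IANA names for the two ports in this thread. A name is only a registration,
# not proof of which program is actually using the port.
IANA_NAMES = {80: "http", 2603: "servicemeter"}

# Constructed sample log; the column layout is an assumption:
# time,app,local_port,remote_ip,remote_port,action
SAMPLE_LOG = """\
10:02:11,System,2603,207.46.245.33,80,BLOCK
10:02:14,System,2604,207.46.245.33,80,BLOCK
10:02:20,System,2605,207.46.245.33,80,BLOCK
13:40:05,System,2614,207.46.150.50,80,BLOCK
13:40:09,System,2616,207.46.150.50,80,BLOCK
"""

def summarize(log_text):
    """Group outbound attempts by (app, remote_ip, remote_port)."""
    groups = defaultdict(set)
    for _time, app, lport, rip, rport, _action in csv.reader(io.StringIO(log_text)):
        groups[(app, rip, int(rport))].add(int(lport))
    report = []
    for (app, rip, rport), lports in sorted(groups.items()):
        report.append({
            "app": app,
            "remote": f"{rip}:{rport}",
            # The destination port identifies the service being contacted.
            "service": IANA_NAMES.get(rport, "unknown"),
            "local_ports": sorted(lports),
            # Source ports picked by the OS carry no service meaning, so an
            # IANA name attached to them says nothing about the traffic.
            "local_ports_ephemeral": all(p in XP_EPHEMERAL for p in lports),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A run of many consecutive local ports all pointed at remote port 80 reads as ordinary outbound HTTP connections, each given the next free source port; the question worth chasing is which process owns them, not the name registered for port 2603.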
