What is this mix of Chinese/Arabic/Korean/Japanese user owning a process listening on port 139?
While using an open port checking tool (Technicians toolbox v1.1.0) I found a strange user name listening on port 139 hiding in PID 4 with a mix of Chinese and other Unicode characters as the user name:
There is no command line or creation date or an executable path or device path listed. Also the program won't let me trace the file path; it comes up with "Error". In Windows Task Manager, PID 4 shows as "System".
The Unicode characters are:
U+548B U+0824 U+428D U+8B0C U+E84A U+C833
U+ACE8 U+F8A9 U+B8FF U+F680 U+7318 U+29E9
U+FBBA U+22FF U+9305 U+0219 U+005C
The Google translator translated the Chinese portion as "Ye Ge mad dog" mixed with some form of Unicode.
According to unicode-table.com there is a mix of Arabic, Korean, Japanese, Latin and Chinese with private code blocks mixes throughout.
I am running my laptop through a Belkin 600 wifi range extender boosting off of a Linksys WRT54GS, both have no security.
Does anyone have any idea what this is? Should I kill this process?
Check the process with another tool such as TCPView from Microsoft. It will show process names with ports open with PID, protocol, local address, local port, remote address, remote port, as well as sent and received packets and bytes for each entry. Look for process ID 4 in its list. When you have located it, if you double-click on an entry, or right-click and choose "Process Properties", it will show the path and file name associated with the process. You could upload the file to Google's VirusTotal site, which checks uploaded files with multiple antivirus programs, to check whether it might be a system file that was replaced by malware, though it is possible that what you are seeing is due to some quirk of the tool. Once you have the location of the file associated with the process, you could right-click on it in the Microsoft Windows Explorer, choose "Properties", then select "Digital Signatures"; if it is a legitimate program, the name of the signer should be "Microsoft Corporation".
Another free tool that provides functionality similar to TCPView, is CurrPorts from NirSoft.