?
Solved

How to close port 2000 TransScout?

Posted on 2004-11-10
36
Medium Priority
?
3,486 Views
Last Modified: 2013-11-16
Hello,

Does anyone know how to close Port 2000, also named TransScout? A firewall test on my business PC here revealed that this port is apparently open. We do not use a firewall, only a built-in router in our DSL modem. For some reason, this port seems to be open. Any ideas?
0
Comment
Question by:maritoboy
  • 11
  • 11
  • 10
  • +2
35 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 12550554
Whic OS are you using on your PC?
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12551080
That is a port that is often intruded, see here:
http://www.speedguide.net/ports.php?sortby=protocol

I'd highly recommend that you scan your system with updated Viruscan program (deep scanning) with updated virus definition files and for spyware asap.
0
 

Expert Comment

by:testithman
ID: 12551081
Doesn't sound very nice..
http://www.pestpatrol.com/PestInfo/T/TransScout.asp

Maybe your admin is using remote access to control server from home or something?
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 27

Expert Comment

by:Asta Cu
ID: 12551086
As rindi said, it is important to know your Operating System and environment.  I've upgraded to XP SP2 and love the added protection and Firewall feature as well as Pop Up Blocker, if you want more about that let us know.  I also use a Router with a hardware firewall, but also use Software Firewall as well as Spyware.  These days there are too many bad news intrusions out there.

ALSO, important, turn off system restore before doing this and Spyware
fixes, or the problem will return. Once cleaned, you should enable System
Restore again.

If Pop Ups arise, and Browser is hijacked, the quickest way to close the
Browser window is ALT+F4.

This is a central link here compiled by a number of our Experts with Spyware
tools, links and cautions/recommendations:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html 
HijackThis can scan your system and create a log (and fix some things) ...
once this log is created, post the log results in this free analyzer:
http://www.hijackthis.de/index.php?langselect=english 
This is the HijackThis Guideline and process that makes sense to me:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html 

Once you've run the log through the Analyzer, you're guided for the most
part with recommendations, and some can be fixed by HijackThis, but some may
show as "nasty" which aren't and may cause problems for you. So do
encourage you to read the above link for cautions on this. Let us know only
the line items which need further analysis by us.

My personal choices on the Spyware/Malware and Malicious BHO issue is to use
these two programs:
AdAware (I chose the paid version which is SE Professional) but both also
have free versions and always welcome contributions. Be sure it is the most
current and updated, also make sure you configure it to do Deep Scanning and
to include the HOSTS file. For Spybot S&D, if you choose that, be sure to
update it and use the Immunize function to block @ 2500 spyware/malware
intrusions.

Hope this is of help to you. Best wishes, let us know your progress.

":0) Asta
0
 

Expert Comment

by:testithman
ID: 12551092
Also: http://housecall.trendmicro.com if you can't currently purchase or don't currently own a virus scanner, free and online, though not exactly something you should rely on

http://www.computing.net/security/wwwboard/forum/4729.html - someone giving a bit of information (after a question about transscout) on filenames/registry keys etc.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12551094
Backdoor.Fearic is a backdoor Trojan horse that allows a hacker to use America Online Instant Messenger (AIM) or to open TCP/UDP ports to gain control of a computer.
Backdoor.Fearic is written in the Microsoft Visual Basic (VB) programming language. It will listen on ports 8811, 3456, and 2000.
NOTE: Symantec antivirus products detect the client portion of this Trojan as Backdoor.Fearic.Cli. The length of the client portion is 122,880 Bytes.
Also Known As:  Backdoor.Fear.15 [AVP]  
Type:  Trojan Horse
Infection Length:  39,936 bytes  
Systems Affected:  Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
More here.... http://sarc.com/avcenter/venc/data/backdoor.fearic.html
0
 

Author Comment

by:maritoboy
ID: 12555769
I am running Windows XP Pro SP2, as part of a server/client network. I turned off the Windows Firewall, I found it annoying. I am the only "system administrator," and I remember the guy who configured our network wanted to leave open the possibility for a remote connection from home (VPN or something), but we're not using it and don't plan to in the foreseeable future. It's possible that this port is protected by a username and password, but not that I know of.

We're pretty well protected here, I have to say, using Panda BusinesSecure with TruPrevent for the network and I'm pretty sure there's no serious spyware on the my PC either, though I can do another scan using Ad-Aware.

So, is it possible that I can simply close the port by changing some settings on the server? We're using Microsoft Windows 2003 Small Business Server.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12555903
Sorry, at work and swamped; others may have just what you need.  This link can give you a quick overview for your environment and hopefully get you an interim solution by narrowing the scope.  There are a number of considerations noted here that will be a roadblock to this as you'll see when you check the results below.
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=windows+2003+small+business+server+ports
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12558240
Go here and download "Active Ports". And close it with that...

http://www.download.com/3000-2085-10062969.html?part=65960&subj=dlpage&tag=button

Or, to do it manually...

1. Click Start, point to All Programs, then Accessories, then Communications then Network Connections. (Or you can right click My Network Places on the desktop and choose Properties).
2. Right-click the Local Area Network or the connection you are using, then click Properties.
3. Click the Advanced tab, and then click Settings.

Note: The Settings button is unavailable when ICF is disabled and all ports are already open.

4. Click Add to open a new port.
5. In the Description box, type a name. For example, type: File & Printer.
In the Name or IP address of the computer hosting this service on your network box, type 127.0.0.1.
6. In both the External and Internal port boxes, type the port number.
7. Click either TCP or UDP, and then click Ok.
8. Repeat steps 4 - 8 and allow the appropriate ports to be open for file and printer sharing. To allow file and print sharing traffic, create and enable the following service definitions. In the External and Internal Ports, allow these ports: UDP 137, UDP 138, UDP 445, and TCP 139, and TCP 445.

Good Luck
0
 

Author Comment

by:maritoboy
ID: 12560307
Thank you, Zero Point. I got Active Ports on my computer now, and it's not even showing Port 2000 as open. Now I'm confused. If I run a Symantec Security check, it tells me under "Trojan Horse Check" that port 2000, "TransScout, Remote Explorer" is open. Everything else on there is stealth.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12561110
Wonder if, at the bottom of this link, "submit virus samples" would be a way to escalate this to Norton for further help
http://www.symantec.com/avcenter/
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12567464
Turn off system restore for your entire system, then reboot and turn it back on. Run the current version of an antivirus program to detect and eliminate the Trojan, and then install Norton Internet Security or Personal Firewall and re-scan your computer to confirm that the suspect port is now closed.

Any time you get a virus or Trojan on your system, you need to turn off system restore, then make sure you get at least 1 clean scan, then reboot, then create new restore point.

Also, I think XP's firewall closes ports for intrusion, not extrution, so you might want to download Zone Alarm since it does the job of a hardware firewall and detects intrusion as well as extrusion.

After all that...go here to be sure you're protected properly http://www.grc.com/PortDataHelp.htm and see what it tells you, then let me know what it says.

Should take care of it.

If not, I don't think I can help further unless I get detailed information about what's running and what's loaded etc...

Download HJT from here http://www.majorgeeks.com/download3155.html

Install it to this directory C:\HJT\HJT.exe, just to be sure we can restore backups it creates if I mess things up.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore. Boot into safe mode. Close everything in your open programs that normally run on startup (bottom right near your clock), simply close them all to make it easier for me to navigate the log that you'll post. Run HJT, click bottom left, "SCAN", the scan button will change to a "SAVE LOG" button, save that log to the desktop and open it, then copy and paste the text from that log to here...I will check your log.

Good Luck.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12567766
As noted above, rather than posting your entire HijackThis log here, please use the free analyzer service and only post those line items that require our assistance; they are often huge and not needed in their entirety, therefore we've posted these guidelines.
This is the HijackThis Guideline and process that makes sense to me:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html 
Free HijackThis analyzer.

Paste your log results in the link below, then choose Analyze (English by default, so if you have another language in use, change there prior to hitting the analyze function).
http://www.hijackthis.de/index.php?langselect=english

Also a bit confused about your comment here, ZeroPointNG, ........"Turn off system restore for your entire system, then reboot and turn it back on. Run the current version of an antivirus program to detect and eliminate the Trojan, and then install Norton Internet Security or Personal Firewall and re-scan your computer to confirm that the suspect port is now closed."  ....... since if you turn off system restore, reboot and turn it right back on prior to doing the cleanup, the problem will return.....

When System Restore is turned off in control panel - system applet; it removes restore points. Then scan with updated tools listed above and by others as well.  Once clean, turn system restore back on.
0
 

Author Comment

by:maritoboy
ID: 12571367
OK, thank you. Will let you know when I return to the office on Monday.
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12571379
Do not get it analyzed by that site, it has nothing on me..I have the right to ask for the file if I think that the site has not got it right, in most cases, that site is not good enough. I have experience in dealing with logs and thousands of different spywares bhos scripts whatever...

astaec,

In any case, the log that he will post can be removed as it is stated in the rules, and I can either tell the moderator to keep certain bits if I feel they will be useful to someone else or give a good enough reason to keep it all. I am within my rights...And I'm only here to help not get points like most.

You're right in a way, but it's wrong information you have.

It is only a precaution. And it doesn't mean his restore point is infected. And no, it will not restore, only spyware restores from restore points. A virus doesn't do this, a trojan horse stays on the system until deleted, once deleted, it's gone, unless it's copied itself to another file in another directory or infected other files that that analyz site won't know is infected because it knows things to be safe too often when infact they're not, and that site only does spyware/malware etc, it doesnt scan your pc for infected files. Where's if it's maleware or spyware, if you miss anything it will either restore itself from different file types of the same file in windows-system-32-temp, or it will restore itself from a restore point it created itself. It doesn't attach itself to an already created restore point.

The restart is just clean the boot process, and release any hung dll's and running spyware so he can do a clean scan with AVS.

Spyware can take upto 30 seconds to reproduce if it's deleted, but we haven't yet deleted any spyware, only the virus. And remember, his restore point is still off, it only goes back on when I say turn it on, which would be after I've checked his log....Once the virus is gone if any, then his port will close as this trojan was keeping it open.

As safety and a greater insight into what caused this to happen and generally just helping keep his system clean I need a log. It will make things easier for me to see his system this way that's all. Might not have anything to do with anything, but that's all I can do for him if my second comment doesn't work that is.

All he wanted was to close port 2000, yet people posted comments about things he didn't ask for, making this thread a whole bunch of reading about nothing and no solutions for others that might have this same problem.

Now my first post didn't help, my second post might help, if not, the last resort is the log for me....And I can't really interact with a person that might go to that site, post the log, and think, "ohh, this site is easy, it tells me what to do, so I think I might do it myself" sorta thing, stuff their computer up worse and then come back with a whole heap of other questions that need not be asked if he just posted his log to me.

Hope this clears things up mate.

Regards
Zero
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12571482
Sounds good, maritoboy, look forward to hearing from you if more is needed here.

ZeropointNRG ->  What makes this site so great, is that we each come from our own experiences, I've shared mine, and you've shared yours.  We differ in our opinions somewhat, but feel our goal is to help provide "A" level results to all we try to assist.  Teamwork works best.

":0) Asta

 
0
 

Author Comment

by:maritoboy
ID: 12587627
Hey Zero,

OK, here's my Hijack This log. Please remember that I am on a client/server network entitled "rde.local" and the Netzero stuff is fine and can stay.

0
 

Author Comment

by:maritoboy
ID: 12588425
By the way, I suppose I should add that I did the same Symantec Security check on another workstation of ours that is also part of our client/server network, and Port 2000 / TransScout was found "open" there as well. I think it may be that this port was configured to be open when a technician we hired set up our Small Business Server 2003. However, I don't know what benign purpose it would serve to have this port open. We're not doing any sort of remote connections into our network. If applicable, I would close the port on SBS 2003 if I knew how to do it.
0
 
LVL 27

Assisted Solution

by:Asta Cu
Asta Cu earned 450 total points
ID: 12589296
The sidebar security/firewall options don't exist for you?  More below..
Have you looked at the potentially needed updates?
http://www.microsoft.com/technet/downloads/sbs.mspx
First Look at SBS 2003 Security - http://www.winnetmag.com/Article/ArticleID/40830/40830.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;825763
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12589327
I can't get over the fact that I have been unable to find anything specific for SBS 2003 and Port 2000, despite much research; really odd.  Sample:
http://www.google.com/search?hl=en&lr=&q=small+business+server+2003+port+2000&btnG=Search

Did find this on listening port 2000.
http://www.experts-exchange.com/Programming/Programming_Platforms/Win_Prog/Q_20137957.html?query=%22port+2000%22&clearTAFilter=true
They recommend this:
http://www.sysinternals.com/
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12590554
Hi maritoboy,

By the looks of it, it looks like you have stuff installed that uses this port to counter spy...curious as to if this is what's holding that port open?

Are you able to remove this "netzero" to test? If not possible, I can't test any further.
If so, then before you do anything else, create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and this is to make sure they can be restored.

Afetr you've done this, then re-scan with HJT, then fix everything with "netzero". Note* this is to test, I know you said keep it, but I need to know if it's keeping your port open, if not, you can simply restore the backups HJT created. Once done, simply re-scan to see if it's still open. IF still open, then restore the backups, once restored, then fix in HJT or remove add remove programs called "sunbelt software", re-scan, see if the port is still open. If still open, restore the backups again.

It may be held open on purpose, and you may need it open, for whatever reason I'm not sure, but you should contact the person who installed your network to see what's up.

Well, I've found nothing here, the only thing I can think of is that, it's left open on purpose or the person who setup your network has left a backdoor.

But you can check these in HJT to clean up.

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


If none if this can resolve the issue, I seriously recommend that you install a firewall, and set it to high safety, then after a day or two, check its firewall log, and see if it has been accessed by checking its port number and IP address, then if you know who it is, investigate it.

Good Luck champ, sorry can't be of anymore service....

Zero

PS: If I come accross something in the future, I'll be sure to post back to you if this is still not solved.

PSS: HJT log can now be removed.
0
 

Author Comment

by:maritoboy
ID: 12598684
Thank you, Zero. I did as you said with the HJT, but the port still remained open. I contacted our ISP to see if maybe they needed port 2000 open for something, but they don't. So I have now downloaded a free trial of Norton's Personal Firewall 2005. Will let you know once I have completed all the updates, to see if Port 2000 is still open. Thanks!

Asta, we do not use the Windows Firewall in SBS 2003. The guy who configured our network didn't like that idea. Our workstations connect to the internet directly, not through the server. I am toying with the idea of purchasing a Symantec Gateway Security appliance for that so we have at least some sort of hardware firewall. Our ISP runs a firewall service on their end for us, though.
0
 

Author Comment

by:maritoboy
ID: 12608355
OK, friends, you're not going to believe this. I am running the Norton Firewall 2005 trial, and my PC still fails the Symante Security check (as well as security scans from other sites). That's understandable, I suppose, since Ports 23 and 80 are open from my ISP's end. They say they need those two open. They say it's not a problem. Can you confirm or deny this? As for Port 2000, the darn thing is still open, even with the Norton Firewall. My ISP says they don't need that port open. I don't either. It has nothing to do with any software running on my PC because it's open on the whole network, apparently. I'm ready to give up on it and forget about it. I could install a hardware firewall perhaps and see if that changes anything. Do you think hardware firewalls are a good idea? Maybe I should again talk to the guy who configured our SBS 2003. Speaking of which, do any of you know if there is a good manual out there on how to use SBS 2003? I mean for things like changing user permissions, adding/deleting users, configuring Active Directory settings, etc. I'd like to delete some services on our SBS 2003 that we're not using, but I wouldn't even know what we're using and what not. Thanks for all your help. I'd like to close this and see if I can split points between you two for the good advice you have given.
0
 

Author Comment

by:maritoboy
ID: 12608365
Oh, and if somebody could please delete the HJT log, since I think it's a bit of a privacy issue to post a company's log like that....
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12611473
Did you check the firewalls log to see if that port was being accessed by any chance?

I'll keep an eye out for a guide if no one can get one quicker.

Regards

Zero
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12611795
Oh and your ISP will have port 80 open to run their website - port 23 is telnet, they should be fine.
0
 
LVL 3

Accepted Solution

by:
ZeropointNRG earned 1050 total points
ID: 12611834
yup, the only way your going to be able to 'close' port 2000 locally without terminating the service using port 2000 (which we're unable to find out unless you check your log) is using a firewall..you will have to set a firewall rule to block all incoming traffic on TCP port 2000. If anything looks funny or doesn't work anymore, it may be need to be open for the network for some unknown reason..

I'm at my wits end..

Hope you figure it out..

Best Of Luck

Zero.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12614598
I hope the same.  ":0) Asta
0
 

Author Comment

by:maritoboy
ID: 12618816
Thank you. Yeah, checking my firewall logs does not turn up anything regarding Port 2000. It doesn't seem to be used by any program. So it probably isn't a problem. I am just worried that someone might be able to hack into our network using that open port. Is that possible? But you gave good advice. I will set my firewall to block everthing on port 2000 and see what happens. Thanks much!!
0
 

Author Comment

by:maritoboy
ID: 12618858
I am increasing the points to 500 here.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12625200
Thank you, maritoboy.  ":0) Asta
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12637151
Anytime, post back on progress if you can. I'll update you in future.

Thanks for the points ;)
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12637168
Sorry, yes, it's possible! Less is more...

0
 

Author Comment

by:maritoboy
ID: 12658690
Hi guys, I have an exciting update for you!
Today my Norton Firewall alerted me to a program trying to access Port 2000! It was Mozilla's Firefox, though. Anyway, here is the log:

Rule "Close Port 2000 Rule" blocked (data.coremetrics.com(63.241.72.116),https(443)).
Outbound TCP connection.
Local address,service is (0.0.0.0,2000).
Remote address,service is (data.coremetrics.com(63.241.72.116),https(443)).
Process name is "C:\Program Files\Mozilla Firefox\firefox.exe".

What does this tell us, basically? This happened while I was placing an online order. The browser then crashed, practically.

By the way, one of the features I find annoying about Norton's Firewall is that it never gives you the option of allowing a program to access the internet only once. It's always either never or always and on all ports or manually configure. Annoying! I use Panda's firewall at home. Got any comments on that?
0
 
LVL 3

Expert Comment

by:ZeropointNRG
ID: 12702491
Hi dude, sorry, havent been here in a while..

Right well, it seems that you need that port open for mozilla, that's why it's crashing..

It should be fine.

Zone Alarm gives the option you want.

Zero

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question