  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 342
  • Last Modified:

open port warning

I have a security problem. There's no sane way to fit it into one question. So I might be providing too little information or too much: Vista32(sp2) - Spyware Doctor, Norton, Malwarebytes - was not using a router (I am now) - early port scans were clean - later scans showed open port tcp 9000. Do you know of any current malware that has an affinity for tcp 9000? What current applications use this port legitimately? Last week, tcp 9000 was very active. I was able to get some screen shots. Since adding the router, 9000 is unusually quiet. I am a home user and do not have formal IT education. I appreciate your help.
0
noah_sq Asked:
1 Solution
 
ICaldwell Commented:
Netministrator is a Trojan Horse which runs on that port

http://www.glocksoft.com/trojan_list/Netministrator.htm

This is not a legitimate port for Microsoft software...

http://www.auditmypc.com/port/tcp-port-9000.asp

You need to scan for viruses. Get AVG, it's a free virus scanner... http://www.avg.com
Also go to www.download.com and download Malwarebytes to get rid of any malware....
0
 
MagicFarmer Commented:
I would also recommend running an anti-rootkit to clear out your trojans.

Sophos makes a good one:  http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
0
 
optoma Commented:
Run ShieldsUp! to give you more info on what ports are open
https://www.grc.com/x/ne.dll?bh0bkyd2


Also run Process Explorer.
In it, hit Options and select "Verify Image Signatures".
Then hit View, select Columns and check "Verified Signer".
Get a screen shot of the processes and attach the images in a folder attachment.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Attach Malwarebytes logfiles here.
Open Mbam and go to logs section to get them.



0
 
madunix (Chief Information Security Officer) Commented:
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

madunix
0
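The check madunix describes (which process owns each TCP/UDP endpoint, and whether an unexpected port such as 9000 is listening) can be scripted over the output of the built-in `netstat -ano` rather than read off by hand. The following is an added example written for this thread; it is not code from the thread, from TCPView or from Sysinternals. The `netstat` text it parses is constructed to look like a Vista run, and every PID, address and port in it (including the 203.0.113.7 remote peer and the PID 4 owner) is made up for the illustration.

```python
"""Parse `netstat -ano` output and list listening endpoints with their owning PID.

Added example for this thread, not code from the thread or from Sysinternals.
SAMPLE_NETSTAT is constructed: the PIDs, addresses and ports are invented.
"""

import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_addr local_port remote state pid")

# Constructed sample of what `netstat -ano` prints on Windows (header plus rows).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:49160      203.0.113.7:9000       ESTABLISHED     4
  TCP    [::]:9000              [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1144
"""

# One data row: proto, local, foreign, optional state (UDP rows have none), PID.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def _split_addr(addr):
    """Split 'host:port' into (host, port); handles '[::]:9000' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one Endpoint per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        host, port = _split_addr(local)
        rows.append(Endpoint(proto, host, port, remote, state or "", int(pid)))
    return rows


def _is_listener(ep):
    # A UDP socket has no state; it is bound and reachable, so treat it as listening.
    return ep.state == "LISTENING" or ep.proto == "UDP"


def owners_of_port(rows, port):
    """(pid, bind address) pairs of every listening socket on `port`."""
    return sorted({(r.pid, r.local_addr) for r in rows
                   if _is_listener(r) and r.local_port == port})


def unexpected_listeners(rows, allowlist):
    """Listening ports that are not on the allowlist of ports you expect to be open."""
    return sorted({r.local_port for r in rows
                   if _is_listener(r) and r.local_port not in allowlist})


if __name__ == "__main__":
    # On a real machine replace SAMPLE_NETSTAT with the output of: netstat -ano
    endpoints = parse_netstat(SAMPLE_NETSTAT)
    for pid, addr in owners_of_port(endpoints, 9000):
        print(f"port 9000 is bound on {addr} by PID {pid}")
    print("not on allowlist:", unexpected_listeners(endpoints, {135, 445, 500}))
```

Two points the thread touches on that the script makes visible: the same port can be bound once on IPv4 (`0.0.0.0`) and once on IPv6 (`[::]`), which is why TCPView shows a "TCPV6" entry as well, and a listener owned by PID 4 is owned by the System process, which on Windows is how kernel-mode listeners (for example URLs registered through http.sys, listable with `netsh http show servicestate`) appear rather than a user-mode program you could find in Process Explorer.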
 
noah_sq (Author) Commented:
Hi optoma. Sorry I didn't respond sooner. The Steve Gibson site is great. Didn't know about it. Thanks. Ran ShieldsUp! and got a very good report - due to having added the router. I have the items you requested. Hope I am able to transmit them correctly. Know about TCPView. There is still one TCP 9000 listening (also there is one TCPV6 listening, not active) but still have seen no further activity since adding router. Downloaded Sysinternals PortMon, too, but cannot get it to run. The process owner for both 9000s is System:4. Got AutoRuns also, and there are a couple of odd Services entries that bring no Google results at all.

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/6/2010 10:25:31 PM
mbam-log-2010-01-06 (22-25-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 269829
Time elapsed: 1 hour(s), 59 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



process-explorer-1.JPG
process-explorer-2.JPG
0
 
noah_sq (Author) Commented:
Didn't send the images correctly - sorry. Can you tell me how to do that?    Thanks.
0
 
optoma Commented:
Images are ok that way.
You mention strange services in Autoruns.

Run autoruns.
In Autoruns:
Hit options and check "verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn) - the output file is a few megs in size.
Once saved, right click autoruns.arn and rename it to autoruns.txt to upload.

Have to go for a bit but be back to look at all :)

0
 
noah_sq (Author) Commented:
Refreshed it with "hide Microsoft and Windows entries" checked. Let me know if you want me to uncheck this box and resend.   Thanks.
autoruns.txt.txt
0
 
noah_sq (Author) Commented:
I messed up on the file name (extra .txt). Hope it worked.
0
 
noah_sq (Author) Commented:
Maybe this is better. I scanned again and saved again.
AutoRuns.txt
0
 
optoma Commented:
All looks ok from Process Explorer, and the dead ends in Autoruns are only what is left from previously removed viruses/malware.

In case there is something still hidden run Combofix.
Read + follow all of its running instructions.
Attach logfile here after
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
noah_sq (Author) Commented:
ComboFix  file. Thanks.
ComboFix.txt
0
 
optoma Commented:
Can't see anything obvious.
Could you plug the machine directly back into the modem and run Active Ports to see if it gives any indication?

http://majorgeeks.com/Active_Ports_d682.html
0
 
noah_sq (Author) Commented:
Hi. TCPView doesn't change when the machine is plugged directly into the modem (except for established remote connections.) Oddly, when plugged directly into the modem I couldn't reach the internet - got "can't find server" messages from both Google and Firefox. So I didn't do an online port scan minus the router. Internet access is fine with the router connected. The Combofix procedure had a footnote about loss of internet connection so I'll go back and look at that. Or maybe it has to do with installing the router? That did result in an immediate IP address change plus the addition of an internal address.

I've taken a lot of your time and I'm very grateful for your help. I've learned a lot. Let me know if you have any final advice and I will gladly 'accept as solution.' If there is a critter in my machine, I believe it can no longer communicate. I was fortunate to capture the IP address at the other end of the connection. If I can find out "who," it may be easier to find out "what." But that's a separate matter....
and it's getting interesting already. Thanks again.


 
0
 
optoma Commented:
When you connect your machine directly back into the modem, the modem would firstly have to be powered down for 1 min in order to give out an IP address. The machine's IP address may have to be renewed to pick it up, or just reboot the machine. If the port was active again then it wouldn't be wise to close this thread. Possibility that something is still present and could try other things then.

If you captured the "suspect" address, if you want, email it to me (check profile) and I may be able to help with that, infowise.
DON'T post it here due to terms :)
0
 
noah_sq (Author) Commented:
Hi. Followed your advice and accessed internet with no problem (no router.) The port is still open. I scanned with both ShieldsUp! and auditmypc. I think both scans, as well as both websites, have their strong points. The grc scan stops at 5000 - I scanned 9000 by a specific request. Auditmypc scan includes 9000 - don't know the complete range. I do know that I'm grateful for both. Will email on the IP. Thanks again.
0
 
noah_sq (Author) Commented:
I have been unable to email you at your address as written. I have not seen an address like this before.
Yahoo will not recognize it.
0
 
optoma Commented:
myname@gmail.com
0
 
noah_sq (Author) Commented:
Hi. Did emails arrive ok?
0
 
optoma Commented:
Nothing as of yet. Check in my profile for the email address. It is my username @gmail.com :)
0
 
noah_sq (Author) Commented:
Hi. Sent one on 13th, one on 14th to optoma@gmail.com. Yahoo reported them as sent. Got no "unable to deliver" notice. That's a little creepy... Wonder where they went. Your name is a bit different on your profile page. Did I use the wrong name?
0
 
optoma Commented:
Yes, add "ee" at the end - without quotes! Optoma is a projector company so maybe that's who they were sent to!
0
 
optoma Commented:
Could you run Active Ports when the machine is connected directly into the modem and see if there is a path to port 9000?

Also re run Process Explorer with printscreens to see if anything shows up :)

0
 
noah_sq (Author) Commented:
Optoma, thanks so much for your help! Will let you know final outcome.
0
 
optoma Commented:
:)
0
