noah_sq
asked on
open port warning
I have a security problem. There's no sane way to fit it into one question. So I might be providing too little information or too much: Vista32(sp2) - Spyware Doctor, Norton, Malwarebytes - was not using a router (I am now) - early port scans were clean - later scans showed open port tcp 9000. Do you know of any current malware that has an affinity for tcp 9000? What current applications use this port legitimately? Last week, tcp 9000 was very active. I was able to get some screen shots. Since adding the router, 9000 is unusually quiet. I am a home user and do not have formal IT education. I appreciate your help.
I would also recommend running an anti-rootkit to clear out your trojans.
Sophos makes a good one: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Run ShieldsUp! to give you more info on what ports are open
https://www.grc.com/x/ne.dll?bh0bkyd2
Also run process explorer.
In it, hit Options and select "Verify Image Signatures".
Then hit View, Select Columns and check "Verified Signer".
Get a screenshot of Process Explorer and attach the images in a folder attachment.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Attach Malwarebytes logfiles here.
Open Mbam and go to logs section to get them.
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
madunix
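The asker's later finding, a TCP 9000 listener owned by System (PID 4), is the kind of thing TCPView or `netstat -ano` surfaces. As an added example (not code from anyone in this thread), here is a small Python script that parses `netstat -ano` output and flags listeners outside an expected baseline. The netstat text is constructed to mirror the asker's description, and the `EXPECTED_LISTENERS` baseline is an assumption about a typical home Vista box, not a verified list.

```python
"""Triage listening TCP sockets from `netstat -ano` output.

Added example for this thread, not code from any poster. The netstat text
below is constructed to mirror what the asker described: a TCP and a TCPv6
listener on port 9000, both owned by PID 4 (System). EXPECTED_LISTENERS is
an assumed baseline for a home Vista machine, not a verified list.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto local_addr local_port pid")

# Constructed sample of `netstat -ano` output (not real data from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49201     203.0.113.7:80         ESTABLISHED     2840
  TCP    [::]:9000              [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1200
"""

# Assumed baseline of ports a default Windows Vista install listens on.
EXPECTED_LISTENERS = {135, 139, 445}

# Proto, local addr:port, foreign addr, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return a Listener for every TCP socket in the LISTENING state."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, _faddr, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append(Listener(proto, laddr, int(lport), int(pid)))
    return listeners


def triage(listeners, expected=EXPECTED_LISTENERS):
    """Flag listeners whose port is outside the expected baseline.

    PID 4 is the System process, so a socket it owns belongs to a
    kernel-mode component (http.sys, a driver, or a kernel rootkit), and
    Process Explorer will show no user-mode image for it. That is exactly
    what the asker saw for TCP 9000. Returns (port, local_addr, note) tuples.
    """
    findings = []
    for l in listeners:
        if l.local_port in expected:
            continue
        if l.pid == 4:
            note = ("owned by System (PID 4): kernel-mode listener, check "
                    "http.sys registrations and loaded drivers")
        else:
            note = ("owned by PID %d: check its image path and signature "
                    "in Process Explorer" % l.pid)
        findings.append((l.local_port, l.local_addr, note))
    return findings


if __name__ == "__main__":
    for port, addr, note in triage(parse_netstat(SAMPLE_NETSTAT)):
        print("TCP %s:%d %s" % (addr, port, note))
```

On the real machine, run `netstat -ano` in a command prompt and feed its output to `parse_netstat`. When the owner is PID 4, `netsh http show servicestate` lists the URLs currently registered with http.sys, which is the usual legitimate reason for a kernel-owned TCP listener; a port that appears in neither that list nor a known driver deserves the deeper look the rest of this thread describes.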
ASKER
Hi optoma. Sorry I didn't respond sooner. The Steve Gibson site is great. Didn't know about it. Thanks. Ran ShieldsUp! and got a very good report - due to having added the router. I have the items you requested. Hope I am able to transmit them correctly. Know about TCPView. There is still one TCP 9000 listening (also there is one TCPV6 listening, not active) but still have seen no further activity since adding router. Downloaded Sysinternals PortMon, too, but cannot get it to run. The process owner for both 9000s is System:4. Got AutoRuns also, and there are a couple of odd Services entries that bring no Google results at all.
Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865
1/6/2010 10:25:31 PM
mbam-log-2010-01-06 (22-25-31).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 269829
Time elapsed: 1 hour(s), 59 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
process-explorer-1.JPG
process-explorer-2.JPG
ASKER
Didn't send the images correctly - sorry. Can you tell me how to do that? Thanks.
Images are ok that way.
You mentioned some strange services in Autoruns.
Run Autoruns.
In Autoruns:
Hit Options and check "Verify Code Signatures", then rescan (F5 key).
Don't make any other changes...
Within Autoruns, select the File tab and Save (Ctrl+S), saving as AutoRuns Data (*.arn). The output file is a few megs in size.
Once saved, right-click autoruns.arn and rename it to autoruns.txt to upload.
Have to go for a bit but be back to look at all :)
ASKER
Refreshed it with "hide Microsoft and Windows entries" checked. Let me know if you want me to uncheck this box and resend. Thanks.
autoruns.txt.txt
ASKER
I messed up on the file name (extra .txt). Hope it worked.
ASKER
Maybe this is better. I scanned again and saved again.
AutoRuns.txt
All looks ok from Process Explorer, and the dead ends left in Autoruns are only from previously removed viruses/malware.
In case there is something still hidden run Combofix.
Read + follow all of its running instructions.
Attach logfile here after
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
ComboFix file. Thanks.
ComboFix.txt
Can't see anything obvious.
Could you plug the machine directly back into the modem and run Active Ports to see if it gives any indication?
http://majorgeeks.com/Active_Ports_d682.html
ASKER
Hi. TCPView doesn't change when machine is plugged directly into modem (except for established remote connections.) Oddly, when plugged directly into the modem I couldn't reach the internet - got "can't find server" messages from both Google and Firefox. So I didn't do an online port scan minus the router. Internet access is fine with router connected. The Combofix procedure had a footnote about loss of internet connection so I'll go back and look at that. Or maybe it has to do with installing the router? That did result in an immediate IP address change plus the addition of an internal address.
I've taken a lot of your time and I'm very grateful for your help. I've learned a lot. Let me know if you have any final advice and I will gladly 'accept as solution.' If there is a critter in my machine, I believe it can no longer communicate. I was fortunate to capture the IP address at the other end of the connection. If I can find out "who," it may be easier to find out "what." But that's a separate matter....
and it's getting interesting already. Thanks again.
When you connect your machine directly back into the modem, the modem would first have to be powered down for 1 min in order to give out an IP address. The machine's IP address may have to be renewed to pick it up, or just reboot the machine. If the port was active again then it wouldn't be wise to close this thread. Possibility that something is still present and could try other things then.
If you captured the "suspect" address and want to, email it to me (check profile) and I may be able to help with that, infowise.
DON'T post it here due to terms :)
ASKER
Hi. Followed your advice and accessed internet with no problem (no router.) The port is still open. I scanned with both ShieldsUp! and auditmypc. I think both scans, as well as both websites, have their strong points. The grc scan stops at 5000 - I scanned 9000 by a specific request. Auditmypc scan includes 9000 - don't know the complete range. I do know that I'm grateful for both. Will email on the IP. Thanks again.
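The asker's two observations fit together: TCPView still shows 0.0.0.0:9000 listening on the machine, yet the external scans went quiet once the router was in place, because the router's NAT drops unsolicited SYNs before they reach the PC. The three states an external scanner reports are open (handshake completes), closed (RST comes back) and filtered (no answer, which ShieldsUp! calls "Stealth"). As an added example, not code from anyone in this thread, here is a Python probe that classifies a port the same way; `demo()` stands up a throwaway listener on 127.0.0.1 so it can be exercised offline, and the port number it uses is whatever the OS hands out.

```python
"""Classify a TCP port as open, closed or filtered, the way an external
port scan such as ShieldsUp! does. Added example for this thread, not code
from any poster. demo() stands up a throwaway listener on 127.0.0.1 so the
probe can be exercised offline; the port it picks is whatever the OS hands out.
"""
import errno
import socket

# errno values that mean "RST received" or "no answer", including the
# Winsock equivalents so the probe behaves the same on Windows.
REFUSED = {errno.ECONNREFUSED, 10061}                         # 10061 = WSAECONNREFUSED
NO_ANSWER = {errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK,
             10060, 10035}                                    # WSAETIMEDOUT, WSAEWOULDBLOCK


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - handshake completed: something is listening and reachable
    closed   - RST came back: host reachable, nothing listening on the port
    filtered - SYN was dropped: a firewall or NAT router is in the path
               (ShieldsUp! labels this state "Stealth")
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except socket.timeout:
        return "filtered"
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc in REFUSED:
        return "closed"
    if rc in NO_ANSWER:
        return "filtered"
    return "error %d" % rc


def demo():
    """Probe a local listener while it is up and again after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return port, while_listening, after_close


if __name__ == "__main__":
    port, up, down = demo()
    print("port %d: listening -> %s, after close -> %s" % (port, up, down))
```

Run from another machine against the public address, `probe(public_ip, 9000)` returning "filtered" while TCPView still shows the listener is the router doing its job; it does not mean the listener is gone. "open" from outside with the router in place would mean a port forward or UPnP mapping exists for 9000 and should be looked for in the router's configuration.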
ASKER
I have been unable to email you at your address as written. I have not seen an address like this before.
Yahoo will not recognize it.
myname@gmail.com
ASKER
Hi. Did emails arrive ok?
nothing as of yet. check in my profile for the email address. it is my username @gmail.com :)
ASKER
Hi. Sent one on 13th, one on 14th to optoma@gmail.com. Yahoo reported them as sent. Got no "unable to deliver" notice. That's a little creepy... Wonder where they went. Your name is a bit different on your profile page. Did I use the wrong name?
Yes, add "ee" at the end, without quotes! Optoma is a projector company so maybe that's who they were sent to!
ASKER CERTIFIED SOLUTION
ASKER
Optoma, thanks so much for your help! Will let you know final outcome.
:)
http://www.glocksoft.com/trojan_list/Netministrator.htm
This is not a legitimate port for Microsoft software...
http://www.auditmypc.com/port/tcp-port-9000.asp
You need to scan for viruses. Get AVG, it's a free virus scanner... http://www.avg.com
Also go to www.download.com and download Malwarebytes to get rid of any malware.