noah_sq (United States of America)

asked on

open port warning

I have a security problem. There's no sane way to fit it into one question. So I might be providing too little information or too much: Vista32(sp2) - Spyware Doctor, Norton, Malwarebytes - was not using a router (I am now) - early port scans were clean - later scans showed open port tcp 9000. Do you know of any current malware that has an affinity for tcp 9000? What current applications use this port legitimately? Last week, tcp 9000 was very active. I was able to get some screen shots. Since adding the router, 9000 is unusually quiet. I am a home user and do not have formal IT education. I appreciate your help.
ICaldwell (United States of America)

Netministrator is a Trojan horse which runs on that port

http://www.glocksoft.com/trojan_list/Netministrator.htm

This is not a legitimate port for Microsoft software...

http://www.auditmypc.com/port/tcp-port-9000.asp

You need to scan for viruses. Get AVG, it's a free virus scanner: http://www.avg.com
Also go to www.download.com and download Malwarebytes to get rid of any malware.
I would also recommend running an anti-rootkit to clear out your trojans.

Sophos makes a good one:  http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Run ShieldsUp! to give you more info on what ports are open
https://www.grc.com/x/ne.dll?bh0bkyd2


Also run process explorer.
In it, hit Options and select "Verify Image Signatures".
Then hit View, Select Columns and check "Verified Signer".
Get a screen shot of process and attach images in a folder attachment
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Attach Malwarebytes logfiles here.
Open Mbam and go to logs section to get them.

madunix

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

madunix
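As an added example (not from any poster in this thread), a small Python parser for `netstat -ano` output, the same endpoint-to-PID listing TCPView presents, that pulls out the listeners on a given port and the established connections to it. The sample output is constructed, not taken from the asker's machine; PID 4 is the Windows System process, which is why a port 9000 listener owned by it has no user-mode image whose signature could be verified in Process Explorer.

```python
import subprocess
import sys
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_addr local_port remote state pid")

# Constructed sample of `netstat -ano` output (illustrative, not from the asker's machine).
SAMPLE_NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING       4
  TCP    [::]:9000              [::]:0                 LISTENING       4
  TCP    192.168.1.5:49203      203.0.113.10:9000      ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1032
"""

def parse_netstat(text):
    """Turn `netstat -ano` text into Endpoint records; UDP rows have no State column."""
    endpoints = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank, or column-header line
        state = parts[3] if parts[0] == "TCP" else ""
        addr, port = parts[1].rsplit(":", 1)  # rsplit keeps the IPv6 "[::]" prefix intact
        endpoints.append(Endpoint(parts[0], addr, int(port), parts[2], state, int(parts[-1])))
    return endpoints

def listeners_on(endpoints, port):
    """TCP sockets bound to `port` in LISTENING state, on both the IPv4 and IPv6 stacks."""
    return [e for e in endpoints
            if e.proto == "TCP" and e.state == "LISTENING" and e.local_port == port]

def established_to(endpoints, remote_port):
    """Live connections whose peer is on `remote_port`: the address worth identifying."""
    return [e for e in endpoints
            if e.state == "ESTABLISHED" and e.remote.rsplit(":", 1)[1] == str(remote_port)]

def describe_owner(pid):
    # PID 4 is always the Windows "System" process: the listener lives in kernel mode.
    if pid == 4:
        return "System (PID 4): kernel-mode listener, no user-mode image to verify"
    return "user-mode PID %d: check its image path and signer in Process Explorer" % pid

if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.platform != "win32" else subprocess.run(
        ["netstat", "-ano"], capture_output=True, text=True).stdout
    for e in listeners_on(parse_netstat(text), 9000):
        print("LISTEN %s:%d  %s" % (e.local_addr, e.local_port, describe_owner(e.pid)))
    for e in established_to(parse_netstat(text), 9000):
        print("ESTABLISHED to %s from PID %d" % (e.remote, e.pid))
```

On Windows the script runs the real `netstat -ano`; elsewhere it falls back to the constructed sample so the parser can be exercised offline.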
noah_sq (ASKER)

Hi optoma. Sorry I didn't respond sooner. The Steve Gibson site is great. Didn't know about it. Thanks. Ran ShieldsUp! and got a very good report - due to having added the router. I have the items you requested. Hope I am able to transmit them correctly. Know about TCPView. There is still one TCP 9000 listening (also there is one TCPV6 listening, not active) but still have seen no further activity since adding router. Downloaded Sysinternals PortMon, too, but cannot get it to run. The process owner for both 9000s is System:4. Got AutoRuns also, and there are a couple of odd Services entries that bring no Google results at all.

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/6/2010 10:25:31 PM
mbam-log-2010-01-06 (22-25-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 269829
Time elapsed: 1 hour(s), 59 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



process-explorer-1.JPG
process-explorer-2.JPG
noah_sq (ASKER)

Didn't send the images correctly - sorry. Can you tell me how to do that? Thanks.
Images are ok that way.
You mention those strange services in Autoruns.

Run Autoruns.
In Autoruns:
Hit Options and check "Verify Code Signatures" and rescan (F5 key).
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn) - the output file is a few megs in size.
Once saved, right-click autoruns.arn and rename it to autoruns.txt to upload.

Have to go for a bit but be back to look at all :)

noah_sq (ASKER)

Refreshed it with "hide Microsoft and Windows entries" checked. Let me know if you want me to uncheck this box and resend.   Thanks.
autoruns.txt.txt
noah_sq (ASKER)

I messed up on the file name (extra .txt). Hope it worked.
noah_sq (ASKER)

Maybe this is better. I scanned again and saved again.
AutoRuns.txt
All looks ok from Process Explorer, and the dead ends left in Autoruns are only from previously removed viruses/malware.

In case there is something still hidden run Combofix.
Read + follow all of its running instructions.
Attach logfile here after
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
noah_sq (ASKER)

ComboFix file. Thanks.
ComboFix.txt
Can't see anything obvious.
Could you plug the machine directly back into the modem and run Active Ports to see if it gives any indication?

http://majorgeeks.com/Active_Ports_d682.html
noah_sq (ASKER)

Hi. TCPView doesn't change when machine is plugged directly into modem (except for established remote connections.) Oddly, when plugged directly into the modem I couldn't reach the internet - got "can't find server" messages from both Google and Firefox. So I didn't do an online port scan minus the router.  Internet access is fine with router connected. The Combofix procedure had a footnote about loss of internet connection so I'll go back and look at that. Or maybe it has to do with installing the router? That did result in an immediate IP address change plus the addition of an internal address.

I've taken a lot of your time and I'm very grateful for your help. I've learned a lot. Let me know if you have any final advice and I will gladly 'accept as solution.' If there is a critter in my machine, I believe it can no longer communicate. I was fortunate to capture the IP address at the other end of the connection. If I can find out "who," it may be easier to find out "what." But that's a separate matter... and it's getting interesting already. Thanks again.

When you connect your machine directly back into the modem, the modem would firstly have to be powered down for 1 min in order to give out an IP address. The machine's IP address may have to be renewed to pick it up, or just reboot the machine. If the port was active again then it wouldn't be wise to close this thread. Possibility that something is still present and we could try other things then.

If you captured the "suspect" address, if you want, email it to me (check profile) and I may be able to help with that, info-wise.
DON'T post it here due to terms :)
noah_sq (ASKER)

Hi. Followed your advice and accessed internet with no problem (no router.) The port is still open. I scanned with both ShieldsUp! and auditmypc. I think both scans, as well as both websites, have their strong points. The grc scan stops at 5000 - I scanned 9000 by a specific request. Auditmypc scan includes 9000 - don't know the complete range. I do know that I'm grateful for both. Will email on the IP. Thanks again.
noah_sq (ASKER)

I have been unable to email you at your address as written. I have not seen an address like this before.
Yahoo will not recognize it.
myname@gmail.com
noah_sq (ASKER)

Hi. Did emails arrive ok?
Nothing as of yet. Check in my profile for the email address. It is my username @gmail.com :)
noah_sq (ASKER)

Hi. Sent one on 13th, one on 14th to optoma@gmail.com. Yahoo reported them as sent. Got no "unable to deliver" notice. That's a little creepy... Wonder where they went. Your name is a bit different on your profile page. Did I use the wrong name?
Yes, add "ee" at the end - without quotes! Optoma is a projector company, so maybe that's who they were sent to!
ASKER CERTIFIED SOLUTION
optoma (United States of America)

noah_sq (ASKER)

Optoma, thanks so much for your help! Will let you know final outcome.
:)