Possible Trojans in Port 5000 ...please help with suggestions...5.5.42

Status
Not open for further replies.

imsohood8424

Programmer
Apr 2, 2004
14
US
I just downloaded Anti-Trojan 5.5.420, and it searches ports, registry and drives and since I'm a newbie I was just wondering how I can solve this problem. The registry and drives came up clean but when it was searching ports, it came up with this log:

Port 135 open.
Port 139 open.
Port 445 open.
Port 1025 open.
Port 1027 open.
Port 1028 open.
Port 1029 open.
Port 1830 open.
Port 5000 open. Possible trojans. Sockets de Troie, Blazer 5

I'm not sure that the program did anything and this is what caused my concern, at the end of this log it said no Trojans found on your system. I went into view all ports and this is the log I found:

135 0.0.0.0:0 SC Listening
445 0.0.0.0:0 SC Listening
1025 0.0.0.0:0 SC Listening
1028 0.0.0.0:0 SC Listening
1029 0.0.0.0:0 SC Listening
1780 0.0.0.0:0 SC Listening
1786 0.0.0.0:0 SC Listening
1795 0.0.0.0:0 SC Listening
1826 0.0.0.0:0 SC Listening
1827 0.0.0.0:0 SC Listening
1830 0.0.0.0:0 SC Listening
5000 0.0.0.0:0 SC Listening
1027 0.0.0.0:0 SC Listening
1780 127.0.0.1:0 localhost Close Wait
1786 127.0.0.1:0 localhost Close Wait
1795 127.0.0.1:0 localhost Close Wait
1826 127.0.0.1:0 localhost Close Wait
1827 127.0.0.1:0 localhost Close Wait
1830 127.0.0.1:0 localhost Close Wait
139 0.0.0.0:0 SC Listening
139 0.0.0.0:0 SC Listening

If anyone is familiar with ports, please help me out, thanks in advance!
 
I think in this case, being a newbie, an easy approach for you that would 1.) help you learn more and 2.) tell you if there are any applications you are not aware of trying to go to the internet is to download the free version of Zonelabs' "zonealarm". This is a free firewall and a very good one. What ZoneAlarm can do is tell you when applications and programs are trying to access the internet. You can then find that possible trojan, if there is one, and remove it. Also make sure you are running a good antivirus program and you keep it up to date.
Good Luck

"evil prospers when good men do nothing"
 
About the list of ports above: that looks normal. You can bring up a command prompt at any time and run netstat -an, and it will show you which ports are open and listening. ZoneAlarm will hide these ports from the internet, so when probes and scans are occurring (all the time) your computer will be invisible to them.

"evil prospers when good men do nothing"
 
Thanks for recommending the product, ZoneAlarm, it's great. But just to make sure that the problem was gone, I ran Anti-Trojan 5.5.420 again with the firewall on and found the same results, and actually found another port that was causing problems. This is the log I got:

----------------------------------------------------
Initializing Anti-Trojan 5.5.420

Begin of search: 4/18/2004 11:56:08 PM

Portscan:

Port 135 open.
Port 139 open.
Port 445 open.
Port 1025 open.
Port 1026 open.
Port 1027 open.
Port 1040 open.
Port 5000 open. Possible trojans. Sockets de Troie, Blazer 5
Port 16691 open.

Registry-Scan:

Drive-Scan:


The following drives/folders have been scanned
c:
Trojans found: Cain 1.5
Path: c:\hp\bin\win32all-146.exe->W32INST.DLL
Trojan removed!


Number of scanned files: 193150

Number of found trojan files: 1

End of search: 4/19/2004 2:19:12 AM

Finished searching.
A restart is necessary to remove all trojans. Please click on the Restart button to shutdown your computer.
----------------------------------------------------


Please tell me if I have anything to worry about and how I can solve this problem.
 
This may help, this is my hijackthis log, please take a look at this and tell me if you see any irregularities:

Logfile of HijackThis v1.97.7
Scan saved at 1:02:48 PM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\PROGRA~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Cleans_Cache\OOCCSVC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Documents and Settings\All Users\Documents\My Music\Direct Connect\Ip Hider\ip hider.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\ZONELA~1\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Direct Connect\DCPlusPlus.exe
C:\Documents and Settings\Sushma chopra\Hijackthis_Adware_Removal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Pop-Up Stopper\CCHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Pop-Up Stopper\popupus.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WFIPS] C:\Documents and Settings\All Users\Documents\My Music\Direct Connect\Ip Hider\ip hider.exe -autoboot
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ Privacy Eraser] C:\Program Files\Privacy Eraser\PrivacyEraser.exe /ErIEIndex
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - 
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - 
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - 
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - 
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - 
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - 
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - 
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - 
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - 
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - 
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B785AFF-86D3-42A3-93FC-CA8A12F81297}: NameServer = 151.203.0.85 151.203.0.84


Appreciate everybody's help on this... thanks again!
 
Port 5000 is open by default on XP, due to the Universal Plug and Play service. While there are a few trojans that will run on that port, from the looks of your logs, you don't have these.
It's a good idea to shut the port down, however, and the easiest way to do this is with grc.com's free utility.
You can also manually close the port by stopping the service and uninstalling UPNP, but the Unplug and Pray program is a lot easier.
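The two replies above (run netstat -an to see what is listening; the port 5000 hit is the XP UPnP/SSDP service, not a trojan) come down to one triage rule: a port number alone tells you nothing, what matters is whether the socket is bound to every interface (0.0.0.0) or only loopback (127.0.0.1), and which Windows component owns it. The script below, added here as an example (it is not code from the original posts, from Anti-Trojan, ZoneAlarm or Microsoft), parses a `netstat -an` listing in the XP column layout and gives that verdict per listening port. It assumes an XP SP1 machine with file and printer sharing on; the port-to-service table covers only the ports discussed in the thread, and the sample listing at the bottom is constructed to mirror them, not a real capture. It also explains why the rescan with ZoneAlarm on gave the same result: the scanner connects to the local sockets directly, while the firewall's "stealth" applies to traffic arriving from the network.

```python
"""Triage of a Windows XP `netstat -an` listing.

Example code added to this thread; not from the original posts, nor from
Anti-Trojan, ZoneAlarm or Microsoft. Assumptions: XP SP1 with file and
printer sharing on, and XP's netstat column layout (Proto, Local Address,
Foreign Address, State). The sample at the bottom is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports the thread discusses and the XP component that normally owns them.
# A port number alone never identifies a trojan; the owning process does.
KNOWN_XP_LISTENERS = {
    135: "RPC endpoint mapper (RpcSs); worm-targeted, keep it firewalled and patched",
    139: "NetBIOS session service (file and printer sharing); firewall it",
    445: "SMB over TCP (file and printer sharing); worm-targeted, firewall it",
    5000: "SSDP Discovery Service, the UPnP listener on XP (SSDPSRV)",
}

# What a port-number signature list (like the thread's scanner) says about 5000.
TROJAN_PORT_SIGNATURES = {5000: ("Sockets de Troie", "Blazer 5")}

# XP's dynamic (ephemeral) TCP range; RPC and local services grab these at boot.
EPHEMERAL_RANGE = range(1025, 5001)

# "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"   (UDP lines carry no state)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Sock:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str


def parse_netstat(text: str) -> list[Sock]:
    """Parse `netstat -an` output; header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            out.append(Sock(proto, addr, int(port), foreign, state or ""))
    return out


def reachable_from_network(s: Sock) -> bool:
    """0.0.0.0 (or an interface address) is reachable; 127.0.0.1 is loopback only."""
    return s.local_addr != "127.0.0.1"


def triage(socks: list[Sock]) -> dict[int, str]:
    """Return {port: verdict} for every TCP socket in LISTENING state."""
    verdicts: dict[int, str] = {}
    for s in socks:
        if s.proto != "TCP" or s.state != "LISTENING":
            continue
        if not reachable_from_network(s):
            verdicts[s.local_port] = "loopback only: not reachable from the network"
            continue
        if s.local_port in KNOWN_XP_LISTENERS:
            v = "expected on XP: " + KNOWN_XP_LISTENERS[s.local_port]
        elif s.local_port in EPHEMERAL_RANGE:
            v = "ephemeral-range listener: confirm the owner with netstat -ano"
        else:
            v = "unexplained listener: identify the owning process before trusting it"
        if s.local_port in TROJAN_PORT_SIGNATURES:
            names = ", ".join(TROJAN_PORT_SIGNATURES[s.local_port])
            v += f"; a port-signature scanner would name {names} here"
        verdicts[s.local_port] = v
    return verdicts


def loopback_pairs(socks: list[Sock]) -> list[int]:
    """Local ports talking to 127.0.0.1 (a local client/server pair, not exposure).

    These are the CLOSE_WAIT entries in the thread's second listing."""
    return sorted({s.local_port for s in socks
                   if s.proto == "TCP" and s.foreign.startswith("127.0.0.1:")})


# Constructed sample modelled on the thread's port list (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16691          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1830         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1830         127.0.0.1:1831         CLOSE_WAIT
  UDP    0.0.0.0:1900           *:*
"""

if __name__ == "__main__":
    for port, verdict in sorted(triage(parse_netstat(SAMPLE)).items()):
        print(f"{port:>6}  {verdict}")
    print("loopback pairs:", loopback_pairs(parse_netstat(SAMPLE)))
```

To use it on the machine in question, save `netstat -an > ports.txt` and feed that text to `parse_netstat` instead of `SAMPLE`. For any port the script reports as ephemeral-range or unexplained, `netstat -ano` (XP's netstat accepts -o) prints the PID of the owning process; that is the check that actually separates a trojan from a legitimate service, and it is the check the port-signature scanner in the thread never performs. After the SSDP service is stopped, the same listing should no longer show a 0.0.0.0:5000 listener.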

 
Thank you so much Xemus, I greatly appreciate your help... One quick question, however: what about the other ports that came up in red in the program? Is there a way to close those programs?

The Unplug n' Pray program was quick and easy. After I disable it, I don't need to have the program on my system or in the background to keep it disabled, do I?



Thanks again for everybody’s help including these guys: ericbrunson and glacierxx...Appreciate it...
 
I'm guessing it's not a big deal if it's not deleted, but after a search I found this file...
C:\WINDOWS\Prefetch\UNPNP[1].EXE-0456743B.pf
 
I accidentally investigated why this port was open yesterday, and it appears that that UPNP port can be heavily exploited (computer freeze and running code). I tested it with a Linux proggy, but didn't manage to freeze my PC though :)
 
On ports 1025 - 1029 go to 
On ports 135-136: port 135 is also exploitable -> download @ for security patch.

On port 445 - also exploitable by viruses & worms.

Basically it's all normal; they are open on a standard config. It's not for nothing they call it Microsoft WINDOWS. There's plenty of ways to get in, heh.
 