Open Ports

Hi
I have just installed Avast and noticed that I have many more open ports than usual. As I write, with just this page open, there are 20 open ports. More to the point, I noticed that my computer was connected to a known problem server (reverse the planet), thought to be a bot collecting email addresses and more (there is a suggestion of online banking fraud on some forums). What I need to know is whether this is normal when Avast AV is installed and, if so, whether it is necessary.
Thanks Tuck

No, that’s certainly not normal.
Maybe some undetected malware is running in the background… I’d suggest checking what application has actually opened these ports (e.g. using TcpView).

Hi Tuck,

When removing malware, one anti-virus program never catches everything. I suggest you take these steps:

  1. Ensure avast! and your anti-spyware programs are up to date.
  2. Download Ewido anti-Trojan Program, install and update.
  3. Download Trend Micro Sysclean and the latest definitions file.
  4. Download a free firewall if you don’t have one.
  5. Go offline.
  6. Run an avast! boot time scan. (If your OS doesn’t allow this, run a normal scan.) When this is done, reboot into safe mode and run Sysclean and Ewido.
  7. Install the firewall. If you have a firewall, check which application has opened the connection if it’s still active -as Igor said- and block it.
  8. Run Process Explorer and check for suspicious processes: bots sometimes have an evil icon in ProcessExplorer. (Nice!)
  9. Post a HijackThis log so we can check you’re clean.

Ewido anti-Trojan:

http://www.ewido.net/en/

Trend Micro Sysclean:

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

Select the one which says: If you are not a Trend Micro customer…

Sysclean definitions (pattern file):

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Instructions and link for HijackThis!

http://www.bleepingcomputer.com/forums/tutorial42.html

Process Explorer:

http://www.sysinternals.com/Utilities/ProcessExplorer.html


Hi
Thanks for the help. I have run everything suggested - found nothing! - phew!

Does Avast run any servers? Just a thought. The connection from reverse the planet was momentary. However, there was a connection. I gathered some more info - it may not be that useful, but it may illustrate what’s happening:

(THIS IS POLLING CONTINUOUSLY, IS IT PART OF AVAST)
explorer.exe:300 824E4D00 IRP_MJ_DEVICE_CONTROL TCP: SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

(IS THIS AVAST POLLING THROUGH LOCALHOST)
3472 82489EF8 TDI_SEND TCP:127.0.0.1:1372 127.0.0.1:1373 SUCCESS Length:1
1501 48.54470163 firefox.exe:3472 8246BB38 TDI_EVENT_RECEIVE TCP:0.0.0.0:1373 127.0.0.1:1372 MORE_PROCESSING_REQUIRED Length:0 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
1502 48.54471387 firefox.exe:3472 826A2F00 TDI_RECEIVE TCP:0.0.0.0:1373 127.0.0.1:1372 SUCCESS

(FIREWALL CLOSED, NO BROWSER OPEN)
ashWebSv.exe:1696 TCP sonscomputer:1359 67.15.193.147:http ESTABLISHED

(FIREWALL UP, BROWSER OPEN WITH BLANK PAGE)
ashWebSv.exe:1696 TCP sonscomputer:1359 ev1s-67-15-193-147.ev1servers.net:http FIN_WAIT1

Ev1Servers.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US

Domain name: EV1SERVERS.NET

Administrative Contact:
Manager, Domain domainmanager@ev1.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US
+1.7133337873 Fax: +1.7139429332

Technical Contact:
Manager, Domain domainmanager@ev1.net
390 Benmar Drive
Suite 200
Houston, TX 77060
US
+1.7133337873 Fax: +1.7139429332

Registration Service Provider:
EV1Servers.net / Everyones Internet, domainmanager@ev1.net
+1.713.333.7873

Registrar of Record: TUCOWS, INC.
Record last updated on 03-May-2005.
Record expires on 31-Jul-2006.
Record created on 31-Jul-2003.

Domain servers in listed order:
NS1.EV1SERVERS.NET 207.218.245.135
NS2.EV1SERVERS.NET 207.218.247.135

Connects to Microsoft, but why is it connecting to mvps.org, which appears to be an association of Microsoft experts? This address is also associated with DNS, but not my ISP’s DNS?

[System Process]:0 TCP SonsComputer:12080 localhost:1104 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1106 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1091 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1094 TIME_WAIT
[System Process]:0 TCP SonsComputer:12080 localhost:1100 TIME_WAIT
[System Process]:0 TCP sonscomputer:1082 mvps.org:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1088 207.46.19.30:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1090 65.54.194.118:http TIME_WAIT
[System Process]:0 TCP sonscomputer:1097 207.46.19.30:http TIME_WAIT
firefox.exe:3700 TCP SonsComputer:1098 localhost:1099 ESTABLISHED
firefox.exe:3700 TCP SonsComputer:1099 localhost:1098 ESTABLISHED
lsass.exe:832 UDP SonsComputer:isakmp :
lsass.exe:832 UDP SonsComputer:4500 :
svchost.exe:1252 UDP SonsComputer:1093 :
svchost.exe:1252 UDP SonsComputer:1025 :
svchost.exe:1252 UDP SonsComputer:1054 :
System:4 TCP SonsComputer:microsoft-ds SonsComputer:0 LISTENING
System:4 TCP sonscomputer:netbios-ssn SonsComputer:0 LISTENING
System:4 UDP SonsComputer:microsoft-ds :
System:4 UDP sonscomputer:netbios-dgm :
System:4 UDP sonscomputer:netbios-ns :

And here’s the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:33, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ZYBAN\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I notice that AVG did not uninstall cleanly. I will now re-install the whole lot again - did someone mention Linux?

Thanks

Tuck

Tuck,
the list of open ports can be easily viewed in TcpView (from Sysinternals.com, as Igor has already suggested). Please run that tool and show your results. It is more useful than dumping TDI commands unless you are in the middle of TDI filter driver debugging.

I don’t know why you should be concerned about IOCTL_TCP_QUERY_INFORMATION_EX - or is there anything you don’t like about this IOCTL call?

If you don’t like TcpView, the same info can be obtained from the following command:
netstat -a -o

combine with the output from:
tasklist
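The join Lukor describes (netstat output cross-referenced with tasklist by PID) can be scripted so that loopback-only listeners such as avast!'s 12080/12025/12110/12143 stand out from ports bound on every interface. The script below is an added example written for this thread, not code from avast! or from any poster; the netstat and tasklist text in it is constructed sample output in the Windows XP format, with PIDs and ports chosen to mirror the listings posted above, so it runs offline. On a real machine you would feed it the output of `netstat -a -n -o` and `tasklist /fo csv /nh` instead.

```python
import csv
import io
import re
from collections import namedtuple
from ipaddress import ip_address

# Constructed sample of `netstat -a -n -o` on Windows XP (not captured from any poster's PC).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1108
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1284
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1436
  TCP    127.0.0.1:12080        127.0.0.1:1666         ESTABLISHED     1436
  TCP    192.168.1.5:1789       216.239.57.18:80       ESTABLISHED     1436
  UDP    0.0.0.0:500            *:*                                    844
"""

# Constructed sample of `tasklist /fo csv /nh` for the same PIDs.
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"lsass.exe","844","Console","0","1,512 K"
"svchost.exe","1028","Console","0","4,632 K"
"svchost.exe","1108","Console","0","3,120 K"
"ashMaiSv.exe","1284","Console","0","2,844 K"
"ashWebSv.exe","1436","Console","0","5,404 K"
"""

Socket = namedtuple("Socket", "proto local_ip local_port foreign state pid")

# One netstat row: proto, local addr:port, foreign addr, optional TCP state, PID.
# UDP rows have no state column, hence the optional group.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return Socket tuples for every data row; headers and blanks are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, ip, port, foreign, state, pid = m.groups()
        sockets.append(Socket(proto, ip, int(port), foreign, state, int(pid)))
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(text))
            if row and row[1].isdigit()}


def classify_scope(ip_text):
    """Who can reach a socket bound to this address."""
    ip = ip_address(ip_text.strip("[]"))  # netstat prints IPv6 as [::]
    if ip.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 / :: -> reachable from the network
    if ip.is_loopback:
        return "loopback-only"      # 127.x / ::1 -> only processes on this PC
    return "interface %s" % ip      # bound to one NIC's address


def listener_report(netstat_text, tasklist_text):
    """Listening sockets joined to their owning process, with reachability."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # established / closing connections are not listeners
        report.append({
            "process": procs.get(s.pid, "<unknown pid %d>" % s.pid),
            "pid": s.pid, "proto": s.proto, "port": s.local_port,
            "scope": classify_scope(s.local_ip),
        })
    return report


def network_exposed(report):
    """The subset an attacker on the network could actually connect to."""
    return [r for r in report if r["scope"] != "loopback-only"]


if __name__ == "__main__":
    rep = listener_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rep:
        print("%-12s pid %-5d %s %-6d %s" % (r["process"], r["pid"], r["proto"], r["port"], r["scope"]))
    print("network-exposed:", sorted(r["port"] for r in network_exposed(rep)))
```

Run against the sample, only 135, 445 and UDP 500 come out as reachable from the network; the avast! proxy ports and the random 1025 port are loopback-only, which is the distinction the rest of this thread keeps coming back to. A listener whose PID maps to nothing in the tasklist output is worth a second look, since a process that hides from tasklist is not something a shield or firewall would do.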

Your HijackThis log indicates you have Spybot; have their scan(s) shown any problems? Their net-integration.net forums have many HijackThis experts willing to help their users.

Hey all,
the ports are “normal”
You’ll notice they are for the mail protection and are listening for incoming. If you go to on access control and more detail you can see which programs are running.
I used Add/Remove in Windows 9x and changed settings, removing Internet Mail and the bat etc.
I have IM protection and Standard Shield since I have ZAP I don’t need much else.
Now I still have 2 ports open and it looks like it’s protection for Windows Messenger, but I don’t have XP (thank God).
I’d like to see them closed too.

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING

Cartel,
1025 is opened only on localhost - as such it is not a NETWORK port, only a local communication channel inside your PC. Without the application name it’s a little tricky to guess, but I think it is the internal communication port for the ZoneAlarm firewall (it is chosen randomly on startup).

135 is used for Windows Networking. If your computer is not connected to a LAN, you might uninstall or, better, disable Windows Networking for your network adapter.

Whatever it is, the ports are open AFTER installing avast so it must be part of it.
When I had Internet Mail on I had even more ports open, and when I shut down avast the ports are gone too.

As Lukor said - yes, avast! opens some ports, but for local access only. You cannot connect to them from outside.

True, and I add and repeat: avast! opens neither port 1025 nor 135.

But if you are SO concerned about open ports, I don’t understand why you don’t run TcpView and show us which process has the port opened!

I know I’m rehashing an old thread, but I now have the reverse the planet email bug, or whatever it is.

It seems to be embedded in my email; I’m using Thunderbird. When I click Get Mail, the little Thunderbird logo pops up in the system tray with the IP address reverse.the.planet.com and some IP number. Now I have run Ewido, Sysclean and Avast at boot time and reformatted my hard drive, and the bloody thing is still there. It must be in my email somewhere. I’m not sure if this is doing anything to my machine, or using my email address for spam, or what it’s doing.

Searching Google only comes up with a couple of entries, not much help.

This is my TCPview log.

ashMaiSv.exe:1284 TCP java-devil:12025 java-devil:0 LISTENING
ashMaiSv.exe:1284 TCP java-devil:12110 java-devil:0 LISTENING
ashMaiSv.exe:1284 TCP java-devil:12119 java-devil:0 LISTENING
ashMaiSv.exe:1284 TCP java-devil:12143 java-devil:0 LISTENING
ashWebSv.exe:1436 TCP java-devil:1788 java-devil:0 LISTENING
ashWebSv.exe:1436 TCP java-devil:1789 java-devil:0 LISTENING
ashWebSv.exe:1436 TCP java-devil:12080 java-devil:0 LISTENING
ashWebSv.exe:1436 TCP java-devil:12080 localhost:1666 ESTABLISHED
ashWebSv.exe:1436 TCP java-devil:12080 localhost:1751 ESTABLISHED
ashWebSv.exe:1436 TCP java-devil:1789 216.239.57.18:http ESTABLISHED
firefox.exe:3708 TCP java-devil:1060 java-devil:0 LISTENING
firefox.exe:3708 TCP java-devil:1666 java-devil:0 LISTENING
firefox.exe:3708 TCP java-devil:1751 java-devil:0 LISTENING
firefox.exe:3708 TCP java-devil:1059 java-devil:0 LISTENING
firefox.exe:3708 TCP java-devil:1059 localhost:1060 ESTABLISHED
firefox.exe:3708 TCP java-devil:1060 localhost:1059 ESTABLISHED
firefox.exe:3708 TCP java-devil:1666 localhost:12080 ESTABLISHED
firefox.exe:3708 TCP java-devil:1751 localhost:12080 ESTABLISHED
lsass.exe:844 UDP java-devil:isakmp :
msmsgs.exe:1080 UDP java-devil:1033 :
msmsgs.exe:1080 UDP java-devil:7267 :
msmsgs.exe:1080 UDP java-devil:62131 :
svchost.exe:1028 TCP java-devil:epmap java-devil:0 LISTENING
svchost.exe:1028 UDP java-devil:epmap :
svchost.exe:1108 TCP java-devil:1025 java-devil:0 LISTENING
svchost.exe:1108 UDP java-devil:1028 :
svchost.exe:1108 UDP java-devil:ntp :
svchost.exe:1108 UDP java-devil:ntp :
svchost.exe:1252 UDP java-devil:1029 :
svchost.exe:1252 UDP java-devil:1065 :
svchost.exe:1252 UDP java-devil:1067 :
svchost.exe:1252 UDP java-devil:1069 :
svchost.exe:1252 UDP java-devil:1071 :
svchost.exe:1252 UDP java-devil:1072 :
svchost.exe:1252 UDP java-devil:1073 :
svchost.exe:1252 UDP java-devil:1074 :
svchost.exe:1320 TCP java-devil:5000 java-devil:0 LISTENING
svchost.exe:1320 UDP java-devil:1900 :
svchost.exe:1320 UDP java-devil:1900 :
System:4 TCP java-devil:microsoft-ds java-devil:0 LISTENING
System:4 TCP java-devil:netbios-ssn java-devil:0 LISTENING
System:4 UDP java-devil:microsoft-ds :
System:4 UDP java-devil:netbios-ns :
System:4 UDP java-devil:netbios-dgm :
THUNDE~1.EXE:3456 TCP java-devil:1054 java-devil:0 LISTENING
THUNDE~1.EXE:3456 TCP java-devil:1053 java-devil:0 LISTENING
THUNDE~1.EXE:3456 TCP java-devil:1053 localhost:1054 ESTABLISHED
THUNDE~1.EXE:3456 TCP java-devil:1054 localhost:1053 ESTABLISHED

Bullseye, are you, for any reason, using Azureus (P2P)?

Tech,

I rather think that it is just that this user has chosen to use as a system name “java-devil”

Bullseye,

what is this “Thunderbird logo” that pops up in the system tray? There is no Thunderbird icon that appears in the system tray to my knowledge.

Do you mean the “blue light” icon that is placed in the system tray by avast when it is intercepting e-mail?

Probably worth checking your email accounts in Thunderbird to make sure nothing unexpected is there.

Also worth checking your hosts file (in Win XP C:\Windows\System32\DRIVERS\etc folder) to make sure that no overrides have been placed in there.
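A hosts-file check of the kind Alanrf recommends can be automated: the stock Windows hosts file contains only `127.0.0.1 localhost`, so any other mapping is an override the resolver will honour without ever asking DNS, which is exactly how a redirect to a "problem server" or a silent block on AV updates gets planted. The script below is an added example, not from the thread or from any tool named in it; the hosts file text in it is constructed, with `.example` names standing in for a bank or ad host, so it runs without touching the real file. Point `parse_hosts` at the contents of `C:\Windows\System32\drivers\etc\hosts` to check a live system.

```python
from collections import namedtuple
from ipaddress import ip_address

# Constructed sample hosts file (not anyone's real file): the stock entry plus
# three overrides of the kind a check should surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.avast.com          # update checks for the AV silently fail
10.0.0.99       onlinebanking.example  # login page now served by a stranger's host
0.0.0.0         ads.example            # typical ad-blocking entry, benign
"""

HostEntry = namedtuple("HostEntry", "lineno ip name")
STOCK_NAMES = {"localhost"}   # the only name Windows ships in the file


def parse_hosts(text):
    """One HostEntry per hostname; comments and malformed lines are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                          # not an address -> not a mapping
        for name in fields[1:]:               # one line may carry several aliases
            entries.append(HostEntry(lineno, ip, name.lower()))
    return entries


def find_overrides(text):
    """Return (lineno, ip, name, kind) for every entry that is not the stock one."""
    findings = []
    for e in parse_hosts(text):
        if e.name in STOCK_NAMES and e.ip.is_loopback:
            continue                          # the one entry Windows ships with
        if e.name in STOCK_NAMES:
            kind = "localhost-hijacked"       # localhost pointed off the machine
        elif e.ip.is_loopback or e.ip.is_unspecified:
            kind = "blackholed"               # name unreachable: check it is not an AV/update/OS host
        else:
            kind = "redirected"               # name answered by an IP the user never chose
        findings.append((e.lineno, str(e.ip), e.name, kind))
    return findings


if __name__ == "__main__":
    for lineno, ip, name, kind in find_overrides(SAMPLE_HOSTS):
        print("line %d: %-22s -> %-10s %s" % (lineno, name, ip, kind))
```

"Blackholed" entries need a human decision (an ad host is fine, an AV vendor is not); "redirected" entries are the ones that matter most, since the browser will show the expected name while talking to a host somebody else picked. Note the point Bullseye makes later in the thread: a fresh format removes the file, so an override that comes back is being written by something that is still installed.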

Bullseye, in this case I would definitely run lspfix and/or HijackThis. I see several unknown open ports inside the WebShield process. WebShield does not open these ports; the only way they can be opened inside the WebShield process is by a DLL loaded into it (e.g. an LSP DLL or some other hooking DLL). However, the same technique is used by some firewalls (e.g. ZoneAlarm), so this mere fact does not necessarily mean there is something unwanted running on your PC. It might be interesting to know whose ports these are.

Lukas.

Thanks guys,
I’ll try lspfix and/or hijackthis and post my reports.

Alanrf: I don’t think it’s any hosts file; I’ve just reformatted the drive, so unless when I start Thunderbird up it’s dropping a hosts file in the system32 directory… but I’ll check it out.

Okay, here’s my HijackThis log. I don’t see any unfamiliar exe’s running.

I did a Google for Ispfix and couldn’t find it; have you got any links for it?

cheers

Logfile of HijackThis v1.99.1
Scan saved at 10:42:49 AM, on 24/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
\Wyndorf\Duncs\software\anti virus software\hijackthis\New\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Nor do I. Lspfix can be downloaded here:
http://www.cexx.org/lspfix.htm

It seems that we have come no closer to determining the cause of Bullseye’s unfortunate encounter with reverse.the.planet during the Thunderbird session.