Open Ports

[Tuck]

Hi
I have just installed Avast and noticed that I have many more open ports that usual.  As I write, just this page open, there are 20 open ports.  More to the point, I noticed that my computer was connected to a know problem server (reverse the planet), thought to be a bot colletting email address and more (there is a suggestion of on line banking fraud on some forums).  What I need to know is wether this is normal when Avast AV is installed and if so is it necessary. 
Thanks Tuck

[igor]

No, that's certainly not normal.
Maybe an undetected malware is running on background... I'd suggest to check what application has actually opened these ports (e.g. using TcpView).

[FreewheelinFrank]

Hi Tuck,

When removing malware, one anti-virus program never catches everything. I suggest you take these steps:

1. Ensure avast! and your anti-spyware programs are up to date.
2. Download Ewido anti-Trojan Program, install and update.
3. Download Trend Micro Sysclean and the latest definitions file.
4. Download a free firewall if you don't have one.
5. Go off line.
6. Run an avast! boot time scan. (If your OS doesn't allow this, run a normal scan.) When this is done, reboot into safe mode and run Sysclean and Ewido.
7. Install the firewall. If you have a firewall, check which application has opened the connection if it's still active -as Igor said- and block it.
8. Run Process Explorer and check for suspicious processes: bots sometimes have an evil icon in ProcessExplorer. (Nice!)
9. Post a HijackThis log so we can check you're clean.

Ewido anti-Trojan:

http://www.ewido.net/en/

Trend Micro Sysclean:

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

Select the one which says: If you are not a Trend Micro customer...

Sysclean definitions (pattern file):

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Instructions and link for HijackThis!

http://www.bleepingcomputer.com/forums/tutorial42.html

Process Explorer:

http://www.sysinternals.com/Utilities/ProcessExplorer.html

[Tuck]

Hi
Thanks for the help.   I have run everything suggested - found nothing! - phew! 

Does Avast run any servers?  Just a thought.  The connection from reverse the planet was momentary.  However there was a connection.  I gathered some more info - it may not be that usefull, but it may illustrate whats happening:

(THIS IS POLLING CONTINUOUSLY,IS IT PART OF AVAST)
explorer.exe:300   824E4D00   IRP_MJ_DEVICE_CONTROL   TCP:<none>      SUCCESS   IOCTL_TCP_QUERY_INFORMATION_EX   (THIS IS POLLING CONTINUOUSLY,IS IT PART OF AVAST)

(IS THIS AVAST POLLING THROUGH LOCALHOST)
3472   82489EF8   TDI_SEND   TCP:127.0.0.1:1372   127.0.0.1:1373   SUCCESS   Length:1    
1501   48.54470163   firefox.exe:3472   8246BB38   TDI_EVENT_RECEIVE   TCP:0.0.0.0:1373   127.0.0.1:1372   MORE_PROCESSING_REQUIRED   Length:0 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH    
1502   48.54471387   firefox.exe:3472   826A2F00   TDI_RECEIVE   TCP:0.0.0.0:1373   127.0.0.1:1372   SUCCESS   

   
(FIREWALL CLOSED, NO BROWSER OPEN)
ashWebSv.exe:1696   TCP   sonscomputer:1359   67.15.193.147:http   ESTABLISHED

(FIREWALL UP, BROWSER OPEN WITH BLANK PAGE)
ashWebSv.exe:1696   TCP   sonscomputer:1359   ev1s-67-15-193-147.ev1servers.net:http   FIN_WAIT1   

Ev1Servers.net
 390 Benmar Drive
 Suite 200
 Houston, TX 77060
 US

 Domain name: EV1SERVERS.NET

 Administrative Contact:
    Manager, Domain  domainmanager@ev1.net
    390 Benmar Drive
    Suite 200
    Houston, TX 77060
    US
    +1.7133337873    Fax: +1.7139429332

 Technical Contact:
    Manager, Domain  domainmanager@ev1.net
    390 Benmar Drive
    Suite 200
    Houston, TX 77060
    US
    +1.7133337873    Fax: +1.7139429332

 Registration Service Provider:
    EV1Servers.net / Everyones Internet, domainmanager@ev1.net
    +1.713.333.7873

 Registrar of Record: TUCOWS, INC.
 Record last updated on 03-May-2005.
 Record expires on 31-Jul-2006.
 Record created on 31-Jul-2003.

 Domain servers in listed order:
    NS1.EV1SERVERS.NET   207.218.245.135
    NS2.EV1SERVERS.NET   207.218.247.135

Connects to microsoft, but why is is it connecting to mvps.org wich appears to be an association of microsoft experts?.  This address is also associated with dns, but not my isp's dns?
   
[System Process]:0   TCP   SonsComputer:12080   localhost:1104   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1106   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1091   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1094   TIME_WAIT   
[System Process]:0   TCP   SonsComputer:12080   localhost:1100   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1082   mvps.org:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1088   207.46.19.30:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1090   65.54.194.118:http   TIME_WAIT   
[System Process]:0   TCP   sonscomputer:1097   207.46.19.30:http   TIME_WAIT   
firefox.exe:3700   TCP   SonsComputer:1098   localhost:1099   ESTABLISHED   
firefox.exe:3700   TCP   SonsComputer:1099   localhost:1098   ESTABLISHED   
lsass.exe:832   UDP   SonsComputer:isakmp   *:*      
lsass.exe:832   UDP   SonsComputer:4500   *:*      
svchost.exe:1252   UDP   SonsComputer:1093   *:*      
svchost.exe:1252   UDP   SonsComputer:1025   *:*      
svchost.exe:1252   UDP   SonsComputer:1054   *:*      
System:4   TCP   SonsComputer:microsoft-ds   SonsComputer:0   LISTENING   
System:4   TCP   sonscomputer:netbios-ssn   SonsComputer:0   LISTENING   
System:4   UDP   SonsComputer:microsoft-ds   *:*      
System:4   UDP   sonscomputer:netbios-dgm   *:*      
System:4   UDP   sonscomputer:netbios-ns   *:*

And Here's the Highjackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:33, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ZYBAN\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:4001
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I notice that AVG did not uninstall cleanly.  I will now re-install the whole lot again - did some one mention Linux.

Thanks

Tuck

[lukor]

Tuck,
the list of opened ports can be easily viewed in TcpView (from Sysinternals.com, as Igor has already suggested). Please run that tool and show your results. It is more usefull than dumping TDI commands unless you are in the middle of TDI filter driver debugging.

I don't know why you should be concerned about IOCTL_TCP_QUERY_INFORMATION_EX - or is anything you don't like about this IOCTL call? 

If you don't like TcpView, the same info can be obtained from the following command:
netstat -a -o

combine with the output from:
tasklist

[Spiritsongs]

  Your HijackThis log indicates you have Spybot; have their scan(s) shown
     any problems ? Their net-integration.net forums have many HijackThis
     Experts willing to help their Users.

[cartel]

Hey all,
the ports are "normal"
You'll notice they are for the mail protection and are listening for incoming. If you go to on access control and more detail you can see which programs are running.
I used add\remove in windows9X and Changed settings, removing internet mail and the bat etc.
I have IM protection and Standard Shield since I have ZAP I don't need much else.
Now I still have 2 ports open and it looks like its protection for windows messenger but I don't have XP (thank God)
I'd like to see them closed too.

TCP   0.0.0.0:135   0.0.0.0:0   LISTENING   
TCP   127.0.0.1:1025   0.0.0.0:0   LISTENING   

[lukor]

Cartel,
1025 is opened only on localhost - as such it is not NETWORK port, only local communicatio channel inside your PC. Without the application name it a little tricky to guess, but I thinkg it is the internal communication port for ZoneAlarm firewall (it is choosen randomly on startup).

135 is used for Windows Networking. If your computer is not connected to LAN, you might uninstall or better disable Windows Networking for your network adapter.

[cartel]

Whatever it is, the ports are open AFTER installing avast so it must be part of it.
When I had the internet mail on I had even more ports open and when it shutdown avast the ports are gone too.

[igor]

As Lukor said - yes, avast! opens some ports, but for local access only. You cannot connect to them from outside.

[lukor]

As Lukor said - yes, avast! opens some ports, but for local access only. You cannot connect to them from outside.

True and I add and repeat: avast! does not open neither port 1025 nor 135.

But if you are SO concerned about opened ports, I don't understand, why don't you run TcpView and show us which process has the port opened!!!???

[Bullseye]

I know I'm rehashing an old thread but I now have
the reverse the planet email bug, or whatever it is.

It seems to be imbedded in my email, I'm using Thunderbird.
When I click get mail the little thundbird logo pops up in the sytem tray
with the ip address reverse.the.planet.com and some ip number.
Now I have ran Ewido, syclean and Avast at boot time and reformatted
my harddrive and the bloody thing is still there.
It must be in my email somewhere, I'm not sure if this is doing anything to my
machine or using my email address for spam or what its doing.

Seaching Google only comes up with a couple of entries, not
much help.

This is my TCPview log.

ashMaiSv.exe:1284   TCP   java-devil:12025   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12110   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12119   java-devil:0   LISTENING   
ashMaiSv.exe:1284   TCP   java-devil:12143   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:1788   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:1789   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:12080   java-devil:0   LISTENING   
ashWebSv.exe:1436   TCP   java-devil:12080   localhost:1666   ESTABLISHED   
ashWebSv.exe:1436   TCP   java-devil:12080   localhost:1751   ESTABLISHED   
ashWebSv.exe:1436   TCP   java-devil:1789   216.239.57.18:http   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1060   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1666   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1751   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1059   java-devil:0   LISTENING   
firefox.exe:3708   TCP   java-devil:1059   localhost:1060   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1060   localhost:1059   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1666   localhost:12080   ESTABLISHED   
firefox.exe:3708   TCP   java-devil:1751   localhost:12080   ESTABLISHED   
lsass.exe:844   UDP   java-devil:isakmp   *:*      
msmsgs.exe:1080   UDP   java-devil:1033   *:*      
msmsgs.exe:1080   UDP   java-devil:7267   *:*      
msmsgs.exe:1080   UDP   java-devil:62131   *:*      
svchost.exe:1028   TCP   java-devil:epmap   java-devil:0   LISTENING   
svchost.exe:1028   UDP   java-devil:epmap   *:*      
svchost.exe:1108   TCP   java-devil:1025   java-devil:0   LISTENING   
svchost.exe:1108   UDP   java-devil:1028   *:*      
svchost.exe:1108   UDP   java-devil:ntp   *:*      
svchost.exe:1108   UDP   java-devil:ntp   *:*      
svchost.exe:1252   UDP   java-devil:1029   *:*      
svchost.exe:1252   UDP   java-devil:1065   *:*      
svchost.exe:1252   UDP   java-devil:1067   *:*      
svchost.exe:1252   UDP   java-devil:1069   *:*      
svchost.exe:1252   UDP   java-devil:1071   *:*      
svchost.exe:1252   UDP   java-devil:1072   *:*      
svchost.exe:1252   UDP   java-devil:1073   *:*      
svchost.exe:1252   UDP   java-devil:1074   *:*      
svchost.exe:1320   TCP   java-devil:5000   java-devil:0   LISTENING   
svchost.exe:1320   UDP   java-devil:1900   *:*      
svchost.exe:1320   UDP   java-devil:1900   *:*      
System:4   TCP   java-devil:microsoft-ds   java-devil:0   LISTENING   
System:4   TCP   java-devil:netbios-ssn   java-devil:0   LISTENING   
System:4   UDP   java-devil:microsoft-ds   *:*      
System:4   UDP   java-devil:netbios-ns   *:*      
System:4   UDP   java-devil:netbios-dgm   *:*      
THUNDE~1.EXE:3456   TCP   java-devil:1054   java-devil:0   LISTENING   
THUNDE~1.EXE:3456   TCP   java-devil:1053   java-devil:0   LISTENING   
THUNDE~1.EXE:3456   TCP   java-devil:1053   localhost:1054   ESTABLISHED   
THUNDE~1.EXE:3456   TCP   java-devil:1054   localhost:1053   ESTABLISHED   

[Lisandro]

Bullseye, are you, for any reason, using Azureus (P2P)?

[alanrf]

Tech,

I rather think that it is just that this user has chosen to use as a system name "java-devil"

[alanrf]

Bullseye,

what is this "Thunderbird logo" that pops up in the system tray?  There is no Thunderbird icon that appears in the system tray to my knowledge.

Do you mean the "blue light" icon that is placed in the system tray by avast when it is intercepting e-mail?

Probably worth checking your email accounts in Thunderbird to make sure nothing unexpected is there.

Also worth checking your hosts file (in Win XP C:\Windows\System32\DRIVERS\etc folder) to make sure that no overrides have been placed in there.