   Mischel Internet Security Forum
   Port 9999/TCP is open, how to correct?
PatrickJ
Port 9999/TCP is open, how to correct?
« on: Jun 26th, 2007, 3:54pm »

TH is telling me that this port is open w/8 different entries.  However, GRC test is telling me that it's "stealth".  Is there a way to delete the 8 TH entries that show up EVERY time I do a scan?  How?

Magnus
Re: Port 9999/TCP is open, how to correct?
« Reply #1 on: Jun 26th, 2007, 4:55pm »

Is TrojanHunter saying which process is using the port?

PatrickJ
Re: Port 9999/TCP is open, how to correct?
« Reply #2 on: Jun 26th, 2007, 6:40pm »

It says:
 
(matches ForcedEntry.100)
(matches infra.100)
(matches Prayer.120)
(matches Prayer.130)
(matches Skipper.100)
(matches SpaceAce.100)
(matches TakeOver.200)
(matches TakeOver.300)

Then there is a notation out to the side of each one that says (Tell me more about Port Alerts).  They all show up EACH time a quick scan is run.  Can't find a way to clear them up; r/click deletes, but then they come right back.  Is there a solution for this, or am I going to have to live w/it?

Magnus
Re: Port 9999/TCP is open, how to correct?
« Reply #3 on: Jun 26th, 2007, 7:10pm »

If you download and run TCPView from http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx - does it tell you which process is using port 9999?

PatrickJ
Re: Port 9999/TCP is open, how to correct?
« Reply #4 on: Jun 26th, 2007, 8:22pm »

Dl'd and ran.  Nothing shows up on that port.  Think this may be a False Positive, but it's frustrating for those notifications to pop up on every scan.  Ran GRC to specifically test that port and came up "Stealth".  Maybe much ado about nothing, huh?

siliconman01
Re: Port 9999/TCP is open, how to correct?
« Reply #5 on: Jun 27th, 2007, 1:17am »

Welcome to the forum PatrickJ,
 
I did a bit of checking concerning Port 9999.  It is difficult to determine if a non-malicious program might be opening this port.  The fact that the port re-opens after you reboot your computer is "unusual".  I recommend the following to "err on the safe side".
 
1.  Download/install/run F-Secure's Blacklight rootkit detector.
 
http://www.f-secure.com/blacklight/blacklight.html
 
Be sure to download Blacklight, not F-Secure Internet Security Suite.
 
2.  Run a remote total system scan with Kaspersky.  You will need to use Internet Explorer to access this site because it needs to download/install an ActiveX.  BE SURE your normal AV is closed down while doing this remote scan so that it does not conflict with Kaspersky.  
 
http://www.kaspersky.com/virusscanner
 
Please post back as to whether either of these two programs finds anything malicious and we can go from there.
 
Keep in mind that a port that is reported as stealthed by GRC only means that the port is not responding to an external probe.  A program on your system could still be using 9999 to send out info or bring in something, etc.
« Last Edit: Jun 27th, 2007, 1:22am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
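
An added example, not part of the original thread: the distinction made in the reply above (a port that GRC reports as stealthed can still be in use by a local program) can be checked on the machine itself by parsing `netstat -ano` output for port 9999 on either side of a socket. The netstat sample is constructed, and the function names are illustrative.

```python
from collections import namedtuple

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:9999         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:1045      203.0.113.7:9999       ESTABLISHED     1432
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:9999           *:*                                    2044
"""

Socket = namedtuple("Socket", "proto local remote state pid")

def port_of(endpoint):
    """Port of 'addr:port' or '[v6]:port'; None for the UDP wildcard '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield one Socket per TCP/UDP row; header and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if len(fields) == 4:              # UDP rows carry no State column
            fields.insert(3, "")
        if len(fields) == 5 and fields[4].isdigit():
            yield Socket(*fields[:4], int(fields[4]))

def sockets_using_port(text, port, proto="TCP"):
    """Return (socket, reason) for each `proto` socket touching `port`."""
    hits = []
    for s in parse_netstat(text):
        if s.proto != proto:
            continue
        if port_of(s.local) == port:      # a program on this machine holds the port
            hits.append((s, "local " + (s.state or "bound")))
        elif port_of(s.remote) == port:   # outbound use, not seen by an inbound probe
            hits.append((s, "outbound"))
    return hits

if __name__ == "__main__":
    for s, why in sockets_using_port(SAMPLE_NETSTAT, 9999):
        print(f"PID {s.pid}: {s.local} -> {s.remote} ({why})")
```

The PID column can then be matched against the process list to name the program, which is the question TCPView answers interactively.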
PatrickJ
Re: Port 9999/TCP is open, how to correct?
« Reply #6 on: Jun 27th, 2007, 9:04am »

Ok, dl'd and ran both of the programs.  Blacklight reported: No Hidden Files found.
 
On the Kaspersky scan, SAID it found 15 different infections, and they were all locked.  I really don't believe that as a number of the 15 were naming PREVX as the culprit and really had to laugh at that.  Prevx is a spyware/malware detector that has removed at least one difficult-to-remove infection and is a very sharp program.  Other notifications stated "Not a virus, no definition" so scratch those.  Computer is running smooth and I may have become paranoid in my old age.  I thank both of you for the help rendered but unless my machine just locks up, gonna let it do its thing for the time being.

siliconman01
Re: Port 9999/TCP is open, how to correct?
« Reply #7 on: Jun 27th, 2007, 11:23am »

Security paranoia is a good thing to have at any age nowadays.
 
Kaspersky doesn't like it when there are other security programs trying to do their thing.

PatrickJ
Re: Port 9999/TCP is open, how to correct?
« Reply #8 on: Jun 27th, 2007, 2:32pm »

Guess it is.  Tell ya what I did:  made an image of my HD, then uninstalled NOD32, also had to uninstall Comodo FW, then installed trial version of Kaspersky and ran it.  Said it found these three:
 
1. C:\SystemVolumeInfo\restore{522aa546-bde3-4168-a439-cc5b3810cc6} RP14\A0004445.exe
 
2. Documents and Settings \Services.exe
 
3.  C:\Recycler \ services.exe
 
All three pointed to: BackDoor.Win32.sdbot.bgy
 
When I tried to delete them, it only would get rid of the first one.  Other two were listed as "File Not Found".  When looking the stated trojan up for info was told on Kaspersky's site that this could be just an offset of another trojan.  Yea, lotta work for nothing.
 
Wrote 'em all down, restored my image and am gonna forget this.

siliconman01
Re: Port 9999/TCP is open, how to correct?
« Reply #9 on: Jun 27th, 2007, 2:55pm »

After you restored your system, do you have a file named Services.exe in the folder C:\Documents and Settings?  Services.exe should be in C:\Windows\System32.
 
Services.exe in locations other than C:\Windows\System32 is most likely a malicious file.  
 
If you do have Services.exe in C:\Documents and Settings, would you please submit it to Mischel Internet Security for analysis.  The link below describes how to submit.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
The link below describes how to get rid of the malicious file in your System Volume Information folder.
 
http://www.misec.net/forum/board/FAQ/1139255588
« Last Edit: Jun 27th, 2007, 2:57pm by siliconman01 »
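
An added example, not part of the original thread: the location rule from the reply above applied to a file listing, with Windows paths compared case-insensitively and after resolving `/` and `..`. The listing is constructed from the folder names mentioned in the thread, and `C:\Windows\System32` as the only expected folder is an assumption passed as a parameter.

```python
import ntpath

# Rule from the reply above: services.exe belongs in C:\Windows\System32.
# Assumption: Windows is installed on C:; pass expected_dirs to override.
EXPECTED_DIRS = (r"C:\Windows\System32",)

def _norm(path):
    """Canonical form for comparison: Windows paths are case-insensitive,
    accept '/' as a separator, and may contain '..' components."""
    return ntpath.normcase(ntpath.normpath(path.strip()))

def misplaced(paths, name="services.exe", expected_dirs=EXPECTED_DIRS):
    """Return the paths whose file name is `name` but whose folder is not
    one of `expected_dirs`. Other file names are ignored."""
    allowed = {_norm(d) for d in expected_dirs}
    flagged = []
    for p in paths:
        folder, leaf = ntpath.split(_norm(p))
        if leaf != name.lower():
            continue
        if folder not in allowed:
            flagged.append(p)     # keep the original spelling for the report
    return flagged

# Constructed listing, e.g. what `dir /s /b C:\services.exe` might print.
# Folder names follow the locations mentioned in the thread.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\Documents and Settings\Services.exe",
    r"C:\RECYCLER\services.exe",
    r"C:/windows/system32/drivers/../services.exe",   # resolves to System32
    r"C:\WINDOWS\system32\drivers\services.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for hit in misplaced(SAMPLE_LISTING):
        print("review:", hit)
```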
PatrickJ
Re: Port 9999/TCP is open, how to correct?
« Reply #10 on: Jun 27th, 2007, 3:23pm »

No, the only one of that boy resides in the windows/system32 folder.  That was the first search I ran AFTER restoring my image to check it.  Sorry, should have mentioned that in my prior post.  I'm good to go!
 
Edit:  Also failed to mention the 2nd thing I did was stop System Restore, all restores deleted, rebooted and then turned it back on.
« Last Edit: Jun 27th, 2007, 3:26pm by PatrickJ »