#1
Hi all,

Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...

> > PORT STATE SERVICE
> > 80/tcp open http
> > 443/tcp open https

Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...

Suspiciously, these ports should not open...

Now what shall I do? And how can I close the ports on XP sp2?

Thanks a lot!

#2

From: "networm" <networm8848@yahoo.com>

| Hi all,
|
| Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...
|
| >>> PORT STATE SERVICE
| >>> 80/tcp open http
| >>> 443/tcp open https
|
| Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...
|
| Suspiciously, these ports should not open...
|
| Now what shall I do? And how can I close the ports on XP sp2?
|
| Thanks a lot!

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
  http://www.lavasoft.de/
  http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
  http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC.

* BHODemon
  http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
  http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.

The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#3

Ports by default are not open or closed; they just sit there, ready to be used by an application that needs them.

One of the roles of a Firewall is to keep ports closed for traffic unless one of the applications that you are using requests a port for its own use; therefore it is a very good idea to use a Firewall.

The email that you received is a little odd; unless a Trojan is capable of transmitting your email address, it is unlikely that he can infer your email address from an IP number. In other words, it might be a “prank” email.

Basic Protection for a Broadband Internet connection should consist of:

1. Router's NAT Firewall (even if you have only one computer).
2. Software Firewall (Why? See here, http://www.ezlan.net/firewall.html ).
3. Antivirus Program.
4. AntiSpy Program.

A good security suite can be assembled by using very good Free programs, http://www.ezlan.net/security.html

Microsoft is currently Beta testing a comprehensive One Care program that might be a good substitute for the software that is mentioned above.

http://beta.windowsonecare.com/Betaentry.aspx

If you are already infected this might help,

Internet Infestation: http://www.ezlan.net/infestation.html

Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html

Jack (MVP-Networking).

"networm" <networm8848@yahoo.com> wrote in message news:erGbQ4u9FHA.3132@TK2MSFTNGP12.phx.gbl...
> Hi all,
>
> Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...
>
> > > PORT STATE SERVICE
> > > 80/tcp open http
> > > 443/tcp open https
>
> Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...
>
> Suspiciously, these ports should not open...
>
> Now what shall I do? And how can I close the ports on XP sp2?
>
> Thanks a lot!

#4

You need to either disable or remove the application/process that is using the port or use a firewall that can block outbound traffic. In your case you really want to find the offending application/process and remove it using additional malware and spyware detection and removal programs, since your initial attempt seems to have failed. You can use programs such as the free one called TCPView that will show what process/executable is using the offending port, which may help you determine what is going on. Autoruns from will show you your various startup programs and you might be able to disable it there or see if it is installed as a service and stop and disable the service. Though that may help, you really want to try additional programs to try and find and remove the rogue program. Also be sure to scan in Safe Mode and check that any malware/spyware program you use is using the latest up-to-date definitions that you can download from the vendor's website. --- Steve

http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.microsoft.com/athome/secu...s/default.mspx --- MS info on viruses and worms.

"networm" <networm8848@yahoo.com> wrote in message news:erGbQ4u9FHA.3132@TK2MSFTNGP12.phx.gbl...
> Hi all,
>
> Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...
>
> > > PORT STATE SERVICE
> > > 80/tcp open http
> > > 443/tcp open https
>
> Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...
>
> Suspiciously, these ports should not open...
>
> Now what shall I do? And how can I close the ports on XP sp2?
>
> Thanks a lot!
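
Added example, not written by any poster in this thread: the port-to-process check described in post #4, done with the built-in `netstat -ano` instead of TCPView. This Python script parses a constructed sample of that output (addresses and PIDs are made up) and groups rows that touch ports 80, 443 and 1243 by owning PID, separating listening ports from outbound connections.

```python
import re
from collections import defaultdict

WATCHED_PORTS = {80, 443, 1243}  # ports named in the thread
# Constructed sample of Windows `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.20:1059      203.0.113.7:1243       ESTABLISHED     2456
  TCP    192.168.1.20:1060      198.51.100.9:80        ESTABLISHED     3104
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows only: proto, local addr:port, foreign addr:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")

def triage(netstat_text, watched=WATCHED_PORTS):
    """Return {pid: [(kind, port, peer), ...]} for TCP rows touching a watched port."""
    findings = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, blank lines, UDP rows
        _laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING":
            if lport in watched:  # an "open port": a process accepting connections
                findings[pid].append(("listening", lport, None))
        elif rport in watched:  # this host connected out to a watched remote port
            findings[pid].append(("outbound", rport, raddr))
        elif lport in watched:  # a peer is connected to a watched local port
            findings[pid].append(("inbound", lport, raddr))
    return dict(findings)

def report(findings):
    """Render findings as one line per socket, ordered by PID."""
    lines = []
    for pid in sorted(findings):
        for kind, port, peer in findings[pid]:
            peer_txt = "" if peer is None else f", peer {peer}"
            lines.append(f"PID {pid}: {kind} on port {port}{peer_txt}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_NETSTAT))))
```

On a real machine, feed it the saved output of `netstat -ano` and look up each PID in Task Manager's PID column. A process that shows up as outbound is not affected by unchecking Windows Firewall exceptions, which govern inbound connections only.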

#5

networm wrote:
> Hi all,
>
> Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...
>
> > > PORT STATE SERVICE
> > > 80/tcp open http
> > > 443/tcp open https
>
> Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...
>
> Suspiciously, these ports should not open...
>
> Now what shall I do? And how can I close the ports on XP sp2?
>
> Thanks a lot!

Port 80 is webserver just as the list tells you. Are you running Apache or another webserver?

--
http://www.americantechie.com

#6

"Jack" <JackMDS@verizon.net> wrote in message news:%23iZzMOv9FHA.2676@TK2MSFTNGP15.phx.gbl...
> Ports by default are not open or closed; they just sit there, ready to be used by an application that needs them.
>
> One of the roles of a Firewall is to keep ports closed for traffic unless one of the applications that you are using requests a port for its own use; therefore it is a very good idea to use a Firewall.
>
> The email that you received is a little odd; unless a Trojan is capable of transmitting your email address, it is unlikely that he can infer your email address from an IP number. In other words, it might be a “prank” email.
>
> Basic Protection for a Broadband Internet connection should consist of:
>
> 1. Router's NAT Firewall (even if you have only one computer).
> 2. Software Firewall (Why? See here, http://www.ezlan.net/firewall.html ).
> 3. Antivirus Program.
> 4. AntiSpy Program.
>
> A good security suite can be assembled by using very good Free programs, http://www.ezlan.net/security.html
>
> Microsoft is currently Beta testing a comprehensive One Care program that might be a good substitute for the software that is mentioned above.
>
> http://beta.windowsonecare.com/Betaentry.aspx
>
> If you are already infected this might help,
>
> Internet Infestation: http://www.ezlan.net/infestation.html
>
> Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html
>
> Jack (MVP-Networking).

The email was forwarded by our security office. The sender found out our organization and sent it to our security office...

Anyway, I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the ports is too much for me...

I just want to close the ports...

Thanks a lot!

#7

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:BpmdnZerDpb_WBLenZ2dnUVZ_tSdnZ2d@comcast.com...
> You need to either disable or remove the application/process that is using the port or use a firewall that can block outbound traffic. In your case you really want to find the offending application/process and remove it using additional malware and spyware detection and removal programs, since your initial attempt seems to have failed. You can use programs such as the free one called TCPView that will show what process/executable is using the offending port, which may help you determine what is going on. Autoruns from will show you your various startup programs and you might be able to disable it there or see if it is installed as a service and stop and disable the service. Though that may help, you really want to try additional programs to try and find and remove the rogue program. Also be sure to scan in Safe Mode and check that any malware/spyware program you use is using the latest up-to-date definitions that you can download from the vendor's website. --- Steve
>
> http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
> http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
> http://www.microsoft.com/athome/secu...s/default.mspx --- MS info on viruses and worms.

I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the ports is too much for me...

I just want to close the ports...

Thanks a lot!

#8

"AmericanTechie" <nomail@americantechie.com> wrote in message news:Odpz6rv9FHA.2832@TK2MSFTNGP14.phx.gbl...
> networm wrote:
>> Hi all,
>>
>> Somebody remotely in another part of the world sent me email complaining I have a "backdoor-g-1" trojan connecting to his computer, using port 1243... I've also run Norton Security check from their website and found the following port open along with the 1243 port...
>>
>> > > PORT STATE SERVICE
>> > > 80/tcp open http
>> > > 443/tcp open https
>>
>> Since Norton Antivirus and Norton Security Check did not find any virus... or anything else. Perhaps there is nothing I can do and I can just close the ports...
>>
>> Suspiciously, these ports should not open...
>>
>> Now what shall I do? And how can I close the ports on XP sp2?
>>
>> Thanks a lot!
>
> Port 80 is webserver just as the list tells you. Are you running Apache or another webserver?
>
> --
> http://www.americantechie.com

I am using Windows Firewall... How can I shut down these ports?

Using those sophisticated techniques to find which processes are using the ports is too much for me...

I just want to close the ports...

Thanks a lot!

#9

"networm" <networm8848@yahoo.com> wrote in message news:ukAn0w59FHA.2324@TK2MSFTNGP11.phx.gbl...
> I am using Windows Firewall... How can I shut down these ports?

Control Panel -> Windows Firewall, Exceptions, uncheck the exceptions you do not want.

> I just want to close the ports...

Closing everything blindly is bound to cause problems sooner or later.

#10

In news:OesaGw59FHA.3760@TK2MSFTNGP14.phx.gbl, networm <networm8848@yahoo.com> typed:
> "Jack" <JackMDS@verizon.net> wrote in message news:%23iZzMOv9FHA.2676@TK2MSFTNGP15.phx.gbl...
>> Ports by default are not open or closed; they just sit there, ready to be used by an application that needs them.
>>
>> One of the roles of a Firewall is to keep ports closed for traffic unless one of the applications that you are using requests a port for its own use; therefore it is a very good idea to use a Firewall.
>>
>> The email that you received is a little odd; unless a Trojan is capable of transmitting your email address, it is unlikely that he can infer your email address from an IP number. In other words, it might be a "prank" email.
>>
>> Basic Protection for a Broadband Internet connection should consist of:
>>
>> 1. Router's NAT Firewall (even if you have only one computer).
>> 2. Software Firewall (Why? See here, http://www.ezlan.net/firewall.html ).
>> 3. Antivirus Program.
>> 4. AntiSpy Program.
>>
>> A good security suite can be assembled by using very good Free programs, http://www.ezlan.net/security.html
>>
>> Microsoft is currently Beta testing a comprehensive One Care program that might be a good substitute for the software that is mentioned above. http://beta.windowsonecare.com/Betaentry.aspx
>>
>> If you are already infected this might help,
>>
>> Internet Infestation: http://www.ezlan.net/infestation.html
>>
>> Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html
>>
>> Jack (MVP-Networking).
>
> The email was forwarded by our security office. The sender found out our organization and sent it to our security office...
>
> Anyway, I am using Windows Firewall... How can I shut down these ports?
>
> Using those sophisticated techniques to find which processes are using the ports is too much for me...
>
> I just want to close the ports...
>
> Thanks a lot!

Without knowing anything about your setup/network it's hard to tell you much here. The Windows firewall cannot block outbound traffic. You'd need something else - either hardware (firewall appliance) or software. This is not as simple a task as you clearly wish it to be, unfortunately - and I also question whether it's actually necessary, as you haven't provided enough info for us to know whether your PC is actually compromised. You'd need to have the recipient of the offending message copy/paste the Internet mail headers and send this to you, so you could investigate it.

If you're on a company network, someone should be managing your network security and you ought to ask them for help. If this is a home computer, you need to provide a lot more info in order to get help.