Port scan has me worried.

[zykur]

Hi,
I was downloading a file and Norton Antivirus gave me this error message: is infected with the Trojan dropper virus.
Access to the file was denied.

I'm assuming that NAV was unable to quarantine it because it's not listed under the quarantine log.
I have the latest definitions but NAV was unable to find anything, so I downloaded ANti_trojan 5.5 and this is what it tells me I have for open ports.
Port 80 open. Possible trojans. Webserver (possible Trojaner: Executor)
Port 1033 open. Possible trojans. NetSpy
Port 1243 open. Possible trojans. SubSeven
Port 4092 open. Possible trojans. WinCrash
Port 5000 open. Possible trojans. Sockets de Troie, Blazer 5

My question is what do I do next? I did a search of my drive for Netspy.exe and didn't find anything and NAV and Anti-Trojan both tell me that my system is clean.

I typed "netstat" from the command prompt and see some activity but nothing that is too alarming.

Does anyone have any advice?


Thanks,

J

[preep]

dont get too worried, although you telling me what o/s u use would have helped.

Port 80- http (internet explorer)

Port 1033- netspy, or W2k printer port monitor (Will send status request to SNMP community)

Port 1243- SubSeven Backdoor or SerialGateway (not sure about itm, sounds like a networking dongle)

Port 4092- WinCrash Alternate Trojan or Asp module for Apache servers (ports 3001 - 6001)

Port 5000- WindowsME ships with a program called "SSDPSRV.EXE", or Simple Service Discover Protocol Server, which is used for Universal Plug and Play. This process listens on TCP 5000 for XML exchange or Sockets De Troie Trojan

if you have your AV upto date, thats a start, but programs like Trojan First Aid kit, or the commertial "Cleaner".

Also see if you can get a port listener/honeypot, like netbuster for example, so you can listen to these ports and see if they are trying to access your system.

And a firewall program wouldnt go a miss so you can allow/disalow programs access to the net, ppl swear by Tiny firewall

but i get blocked access from sub7, netbus and deepthroat all the time, its either funny blocking restrictions by your firewall, or a skiddie sweeping the network

Preep

[zykur]

Sorry I'm running XP. I know that port 80 is the web browser but it's the othere ports that caught my eye. Is there a way to shut down the ports?

[Sgt_B]

If you're worried about ports being open and such, then you should DL a firewall for your machine. There are plenty of posts in the firewall forum that can point you in the right direction. ZoneAlarm and Tiny come to mind, but you should get what fits your needs.

[avenger_jcc]

also go to google and type in "the cleaner" - by Moosoft. Tis a great trojan cleaner that should help.

[preep]

i have edited it, sry i hit submit my mistake :P

dumb me

Preep

[th3>kLuTz]

The best firewall imho is sygate. I can completely configure it to do exactly what i need, and its free

[Euclid]

You can disable port 5000 by going to admin tools and then services stop the UpNP service and then go to the properties and set to disable. Some of the other ports can probably be closed here as well. Just go threw the list of services and stop and disable anything you dont need

[Tedob1]

get fport from:

www.foundstone.com

its freeware and will tell you the name of the service listening on those ports, not just what could or should be there.

[ucsubliminal]

correction: port 80 is not your web browser, its a web server.

windows xp does not come with a web server, if you did not install one yourself, you might want to look into where that comes from. not to scare you, but possibly a trojan.