Keep seeing something hosted on port 9009


  • This topic is locked
11 replies to this topic

#1 herpderpton
Posted 14 March 2017 - 09:02 PM

When I reboot I keep seeing an Allow port 9009 rule being added to the firewall.

 

I can see in Resource Monitor that "system" is listening on port 9009.

 

If I go to http://localhost:9009 I see this:

 

<?xml version="1.0"?>
<Folder_MAP>
	<List>
		<Item Type="Error" Phy_Folder="" Id="3" PWD="" Timelim="2099/12/31 上午 12:00:00" URL="Access Denied !" />
 </List>
</Folder_MAP>

 

Attached are a few logs from HijackThis, FRST and Malwarebytes.

 

I'd rather not re-install Windows if I don't have to.

Attached Files


#2 nasdaq
  • Malware Response Team

Posted 15 March 2017 - 09:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-27]
U3 awlcqpog; C:\Users\Mark\AppData\Local\Temp\awlcqpog.sys [56584 2017-03-14] (GMER) [File not signed] <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
FirewallRules: [{9433401A-41BA-49EF-A5CF-C909AC186A71}] => (Allow) LPort=9009

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.


P.S.
Please have a moderator close this duplicate topic.
https://www.bleepingcomputer.com/forums/t/641884/something-adding-firewall-rules-on-boot/

#3 herpderpton
  • Topic Starter

Posted 15 March 2017 - 05:45 PM

Still seeing a new Allow 9009 rule after reboot.

Attached Files



#4 nasdaq
  • Malware Response Team

Posted 16 March 2017 - 07:15 AM



I suspect that this Lport is required by:
(Golden Frog, GmbH.) C:\Program Files (x86)\VyprVPN\VyprVPNService.exe

Can you please check it out?

How do I enable port selection on Windows?
https://support.goldenfrog.com/hc/en-us/articles/204263448-How-do-I-enable-port-selection-on-Windows-

#5 herpderpton
  • Topic Starter

Posted 16 March 2017 - 09:00 AM

I suspect that this Lport is required by:
(Golden Frog, GmbH.) C:\Program Files (x86)\VyprVPN\VyprVPNService.exe

Can you please check it out?

How do I enable port selection on Windows?
https://support.goldenfrog.com/hc/en-us/articles/204263448-How-do-I-enable-port-selection-on-Windows-

 

My account does not have access to Chameleon mode and the options are greyed out.

 

I removed the software, removed all existing firewall entries for port 9009, rebooted, and still see a new rule added on boot.

 

Updated FRST attached.

Attached Files



#6 nasdaq
  • Malware Response Team

Posted 16 March 2017 - 01:00 PM




The uninstaller does not always remove the firewall setting.

Try this.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

FirewallRules: [{9433401A-41BA-49EF-A5CF-C909AC186A71}] => (Allow) LPort=9009

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please restart the computer normally after the fix.
This will reset the registry.

How is it now?

#7 herpderpton
  • Topic Starter

Posted 16 March 2017 - 02:30 PM

Doesn't seem to have worked; added updated FRST after reboot as well.

Attached Files



#8 nasdaq
  • Malware Response Team

Posted 17 March 2017 - 08:16 AM



I just found this site which you can use to check port 9009.

Find out why it's opened. Select the Advanced button to check your firewall.

http://www.ipfingerprints.com/portscan.php

===

This is really not my forte. If you need additional information I suggest you ask in the Networking Forum.
https://www.bleepingcomputer.com/forums/f/21/networking/

#9 herpderpton
  • Topic Starter

Posted 18 March 2017 - 09:56 AM

I'm not worried someone will connect on 9009; there are no port forwarding rules in my router to allow it, not even from UPnP. From my first post it even seems like whatever is listening on 9009 didn't even set itself up correctly.

 

Is there a way to monitor or make a trace file during boot that can see what is applying the allow 9009 rule on boot?

 

If I don't delete them, it makes one per boot; when I first noticed it there were about 20 entries for Allow 9009.



#10 nasdaq
  • Malware Response Team

Posted 18 March 2017 - 10:39 AM

I suggest you ask this question in the Networking forum.

#11 herpderpton
  • Topic Starter

Posted 18 March 2017 - 05:45 PM

OK so weird turn of events and it all turned out benign.

 

Windows got corrupted while enabling boot logging in ProcMon. Tried safe mode, startup repair, and system restore; nothing worked.

 

Turns out my new SSD died, sucks, it's a 1TB Mushkin Reactor. So I reinstalled Windows on my old 120GB Mushkin Chronos.

 

Thinking "lemme just check the firewall to make sure some NSA level bleep isn't perpetuating itself on my PC."

 

HOLY bleep the firewall rule was still there! So I ran boot logging in ProcMon. Filtered the details column for anything containing 9009 and et voilà there it was!

 

Turns out it is a module of Gigabyte's AppCenter called gcloud, which is running a netsh command on boot.

 

Ran uninstall.exe from the folder to remove the module, rebooted, and no more rules being added on boot!

 

The tin foil hat has come off. Thanks for your help, you can mark this resolved.

Attached Files


Edited by herpderpton, 18 March 2017 - 05:50 PM.
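As an added example (not part of the thread or either poster's own steps), a PowerShell triage script for the question in #9 and the resolution in #11: it lists inbound Allow rules for local port 9009, shows which process owns the listening socket, and pulls the firewall operational log's "rule added" events (ID 2004), whose message names the application that wrote the rule. Port 9009 is the only input taken from the thread; the log name, event ID and message field names are standard Windows Firewall with Advanced Security values, not something the thread shows.

```powershell
# Added example, not from the thread: triage for a firewall rule that reappears
# at every boot. Run from an elevated PowerShell (Windows 8/10+, NetSecurity module).
param([int]$Port = 9009)

# 1. Every inbound Allow rule whose local-port filter equals $Port, so duplicates
#    (the thread saw ~20) and their names/groups are visible at a glance.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    "$($pf.LocalPort)" -eq "$Port"
}
$rules | Select-Object Name, DisplayName, Enabled, Profile, Group | Format-Table -AutoSize
"{0} inbound Allow rule(s) for local port {1}" -f @($rules).Count, $Port

# 2. Which process owns the listening socket? PID 4 ("System") means a kernel-mode
#    component (for example HTTP.sys serving a registered URL) holds the port,
#    which is why Resource Monitor showed "system" rather than a user-mode binary.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
        }
    } | Format-Table -AutoSize

# 3. "What adds the rule at boot?" from the firewall's own operational log:
#    event ID 2004 = a rule was added. Its message carries the rule's local ports
#    and the Modifying Application (e.g. netsh.exe, which is what the ProcMon
#    boot log in #11 caught); TimeCreated shows whether it lands right after boot.
#    Process-creation events (Sysmon ID 1 / Security 4688) for that binary at the
#    same time stamp then give the parent process without a ProcMon boot log.
$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2004 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Local Ports:\s*$Port(\D|$)" } |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            RuleName   = [regex]::Match($m, 'Rule Name:\s*(.+)').Groups[1].Value.Trim()
            ModifiedBy = [regex]::Match($m, 'Modifying Application:\s*(.+)').Groups[1].Value.Trim()
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```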


#12 nasdaq
  • Malware Response Team

Posted 19 March 2017 - 08:18 AM

Thanks for the feedback.

I will help others in this situation.
