What got in when Comodo opened Port 445, and how do I remove it?

On 17th February my son updated my firewall from 3.0.14 to 3.0.17.
I received a firewall alert that “svchost wants to receive a message on Port 139 from another computer”, and I chose to BLOCK. I thought this was a new feature after several revisions, and that it might be from my ISP administration because the “other” computer had a similar IP address.
It happened again, and I decided that if there was a message available it MIGHT indicate a global spam to everyone on the internet, OR it might indicate that I was specifically targeted because my presence was known !!!
Then a Messenger Service pop-up arrived from sbssoft@gmail;com offering “400-600 GBP per week to manage our UK customers payments”. That looked like a money laundering operation, and a semi-colon in “gmail;com” looked like forgery. So the bad guys are on to me !!!
I went to Shields Up! and my fears were confirmed.

Ports 139 and 445 were wide open.
Apart from them, the first 1056 ports were “stealthed”, but ONLY the first run of the test.
When I repeated the test, ports 7, 9, 13, 17, 19 were also open, and ports 1034 and 1036 were then closed but no longer stealthed - perhaps the Firewall was fatigued !!!
I inspected the Firewall rules, and found that the latest version of “Global” did absolutely nothing other than to block ICMP Echo Request. I immediately replaced this with the previous set of Global rules that allow IP OUT and ICMP Fragmentation etc, and concluded with a supreme “Block and Log IP IN any etc.”, and this restored perfect stealth to all ports.

A deep scan by ESET NOD32 antivirus found nothing nasty.
From Sophos I downloaded an anti-Rootkit detection which found nothing, and also their “Threat Detection” which also found nothing.
So nothing nasty got in - or did it ???

I have attached the Application Rules in effect when my Ports were open. I believe the “applications” were protected by their rules, with the notable exceptions that :-
svchost allows UDP IN from ANY, and
System allows IP IN from ANY.

Just in case something nasty and too new for detection did enter, I restored a Disc sector image that was captured just before the Firewall was “upgraded” !!!

Since then I have received one begging email via gmail asking for $10 to help with the cost of an operation to save the life of a daughter. This was aimed accurately at my personal email address, which gets low volume, and has been spam free for several years until yesterday. It was from gmail - what a coincidence. So the bad guys harvested my email address somehow !!!

My whole system is now exactly as it was BEFORE this open ports fiasco, EXCEPTING :-
hiberfil.sys and pagefile.sys are excluded from the Disc Sector image, so everything in my 1.25 GByte RAM is saved to disc upon shut-down, and is re-loaded back from Disc to RAM on start-up, so re-loading a virus free Disc Sector archive will only replace corrupted / suspect files on Disc, but not eradicate any memory resident virus;
any damage to data in CMOS Battery RAM or Bootstrap EEPROM etc will also not be corrected.

My system is Windows XP Home Edition with SP2 and .Net Framework 2.0.

I am sorry for the length of my explanations above, but that is nothing to the duration and extent of my recent suffering !!!

Now for my questions :-

  1. Should I alter my system settings to remove hiberfil.sys and pagefile.sys, and then WIPE (with a utility that carefully avoids zapping any files) the entire free space on drive C:\ before restoring hiberfil.sys etc. just to be sure there is no memory resident virus / key logger etc., or was Sophos anti-Rootkit scan etc. adequate ?
  2. If WIPE is appropriate I would appreciate recommendations on something suitable ?
  3. Is there any other precaution I should take before I resume Internet Banking and buying on a Credit Card ?
  4. I would appreciate advice upon what private information may have leaked or been stolen whilst the ports were open. Should I take any pro-active steps against Identity Theft which may have already happened ?

NB I phoned my bank and have been assured that “I” have not accessed my account since a week before the ports were opened.

As a matter of great interest to me, even though it is too late to do anything about it, I would note that
a) Comodo let through without warning or opposition a spam gmail pop-up - I GUESS no harm done, but it was inconvenient having to launch Windows Task Manager to close it down because I feared the pop-up “CLOSE” button might do something less desirable !
b) Even though the svchost application rule appears to allow it, Comodo did warn when svchost was ready to receive a message from Port 139, and presumably blocked as per my decision.
So, Comodo wins some, and loses some, presumably partial success in the region of Ports 135 to 139.

WHAT ABOUT PORT 145 ??? I received no warnings from/about Port 145. Does this mean nothing nasty visited Port 145 in 100 Hours of unprotected on-line surfing, or might Comodo have let something through ? Could I have been enrolled in a Trojan Army ?

Alan

[attachment deleted by admin]

First of all Shields Up checks your router first, or your modem if it has a built-in hardware firewall. I made a post about this. Have you tried running the Stealth Port Wizard? Make sure your hardware firewall, if you have one, is fully stealthed.

https://forums.comodo.com/empty-t20201.0.html

Hi

Sorry I forgot to mention. Comodo is my only Firewall. I have no hardware firewall. I use the Thomson ST330 Broadband Modem, and my ISP is TalkTalk.

I would note that today Shields UP! correctly identifies my Reverse DNS identity, whereas yesterday even that was perfectly shielded. I assume this stealth variability is not because Comodo has an “Off Day”, but something about TalkTalk who have acquired various other ISPs, and when I log on I always get a different dynamic IP address, and there are several different ranges of addresses due to the “inheritance” from several ISPs. Sometimes I suffer Traffic Management down at 500 KBps, and sometimes I get the full promised 2000 KBps. Shields UP! advise that some ISPs protect Port 445 for their customers - just possibly I too have sometimes had that benefit, depending upon which server farm I am allocated to when I log on.

When I find I am in a minefield my nature is to back out, hence after changing the global rules for perfect stealth I sat back, thought a while, and decided a further upgrade to the latest 3.0.18 was a step in the wrong direction !!!

After worrying about viruses, I have restored the system to a pre-disaster state, which happens to not only remove much of the virus / key logger hazard, but also puts me back to Comodo 3.0.14, which is a step in the right direction !!! Hence I no longer have a Stealth Port Wizard.

Some time in the future my nerves should calm down, and I will probably then try whatever is the latest version at that time, in which case I will remember to look at the Stealth Port Wizard.

Alan

Hi Alan take a look at,

https://forums.comodo.com/general_security_questions_and_comments_not_product_related/securing_port_445_tcpudp-t20395.0.html

and this https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/how_to_disable_netbios_on_the_internet_adapter_for_windows_2000xp2003-t14469.0.html

Matty

Those Messenger popups are there because someone has turned on Messenger Service (not to be confused with the IM program, MS Messenger (or Live Messenger, or whatever it is now)). Disable the service, stop the problem. Go to Start/Run, type in “services.msc” (no quotes). Find the entry titled “Messenger”, double-click to open and change Startup Type to Disabled.

When you reboot that issue should be taken care of (along with associated open ports).

As for the open ports on GRC issue. You’re on a cable provider, it looks like. Majority of the time, cable ISPs create a sort of “network” of their users, behind the ISP’s equipment. Some will even see traffic with network IP addresses such as 10.x.x.x. Chances are, the reason it keeps changing (your GRC results, that is) is because of your ISP - they’re being scanned, not you. There’s an easy way to test that…

Make sure you have only 3 global rules -

  1. Allow TCP/UDP Out
  2. Block IP Out
  3. Block & Log IP In
    note: All Source & Destination categories are Any.

Reboot, or Exit the firewall (from systray icon) and restart it. The rules should take on the go, but just to make sure you have a fresh start… Then do GRC. If it’s scanning your machine, you’ll pass.

LM
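The three-state verdict that the GRC results in this thread are described in (open, closed, stealth) is easy to reproduce with a plain TCP connect probe. The script below is an added example written for this page; it is not code from the original posts, from Comodo or from GRC. The target host and the port list are assumptions supplied by the caller: by default it probes the loopback interface so it runs offline, and it starts its own local listener so the "open" and "closed" cases can be shown without touching the network.

```python
"""Shields UP!-style TCP port-state probe.

Added example for this thread; not code from the original post, from
Comodo or from GRC.  Each probed port is reported the way the GRC
results in the thread are described:
  open    - a TCP connect completes (something is listening and reachable)
  closed  - the host answers with a RST (connection refused)
  stealth - nothing comes back inside the timeout
The target host and port list are assumptions supplied by the caller.
"""
import socket
import sys

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"

# The RPC / NetBIOS-session / SMB ports discussed in the thread (TCP only).
WINDOWS_FILE_SHARING_PORTS = (135, 139, 445)


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port on `host` as open, closed or stealth."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        # The target replied with a RST. A firewall rule that *drops*
        # (Block IP In) never produces this; only a reachable, unfiltered
        # port with nothing listening does.
        return CLOSED
    except (socket.timeout, TimeoutError):
        return STEALTH
    except OSError:
        # Host/network unreachable etc.: the target itself sent nothing,
        # which this probe cannot distinguish from stealth.
        return STEALTH
    finally:
        s.close()


def probe_ports(host, ports=WINDOWS_FILE_SHARING_PORTS, timeout=2.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that accepted a connection; these are the ones worth an alert."""
    return sorted(p for p, state in results.items() if state == OPEN)


def is_fully_stealthed(results):
    """True only if no probed port answered at all (GRC's 'passed' verdict)."""
    return bool(results) and all(state == STEALTH for state in results.values())


# --- helpers for an offline demonstration on the loopback interface ---------

def start_local_listener(host="127.0.0.1"):
    """Listen on an ephemeral port so the 'open' case can be shown locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_local_port(host="127.0.0.1"):
    """Pick a port with no listener, which loopback answers with a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py [host]
    # Run it from a machine OUTSIDE the firewall to test inbound filtering;
    # probing your own public address from the protected PC itself never
    # crosses the firewall's inbound rules, so it proves nothing about them.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    if host == "127.0.0.1":
        srv, listening_port = start_local_listener()
        demo = probe_ports(host, (listening_port, free_local_port()))
        srv.close()
    else:
        demo = probe_ports(host)
    for port, state in sorted(demo.items()):
        print(f"{host}:{port:<5} {state}")
    print("verdict:", "fully stealthed" if is_fully_stealthed(demo) else "not stealthed")
```

Two caveats a practitioner would add: the probe is TCP-only, so the UDP datagram traffic that also carries Messenger Service pop-ups is outside what a connect() test can classify, and a verdict of "stealth" from a second machine is only meaningful if that machine sits on the Internet side of the ISP's equipment, for the reason LM gives above about cable providers scanning their own network edge.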

Because something ??? has turned on Messenger Service and because the firewall was configured incorrectly. There is no way that the messenger service spam could happen if the ports 139 and 445 were being blocked by the firewall.

Thanks for the information so far.

I am actually on a B.T. phone line sub-leased through my ISP TalkTalk, who have inherited further Server Farms by acquiring other ISPs. I have now seen that GRC advise
“When present, reverse DNS is supported by Internet service providers”,
hence I assume that the different groups of Server Farms still conform to policies laid down by their original owners, and when I log on it is a matter of luck which Server I am routed through, and hence whether or not it reveals my reverse DNS.

Immediately GRC showed that Ports were open I left my Internet connection alive to my ISP so as to retain my existing dynamic IP Address, and set the Firewall to “Block All Mode”, and investigated Firewall rules.
I realised that “Block PING Requests” with no other Global rules appeared weak, so I changed the Global Rules to those just suggested by Little Mac because these were in use before the Firewall upgrade, set the Firewall back to “Custom Policy Mode”, and using the existing connection to GRC was able to get perfect stealth on all Ports. I was also then able to add permission for ICMP FRAGMENTATION etc. and a specific Source Address for ICMP ECHO and that permitted me to use a Traceroute service as before, and GRC still measured perfect stealth.

I was pleasantly surprised that correcting the Global Rules gave an immediate cure - I was fully expecting that I would have to shut down the P.C. and to reboot before I got an improvement.

You are correct that Messenger Service was turned on. It always has been on - but no more !!!

Alan

FURTHER REQUESTS FOR INFORMATION.

  1. For 110 hours at 10 hours a day for 11 days I was on-line, and unaware that Ports 445 etc. were open.
    What nastiness could have got in and stolen my passwords and information useful for Identity Theft purposes ?
    Could it have stolen and sent out data in my documents which were NOT password protected ?
    Could it have stolen and sent out Passwords held by PwAgent or Firefox which WAS password protected ?
    Although Comodo Firewall version 3.0.17.304 left Ports 445, 139 etc OPEN according to an innocuous test by GRC, Port 139 still had a measure of protection in that when svchost wanted to receive a message via Port 139 from some other computer, Comodo still gave me a warning and recommended I BLOCK, and I chose to BLOCK and so far as I know it was blocked. I wish to believe that Comodo would similarly have warned / blocked anything else that might have approached through any of the open Ports.
    Unfortunately Comodo permitted a spam Messenger Service message. Does this mean Comodo correctly determined that it was a harmless irritant, or does it mean it was not detected and that more harmful things could have entered, possibly via the same route.

  2. If anything evil did enter, would it have been detected and blocked by Defense+, or might it have been able to achieve at least some of its purposes ?

  3. If something entered and accessed my passwords, documents, or other information, would it have been able to then EXPORT that information to hackers, or would the FireWall have given perfect protection against anything OUTgoing even though its INcoming protection had failed.

I would really appreciate advice (and hopefully re-assurance) upon the above, or if relevant a warning upon what information could have been lost, corrupted, or stolen. I cannot think of any alternative to the Comodo Forum for this advice because I doubt that any other place would have detailed knowledge upon what protection remains from the residue of Comodo when Ports 445 etc. are open. At the time of weakness I was using Comodo Firewall 3.0.17.304 with Application rules as in my initial post, and a single global rule that blocked ICMP REQUEST (and did nothing else). The Firewall was set to “Custom Policy Mode”, and Defense+ to “Clean PC Mode”. Additionally I have been protected by ESET NOD32 Antivirus version 2.7.39. I am using Windows XP Home Edition with Service Pack 2, and have .NET 2.0 installed.

  4. I would also like advice upon any further measures I should take to ensure removal of anything nasty that may have entered. I have already restored a Disc Sector archive image that should over-write every sector with untarnished data captured BEFORE the Ports became open, BUT the archiving system actually bypasses hiberfil.sys and pagefile.sys, so I believe any memory resident virus could survive (though I hope ESET or SOPHOS would have found it - but I prefer “certainty” to “hope”.) I also remember reading that some viruses can enter CMOS RAM and BIOS FLASH/EEPROM - but maybe that was scare tactics by a company interested in selling a “solution” !!!
    I would like an answer to this question 4, but am expecting I may need to post this question elsewhere - I think forums other than Comodo may have far more experience of how to recover after a FireWall has allowed the unthinkable !!!

Alan

If your OS is up to date then it’s unlikely

2. If anything evil did enter, would it have been detected and blocked by Defense+, or might it have been able to achieve at least some of its purposes ?

Most likely it would be detected by Defense+

so I believe any memory resident virus could survive

Malware only in virtual memory cannot remain active after a shutdown/reboot as there is nothing that tells windows to read that address in memory

I also remember reading that some viruses can enter CMOS RAM and BIOS FLASH/EEPROM

AFAIK a BIOS Rootkit that works in many different configurations is more science fiction than reality

BTW I think that the spam e-mail was just a coincidence

Hi Alan, just a few things to remember: it wasn't Comodo which left your ports open, they were open all the time.
For information to enter your computer it has to use an application which is listening on one of these ports; if it tried to alter another application Defense+ would have alerted you to this.
As the various scans you have done have all come back clean i would say your computer is ok.
I think a lesson for all here is to check all rules you have set up frequently and to always be wary if you get an alert when you are not expecting it: READ IT CAREFULLY and just block, without Remember, if you're not sure.

By the sound of it you were just the victim of a spam attack.

Good Luck Matty

Thank you ggf31416 for your advice - just in time for me to go to bed and sleep easy !!!

I usually permit Patch Tuesday a few days late, so M.S. have time to fix any major goofs. I was fully up to date with all security fixes when the Ports were exposed.

Thank you for the assurance that Defense+ would still have been effective.

When I read about viruses etc. targeting CMOS RAM etc. I took it with a pinch of salt - but irrational fears arise when I feel exposed to danger !!! Thank you for your assurance.

I still have an uncertainty about a memory resident virus, and would appreciate further assurance on this one aspect because :-
If the computer is NOT shut down, but put into hibernation, it ensures the existing state of the system is preserved by copying every byte in RAM to the hiberfil.sys file before it shuts off power and RAM loses its data. When the computer awakes from hibernation it copies the hiberfil.sys data back to RAM so that all applications, and even memory resident viruses, which were previously running will again be running.
I understand that people have been convicted for downloading child ■■■■■■■■■■■ etc. based upon the evidence of Computer Specialist Forensic Investigators who have the capability to remove the hard drive and duplicate its contents and to then scrutinise the contents without modifying the contents. I further understand that they are not limited to finding the viewable pornographic images, but can also analyse the contents of hiberfil.sys and determine what sites have been visited, files downloaded, and other actions by the culprit. I understand their investigation is NOT dependent upon receiving the computer in a hibernated condition, AND that they can look back over several days through several total shut-downs and reboots.
I therefore assume that when the computer power is removed, everything which had been in RAM is now in hiberfil.sys regardless of whether or not it has been hibernated, AND that upon Power Up everything in hiberfil.sys is copied back into RAM, and the only difference is that a flag somewhere then tells the computer whether it should resume operations with all the applications (and viruses) it now has back in RAM, or whether it should go through the normal start-up sequence of loading the things that are stipulated in the Start menu etc.

My fear that a memory resident virus can survive power down/up is based upon several assumptions, and I would appreciate an explanation of any error in my assumptions.

Summary - I fully accept 3 and a half out of 4 assurances !!! Thank you for that - I will sleep better tonight than I have for several days.

Alan

Also, Thank you Matty.

Now I really must get to bed !!!

Alan.

Comodo is a firewall and you still need a good AV. I use Comodo and NOD32. By the way, having ports open doesn't mean you will get immediately infected. I have never gotten anything in over 5 years and I surf and download everything. Hell, there are people who don't use an antivirus, firewall, anti-spyware, or anything and they have never been infected. Also, do you have a router or a modem with a built-in hardware firewall? I have a 2Wire Gateway DSL modem with a fully stealthed firewall. If you want real protection and are so worried then get a hardware firewall. A good hardware firewall stops inbounds and a software firewall stops outbounds.

If you are so worried about hiberfil.sys then disable the hibernation feature to remove the file and then enable the feature again.

I actually never use hibernation mode. Kinda stupid if you ask me. My desktop is usually on 24/7 and my laptop powers off by itself when need be, but mainly it's on so I can play WOW.