PPTP port 1723 open! trojan?

haller
2006-01-04, 12:24
Hi!
I'm afraid my PC has a trojan or virus on it!

Symptoms:
GRC ShieldsUp and Symantec scanner show port 1723 (pptp) open, whilst all others I can test are stealthed. I have found little on the internet about this port, but it seems it has been used by malware.

Since then, I have activated certain security auditing functions, and have seen a number of events (ANONYMOUS USER logon, IPsec failed to get complete list...,) logged. But I can't really interpret most of them!!

I'm running updated Norton IS 2005, and have set a rule to block communication on port 1723 (but the port is still open). I see no indications of use of the port in any logs I've looked at, but I'm no expert. So I attach a HijackThis file and ask for any help anyone can give.....

Some background (system protected by Norton IS 2005, Pest Patrol, SpyBot, all up-to-date) :
A few days ago the system disk crashed after the PC beeped and locked up during surfing. I couldn't get XP SP1 to run again, and there were errors in the partition table (may have in part come from Ghost, Partition Magic, Maxblast or some other program, since the disk had been in use a long time). Replacing the system disk, I could read the two partitions I had so could save the data. Reinstalling XP (with new partitions) would not work - eventually I had to fully repartition and delete all partitions (Partition Magic) and then I could reinstall XP SP1. Then downloaded and installed SP2 and other updates. Things seemed ok. But just to check......
Antivirus and other scans revealed nothing untoward. Doing the port scan, however, I found the PPTP port 1723 open! And that seems dangerous to me!

Looking forward to any replies
Haller:(

Logfile of HijackThis v1.99.1
Scan saved at 11:21:38, on 03-Jan-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Common Files\Symantec Shared\Nmain.exe
C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Messenger\msmsgs.exe
D:\programs non-install\hijackthis 030106\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

LonnyRJones
2006-01-08, 03:44
Hi haller

Welcome to the forums.

I'm not seeing any malware :)
I do suggest other opinions besides Norton and ASquaredScan

Don't depend on any one antivirus program; go get preferably two free online scans now, and weekly or bi-weekly.

Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x] extended database, etc. Click OK.
Then choose: My Computer: scan all your hard drives and mapped disks.
When finished, click save as text and post that in your reply.
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.

TrendMicro™ HouseCall Java Scan

Please go HERE (http://www.trendmicro.com/hc_intro/default.asp) to run the Trend Micro™ HouseCall Scan.
Click Scan now. It's free!
Read and put a Check next to Yes I accept the terms of use.
Click the Launching HouseCall>> button.
If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
You may receive a Security Warning about the TrendMicro Java applet, click YES.
Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
Please be patient while it installs, updates, and scans your system.
Once the scan is complete, it will take you to the summary page.
Under Cleanup options, choose clean all detected infections automatically.
Click the Clean now>> button.
If anything was found you will prompted to run the scan again, you can just close the browser window.


http://www.bitdefender.com/scan/licence.php
http://www.bitdefender.com/scan8/ie.html
check the box to [x] autoclean

If there are any problems, copy their reports back here please.

tashi
2006-01-12, 16:32
Hello, this topic will now be archived.

Edited
Re-opened on request

Lonny

haller
2006-01-16, 20:46
Hello, Lonny:

First, thanks for your reply to my problem with having port 1723 open. Unfortunately I have been tied up with other things, so it has taken me a while to try your suggestions.

So the results:

* ran Kaspersky online: nothing

* ran panda active: nothing

* ran TrendMicro: nothing

* ran BitDefender: this found 8 suspicious files - but it got lost in /systemvolumeinfo: 19 h to do and rising; so I had to abort this, but afterwards BitDefender didn't indicate which 8 files it had deleted; re-running found nothing. Also nothing after switching off System Restore and rebooting. Subsequent error messages indicate that the missing files MAY include mscoree.dll and mapi32.dll.

Regular use of other programmes such as adaware and spybot have revealed nothing untoward.

The machine generally seems to be behaving itself and is running smoothly, except.....

Except that port 1723 is still open!

And:
I am getting warnings (usually just on startup or shortly thereafter) from the Symantec Resource Protector that protected Norton files are being accessed by, variously, winlogon.exe, thguard.exe and other files, and recently only ppactiveprotection.exe (PestPatrol). I am in touch with Symantec technical service, but so far, although they respond promptly and in a friendly manner, they seem unprepared to really address my problem (they don't comment on port probes; can't respond when a German Norton is running on an English XP Pro (?!), ...).

So I am really quite lost and confused!? Maybe there's nothing wrong...
Any suggestions you or anyone else might offer would be appreciated (yours is the only response that has so far been of any help!).

Thanks+regards

Haller

LonnyRJones
2006-01-17, 05:09
Hi

Where on Gibson's web site did a scan show results for port 1723?
Normally it probes 0 - 1055

I think you're seeing a false alarm

"Subsequent error messages indicate that the missing files MAY include mscoree.dll and mapi32.dll."

Can you explain that further please ?

haller
2006-01-17, 10:22
Hi, Lonny:

The GRC site where I did the port probe is on:

https://www.grc.com/x/ne.dll?rh1dkyd2

The particular port range has to be specified (I think it was the other scanner that picked up that it was open - then I checked specifically using GRC).

Concerning the missing files:
Norton 1button-checkup found a false entry for mscoree.dll (missing file), and on booting, mapi32.dll could not be found. But since then I've had no more error messages.

I have further checked the PC with the rootkit searcher, Blacklight from F-portect. Fortunately it also found nothing.

So it may be that I am reacting to false alarms. But I would still like to get confirmation from some expert source that this is indeed the case.

Thanks again for your input

Haller
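
The thread relies on remote scanners (GRC, Symantec) to decide whether TCP 1723 is open, and none of the replies asks the host itself. An added check, which is example code written for this page and not a tool mentioned in the thread, is to read what Windows XP's `netstat -ano` reports: every socket with its state and the PID of the process that owns it. The script below parses that output for a given port, tells you which PID holds it, and whether the listener is bound to all interfaces or only to loopback, which decides whether a remote scanner could have seen it in the first place. The netstat text embedded in the script is constructed for the example; on the real machine run `netstat -ano > netstat.txt` and pass that file as the first argument.

```python
"""Map a TCP port reported open by a remote scanner to the local process that
owns it, using the output of Windows `netstat -ano`.

Example code for this page, not from the thread. The sample below stands in
for real output; on the machine itself run `netstat -ano > netstat.txt` and
pass that file as the first argument (and the port as the second).
"""
import re
import sys

# Constructed sample in the layout Windows XP's `netstat -ano` prints; the
# addresses and PIDs are made up for the example and are not from the thread.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:1098      203.0.113.5:80         ESTABLISHED     2040
  UDP    0.0.0.0:500            *:*                                    712
  UDP    0.0.0.0:4500           *:*                                    712
"""

# One socket line: protocol, local addr:port, foreign addr, optional state
# (UDP lines have none), owning PID. Greedy \S+ still splits "[::]:135" correctly.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Local addresses that accept connections on every interface, i.e. from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m is None:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def find_listeners(text, port):
    """Sorted PIDs of TCP sockets in LISTENING state on `port`."""
    return sorted({r["pid"] for r in parse_netstat(text)
                   if r["proto"] == "TCP" and r["lport"] == port
                   and r["state"] == "LISTENING"})


def exposed_to_network(text, port):
    """True when a LISTENING socket on `port` is bound to a wildcard address,
    so a remote scanner can reach it; a 127.0.0.1-only listener is not."""
    return any(r["laddr"] in WILDCARD_ADDRS
               for r in parse_netstat(text)
               if r["proto"] == "TCP" and r["lport"] == port
               and r["state"] == "LISTENING")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1723
    pids = find_listeners(text, port)
    if not pids:
        # A remote "open" with no local listener means something else in the
        # path (typically a router or modem) is answering on that port.
        print(f"nothing on this host is listening on TCP {port}")
    else:
        reach = "network-reachable" if exposed_to_network(text, port) else "loopback-only"
        print(f"TCP {port} is held by PID(s) {pids} ({reach}); match the PID in "
              f"Task Manager (View > Select Columns > PID) or with 'tasklist /svc'")
```

Once the PID is known, `tasklist /svc` (XP Pro) shows which service is hosted in that process, which is the answer the thread never gets: whether 1723 is held by a Windows component such as an incoming VPN connection, by a third-party program, or by nothing at all on the host.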

LonnyRJones
2006-01-18, 05:27
I suggest you ask here where there are more Norton users
CastleCops General Symantec:
http://castlecops.com/f82-General_Symantec.html

Keep us informed please

tashi
2006-01-23, 17:51
Hello, this topic will now be archived to prevent others with similar issues posting in it.

If you need the thread re-opened, please pm me.