Concealed Trojan?

Julesh

My PC running Windows XP Pro has a permanent connection to the internet
via a cable modem (which it shares using ICS) and is protected by the
Bitdefender software firewall and virus scanner which I keep
scrupulously up to date. Every couple of weeks I also run Spybot S&D,
which never finds anything except a few tracking cookies, and use GRC's
ShieldsUp to make sure the firewall is behaving.

Generally ShieldsUp gives me a clean bill of health with all ports
closed and stealthed so I was a bit horrified when I tried this last
night and found ports 23, 80 and 1025 (among others) wide open. I've had
no reports from the firewall about unknown processes trying to
communicate and neither netstat nor Fport (a port usage utility) are
reporting any processes as holding these ports open. I've run a
succession of Trojan detectors this afternoon but all of these have
failed to find the existence of any active trojan.

I got a friend to remotely run a portscan on my IP address. He has
confirmed the results from ShieldsUp. He tried a web browser to port 80
on my address and got an error message that seemed to imply there was a
running web server. It also seems that a telnet server is running
although he could not log on to this. I can only presume I have
acquired a Trojan that can stealth itself as there is absolutely no
trace of it using the tools I have. Can anyone suggest where I should
start looking for this?


Thanks


Julesh
 
Carey Frisch [MVP]

Ports That Are Used by Windows Product Activation
http://support.microsoft.com/default.aspx?scid=kb;en-us;291983&Product=winxp

How to determine which program uses or blocks specific transmission control
protocol ports in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;281336&Product=winxp

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
Guest

That was a very informative reply, Carey, for me too. I've been curious
about this issue but had less success than I wanted navigating the knowledge
base to find the answers.

By the way, do you have to be a Symantec subscriber to use that security
check page listed third down in your links? I went there and set it up to
go, then the page just disappears. Curious.
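
The check described in the question and in the second KB link (matching ports to owning processes) can be scripted. The following is an added example, not part of any post in this thread: it parses `netstat -ano` output and reconciles it against the ports an external scan reported open. The sample netstat text and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1568
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.1:1045       203.0.113.7:80         ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    756
"""

# Only TCP rows in LISTENING state matter for an inbound port scan.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def tcp_listeners(netstat_text):
    """Map each listening TCP port to a list of (local address, PID)."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            listeners.setdefault(port, []).append((addr, pid))
    return listeners

def reconcile(external_open, netstat_text):
    """Split externally reported open ports by whether a local listener explains them."""
    listeners = tcp_listeners(netstat_text)
    report = {"local_listener": {}, "loopback_only": [], "no_local_listener": []}
    for port in sorted(external_open):
        owners = listeners.get(port, [])
        # A socket bound to 127.x.x.x cannot answer a scan from outside.
        reachable = [(a, p) for a, p in owners if not a.startswith("127.")]
        if reachable:
            report["local_listener"][port] = sorted({p for _, p in reachable})
        elif owners:
            report["loopback_only"].append(port)
        else:
            report["no_local_listener"].append(port)
    return report

if __name__ == "__main__":
    # Ports the external scan in the thread reported open.
    print(reconcile({23, 80, 1025}, SAMPLE_NETSTAT))
```

PIDs listed under `local_listener` can be looked up in Task Manager or `tasklist`; ports under `no_local_listener` are the ones the local process table does not account for.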
 
