Port 135: excess traffic, XP SP1 updated

I am getting an excess of port 135 traffic on my XP SP1 box with the latest updates applied.
I have the latest avast! and Grisoft antivirus and the latest PestPatrol and Spybot Search & Destroy. No infection is detected.

I had to stop TCP 135 traffic using an advanced rule on my Sygate firewall. When the rule is disabled, the box starts connecting to other IPs on the net.
I also tried to sniff the connections.

Anyone else detected this situation?

Port 135 is used by DCE endpoint resolution as well as msblast. www.sysinternals.com has a utility that can show you what file/application is using what. See if that can tell you what is using the port.

Both TCPView and Fport report that port 135 (epmap) is used by:
C:\WINDOWS\system32\svchost.exe
Command line: C:\WINDOWS\system32\svchost -k rpcss
Version: 5.01.2600.0000

Nevertheless, as soon as I remove the port 135 block rule on my firewall,
I notice dozens of connections from my PC to the outside world.

Any suggestions? Can I monitor and report something else?
Thank you in advance

The same website as earlier also has a utility that tells exactly what is using svchost; I think it is called prcview (not sure). Use it to find out more.

This is a dump of the process bound to the epmap port:

Process: svchost.exe Pid: 900

Type Name
Directory \BaseNamedObjects
Section \BaseNamedObjects_R_00000000001c_SMem_
Section \BaseNamedObjects\RotHintTable
Event \BaseNamedObjects\ScmCreatedEvent
Mutant \BaseNamedObjects\ShimCacheMutex
Section \BaseNamedObjects\ShimSharedMemory
Event \BaseNamedObjects\userenv: User Profile setup event
Desktop \Default
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\Ip
File \Device\Ip
File \Device\Ip
File \Device\KsecDD
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\svcctl
File \Device\NamedPipe\Winsock2\CatalogChangeListener-384-0
File \Device\Tcp
File \Device\Tcp
File \Device\Tcp
File \Device\Tcp
File \Dfs
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Directory \KnownDlls
Port \RPC Control\epmapper
Directory \Windows
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$
Process BttnServ.exe(1384)
File C:\WINDOWS\SYSTEM32
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR\AppID
Key HKCR\CLSID
Key HKCR\CLSID
Key HKCR\CLSID
Key HKLM
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\Ole
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKU
Key HKU
Key HKU
Key HKU
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token MOBILEGHOST\gulli
Token NT AUTHORITY\SERVIZIO LOCALE
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Thread svchost.exe(900): 1968
Thread svchost.exe(900): 2260
Thread svchost.exe(900): 2772
Thread svchost.exe(900): 3868
Thread svchost.exe(900): 904
Thread svchost.exe(900): 908
Thread svchost.exe(900): 908
Thread svchost.exe(900): 916
Thread svchost.exe(900): 916
Thread svchost.exe(900): 920
Thread svchost.exe(900): 920
Thread svchost.exe(900): 920
Thread svchost.exe(900): 964
Process WISPTIS.EXE(2000)

Hi,

Are these port 135 INBOUND or OUTBOUND connections?

If inbound, it's just Blaster or something knocking on your door…

:wink:

Outbound and established connections!!! :cry:

To which IPs?

Read the "VirusRemoval" link below and:

  • secure your system
  • do some onlinescans
  • post a hijackthis-Log

:wink:

This is less than 20 seconds after disabling the rule:

Active connections

Proto  Local Address          Foreign Address        State
TCP 82.51.43.191:135 82.48.91.129:3419 ESTABLISHED
TCP 82.51.43.191:135 82.51.22.4:3031 ESTABLISHED
TCP 82.51.43.191:135 82.51.44.56:1743 ESTABLISHED
TCP 82.51.43.191:135 82.51.49.10:4351 ESTABLISHED
TCP 82.51.43.191:135 82.51.59.116:3929 ESTABLISHED
TCP 82.51.43.191:135 82.51.60.70:3225 ESTABLISHED
TCP 82.51.43.191:135 82.51.73.40:2744 ESTABLISHED
TCP 82.51.43.191:135 82.51.95.247:2783 ESTABLISHED
TCP 82.51.43.191:135 82.51.112.23:3877 ESTABLISHED
TCP 82.51.43.191:135 82.51.160.99:3074 ESTABLISHED
TCP 82.51.43.191:135 82.51.166.219:1647 ESTABLISHED

I suddenly stopped it and reapplied the rule!

Logfile of HijackThis v1.97.7
Scan saved at 15.50.38, on 23/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Programmi\InstallShield Software Corporation\802.11b Wireless Lan Utility\RtlWake.exe
C:\WINDOWS\COMMAND\putty.exe
C:\Programmi\RealVNC\vncviewer.exe
C:\Programmi\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\xxx\Desktop\Fport-2.0\procexp.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\Tcpview.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Grisoft\AVG6\avgw.exe
C:\WINDOWS\COMMAND\putty.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\rasphone.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [CPQEASYACC] C:\Programmi\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [AVG_CC] C:\Programmi\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKLM..\Run: [CookiePatrol] C:\Programmi\PestPatrol\CookiePatrol.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\gulli\IMPOST~1\Temp\DELDIR0.EXE" "C:\Programmi\McAfee\McAfee Shared Components\Guardian"
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Ricerche (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38180.9964699074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{40D67BAF-7BBA-4999-8535-E15F5B864A86}: NameServer = 217.141.251.204 151.99.125.1
O17 - HKLM\System\CCS\Services\Tcpip..{497B8F73-828E-44BC-8F7D-EA1ACC5F517C}: Domain = xxxxxxxx

This is from someone who goes online via interbusiness.it and connects from somewhere near Catanzaro, Italy?

Does this mean anything to you?

Here’s the analysis:
http://www.hijackthis.de/logfiles/108999d9d27d67799d3d94be1fe7690e.html

Read it carefully.

You have PGPnet & WinVNC (a remote access tool = RAT) running; is this known to you? It could be the cause of the connections…

:wink:

It is near the area where I'm located.
And yes, I know I have PGPnet and VNC. I have used them both for a long time (5 years or so).
Neither avast, nor AVG, nor Trend Micro's HouseCall online scanner is able to detect an infection. I will use another scanner and read your report.

If anyone else has any suggestions, you are welcome.

In that list of connections I see port numbers that are not in the IANA port list; that always makes me suspicious of them. See if you can find out what is using the unknown port numbers:

http://www.iana.org/assignments/port-numbers

The local port is 135. My IP was 82.51.43.191.
What do you mean? How do I check the remote port?

After removing the 135 rule on INCOMING and OUTGOING traffic, my Sygate firewall logged this:

File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : Generic Host Process for Win32 Services (svchost.exe)
File Path : C:\WINDOWS\SYSTEM32\svchost.exe
Process ID : 0x384 (Heximal) 900 (Decimal)

Connection origin : remote initiated
Protocol : TCP
Local Address : 82.49.62.250
Local Port : 135 (EPMAP - Location service - Dynamically assign ports for RPC)
Remote Name :
Remote Address : 82.49.206.227
Remote Port : 4280

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 68-7a-72-02-00-00
Source: f0-ed-20-00-03-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 123
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xccd5 (Correct)
Source: 82.49.206.227
Destination: 82.49.62.250
Transmission Control Protocol (TCP)
Source port: 4285
Destination port: 135
Sequence number: 3953400007
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x37bb (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 68 7A 72 02 00 00 F0 ED : 20 00 03 00 08 00 45 00 | hzr..... .....E.
0010: 00 30 77 BB 40 00 7B 06 : D5 CC 52 31 CE E3 52 31 | .0w.@.{...R1..R1
0020: 3E FA 10 BD 00 87 EB A4 : 18 C7 00 00 00 00 70 02 | >.............p.
0030: FF FF BB 37 00 00 02 04 : 05 AC 01 01 04 02       | ...7..........

And i got again several connections

Proto  Local Address          Foreign Address        State
TCP    mobileghost:epmap      host100-26.pool8249.interbusiness.it:4342   ESTABLISHED
TCP    mobileghost:epmap      host238-45.pool8249.interbusiness.it:3938   ESTABLISHED
TCP    mobileghost:epmap      host137-71.pool8249.interbusiness.it:4531   ESTABLISHED
TCP    mobileghost:epmap      host99-76.pool8249.interbusiness.it:4130    ESTABLISHED
TCP    mobileghost:epmap      host13-126.pool8249.interbusiness.it:2824   ESTABLISHED
TCP    mobileghost:epmap      host14-135.pool8249.interbusiness.it:4604   ESTABLISHED
TCP    mobileghost:epmap      host189-187.pool8249.interbusiness.it:1984  ESTABLISHED
TCP    mobileghost:epmap      host117-188.pool8249.interbusiness.it:3026  ESTABLISHED
TCP    mobileghost:epmap      host227-206.pool8249.interbusiness.it:4312  ESTABLISHED
TCP    mobileghost:epmap      host56-211.pool8249.interbusiness.it:2524   ESTABLISHED
TCP    mobileghost:4959       rs01.avast.com:http                         SYN_SENT
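Decoding the frame the firewall logged above, as an added example that is not part of the original post: the code turns the Sygate hex dump back into bytes, walks the Ethernet II, IPv4 and TCP headers, re-verifies both checksums and reports who initiated the connection. The hex dump is the one from the post (its ASCII column dropped); the parsing and checksum helpers are my own. Read from the wire bytes, the checksum fields are 0xd5cc and 0xbb37; the firewall's dissection prints the same two bytes swapped.

```python
"""Decode a Sygate hex dump: Ethernet II / IPv4 / TCP, with checksum checks.

Added example, not code from the original thread. HEXDUMP is copied from the
post; everything printed is derived from those bytes.
"""
import struct

HEXDUMP = """\
0000: 68 7A 72 02 00 00 F0 ED : 20 00 03 00 08 00 45 00
0010: 00 30 77 BB 40 00 7B 06 : D5 CC 52 31 CE E3 52 31
0020: 3E FA 10 BD 00 87 EB A4 : 18 C7 00 00 00 00 70 02
0030: FF FF BB 37 00 00 02 04 : 05 AC 01 01 04 02
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_hexdump(text: str) -> bytes:
    """'OFFSET: xx xx .. : xx xx | ascii' lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        body = line.split(":", 1)[1]        # drop the offset column
        body = body.split("|", 1)[0]        # drop an ASCII column, if present
        out.extend(int(tok, 16) for tok in body.split() if tok != ":")
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 core: 16-bit one's-complement sum, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data: bytes) -> bool:
    """A header summed WITH its checksum field gives 0xFFFF when intact."""
    return ones_complement_sum(data) == 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode the option kinds present in this SYN: MSS, NOP, SACK-permitted."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            out["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 4:
            out["sack_permitted"] = True
        i += length
    return out


def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP; returns the fields a triage needs."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    # TCP checksum covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "eth_src": frame[6:12].hex(":"), "eth_dst": frame[0:6].hex(":"),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": checksum_valid(ip[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "options": parse_tcp_options(tcp[20:data_off]),
        "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "tcp_checksum_ok": checksum_valid(pseudo + tcp),
        "payload_len": len(tcp) - data_off,
    }


def who_initiated(pkt: dict) -> str:
    """A bare SYN (no ACK) is the first packet of a handshake: its sender opened it."""
    if pkt["flags"] == ["SYN"]:
        return "remote %s:%d opened a connection to local port %d" % (
            pkt["src"], pkt["sport"], pkt["dport"])
    return "not a connection request"


if __name__ == "__main__":
    info = decode_frame(parse_hexdump(HEXDUMP))
    for key, value in info.items():
        print("%-16s %s" % (key, value))
    print(who_initiated(info))
```

The decisive fields are the flags (SYN only, no ACK) and the destination port (135): the packet is the first step of a handshake sent by the remote host toward the local RPC endpoint mapper, which is exactly what the firewall's own "Connection origin: remote initiated" line says.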

Under "Indirizzo esterno" (Foreign Address) you see the connections, like 82.51.160.99:3074.
That means you are connected to 82.51.160.99 using port 3074; check what these connections are and what the ports are normally used for.

Most of them are unassigned!

Here is what my personal port database has on them; perhaps it helps. Of course it doesn't mean that no other (harmful?) applications can use or are using those ports.

Result for port 3419 = Isogon SoftAudit
Result for port 3031 = Remote AppleEvents/PPC Toolbox : MyDoom.B@mm : MicroSpy
Result for port 1743 = Cinema Graphics License Manager
Result for port 4351 = PLCY Net Services
Result for port 3929 = AMS Port
Result for port 3225 = FCIP
Result for port 2744 = honyaku
Result for port 2783 = AISES
Result for port 3877 = XMPCR Interface Port
Result for port 3074 = Xbox game port
Result for port 1647 = tcp rsap

Some ideas:

  1. Remove the firewall and reinstall it. Close ALL ports and manually open only those that are really needed to make the system work. While doing this, create a list (application, TCP/UDP, port number) so you can see for future reference what is using what and what is needed.

  2. Close all those ports and see if there is an application that stops working correctly.

The problem has evolved; now it is listening on port 1025 and port 445:

SVCHOST.EXE:1188 TCP mobileghost:1025 mobileghost:0 LISTENING
System:4 TCP mobileghost:microsoft-ds mobileghost:0 LISTENING
System:4 TCP mobileghost:netbios-ssn mobileghost:0 LISTENING
System:4 TCP mobileghost:netbios-ssn mobileghost:0 LISTENING

No antivirus (avast, Norton, AVG, online scanner) is able to find a virus.

As soon as I remove my firewall rule blocking incoming and outgoing traffic, I get a bunch of traffic such as:

netstat -n

Active connections

Proto  Local Address          Foreign Address        State
TCP 82.49.63.42:445 4.4.211.199:2136 ESTABLISHED
TCP 82.49.63.42:445 62.39.240.5:3730 ESTABLISHED
TCP 82.49.63.42:445 68.163.200.94:3250 ESTABLISHED
TCP 82.49.63.42:445 68.190.253.120:3757 ESTABLISHED
TCP 82.49.63.42:445 145.254.127.2:4224 SYN_RECEIVED
TCP 82.49.63.42:445 200.150.245.74:2314 ESTABLISHED
TCP 82.49.63.42:445 208.133.141.179:4284 ESTABLISHED
TCP 82.49.63.42:445 213.254.72.164:1750 ESTABLISHED
TCP 127.0.0.1:4274 127.0.0.1:4275 ESTABLISHED
TCP 127.0.0.1:4275 127.0.0.1:4274 ESTABLISHED

ANY HELP WILL BE APPRECIATED!
Is this a new worm?
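The two `netstat -n` listings in this thread (the port 135 one earlier and the port 445 one just posted) can be classified mechanically. This is an added example, not code from the original thread: it parses the listings, uses the TCP state plus the well-known/ephemeral port split to say which side opened each connection, and groups the inbound peers by /16. The listings are copied from the posts (headers translated); the service-port table and the 1025 ephemeral-port floor are my assumptions for a 2004-era XP SP1 host.

```python
"""Tell inbound from outbound in netstat -n output.

Added example, not from the original thread. NETSTAT_135 and NETSTAT_445 are
the two listings posted in the thread (English headers). LOCAL_SERVICE_PORTS
and EPHEMERAL_START are assumptions about a default XP SP1 box.
"""
import re
from collections import Counter

# Ports a default XP SP1 host listens on. When the LOCAL end of an ESTABLISHED
# connection is one of these, a local service accepted it: the remote peer
# initiated it, whatever the state column says. (Assumed table.)
LOCAL_SERVICE_PORTS = {135: "epmap", 139: "netbios-ssn", 445: "microsoft-ds"}
EPHEMERAL_START = 1025   # NT/2000/XP hand out client ports from 1025 upward (assumption)

NETSTAT_135 = """\
Active connections

  Proto  Local Address          Foreign Address        State
  TCP    82.51.43.191:135       82.48.91.129:3419      ESTABLISHED
  TCP    82.51.43.191:135       82.51.22.4:3031        ESTABLISHED
  TCP    82.51.43.191:135       82.51.44.56:1743       ESTABLISHED
  TCP    82.51.43.191:135       82.51.49.10:4351       ESTABLISHED
  TCP    82.51.43.191:135       82.51.59.116:3929      ESTABLISHED
  TCP    82.51.43.191:135       82.51.60.70:3225       ESTABLISHED
  TCP    82.51.43.191:135       82.51.73.40:2744       ESTABLISHED
  TCP    82.51.43.191:135       82.51.95.247:2783      ESTABLISHED
  TCP    82.51.43.191:135       82.51.112.23:3877      ESTABLISHED
  TCP    82.51.43.191:135       82.51.160.99:3074      ESTABLISHED
  TCP    82.51.43.191:135       82.51.166.219:1647     ESTABLISHED
"""

NETSTAT_445 = """\
  Proto  Local Address          Foreign Address        State
  TCP    82.49.63.42:445        4.4.211.199:2136       ESTABLISHED
  TCP    82.49.63.42:445        62.39.240.5:3730       ESTABLISHED
  TCP    82.49.63.42:445        68.163.200.94:3250     ESTABLISHED
  TCP    82.49.63.42:445        68.190.253.120:3757    ESTABLISHED
  TCP    82.49.63.42:445        145.254.127.2:4224     SYN_RECEIVED
  TCP    82.49.63.42:445        200.150.245.74:2314    ESTABLISHED
  TCP    82.49.63.42:445        208.133.141.179:4284   ESTABLISHED
  TCP    82.49.63.42:445        213.254.72.164:1750    ESTABLISHED
  TCP    127.0.0.1:4274         127.0.0.1:4275         ESTABLISHED
  TCP    127.0.0.1:4275         127.0.0.1:4274         ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")


def parse_netstat(text: str) -> list:
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": None if rport == "*" else int(rport),
                     "state": state})
    return rows


def direction(row: dict) -> str:
    """Who opened the connection, from the TCP state and the port split."""
    if row["state"] == "LISTENING":
        return "listening"
    if row["raddr"].startswith("127."):
        return "loopback"
    # Half-open states are unambiguous: SYN_RECEIVED means we got their SYN,
    # SYN_SENT means we sent ours.
    if row["state"] == "SYN_RECEIVED":
        return "inbound"
    if row["state"] == "SYN_SENT":
        return "outbound"
    rport = row["rport"] or 0
    if row["lport"] in LOCAL_SERVICE_PORTS and rport >= EPHEMERAL_START:
        return "inbound"      # service port here, client port there
    if row["lport"] >= EPHEMERAL_START and rport < EPHEMERAL_START:
        return "outbound"     # client port here, service port there
    return "ambiguous"


def summarize(rows: list) -> tuple:
    """(direction counts, /16 prefixes of the peers that connected in)."""
    counts = Counter(direction(r) for r in rows)
    peers = Counter(".".join(r["raddr"].split(".")[:2]) + ".0.0/16"
                    for r in rows if direction(r) == "inbound")
    return counts, peers


if __name__ == "__main__":
    for label, text in (("port 135 listing", NETSTAT_135), ("port 445 listing", NETSTAT_445)):
        rows = parse_netstat(text)
        for r in rows:
            print("%-9s %s:%d <- %s:%s" % (direction(r), r["laddr"], r["lport"], r["raddr"], r["rport"]))
        counts, peers = summarize(rows)
        print(label, dict(counts), dict(peers), "\n")
```

In both listings every connection has a well-known service port on the local side and a client-range port on the remote side; that pattern, and the SYN_RECEIVED entry on 445, mean remote hosts are connecting to local services, which is also what the Sygate entry "Connection origin: remote initiated" reported. The one outbound-looking line in the thread is the avast update check (local port 4959 to remote port 80, SYN_SENT).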

Let's see if I can explain what I mean (English ain't my native language) :-\

We are talking here about data traffic. Data traffic can be incoming and outgoing. Most applications use both, e.g. a browser: you want to open a web page, so the browser sends data (outgoing); when the requested page (site) is found, it sends you the page (incoming). Nothing wrong with that, but the same goes for all applications. So in order to find out whether something is normal or not, you need to find out what application is causing the traffic, where it goes to and where it comes from and, if possible, what traffic it is, e.g. what the data content is.

At this point, I think we had better start from scratch, since I get the impression you don't know much about computers and how everything works (no offense!).

  1. visit one of my webpages (click on the link in my signature)
  2. get/install the applications mentioned there
  3. Update them
  4. terminate the internet connection (unplug the cable)
  5. run them (after doing so your system will be clean of viruses, spy-/adware and such)
  6. Clean/remove all the harmful things they find
  7. Reboot
  8. remove the firewall
  9. reboot
  10. install the firewall
  11. plug back in to the internet
  12. if the firewall asks if something is allowed, find out what exactly it is that is asking permission before saying yes/no

If you follow these steps, all traffic that still takes place should be 'normal' (not harmful). I know I am asking a lot, but I truly believe this is what you should do at this point.