Topic: Port 135 excess of traffic, XP SP1 updated

wetwet

  • Guest
Port 135 excess of traffic, XP SP1 updated
« on: July 23, 2004, 09:18:08 AM »
I got an excess of port 135 traffic on my XP SP1 box with the latest update applied.
I have the latest avast! and Grisoft antivirus and the latest PestPatrol and Spybot Search and Destroy. No infection is detected.

I had to stop 135 TCP traffic using an advanced rule on my Sygate firewall. When the rule is disabled the box starts to connect to other IPs on the net.
I also tried to sniff the connections.

Anyone else detected this situation?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #1 on: July 23, 2004, 09:27:52 AM »
Port 135 is used by DCE endpoint resolution as well as msblast. www.sysinternals.com has a utility that can show you what file/application is using what. See if that can tell you what is using the port.

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #2 on: July 23, 2004, 02:45:32 PM »
Both TCPView and Fport report that port 135 epmap is used by
C:\WINDOWS\system32\svchost.exe
command line
C:\WINDOWS\system32\svchost -k rpcss
version
5.01.2600.0000

Nevertheless, as soon as I remove the port 135 block rule on my firewall,
I notice dozens of connections from my PC to the outside world.

Any suggestion? Can I monitor and report something else?
Thank you in advance.

Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #3 on: July 23, 2004, 02:52:54 PM »
Same website as earlier also has a util that tells exactly what is using svchost, I think it is called prcview (not sure). Use it to find out more.

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #4 on: July 23, 2004, 03:00:09 PM »
This is a dump of the process bound on the epmap port

Process: svchost.exe Pid: 900

Type   Name
Directory   \BaseNamedObjects
Section   \BaseNamedObjects\__R_00000000001c_SMem__
Section   \BaseNamedObjects\RotHintTable
Event   \BaseNamedObjects\ScmCreatedEvent
Mutant   \BaseNamedObjects\ShimCacheMutex
Section   \BaseNamedObjects\ShimSharedMemory
Event   \BaseNamedObjects\userenv:  User Profile setup event
Desktop   \Default
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Ip
File   \Device\Ip
File   \Device\Ip
File   \Device\KsecDD
File   \Device\NamedPipe\net\NtControlPipe2
File   \Device\NamedPipe\svcctl
File   \Device\NamedPipe\Winsock2\CatalogChangeListener-384-0
File   \Device\Tcp
File   \Device\Tcp
File   \Device\Tcp
File   \Device\Tcp
File   \Dfs
KeyedEvent   \KernelObjects\CritSecOutOfMemoryEvent
Directory   \KnownDlls
Port   \RPC Control\epmapper
Directory   \Windows
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
Process   BttnServ.exe(1384)
File   C:\WINDOWS\SYSTEM32\
Key   HKCR
Key   HKCR
Key   HKCR
Key   HKCR
Key   HKCR\AppID
Key   HKCR\CLSID
Key   HKCR\CLSID
Key   HKCR\CLSID
Key   HKLM
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\COM3
Key   HKLM\SOFTWARE\Microsoft\Ole
Key   HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key   HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key   HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key   HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key   HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key   HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key   HKU
Key   HKU
Key   HKU
Key   HKU
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   MOBILEGHOST\gulli
Token   NT AUTHORITY\SERVIZIO LOCALE
Token   NT AUTHORITY\SYSTEM
Token   NT AUTHORITY\SYSTEM
Token   NT AUTHORITY\SYSTEM
Token   NT AUTHORITY\SYSTEM
Thread   svchost.exe(900): 1968
Thread   svchost.exe(900): 2260
Thread   svchost.exe(900): 2772
Thread   svchost.exe(900): 3868
Thread   svchost.exe(900): 904
Thread   svchost.exe(900): 908
Thread   svchost.exe(900): 908
Thread   svchost.exe(900): 916
Thread   svchost.exe(900): 916
Thread   svchost.exe(900): 920
Thread   svchost.exe(900): 920
Thread   svchost.exe(900): 920
Thread   svchost.exe(900): 964
Process   WISPTIS.EXE(2000)

whocares

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #5 on: July 23, 2004, 03:02:22 PM »
Hi,

Are these port 135 INBOUND or OUTBOUND connections?

If inbound, it's just Blaster or something knocking on your door..

 ;)

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #6 on: July 23, 2004, 03:04:14 PM »
outbound and established connections!!!!! :'(

whocares

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #7 on: July 23, 2004, 03:31:51 PM »
outbound and established connections!!!!! :'(

To which IPs?

Read link "VirusRemoval" below and:
- secure your system
- do some onlinescans
- post a hijackthis-Log

 ;)

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #8 on: July 23, 2004, 03:46:27 PM »
This is just less than 20 sec after disabling the rule

Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    82.51.43.191:135       82.48.91.129:3419      ESTABLISHED
  TCP    82.51.43.191:135       82.51.22.4:3031        ESTABLISHED
  TCP    82.51.43.191:135       82.51.44.56:1743       ESTABLISHED
  TCP    82.51.43.191:135       82.51.49.10:4351       ESTABLISHED
  TCP    82.51.43.191:135       82.51.59.116:3929      ESTABLISHED
  TCP    82.51.43.191:135       82.51.60.70:3225       ESTABLISHED
  TCP    82.51.43.191:135       82.51.73.40:2744       ESTABLISHED
  TCP    82.51.43.191:135       82.51.95.247:2783      ESTABLISHED
  TCP    82.51.43.191:135       82.51.112.23:3877      ESTABLISHED
  TCP    82.51.43.191:135       82.51.160.99:3074      ESTABLISHED
  TCP    82.51.43.191:135       82.51.166.219:1647     ESTABLISHED

I suddenly stopped it and reapplied the rule!
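One thing the listing above shows on its own, as an added example that is not part of the thread: netstat prints no direction column, but every row has the local side on port 135 and the remote side on a high, ephemeral client port, which is the pattern of connections accepted by the local RPC endpoint mapper rather than opened by it. The script below applies that heuristic to a constructed sample modelled on the listing; the port-name table, the ephemeral-range cutoff and the sample rows are assumptions.

```python
"""Classify the connections in a netstat listing by who opened them.

Added example, not part of the thread. netstat has no direction column; the
heuristic here is that a TCP connection whose local port is a service we
listen on (135 = epmap, the RPC endpoint mapper) and whose remote port is in
the ephemeral client range was accepted by this host, i.e. it is inbound."""
import re

LISTENING_SERVICES = {135: "epmap"}      # ports this host is known to listen on
EPHEMERAL_MIN = 1024                     # XP/2000 clients pick ports from 1025 up
SERVICE_PORTS = {"epmap": 135, "http": 80}  # names netstat prints without -n
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

# Constructed sample mirroring the two listings in the thread (Italian netstat).
SAMPLE = """\
Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    82.51.43.191:135       82.48.91.129:3419      ESTABLISHED
  TCP    82.51.43.191:135       82.51.22.4:3031        ESTABLISHED
  TCP    mobileghost:epmap      host100-26.pool8249.interbusiness.it:4342  ESTABLISHED
  TCP    mobileghost:4959       rs01.avast.com:http    SYN_SENT
"""

def port_number(text):
    """Turn '135' or 'epmap' into an integer port."""
    return int(text) if text.isdigit() else SERVICE_PORTS[text]

def classify(line):
    """Return (remote_endpoint, direction, state) for one TCP row, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # header, blank or non-TCP line
    _lhost, lport, rhost, rport, state = m.groups()
    lp, rp = port_number(lport), port_number(rport)
    if lp in LISTENING_SERVICES and rp >= EPHEMERAL_MIN:
        direction = "inbound to local " + LISTENING_SERVICES[lp]
    elif lp >= EPHEMERAL_MIN > rp:
        direction = "outbound"
    else:
        direction = "undetermined"
    return "%s:%s" % (rhost, rport), direction, state

def summarize(text):
    """Count connections per direction over a whole netstat listing."""
    counts = {}
    for line in text.splitlines():
        row = classify(line)
        if row:
            counts[row[1]] = counts.get(row[1], 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE))   # {'inbound to local epmap': 3, 'outbound': 1}
```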

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #9 on: July 23, 2004, 03:54:05 PM »
Logfile of HijackThis v1.97.7
Scan saved at 15.50.38, on 23/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Programmi\InstallShield Software Corporation\802.11b Wireless Lan Utility\RtlWake.exe
C:\WINDOWS\COMMAND\putty.exe
C:\Programmi\RealVNC\vncviewer.exe
C:\Programmi\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\xxx\Desktop\Fport-2.0\procexp.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\Tcpview.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Grisoft\AVG6\avgw.exe
C:\WINDOWS\COMMAND\putty.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\rasphone.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programmi\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\Programmi\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programmi\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\gulli\IMPOST~1\Temp\DELDIR0.EXE" "C:\Programmi\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Ricerche (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38180.9964699074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40D67BAF-7BBA-4999-8535-E15F5B864A86}: NameServer = 217.141.251.204 151.99.125.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{497B8F73-828E-44BC-8F7D-EA1ACC5F517C}: Domain = xxxxxxxx


whocares

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #10 on: July 23, 2004, 06:03:23 PM »
This is just less than 20 sec after disabling the rule

Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    82.51.43.191:135       82.48.91.129:3419      ESTABLISHED
 

This is from someone who goes online via interbusiness.it and connects from somewhere near Catanzaro/Italy?

Does this mean anything to you?

Here's the analysis:
http://www.hijackthis.de/logfiles/108999d9d27d67799d3d94be1fe7690e.html

Read carefully.

You have PGPnet & WinVNC (a RemoteAccessTool = RAT) running, is this known to you? Could be the cause for the connections..



 ;)

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #11 on: July 23, 2004, 10:32:37 PM »
It is near the area where I'm located.
And yes, I know I have PGPnet and VNC. I have used them both for a long time (5 years or so).
Neither avast, nor AVG, nor Trend Micro's online scanner HouseCall is able to detect an infection. I will use another scanner and read your report.

If someone else has any suggestion,
you are welcome.

Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #12 on: July 24, 2004, 09:45:34 AM »
In that list of connections I see port numbers that are not in the IANA port list, which always makes me suspicious of them. See if you can find out what is using the unknown port numbers

http://www.iana.org/assignments/port-numbers

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #13 on: July 24, 2004, 12:58:02 PM »
Local port is 135. My IP was 82.51.43.191
What do you mean? How do I check the remote port?

wetwet

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #14 on: July 24, 2004, 01:08:09 PM »
Removing the 135 rule on INCOMING and OUTBOUND traffic, my Sygate firewall found this:

File Version :      5.1.2600.0 (xpclient.010817-1148)
File Description :   Generic Host Process for Win32 Services (svchost.exe)
File Path :      C:\WINDOWS\SYSTEM32\svchost.exe
Process ID :      0x384 (Heximal) 900 (Decimal)

Connection origin :   remote initiated
Protocol :      TCP
Local Address :    82.49.62.250
Local Port :      135 (EPMAP - Location service - Dynamically assign ports for RPC)
Remote Name :         
Remote Address :   82.49.206.227
Remote Port :       4280

Ethernet packet details:
Ethernet II (Packet Length: 62)
   Destination:    68-7a-72-02-00-00
   Source:    f0-ed-20-00-03-00
Type: IP (0x0800)
Internet Protocol
   Version: 4
   Header Length: 20 bytes
   Flags:
      .1.. = Don't fragment: Set
      ..0. = More fragments: Not set
   Fragment offset:0
   Time to live: 123
   Protocol: 0x6 (TCP - Transmission Control Protocol)
   Header checksum: 0xccd5 (Correct)
   Source: 82.49.206.227
   Destination: 82.49.62.250
Transmission Control Protocol (TCP)
   Source port: 4285
   Destination port: 135
   Sequence number: 3953400007
   Acknowledgment number: 0
   Header length: 28
   Flags:
      0... .... = Congestion Window Reduce (CWR): Not set
      .0.. .... = ECN-Echo: Not set
      ..0. .... = Urgent: Not set
      ...0 .... = Acknowledgment: Not set
      .... 0... = Push: Not set
      .... .0.. = Reset: Not set
      .... ..1. = Syn: Set
      .... ...0 = Fin: Not set
   Checksum: 0x37bb (Correct)
   Data (0 Bytes)

Binary dump of the packet:
0000:  68 7A 72 02 00 00 F0 ED : 20 00 03 00 08 00 45 00 | hzr..... .....E.
0010:  00 30 77 BB 40 00 7B 06 : D5 CC 52 31 CE E3 52 31 | .0w.@.{...R1..R1
0020:  3E FA 10 BD 00 87 EB A4 : 18 C7 00 00 00 00 70 02 | >.............p.
0030:  FF FF BB 37 00 00 02 04 : 05 AC 01 01 04 02       | ...7..........  


And I got several connections again



  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    mobileghost:epmap      host100-26.pool8249.interbusiness.it:4342  ESTABLISHED
  TCP    mobileghost:epmap      host238-45.pool8249.interbusiness.it:3938  ESTABLISHED
  TCP    mobileghost:epmap      host137-71.pool8249.interbusiness.it:4531  ESTABLISHED
  TCP    mobileghost:epmap      host99-76.pool8249.interbusiness.it:4130  ESTABLISHED
  TCP    mobileghost:epmap      host13-126.pool8249.interbusiness.it:2824  ESTABLISHED
  TCP    mobileghost:epmap      host14-135.pool8249.interbusiness.it:4604  ESTABLISHED
  TCP    mobileghost:epmap      host189-187.pool8249.interbusiness.it:1984  ESTABLISHED
  TCP    mobileghost:epmap      host117-188.pool8249.interbusiness.it:3026  ESTABLISHED
  TCP    mobileghost:epmap      host227-206.pool8249.interbusiness.it:4312  ESTABLISHED
  TCP    mobileghost:epmap      host56-211.pool8249.interbusiness.it:2524  ESTABLISHED
  TCP    mobileghost:4959       rs01.avast.com:http    SYN_SENT
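Reading the direction off the captured frame itself, as an added example that is neither from the thread nor from Sygate: the decoder below parses the Ethernet II, IPv4 and TCP headers out of the hex dump in the post above, verifies the IP header checksum, and treats a bare SYN addressed to local port 135 as remote-initiated, which is what the firewall's "Connection origin" field reports. Only the byte string is copied from the post; the field names and helper functions are assumptions.

```python
"""Decode the Sygate packet dump posted above (added example, not from the
thread or from Sygate): parse Ethernet II / IPv4 / TCP headers from the hex."""
import struct

# Bytes copied from "Binary dump of the packet" in the post (62 bytes).
HEX_DUMP = """
68 7A 72 02 00 00 F0 ED 20 00 03 00 08 00 45 00
00 30 77 BB 40 00 7B 06 D5 CC 52 31 CE E3 52 31
3E FA 10 BD 00 87 EB A4 18 C7 00 00 00 00 70 02
FF FF BB 37 00 00 02 04 05 AC 01 01 04 02
"""
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def ipv4_checksum(header):
    """RFC 791 ones-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(hex_text):
    """Return the fields an analyst needs from one Ethernet/IPv4/TCP frame."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "frame_len": len(raw),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8],                             # 123: Windows default 128 minus ~5 hops
        "protocol": ip[9],                        # 6 = TCP
        "dont_fragment": bool(flags_frag & 0x4000),
        # Sygate printed 0xccd5; on the wire the bytes are D5 CC, i.e. 0xD5CC.
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "tcp_header_len": (off_flags >> 12) * 4,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
    }

def is_remote_initiated(fields, local_service_port=135):
    """A bare SYN addressed to our listening port is a connection attempt *to*
    this host: whoever sent it initiated the connection, not our svchost."""
    return fields["flags"] == ["SYN"] and fields["dst_port"] == local_service_port

if __name__ == "__main__":
    decoded = decode_frame(HEX_DUMP)
    print(decoded, "remote initiated:", is_remote_initiated(decoded))
```

The decoded source port is 4285 (bytes 10 BD), matching the "Source port" line of the dissected packet rather than the 4280 in the firewall's summary block; when the two disagree, the bytes are the record.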