Author Topic: Port 135 excess of traffic, XP SP1 updated  (Read 24840 times)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #15 on: July 24, 2004, 01:22:31 PM »
Under "Indirizzo esterno" (Foreign Address) you see connections like 82.51.160.99:3074.
That means you are connected to 82.51.160.99 using port 3074; check what these connections are and what the ports are normally used for.

wetwet

  • Guest
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #16 on: July 24, 2004, 05:36:34 PM »
Most of them are unassigned!

Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #17 on: July 24, 2004, 05:50:44 PM »
Here is what my personal port database has on them; perhaps it helps. Of course, it doesn't mean that no other (harmful?) applications can be, or are, using those ports.

Result for port 3419 = Isogon SoftAudit
Result for port 3031 = Remote AppleEvents/PPC Toolbox : MyDoom.B@mm : MicroSpy
Result for port 1743 = Cinema Graphics License Manager
Result for port 4351 = PLCY Net Services
Result for port 3929 = AMS Port
Result for port 3225 = FCIP
Result for port 2744 = honyaku
Result for port 2783 = AISES
Result for port 3877 = XMPCR Interface Port
Result for port 3074 = Xbox game port
Result for port 1647 = rsap (tcp)

Some ideas:

1) Remove the firewall and reinstall it. Close ALL ports and manually open only those that are really needed to make the system work. While doing this, create a list (application, tcp/udp, port number) so you can see for future reference what is using what and what is needed.

2) Close all those ports and see if there is an application that stops working correctly.

wetwet

  • Guest
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #18 on: July 27, 2004, 01:48:31 PM »
The problem has evolved: now it is listening on port 1025 and port 445

SVCHOST.EXE:1188   TCP   mobileghost:1025   mobileghost:0   LISTENING
System:4   TCP   mobileghost:microsoft-ds   mobileghost:0   LISTENING   
System:4   TCP   mobileghost:netbios-ssn   mobileghost:0   LISTENING   
System:4   TCP   mobileghost:netbios-ssn   mobileghost:0   LISTENING   
   

No antivirus (avast, Norton, AVG, online scanner) is able to find a virus.

As soon as I remove my firewall rule blocking incoming and outgoing traffic, I get a bunch of traffic such as:


netstat -n (Italian locale: "Indirizzo locale" = Local Address, "Indirizzo esterno" = Foreign Address, "Stato" = State)

Connessioni attive (Active connections)

  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    82.49.63.42:445        4.4.211.199:2136       ESTABLISHED
  TCP    82.49.63.42:445        62.39.240.5:3730       ESTABLISHED
  TCP    82.49.63.42:445        68.163.200.94:3250     ESTABLISHED
  TCP    82.49.63.42:445        68.190.253.120:3757    ESTABLISHED
  TCP    82.49.63.42:445        145.254.127.2:4224     SYN_RECEIVED
  TCP    82.49.63.42:445        200.150.245.74:2314    ESTABLISHED
  TCP    82.49.63.42:445        208.133.141.179:4284   ESTABLISHED
  TCP    82.49.63.42:445        213.254.72.164:1750    ESTABLISHED
  TCP    127.0.0.1:4274         127.0.0.1:4275         ESTABLISHED
  TCP    127.0.0.1:4275         127.0.0.1:4274         ESTABLISHED


ANY HELP WILL BE APPRECIATED!
Is this a new worm?
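The listing above, triaged programmatically (an added example, not code from the thread): it parses the `netstat -n` dump, marks each row as inbound, outbound, loopback or listening, labels the service port from a small table in the spirit of the "personal port database" in Reply #17, and flags public addresses connected to the Windows RPC/SMB ports. The port table, the public-address test and the sample input (a copy of the dump above) are all constructed for this example; the direction heuristic (service side = well-known port or Windows service port) is an assumption that fits XP's 1025-5000 ephemeral range.

```python
"""Triage a Windows `netstat -n` dump offline.  Added example for this thread;
the port table is a constructed subset and not authoritative."""
import ipaddress
import re
from collections import Counter

# Constructed port table (same idea as the "personal port database" above).
PORT_NAMES = {
    135: "epmap (MS RPC endpoint mapper)",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB over TCP)",
    1025: "first RPC dynamic port on XP (normally svchost.exe)",
    3074: "Xbox game port",
}

# Windows services a home PC should never accept from the internet; Blaster
# scanned for 135 and Sasser for 445.
WINDOWS_SERVICE_PORTS = {135, 137, 138, 139, 445}

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
# Header lines (in any locale, here Italian) do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

# Constructed sample: a copy of the dump posted in Reply #18, headers included.
SAMPLE_NETSTAT = """
Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno       Stato
  TCP    82.49.63.42:445        4.4.211.199:2136       ESTABLISHED
  TCP    82.49.63.42:445        62.39.240.5:3730       ESTABLISHED
  TCP    82.49.63.42:445        68.163.200.94:3250     ESTABLISHED
  TCP    82.49.63.42:445        68.190.253.120:3757    ESTABLISHED
  TCP    82.49.63.42:445        145.254.127.2:4224     SYN_RECEIVED
  TCP    82.49.63.42:445        200.150.245.74:2314    ESTABLISHED
  TCP    82.49.63.42:445        208.133.141.179:4284   ESTABLISHED
  TCP    82.49.63.42:445        213.254.72.164:1750    ESTABLISHED
  TCP    127.0.0.1:4274         127.0.0.1:4275         ESTABLISHED
  TCP    127.0.0.1:4275         127.0.0.1:4274         ESTABLISHED
"""


def parse_netstat(text):
    """Return one dict per connection row; non-matching lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip,
                      "remote_port": None if rport == "*" else int(rport),
                      "state": state or ""})
    return conns


def is_public(ip):
    """True for globally routable addresses; '*' (unbound) is not public."""
    if ip == "*":
        return False
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_unspecified)


def _is_service_port(port):
    # Assumption: the service side is a well-known port or a Windows service
    # port; XP hands out ephemeral client ports from 1025 upwards.
    return port in WINDOWS_SERVICE_PORTS or port < 1024


def classify(c):
    """'listening', 'loopback', 'inbound', 'outbound' or 'peer-to-peer'."""
    if c["state"] == "LISTENING" or c["remote_port"] in (None, 0):
        return "listening"
    if (ipaddress.ip_address(c["local_ip"]).is_loopback
            and ipaddress.ip_address(c["remote_ip"]).is_loopback):
        return "loopback"          # inter-process traffic, never leaves the box
    local_svc = _is_service_port(c["local_port"])
    remote_svc = _is_service_port(c["remote_port"])
    if local_svc and not remote_svc:
        return "inbound"           # a remote client reached our service
    if remote_svc and not local_svc:
        return "outbound"          # we are the client
    return "peer-to-peer"          # both ephemeral, e.g. game/P2P traffic


def triage(text):
    """Classify every row and flag public hosts on the Windows service ports."""
    findings = []
    for c in parse_netstat(text):
        direction = classify(c)
        if direction == "outbound":
            name = PORT_NAMES.get(c["remote_port"])
        else:
            name = PORT_NAMES.get(c["local_port"]) or PORT_NAMES.get(c["remote_port"])
        alert = (direction == "inbound"
                 and c["local_port"] in WINDOWS_SERVICE_PORTS
                 and is_public(c["remote_ip"]))
        findings.append({**c, "direction": direction,
                         "service": name or "unassigned/unknown", "alert": alert})
    return findings


def summarize(findings):
    return {
        "by_direction": Counter(f["direction"] for f in findings),
        "public_peers_on_windows_ports": sorted(
            {f["remote_ip"] for f in findings if f["alert"]}),
    }


if __name__ == "__main__":
    fs = triage(SAMPLE_NETSTAT)
    for f in fs:
        flag = "!!" if f["alert"] else "  "
        print(f"{flag} {f['direction']:<12} {f['local_ip']}:{f['local_port']:<5} "
              f"<-> {f['remote_ip']}:{f['remote_port']} {f['state']:<12} {f['service']}")
    print(summarize(fs))
```

Run against the dump above it reports eight distinct public hosts connected to local TCP 445 (one still in SYN_RECEIVED) and no outbound rows at all; the only other traffic is the 127.0.0.1 pair, which is local inter-process traffic. Inbound sessions to SMB from arbitrary internet addresses are what an exposed, unfirewalled XP box sees whether or not it is infected, so the actionable finding is the same either way: the inbound side of TCP 135/139/445 must be blocked at the firewall, and any remaining svchost.exe outbound connections examined separately.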

Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #19 on: July 27, 2004, 02:28:01 PM »
Let's see if I can explain the things I want (English isn't my native language) :-\

We are talking here about data traffic. Data traffic can be incoming and outgoing. Most applications use both, e.g. a browser: you want to open a web page, so the browser sends data (outgoing); when the requested page (site) is found, it sends you the page (incoming). Nothing wrong with that, but the same goes for all applications. So in order to find out whether something is normal or not, you need to know (find out) what application is causing the traffic, where it goes to and where it comes from, and (if possible) what traffic it is, e.g. what the data content is.

At this point, I think we'd better start from scratch, since I got the impression you don't know much about computers and how everything works (no offense!)

01) visit one of my web pages (click on the link in my signature)
02) get/install the applications mentioned there
03) update them
04) terminate the internet connection (unplug the cable)
05) run them (after doing so your system will be clean of viruses, spy-/adware and such)
06) clean/remove all harmful things they find
07) reboot
08) remove the firewall
09) reboot
10) install the firewall
11) plug back in to the internet
12) if the firewall asks whether something is allowed, find out exactly what it is that is asking permission before saying yes/no

If you follow these steps, all traffic that still takes place should be 'normal' (not harmful). I know I am asking a lot, but I truly believe this is what you should do at this point.
« Last Edit: July 27, 2004, 02:28:52 PM by Artras »

wetwet

  • Guest
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #20 on: July 27, 2004, 06:12:00 PM »
Well, first time on a computer: back in 1984 (13 years old).
First time on the internet 1989, first time programming with TCP/IP sockets 1990.
I've done socket programming in C, Perl, Java, C++ and other languages since then (both on Unix and Windows).
No offense at all, anyway. ;D

The program that is causing the outgoing connections is svchost.exe, and this is not normal.

I'm doing the steps you are suggesting.

Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #21 on: July 27, 2004, 06:20:15 PM »
Oh, now we tell our history ;D Let me surprise you:

Working with computers for over 24 years
Running a computer repair store for almost ten years
Running an on-site service (B2B) for 3 years
Programmed in (not gonna tell all) ALL Basic dialects, Z80 assembler, 80286, 80386, 80486, Forth, Fortran, Pascal, mnemonics, and many more

I was one of the people who programmed Tassword (the predecessor of MS Word and WordPerfect)
I was the one who, together with a friend, wrote an interpreter for BASICODE for the Sinclair computers, although Sinclair England said it wasn't possible to do so
I'm the only one in my country who is officially allowed to help students with the practical phase of their education in ALL aspects of the IT/computer sector :D
All of my 'colleges' (is this English?) in the region send people to me when they can't solve a problem themselves.

Shall I go on?  ;D ;D ;D
« Last Edit: July 27, 2004, 06:25:18 PM by Artras »

wetwet

  • Guest
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #22 on: July 27, 2004, 07:44:49 PM »
I don't think that the goal of this forum is to explain how cool we are.

I think I have a problem; I shared what I have seen, looking for similar experiences and, hopefully, a solution.

That's all the story.


Offline Eddy

Re:Port 135 excess of traffic, XP SP1 updated
« Reply #23 on: July 27, 2004, 07:57:48 PM »
AGREED! So take what I said in my previous post with a grain of salt (see the smileys). It wasn't meant all that seriously and certainly not meant as "teaching" or so. Sorry if you took it that way, but that was not my intention. Let's blame it on the fact that my original language isn't English. Again, sorry for this little misunderstanding :-X

whocares

  • Guest
Re:Port 135 excess of traffic, XP SP1 updated
« Reply #24 on: July 27, 2004, 08:07:36 PM »
So, back to business: ;D


1) I don't see that many outbound connections in this (now rather lengthy) thread; stuff like
"Connection origin :   remote initiated
Protocol :      TCP
Local Address :    82.49.62.250
Local Port :      135 (EPMAP"

is normal as soon as you're connected!!
Blaster, Sasser & other network worms knocking on your door:
If you have all Windows updates applied, use secure passwords, have your system configured properly and/or have a firewall that BLOCKS TCP 135 (as an example), there's nothing to worry about.

2) I don't see many follow-ups & reports on the advice/links/tools Artras gave you..

3) You do IMHO have an excessive number of running processes & startup entries

-->



1) --> install, update, scan & fix with Ad-aware, Spybot and CWShredder
from http://www.lurkhere.com/~nicefiles/index.html & www.lavasoft.de

2) check all (startup) entries in the HJT log to see whether they are malicious or useless,
and fix them if so...
--> with the log file from HijackThis
http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html (English tutorial) in combination with:

a) database http://www.sysinfo.org/startuplist.php or OFFLINE: http://www.pacs-portal.co.uk/startup_pages/start_ups.exe or
http://www.windowsstartup.com/wso/search.php & http://www.reger24.de/processes.php & www.google.de
b) KAV-Scanner (see below)

reboot..
*
if problems remain, tell us exactly what you did so far, and post a new Hijackthis-Log

 ;)