100+ svchost sockets

Hello,

This started a few weeks ago when I noticed horrible CPU performance and my Sygate firewall taking up 20% CPU +-, I tried using system restore but it told me it couldn't rollback successfuly (typical), while before that, my CPU usage was at a steady 0%, now it averages at 10% and making everything so slow and non responsive.
Here are the specs:
CPU: Intel Pentium 4 2.4ghz
RAM: 1024MB (512x2) dual channel DDR 400 MHZ
Display: ATI Radeon x800 256mb 256bit Pro
Windows XP Pro SP2

Well, enough chatter, here's what port explorer is showing.
http://dardasaba.spymac.net/port1.JPG
http://dardasaba.spymac.net/port2.JPG
http://dardasaba.spymac.net/port3.JPG
http://dardasaba.spymac.net/port4.JPG

I tried setting up Sygate rules to block those ports but that didn't seem to have any effect.
I ran all the AV,Spyware,adware,trojan scans I could think of and couldn't find anything apart from a few cookies that I've deleted.
Please help, I'm clueless.

P.S.
I am registered here, I just forgot my password

 

Hi there,
i take it you did every possible scanning, rebooted and it all came back?
Seeing you using Mirc i get very suspicious..........
It has all the same PID 1088 and no traffic and no creation date/time for the sockets, only the parent.
Killing the process probably doesn't work either / might not be a good idea.
You could kill those sockets, btw, one by one, have them blocked sending traffic, maybe you should first temporary disable sending in the parent process on top of that whole row so you can kill those sockets below of it and enable trafffec in the parent again after that.
Never seen the behavior before.

 

You may also wish to read this TOP Security Risks by SANS.

http://www.sans.org/top20/index.php#ports

paying particular attention to Windows Remote Access which uses Port 135 among others.

 

Thank you both for your reply.

"i take it you did every possible scanning, rebooted and it all came back?"
- Yes, several times.

"Seeing you using Mirc i get very suspicious.........."
- I never accept files from people I don't trust nor do I run any ($decode) commands given by spambots if that is your concern.

"You could kill those sockets, btw, one by one"
- I tried that, doesn't help much. Just reopens after a little while.

Btw, I recently restarted before I took those screenshots so there were relatively less sockets than usually.

Now that I checked it again, it has gotten to 250 system sockets...


Thanks for the link, siliconman01. But I don't think this is the case as I have all remote access services and settings disabled.

 

Have you tried blocking incoming TCP and UDP for port 135 using your software firewall? I've got mine blocked on Windows XP-SP2, cable modem, and everything works just fine. I don't use MIRC or AIM however. Might be worth a try just to see what happens

 

Yup, I tried that already.. Doesn't make the sockets disappear though, even after restarts.

 

Unless you have necessity for using these ports, perhaps close them?

http://www.firewallleaktester.com/wwdc.htm

 

If my memory serves me correctly, these are processes that have already closed and Windows has not yet released them. Although they appear to be running/connected they are not. This is a Windows error. I read this in PE's manual or on this website a few days ago. I have the same issue and don't run Mirc or any type of instant messaging/chat.

This applies to any process with an * (asterik) infront of it.

 

Thank you for the fine program, BourgePD.

I've disabled DCOM and RPC Locator, however, my internet connection stops working if I disable NetBIOS.. ugh.
By looking at the screenshots, you can see most of it is port 135(DCOM) and now that it is disabled, it doesn't seem to appear and there are only 19 system sockets open. I'll see if this is temporary because of the recent restart or a permanent fix, thanks again.

Snook:
Well, that bug seemed to have driven my firewall crazy.
Have you noticed any performance issues?
Thanks for the info.

 

It's been atleast 12 hours since the restart and the number of system sockets is at 19, yay.

Does anyone know how come my internet connection won't work if I disable NetBIOS? (Cable connection)

 

What type of login/authentication process does your ISP use? Anything to do with your computer name?

Regards,

CrazyM

 

It looks like your machine is scanning for other vulnerable machines. Aren't you fully patched ?? The strange thing is that this looks like one of the OLDER worms, which scan every subnet NEAR yours, but not yours..

I guess you could try Rootkit Revealer and/or Unhackme ? and a hijackthis or ASViewer log to look for anything suspicious..

 

Crazym:
No, I think it only uses Username and password.

Gavin:
Yeah, I'm fully patched.
Unhackme didn't find anything, but, RootkitRevealer found this:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 12/10/2004 12:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\a347scsa\Config\jdgg40 2/28/2005 3:59 AM 0 bytes Hidden from Windows API.
SYSTEM 1/1/1601 2:00 AM 0 bytes Error dumping hive: Internal error.
It also found LOTS of files (About 70,000) with KAVICHS which from my understanding is a legit KAV stream.

ASViewer log at hxxp://dardasaba.spymac.net/asviewer.txt

 

You will soon see that I was right...

 

If you haven't already done so, you might try scanning the system in SafeMode with TDS and an AV. I would also suspect your current AV install so it might be worthwhile to try TrendMicro's Sysclean and their full definition set as that would not require a prior install.

TrendMicro Definitions

Sysclean

Not sure about the rootkit revealer output but the asviewer output seems clean to me

 

Those KAVICHS are indeed NTFS ADS streams created by KAV.

 

Ok, I'll try that, Dan. Thanks.

Meanwhile, Gavin, do you have any guesses as to which worm it may be?

 

Too many to remember. It wouldn't be a known one anyway, or you would be detecting it. But the Mydoom worms did this, and the source is open..

 

I hope this allows me to post anon.

sysinternals process explorer reportedly allows you to see which process are listed as dependancies of svchost (which processes are hiding behind it).

My first response in this case would be to go pick up process explorer and look for suspicious binaries using it. Kill the suspicious ones until the ports stop being opened, then google the process name, its folder name, and search your registry for refrences to it and google any terms that come up there.

End of that process you should have your malware identified, removing it should be posted somewhere on the net.