100+ svchost sockets

Discussion in 'Port Explorer' started by Dardasabaa, Mar 18, 2005.

Thread Status:
Not open for further replies.
  1. Dardasabaa

    Dardasabaa Guest

    Hello,

    This started a few weeks ago when I noticed horrible CPU performance and my Sygate firewall taking up 20% CPU +-. I tried using System Restore but it told me it couldn't roll back successfully (typical). Before that, my CPU usage was at a steady 0%; now it averages 10%, making everything slow and non-responsive.
    Here are the specs:
    CPU: Intel Pentium 4 2.4GHz
    RAM: 1024MB (512x2) dual channel DDR 400 MHz
    Display: ATI Radeon X800 Pro, 256MB, 256-bit
    Windows XP Pro SP2

    Well, enough chatter, here's what port explorer is showing.
    http://dardasaba.spymac.net/port1.JPG
    http://dardasaba.spymac.net/port2.JPG
    http://dardasaba.spymac.net/port3.JPG
    http://dardasaba.spymac.net/port4.JPG

    I tried setting up Sygate rules to block those ports but that didn't seem to have any effect.
    I ran all the AV,Spyware,adware,trojan scans I could think of and couldn't find anything apart from a few cookies that I've deleted.
    Please help, I'm clueless.

    P.S.
    I am registered here, I just forgot my password :(
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    I take it you did every possible scanning, rebooted and it all came back?
    Seeing you using mIRC I get very suspicious...
    They all have the same PID 1088, no traffic and no creation date/time for the sockets, only the parent.
    Killing the process probably doesn't work either, and might not be a good idea.
    You could kill those sockets one by one, by the way, and have them blocked from sending traffic. Maybe you should first temporarily disable sending in the parent process at the top of that whole row so you can kill the sockets below it, and enable traffic in the parent again after that.
    Never seen the behavior before.
     
    Last edited: Mar 18, 2005
  3. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
  4. Dardasabaa

    Dardasabaa Guest

    Thank you both for your reply.

    "i take it you did every possible scanning, rebooted and it all came back?"
    - Yes, several times.

    "Seeing you using mIRC I get very suspicious..."
    - I never accept files from people I don't trust, nor do I run any ($decode) commands given by spambots, if that is your concern.

    "You could kill those sockets, btw, one by one"
    - I tried that; it doesn't help much. They just reopen after a little while.

    By the way, I recently restarted before I took those screenshots, so there were relatively fewer sockets than usual.

    Now that I checked it again, it has gotten to 250 system sockets...


    Thanks for the link, siliconman01. But I don't think this is the case as I have all remote access services and settings disabled.
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Have you tried blocking incoming TCP and UDP for port 135 using your software firewall? I've got mine blocked on Windows XP-SP2, cable modem, and everything works just fine. I don't use MIRC or AIM however. Might be worth a try just to see what happens ;)
     
  6. Dardasabaa

    Dardasabaa Guest

    Yup, I tried that already. It doesn't make the sockets disappear though, even after restarts.
     
  7. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75

    Attached file: WWDC.jpg (48.3 KB)
  8. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    If my memory serves me correctly, these are processes that have already closed and Windows has not yet released them. Although they appear to be running/connected, they are not. This is a Windows error. I read this in PE's manual or on this website a few days ago. I have the same issue and don't run mIRC or any type of instant messaging/chat.

    This applies to any process with an * (asterisk) in front of it.
     
  9. Dardasabaa

    Dardasabaa Guest

    Thank you for the fine program, BourgePD.

    I've disabled DCOM and RPC Locator; however, my internet connection stops working if I disable NetBIOS... ugh.
    Looking at the screenshots, you can see most of it is port 135 (DCOM), and now that it is disabled it doesn't seem to appear; there are only 19 system sockets open. I'll see if this is temporary because of the recent restart or a permanent fix. Thanks again.

    Snook:
    Well, that bug seemed to have driven my firewall crazy.
    Have you noticed any performance issues?
    Thanks for the info.
     
  10. Dardasabaa

    Dardasabaa Guest

    It's been at least 12 hours since the restart and the number of system sockets is at 19, yay.

    Does anyone know why my internet connection won't work if I disable NetBIOS? (Cable connection)
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    What type of login/authentication process does your ISP use? Anything to do with your computer name?

    Regards,

    CrazyM
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It looks like your machine is scanning for other vulnerable machines. Aren't you fully patched? The strange thing is that this looks like one of the OLDER worms, which scan every subnet NEAR yours, but not yours..

    I guess you could try RootkitRevealer and/or UnHackMe, and a HijackThis or ASViewer log to look for anything suspicious..
     
  13. Dardasabaa

    Dardasabaa Guest

    Crazym:
    No, I think it only uses Username and password.

    Gavin:
    Yeah, I'm fully patched.
    UnHackMe didn't find anything, but RootkitRevealer found this:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 12/10/2004 12:52 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SYSTEM\ControlSet001\Services\a347scsa\Config\jdgg40 2/28/2005 3:59 AM 0 bytes Hidden from Windows API.
    SYSTEM 1/1/1601 2:00 AM 0 bytes Error dumping hive: Internal error.
    It also found LOTS of files (about 70,000) with KAVICHS, which from my understanding is a legit KAV stream.

    ASViewer log at hxxp://dardasaba.spymac.net/asviewer.txt
     
  14. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182

    You will soon see that I was right...
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    If you haven't already done so, you might try scanning the system in Safe Mode with TDS and an AV. I would also suspect your current AV install, so it might be worthwhile to try Trend Micro's Sysclean and their full definition set, as that would not require a prior install.

    TrendMicro Definitions

    Sysclean

    Not sure about the RootkitRevealer output, but the ASViewer output seems clean to me.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Those KAVICHS are indeed NTFS ADS streams created by KAV.
     
  17. Dardasabaa

    Dardasabaa Guest

    Ok, I'll try that, Dan. Thanks.

    Meanwhile, Gavin, do you have any guesses as to which worm it may be?
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Too many to remember. It wouldn't be a known one anyway, or you would be detecting it. But the Mydoom worms did this, and the source is open.. :(
     
  19. anon

    anon Guest

    I hope this allows me to post anon.

    Sysinternals Process Explorer reportedly allows you to see which processes are listed as dependencies of svchost (which processes are hiding behind it).

    My first response in this case would be to go pick up Process Explorer and look for suspicious binaries using it. Kill the suspicious ones until the ports stop being opened, then google the process name and its folder name, and search your registry for references to it and google any terms that come up there.

    At the end of that process you should have your malware identified; how to remove it should be posted somewhere on the net.
     
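Added example (not code from Port Explorer, DiamondCS or any poster in this thread): the two triage steps discussed above, counting which process holds the sockets (Jooske's "all the same PID 1088") and checking whether that process is reaching out to the same port on many hosts in neighbouring subnets (Gavin's reading of the screenshots), can be done offline from plain `netstat -ano` and `tasklist /svc` output, the second of which also shows which services a given svchost PID is hosting, as the anonymous poster suggests looking up. The sample outputs embedded below are constructed to resemble that symptom and are not captures from the poster's machine; column layout is assumed to match the Windows XP format of those two commands.

```python
"""Per-PID socket triage from Windows `netstat -ano` and `tasklist /svc` text.

Added example for this thread; not code from Port Explorer, DiamondCS or any
poster. Both sample outputs below are CONSTRUCTED to mimic the symptom under
discussion (one svchost PID holding many half-open TCP connections to port
135 on hosts in /24 networks adjacent to the local one).
"""
import re
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (XP column layout assumed).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1088
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1031      192.168.2.17:135       SYN_SENT        1088
  TCP    192.168.1.10:1032      192.168.2.18:135       SYN_SENT        1088
  TCP    192.168.1.10:1033      192.168.3.5:135        SYN_SENT        1088
  TCP    192.168.1.10:1034      192.168.3.6:135        SYN_SENT        1088
  TCP    192.168.1.10:1035      192.168.3.7:135        SYN_SENT        1088
  TCP    192.168.1.10:2501      64.233.187.99:80       ESTABLISHED     2244
  UDP    0.0.0.0:500            *:*                                    736
"""

# Constructed `tasklist /svc` output; service lists are kept on one line here
# (real output can wrap long lists onto continuation lines, not handled).
TASKLIST_SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
lsass.exe                    736 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                 1088 RpcSs
svchost.exe                 1120 AudioSrv, Browser, CryptSvc, Dhcp, dmserver
firefox.exe                 2244 N/A
"""


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:                      # UDP lines carry no State column
            proto, local, foreign, pid = parts
            state = ""
        sockets.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": int(pid)})
    return sockets


def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc` text."""
    procs = {}
    row = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")   # header/separator never match
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue
        svc = m.group(3).strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group(2))] = (m.group(1), services)
    return procs


def socket_summary(sockets, procs):
    """Per PID: image, hosted services, socket total and count per state."""
    summary = {}
    for s in sockets:
        image, services = procs.get(s["pid"], ("<unknown>", []))
        entry = summary.setdefault(s["pid"], {"image": image, "services": services,
                                              "total": 0, "by_state": defaultdict(int)})
        entry["total"] += 1
        entry["by_state"][s["state"] or "UDP"] += 1
    return summary


def _host_port(addr):
    host, _, port = addr.rpartition(":")
    return host, port


def detect_scan_pattern(sockets, min_hosts=4):
    """Flag (pid, remote port) pairs with SYN_SENT connections to >= min_hosts
    distinct hosts, and report whether the local /24 is among the targets."""
    targets, local_nets = defaultdict(set), set()
    for s in sockets:
        if s["proto"] != "TCP" or s["state"] != "SYN_SENT":
            continue
        lhost, _ = _host_port(s["local"])
        rhost, rport = _host_port(s["foreign"])
        local_nets.add(ipaddress.ip_network(lhost + "/24", strict=False))
        targets[(s["pid"], rport)].add(rhost)
    findings = []
    for (pid, rport), hosts in sorted(targets.items()):
        if len(hosts) < min_hosts:
            continue
        nets = {ipaddress.ip_network(h + "/24", strict=False) for h in hosts}
        findings.append({"pid": pid, "remote_port": rport, "hosts": len(hosts),
                         "subnets": sorted(str(n) for n in nets),
                         "includes_local_subnet": bool(nets & local_nets)})
    return findings


if __name__ == "__main__":
    socks, procs = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for pid, e in sorted(socket_summary(socks, procs).items()):
        print(f"PID {pid:>5} {e['image']:<14} sockets={e['total']:<3} "
              f"states={dict(e['by_state'])} services={e['services']}")
    for f in detect_scan_pattern(socks):
        print("half-open fan-out:", f)
```

Against the constructed sample this attributes six sockets to PID 1088 (hosting only RpcSs), five of them SYN_SENT to port 135 across 192.168.2.0/24 and 192.168.3.0/24 while the local 192.168.1.0/24 is untouched, which is the pattern Gavin describes. On a real box, feed it saved `netstat -ano` and `tasklist /svc` output; a high count alone is not conclusive (Snook's point about not-yet-released sockets still applies), so read the state breakdown together with the fan-out finding.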