From: Lorimerc on 10 Jun 2005 09:45

Hi,

I have an XP machine which is making multiple connections to my domain controller over epmap, is this normal? I'm concerned I have a virus, the number of connections keep rising and rising:

I've done a full virus scan, ad-aware and spybot and found nothing, I've also run HijackThis and have pasted the results below:

domain_controller:epmap XPCLIENT:1059 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1064 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1067 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1081 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1084 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1089 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1092 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1095 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1099 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1111 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1114 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1117 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1121 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1133 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1141 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1146 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1151 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1154 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1157 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1160 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1165 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1175 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1180 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1183 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1187 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1190 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1193 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1196 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1199 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1222 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1226 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1230 ESTABLISHED

Here are the results of the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:53, on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Windows\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\Windows\system32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\HPBPRO.EXE
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://miranda.hemscott.com/servlet/HsPublic?context=premium.home&path=premium&service=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CEBdc - https://www1.boi-bol.com/jsp/payments/dcApplet.cab
O16 - DPF: CEBdep - https://www1.boi-bol.com/jsp/payments/dcDependencies.cab
O16 - DPF: {05AAC5FF-6DD0-44A5-B978-4FF1E762BE6A} (RNSTestControl.ActiveXTest) - http://www.londonstockexchange.com/rns/survey/RNSTestControl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TepnelPLC.Tepnel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = TepnelPLC.Tepnel.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TepnelPLC.Tepnel.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TepnelPLC.Tepnel.co.uk
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\Windows\System32\WFXSVC.EXE

Is this normal or do I have a problem?

Thanks,

Chris
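Added example, not code from this thread: a small Python triage script that parses netstat rows in the format Chris pasted (no header, first row missing its "TCP"), counts ESTABLISHED sessions per local service and peer, and flags any peer holding many sessions to one service. The service-name table, the threshold and the sample rows (the thread's first three plus two constructed ones) are assumptions.

```python
import re
from collections import Counter

# Service names netstat prints when run without -n; epmap is the RPC
# endpoint mapper on TCP 135 (the port in the thread's listing).
SERVICE_PORTS = {"epmap": 135, "ldap": 389, "microsoft-ds": 445}
# netstat row: [proto] local:port remote:port state. The proto column is
# optional because the first pasted row in the thread lost its "TCP".
# Hostnames/IPv4 only: an IPv6 literal would not match [^\s:]+.
LINE_RE = re.compile(
    r"^\s*(?:(?:TCP|UDP)\s+)?(?P<lhost>[^\s:]+):(?P<lport>\S+)\s+"
    r"(?P<rhost>[^\s:]+):(?P<rport>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)

def port_number(token):
    """Map 'epmap' or '1059' to an int; unknown service names give None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token.lower())

def parse_netstat(text):
    """Return one dict per connection row; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"], d["rport"] = port_number(d["lport"]), port_number(d["rport"])
            rows.append(d)
    return rows

def sessions_per_peer(rows, state="ESTABLISHED"):
    """Count sessions in `state`, keyed by (local host, local port, peer)."""
    return Counter((r["lhost"], r["lport"], r["rhost"])
                   for r in rows if r["state"] == state)

def flag_fanout(counts, threshold):
    """Peers holding >= threshold sessions to one local service, largest first."""
    return sorted(((k, n) for k, n in counts.items() if n >= threshold),
                  key=lambda kv: -kv[1])

# Constructed sample in the thread's format: its first three epmap rows,
# one LDAP session from the same client, and an unrelated TIME_WAIT row.
SAMPLE = """\
domain_controller:epmap XPCLIENT:1059 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1064 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1067 ESTABLISHED
TCP domain_controller:ldap XPCLIENT:1070 ESTABLISHED
TCP domain_controller:epmap OTHERPC:1080 TIME_WAIT
"""
if __name__ == "__main__":
    hits = flag_fanout(sessions_per_peer(parse_netstat(SAMPLE)), threshold=3)
    for (lhost, lport, peer), n in hits:
        print(f"{peer} holds {n} ESTABLISHED sessions to {lhost}:{lport}")
```

Run it against a saved `netstat -an` capture from the DC to see which client is holding the sessions; run it on the client side too, since a session count that only grows is what separates normal RPC use from a stuck or misbehaving process.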
From: David H. Lipman on 10 Jun 2005 09:58
From: "Lorimerc" <Lorimerc(a)discussions.microsoft.com>

| Hi,
|
| I have an XP machine which is making multiple connections to my domain
| controller over epmap, is this normal? I'm concerned I have a virus, the
| number of connections keep rising and rising:
|
| I've done a full virus scan, ad-aware and spybot and found nothing, I've
| also run HijackThis and have pasted the results below:
|
| domain_controller:epmap XPCLIENT:1059 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1064 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1067 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1081 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1084 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1089 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1092 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1095 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1099 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1111 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1114 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1117 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1121 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1133 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1141 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1146 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1151 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1154 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1157 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1160 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1165 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1175 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1180 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1183 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1187 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1190 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1193 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1196 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1199 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1222 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1226 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1230 ESTABLISHED
|
| Here are the results of the HijackThis log:
| Logfile of HijackThis v1.99.1

< HJT log snipped >

| Is this normal or do I have a problem?
|
| Thanks,
|
| Chris

Chris:

I suggest you download TCPVIEW from SysInternals -- http://www.sysinternals.com/Utilities/TcpView.html

It is a free GUI utility that is similar to NETSTAT but is a dynamic GUI utility and will show more information and not just a snapshot of what NETSTAT sees for that moment you execute it.

I suggest using TCPVIEW on both the XPCLIENT and the domain_controller. You need to examine the activity of both the server and the workstation.

The HJT log did not indicate anything suspicious.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm