Suspicious Port 135 Outgoing activity

coomarlin

Senior member
Dec 19, 2000
For the last 2 weeks my broadband cable connection has not been up to par. For the last 4-5 years I've had rock solid 2800/256 service. But about 2 weeks ago I began experiencing intermittent service. For instance, I'd download a 15MB file from Microsoft and about every 4-5 MB it would pause for maybe up to 2 minutes and then resume. Pause....Resume and so on. Surfing also became a problem. I might click on an Anandtech link and immediately I was taken to the page. I might click three more links with no problems. The 4th link I click, the page would search and search only to later time out. After the time out I'd click the link again and it would load immediately.

Anyway, I called my cable company tech support to see if maybe a node/router/switch in my area of town might be bad and after some researching they found no issues with their service. I called my friend down the road and he said his connection was fine. So I concluded the problem was on my end somewhere. I use Norton Antivirus 2002 and my year subscription was about to expire so I thought what the heck, I'll reformat Windows XP and that would fix the issue. Long story short, I reformatted my C drive and installed XP from scratch. I thought for sure it would cure my internet woes but it didn't. I downloaded Firefox and tried it. Nice browser and all but I still had the same problems I have with IE. I installed all available updates from Windows Update.

So as a last ditch resort I called my cable company's tier 2 support and I ran some tests for him. The first test I went to toast.net to test my bandwidth. The first test showed 1050 kbs down. The second test showed 2700 kbs down. He became suspicious. He tested my signal strength and said it looked fine. The communication with the modem seemed fine. He then noticed a ridiculous amount of outgoing packets sent from my computer on port 135. He immediately suspected a virus. I told him that I had been using virus protection and that I also did a clean install of Windows just 1 day earlier. He sent me an email that tested my ports somehow and it looked like this:

Action | Entry | Direction (Inbound or Outbound Traffic) | Interface | Source IP Match | Source IP Mask | Source Port Low | Source Port High | Dest IP Match | Dest IP Mask | Dest Port Low | Dest Port High | Protocol to Match | Times Matched
Discard | 1 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | UDP | 0
Discard | 1 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 67 | 67 | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | UDP | 0
Discard | 1 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 69 | 69 | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | UDP | 0
Discard | 1 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 80 | 80 | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | TCP | 0
Discard | 0 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 135 | 139 | UDP | 771
Discard | 0 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 135 | 139 | TCP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 161 | 162 | UDP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 445 | 445 | UDP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 445 | 445 | TCP | 8
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 520 | 520 | UDP | 0
Discard | 1 | Inbound | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 1433 | 1434 | UDP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 1900 | 1900 | UDP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 27374 | 27374 | TCP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 39213 | 39213 | UDP | 0
Discard | 1 | Both | All | 0.0.0.0 | 0.0.0.0 | 0 | 65535 | 0.0.0.0 | 0.0.0.0 | 3128 | 3128 | UDP | 0


He said the 5th line down showed 771 packets and that was way too high. He suspected a virus or some spyware was sending stuff out on that port and that would explain my intermittent service.

I reinstalled both Norton and Ad-Aware. I did thorough scans and found absolutely nothing.

Now I have no idea what to do. I ran a port scan at broadband reports and it said my setup looked healthy and it could not see any of my ports so I should be good in terms of incoming traffic.

I do have a second hard drive (D:) on my system that I did not reformat. I guess it's theoretically possible that a virus could reside on that drive and cause problems, but a full scan by Norton found it to be clean. I guess my other options are that the modem itself might be bad? Or the network card itself might be bad? I've run out of ideas.

Anyone have any ideas on what's going on here?
 
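A small parser for a filter table in the format the tech e-mailed, added here as an example and not something from the thread or from any modem vendor: it reads the rows as whitespace-separated records, keeps only the rules whose counter is non-zero, and spells out direction and destination port range, which is the check that shows the 771 count belongs to an inbound UDP rule for ports 135-139 that the modem discarded, not to outgoing traffic from the PC. The column order and the subset of rows are taken from the post; the class and function names are my own.

```python
"""Parse a cable-modem packet-filter table (as e-mailed by the ISP tech) and
report which rules actually matched traffic, with direction and port range."""
from dataclasses import dataclass

# Rows copied from the post, header dropped (a subset is enough). Each row is
# one whitespace-separated record: action, entry, direction, interface, src ip,
# src mask, src port low/high, dst ip, dst mask, dst port low/high, proto, hits.
FILTER_TABLE = """\
Discard 1 Inbound All 0.0.0.0 0.0.0.0 80 80 0.0.0.0 0.0.0.0 0 65535 TCP 0
Discard 0 Inbound All 0.0.0.0 0.0.0.0 0 65535 0.0.0.0 0.0.0.0 135 139 UDP 771
Discard 0 Inbound All 0.0.0.0 0.0.0.0 0 65535 0.0.0.0 0.0.0.0 135 139 TCP 0
Discard 1 Both All 0.0.0.0 0.0.0.0 0 65535 0.0.0.0 0.0.0.0 445 445 TCP 8
Discard 1 Both All 0.0.0.0 0.0.0.0 0 65535 0.0.0.0 0.0.0.0 1433 1434 UDP 0
"""

DIRECTION_WORDS = {"Inbound": "inbound", "Outbound": "outbound",
                   "Both": "inbound or outbound"}

@dataclass(frozen=True)
class FilterRule:
    action: str
    direction: str
    dst_port_low: int
    dst_port_high: int
    protocol: str
    times_matched: int

def parse_table(text: str) -> list[FilterRule]:
    """One rule per non-empty line; a row with the wrong column count is an error."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if len(f) != 14:
            raise ValueError(f"expected 14 columns, got {len(f)}: {line!r}")
        rules.append(FilterRule(f[0], f[2], int(f[10]), int(f[11]), f[12], int(f[13])))
    return rules

def matched_rules(rules: list[FilterRule]) -> list[FilterRule]:
    """Only the rules that saw traffic, busiest first."""
    return sorted((r for r in rules if r.times_matched > 0),
                  key=lambda r: r.times_matched, reverse=True)

def describe(rule: FilterRule) -> str:
    """Plain-English reading of a rule's counter, direction included."""
    return (f"{rule.times_matched} {DIRECTION_WORDS[rule.direction]} {rule.protocol} "
            f"packets to ports {rule.dst_port_low}-{rule.dst_port_high} "
            f"were {rule.action.lower()}ed by the modem")
```

Running `describe` over `matched_rules(parse_table(FILTER_TABLE))` prints one line per rule that saw traffic, the 135-139 UDP rule first.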

Genx87

Lifer
Apr 8, 2002
I am a little confused. Your matrix shows the 771 on an inbound path???

Anywho try to download something like Ad-aware. It typically seems to find malware and spyware much better than any AV suite can.

Also see if your router can block ports for specific IP addys. Once a trojan gets on your machine from behind NAT, you don't have to have any ports opened or forwarded for it to affect your machines.

btw the listing for port 135 is a DCE resolution and 139 is a netbios session.

Do you have netbios installed on your nic?

 

coomarlin

Senior member
Dec 19, 2000
I never noticed it said inbound. I must have misinterpreted the matrix. The tech I talked to indicated it was outgoing packets. Now I'm a little confused.

As for Ad-Aware, I mentioned above that I did do complete scans and it found nothing other than a few tracking cookies. I deleted them, but it didn't help anything. Also, I DO NOT have NetBIOS installed. TCP only.

If those are in fact incoming packets does that mean someone is trying to hack me? Would changing my IP help that?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
1) do you have a router (if so, what brand/model)

2) do you have a software firewall

3) are there other computers inside your "perimeter" (sharing your internet connection)

4) do you have SP2 installed on WinXP

5) what version of Norton do you use now, 2002?

6) do you have risk factors (warez, etc) that could be bringing the junk in?


A fresh WinXP install is pretty easy to exploit and if you want to take another run at it, you might want to follow these suggestions, including the ones under the ongoing prevention section. People are not very enthusiastic about using a Limited account, but at least give it a try... it's like wearing your seatbelt when you drive. :D

If you could post your HJT log output here, that might shed some light on it: HJT 1.99
 

coomarlin

Senior member
Dec 19, 2000
Originally posted by: mechBgon
1) do you have a router (if so, what brand/model)

2) do you have a software firewall

3) are there other computers inside your "perimeter" (sharing your internet connection)

4) do you have SP2 installed on WinXP

5) what version of Norton do you use now, 2002?

6) do you have risk factors (warez, etc) that could be bringing the junk in?


A fresh WinXP install is pretty easy to exploit and if you want to take another run at it, you might want to follow these suggestions, including the ones under the ongoing prevention section. People are not very enthusiastic about using a Limited account, but at least give it a try... it's like wearing your seatbelt when you drive. :D

If you could post your HJT log output here, that might shed some light on it: HJT 1.99

To answer your questions:
1) No Router
2) I'm using Windows XP Firewall
3) No other computers in my household
4) Yes. My Windows XP install disk has SP2 integrated into it. And I install the remaining few updates from Windows Update immediately after install.
5) Norton Antivirus 2002 with continually updated virus defs.
6) Before my reinstall I used Shareaza occasionally, but since the reformat I haven't installed it. No Warez sites.

I ran Hijack This and this is the log file:


Logfile of HijackThis v1.99.0
Scan saved at 5:44:38 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1103917711078
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


It's pretty cryptic to me and I really don't see anything out of the ordinary. Do you? As I stated above, XP SP2 is installed during the install. When I run Windows Update there are only a handful of updates available to me.
 

coomarlin

Senior member
Dec 19, 2000
Also, I just downloaded AntiVir 6.0 from the site you listed and did a complete scan with it. It did not find anything. So right now I've used AntiVir, NAV, and Ad-Aware and did not find anything alarming.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Can I suggest giving up on Norton 2002 already :) The engine is scary-out-of-date by now, no adware/spyware/Trojan/dialer detections. You can hook yourself up with a free 15-day trial of Norton 2005 to see if you like it: link

If I were so fortunate as to have broadband, I'd block all unnecessary ports in both directions for TCP and UDP and just leave open the ones that I need for a valid reason, such as

20 & 21 FTP
25 SMTP email
53 DNS
80 web
110 POP3 email
123 NTP (allows Windows to sync to outside time servers)
443 SSL secured web
3389 if needed for remote desktop connection

and set up port triggering for ports needed for online gaming. You could do all of that very simply with a Netgear RP614 for about $30-40. If your machine did catch something, it would at least serve as damage control.

I pasted your HJT log results into this thingie and it tagged a few of them as unnecessary, but none as being known-bad stuff. You might also double-check that your Windows Firewall has no exceptions allowed, or at least none except those you really want. Couldn't hurt to fully enable DEP either.

That said, your sporadic Internet dropouts (like the occasional link not working, for example) sound like they could be simply a DNS server not responding. Once in a while my ISP will have one of their two DNS servers go down, and I experience some of the same thing. You can find your DNS servers' addresses by using the ipconfig /all command in a command-prompt window (Start > Run > cmd), then ping their IP addresses and see if they're responsive or not, next time it occurs.
 

coomarlin

Senior member
Dec 19, 2000
Once again thanks for the help. As I mentioned my cable service informed me that they are unaware of any problems and have not had any other reports like mine. And also my neighbors aren't having any issues with the broadband. So I'm pretty certain it's not a DNS issue.

I tried pasting my file into that website you listed and it actually did show two of the entries as possibly nasty
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

I made a backup and then deleted them to see if that made any difference. It didn't.

I took a closer look at my Windows firewall and it seems that I don't have any unnecessary ports enabled. Just the basics that you have listed above.

Could a bad modem or NIC cause this problem? Or is it surely a software issue?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
When I had cable, they never admitted to a failure of anything on their end either :evil: "Oh gee, we'll have to schedule a guy to come out," and a couple hours later my modem would sync up again. Whatever...

I could entertain the idea of a NIC issue, or maybe even your modem losing its connection to the mother ship (but presumably you would notice it losing its connection and syncing up again). If you had another NIC laying around, that would be easy enough to try... pull the plug on the modem, hook the new NIC up to it, and power up your modem again so it will take the new NIC.
 

coomarlin

Senior member
Dec 19, 2000
Just a quick note. I was preparing to head to Staples today and pick up a router/firewall. But before I left I thought I'd run to my cable office and pick up a new modem. I exchanged my 5 year old Tyrallion (sp?) for a new Motorola Surfboard. It seems to have fixed the problem. (Crosses fingers). In about 20 minutes of surfing it hasn't timed out and I began downloading XP SP2 from Microsoft's website as a test and it hasn't stopped so far after 140MB.

I'm still going to go pick up the firewall router just for the added security. I'll let you know if my problems come back.
 

coomarlin

Senior member
Dec 19, 2000
I bought the Netgear WGR614 v5 from Staples today for $29.99 after MIR. Not too bad. It installed without a hitch and seems rock solid. I ran a port scan at broadband reports and it turned out good. Are there any other sites I can use to test the firewall?

As I mentioned yesterday, the modem replacement fixed my intermittent internet problem. I'm glad that's done and over with. I'm cruising along just fine now at ~3000/256.
 

Chunkee

Lifer
Jul 28, 2002
glad it worked out for you....sometimes, it is just the basic things like hardware, that are the culprit

jC