mysterious open ports


TomH

Can anyone please tell me why my system has opened all of
these UDP ports (output from MS PortReporter):
==========================================
Operating System: Windows XP
TCP/UDP Port to Process Mappings at service start-up
22 mappings found
PID:process Port Local IP State Remote IP:port
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
888:svchost.exe UDP 1935 127.0.0.1 *:*
888:svchost.exe UDP 1937 127.0.0.1 *:*
888:svchost.exe UDP 1938 127.0.0.1 *:*
888:svchost.exe UDP 1940 127.0.0.1 *:*
888:svchost.exe UDP 1941 127.0.0.1 *:*
888:svchost.exe UDP 1943 127.0.0.1 *:*
888:svchost.exe UDP 1944 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
944:svchost.exe UDP 1206 0.0.0.0 *:*
944:svchost.exe UDP 1617 0.0.0.0 *:*
944:svchost.exe UDP 3182 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
1500:iexplore.exe UDP 2885 127.0.0.1 *:*
1684:iexplore.exe TCP 3455 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe TCP 3456 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
1684:iexplore.exe UDP 3312 127.0.0.1 *:*
=======================

I only have these applications running: IE and Outlook Express.
I deactivated netbios over tcpip to minimize attack surfaces, and all my
anti spyware, antitrojan, and other
security ware say my system is clean, so I'm puzzled by all these open
ports.
Please help.
 

David H. Lipman

Please try another tool...

1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt351.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode then shutdown as many applications as possible.
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html




 

David H. Lipman

You had the Java/ByteVerify Exploit Trojan.

JAVA is JAVA and the Sun Java was infected. I have seen this before, nothing new (to me at
least)

Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-72615c50-5f72dbb6.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4f7a6e50-5a280a80.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-36d0366-38625aff.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-607cb935.zip,(Installer.class)
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5d0f29c3.zip,(Parser.class)

Often the .CLASS files are in ZIP files in the Java JAR or .CLASS files in the FILE cache so
it is a good idea to go to the Java Control Panel applet and select the "clear the cache"
function.

On another note, NETSTAT is a good Command Line utility but it is a static view, basically a
momentary snapshot. A better tool is a GUI called TCPView.exe --
http://www.sysinternals.com/ it will display the active changes in UDP and TCP and will
show the executable opening the port.

Thanx for posting the SYSCLEAN.LOG file !

--
Dave
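A small parser for the Sysclean log lines quoted above, added here as an example (it is not part of the thread and not Trend Micro's code). It counts what the log itself records as cleaned, independent of the scan summary, and reports whether the hits sit in the Sun Java Deployment cache, where the "clear the cache" step applies; the sample lines are constructed in the posted format, with the non-Java hit and the "Scanning" line invented for contrast.

```python
"""Extract detections from a Trend Sysclean log in the format quoted in the thread.

Added example, not part of the original thread or of Trend Micro's tooling.
The line shape "Success Clean [ NAME]( n) from PATH[,(MEMBER)]" is taken from
the posted log excerpt; a MEMBER in parentheses names a class inside an archive.
"""
import re
from collections import Counter

# Constructed sample in the posted format. The first two paths are the ones
# quoted in the thread; the third hit and the "Scanning" line are invented.
SAMPLE_LOG = r"""
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-72615c50-5f72dbb6.class
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-607cb935.zip,(Installer.class)
Success Clean [ EXAMPLE_OTHER.B]( 1) from C:\Temp\dropped.exe
Scanning C:\WINDOWS\system32 ...
"""

DETECTION_RE = re.compile(
    r"^(?P<result>\w+)\s+(?P<action>\w+)\s+\[\s*(?P<name>[^\]]+?)\s*\]"
    r"\(\s*(?P<count>\d+)\)\s+from\s+(?P<path>.+?)(?:,\((?P<member>[^)]+)\))?$"
)

# Case-insensitive marker for the Sun Java Deployment cache directory.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_detections(log: str) -> list[dict]:
    """Return one dict per detection line; lines that do not match are ignored."""
    hits = []
    for line in log.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()          # member is None when no archive entry is named
        d["count"] = int(d["count"])
        d["in_java_cache"] = JAVA_CACHE_MARKER in d["path"].lower()
        hits.append(d)
    return hits


def summarize(log: str) -> dict:
    """Aggregate the log's own detection records into a short triage summary."""
    hits = parse_detections(log)
    by_name = Counter(h["name"] for h in hits)
    cleaned = sum(h["count"] for h in hits
                  if h["result"] == "Success" and h["action"] == "Clean")
    in_cache = sum(1 for h in hits if h["in_java_cache"])
    archived = sum(1 for h in hits if h["member"])
    return {
        "detections": len(hits),
        "cleaned": cleaned,
        "by_name": dict(by_name),
        "in_java_cache": in_cache,
        "inside_archives": archived,
        # Hits in the deployment cache mean the Java Control Panel cache clear
        # is worth doing even after the scanner reports a successful clean.
        "clear_java_cache": in_cache > 0,
    }
```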




| David, I did all of that. The summary says nothing found, but in the
| logfiles it seems to describe the removal of a java virus. But this virus
| is supposed to infect the MS java VM, which I don't have. I have the Sun
| Java implementation.
| Also there seems to have been a lot of problems accessing files, "Access
| denied", but the account under which I ran this has full admin privs, so it
| seems inconsistent. In any case, I have attached the sysclean.log text file
| (and that text file only) for you to look at. Please let me know what your
| opinion is.
| Thank you for your useful help.
 

TomH

Dave, thanks again.
Are you sure? Why did that av app not list that in the "viruses found"
category?
I don't use java for anything other than a cute little applet-in-a webpage
that calculates and displays the current position of the ISS, so I took it
right out.
Any idea why all my other av apps missed it? And, any idea what this one
does as a payload? or is it under complete control of its maker?

Thanks again

 

David H. Lipman

TomH:

Yes, I am sure...

I have no idea why the others miss the Java/ByteVerify. Maybe it is out of date, maybe it
isn't scanning archive files, maybe the AV software was shutdown when it was infected. I
don't know.
But is the following patch on your PC --
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

Information below...
Exploit-ByteVerify -- http://vil.nai.com/vil/content/v_100261.htm

Finally I have attached a McAfee Scan Report log file in HTML format showing a similar
infection.

--
Dave




 

TomH

Dave

I checked out the tools at SysInternals that you suggested --- I'm
impressed. ProcessExplorer is the killer --- all the inter-dependencies and
relationships between threads, processes, applications and services
displayed in one place instead of four or five different utilities is very
useful.
Having seen all the inter-dependencies now, I'm inclined to agree that those
ports are legit --- I can see what's what now with that tool, and yes, they
are just little system processes that have the ports open to do things like
manage DCOM, remote proc calls, network time protocol, and stuff like that.
Thx.

Regards, Tom



 

David H. Lipman

You're welcome Tom !

Anytime.

--
Dave




 
