Windows 2000 Pro SP4 - Chattering NIC


Nick Dangr

I need a little insight here.

I have a Windows 2000 Pro SP4 machine (with the latest updates) that
seems to have periods where it's sending out a lot (and I mean a LOT) of
internet traffic on ports 135 and 445 (which thanks to a little
research seem to have something to do with file and print sharing).

I ran CommView on the machine and noted it's hitting about 50 or so
different computers on the web. My suspicions are some kind of worm or
trojan but Symantec Antivirus Enterprise and Pest Patrol find nothing.
In addition Microsoft Antispyware isn't seeing anything either.

I'm at a loss... anyone offer some help?

Please?

Regards

Ben
 
From a command prompt;

netstat -aon

now match up the PID > Image name found in Task Manager|Processes tab

For services;
tlist -s
now match up the PID > Image name

You can extract the tlist.exe utility from the Support.cab file in the
Windows 2000 installation CD's Support\Tools folder.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
|I need a little insight here.
|
| I have a Windows 2000 Pro SP4 machine (with the latest updates) that
| seems to have periods where it's sending out a lot (and I mean a LOT) of
| internet traffic on ports 135 and 445 (which thanks to a little
| research seem to have something to do with file and print sharing).
|
| I ran CommView on the machine and noted it's hitting about 50 or so
| different computers on the web. My suspicions are some kind of worm or
| trojan but Symantec Antivirus Enterprise and Pest Patrol find nothing.
| In addition Microsoft Antispyware isn't seeing anything either.
|
| I'm at a loss... anyone offer some help?
|
| Please?
|
| Regards
|
| Ben
|
 
took forever to reply - sorry about that and thanks very much for the
reply

I got the tlist... handy little utility.

I tried the netstat -aon and got an error - the "o" option doesn't
appear to be present in my netstat. I did run a netstat -an but no
PIDs were listed.

Am I doing something wrong?
 
I don't have Windows 2000 in front of me. Should work though. What do you
get if you;

netstat /?


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| took forever to reply - sorry about that and thanks very much for the
| reply
|
| I got the tlist... handy little utility.
|
| I tried the netstat -aon and got an error - the "o" option doesn't
| appear to be present in my netstat. I did run a netstat -an but no
| PIDs were listed.
|
| Am I doing something wrong?
|
 
Thanks again for the assist. Here's what I get:

C:\Documents and Settings\administrator>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
 
Another quick followup - I found TCPView - I can load that up on the
computer and it'll show me which PID (or PIDS) relate to the
connection.

Let me make a guess here - once I know the PID, try to isolate which
one or ones are generating the traffic and I should check them out... ?
 
Okay - did some more checking using TCPView.

It appears there're about a bazillion entries like this:

services.exe:2268 TCP chad:2388 chad:0 LISTENING
services.exe:2268 TCP chad:2950 chad:0 LISTENING
services.exe:2268 TCP chad:3033 chad:0 LISTENING
services.exe:2268 TCP chad:3112 chad:0 LISTENING
services.exe:2268 TCP chad:3216 chad:0 LISTENING
services.exe:2268 TCP chad:3660 chad:0 LISTENING
services.exe:2268 TCP chad:3848 chad:0 LISTENING
services.exe:2268 TCP chad:4021 chad:0 LISTENING
services.exe:2268 TCP chad:4413 chad:0 LISTENING
services.exe:2268 TCP chad:4625 chad:0 LISTENING

In addition there're a lot of entries like this:
System:8 TCP chad:1249 chad:0 LISTENING
System:8 TCP chad:1300 chad:0 LISTENING
System:8 TCP chad:1364 chad:0 LISTENING
System:8 TCP chad:1374 chad:0 LISTENING
System:8 TCP chad:1778 chad:0 LISTENING

The really alarming entries in those lists are these, though:

services.exe:2268 TCP chad:1330 ip68-226-152-247.lf.br.cox.net:6667 ESTABLISHED
services.exe:2268 TCP chad:2320 user.77.26.4.201.dial-ip.telemar.net.br:epmap CLOSE_WAIT
services.exe:2268 TCP chad:2346 201-254-224-159.mrse.com.ar:epmap ESTABLISHED

and

System:8 TCP chad:2350 201-14-215-50.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
System:8 TCP chad:2947 201-25-35-91.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
TIME_WAIT


System:8 shows other connections, to shares on the network.

Dunno what services.exe:2268 could be though.

Ideas?
 
Try;

tlist -s

to see what is running under services.exe

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Okay - did some more checking using TCPView.
|
| It appears there're about a bazillion entries like this:
|
| services.exe:2268 TCP chad:2388 chad:0 LISTENING
| services.exe:2268 TCP chad:2950 chad:0 LISTENING
| services.exe:2268 TCP chad:3033 chad:0 LISTENING
| services.exe:2268 TCP chad:3112 chad:0 LISTENING
| services.exe:2268 TCP chad:3216 chad:0 LISTENING
| services.exe:2268 TCP chad:3660 chad:0 LISTENING
| services.exe:2268 TCP chad:3848 chad:0 LISTENING
| services.exe:2268 TCP chad:4021 chad:0 LISTENING
| services.exe:2268 TCP chad:4413 chad:0 LISTENING
| services.exe:2268 TCP chad:4625 chad:0 LISTENING
|
| In addition there're a lot of entries like this:
| System:8 TCP chad:1249 chad:0 LISTENING
| System:8 TCP chad:1300 chad:0 LISTENING
| System:8 TCP chad:1364 chad:0 LISTENING
| System:8 TCP chad:1374 chad:0 LISTENING
| System:8 TCP chad:1778 chad:0 LISTENING
|
| The really alarming entries in those lists are these, though:
|
| services.exe:2268 TCP chad:1330 ip68-226-152-247.lf.br.cox.net:6667
ESTABLISHED
| services.exe:2268 TCP chad:2320
user.77.26.4.201.dial-ip.telemar.net.br:epmap CLOSE_WAIT
| services.exe:2268 TCP chad:2346 201-254-224-159.mrse.com.ar:epmap
ESTABLISHED
|
| and
|
| System:8 TCP chad:2350
201-14-215-50.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
| System:8 TCP chad:2947
201-25-35-91.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
| TIME_WAIT
|
|
| System:8 shows other connections, to shares on the network.
|
| Dunno what services.exe:2268 could be though.
|
| Ideas?
|
 
I reran netstat -an and found services was going nuts on a different
port, but to the same degree. Here's what tlist showed me:

-2 Idle.exe
8 System.exe
208 SMSS.exe
232 CSRSS.exe
252 WINLOGON.exe MM Notify Callback
280 SERVICES.exe
292 LSASS.exe
456 svchost.exe
484 ccSetMgr.exe
512 ccEvtMgr.exe
612 LEXBCES.exe
640 spoolsv.exe LEXLMPM
668 LEXPPS.exe LexPPS BCE Comm Window
716 lic98rmt.exe
740 DefWatch.exe
764 svchost.exe
804 hidserv.exe
824 InCDsrv.exe
876 LogWatNT.exe
844 nvsvc32.exe NVSVCPMMWindowClass
928 oodag.exe
1016 ptssvc.exe
1052 mstask.exe SYSTEM AGENT COM WINDOW
1132 services.exe
1192 Rtvscan.exe VPIPCLINK
1208 WinMgmt.exe
1228 winvnc4.exe winvnc::IPC_Interface
1248 mspmspsv.exe
1260 svchost.exe
1368 explorer.exe Program Manager
1576 daemon.exe Virtual DAEMON Manager V3.47
1544 ccApp.exe ccApp
1624 VPTray.exe Symantec AntiVirus
264 InCD.exe InCD_GUI_MAINFRAME__1A6E0D67_3515_471D_8D7D_C8E76EC0DA2A
1772 eTrust PestPatrol -- Active Protection
1844 type32.exe keyboard
1852 QOELoader.exe
1872 gcasDtServ.exe DDE Server Window
1880 qttask.exe QTPlayer Tray Icon
1956 Ad-Watch.exe Ad-Watch
1964 rundll32.exe MediaCenter
1984 msnmsgr.exe MSNUnnamedWindow
2004 MailWasher.exe MailWasher Pro 5.0
2028 Tardis95.exe Tardis for Windows 95 V4.0
1724 Tcpview.exe TCPView - Sysinternals: www.sysinternals.com
2784 CMD.exe C:\WINNT\system32\cmd.exe - tlist
2816 TLIST.exe
-2 _Total.exe
 
Just a quick follow up - the above listed services... services.exe was
showing a profuse number of listening sockets on port 1132 at the time
of the tlist... instead of the original 2268. So it appears the
listening port varies itself...
 
If you;

tlist /s

you should get output similar to this below. Here you can get info about the
specific processes running under them.

services.exe 828 Eventlog, PlugPlay
lsass.exe 840 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 1036 DcomLaunch, TermService
svchost.exe 1116 RpcSs
MsMpEng.exe 1184 WinDefend
svchost.exe 1224 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, ERSvc, EventSystem, helpsvc,
HidServ, lanmanserver, lanmanworkstation,
Messenger, Netman, Nla, NtmsSvc, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wuauserv,
WZCSVC
svchost.exe 1300 Dnscache
svchost.exe 1372 LmHosts, RemoteRegistry, SSDPSRV, WebClient
BRSVC01A.EXE 1520 Brother XP spl Service

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Just a quick follow up - the above listed services... services.exe was
| showing a profuse number of listening sockets on port 1132 at the time
| of the tlist... instead of the original 2268. So it appears the
| listening port varies itself...
|
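As an added example (not code from the thread or either poster), here is a Python script that does the join Dave describes: TCPView/netstat rows matched to `tlist -s` output by PID, with a per-process count of LISTENING sockets and a list of remote endpoints on the ports under discussion (epmap/135, microsoft-ds/445 and the IRC port 6667). The sample rows, hostnames and PID/service pairings are constructed for the example, not taken from the posted output.

```python
import re
# Remote ports the thread worries about: epmap (135), SMB (445) and IRC (6667).
WATCH_PORTS = {"135": "epmap", "epmap": "epmap", "445": "microsoft-ds",
               "microsoft-ds": "microsoft-ds", "6667": "irc"}
# Constructed sample in TCPView's "image:pid proto local remote state" layout;
# remote hostnames are placeholders, not the endpoints posted in the thread.
TCPVIEW_SAMPLE = """\
services.exe:2268 TCP chad:2388 chad:0 LISTENING
services.exe:2268 TCP chad:2950 chad:0 LISTENING
services.exe:2268 TCP chad:1330 remote-a.example:6667 ESTABLISHED
services.exe:2268 TCP chad:2346 remote-b.example:epmap ESTABLISHED
System:8 TCP chad:2350 remote-c.example:microsoft-ds ESTABLISHED
svchost.exe:1116 TCP chad:epmap chad:0 LISTENING
"""
# Constructed `tlist -s` sample in the "image pid services" layout shown in the
# thread; an indented line continues the previous pid's wrapped service list.
TLIST_SAMPLE = """\
lsass.exe 840 Netlogon, PolicyAgent, ProtectedStorage,
    SamSs
svchost.exe 1116 RpcSs
services.exe 2268
"""

def parse_tlist(text):
    """Return {pid: [hosted service names]} from tlist -s style lines."""
    hosted, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\S+\s+(\d+)\s*(.*)", line)
        if m:
            last = int(m.group(1))
            hosted[last] = []
        if last is not None and (m or line.startswith(" ")):
            hosted[last] += [n.strip() for n in (m.group(2) if m else line).split(",") if n.strip()]
    return hosted

def triage(tcpview_text, tlist_text):
    """Per pid: image, hosted services, LISTENING count, remote endpoints on watched ports."""
    hosted = parse_tlist(tlist_text)
    pat = re.compile(r"(\S+):(\d+)\s+(?:TCP|UDP)\s+\S+:\S+\s+(\S+):(\S+)\s+(\S+)")
    report = {}
    for m in filter(None, map(pat.match, tcpview_text.splitlines())):
        image, pid, rhost, rport, state = m.groups()
        entry = report.setdefault(int(pid), {"image": image, "services": hosted.get(int(pid), []),
                                             "listening": 0, "flagged": []})
        if state == "LISTENING":
            entry["listening"] += 1
        elif rport in WATCH_PORTS:  # only non-listening rows carry a real remote endpoint
            entry["flagged"].append((rhost, WATCH_PORTS[rport], state))
    return report
```

Because the report is keyed on the PID in TCPView's `image:pid` column, a services.exe row whose PID is not the one tlist shows for SERVICES.exe (Ben's tlist lists two services.exe entries) comes out as its own row with no hosted services, which is exactly the row to look at first.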
 
I used the /s switch this time and got similar output:

C:\Documents and Settings\Kathryn Adler>tlist /s
-2 Idle.exe
8 System.exe
208 SMSS.exe
232 CSRSS.exe
252 WINLOGON.exe MM Notify Callback
280 SERVICES.exe
292 LSASS.exe
452 svchost.exe
480 ccSetMgr.exe
508 ccEvtMgr.exe
608 LEXBCES.exe
632 spoolsv.exe LEXLMPM
660 LEXPPS.exe LexPPS BCE Comm Window
684 lic98rmt.exe
696 DefWatch.exe
720 svchost.exe
788 hidserv.exe
820 InCDsrv.exe
864 LogWatNT.exe
868 nvsvc32.exe NVSVCPMMWindowClass
916 oodag.exe
1008 ptssvc.exe
1040 mstask.exe SYSTEM AGENT COM WINDOW
264 services.exe
1240 Rtvscan.exe VPIPCLINK
1268 explorer.exe Program Manager
1356 WinMgmt.exe
1444 winvnc4.exe winvnc::IPC_Interface
1524 mspmspsv.exe
1556 svchost.exe
1568 daemon.exe Virtual DAEMON Manager V3.47
1880 ccApp.exe ccApp
1916 VPTray.exe Symantec AntiVirus
2092 InCD.exe InCD_GUI_MAINFRAME__1A6E0D67_3515_471D_8D7D_C8E76EC0DA2A
2240 eTrust PestPatrol -- Active Protection
2272 type32.exe keyboard
2300 QOELoader.exe
2320 qttask.exe QTPlayer Tray Icon
2328 gcasDtServ.exe DDE Server Window
2396 Ad-Watch.exe Ad-Watch
2420 rundll32.exe MediaCenter
904 msnmsgr.exe MSNUnnamedWindow
2544 MailWasher.exe MailWasher Pro 5.0
2500 Tardis95.exe Tardis for Windows 95 V4.0
3488 CMD.exe C:\WINNT\system32\cmd.exe - tlist /s
3556 TLIST.exe
-2 _Total.exe
 
TCP 2268 is listed here as AMT. No idea what that might be.

http://www.networkuptime.com/library/tcp_udp_ports.html

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Okay - did some more checking using TCPView.
|
| It appears there're about a bazillion entries like this:
|
| services.exe:2268 TCP chad:2388 chad:0 LISTENING
| services.exe:2268 TCP chad:2950 chad:0 LISTENING
| services.exe:2268 TCP chad:3033 chad:0 LISTENING
| services.exe:2268 TCP chad:3112 chad:0 LISTENING
| services.exe:2268 TCP chad:3216 chad:0 LISTENING
| services.exe:2268 TCP chad:3660 chad:0 LISTENING
| services.exe:2268 TCP chad:3848 chad:0 LISTENING
| services.exe:2268 TCP chad:4021 chad:0 LISTENING
| services.exe:2268 TCP chad:4413 chad:0 LISTENING
| services.exe:2268 TCP chad:4625 chad:0 LISTENING
|
| In addition there're a lot of entries like this:
| System:8 TCP chad:1249 chad:0 LISTENING
| System:8 TCP chad:1300 chad:0 LISTENING
| System:8 TCP chad:1364 chad:0 LISTENING
| System:8 TCP chad:1374 chad:0 LISTENING
| System:8 TCP chad:1778 chad:0 LISTENING
|
| The really alarming entries in those lists are these, though:
|
| services.exe:2268 TCP chad:1330 ip68-226-152-247.lf.br.cox.net:6667
ESTABLISHED
| services.exe:2268 TCP chad:2320
user.77.26.4.201.dial-ip.telemar.net.br:epmap CLOSE_WAIT
| services.exe:2268 TCP chad:2346 201-254-224-159.mrse.com.ar:epmap
ESTABLISHED
|
| and
|
| System:8 TCP chad:2350
201-14-215-50.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
| System:8 TCP chad:2947
201-25-35-91.pltce7005.dsl.brasiltelecom.net.br:microsoft-ds ESTABLISHED
| TIME_WAIT
|
|
| System:8 shows other connections, to shares on the network.
|
| Dunno what services.exe:2268 could be though.
|
| Ideas?
|
 
<g> Me neither... I honestly couldn't find much of anything to explain
what was going on. I suspect a trojan of some kind... there were a
couple connections that showed a port common to IRC - which a lot of
virii and bots will use to share connections.

In any case, my wife is in the process of backing things up like crazy
because I'm going to wipe and reload the system.

Thanks *very* much for the time and advice though!

Ben
 
It could be and you're welcome. I'll also include below my standard
boilerplate on the clean install.

To do a clean install, either boot the Windows 2000 install CD-Rom or setup
disks. The set of four install disks can be created from your Windows 2000
CD-Rom; change to the \bootdisk directory on the CD-Rom and execute
makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the
prompts.

Setup inspects your computer's hardware configuration and then begins to
install the Setup and driver files. When the Windows 2000 Professional
screen appears, press ENTER to set up Windows 2000 Professional.

Read the license agreement, and then press the F8 key to accept the terms of
the license agreement and continue the installation.

When the Windows 2000 Professional Setup screen appears, all the existing
partitions and the unpartitioned spaces are listed for each physical hard
disk. Use the ARROW keys to select a partition. Press D to delete an
existing partition. If you press D to delete an existing partition, you must
then press L (or press ENTER, and then press L if it is the System
partition) to confirm that you want to delete the partition. Repeat this
step for each of the existing partitions. When all the partitions are deleted,
press F3 to exit setup (to avoid unexpected drive letter assignments with
your new install), then restart the PC. When you get to this point in
setup again, select the unpartitioned space, and then press C to create a new
partition and specify the size (if required). Windows will by default use
all available space.

Be sure to apply SP4 and these two below to your new install before
connecting to any network. Internet included. (sasser, msblast)
http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Then

Rollup 1 for Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/...CF-8850-4531-B52B-BF28B324C662&displaylang=en

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| <g> Me neither... I honestly couldn't find much of anything to explain
| what was going on. I suspect a trojan of some kind... there were a
| couple connections that showed a port common to IRC - which a lot of
| virii and bots will use to share connections.
|
| In any case, my wife is in the process of backing things up like crazy
| because I'm going to wipe and reload the system.
|
| Thanks *very* much for the time and advice though!
|
| Ben
|
 
Excellent - I didn't have the rollup although I have an SP4 CD I burned
a while ago - I'll put the rollup onto a flashdrive and take that home
too - should be pretty smooth.
 