Multiple epmap TCP connections established with one XP client



Lorimerc
07-09-2005, 11:49 PM
Hi,

I have an XP machine which is making multiple connections to my domain
controller over epmap, is this normal? I'm concerned I have a virus, the
number of connections keeps rising and rising:

I've done a full virus scan, Ad-Aware and Spybot and found nothing, I've
also run HijackThis and have pasted the results below:

TCP domain_controller:epmap XPCLIENT:1059 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1064 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1067 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1081 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1084 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1089 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1092 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1095 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1099 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1111 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1114 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1117 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1121 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1133 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1141 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1146 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1151 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1154 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1157 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1160 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1165 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1175 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1180 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1183 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1187 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1190 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1193 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1196 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1199 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1222 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1226 ESTABLISHED
TCP domain_controller:epmap XPCLIENT:1230 ESTABLISHED

Here are the results of the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:53, on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Windows\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\Windows\system32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat
4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\HPBPRO.EXE
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://miranda.hemscott.com/servlet/HsPublic?context=premium.home&path=premium&service=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 192.168.1.2:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program
Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat
4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program
Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP
for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CEBdc - https://www1.boi-bol.com/jsp/payments/dcApplet.cab
O16 - DPF: CEBdep - https://www1.boi-bol.com/jsp/payments/dcDependencies.cab
O16 - DPF: {05AAC5FF-6DD0-44A5-B978-4FF1E762BE6A}
(RNSTestControl.ActiveXTest) -
http://www.londonstockexchange.com/rns/survey/RNSTestControl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.com/download/cult.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
TepnelPLC.Tepnel.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = TepnelPLC.Tepnel.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
TepnelPLC.Tepnel.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
TepnelPLC.Tepnel.co.uk
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\Windows\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc -
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program
Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc -
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation -
C:\Windows\System32\WFXSVC.EXE

Is this normal or do I have a problem?

Thanks,

Chris

David H. Lipman
07-09-2005, 11:49 PM
From: "Lorimerc" <Lorimerc@discussions.microsoft.com>

| Hi,
|
| I have an XP machine which is making multiple connections to my domain
| controller over epmap, is this normal? I'm concerned I have a virus, the
| number of connections keeps rising and rising:
|
| I've done a full virus scan, Ad-Aware and Spybot and found nothing, I've
| also run HijackThis and have pasted the results below:
|
| TCP domain_controller:epmap XPCLIENT:1059 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1064 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1067 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1081 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1084 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1089 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1092 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1095 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1099 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1111 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1114 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1117 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1121 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1133 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1141 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1146 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1151 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1154 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1157 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1160 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1165 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1175 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1180 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1183 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1187 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1190 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1193 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1196 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1199 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1222 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1226 ESTABLISHED
| TCP domain_controller:epmap XPCLIENT:1230 ESTABLISHED
|
| Here are the results of the hijack this log:
| Logfile of HijackThis v1.99.1

< HJT log snipped >

| Is this normal or do I have a problem?
|
| Thanks,
|
| Chris

Chris:

I suggest you download TCPVIEW from SysInternals --
http://www.sysinternals.com/Utilities/TcpView.html

It is a free GUI utility similar to NETSTAT, but it is dynamic: it will show more
information, not just a snapshot of what NETSTAT sees at the moment you execute it.

I suggest using TCPVIEW on both the XPCLIENT and the domain_controller. You need to examine
the activity of both the server and the workstation.

The HJT log did not indicate anything suspicious.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
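As an added example (not from the thread or from either poster), here is a small Python script that does the static version of what Dave suggests: it parses `netstat -a` / `netstat -ano` output from either the domain controller or the client, counts ESTABLISHED connections to the RPC endpoint mapper (TCP 135, which netstat prints as `epmap` when run without `-n`) per peer host and owning PID, and diffs two snapshots so you can see which process on XPCLIENT keeps opening epmap sessions without closing them. The hostnames, addresses, PIDs and snapshot text below are constructed for the example. `netstat -o` (the option that adds the PID column) exists on XP, and `tasklist /svc` maps a PID to the service it hosts; TcpView shows the same owner/connection pairing live.

```python
"""Summarise ESTABLISHED TCP connections to one service port (default 135, epmap)
from netstat output, keyed by foreign host and owning PID, and diff two snapshots.

Added example; all sample data below is constructed, not taken from the thread.
"""
import re
from collections import Counter

# Service names netstat prints instead of numbers when run without -n.
# A small table instead of socket.getservbyname() so this runs offline anywhere.
SERVICE_NAMES = {"epmap": 135, "microsoft-ds": 445, "netbios-ssn": 139, "ldap": 389}

# One `netstat -an` / `netstat -ano` TCP line: Proto Local Foreign State [PID]
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int); handles 'host:epmap' and '[::1]:135'."""
    host, _, port = endpoint.rpartition(":")
    port = port.lower()
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_NAMES.get(port, -1)  # -1 marks an unknown service name


def parse_netstat(text):
    """Return ESTABLISHED TCP connections as dicts {local, foreign, pid}.

    pid is None when the listing was taken without -o (as in the DC snapshot).
    LISTENING/TIME_WAIT rows and UDP rows are skipped.
    """
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m or m.group(3).upper() != "ESTABLISHED":
            continue
        local, foreign, _state, pid = m.groups()
        conns.append({"local": split_endpoint(local),
                      "foreign": split_endpoint(foreign),
                      "pid": int(pid) if pid else None})
    return conns


def count_by_peer(conns, service_port=135):
    """Count connections that involve service_port, keyed by (foreign host, pid).

    Works from either side: on the server the local port is 135, on the client
    the foreign port is 135; in both cases the interesting peer is the foreign host.
    """
    counts = Counter()
    for conn in conns:
        if service_port in (conn["local"][1], conn["foreign"][1]):
            counts[(conn["foreign"][0], conn["pid"])] += 1
    return counts


def growth(before, after, service_port=135):
    """Change in established connections per (peer, pid) between two snapshots.

    Only non-zero deltas are returned; a positive value for one PID is the
    process to examine with tasklist /svc or TcpView.
    """
    a = count_by_peer(parse_netstat(before), service_port)
    b = count_by_peer(parse_netstat(after), service_port)
    return {k: b[k] - a[k] for k in set(a) | set(b) if b[k] != a[k]}


# Constructed sample: `netstat -a` on the DC (names resolved, no PID column).
DC_SNAPSHOT = """
  TCP    domain_controller:epmap   domain_controller:0   LISTENING
  TCP    domain_controller:epmap   XPCLIENT:1059         ESTABLISHED
  TCP    domain_controller:epmap   XPCLIENT:1064         ESTABLISHED
  TCP    domain_controller:epmap   XPCLIENT:1067         ESTABLISHED
  TCP    domain_controller:ldap    OTHERPC:1400          ESTABLISHED
"""

# Constructed sample: `netstat -ano` on XPCLIENT, two snapshots a minute apart.
# 192.168.1.2 stands in for the DC; PID 1234 is a hypothetical RPC client, 4 is System.
CLIENT_BEFORE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.50:1059      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1064      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1070      192.168.1.2:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""
CLIENT_AFTER = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.50:1059      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1064      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1067      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1081      192.168.1.2:135        ESTABLISHED     1234
  TCP    192.168.1.50:1070      192.168.1.2:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    print("DC side, epmap sessions per client:", dict(count_by_peer(parse_netstat(DC_SNAPSHOT))))
    print("Client side, epmap growth per (peer, pid):", growth(CLIENT_BEFORE, CLIENT_AFTER))
```

Run it on the DC first to confirm it is only XPCLIENT piling up sessions, then on the client: a count that climbs from a single PID tells you which process to look at, and whether that process is a misbehaving RPC client that never releases its endpoint-mapper binding or something hostile is then a question about that process rather than about the DC.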
