svchost.exe opening hundreds of connections to router's port 5100

Checking thru CF’s outbound connections, I noticed that an instance of svchost (XP SP3) opens literally hundreds of connections to my router’s 5100 port (see attached image). Don’t really know if this is “normal” and why it happens. Any ideas?

[attachment deleted by admin]

Use netstat, Process Explorer or Process Hacker to see what service(s) are using these network connections.
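The netstat step suggested above, as an added example (not part of the original post): it parses `netstat -ano` output and counts outbound TCP rows per owning PID for one remote port, so the process behind a flood of connections stands out. The sample output, addresses and threshold are constructed for illustration; PID 904 is the svchost instance reported later in the thread.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output; addresses and ports are made up,
# PID 904 stands in for the svchost instance under investigation.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1301      192.168.1.1:5100       SYN_SENT        904
  TCP    192.168.1.10:1302      192.168.1.1:5100       SYN_SENT        904
  TCP    192.168.1.10:1303      192.168.1.1:5100       TIME_WAIT       0
  TCP    192.168.1.10:1310      203.0.113.7:80         ESTABLISHED     1820
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_tcp_rows(text):
    """Yield (remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        # Skip headers, blank lines and UDP rows (UDP has no State column).
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and parts[4].isdigit():
            yield host, int(port), parts[3], int(parts[4])


def count_by_pid(text, remote_port):
    """Count outbound TCP rows per (pid, remote_host) for one remote port."""
    counts = Counter()
    for host, port, state, pid in parse_tcp_rows(text):
        if port == remote_port and state != "LISTENING":
            counts[(pid, host)] += 1
    return counts


def noisy_pids(text, remote_port, threshold):
    """Return (pid, host, count) entries at or above threshold, busiest first."""
    hits = [(pid, host, n) for (pid, host), n in count_by_pid(text, remote_port).items()
            if n >= threshold and pid != 0]  # PID 0 rows have no live owner
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for pid, host, n in noisy_pids(SAMPLE, 5100, threshold=2):
        print(f"PID {pid}: {n} connections to {host}:5100")
```

Once a PID stands out, `tasklist /svc /fi "PID eq 904"` (where tasklist is available) lists the services hosted in that process.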

Port 5100 is most commonly used by Yahoo Messenger. Do you have/use this app?

It is also commonly used for VOIP.

Ewen :)

@wj32: Process Explorer gives “svchost.exe -k netsvcs” with all the possible services registered in the process being legitimate XP ones… what else?
@panic: No there’s no yahoo msgr here. And skype is set to other ports also. Would yahoo msgr ask for access thru svchost anyway?

Thanks both for answering

Would you mind specifying which services that instance of svchost is hosting.

Sorry, I thought you were on Vista or 7, where network connections have service tag information. But it’s better on XP - in Process Explorer, take a look at the stack of one of those connections and paste it here.

@Radaghast: I attached 2.jpg showing the services registered in the process (svchost.exe -k netsvcs | PID:904 on this boot, as shown on my first CF screen cap)… mind the greek in “Display name” 88)
@wj32: Also attached 3.jpg (as “copy all” strangely refused to work for me in the TCP/IP thread stack)

[attachment deleted by admin]

Would you check to see if a registry key exists and, if so, report its value?

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

See if there is a key called ‘Connections’. If so, what information does it contain?

@Radaghast: There’s no such key in this registry path… ???
Any thoughts?

That’s fine, I was just eliminating one possibility.

In all honesty, at this point I have only limited ideas. The files listed in the thread stack are, on the face of it, legitimate and, moreover, important Windows files, but I’m not convinced the amount of activity we’re seeing for WinHTTP.dll is correct. Of course it will depend on what was being done at the time. Out of interest, in the image of the TCP/IP thread stack, what was the protocol entry selected to show the stack information?

For now, I think it’s worth verifying the integrity of the system files, as TCP over port 5100 is quite unusual and as Panic has already mentioned, the most common service to use this is Yahoo messenger.

To run an integrity check, insert your XP CD and from a command line run SFC /scannow. You could also use Sigcheck.

Another option may be to run a Winsock repair: “How to determine and recover from Winsock2 corruption”.

In the meantime, I’ll have a look at the various services hosted by that instance of svchost.

@Radaghast: Nothing actually was done at the time, regarding WinHTTP.dll in terms of net access (pure idle). The protocol was TCP. Whatever does this, it generates streams of connections from successive ports on my pc to router’s port 5100. There’s no further traffic thru the internet (either the router blocks it or it wasn’t meant to go anywhere in the first place). Will run sigcheck (pls confirm path: C:\windows\system32 ? ) and report back…

Thanx for even bothering

Will run sigcheck (pls confirm path: C:\windows\system32 ? ) and report back..

My thought was to check winhttp.dll and ws2_32.dll, both of which should reside in system32. I suspect they’ll be clean, but…

As we don’t yet know what this is and it doesn’t appear ‘normal’, it may be worth adding a rule to svchost, found under the Applications rules tab in the firewall, to block TCP out to port 5100.

Another thought: it will be a little laborious but maybe worthwhile. Whilst monitoring the TCP activity to port 5100, disable each of the services hosted by this instance of svchost, within the services console. Temporarily stopping each service will not have a major impact on the system and it may well tell us which specific service is causing this activity.

Both winhttp.dll and ws2_32.dll show up as signed from MS on sigcheck. Netdiag tests winsock as “passed” also. Blocking 5100 TCP/out and will tomorrow kill services one by one monitoring traffic to p.5100. Great idea, provided I don’t crash the system disabling all of them! Thanx man.

@Radaghast: I find it hard to believe how this was solved - if it actually did… I’ll have to watch and wait. Following your advice I managed to nail it down to the two services shown in the picture attached. Telephony (tapisrv.dll) and rasmans.dll (remote access connection management if I am translating it correctly from Greek). With all other registered services killed, the system kept on its weird behavior. Due to dependencies between them, these two were “hard to die” and I had to use services.msc to disable them for the next boot. So the port opening to router’s p. 5100 stopped. I then re-enabled Telephony first and rasmans then (on two separate boots), setting them to non-automatic in services.msc (dunno if they were set in this state or to auto before). Well guess what, the mysterious behavior is gone! I really can’t understand what this was all about… and IF it actually ended. Any thoughts?

Thanks for all btw

[attachment deleted by admin]

You’ve done a great job working through all those services. I confess, I wouldn’t have thought either of those mentioned would have been responsible, and I’m not really clear on why they’d be causing this behaviour.

As far as I remember, both of those services should be set to manual by default, which means they can become active on-demand. The question is, do you have a need for either of these services to be active? To answer that we can look at some of their responsibilities, for example:

If you use dial-up you will need these
Some types of PPPoE connections may need these
Some types of VPN may need these
The software firewall in XP has some interaction, too

As I am unable to provide a definitive answer as to why either of these may be generating the traffic you’ve been seeing, you may wish to consider running Wireshark whilst the events are occurring. Perhaps some analysis of the data packets will provide some more info.

If you wish to take a look at this option, you can always post the capture file as an attachment here.

@Radaghast: At this point, both of these services are in “non-automatic” (on demand) in services console, they’re both started in normal OS startup AND… the problem is gone! I really think this is strange, there is no trace of the previous weird behavior with the continuous opening of connections from the pc to router’s p. 5100. And though I am no expert, there are two possibilities. A. a bug? B. a malware or sth alike?
I just disabled them totally thru services console, rebooted with them inactive, then re-enabled them one at a time, booting after each one’s start (Telephony had to be re-enabled first since rasmans depended on it). It is some kind of “solution” but it’s not rational and doesn’t explain anything, don’t you agree?

Thanks a lot

btw my adsl uses PPPoE and I do use VPN so I probably need the services in question

It is a partial solution, but it’s not ideal.

I’m not personally aware of any malware that targets either of these two services specifically, but I’m by no means a malware expert. I guess it could be a bug of some kind, but it seems a little strange.

I know you don’t use Yahoo messenger, but do you use any messaging applications, or do you have a webcam? Also, clutching at straws here, is the router running default firmware, or has it been replaced with something like dd-wrt/openwrt/tomato?

As far as your PPPoE and VPN requirements go, I’d suggest disabling the services and see what happens.

Also don’t forget the protocol analysis, with Wireshark.

Yeah I think I'll have to run Wireshark.. but doesn't that mean that I have to somehow reproduce the initial problem?

Apologies, I missed your earlier comment about the problem being gone. Well, it’s worth keeping the idea in mind.

Guess what? It’s happening again! It actually happened once more, then it… stopped. Now it’s on since last night. Ran Wireshark, can’t find anything useful (to me at least) thru its logs, except that several sequential attempts are made FROM various ports on my PC TO p 5100 (socalia). I’d appreciate some help on using WS more effectively ;D
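One way to get more out of such a capture, as an added example that is not part of the original thread: export the port-5100 packets with tshark and classify each connection attempt by how the router answered it. The capture file name, addresses and packet rows below are constructed for illustration.

```python
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Constructed tab-separated rows, in the shape produced by:
#   tshark -r capture.pcap -Y "tcp.port == 5100" -T fields \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SAMPLE = (
    "192.168.1.10\t1301\t192.168.1.1\t5100\t0x0002\n"   # SYN
    "192.168.1.1\t5100\t192.168.1.10\t1301\t0x0014\n"   # RST,ACK from router
    "192.168.1.10\t1302\t192.168.1.1\t5100\t0x0002\n"   # SYN
    "192.168.1.10\t1302\t192.168.1.1\t5100\t0x0002\n"   # retransmitted SYN
    "192.168.1.10\t1303\t192.168.1.1\t5100\t0x0002\n"   # SYN
    "192.168.1.1\t5100\t192.168.1.10\t1303\t0x0012\n"   # SYN,ACK from router
    "192.168.1.10\t1303\t192.168.1.1\t5100\t0x0010\n"   # ACK completes handshake
)


def classify_attempts(text, port=5100):
    """Map each client (ip, source port) to 'refused', 'accepted' or 'unanswered'."""
    outcome = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # not a complete row
        src, sport, dst, dport, flags = fields
        sport, dport, flags = int(sport), int(dport), int(flags, 16)
        if dport == port and flags & SYN and not flags & ACK:
            # Initial SYN (or a retransmission of it) towards the watched port.
            outcome.setdefault((src, sport), "unanswered")
        elif sport == port and outcome.get((dst, dport)) == "unanswered":
            # First reply from the watched port decides the outcome.
            if flags & RST:
                outcome[(dst, dport)] = "refused"
            elif flags & SYN and flags & ACK:
                outcome[(dst, dport)] = "accepted"
    return outcome


def summarize(text, port=5100):
    """Count attempts per outcome."""
    return Counter(classify_attempts(text, port).values())


if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A run of "refused" outcomes means the router answers with a reset and nothing is listening on that port, while "accepted" means a service on the router is taking the connections and the payload that follows is worth reading.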