Virus or malware making multiple connections [resolved]

I have a problem where any internet application is making multiple connections to the internet on different ports - including Firefox, Skype, any update connections etc. I’ve tried a number of online and installed antivirus and malware scanners and I cannot find any problem. All connections are visible in the Comodo connections window.

Has anybody come across this problem?
Thanks,
CM.

Can you run Hijack This (http://www.merijn.org.downloads), save a system log as a TXT file and attach it here so we can have a look?

Cheers,
Ewen :slight_smile:

Hi Ewen,
Here’s the system log - I appreciate the help.
Colin.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:14:18 PM, on 4/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\ibmpmsvc.exe
C:\winnt\system32\svchost.exe
C:\WINNT\system32\ccs.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\winnt\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\svchost.exe
C:\Program Files\Cisco Aironet\ADU.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\winnt\system32\tp4mon.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\winnt\system32\ltmsg.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM..\Run: [ADU] “C:\Program Files\Cisco Aironet\ADU.exe” -nogui
O4 - HKLM..\Run: [Comodo Firewall] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM..\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min
O4 - HKCU..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS.DEFAULT..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08c3 -f video -m logitech -d 10.5.1.2023 (User ‘Default user’)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\winnt\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\winnt\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINNT\system32\ccs.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\winnt\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe


End of file - 4464 bytes

Hey Muz,

There’s nothing odd in the HJT log, or at least nothing odd to my eye (or Google’s). Are you using a tabbed browser that opens multiple pages by default? Maxthon, Slim Browser and AMBrowser will open separate connections for each tab that opens, even though there is only a single instance of the app running.

What are the other ports that the browser is making a connection on?

Ewen :slight_smile:

Ewen,
If I open this webpage in Firefox (only one tab) I can get up to 15 connections. Most connections appear to be on ports 80 and 53. Internet Explorer, Skype, Services.exe and any internet application appears to be making multiple connections although the ports used vary by application.

It appears to happen only when the program is in use, so for example as I type this entry, the number of connections has dropped to 2. As soon as I use Firefox again, the number immediately increases, which really slows down your browsing.

Any ideas?
Muz.

Do you get a similarly large number of connections per site if you use IE?

Ewen :slight_smile:

Yes, IE seems to be affected too. It even seems to make multiple connections for Skype or antivirus updates.
Muz

As the felled tree said, “I’m stumped”.

I’ve checked the support centre and there’s nothing related to this issue mentioned. I’ll post a link in the moderators area and see if anyone else has an idea on this Colin.

Is there inbound data in relation to each of the connections? This can be checked if you open CFP and click ACTIVITY - CONNECTIONS. In the Connections window you can see the inbound and outbound data streams for each connection.

Hang in there.

A bit OT: There’s something I’ve always wondered about in the Connections window. Why is it that there are times when I know it’s just an outgoing connection yet it shows TCP In/Out, and vice versa? In CFP’s terminology, the forward slash / symbol represents “and” instead of “or” as per the rules system.

Back to Colin’s question: it’s not unusual for a program to have multiple connections, but 15 might be a bit too many. However, if Firefox had many tabs or if you visited certain sites, this is normal and expected. How long do these multi connections generally last just by leaving the program dormant?

There is outbound and inbound activity. When I opened Firefox with one tab on this web page, maybe ten or more connections opened. With 30 seconds of inactivity this reduced to 4. These are the connections that remained open.

Source
192.168.1.1 ports 3052,54,57,58

Destination
209.149.207.16:80
216.239.59.103:80
66.102.9.147:80
72.14.217.93:80
Although these are on port 80, others open on 53.

Within a minute or so these reduced to one connection.

As you surf, it adds connections to the list, keeps them open and closes them slowly.

All connections have inbound and outbound traffic although they only appear to transfer data while the web page is loading. IE does the same thing. Other applications and services are affected but they do not open so many connections, with the exception of Skype which can open 10 or more.

Muz

Ports 53 (http) and 80 (DNS) are givens for any browser, so that’s normal.

I think there’s no real problem here, Colin, as I also notice my connections disappearing as time elapses. And 30 secs is average. I currently have 3 tabs open in Opera and 9 connections. Depending on how your browser and computer are configured, it can use up to x simultaneous connections (to speed up connections to the servers and browse/download faster, obviously).

As for Skype, I don’t know if 10+ is normal. Overall, I don’t think there’s an issue here.

Ewena and Soya - thanks for your help. I found a nice little app, called cports, that allowed me to resolve the connections and there doesn’t appear to be a problem.
Thanks again,
Muz.
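An added example, not part of the thread or of any tool mentioned in it: a small Python triage script that does offline what Muz did with cports, grouping connections by owning process and remote port and flagging any port outside the set a browser is expected to use. The netstat lines, PIDs and image names below are constructed, and the `netstat -ano` format assumed here needs XP or later (Windows 2000's netstat has no -o switch, which is why a separate tool was needed in the thread).

```python
import re
from collections import Counter, defaultdict

# Constructed `netstat -ano`-style output (XP or later; Windows 2000's netstat
# has no -o switch, which is why a per-process tool like cports was needed).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:3052       209.149.207.16:80      ESTABLISHED     1840
  TCP    192.168.1.1:3054       216.239.59.103:80      ESTABLISHED     1840
  TCP    192.168.1.1:3057       66.102.9.147:80        TIME_WAIT       1840
  TCP    192.168.1.1:3058       72.14.217.93:80        ESTABLISHED     1840
  TCP    192.168.1.1:3061       192.168.1.254:53       ESTABLISHED     1840
  TCP    192.168.1.1:3100       203.0.113.9:443        ESTABLISHED     2212
  TCP    192.168.1.1:3101       203.0.113.9:6667       ESTABLISHED     2212
  UDP    192.168.1.1:3070       *:*                                    1840
"""
# Constructed PID -> image name map (what `tasklist` would report).
SAMPLE_PIDS = {1840: "firefox.exe", 2212: "unknown.exe"}
# Remote ports a browser is expected to use: 80 HTTP, 53 DNS, 443 HTTPS.
BROWSER_PORTS = {80, 53, 443}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, remote_host, remote_port, state, pid) for lines with a peer."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparsable line
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        if not port.isdigit():  # unconnected UDP sockets show "*:*"
            continue
        yield proto, host, int(port), state or "", int(pid)

def connections_by_process(text, pid_names):
    """Return {image_name: Counter({remote_port: connection_count})}."""
    summary = defaultdict(Counter)
    for _proto, _host, port, _state, pid in parse_netstat(text):
        summary[pid_names.get(pid, f"pid {pid}")][port] += 1
    return dict(summary)

def unexpected_ports(summary, expected):
    """List (image_name, remote_port, count) for ports outside `expected`."""
    return sorted((img, port, n) for img, ports in summary.items()
                  for port, n in ports.items() if port not in expected)

if __name__ == "__main__":
    s = connections_by_process(SAMPLE_NETSTAT, SAMPLE_PIDS)
    print({img: sum(p.values()) for img, p in s.items()}, unexpected_ports(s, BROWSER_PORTS))
```

Run it twice, 30 seconds apart, on real output and the per-process totals should drop the way Muz described; a process whose count never falls, or that sits on ports outside its expected set, is the one worth looking at more closely.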

No probs, Muz. I’d say Ewena did most of the work here (:WIN).