The PC is portmapping the universe...

14karat

SatelliteGuys Pro
Original poster
Feb 14, 2005
Hernando, Mississippi
Hey guys,
My dad started complaining about 3 weeks ago that his dial-up access had fallen through the floor. I figured just a crappy connection, but as my luck would have it, nope.
Checked the activity and outbound packets were maxed. It's so bad that hardly anything can come inbound, and at times it can't even manage a dns response.
I loaded wireshark and found that the PC was portmapping a different IP several times per second...
I've run AVG, Spybot S&D, and Norton AV and they've all turned up empty.
I know this has to be some malicious code but I've been banging my head on this for 2 weeks now and I'm at the end of my rope.
Anyone run into this one before?
 
What is the IP it's doing this to? Have you looked to see what process is running and tried shutting down all non-essential programs to see if it stops? What about sleuthing to see if your dad can tell you what sites he went to the day before it started, and have you checked his email to see what's in there? If you can check with Symantec's and Norton's labs concerning the IP, that may help too, or the IP could help us to help you more. You may have to format the drive and do a clean install if you can't find what you're looking for, but it does sound like code that's hijacked your dad's computer and is being used to gather info (if it's more than one IP) or possibly being used to inflict a DoS attack.

Norton, I believe, if I'm remembering correctly, has a utility to take a snapshot and send it to its labs; it's possible that your dad's computer has a new virus that they don't know about yet.
 
The IPs are random. It's obviously scanning random IPs for open ports. I figure it will report any open ports it finds to another server or webservice, I never left it running long enough to find out.
I've checked all the latest updated files for any evidence of tampering. And I've been through all the services - shutting them down one by one. I haven't been able to find a combination that stops the scanning without killing the connection.
My gut feeling is that this thing has embedded itself into one of the COM services (RPC maybe?) or maybe even in the kernel... Whatever it is it's well hidden - this doesn't look like any kiddie hack I've seen before...
Dad said he hadn't been anywhere he doesn't normally venture, and history didn't give up anything. Event logs are clean, etc...
I'll keep digging... I'll look into the snapshot utility - never used anything like that before...
Last resort will be a re-install. Problem is, he uses Pagemaker and his install disks are missing (got his license & codes, but no disks), so if I have to re-image the thing, that'll be a hoot. It'll be cheaper to build another machine for email / net access than to buy Pagemaker!
May try and switch him over to Scribus... may even go ahead and try to switch him to Fedora 9 whilst I'm at it! :)
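The "random IPs several times per second" pattern described above can be confirmed from the capture instead of by eye. The tell-tale of a scanner is destination fan-out: one source sending SYNs to many distinct addresses per second, on one or two ports, with almost none of them answered. The PowerShell below is an added example and is not from the original thread or from any tool mentioned in it. The rows are constructed to mimic a tshark CSV export of SYN-only packets (with a simple header row added), 192.168.1.10 plays the infected PC, and the window size and threshold are assumptions to be tuned to the environment.

```powershell
# Added example (not from the original thread). Export SYN-only packets from the capture:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields \
#          -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# then prepend the header line used below. These rows are constructed: 192.168.1.10 is the
# suspect PC, 192.168.1.20 is a normal client talking to two web servers.
$csv = @'
time,src,dst,dport
1209600000.01,192.168.1.10,203.0.113.17,135
1209600000.13,192.168.1.10,198.51.100.44,135
1209600000.27,192.168.1.10,203.0.113.201,135
1209600000.40,192.168.1.10,192.0.2.77,135
1209600000.52,192.168.1.10,198.51.100.9,135
1209600000.66,192.168.1.10,203.0.113.88,135
1209600000.79,192.168.1.10,192.0.2.150,135
1209600000.91,192.168.1.10,198.51.100.120,135
1209600001.03,192.168.1.10,203.0.113.5,135
1209600001.16,192.168.1.10,192.0.2.33,135
1209600001.30,192.168.1.10,198.51.100.201,445
1209600001.44,192.168.1.10,203.0.113.142,445
1209600000.50,192.168.1.20,192.0.2.10,80
1209600000.90,192.168.1.20,192.0.2.10,80
1209600001.20,192.168.1.20,192.0.2.11,443
'@

$syns = $csv | ConvertFrom-Csv

# Fan-out per source per time window: how many distinct destinations and ports were hit,
# and how many SYNs went out. A host that fans out to many addresses on few ports is scanning.
function Get-SynFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Syns,
        [double] $WindowSeconds = 5,       # assumption: a few seconds is plenty on a dial-up link
        [int]    $DistinctThreshold = 8    # assumption: distinct destinations per window that count as a scan
    )
    $Syns |
        Group-Object src |
        ForEach-Object {
            $src = $_.Name
            $_.Group |
                Group-Object { [math]::Floor([double]$_.time / $WindowSeconds) } |
                ForEach-Object {
                    $dsts  = @($_.Group.dst | Sort-Object -Unique)
                    $ports = @($_.Group.dport | Sort-Object -Unique)
                    [pscustomobject]@{
                        Source       = $src
                        WindowStart  = [double]$_.Name * $WindowSeconds
                        Syns         = $_.Count
                        DistinctDst  = $dsts.Count
                        DistinctPort = $ports.Count
                        Ports        = ($ports -join ',')
                        Verdict      = if ($dsts.Count -ge $DistinctThreshold -and $ports.Count -le 3) { 'SCAN' } else { 'ok' }
                    }
                }
        }
}

Get-SynFanOut -Syns $syns | Sort-Object Source, WindowStart | Format-Table -AutoSize
```

With the constructed rows, 192.168.1.10 shows 12 distinct destinations on ports 135 and 445 inside one window and is flagged SCAN, while 192.168.1.20 (two destinations, two ports) is not. The same filter run on the real export tells you the target ports, which is the first useful clue to what the implant is looking for, and the export also answers the question from the earlier reply about whether the destinations are random or a fixed set.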
 
It could be as simple as an email he opened up or even a legit site he went to. I had a .org site that sent Avast into a frenzy the other day when I was searching for more information on a medical question I had. Try googling port mapping software and see what comes up; it may help lead you in the right direction. Also, you could try the Symantec and Norton newsgroups or forums to see if anyone else has come across this.
 
It has to be one of the trojans floating around, and it's using your pop's computer to gather information and send it back, probably by way of a proxy or two, to the operator of the trojan. If you can install Comodo Firewall on the computer it could help you get a more detailed idea of the program, as it will catch everything that wants to connect to the net and ask you whether you want to give it permission or not.
 
There are 3 links in the middle of this post.

AnandTech - Security Resource Thread

The 3rd, 'Automated Malware Removal Script Package (remove viruses and spyware automatically)', I would recommend you use first. You will create a package of scanners that will automatically run, cleaning what they find as they go. It can take hours to run, but it does its thing automatically. 4 hours or more is the norm. You will be downloading the software and latest definitions for this package. All free.

If the system is still not cleaned up, click on the 1st one 'Forum Member John's Security (Malware removal / prevention) Guide'. This one lists 5 different pieces of software to run (all free, or trialware) and then lists some other options if needed. Lots of reading at that site. A lot of information to digest. If the log files from the first batch are relatively clean, I usually skip this second round.

I use these tools on severely infected systems. They work extremely well. I see you have other options, so you may not feel all this is worth the effort.
 
I finally managed to eradicate the thing.
It was wmsncs, and why all the scanners didn't catch it is beyond me, because they should have.
With the PC dialed in I ran 'netstat -o' to show the PID with the connections. This pinpointed me to a PID, but taskmangler didn't show that PID (it was hidden).
So, out comes my Sysinternals CD (Sysinternals, downloaded from MS TechNet).
Fired up procmon and, bingo, there was the hidden PID along with wmsncs.exe, and it was lurking in the Fonts folder (the only way to see the file in there was through a console screen using dir /a, since the file was marked hidden & system).
Then tried pskill on the PID, but it just kept coming back...
Well, on to regedit and a search for wmsncs... they were EVERYWHERE... and as soon as I deleted a key it came right back... grrrr.
Fine, turn on Spybot S&D (with the registry change confirmations turned on).
As soon as I deleted a key, of course I had to confirm (and use the remember option), but then I would immediately deny the add (that was coming from the trojan) and remember it as well.
Had to do this for every key I deleted (and yes, there were a TON of them). It was embedded into the display, print spooler, browser, etc...
Pretty much anything you touched made sure this thing was running.
Finally got the registry sterilized and ran pskill again. This time, it died for good.
Immediately go to the fonts folder and run 'attrib -H -S wmsncs.exe'
Then 'del wmsncs.exe'.
All is well now.
I unloaded AVG & Norton.
Kept Spybot S&D and installed Moon Secure.
I'll see what this combination does for a while...
Just glad I was able to finally be rid of it.
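The hunt in the post above (find the PID behind the connections, notice it is missing from the process list, find the hidden file, strip the persistence before killing, then delete) is a procedure worth having scripted for the next box. The PowerShell below is an added example and is not part of the original post or any vendor tool; it is written the way a responder would run it today on a host with the same symptoms. Assumptions: PowerShell 5.1 in an elevated session on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on the XP box in the post, where `netstat -ano` is the equivalent); the dropper name `wmsncs` comes from the post; the persistence roots, the list of font extensions and the dry-run switch are the example's own choices.

```powershell
# Added example, not part of the original post and not a vendor tool. Assumes PowerShell 5.1
# (elevated) on Windows 8 / Server 2012 or later; 'wmsncs' is the name from the post.

$Suspect = 'wmsncs'
$DryRun  = $true    # set to $false to actually remove, kill and delete

# 1. Which PIDs own the non-local TCP connections? Get-NetTCPConnection reads the same
#    extended TCP table that 'netstat -o' prints, so the owner PID is reported even when
#    process enumeration has been tampered with.
$owners = Get-NetTCPConnection |
    Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin @('0.0.0.0', '127.0.0.1', '::') } |
    Group-Object OwningProcess |
    Sort-Object Count -Descending

# 2. Cross-check every owner against two independent enumerations. A PID that owns sockets
#    but is missing from Get-Process (the Task Manager view) or from WMI is being hidden,
#    which is exactly the discrepancy the post hit.
$wmiPids    = @((Get-CimInstance Win32_Process).ProcessId)
$hiddenPids = @()
$report = foreach ($o in $owners) {
    $ownerPid = [int]$o.Name        # $PID itself is a read-only automatic variable
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    if (-not $proc) { $hiddenPids += $ownerPid }
    [pscustomobject]@{
        PID         = $ownerPid
        Connections = $o.Count
        Image       = if ($proc) { $proc.Path } else { '<missing from process list>' }
        InWMI       = ($wmiPids -contains $ownerPid)
    }
}
$report | Format-Table -AutoSize

# 3. The Fonts folder: -Force is the PowerShell 'dir /a'. Explorer treats Fonts as a special
#    folder and will not show a stray executable there, which is why it is a favoured drop site.
$fontExt = @('.ttf', '.ttc', '.otf', '.fon', '.pfb', '.pfm', '.ini')
$dropped = Get-ChildItem -Path "$env:WINDIR\Fonts" -Force -File | Where-Object {
    ($_.Extension -notin $fontExt) -or
    ($_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and $_.Attributes.HasFlag([IO.FileAttributes]::System))
}
$dropped | Select-Object Name, Length, Attributes, LastWriteTime | Format-Table -AutoSize

# 4. Persistence: walk the usual autostart roots (Run keys, Winlogon Shell/Userinit,
#    AppInit_DLLs, print monitors, service ImagePath/ServiceDll, browser helper objects) for
#    any key or value that mentions the name. Widen to all of HKLM:\SOFTWARE if this finds nothing.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
)
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($key.PSChildName -match $Suspect -or $name -match $Suspect -or $data -match $Suspect) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap

# 5. Removal in the order the post found necessary: persistence first, then the process, then
#    the file; killing first only lets the hooked components respawn it. Only values whose data
#    is nothing but the dropper are removed automatically. Where the name has been appended to
#    a legitimate value (Winlogon Shell, a print monitor DLL list) deleting the whole value
#    would break that component, so those are listed for hand editing.
$dropPath = Join-Path $env:WINDIR "Fonts\$Suspect.exe"
foreach ($h in $hits) {
    if ($h.Data.Trim('"') -eq $dropPath -or $h.Data -eq "$Suspect.exe") {
        Remove-ItemProperty -LiteralPath "Registry::$($h.Key)" -Name $h.Value -WhatIf:$DryRun
    } else {
        Write-Warning "Review by hand: $($h.Key)\$($h.Value) = $($h.Data)"
    }
}
foreach ($p in $hiddenPids) { Stop-Process -Id $p -Force -WhatIf:$DryRun }
if (Test-Path -LiteralPath $dropPath) {
    if (-not $DryRun) {
        # 'attrib -H -S' equivalent: clear the attributes so the file can be seen and deleted
        (Get-Item -LiteralPath $dropPath -Force).Attributes = [IO.FileAttributes]::Normal
    }
    Remove-Item -LiteralPath $dropPath -Force -WhatIf:$DryRun
}
```

Run it once with `$DryRun = $true` to read the three reports before touching anything. Two caveats a responder should keep in mind: everything above executes on a host whose process enumeration is already lying, so a rootkit that can hide a PID from Task Manager can just as easily hide it from Get-Process, WMI, or the file and registry cmdlets; treat the discrepancy between the socket table and the process list as the signal, and confirm success from the outside, i.e. the scanning stops on the wire. And, as the later reply in this thread says, a snapshot or a reimage is the only result you can fully trust once something has been hooking the print spooler and the shell.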
 
Appreciate that Boomerang...
I will be the first to admit that I'm at a disadvantage in Windows. I've lived in a predominantly Linux world for a few years now. When I hit a snag in Windows, I'm pretty much left to fish for answers anywhere I can find them.
I do appreciate all the posts given to help with this.
 
If you have it clean and you feel pretty good about it... snapshot that sucker and create a restore point. I, too, use Linux and have since about 2004 or 2005.... I MAKE my kids snapshot their Windows machines. The rule is, if you get it infected, you fix it yourself or you restore it to factory new and start over. "But I'll lose all my emails!" .. "I'll show you how to use IMAP instead of POP for your mail"... "What about my music?" ... "Hope you burned a DVD" ....

In short, if it's important to you, make sure it's not dependent on just one machine. I used to have people that got reinfected so often, I set up a dual boot on their machine that they never saw. I'd boot to the clean install to repair their infected one.

Linux is so much easier... :) yeah I know folks are afraid of it but I think Pagemaker runs under Wine now (Pagemaker 7 I think).
 
cparker wrote: "Linux is so much easier... yeah I know folks are afraid of it..."

Talk about irony. It seems like only yesterday I was hearing how Linux required a tech to install, yadayadayada....

My first delve into Linux was back when there was no interactive installer... (at least not GUI!) Had to sift thru all the hardware specs... I think my first install was SuSE in 95... maybe 96... I think it was release 4 or 5.. can't really recall...
Everything was going to Windows 95 & NT at that time... it was interesting to say the least.
My whole purpose was to set up an internet connection sharing server (basically a router) that I didn't have to reboot every 4 hours! The thing ran for over 6 months without a reboot. It finally died after the harddrive heads had worn tracks into the disk platters (this was just a PC!)
Now I stare at Vista and all I can do is scratch my head...

Anybody remember interrupt & DMA jumpers? :)

But, I'm getting off topic. Better shut up before I get scolded, eh?
 
Anybody remember interrupt & DMA jumpers? :)

OH yes! And CGA being replaced by EGA, and new video cables especially for VGA. And how we thought getting color, even at the CGA level, was such a major advance!

I still have a tray of jumpers sitting around. Need to move them next to my 5.25" floppy drives, over by the stack of 8 inchers I still have. Don't have an 8" drive anymore, though.

Maybe it's time for a little housecleaning.
 
I still have a tray of jumpers sitting around. Need to move them next to my 5.25" floppy drives, over by the stack of 8 inchers I still have. Don't have an 8" drive anymore, though.

Maybe it's time for a little housecleaning.
I resemble that remark... I still have my first computer in the basement, a 4 MHz Z-80 S-100 bus monster that weighs a good 30 lbs, almost all of it in the Power Supply's transformer. It has all of 64 KB of static RAM, too!
 
I still have my first computer...

1st - Timex Sinclair 1000 - 2K main memory but I had the 16K exp pack! Did away with the membrane keyboard and hardwired in a TI99/4A keyboard.
2nd - Radio Shack Model 4P (portable!) dual 5.25 floppies, 64K...
Closed up in the case it looked like a sewing machine...

Also acquired a DEC PDP-11/70 when a local bank changed it out. Actually had the thing working in my dad's print shop for a while... never really did anything with it, but everybody wanted to know what it was! Enjoyed playing Star Trek on it for a while.

(But I didn't keep any of them...!)
 
1st - Timex Sinclair 1000 - 2K main memory but I had the 16K exp pack!

And any jostling of the memory pack at all would cause mine to reboot, right in the middle of typing in a program on that gawd awful membrane keyboard.

I paid $75 for the 16k expansion pack. I have 4GB in my desktop today.

It would take 262,144 16k expansion packs to equal 4GB.

At $75 a pop, that is: $19,660,800

In early-1980s dollars.

According to the inflation calculator website... http://www.westegg.com/inflation/

What cost $19660800 in 1983 would cost $40,429,071.09 in 2007.

sure glad memory prices fell!
 
I resemble that remark... I still have my first computer in the basement, a 4 MHz Z-80 S-100 bus monster that weighs a good 30 lbs, almost all of it in the Power Supply's transformer. It has all of 64 KB of static RAM, too!

I sold my 2 Heathkit Z-80 based machines. Well, ex-wife got one, sold the other. I still have my original, the RCA COSMAC VIP with the 1802 CPU. Still remember some commands: F8 = load immediate 32 = unconditional branch. I was going to send it to some guy who is slowly putting together a personal computer museum, but lost his contact info.


Hercules Adapter with an amber monitor... that's all you need...

Ahh, the memories! And how sexy those amber monitors were over the greenies! :p
 
you guys aren't old enough... hehehe.... the first computer I was ever exposed to was built by my older brother and my dad in our basement. It ran on vacuum tubes, was the size of 2 chest freezers and all it did was punch holes in cards. You could reprogram it by swapping tubes around in different sockets. It was quite a marvel back then. I would guess you've all got more raw computing power now in your WATCH than that old thing had. :)
 
I would guess you've all got more raw computing power now in your WATCH than that old thing had. :)
Or, go to Hallmark and get an Audio greeting card...

Not old enough? I wish! My friend across the street and I used to make card castles from the boxes of punched cards his dad would bring home from the bank. Our record was over twenty-two stories, and I think it covered over 20 square feet of their living room. (We figured out a means to use the air pressure from their air conditioning duct to help support the roof in one design.)

One of the other "treasures" that his dad brought home was a couple of the perfboard programming cards from their old IBM card sorter. It had these wires, plugs, and other modules that you could plug into the board. Maybe that was my first programming until I got some time on one of Notre Dame's IBM 360 teletype terminals back in 1973. Paper tape and all!

We were all pretty n00b then... :D
 