June 11, 2003

epmap

What is UDP, and how do I use it? UDP stands for User Datagram Protocol, and it is specified in RFC 768. What does RFC stand for? UDP is an alternative protocol to TCP, the Transmission Control Protocol, which is what serves web pages. It is used for a variety of things, including networked games. I'm interested in understanding how to read the Endpoint Mapper found at port 135 on a Windows machine.

  • Microsoft has a tool called PortQry, which enables one to do UDP queries in a straightforward manner. Some documentation is available; in particular, it gives an example of how to query the Endpoint Mapper.
  • A list of port assignments. We want 135, DCE endpoint resolution.
  • Closer: rpcdump dumps the contents of the endpoint mapper database. Wow, it works, and comes with source.
Ok, it looks like the answer is in rpcdump.c, though it references and . In the code there is a lot of talk on binding and stringbindings. The action comes from RpcMgmtEpEltInqBegin, which kicks everything off, and RpcMgmtEpEltInqNext, which gets the next endpoint. This is done until rpcerr == RPC_X_NO_MORE_ENTRIES. Hmmm. I'd like to run something like this from PHP, how can we do it? We would need to call some sort of RPC library. We could develop our own using C++, but there may be tools out there already. RPC is an acronym for Remote Procedure Call. Essentially, over the network, one can call a function, send parameters, and get results. In this case we want to send a call to port 135 to a lookup function that will dump the endpoints.
  • XML-RPC is a spec and implementation of RPC for PHP. Will it do the trick? No, I think this is something else. It allows you to use RPC, but the communication is encoded as XML.
  • Aha, RpcMgmtEpEltInqBegin. Ugly.
Ok, here we go. The binding handle, I think, is what we generate by using fsockopen("udp://www.thesite.com",135,$errno,$errstr). And then there's a bunch of options... wow, this might be undoable. Wait though, backing up: we recall that XML-RPC runs on all platforms, so there must be a way to do it without using Microsoft's convention, though it may be very hard to sort it all out.
  • Still closer. Take a look at erlang.org. But can he do it without installing anything on the Windows box? rpc:call looks very close to RpcMgmtEpEltInqBegin in its arguments.
  • How does an RPC call work anyhow?
  • Oh yes, and then there is mynetwatchman.com's site, which gives information on how those net send spam artists work. I keep meaning to save this one. It makes a lot more sense now.
Update: For those of you wishing to go a little more in depth, there are a number of books on Windows network security that will shed more light. You might also consider looking for an expert on something like Scriptlance:

Posted by torque at June 11, 2003 4:15 PM
Comments

What does epmap stand for?

Posted by: me at July 17, 2003 7:05 PM

I think epmap stands for EndPoint Mapper.

Posted by: me too at August 4, 2003 7:06 PM

Indeed, it stands for EndPoint Mapper.

Posted by: torque at August 6, 2003 12:31 PM

Is it bad to have port 135 epmap open?

Posted by: Fran at August 13, 2003 9:37 AM

My computer started to ping this port on "random" computers today, it was sending pings to 20 consecutive IPs, then again using a different initial start position, it has not stopped for a few hours now, is this a bad thing?? some virus?? hmmm, time to install a firewall...

Posted by: Anton at August 13, 2003 5:28 PM

You've got the MSBlaster virus, I suggest you look into the removal process and patch yourself up to date...

Posted by: Duncan at August 14, 2003 2:21 AM

What's going on with my computer? epmap connections?
TCP Dentist:3019 mstr81212-64573.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3020 mstr81212-64574.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3021 mstr81212-64575.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3022 mstr81212-64576.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3023 mstr81212-64577.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3024 mstr81212-64578.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3025 mstr81212-64579.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3026 mstr81212-64580.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3027 mstr81212-64581.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3028 mstr81212-64582.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3029 mstr81212-64583.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3030 mstr81212-64584.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3031 mstr81212-64585.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3032 mstr81212-64586.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3033 mstr81212-64587.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3034 mstr81212-64588.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3035 mstr81212-64589.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3036 mstr81212-64590.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3037 mstr81212-64591.dial-in.ttnet.net.tr:epmap SYN_SENT
TCP Dentist:3038 mstr81212-64592.dial-in.ttnet.net.tr:epmap SYN_SENT

Posted by: Can Sivet at August 14, 2003 12:33 PM

Bad bad bad... looks like my site has become quite popular lately, with people looking for epmap info. Well start here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Posted by: torque at August 14, 2003 3:20 PM

I had MSBlaster and it wasn't all that hard to find/clean. Installed the patch and all is working well. But I'm still getting epmap activity.

slowly it's accessing uswest.net:

System:8 TCP homesystem:epmap 0-1pool100-163.nas1.cedar-rapids1.ia.us.da.qwest.net:3744 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool230-190.nas2.cheyenne1.wy.us.da.qwest.net:3353 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool189-91.nas5.sioux-falls1.sd.us.da.qwest.net:4013 SYN_RCVD

This being after cleaning up MSBlaster.exe (if you're not sure whether you have this worm, you can check your sessions).

The new 'worm' or whatever it is only seems to ping odd sites from the sites I have been to in IE. But what's really odd, as I'm kind of documenting it here now, is that it stopped. :)

Posted by: OZtwo at August 16, 2003 1:28 PM

My Norton Internet Security keeps giving me a warning: Blocked Stealth TCP Port epmap. What's going on? Is someone trying to access my system? Thanks

Posted by: powderpuffer at August 17, 2003 8:43 AM

When I type the C:\windows>netstat -an command I have 13 TCP ports 2 established and 11 listening. What does that mean? Thanks

Posted by: powderpuffer at August 17, 2003 8:57 AM

what is excat defination of epmap ??? what is access list in cisco route to block it.

Posted by: ahmedabad at August 18, 2003 4:05 AM

Again, I installed the MS Blaster Patch, but I still have some sort of worm active on the system. Not sure if it's the probing version of MS Blaster that wasn't removed. My system is very active today:

Using TCPView.exe (10 minute sampling):

svchost.exe:388 TCP homesystem:epmap 0-1pool44-94.nas17.portland1.or.us.da.qwest.net:1900 ESTABLISHED
System:8 TCP homesystem:epmap 0-2pool1-123.nas44.tempe1.az.us.da.qwest.net:3956 SYN_RCVD

System:8 TCP homesystem:epmap uslec-66-255-190-7.cust.uslec.net:1355 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool153-132.nas9.colorado-springs1.co.us.da.qwest.net:4329 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool153-132.nas9.colorado-springs1.co.us.da.qwest.net:4873 SYN_RCVD
System:8 TCP homesystem:epmap 66.167.154.52:2120 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool215-111.nas8.albuquerque1.nm.us.da.qwest.net:3250 SYN_RCVD
System:8 TCP homesystem:epmap 0-2pool19-100.nas11.portland1.or.us.da.qwest.net:4490 ESTABLISHED
svchost.exe:388 TCP homesystem:epmap 67.2.46.108:4759 ESTABLISHED
System:8 TCP homesystem:epmap 0-1pool118-84.nas8.tucson1.az.us.da.qwest.net:3035 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool8-56.nas3.bellevue1.wa.us.da.qwest.net:3615 SYN_RCVD
System:8 TCP homesystem:epmap 67.1.243.75:4201 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool245-93.nas1.duluth1.mn.us.da.qwest.net:3360 SYN_RCVD
System:8 TCP homesystem:epmap 67.1.226.30:1601 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool248-50.nas3.duluth1.mn.us.da.qwest.net:2681 SYN_RCVD
System:8 TCP homesystem:epmap 0-2pool193-81.nas1.fargo1.nd.us.da.qwest.net:1918 SYN_RCVD
System:8 TCP homesystem:epmap 0-1pool44-154.nas17.portland1.or.us.da.qwest.net:4961 ESTABLISHED
svchost.exe:388 TCP homesystem:epmap 0-1pool44-154.nas17.portland1.or.us.da.qwest.net:4961 ESTABLISHED

The last couple of days it has been stuck on uswest.net. (My ISP).

Has anyone else run into this after installing the patch?

OZtwo

Posted by: OZtwo at August 18, 2003 12:52 PM

Ahmed, try Cisco's page. Let us know if it is what you have been looking for: http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml

Posted by: torque at August 18, 2003 4:10 PM

The blaster virus looks for other computers to launch from, that's why the activity in endpoint you are seeing. Put up a firewall if you do not have one already. Your computer has over 65000 ports on it to communicate through. When you transmit data across an asynchronous line, a particular port will say sending or receiving data. If you are not sending data, your ports will be in "listening" mode. A Syn flood is a computer trying to get a response from your computer so it can establish another route to launch from or to see what services can already be exploited.


And would you PLEASE use spellcheck next time! Excat means nothing. Just because you install the patch does not mean that you are going to stop the virus from searching for a new launching point. You will just close the open port on your computer or whatever the fix in the patch does, but it will not stop the virus.

-Kill your television!

Posted by: dude at August 19, 2003 6:59 AM
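The listings pasted in this thread (netstat -a with service names, netstat -an, and TCPView rows with a leading process:pid column) can be triaged mechanically along the lines dude describes: outbound SYN_SENT rows to other hosts' 135 mean this machine is the one scanning, inbound SYN_RCVD/ESTABLISHED on the local 135 mean it is being probed, and a run of consecutive target addresses is the Blaster-style address walk Anton and others noticed. The Python below is an added example, not code from the original post or any commenter; the sample rows are constructed and their hostnames and addresses are placeholders.

```python
"""Triage netstat / TCPView listings for epmap (TCP 135) activity.

Added example, not from the original post. The sample rows are constructed
to mimic the formats seen in the thread; addresses are placeholders.
"""
import ipaddress
import re
from collections import Counter

EPMAP = {"135", "epmap"}  # netstat shows the port by number or by name

# Optional "proc:pid" column (TCPView), then proto, local, remote, state.
LINE_RE = re.compile(
    r"^(?:(?P<proc>\S+:\d+)\s+)?(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+"
    r"(?P<remote>\S+)(?:\s+(?P<state>[A-Z_0-9]+))?\s*$"
)


def parse_line(line):
    """Return a dict for one connection row, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    lhost, _, lport = m.group("local").rpartition(":")
    rhost, _, rport = m.group("remote").rpartition(":")
    return {"proc": m.group("proc"), "proto": m.group("proto"),
            "lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
            "state": m.group("state") or ""}


def classify(conn):
    """Label a TCP row by which side of the port-135 conversation we are on."""
    if conn is None or conn["proto"] != "TCP":
        return None
    if conn["rport"] in EPMAP and conn["state"] == "SYN_SENT":
        return "outbound_probe"   # we are knocking on someone else's 135
    if conn["lport"] in EPMAP and conn["state"] in ("SYN_RCVD", "ESTABLISHED"):
        return "inbound"          # someone reached our 135
    if conn["lport"] in EPMAP and conn["state"] == "LISTENING":
        return "listening"
    return None


def longest_sequential_run(hosts):
    """Length of the longest run of consecutive IPv4 addresses in hosts.
    Hostnames are ignored; worm scanners walk addresses in order."""
    addrs = []
    for h in hosts:
        try:
            addrs.append(int(ipaddress.IPv4Address(h)))
        except ValueError:
            pass
    best = run = 0
    prev = None
    for a in sorted(set(addrs)):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best


def triage(lines, scan_threshold=10):
    """Summarise a listing and return (counts, findings)."""
    counts = Counter()
    targets = []
    for line in lines:
        conn = parse_line(line)
        kind = classify(conn)
        if kind:
            counts[kind] += 1
        if kind == "outbound_probe":
            targets.append(conn["rhost"])
    findings = []
    if len(set(targets)) >= scan_threshold:
        findings.append("scanning_out")        # this box probes others: assume infected
    if longest_sequential_run(targets) >= 3:
        findings.append("sequential_targets")  # worm-like address walk
    if counts["inbound"]:
        findings.append("probed_in")           # background noise; filter 135 at the border
    if counts["listening"]:
        findings.append("135_exposed_if_unfiltered")
    return dict(counts), findings


# Constructed sample mixing the three formats seen in the thread.
SAMPLE = """
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe:944 TCP homepc:epmap homepc:0 LISTENING
System:8 TCP homepc:epmap dialup-17.example.net:3744 SYN_RCVD
TCP homepc:3019 192.0.2.10:epmap SYN_SENT
TCP homepc:3020 192.0.2.11:epmap SYN_SENT
TCP homepc:3021 192.0.2.12:epmap SYN_SENT
TCP homepc:3022 192.0.2.13:epmap SYN_SENT
UDP 0.0.0.0:135 *:*
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE, scan_threshold=4))
```

Feed it the output of netstat -an (or a TCPView paste) one line at a time; a low scan_threshold is fine for a home box that should never be opening 135 outbound at all.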

I've got the same problem as above... cleaned off the worm, but still I can axx "Task Manager": it shows for a split second then closes! It's never done this before. I'm running Windows XP / Home... and it's a fresh install updated to the max...

Posted by: windowsupdatefortherestofyourlife at August 20, 2003 11:20 AM

I have the exact problem that OzTwo is currently facing. After running Symantec's blaster fix/updating Windows to the latest service pack/getting all the necessary patches/closing various services etc. I am still getting multiple established outgoing connections to random IPs/ports resolved to my ISP. The process that predominates in these is svchost.exe with a few System:8 connections on the side ... :'( When I run my firewall everything's fine of course but still the annoyance factor is pretty great

Posted by: n2j3 at August 24, 2003 11:50 AM

I would be interested to know how worms propagate. I have heard of some which use an existing vulnerability in a server/listening program to get their code onto a computer.
Is this the only way they can work, in which case a PC behind a NAT router should be safe?

Posted by: tim at August 26, 2003 3:44 PM

Yep tim, but bear in mind port forwarding, DMZ settings and possibly uPnP (which you really should disable, both on the router and the PC - see http://grc.com). Any of these things could open your PC's ports to the internet.

Posted by: moose at August 27, 2003 8:54 AM

Just cleaned my PC where I had the same EPMAP problem. Seems there is a new worm called Raleka which infects the svchost.exe file and copies it to different locations. Quite hard to remove as it is protected by a service and when you shut down the processes your XP machine decides to reboot (nice one MS!). Yesterday's update to NAV got it in the end.

Posted by: Gogglehead at August 28, 2003 1:56 AM

Not really a lot of info on it as you can see. Seems to be of the same ilk as the Blaster worms. http://securityresponse.symantec.com/avcenter/venc/dyn/34796.html

Posted by: Gogglehead at August 28, 2003 1:59 AM

I love Network Utility in Jaguar for Mac... how can I have more fun with it???

THANKS!!!

Posted by: drew at September 11, 2003 9:56 PM

Same problem as OZtwo and n2j3:

I noticed that if i block all outgoing traffic with ZAPro, i get something like this:

... Source IP Destination IP Direction ...
My IP:1240 Some IP:53 Outgoing
My IP:1239 Some IP:53 Outgoing
My IP:1238 Some IP:53 Outgoing
My IP:1237 Some IP:53 Outgoing
My IP:1236 Some IP:53 Outgoing
My IP:1235 Some IP:53 Outgoing
My IP:1234 Some IP:53 Outgoing
....


Where 'Some IP' remains the same as long as I don't disconnect. When I reconnect, It ('Some IP') can either be the same IP or another IP, that will also remain the same till I disconnect again, but the port is always 53. Up to now, I had only three different 'Some IP', which happen to belong to my ISP (Sympatico-Bell Canada, which is also my phone company) and I can block them with ZAPro firewall.

Now if I shutdown ZAPro and turn on Nettools-Netstat, I notice connection attempts through the EPMAP port just as reported by OZtwo n2j3. Sometimes a connection is established: most of the time it drops immediately but still sometimes it remains. It also reports svchost.exe as the source.

ZAPro doesn't mention any program being the source of these and NAV doesn't detect anything. I also tried an online trojan scan from Blackcode: nothing. And, yes: NAV and WinXp have been Updated.

I know now EPMAP is port 135. But 'the thing' that tries to connect seems, according to ZAPro, to use other ports, incrementing by one at each attempt.

So, that's my story. (And what is this site anyway! **:D )

Posted by: astidkalis at September 18, 2003 1:58 AM

Yes... I have done a netstat command right now to see my connections, and I'm in the same or a similar situation to astidkalis.
Some IP addresses establish a connection with me on the epmap port.
I have already solved the MSBlast problem and I don't have any other trojan.
I have seen that these IPs which establish connections with me are from my same ISP... so, the same nationality... is it the same for you too?

Posted by: ProjectMayhem at September 18, 2003 12:07 PM

I have the exact same problem as OZtwo and n2j3 and sgrantham (I have WinXP). I have tried everything under the sun and then some. I previously had the blaster virus, removed it and updated, and things were fine for a while. Then, about two weeks ago (Sept 13) my connection got slow. The upload speeds are VERY slow. I ruled out all hardware issues (even installed another NIC, and my connection reads perfect over XBox Live). I have tried scanning with Norton (full version and the blaster fix as well), McAfee, done all of the Windoze updates (it installed the latest fix for this type of hole, but it didn't fix it) and have installed ZoneAlarm as well (most likely too late though). The virus scans find nothing, so I got PestControl. That found a lot, but still didn't help. AdAware didn't help either, and neither did SpyBot SD. I looked through RegCleaner, but couldn't find anything particular and don't want to mess up my system. I also should note I have NetBIOS over TCP/IP disabled as well. TCPView is showing the EPMAP process which I know has to be the problem (I have seen it on port 135 and now it is on 948). I can't disallow that with ZA because then DNS doesn't work and my connection is worthless. If I turn ZA on, the requests with that process stop. Once I turn it on, the epmap goes nuts, and I get requests all of the time (about every 2-5 seconds). I also noticed that ZA shows numerous ICMP requests coming in too (correct me if I am wrong, but I probably got this stupid problem because I wasn't blocking those to begin with). My question is this....I was told the only thing I could do (from Earthlink Tech Support and from all of the internet searching I could do) is to run XP set-up again, or do a complete fresh install....has anyone removed this same problem by doing that? I was just reading that I might have the Welchia virus (I find that hard to believe because no current virus software finds anything on my system).
The only thing is, my dllhost.exe and svchost.exe files are in a different directory than the ones the removal instructions say to remove. Mine sit in the windows system32 directory, and there are no entries under the wins directory. I don't want to delete a file I need, can someone please tell me (especially if you are having the same problem) if these are actual files I need? Should I simply run XP setup again to copy over them, or do I not have this problem and my connection is messed up for some other reason? THANKS FOR THE HELP!!!

Posted by: raber at September 26, 2003 10:30 PM

Exactly the same problem as raber's here. The computer is a new Compaq - I bought it a couple of days ago and have barely had the time to set up a dial-up. Which is flooded with epmap requests right now.
Good job by Compaq/HP - besides providing me with a wormed system, they gave me no installation CDs for anything at all. I just ran their "Recovery" software, which simply created an image of the system files on 6 CDs. I would bet the worm is included in the image. Tomorrow I'm formatting and switching to Linux. Microsoft and all its minions suck again.

Posted by: feanor at September 27, 2003 7:45 PM

I have a new Dell (one week old) which started having all of the problems described almost immediately, even with the OEM McAfee Personal Firewall installed. After installing Norton PFW and ZoneAlarm Pro, installing all patches, etc. I was still being bombarded with epmap attempts, hundreds of ICMP pings and many Trojan horse scans. Using McAfee's tracing feature, I found that they originated mostly from the US (LA, Chicago, Washington, Dallas were big), but also received numerous attempts from Germany, China, Korea. I finally decided to reformat the computer and reinstall all OEM software. Results: same EPMAP attempts almost immediately. Activity appears to be a bit slower, but overall activity is still very high and annoying. One last observation: I am seeing the same problems on my 3 year old laptop with the only similarity to my PC being that I use EARTHLINK.NET. I see that others mention them also. Any chance they are part of the problem?

Posted by: Frustrated 2 at October 1, 2003 8:03 AM

My Sony PCG-Z1RA had many of the same symptoms listed above. It turned out to be Welchia. I downloaded the removal tool at securityresponse.symantec.com/avcenter/tools.list.html and that fixed the problem.

Posted by: Tom++; at October 3, 2003 2:15 PM

I've had this epmap problem, and it is \windows\system32\mslaugh.exe

a variant of msblast apparently.

Posted by: scott at October 4, 2003 2:51 PM

I have crazy epmap activity. I've got about 200 connections in syn_sent to sequential IPs all checking their 135. I've updated and run NAV and I've done the msblast removal just for fun. No luck yet.

Posted by: Kevin at October 6, 2003 5:31 PM

I recently hooked my pc back up to the internet with a UK service provider and a static IP address.
It was getting bombarded from day 1 so I decided to reinstall windows and make sure everything was up to date and everything installed (ZA etc).

Well here is the netstat results:


C:\>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:707 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1198 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1199 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1249 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1251 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1252 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1254 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1262 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1263 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1264 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1267 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1269 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1270 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1273 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1274 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1412 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4171 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6881 0.0.0.0:0 LISTENING
TCP 81.168.80.188:139 0.0.0.0:0 LISTENING
TCP 81.168.80.188:1198 198.133.219.25:80 ESTABLISHED
TCP 81.168.80.188:1199 198.133.219.25:80 ESTABLISHED
TCP 81.168.80.188:1249 203.173.164.191:6881 LAST_ACK
TCP 81.168.80.188:1251 81.132.104.155:6882 ESTABLISHED
TCP 81.168.80.188:1252 24.132.149.33:6887 ESTABLISHED
TCP 81.168.80.188:1254 172.183.125.249:6881 ESTABLISHED
TCP 81.168.80.188:1262 64.65.83.126:6882 ESTABLISHED
TCP 81.168.80.188:1263 200.141.227.203:6883 ESTABLISHED
TCP 81.168.80.188:1264 81.164.210.111:6883 ESTABLISHED
TCP 81.168.80.188:1267 82.64.132.39:6884 ESTABLISHED
TCP 81.168.80.188:1269 12.237.36.172:6884 ESTABLISHED
TCP 81.168.80.188:1270 24.184.85.4:6887 ESTABLISHED
TCP 81.168.80.188:1273 80.50.40.219:6883 ESTABLISHED
TCP 81.168.80.188:1274 213.112.205.138:6882 ESTABLISHED
TCP 81.168.80.188:4171 64.62.96.42:6667 ESTABLISHED
TCP 81.168.80.188:6881 12.216.244.50:2787 ESTABLISHED
TCP 81.168.80.188:6881 12.217.230.5:4232 ESTABLISHED
TCP 81.168.80.188:6881 24.65.23.11:2654 ESTABLISHED
TCP 81.168.80.188:6881 24.95.238.112:64811 ESTABLISHED
TCP 81.168.80.188:6881 24.159.26.78:4566 ESTABLISHED
TCP 81.168.80.188:6881 24.238.231.152:3634 ESTABLISHED
TCP 81.168.80.188:6881 62.111.208.30:1761 ESTABLISHED
TCP 81.168.80.188:6881 62.195.247.59:33220 ESTABLISHED
TCP 81.168.80.188:6881 63.192.195.78:4897 ESTABLISHED
TCP 81.168.80.188:6881 63.245.32.156:3107 ESTABLISHED
TCP 81.168.80.188:6881 65.30.183.47:61620 ESTABLISHED
TCP 81.168.80.188:6881 65.48.181.16:33714 ESTABLISHED
TCP 81.168.80.188:6881 65.93.166.2:4474 ESTABLISHED
TCP 81.168.80.188:6881 66.25.156.89:3329 ESTABLISHED
TCP 81.168.80.188:6881 66.32.128.211:3462 ESTABLISHED
TCP 81.168.80.188:6881 66.118.109.38:4728 ESTABLISHED
TCP 81.168.80.188:6881 67.20.151.137:3532 ESTABLISHED
TCP 81.168.80.188:6881 67.34.160.80:50649 ESTABLISHED
TCP 81.168.80.188:6881 68.18.119.201:50697 ESTABLISHED
TCP 81.168.80.188:6881 68.67.8.54:3202 ESTABLISHED
TCP 81.168.80.188:6881 68.71.13.94:65313 ESTABLISHED
TCP 81.168.80.188:6881 68.99.117.72:26558 ESTABLISHED
TCP 81.168.80.188:6881 68.100.245.38:6411 ESTABLISHED
TCP 81.168.80.188:6881 68.202.221.182:3918 ESTABLISHED
TCP 81.168.80.188:6881 80.56.68.5:1918 LAST_ACK
TCP 81.168.80.188:6881 80.56.68.5:1945 ESTABLISHED
TCP 81.168.80.188:6881 80.74.196.210:50848 ESTABLISHED
TCP 81.168.80.188:6881 80.100.23.145:42265 ESTABLISHED
TCP 81.168.80.188:6881 80.202.22.2:26641 ESTABLISHED
TCP 81.168.80.188:6881 80.202.209.211:63275 ESTABLISHED
TCP 81.168.80.188:6881 80.212.210.198:1419 ESTABLISHED
TCP 81.168.80.188:6881 81.103.219.81:3249 ESTABLISHED
TCP 81.168.80.188:6881 82.161.4.45:1345 ESTABLISHED
TCP 81.168.80.188:6881 161.109.228.223:1655 ESTABLISHED
TCP 81.168.80.188:6881 168.226.92.13:3930 ESTABLISHED
TCP 81.168.80.188:6881 193.216.168.29:3102 ESTABLISHED
TCP 81.168.80.188:6881 200.196.54.117:49547 ESTABLISHED
TCP 81.168.80.188:6881 203.214.1.79:4076 ESTABLISHED
TCP 81.168.80.188:6881 209.8.10.25:2136 ESTABLISHED
TCP 81.168.80.188:6881 212.106.144.18:3916 ESTABLISHED
TCP 81.168.80.188:6881 213.66.57.118:32973 ESTABLISHED
TCP 81.168.80.188:6881 216.99.224.6:52720 ESTABLISHED
TCP 81.168.80.188:6881 216.155.95.180:3341 ESTABLISHED
TCP 81.168.80.188:6881 217.117.128.84:3032 ESTABLISHED
TCP 81.168.80.188:6881 217.164.60.113:2083 ESTABLISHED
TCP 81.168.80.188:6881 219.77.167.104:1724 ESTABLISHED
TCP 81.168.80.188:6881 220.255.119.56:1234 ESTABLISHED
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1036 *:*
UDP 0.0.0.0:1200 *:*
UDP 81.168.80.188:69 *:*
UDP 81.168.80.188:137 *:*
UDP 81.168.80.188:138 *:*
UDP 81.168.80.188:500 *:*
UDP 127.0.0.1:2089 *:*
UDP 127.0.0.1:3888 *:*

C:\>

Sorry for the long paste; needless to say a "netstat" never finishes.

When I run zonealarm it really screws things up (e.g. can't keep IRC connection alive)

Posted by: Meto at October 7, 2003 9:14 AM

Ok, now I am REALLY FRUSTRATED!!! I just formatted my drive and started with the factory settings of WinXP. The first time I did that, I got online and went directly to the Windows Update site, and while downloading Service Pack 1, I caught the msblast virus (got NT AUTH Shutdown error), and after my machine rebooted itself, I formatted and started over. The second time, I took much more care, and installed the patch (had it on CD) for msblast from MS first, then installed the firewall (ZoneAlarm), and then got on the internet. ZA was going nuts with ICMP requests, but it was blocking all of them. So, I thought my machine would be fine, and my internet connection fast again. NOPE! Is this earthlink or my machine?!?! So, after being completely updated, starting over, and cleaning my system; I see the following with TCPView:

cvpnd.exe:408 UDP Raber1:isakmp *:*
cvpnd.exe:408 UDP Raber1:4500 *:*
cvpnd.exe:408 UDP Raber1:62515 *:*
cvpnd.exe:408 UDP Raber1:62517 *:*
cvpnd.exe:408 UDP Raber1:62519 *:*
cvpnd.exe:408 UDP Raber1:62521 *:*
cvpnd.exe:408 UDP Raber1:62523 *:*
cvpnd.exe:408 UDP Raber1:62524 *:*
Navapw32.exe:1912 TCP Raber1:1027 Raber1:0 LISTENING
svchost.exe:1052 TCP Raber1:1025 Raber1:0 LISTENING
svchost.exe:1052 UDP raber1:ntp *:*
svchost.exe:1052 UDP Raber1:ntp *:*
svchost.exe:1052 UDP raber1:ntp *:*
svchost.exe:1280 UDP Raber1:1038 *:*
svchost.exe:1280 UDP Raber1:1045 *:*
svchost.exe:1280 UDP Raber1:3410 *:*
svchost.exe:1280 UDP Raber1:3411 *:*
svchost.exe:1312 TCP Raber1:5000 Raber1:0 LISTENING
svchost.exe:1312 UDP raber1:1900 *:*
svchost.exe:1312 UDP Raber1:1900 *:*
svchost.exe:1312 UDP raber1:1900 *:*
svchost.exe:944 TCP Raber1:epmap Raber1:0 LISTENING
System:4 TCP Raber1:microsoft-ds Raber1:0 LISTENING
System:4 TCP Raber1:1033 Raber1:0 LISTENING
System:4 TCP raber1:netbios-ssn Raber1:0 LISTENING
System:4 UDP Raber1:microsoft-ds *:*
System:4 UDP raber1:netbios-ns *:*
System:4 UDP raber1:netbios-dgm *:*

Can someone please explain what this means??? Why is the EPMAP there, and why would I have multiple svchost.exe files?!? My computer is being slammed from multiple ICMP requests too. Any helpful comments or e-mails would be greatly appreciated.

Posted by: raber at October 16, 2003 10:31 PM

I tried the Symantec blaster removal tool but I didn't get rid of the blaster services that the blaster installs...

My way...

Please check:
C:\WINDOWS\system32\wins

If there is something in this folder, delete it.

e.g. SVHOST.EXE in capital letters (delete)

Then you must clean the registry from these services you found in your wins folder.

Search for services with "C:\WINDOWS\system32\wins" - then delete

This worked for me - blaster gone =)

/Maddy

Posted by: Maddy at October 29, 2003 2:27 AM

I disabled DCOM in my win XP, but I still have port 135 listening.

I need to disable port 135 altogether. I do not need it!

Any suggestion is most appreciated

Gene

Posted by: Gene at October 29, 2003 6:00 AM

Could be Welchia. Had a teacher whose PC had Blaster symptoms, brought it in for a look. No blaster, but heaps of epmap ports. Corp NAV Home found nothing. Ran TCPview from SysInternals to see program opening the ports; NAV immediately went "Hey, I found the Welchia worm!" Wellwellwell, NAV's blind unless TCPview is run... downloaded removal tool from Symantec, ran that, result: one dead worm! Woot!

Posted by: Sabriel at October 29, 2003 9:51 PM

Hi there!

I have noticed that this f***ng worm (or whatever this thing is) can gain access to your bandwidth through the MS SQL Server DB Service. If you're running MS SQL Server to provide DB services to remote users, then you should pay special attention to ports 138, 139, 1260 and 1483.

Also, I'm sure that Norton Internet Security software suckz hard and it can't protect you from external attacks, because it hasn't stopped a single attack since my last format (3 days ago) and it never blocks specific ports. Now I'm looking for another firewall, because Norton's really suckz!

Posted by: VaGo at November 12, 2003 7:08 AM

Well... let's see...

The best firewall I've tested is Zone Alarm Pro. It allows you to block specific ports, programs and also executable files and dll's. It's very effective and cuztomizable (no, i'm not related to Zone Labs :P)

I'm not sure about this, but it seems that if your PC is working as a super-node to spread this worm, when someone tries to connect to your PC, he'll be contaminated too. I've noticed this when I was trying to remote into my PC from different locations. Now some of those machines are showing the same symptoms described here. Has anyone noticed this problem?

Posted by: VaGo at November 14, 2003 5:38 AM

I had the problem with a dial-up internet access where the transmit light on the modem went crazy. Using netstat I discovered that my computer was connecting to epmap. It was so bad that after about 5 minutes I had received 300K bytes but transmitted over 2.5M. I looked at Maddy's comments above and found that I had two files in the C:\winnt\system32\wins directory, one called SVHOST.EXE and the other DLLHOSTS.EXE, both in upper case. I deleted both ... had to start up in safe mode to delete the DLLHOSTS.EXE file, edited the registry and removed the entries with "C:\WINDOWS\system32\wins" and this has killed it.

thanks Maddy

Ian

Posted by: Ian at November 16, 2003 3:07 AM

Look here:
http://www.software.rockwell.com/forum/rsview32/messageview.cfm?catid=19&threadid=5497

I have been looking for this epmap info and it seems that some connections open for it are normal on an XP machine.

Posted by: Meneldur at November 19, 2003 1:24 PM

I have 4 connections on epmap:
SVCHOST.EXE:712 TCP alchemist:epmap alchemist:0 LISTENING
SVCHOST.EXE:712 TCP alchemist:epmap lwby-199-224-85-64.ppp.lwby.epix.net:2449 ESTABLISHED
SVCHOST.EXE:712 TCP alchemist:epmap host197164.arnet.net.ar:3912 ESTABLISHED
SVCHOST.EXE:712 TCP alchemist:epmap 200.45.249.136:4243 ESTABLISHED

Some of them are ISP hosts...

Posted by: Meneldur at November 19, 2003 1:26 PM

When Winroute Pro 4.2 was installed, I discovered connections to 80.80.15.166 at different ports both on my end and on theirs. And even after hmhost.sam was redirected to localhost, it still kept connecting; please advise if someone has had this problem before (if Winroute is turned off all connections disappear). There is nothing on the address in the whois service and on the internet either...
HELP!!!!!!!!!!!

Posted by: Dj Crash at December 1, 2003 1:55 PM

I am having the same problems with this epmap thing.

I have about 30 computers on my network and none of them have welchia.

I am running tcpview, and I can see that explorer.exe System, services.exe and lsass.exe are popping up randomly. They are listening on different ports. The ports start at 1100 and count up.

Now I have System and the remote address is an IP address on my network with (ipaddress):microsoft-ds. This just popped up on tcpview.

It seems to be counting up ports on explorer.exe on local host. And then time_wait on System connecting to a count up of remote address ip addresses. Very weird.

If anyone has any idea how to fix this, it would be greatly appreciated.

Charlie

Posted by: charlie at December 10, 2003 10:38 AM

This is what I get when I type netstat. I have run the blaster tool from Symantec, but it says I don't have the worm. What should I do now????

Active Connections

Proto Local Address Foreign Address State
TCP d-crks5kauk5dbu:1692 localhost:1693 ESTABLISHED
TCP d-crks5kauk5dbu:1693 localhost:1692 ESTABLISHED
TCP d-crks5kauk5dbu:2316 213.1.251.19:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2430 213.1.255.39:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2453 line-0-16-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2454 line-0-30-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2457 line-0-29-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2459 line-0-43-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2464 line-0-39-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2471 line-0-52-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2477 line-0-20-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2479 line-0-55-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2483 line-0-58-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2485 line-0-76-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2491 line-0-99-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2493 line-0-94-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2504 line-0-112-bs3.tiscali.ch:epmap FIN_WAIT_
TCP d-crks5kauk5dbu:2515 line-0-128-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2518 line-0-124-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2525 line-0-133-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2527 line-0-2-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2534 line-0-143-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2539 line-0-150-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2570 line-0-207-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2583 line-0-221-bs3.tiscali.ch:epmap TIME_WAIT
TCP d-crks5kauk5dbu:2587 line-3-253-bs3.tiscali.ch:epmap SYN_SENT

Posted by: David Jackson at December 12, 2003 12:47 PM
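As an added example (not from the post or any of the commenters), a small Python parser for this style of netstat output that separates the loopback pair from outbound epmap connections and counts distinct remote hosts, which is the pattern to check before assuming an infection; the sample lines are constructed and use documentation addresses and made-up hostnames.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows "netstat" output; the hostnames,
# addresses and ports are made up and only mirror the pattern in the post above.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP host:1692 localhost:1693 ESTABLISHED
TCP host:1693 localhost:1692 ESTABLISHED
TCP host:2316 192.0.2.19:epmap TIME_WAIT
TCP host:2430 192.0.2.39:epmap TIME_WAIT
TCP host:2453 host-a.example.net:epmap TIME_WAIT
TCP host:2454 host-b.example.net:epmap TIME_WAIT
TCP host:2457 host-c.example.net:epmap SYN_SENT
TCP host:3000 192.0.2.8:microsoft-ds ESTABLISHED
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
"""

# proto, local addr:port, foreign addr:port, optional state (UDP lines have none)
LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?$")


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "raddr": raddr, "rport": rport, "state": state or ""})
    return rows


def epmap_summary(rows, threshold=5):
    """Count outbound connections to port 135/epmap by remote host.

    The local LISTENING socket on 135 is normal; many distinct remote hosts
    in TIME_WAIT/SYN_SENT from a climbing local port is the scanning pattern
    the posts describe and is what a worm-removal check should look for.
    """
    outbound = [r for r in rows
                if r["rport"] in ("epmap", "135") and r["state"] != "LISTENING"]
    hosts = Counter(r["raddr"] for r in outbound)
    return {
        "outbound_epmap": len(outbound),
        "distinct_hosts": len(hosts),
        "syn_sent": sum(1 for r in outbound if r["state"] == "SYN_SENT"),
        "looks_like_scanning": len(hosts) >= threshold,
    }
```

Feed it the saved output of netstat -an from the affected machine; the loopback pair and the LISTENING socket are left out of the count on purpose.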

Ok, I had a similar problem to Ian, Gene, etc. Maybe this might help out. Here is my experience.

Windows XP Pro, Dial-up connection.

i) new computer, fresh windows installation
ii) received the Blaster virus over the dial-up
iii) remove the blaster virus
iv) patch windows, http://www.sophos.com/virusinfo/analyses/w32blastera.html

1) Now, looking in my Task Manager, under Networking, the dial-up is constantly sending epmap packets out on ports 3000+.
2) Using the command line to check, I typed netstat /a to see the list of epmap processes sending.
3) Checked the Task Manager, under Processes: there are two bogus processes, DLLHOST and SVCHOST (both in caps). End those processes.
4) Go to your Windows\system32\wins directory (if it exists). Delete the DLLHOST and SVCHOST files. If you did not kill the processes before, you will not be able to delete them.
5) Click Start, Run, type in regedit. Do a search for windows\system32\wins.
6) Delete the entry whenever you see this.

This is how I solved it.

Cheers, Wei

Posted by: Wei at December 18, 2003 3:26 AM

I have a question about port 135.
Just after booting my computer (Windows 2000 Server), I find this (result of netstat -an):

Local Address : my system IP
port : Random
Foreign Address : my system IP
port : 135
state : TIME-WAIT

Why does it happen? Why does my system try to connect to my system at port 135?

It would be appreciated if you email me and tell me why it happens. Thanks!!

Posted by: yuijune at February 6, 2004 6:30 PM

My favourite firewall is Sygate Personal Firewall Pro. I've tried many others, but this has optimal functionality. Some of the others offer a different view of the logs and active applications, which sometimes is useful. But Sygate is still the best. :) Norton really really sucks. ZA is not so complicated as Sygate PFPro is. Compare the size of the setup file - it's an estimate for the functions: approx. 5MB (ZA) vs. 8.3MB (Sygate).
Blocking a single port or a range of ports, IPs or MACs is really easy and fast.

Posted by: chef at February 13, 2004 5:24 PM

This is a little bit off-topic, but it will be useful for you in the fight with worms. It's so simple to block ports 135-139! This eliminates 50% of the known vulnerabilities in Windows.

Posted by: chef at February 13, 2004 5:30 PM

Hello,

I recently got bombarded with epmap connections too. I have a Windows 2003 box with a static IP.

To fend off this attack, I installed the basic firewall and opened the following ports:

80 - WWW
443 - SSL
21 - FTP
3389 - Remote Desktop
25 - SMTP

I disabled the Internet user and made sure anonymous access was unchecked for WWW, SMTP, and FTP.

This of course didn't work. I was still getting hit with epmap connections that seemed to come from every direction. I decided to close one port at a time and monitor the connections with TCPView. I started with the SMTP port and, much to my surprise, I think I hit the jackpot. My epmap connections went away. I reopened the port and noticed the epmap connections trickling back in. The port is now closed until I do some research. I will get back with my findings.

Thanks,
Shawn

Posted by: Shawn at March 16, 2004 7:03 PM

In my PC I get a port 135 error
and an epmap error.
My internet connection is through cable.
When I browse the internet my ping is "request timed out", and when the internet page is completely open the ping replies normally 10 times.

Please help me.

Thank you.

Posted by: chaddi at April 19, 2004 4:15 AM

Hi guys,
My question is the following: if epmap on port 153 is not that important, why don't we close it?

Posted by: Serge at May 17, 2004 8:01 AM

Hi,

My Win 2k server shows a transfer rate of 50GB/day on the ISP statistics, whereas my netstat shows 400MB. Any idea of what could be the problem?

Regards,
Jai

Posted by: Jai at June 10, 2004 12:00 AM

I have formatted my computer. I have Windows updates SP1 and SP2 on CDs. I did a full format and have not connected to the net at all, and I just used netstat after all my installations and I still have this shitty svhost virus.

Posted by: k3nstar at March 4, 2005 9:38 AM

Can you bind those services to a LOCAL IP? Because I see it binds on 0.0.0.0:135...

Services for the LAN should be bound to the local IP...

Posted by: JurgenD at June 29, 2005 1:49 AM

Is epmap the same as the loc-srv service running on UDP (135)?

Posted by: swar at August 4, 2005 3:32 AM

How can I disable and close epmap on port 135 on my computer? netstat only shows it as LISTENING.

Posted by: Rafael at November 8, 2005 1:41 AM
