Traffic doesn't seem normal, pls help...

#1 chrk


Posted 20 November 2012 - 03:40 AM

I am rather perplexed about the network traffic that is being received and sent out.
The system is XP SP2. The PC is connected via a cable to a TPL router with a wireless HW modem attached.
It has the ZA firewall, which used to work fine until a deluge of attacks (over 500 within a few seconds trying to access the PC). It could be that the ZA settings were not well done then. But the originally set MS firewall became inoperable due to ICS being unable to activate, even when tried directly.

I have scanned with many AVs such as SD, MalwareB, AVGfree, MV, etc. All negative, but the traffic still looks like it is being redirected immediately, as TCPView shows.

In the past, when the HW modem was plugged directly into the PC's USB port, the traffic sent out through the Local Area Connection was usually about 10% of that received. However, it has since become about equal, i.e. packets sent almost equal packets received. This started some time ago, with or without the router, though the addition of the router could have been a cause. Why? Because initially it couldn't log in to the internet if the port was not allowed to open as a server.
So there is this question: why does Generic Host Process for Win32 need to be a server in order for the PC to access the internet?
Logging in is done by first enabling the LAN, then plugging in the modem attached to the router.

The HWei modem recently has had a liveupdate program running (it didn't use to have one). My PC accesses the internet through the national proxy server. Disabling the modem liveupdate didn't seem to affect the access once logged in. The TCPView log attached has it disabled.

In Windows Task Manager, System Idle Process is high at the 70 level, and taskmgr.exe is active in the top 3 positions besides the browser in 2nd position.
alg.exe appeared as a server on internet login.
AVGfree is running, but it shows 2 avgsrvx.exe.

It appears, according to the Local Area Connection Status, that the amount of traffic received is immediately transferred to sent. Does this mean it is being redirected?
It appears so, as a check found some being redirected to various sites: Google, some reserved sites, research sites, etc. Can anyone help to confirm, and if so, what can be done to stop the outflow? Thanks.

The following is what appeared in the TCPView file. Note that TCPView deletes records as the page changes, so I have tried to capture the page upon loading.

Process PID Protocol Local-Address Local-Port Remote-Address Remote-Port State Sent-Packets Sent-Bytes Rcvd-Packets Rcvd-Bytes
avgemc.exe 1976 TCP DEMO 10110 DEMO 0 LISTENING
lsass.exe 440 UDP DEMO 4500 * *
[System Process] 0 TCP demo 2579 a5.creativecommons.org http TIME_WAIT
[System Process] 0 TCP demo 2577 sin04s02-in-f2.1e100.net http TIME_WAIT
firefox.exe 3388 TCP demo 2576 sin04s02-in-f2.1e100.net http ESTABLISHED 1 1,106 1 376
firefox.exe 3388 TCP demo 2567 sin04s02-in-f24.1e100.net http ESTABLISHED
firefox.exe 3388 TCP demo 2560 sin04s02-in-f23.1e100.net https ESTABLISHED 29 18,490 428 570,136
firefox.exe 3388 TCP demo 2559 sin04s02-in-f17.1e100.net https ESTABLISHED 97 30,786 123 14,100
AcroRd32.exe 3392 UDP DEMO 2514 * *
firefox.exe 3388 TCP demo 2391 sin04s02-in-f0.1e100.net https CLOSE_WAIT
svchost.exe 904 UDP demo 1900 * *
svchost.exe 904 UDP DEMO 1900 * *
svchost.exe 872 UDP DEMO 1400 * * 178 6,894 171 42,525
svchost.exe 872 UDP DEMO 1399 * * 376 14,851 363 95,105
svchost.exe 872 UDP DEMO 1279 * * 243 9,607 239 61,640
svchost.exe 872 UDP DEMO 1185 * * 178 6,662 7 2,105
svchost.exe 872 UDP DEMO 1184 * * 15 614 6 1,572
svchost.exe 872 UDP DEMO 1183 * * 122 4,470 8 1,707
svchost.exe 872 UDP DEMO 1046 * * 198 7,080 20 4,693
svchost.exe 872 UDP DEMO 1036 * * 177 6,812 40 8,315
svchost.exe 872 UDP DEMO 1035 * * 269 9,925 39 10,607
svchost.exe 820 UDP demo router * *
lsass.exe 440 UDP DEMO isakmp * *
System 4 TCP DEMO microsoft-ds DEMO 0 LISTENING
System 4 UDP DEMO microsoft-ds * *
snmp.exe 1756 UDP DEMO snmp * *
System 4 TCP demo netbios-ssn DEMO 0 LISTENING
System 4 UDP demo netbios-dgm * *
System 4 UDP demo netbios-ns * * 453 22,650 218 10,900
svchost.exe 764 TCP DEMO epmap DEMO 0 LISTENING
svchost.exe 820 UDP demo ntp * *
svchost.exe 820 UDP DEMO ntp * *
tcpsvcs.exe 1736 TCP DEMO chargen DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO chargen * *
tcpsvcs.exe 1736 TCP DEMO qotd DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO qotd * *
tcpsvcs.exe 1736 TCP DEMO daytime DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO daytime * *
tcpsvcs.exe 1736 TCP DEMO discard DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO discard * *
tcpsvcs.exe 1736 TCP DEMO echo DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO echo * *
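
The listing above can be checked mechanically rather than by eye. The script below is an added example written for this page (it is not code that chrk or boopme posted): it parses a subset of the TCPView lines quoted in the post, flags the sockets belonging to optional Windows components that a home workstation normally has no reason to expose (the Simple TCP/IP Services echo, discard, daytime, qotd and chargen served by tcpsvcs.exe, plus SNMP), and sums TCPView's Sent/Rcvd packet and byte counters per process so the two ratios can be compared against the "sent almost equals received" observation. The column order it assumes (Process, PID, Protocol, Local Address, Local Port, Remote Address, Remote Port, State, Sent Packets, Sent Bytes, Rcvd Packets, Rcvd Bytes) and the choice of which service names to flag are this example's own assumptions, not something the post states.

```python
import re
from collections import defaultdict

# A subset of the TCPView lines quoted in the post above (copied from the post,
# not constructed). Column order assumed here is TCPView's:
#   Process PID Proto LocalAddr LocalPort RemoteAddr RemotePort [State]
#   [SentPkts SentBytes RcvdPkts RcvdBytes]
TCPVIEW_LOG = """\
avgemc.exe 1976 TCP DEMO 10110 DEMO 0 LISTENING
[System Process] 0 TCP demo 2579 a5.creativecommons.org http TIME_WAIT
firefox.exe 3388 TCP demo 2576 sin04s02-in-f2.1e100.net http ESTABLISHED 1 1,106 1 376
firefox.exe 3388 TCP demo 2560 sin04s02-in-f23.1e100.net https ESTABLISHED 29 18,490 428 570,136
firefox.exe 3388 TCP demo 2559 sin04s02-in-f17.1e100.net https ESTABLISHED 97 30,786 123 14,100
svchost.exe 872 UDP DEMO 1400 * * 178 6,894 171 42,525
svchost.exe 872 UDP DEMO 1399 * * 376 14,851 363 95,105
svchost.exe 872 UDP DEMO 1279 * * 243 9,607 239 61,640
svchost.exe 872 UDP DEMO 1185 * * 178 6,662 7 2,105
svchost.exe 872 UDP DEMO 1184 * * 15 614 6 1,572
svchost.exe 872 UDP DEMO 1183 * * 122 4,470 8 1,707
svchost.exe 872 UDP DEMO 1046 * * 198 7,080 20 4,693
svchost.exe 872 UDP DEMO 1036 * * 177 6,812 40 8,315
svchost.exe 872 UDP DEMO 1035 * * 269 9,925 39 10,607
System 4 UDP demo netbios-ns * * 453 22,650 218 10,900
svchost.exe 764 TCP DEMO epmap DEMO 0 LISTENING
snmp.exe 1756 UDP DEMO snmp * *
tcpsvcs.exe 1736 TCP DEMO chargen DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO chargen * *
tcpsvcs.exe 1736 TCP DEMO qotd DEMO 0 LISTENING
tcpsvcs.exe 1736 TCP DEMO daytime DEMO 0 LISTENING
tcpsvcs.exe 1736 TCP DEMO discard DEMO 0 LISTENING
tcpsvcs.exe 1736 TCP DEMO echo DEMO 0 LISTENING
tcpsvcs.exe 1736 UDP DEMO echo * *
"""

# Process names may contain spaces when bracketed ("[System Process]").
LINE_RE = re.compile(
    r"^(?P<proc>\[[^\]]*\]|\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+)\s+(?P<lport>\S+)\s+(?P<rhost>\S+)\s+(?P<rport>\S+)(?P<rest>.*)$"
)

# Optional Windows components (Simple TCP/IP Services, SNMP) that a workstation
# normally has no reason to expose; which names to flag is this example's choice.
OPTIONAL_SERVICES = {"echo", "discard", "daytime", "qotd", "chargen", "snmp"}


def parse_tcpview(text):
    """Turn TCPView text export lines into dicts; the comma-formatted counters become ints."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        rest = row.pop("rest").split()
        row["state"] = None
        # TCP rows carry a state token before the counters; UDP rows do not.
        if row["proto"] == "TCP" and rest and not rest[0][0].isdigit():
            row["state"] = rest.pop(0)
        counters = [int(x.replace(",", "")) for x in rest]
        if len(counters) != 4:
            counters = [0, 0, 0, 0]
        row["sent_pkts"], row["sent_bytes"], row["rcvd_pkts"], row["rcvd_bytes"] = counters
        rows.append(row)
    return rows


def exposed_services(rows):
    """Sockets for optional services: TCP in LISTENING, or a UDP socket bound to
    the port (TCPView shows an unconnected UDP socket with remote '*')."""
    hits = []
    for r in rows:
        bound = (r["proto"] == "TCP" and r["state"] == "LISTENING") or (
            r["proto"] == "UDP" and r["rhost"] == "*"
        )
        if bound and r["lport"] in OPTIONAL_SERVICES:
            hits.append((r["proc"], int(r["pid"]), r["proto"], r["lport"]))
    return hits


def traffic_by_process(rows):
    """Sum [sent_pkts, sent_bytes, rcvd_pkts, rcvd_bytes] per (process, pid),
    dropping processes whose rows carry no counters."""
    totals = defaultdict(lambda: [0, 0, 0, 0])
    for r in rows:
        t = totals[(r["proc"], int(r["pid"]))]
        t[0] += r["sent_pkts"]
        t[1] += r["sent_bytes"]
        t[2] += r["rcvd_pkts"]
        t[3] += r["rcvd_bytes"]
    return {k: v for k, v in totals.items() if any(v)}


def ratio_report(rows):
    """(process, pid) -> (sent/rcvd packet ratio, sent/rcvd byte ratio), 2 decimals."""
    return {
        k: (round(sp / rp, 2) if rp else None, round(sb / rb, 2) if rb else None)
        for k, (sp, sb, rp, rb) in traffic_by_process(rows).items()
    }


if __name__ == "__main__":
    parsed = parse_tcpview(TCPVIEW_LOG)
    for hit in exposed_services(parsed):
        print("exposed optional service:", hit)
    for (proc, pid), (pkt_ratio, byte_ratio) in sorted(ratio_report(parsed).items()):
        print(f"{proc} ({pid}): packets sent/rcvd={pkt_ratio}, bytes sent/rcvd={byte_ratio}")
```

On the post's own numbers the svchost.exe (PID 872) UDP sockets have sent and received packet counts within a factor of two of each other while received bytes are about three times sent, and firefox.exe receives roughly ten times the bytes it sends. Near-equal packet counts with lopsided byte totals is the ordinary shape of request/response traffic, so the packet counter by itself does not show inbound traffic being mirrored back out. What the listing does show is tcpsvcs.exe and snmp.exe bound to echo/discard/daytime/qotd/chargen and snmp; both are optional components, and whether anyone installed them deliberately is worth checking in Add/Remove Windows Components.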

#2 boopme


Posted 20 November 2012 - 11:54 AM

Hello, I think we should take a deeper look. Please follow this Preparation Guide and post in a new topic.

Let me know if all went well.
