sent more than received

My dial-up internet connection sends a lot of data out, usually more than I receive when I am surfing or downloading. But even when I am doing nothing, it sends out a lot of data, about 3 KB/sec.

I have Windows 2000 Pro SP4, IE6 SP1, eTrust Antivirus, MS AntiSpyware, Ad-Aware, Spybot, ZoneAlarm Personal, Sygate Personal.

I understand that some programs need to contact their servers to obtain updates, but constantly sending out 3 KB/sec is weird. Any ideas?

I scan the system daily to get rid of spyware. Also, I tried to block outgoing traffic using ZoneAlarm and Sygate. ZoneAlarm doesn't seem to have the option to block only outgoing traffic. Sygate does have the advanced rules, but they didn't seem to work.

Robert

Thanks. I used Sygate and found that c:\winnt\system32\mcafee32.exe is sending out most of the data. I had McAfee on my system. This file is about 74k in size. Anyway, terminating it solves the problem.

There are still a couple of other processes sending out data: Generic Host Process for Win32 Services, and NT Kernel & System. Generic Host Process is constantly sending out about 200-500 bytes. Are those normal?

Robert

Active Ports and Process Explorer may help you.

Duane :)

Duane Arnold

"Robert" wrote in news:1108707254.466480.74880@o13g2000cwo.googlegroups.com:

That's why you use something like Process Explorer to look inside running processes to see what is using the process (other programs). Malware can use svchost.exe (the Generic Host Process program), which is the communicator and provides the communication plumbing for O/S programs to communicate, and for other programs such as malware to communicate out. Svchost.exe is just the messenger, and you should find out what's using the messenger and not kill the messenger. And if svchost.exe is not running out of the winnt\system32 directory, then it's a Trojan. Active Ports can tell you that, and Sygate can be fooled. That's why you go look for yourself and not depend upon Sygate to tell you everything is OK, using it like a crutch.

Duane :)

Duane Arnold

Strange that none of the antivirus or antispyware programs caught this. I had to manually delete it.

Robert

So if svchost.exe is running out of the winnt\system32 dir, is it guaranteed to be good?

By the way, last night when svchost.exe was sending out data, it was running the automatic Windows Update; svchost.exe was uploading, but mostly downloading.

Robert

That isn't part of McAfee AFAIK - all the McAfee files will be in a folder under c:\Program Files. I've checked some PCs I know have McAfee Internet Security and McAfee AV on them, and there is no mcafee32.exe in the windows\system32 folder on them.

A quick dig around on Google pulls up a few pages where c:\windows\system32\mcafee32.exe is identified as part of the Backdoor.Win32.SdBot.lt Trojan - if that's what you have, you really need to get your system cleaned up.

Dan

Spack

How many AVs and PFWs are you running simultaneously? If you have several AVs and several PFWs running at the same time, I would not wonder if you see strange effects. Use one firewall and one anti-virus. More is not always better.

You have to find out what traffic it actually is. Try a command prompt and "netstat" to see active connections. Maybe there are some active. "netstat -o" reports the PIDs for those connections as well (I am not sure if this works on W2K). Check the Windows Task Manager and locate the processes with these PIDs. This should give you pointers to what is active. XP has the "tasklist" command for the command prompt, which does something similar.

One of your PFWs should have the ability to log traffic. This may be a place to look, too.

Active Ports was already mentioned elsewhere.

Just blocking this traffic does not help at all. You have to find out what is happening and solve the cause of the problem. With the number of PFWs and AVs you are running, it could easily be that they are producing this traffic simply with DNS lookups for each other's access...

Gerald

Gerald Vogt

"Robert" wrote in news:1108746769.328599.170520@l41g2000cwc.googlegroups.com:

The svchost.exe, like I said before, is the messenger for the O/S and its programs that need communications. It's not only used by the O/S but by any program that needs a host program to provide the communications link between programs over the Internet, or on a LAN between programs running on two different machines. Svchost.exe is only the plumbing, and it doesn't care if the traffic flows upstream or downstream. It's just the messenger and provides the connection, so a malware program can use svchost.exe just as easily. Svchost.exe doesn't care who uses it. Svchost.exe has many other tasks it must perform for the O/S besides communications; one is always running and cannot be overlaid by malware while it's in use, and multiple copies of svchost.exe do run. That's why a Trojan with the svchost.exe name can be running out of another directory: it's counted on that it's not recognized as one that is not running out of the system32 directory. It would be very hard for malware to replace it in the system32 directory, because it's always in use and the O/S is protecting it running out of the winnt\system32 directory.

Duane :)

On another subject, I passed the 1st of the 4 MCSD for .NET tests, and it was rough, but I did it. ;-)

Duane Arnold
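A worked version of the two checks the thread describes, added here as an example and not code posted by Gerald, Duane or anyone else in the thread: Gerald's procedure of joining `netstat -o` output to process IDs, and Duane's rule that an svchost.exe not running out of winnt\system32 is a look-alike. The script parses constructed samples of `netstat -ano` and `wmic process ... /format:csv` output (the addresses, PIDs, paths and the port-6667 connection are invented for illustration, and the path check is keyed to the Windows 2000 `C:\WINNT` layout), ties each socket to its owning image, and flags established TCP connections to non-web ports plus any svchost.exe outside system32. The `-o` switch was added to netstat in XP, so on Windows 2000 the PID column would have to come from a tool such as Active Ports instead.

```python
"""Attribute sockets to processes and spot svchost.exe look-alikes.

Parses `netstat -ano` and `wmic process get ExecutablePath,Name,ProcessId
/format:csv` output. Both samples below are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed `netstat -ano` output, not captured from any real machine.
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:1043          203.0.113.7:6667       ESTABLISHED     1284
  TCP    10.0.0.5:1050          198.51.100.20:80       ESTABLISHED     904
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  UDP    0.0.0.0:500            *:*                                    628
"""

# Constructed wmic CSV output; wmic lists Node first, then columns alphabetically.
# PID 628 is a deliberately planted svchost.exe outside system32.
WMIC_SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
WS2K,C:\WINNT\system32\svchost.exe,svchost.exe,904
WS2K,C:\WINNT\system32\mcafee32.exe,mcafee32.exe,1284
WS2K,C:\WINNT\system32\svchost.exe,svchost.exe,772
WS2K,C:\WINNT\svchost.exe,svchost.exe,628
"""


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP rows, which have no State column
    pid: int


class Proc(NamedTuple):
    pid: int
    name: str
    path: str


# Proto, local, foreign, optional state (absent for UDP), then the PID column.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Return one Conn per socket row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_wmic_csv(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc using the header row to locate columns by name."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    idx = {name: i for i, name in enumerate(rows[0].split(","))}
    procs = {}
    for row in rows[1:]:
        cols = row.split(",")
        pid = int(cols[idx["ProcessId"]])
        procs[pid] = Proc(pid, cols[idx["Name"]], cols[idx["ExecutablePath"]])
    return procs


def suspicious_svchost(procs: Dict[int, Proc], system32: str = r"C:\WINNT\system32") -> List[Proc]:
    """Duane's rule: any svchost.exe whose image directory is not system32."""
    expected = system32.lower()
    flagged = []
    for p in procs.values():
        if p.name.lower() == "svchost.exe":
            directory = p.path.rsplit("\\", 1)[0].lower()
            if directory != expected:
                flagged.append(p)
    return flagged


def outbound_non_web(conns: List[Conn], procs: Dict[int, Proc],
                     allowed_ports: Tuple[int, ...] = (80, 443)) -> List[Tuple[Conn, Optional[Proc]]]:
    """Established TCP sessions to ports other than the usual web ports, with owner."""
    flagged = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        port = int(c.remote.rsplit(":", 1)[1])
        if port not in allowed_ports:
            flagged.append((c, procs.get(c.pid)))
    return flagged


def report(netstat_text: str, wmic_text: str) -> List[str]:
    """Human-readable findings for both checks."""
    conns, procs = parse_netstat(netstat_text), parse_wmic_csv(wmic_text)
    lines = [f"PID {c.pid} ({p.name if p else 'unknown'}) -> {c.remote}"
             for c, p in outbound_non_web(conns, procs)]
    lines += [f"svchost.exe outside system32: PID {p.pid} at {p.path}"
              for p in suspicious_svchost(procs)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(NETSTAT_SAMPLE, WMIC_SAMPLE)))
```

On a live box the two inputs come from `netstat -ano > net.txt` and `wmic process get ExecutablePath,Name,ProcessId /format:csv > procs.txt`; the port allowlist is deliberately small so that anything unusual surfaces and is then judged by the owning image, which is the point Duane makes about not killing the messenger.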

That is not strange. That is fairly common. No AV and no anti-spyware detects everything. That is impossible. It only works for things it knows already. And there are a lot of viruses out there that have been very well crafted to prevent easy detection/recognition, as well as many that are hardly ever found and that the AV maker never saw before.

Gerald

Gerald Vogt

The only post I've seen with the name of the virus was posted last week, where the file was listed as infected by eScan Antivirus. It's entirely possible (and quite likely) that the other AV vendors haven't provided updates to find this one yet. Looks like it's a new variant.

Dan

Spack
