exorbitant amount of packets being sent and other anomalies...

Discussion in 'Networking and Computer Security' started by TheBlatt, Feb 1, 2006.

  1. TheBlatt

    TheBlatt Geek Trainee

    I have been monitoring my LAN connection to a router with a DSL connection for the past few days, since I've noticed my internet browsing experience is getting more and more lousy. I have to continually press F5 to refresh the browser in order for most pages to fully load or load at all, and this is becoming a nuisance. In regards to the packets being sent out, as reported from the Network Connections properties window, they are usually being reported in the range between 30,000,000,000,000 and over 100,000,000,000,000 (not a typo) while my packets received is in the 500,000 to 900,000 range. I've done spyware and virus sweeps and nothing has come up. Any suggestions to improve the situation are greatly appreciated.
     
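The Network Connections properties window shows cumulative packet totals since the adapter came up, so what actually tells you whether a host is flooding is the per-second rate and the sent:received ratio over a known interval. The script below, an added example and not anything the thread's participants ran, takes two `netstat -e` snapshots (the Windows interface-statistics view) a fixed interval apart, turns the totals into packets per second, and flags the kind of asymmetry described in the post. The two snapshots embedded in it are constructed sample text, the `--live` mode assumes the `netstat -e` column layout shown in those samples, and the 10:1 flagging ratio is an assumption.

```python
"""Turn two `netstat -e` snapshots into packets-per-second and flag send/receive asymmetry.

Added example for this thread, not code any poster ran. Assumes the Windows
`netstat -e` layout (rows such as "Unicast packets" with a Received column and
a Sent column). SNAPSHOT_T0 / SNAPSHOT_T10 are constructed sample text, 10 s
apart, shaped to resemble the asymmetry the original post describes.
"""
import re
import subprocess
import sys
import time

SNAPSHOT_T0 = """\
Interface Statistics

                           Received            Sent

Bytes                    1234567890       987654321
Unicast packets             1500000        52000000
Non-unicast packets           12000            3000
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
"""

SNAPSHOT_T10 = """\
Interface Statistics

                           Received            Sent

Bytes                    1234999890      1187654321
Unicast packets             1500600        57000000
Non-unicast packets           12010            3000
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
"""

# A counter row: name, 2+ spaces, Received, optional Sent ("Unknown protocols" has none).
ROW_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*?)\s{2,}(?P<recv>\d+)(?:\s+(?P<sent>\d+))?$")


def parse_netstat_e(text):
    """Return {row name: (received, sent)} from `netstat -e` output."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sent = int(m.group("sent")) if m.group("sent") else 0
            counters[m.group("name")] = (int(m.group("recv")), sent)
    return counters


def rates(before, after, seconds):
    """Per-second (received, sent) deltas per row; None marks a counter that went backwards (reset or wrap)."""
    table = {}
    for name, (r0, s0) in before.items():
        r1, s1 = after.get(name, (r0, s0))
        dr, ds = r1 - r0, s1 - s0
        table[name] = (None if dr < 0 else dr / seconds, None if ds < 0 else ds / seconds)
    return table


def asymmetry_flag(table, row="Unicast packets", ratio=10.0):
    """(flagged, sent_pps, recv_pps): flagged when the host sends `ratio` times more packets than it receives.
    A web-browsing workstation normally receives more than it sends; the reverse suggests it is the source
    of traffic (flooding, spamming, scanning) rather than a consumer of it. The ratio is an assumption."""
    recv_pps, sent_pps = table[row]
    if recv_pps is None or sent_pps is None:
        return (False, sent_pps, recv_pps)
    return (sent_pps > ratio * max(recv_pps, 1.0), sent_pps, recv_pps)


def live_snapshot():
    """Run `netstat -e` on the local Windows host (assumes it is on PATH)."""
    out = subprocess.run(["netstat", "-e"], capture_output=True, text=True, check=True).stdout
    return parse_netstat_e(out)


if __name__ == "__main__":
    interval = 10
    if "--live" in sys.argv and sys.platform == "win32":
        before = live_snapshot()
        time.sleep(interval)
        after = live_snapshot()
    else:  # offline demo on the constructed snapshots
        before, after = parse_netstat_e(SNAPSHOT_T0), parse_netstat_e(SNAPSHOT_T10)
    table = rates(before, after, interval)
    for name, (recv, sent) in table.items():
        print(f"{name:20s} recv/s={recv!s:>12} sent/s={sent!s:>12}")
    flagged, sent, recv = asymmetry_flag(table)
    print("ASYMMETRY" if flagged else "ok", f"sent={sent}/s recv={recv}/s")
```

Run it with no arguments to see the constructed case (60 packets/s in, 500,000 packets/s out, flagged), or with `--live` on a Windows box to sample the real adapter. A DSL uplink cannot move tens of trillions of packets in a few days, so a sustained per-second rate measured between two snapshots is a more trustworthy number than a cumulative total read off the properties window; if the rate is modest, the counter itself is the anomaly, and if the rate is high, the next question is which process owns the sockets.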
  2. Addis

    Addis The King

    Wow, that is unusual. What OS are you using?

    Try looking at the processes in the task manager and see if there's anything not vital or suspicious there.
     
  3. pelvis_3

    pelvis_3 HWF Member For Life

    You can also open Command Prompt and type netstat -a and see if there are any unusual connection attempts there.
     
  4. Anti-Trend

    Anti-Trend Nonconformist Geek

    My guess would be a trojan or rootkit infection. Likely, your system is no longer fully under your control, but is being used as a tool or a weapon by someone else. The best scenario for you is probably to back up any critical data you might have (data, pictures, maybe music, not programs) and reformat the system. If you are using an operating system prior to Windows XP, the OS will not have a firewall running out-of-the-box. In that case, do not connect your system to the internet until you have either installed a software firewall such as Sygate PF, or better yet placed a hardware router between your local network and your broadband modem.

    All the best,
    -AT
     
  5. TheBlatt

    TheBlatt Geek Trainee

    Thanks for the responses... I'm running XP Pro SP2.

    I'm guessing that when I run netstat -a I'm looking for connections that aren't local, correct?
     
  6. Anti-Trend

    Anti-Trend Nonconformist Geek

    Actually, in the case of a rootkit, local connections might be re-routed, so even they may be pertinent. Could you post the results of your netstat -a? That might help us troubleshoot.
     
  7. TheBlatt

    TheBlatt Geek Trainee

  8. Anti-Trend

    Anti-Trend Nonconformist Geek

    Nothing stands out to me from your netstat, but the more interesting information might be in which programs are responsible for the connections. Try running the command:
    Code:
    netstat -ab
    This time, and please post the results as text if possible (think of the dialup people! ;))
     
  9. TheBlatt

    TheBlatt Geek Trainee

    Code:
    Active Connections

    Proto Local Address Foreign Address State PID
    TCP james:epmap james:0 LISTENING 956
    c:\windows\system32\WS2_32.dll
    C:\WINDOWS\system32\RPCRT4.dll
    c:\windows\system32\rpcss.dll
    C:\WINDOWS\system32\svchost.exe
    -- unknown component(s) --
    [svchost.exe]

    TCP james:microsoft-ds james:0 LISTENING 4
    [System]

    TCP james:3476 james:0 LISTENING 1032
    [apache.exe]

    TCP james:1031 james:0 LISTENING 3612
    [alg.exe]

    TCP james:3476 james:0 LISTENING 1032
    [apache.exe]

    TCP james:10110 james:0 LISTENING 1840
    [avgemc.exe]

    TCP james:netbios-ssn james:0 LISTENING 4
    [System]

    UDP james:4621 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:1217 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:microsoft-ds *:* 4
    [System]

    UDP james:isakmp *:* 728
    [lsass.exe]

    UDP james:4622 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:4409 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:1480 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:4500 *:* 728
    [lsass.exe]

    UDP james:1069 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:1037 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:4387 *:* 1096
    C:\WINDOWS\system32\mswsock.dll
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\DNSAPI.dll
    c:\windows\system32\dnsrslvr.dll
    C:\WINDOWS\system32\RPCRT4.dll
    [svchost.exe]

    UDP james:1900 *:* 1144
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\ssdpsrv.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP james:ntp *:* 1052
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP james:3174 *:* 780
    [Maxthon.exe]

    UDP james:1900 *:* 1144
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\ssdpsrv.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP james:ntp *:* 1052
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP james:netbios-dgm *:* 4
    [System]

    UDP james:netbios-ns *:* 4
    [System]
     
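The reply above asks for `netstat -ab` because the interesting data is which image owns each socket. As an added example, not code from the thread, the script below parses output in the XP `-ab` format just posted into one record per socket (protocol, addresses, state, PID, the loaded modules, the owning image in brackets) and then does the triage an analyst would do by hand: list listeners per image, flag images not on an assumed baseline of default XP SP2 listeners, flag ESTABLISHED connections to a host other than the machine itself, and flag module paths loaded from outside \windows\system32. The sample text is constructed: its first records mirror the shape of the posted output, while the ESTABLISHED record (updater.exe, PID 2288, peer 203.0.113.7) and its temp-directory module path are invented to show how those findings would surface. BASELINE is an assumption, not an authoritative list.

```python
"""Parse Windows XP `netstat -ab` output and triage which image owns each socket.

Added example, not code from the thread. SAMPLE is constructed: the first
records copy the shape of the output posted above, and the ESTABLISHED record
(updater.exe, PID 2288, peer 203.0.113.7) is invented to show how an outbound
connection would surface. BASELINE is an assumed set of images expected to
listen on a default XP SP2 install.
"""
import re

SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    james:epmap            james:0                LISTENING       956
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    james:3476             james:0                LISTENING       1032
  [apache.exe]

  TCP    james:1054             203.0.113.7:6667       ESTABLISHED     2288
  c:\documents and settings\james\local settings\temp\updater.exe
  [updater.exe]

  UDP    james:ntp              *:*                                    1052
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
"""

# Socket header line: proto, local, foreign, optional state (UDP has none), PID.
HEADER_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")

# Assumed default XP SP2 listeners (epmap/microsoft-ds/netbios, ALG, IPsec/ISAKMP, DNS cache, SSDP, NTP).
BASELINE = {"System", "svchost.exe", "lsass.exe", "alg.exe"}
SYSTEM_DIR = "\\windows\\system32\\"


def parse_netstat_ab(text):
    """Return a list of socket records; module lines and the [image] line attach to the preceding header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid), "modules": [], "image": None}
            records.append(current)
        elif current is None or not line or line.startswith(("Active", "Proto")):
            continue
        elif line.startswith("[") and line.endswith("]"):
            current["image"] = line[1:-1]
        else:
            current["modules"].append(line)
    return records


def split_host_port(addr):
    host, _, port = addr.rpartition(":")
    return host, port


def is_remote(addr, local_host):
    """True when the peer is something other than this host, the wildcard, or loopback."""
    host, _ = split_host_port(addr)
    return host not in ("", "*", local_host, "localhost") and not host.startswith("127.")


def triage(records, baseline=BASELINE):
    """Findings as (kind, pid, image, detail) tuples for an analyst to verify one by one."""
    findings = []
    for r in records:
        local_host, _ = split_host_port(r["local"])
        if r["image"] not in baseline:
            findings.append(("unexpected_image", r["pid"], r["image"], r["local"]))
        if r["state"] == "ESTABLISHED" and is_remote(r["remote"], local_host):
            findings.append(("outbound", r["pid"], r["image"], r["remote"]))
        for mod in r["modules"]:
            if "\\" in mod and SYSTEM_DIR not in mod.lower():
                findings.append(("module_outside_system32", r["pid"], r["image"], mod))
    return findings


def listeners_by_image(records):
    """{image: sorted 'PROTO/port' list} for every TCP listener and UDP endpoint."""
    ports = {}
    for r in records:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            _, port = split_host_port(r["local"])
            ports.setdefault(r["image"], set()).add(f"{r['proto']}/{port}")
    return {img: sorted(p) for img, p in ports.items()}


if __name__ == "__main__":
    recs = parse_netstat_ab(SAMPLE)
    for img, ports in listeners_by_image(recs).items():
        print(f"{img:14s} {' '.join(ports)}")
    for finding in triage(recs):
        print("FINDING", *finding)
```

On the constructed sample this reports apache.exe as an image outside the baseline (true of the posted output too, and legitimate if the user installed Apache) and, for the invented record, an ESTABLISHED connection to an outside address from a process running out of a temp directory, which is the pattern worth chasing before reformatting. The posted output itself contains only LISTENING sockets and UDP endpoints with no remote peer, which is why nothing stood out. Two caveats: the image names `-b` prints come from the same kernel a rootkit would be subverting, so a clean list proves the user-mode view is clean, not the machine (the point about re-routed local connections earlier in the thread); and a process name alone is not identity, so any image flagged here should be checked by path and PID in Task Manager rather than by name.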
  10. Anti-Trend

    Anti-Trend Nonconformist Geek

    Hmm, nothing particularly jumps out at me but that doesn't mean it's not a rootkit or even a severe spyware infection. Try running a thorough scan over at Housecall, see if you can find anything that way.
     
  11. TheBlatt

    TheBlatt Geek Trainee

    Well, I've been poking around for the past week, did the Housecall scan... nothing. Ad-Aware... scanned and cleaned, problem persists. Rootkit cleaner... scanned, nothing found. I'd really rather not have to go through the hassle of reformatting, but unless I can figure a way to fix this, it looks like that's my only option.
     
  12. Anti-Trend

    Anti-Trend Nonconformist Geek

    From what you're describing, it sounds like you may have one of the stealthier forms of rootkits. You haven't, by chance, played a Sony or BMG labeled CD in your PC before have you? :confused:
     
  13. TheBlatt

    TheBlatt Geek Trainee

    None that I know of. :( I wish I could at least know what the cause is. That's what bugs me the most. I can always reformat, I just want to know why this is happening. Curiosity is getting the best of me.
     
