a possible virus?

[Jianping Hua]

I just notice that the LAN connection indication on systray always has
the upper-right light on, which means it's continuing receiving packets.
My internet connection is obviously slowed down by it. When I donwload
win2000 service packet 4 yesterday, the speed is around 20Kbps.
However if I use another computer in my lab, it's around 1Mbps.
I think there might some virus, but my norton antivirus find nothing,
and my win2000 has all the critical updates.
I'm using a win2000 professional. Besides the slow connection,
my computer seems work fine. I just notice this yesterday, but it
might be so for quite a long time.
Does anyone encounter the similar problem?

Jianping

 

[Chuck]

I just notice that the LAN connection indication on systray always has
the upper-right light on, which means it's continuing receiving packets.
My internet connection is obviously slowed down by it. When I donwload
win2000 service packet 4 yesterday, the speed is around 20Kbps.
However if I use another computer in my lab, it's around 1Mbps.
I think there might some virus, but my norton antivirus find nothing,
and my win2000 has all the critical updates.
I'm using a win2000 professional. Besides the slow connection,
my computer seems work fine. I just notice this yesterday, but it
might be so for quite a long time.
Does anyone encounter the similar problem?

Jianping

Jianping,

Get Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home> to show you what
network connections your computer is actually opening, and what processes are
opening them. And Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager.

Try these free online virus scans, which may complement your NAV (I assume you
keep your NAV sigs up to date?):
<http://www.bitdefender.com/scan/license.php>
<http://www.pandasoftware.com/activescan/com/activescan_principal.htm>
<http://housecall.trendmicro.com/housecall/start_corp.asp>

Now check for, and learn to defend against, additional carriers of infection.

First, download LSP-Fix and WinsockXPFIx from <http://www.cexx.org/lspfix.htm>,
and CWShredder from <http://www.majorgeeks.com/download4086.html>. All are
free.

Next, close all Internet Explorer and Outlook windows, then run CWShredder.
Have it fix all variants.

Now check for, and remove, spyware. Get HijackThis
<http://www.majorgeeks.com/download.php?det=3155> and Spybot S&D
<http://www.safer-networking.org/index.php?page=download>. Both free.
1) Install and run Spybot. First update it ("Search for updates"), then run a
scan ("Check for problems"). Trust Spybot, and make all recommended deletions.
2) Install and run HijackThis. Do NOT make any changes immediately. Save the
HJT Log.
3) Have your HJT log interpreted by experts at one or more of the following
forums (and post it here):
<http://forums.net-integration.net/>
<http://www.spywareinfo.com/forums/>
<http://forums.tomcoyote.org/>
<http://www.wilderssecurity.com/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFIx.

Finally, improve your chances for the future.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>

And Jianping, please don't contribute to the spread of email address mining
viruses. Learn to munge your email address properly, to keep yourself a bit
safer when posting to open forums. Protect yourself and the rest of the
internet - never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[jianping]

Thanks, Chuck.

I've done most you mentioned above. But still, my system is receiving
packets. The Port Explorer find nothing, no data in, no data out.
Spybot show some possible spywares which I delete. Here is what given
by hijackthis

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\winnt\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
http://www.tamiloviam.com/Activex/tdserver.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -
http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
- http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/148637b2dd420697e017/netzip/RdxIE601.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan
Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.5613888889
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player
Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software
XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63
O17 - HKLM\System\CS1\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63
O17 - HKLM\System\CS2\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63

I don't know what's wrong.

Jianping

 

[Chuck]

Thanks, Chuck.

I've done most you mentioned above. But still, my system is receiving
packets. The Port Explorer find nothing, no data in, no data out.
Spybot show some possible spywares which I delete. Here is what given
by hijackthis

Jianping,

That's not a complete HJT Log. I'd bet your running processes list has some
interesting stuff in it.

Doing a brief web search, I found various spyware forums that recommend removal
of these 3 items.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/148637b2dd420697e017/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player
Class) - http://www.live365.com/players/play365.cab

Do you have Napster running? That seems like a good candidate for network
traffic to me.

Post a complete HJT Log, and let's take a look.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[jianping]

Thanks Chuck. I've deleted the three you mentioned. The trafic light
is still on. I don't have napster on. I think this was installed by
the previous owner. Here should be the complete log file.

Jianping

Logfile of HijackThis v1.97.7
Scan saved at 5:01:14 PM, on 5/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\MATLAB6\webserver\bin\win32\matlabserver.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Symantec_Client_Security\Symantec
AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\internat.exe
D:\users\Hua\install\hijackthis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\winnt\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
http://www.tamiloviam.com/Activex/tdserver.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -
http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
- http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan
Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.5613888889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software
XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63
O17 - HKLM\System\CS1\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63
O17 - HKLM\System\CS2\Services\Tcpip\..\{54C6D5A1-3708-43BC-AA6F-6B3BC903191A}:
NameServer = 128.194.178.1,128.194.198.5,165.91.32.63

 

[Chuck]

Thanks Chuck. I've deleted the three you mentioned. The trafic light
is still on. I don't have napster on. I think this was installed by
the previous owner. Here should be the complete log file.

Jianping,

Well, I was wrong. Nothing interesting there.

Let's go back and ask again - what indications do you have that you're infected
with malware?

Did you try any of the free online virus scans?

Port Explorer always shows SOME network traffic. Let's try this.

You have the Local Area Connection Status, and Port Explorer, both of which give
frequently updated counts of network traffic. See my attachment, which is a
picture I made of my desktop.

To get an idea of the magnitude of network traffic which your computer is
supposedly producing, look at 4 figures, which I indicated on my attachment as A
- D.

1) From the icon in the tool tray (the traffic light), right click and select
Status.
2) Start Port Explorer. Arrange the LAN Connection Status wizard (from Step 1)
so you can see it and the Port Explorer display - maybe like I setup my desktop
in the attachment.
3) In Port Explorer, select Remote - this tab shows all connections outside
your LAN, which should be any you have to worry about.
4) Find a process listed in PE where the Sent and / or Received figures ("C"
and "D" respectively) change rapidly. This will, most likely, be the process
causing your problems. In my example, I used Agent:4076. Yours will certainly
be different. It may not even be listed under the Remote tab - you may have to
look elsewhere (and if so, you probably don't have to worry quite as much).
5) Write down figures A, B, C, then D - in that order - and consistently
please. I don't expect you to capture all 4 at the same time - just be as
accurate and consistent as possible. Do this for half an hour or so every 10
minutes. That will give a picture of the volume of traffic being passed. Write
down the Remote Address(es) indicated too.
6) In your next post, include everything you wrote down.

Of course, since this is a used computer, and you're worried about what's really
happening there, I don't think you'd be considered paranoid to simply wipe and
reinstall the OS - you did get a system CD with a license didn't you?

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Jianping Hua]

Chuck:

I can't see the figure you post.

Anyway I checked Port Explorer, there is no rapid changing figures
in Sent and /or Received columns in any process. But there are
continuous changes in LAN connection status. I recorded at three
different time spots

Duration: 21:43:22, Sent/Received: 10,194/2,921,159,
Duration: 21:52:28, Sent/Received: 10,424/2,948,033,
Duration: 22:01:49, Sent/Received: 10,511/2,974,900,

The sent might due to outlook express. You can the the receiving
trafic is huge, around 50 packets per second. However in Port Explorer
there is nothing shown:

0, TCP, Local port: 1593, Remote Address: 165.91.245.124, Remote Port: 632,
TIME_WAIT, Sent: ---, Received: ---, Creation: ---
696, UDP, Local port: 2697, Remote Address: *.*.*.*, Remote Port: *,
LISTENING, Sent: ---, Received: ---, Creation: 16:58 05/05/2004
832, TCP, Local port: 1356, Remote Address: 207.46.156.154, Remote Port: 80,
LISTENING, Sent: 2/357, Received: 7/11873, Creation: 07:43 06/05/2004
832, TCP, Local port: 1359, Remote Address: 207.46.156.154, Remote Port:
443, LISTENING, Sent: 8/4567, Received: 45/425045935, Creation: 07:43
06/05/2004
832, TCP, Local port: 1359, Remote Address: 207.46.249.57, Remote Port: 80,
LISTENING, Sent: 3/440, Received: 10/13231, Creation: 07:43 06/05/2004

There first seems to be a computer nearby, but I don't know which.
The second process should by norton antivirus, keep running every
several seconds. The other three by wuauserv.

Maybe there is nothing wrong. I just feel wierd that your computer
is always receive packets.

Thanks for your help.

Jianping