
Network Security Focus-Virus

Subject: Re: Adware/Spyware (maybe a virus) that limits connectivity for windows network interface
Date: Tue, 02 Nov 2004 11:32:16 -0500
SP2's firewall has some protection to throttle outgoing connections when a
number of failed connection attempts has occurred.  Since many worms scan IP
addresses at random looking for other hosts to infect, you're triggering the
protection and your outbound traffic will get clogged up rather quickly if
you're infected with multiple things.  The point is to prevent infected
hosts from spreading their infections, so when you see this problem there's
a good chance you've picked up something.  I deal with student computers on
a college network and they manage to catch everything out there, and we've
been seeing a great deal of infections lately that are variants of existing
worms that are slow to be picked up by AV vendors.  So as one of the
responses to this message already suggested - try multiple AV programs to
get a "second opinion" - you might find that you caught something during
your install/update process that isn't detected quite yet.

A couple free tools we use to detect this situation when AV doesn't catch it
yet:

ActivePorts: http://www.snapfiles.com/get/activeports.html - this will show
you the connection attempts and their related processes in a really
straightforward way.

Autoruns: http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml - shows
everything that starts up when your computer does, like msconfig but much
more comprehensive.  Something might be starting up you aren't noticing if
you aren't looking hard enough.

One other tip is to take a look at your LSP (layered service provider)
catalog to see all the things that comprise your network stack.  The command
"netsh winsock show catalog" will show you a list of the LSPs on the system,
and "netsh winsock reset catalog" will reset it back to its defaults, just
in case some malware has injected itself in there.

-Anthony

On 11/1/04 12:08 PM, "Dan Denton" <ddenton@PAYLESSOFFICE.com> wrote:

A company that I do consulting for has had 2 machines in the past 2
months that have been infected with adware and spyware whose network
interface shows "Limited or no connectivity". The first was some time
ago, and the only way I could get the machine to talk on the network was
to slick and rebuild it (probably the responsible thing to do anyway).
From what I have read on the internet this means that the computer
cannot connect to its DHCP server. A repair of the interface results in
an error saying that an address couldn't be obtained from the server.
Reinstalling TCP/IP, Repair installs of WinXP, reinstalls of SP2, Virus
and Ad-aware scans do not fix the problem. Dealing with the 2nd machine
this has happened to, I've found a process called wmiprvse.exe that
didn't look familiar, and according to Symantec it could be a sign of
Trojan.Gletta.A or a Gaobot variant, however neither of these was found
by a scan (Symantec or Trend). I'm looking for a course of action other
than nuke/pave. Any suggestions would be greatly appreciated.

Dan Denton
Information Technology Manager, CCNA
Pay-LESS Office Products
402-891-6210 ext 61
ddenton@paylessoffice.com
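The two checks Anthony describes (a process stuck in a pile of half-open outbound connections, and a non-Microsoft module layered into the Winsock catalog) can be made repeatable by saving the tool output from the suspect box and parsing it offline. The script below is an added example written for this page, not code from either poster; it parses text in the layout of `netstat -ano` and `netsh winsock show catalog`. The sample strings are constructed to imitate those layouts, the GUID and DLL name of the flagged entry are placeholders, and the SYN_SENT threshold and the `C:\Windows` install path are assumptions you would adjust for the host.

```python
"""Offline triage for the two symptoms in the thread: a process burning
through outbound connection attempts (worm-style scanning) and a foreign
module layered into the Winsock catalog (LSP injection).
Feed it text saved on the suspect host with
    netstat -ano > netstat.txt   and   netsh winsock show catalog > catalog.txt
The SAMPLE_* strings are constructed for this example, not real captures.
"""
import re
from collections import Counter

# Constructed `netstat -ano` output: PID 1964 is sweeping 10.23.4.0/24 on 445.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1034      192.168.1.1:80         ESTABLISHED     1288
  TCP    192.168.1.20:1201      10.23.4.5:445          SYN_SENT        1964
  TCP    192.168.1.20:1202      10.23.4.6:445          SYN_SENT        1964
  TCP    192.168.1.20:1203      10.23.4.7:445          SYN_SENT        1964
  TCP    192.168.1.20:1204      10.23.4.8:445          SYN_SENT        1964
  TCP    192.168.1.20:1205      10.23.4.9:445          SYN_SENT        1964
  TCP    192.168.1.20:1206      10.23.4.10:445         SYN_SENT        1964
  TCP    192.168.1.20:1207      10.23.4.11:445         SYN_SENT        1964
  TCP    192.168.1.20:1208      10.23.4.12:445         SYN_SENT        1964
  TCP    192.168.1.20:1209      10.23.4.13:445         SYN_SENT        1964
  TCP    192.168.1.20:1210      10.23.4.14:445         SYN_SENT        1964
  TCP    192.168.1.20:1300      64.4.11.42:80          SYN_SENT        1288
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed `netsh winsock show catalog` output: one stock Microsoft
# provider, then a layered provider loaded from outside system32.
# The GUID and DLL name of the second entry are placeholders.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\NetHelper\nethlp.dll
Catalog Entry ID:                   1025
Version:                            2
Protocol Chain Length:              2
"""

SYN_SENT_THRESHOLD = 8  # assumed cut-off; tune to the host's normal workload
# Where the stock XP providers (mswsock.dll, rsvpsp.dll) load from; the
# literal C:\Windows form is an assumption about the install path.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def count_syn_sent(netstat_text):
    """Return {pid: number of TCP sockets sitting in SYN_SENT}."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "SYN_SENT":
            counts[int(f[4])] += 1
    return dict(counts)


def scanning_pids(netstat_text, threshold=SYN_SENT_THRESHOLD):
    """PIDs with at least `threshold` half-open outbound connections."""
    return sorted(p for p, n in count_syn_sent(netstat_text).items() if n >= threshold)


def parse_catalog(catalog_text):
    """Split catalog output into one {field: value} dict per provider entry."""
    entries = []
    for chunk in catalog_text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s+(.+?)\s*$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        entries.append(fields)
    return entries


def suspicious_providers(catalog_text):
    """Catalog entries whose DLL lives outside the Windows system directory."""
    return [e for e in parse_catalog(catalog_text)
            if not e.get("Provider Path", "").lower().startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    print("scanning PIDs:", scanning_pids(SAMPLE_NETSTAT))
    for e in suspicious_providers(SAMPLE_CATALOG):
        print("suspect LSP:", e["Entry Type"], "-", e["Provider Path"])
```

The SYN_SENT count is the thing to map back to a process with ActivePorts or Task Manager; on SP2 the throttle Anthony mentions also leaves Event ID 4226 in the System log, which is a quick way to confirm the limit is being hit. The path check on the catalog is only a heuristic (malware can drop its DLL into system32 as well), so compare the list against Autoruns' Winsock Providers tab and note what was there before running `netsh winsock reset catalog`, since the reset discards the evidence.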
