Is this virus or spyware or normal behavior??

Status
Not open for further replies.

eminemence

Journeyman
When I connect through my Win2k machine on a dial-up to the net,
the amount of data sent is considerably higher than what is received.
Like if I am normally surfing the net then the amount of bytes sent should be less than what is received.
But I am not able to judge if this is normal or not:
I did a netstat and this is the result
******************************************************
G:\WINNT>netstat

Active Connections

Proto Local Address Foreign Address State
TCP zion-nh2rln46t0:1041 72.9.239.226:5005 ESTABLISHED
TCP zion-nh2rln46t0:3995 PPP-219.65.121.212.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:3997 PPP-219.65.121.213.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:3999 PPP-219.65.121.214.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4001 PPP-219.65.121.215.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4003 PPP-219.65.121.216.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4005 PPP-219.65.121.217.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4007 PPP-219.65.121.218.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4009 PPP-219.65.121.219.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4011 PPP-219.65.121.220.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4013 PPP-219.65.121.221.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4015 PPP-219.65.121.222.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4017 PPP-219.65.121.223.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4019 PPP-219.65.121.224.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4021 PPP-219.65.121.225.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4023 PPP-219.65.121.226.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4025 PPP-219.65.121.227.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4027 PPP-219.65.121.228.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4029 PPP-219.65.121.229.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4031 PPP-219.65.121.230.chn.dialup.vsnl.net.in:epmap SYN_SENT
TCP zion-nh2rln46t0:4033 PPP-219.65.121.231.chn.dialup.vsnl.net.in:epmap SYN_SENT
***********************************************
Can some networking guru decipher this and tell me what is happening?
Can this be caused by some spyware?
Also I have recently upgraded to SP4 so the svchost.exe thing should be
fixed.
Thanks.
--eminemence.
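As an added defender-side illustration (not part of the thread), here is a small script that parses netstat output and flags the footprint visible in the listing above: many half-open SYN_SENT connections to one destination port across a run of distinct foreign hosts, which is what an outbound worm scan looks like, whereas ordinary browsing leaves a handful of ESTABLISHED entries. The sample input is constructed with placeholder host names and documentation addresses, not the poster's real values.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat listing in the post above.
# Host names and addresses are placeholders, not the poster's real values.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    host:1041              203.0.113.10:5005      ESTABLISHED
  TCP    host:3995              198.51.100.12:epmap    SYN_SENT
  TCP    host:3997              198.51.100.13:epmap    SYN_SENT
  TCP    host:3999              198.51.100.14:epmap    SYN_SENT
  TCP    host:4001              198.51.100.15:epmap    SYN_SENT
  TCP    host:4003              198.51.100.16:epmap    SYN_SENT
  TCP    host:4005              198.51.100.17:epmap    SYN_SENT
"""

# One netstat row: proto, local host:port, foreign host:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_port, foreign_host, foreign_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _lhost, lport, fhost, fport, state = m.groups()
            rows.append((proto, lport, fhost, fport, state))
    return rows


def find_outbound_scans(rows, min_hosts=5):
    """Map destination port -> sorted foreign hosts for every port that has
    SYN_SENT (half-open, outbound) connections to at least min_hosts distinct hosts.
    A worm probing neighbouring addresses leaves exactly this pattern."""
    targets = defaultdict(set)
    for proto, _lport, fhost, fport, state in rows:
        if proto == "TCP" and state == "SYN_SENT":
            targets[fport].add(fhost)
    return {port: sorted(hosts) for port, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for port, hosts in find_outbound_scans(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"possible outbound scan: port {port}, {len(hosts)} hosts in SYN_SENT")
```

On a live machine, feed it the output of `netstat -ano` instead, so the flagged rows also carry the PID of the process that opened them.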
 

eminemence

Journeyman
Okay, found it was infected by this worm.
Here are the worm details with removal instructions:
securityresponse.symantec.com/avcenter/venc/data/w32.francette.worm.html
I found it by just checking the other I/O writes in the Task Manager,
which showed up syshost.exe.
I have just renamed the file and removed the registry entry
and everything is fine.
Bye.
--eminemence.
 

digen

Youngling
Good job there pinpointing & solving the problem.
But just a few questions & suggestions from my side.
1. Do you have a firewall in place? If not then it's better to get one & protect your host.
2. Just to make sure, could you copy-paste the output of the command
Code:
c:\>netstat -ano
from the prompt.

You may also consider disabling the DCOM service from services.msc & blocking port 135.
Note: Disabling DCOM may have an effect on some programs that depend on it.

Here is quite a lot of info to help you understand the particular service: DCOM & Port 135
 