Network Attacks may appear to be Virus/Malware

I am writing this to document my discovery of virus/malware activity on my computer and how I detected the source of the problem.

I am using a cable network service in Karachi, on a Core 2 Duo 2 GHz system with 1 GB RAM running Windows XP SP3 (32-bit).

It started a couple of days ago, when I noticed that Windows' Generic File Host (svchost.exe) started failing, following which all internet activity would fail, including trying to enable/disable LAN connections. I am very cautious security-wise but at the same time don't want unnecessary burden on my machine, so I didn't have any antivirus and only used a free firewall program (Ashampoo Firewall) to monitor incoming/outgoing activity. I downloaded Avast free antivirus and it caught a couple of DLLs/EXEs and deleted the virus. The OS started working normally again. Then a similar chain of events took place: internet activity died, as well as any network activity, even the sound! I immediately checked the running services and found that most of the services that should be running (or set to "Automatic") were stopped. This included the "Windows Firewall/Internet Connection Sharing" service. Something was stopping these services and I had no idea what.

Avast started finding a virus in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5" and in "C:\Windows\system". The files were called "x.exe" or sometimes "x[1]", as well as randomly generated filenames with extensions of jpg, png or bmp.

After a lot of scanning and a lot of googling around I found nothing, so I formed a theory that the problem was the failure of my firewall to stop attacks from outside. As soon as Windows Firewall stops working, Ashampoo Firewall stops monitoring internet activity as well; I guess that it relies on Microsoft's internal firewall for its functionality and is not self-sufficient.

To check my theory I connected using my Wi-Fi router, which also has a built-in firewall. It worked! No viruses, no failed services, and everything went smoothly.

Finally I got another firewall program (ZA) and connected through my laptop's internal card as before and was notified of constant attacks from different IPs from my network. ZA was able to stop these attacks and it is now possible for me to continue my work even without a hardware firewall.

Check for network attacks by getting a good firewall as well as a good antivirus program to take care of the incoming trojans/malware/virus etc.

These are the symptoms to look for:

-No active virus found in your system.

-Network activity stops (browser timeouts, downloads stop, etc.)

-Essential XP services are in a stopped state after a couple of minutes of internet connectivity (check using "services.msc" in Run)

-Audio stops working (because the "Windows Audio" service has stopped)

-Antivirus keeps finding malicious files in the same or a slightly different location on a regular basis (this is the result of the network intrusions).

What I learned:

-Avoid Ashampoo Firewall.

-Hardware firewall or a router with firewall is a good investment.

-This is a Windows XP-only security flaw (http://bit.ly/ysSvKJ), so users of other versions of Windows are probably safe.

I do not keep up with Windows updates and don't know how to search MS support for a particular patch that addresses this problem. If anyone knows about it, please do let me know.

Hope this will help someone someday.
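The "essential services stopped" symptom from the list above can be checked from two service listings taken a few minutes apart. The following is an added example, not part of the original post: it assumes each listing was captured with `wmic service get Name,StartMode,State /format:csv`, the sample rows and the host name `XPBOX` are constructed, and the threshold of three services is an arbitrary assumption.

```python
import csv

# Constructed sample snapshots (not real captures), in the CSV shape assumed
# for: wmic service get Name,StartMode,State /format:csv
BEFORE = """
Node,Name,StartMode,State
XPBOX,AudioSrv,Auto,Running
XPBOX,SharedAccess,Auto,Running
XPBOX,Dhcp,Auto,Running
XPBOX,Dnscache,Auto,Running
XPBOX,Messenger,Disabled,Stopped
"""
AFTER = """
Node,Name,StartMode,State
XPBOX,AudioSrv,Auto,Stopped
XPBOX,SharedAccess,Auto,Stopped
XPBOX,Dhcp,Auto,Stopped
XPBOX,Dnscache,Auto,Running
XPBOX,Messenger,Disabled,Stopped
"""

def parse_snapshot(text):
    """Return {service name: (start mode, state)} from one CSV listing."""
    # The listing is padded with blank lines; drop them before parsing.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return {r["Name"]: (r["StartMode"], r["State"]) for r in csv.DictReader(lines)}

def newly_stopped(before, after):
    """Auto-start services that were Running before and are not Running now."""
    return sorted(
        name for name, (mode, state) in after.items()
        if mode == "Auto" and state != "Running"
        and before.get(name, ("", ""))[1] == "Running"
    )

def assess(before_text, after_text, threshold=3):
    """Flag a 'mass stop': several auto-start services dying between snapshots."""
    dropped = newly_stopped(parse_snapshot(before_text), parse_snapshot(after_text))
    return {"newly_stopped": dropped, "mass_stop": len(dropped) >= threshold}

if __name__ == "__main__":
    result = assess(BEFORE, AFTER)
    print("Stopped since last snapshot:", ", ".join(result["newly_stopped"]))
    if result["mass_stop"]:
        print("Several auto-start services stopped together; check the firewall log.")
```

`SharedAccess` and `AudioSrv` are the XP service names behind "Windows Firewall/Internet Connection Sharing" and "Windows Audio", the two services named in the post.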

ZoneAlarm is quite good. It was my go-to firewall before I moved over to a router-based firewall. It takes the firewall's resource load off my PC/laptop to the dedicated router.