Posted on 2011-09-12
Last Modified: 2012-05-12
Recently my Windows XP SP3 system started running with the network connection applet showing busy constantly.

netstat -boa shows ~100 connections to www.google.com like this one:

  TCP    COMPUTERNAME:1273    TIME_WAIT       0

But I can't see a Google app running.

Suggestions? Thanks.
Question by: sldiamond
Expert Comment

ID: 36526485
You can try the "handle" or "TCPView" utility from sysinternals.com to figure out which process is doing that, or Wireshark/Netmon to see what is being sent and received in those sessions.

Author Comment

ID: 36526533
Thanks for the response but previously I tried both TCPview and Wireshark and wasn't helped.

TCPView shows the process as "[SystemProcess]" and PID=0, just as netstat does.

Wireshark produced a bunch of transactions. Here's an example. What specifically do you suggest I look for?

No.     Time        Source                Destination           Protocol Info
      1 0.000000        TCP      vs-server > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
      7 0.020976         TCP      http > vs-server [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1356 SACK_PERM=1 TSV=973689195 TSER=0 WS=6
      8 0.021006        TCP      vs-server > http [ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
      9 0.021090        TCP      vs-server > http [FIN, ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
     11 0.040966         TCP      http > vs-server [FIN, ACK] Seq=1 Ack=2 Win=5696 Len=0 TSV=973689216 TSER=132411
     12 0.040992        TCP      vs-server > http [ACK] Seq=2 Ack=2 Win=128480 Len=0 TSV=132411 TSER=973689216
     13 1.016172        TCP      sysopt > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
Accepted Solution

Sommerblink earned 1500 total points
ID: 36527231
PID 0 is a fake process and incidentally runs in Ring 0 (Kernel Mode). If you run Performance Monitor and add the Process counter for the instance _Total: "% Privileged Time", you will see that the computer actually idles in Kernel Mode.

So, either your network tools are reporting false information or something is up.

What happens if you create a new local account? See if you still see connections running on PID 0. Sometimes installed programs don't run under "all" profiles.

Also, try Safe Mode with Networking and see if you still see it running.
Also, what does the output of the command 'route print' say?

At this point I would also recommend removing this PC from the corporate network, assuming it is infected, and preparing for reimaging. The above would simply be used for fact gathering.

Also, have you tried Autoruns (from Sysinternals) and checked to see what is slated for starting up? Make sure that you choose Options/Verify Code Signatures, just to make sure something doesn't merely say Google or Microsoft.
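As an added example (not code from the original thread or from any of the tools mentioned in it), the following Python script is the check I would run for the "[SystemProcess] / PID 0" situation described above: it parses `netstat -ano` output, produces the per-host/state/PID summary the asker saw, and then polls repeatedly so that a socket's owning PID is captured while the socket is still live. It relies on a fact the thread does not state: on Windows a socket in TIME_WAIT has already been closed by its owner, so netstat reports PID 0 for it, and a connection that completes SYN-to-FIN in about 40 ms (as in the Wireshark capture earlier in the thread) is almost never caught with a real PID by a single netstat run. The two sample snapshots, the TEST-NET address 203.0.113.10 and PID 1840 are constructed for the demo.

```python
"""Attribute TIME_WAIT / PID 0 TCP connections to the process that made them.

Added example, not from the original thread. Assumes Windows `netstat -ano`
column layout: Proto, Local Address, Foreign Address, State, PID (UDP rows
have no State column). A TIME_WAIT socket has already been released by its
owner, so netstat shows PID 0; the owner is only visible while the socket is
in SYN_SENT / ESTABLISHED / FIN_WAIT_*. Snapshot often, remember the last
live owner of each (local, foreign) pair, and use it when the pair reappears
as TIME_WAIT.
"""
import subprocess
import sys
import time
from collections import Counter

# Constructed sample output: two consecutive snapshots ~50 ms apart.
# 203.0.113.10 is a TEST-NET address and PID 1840 is made up for the demo.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1273       203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.5:1274       203.0.113.10:80        SYN_SENT        1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:123            *:*                                    1044
"""
SNAPSHOT_2 = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1273       203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.5:1274       203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.5:1275       203.0.113.10:80        ESTABLISHED     1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""


def parse_netstat(text):
    """Return [(local, foreign, state, pid)] for the TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Exactly five fields with a numeric PID: skips headers and UDP rows.
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            rows.append((f[1], f[2], f[3], int(f[4])))
    return rows


def host_of(endpoint):
    """'203.0.113.10:80' -> '203.0.113.10' (rsplit also handles '[::1]:80')."""
    return endpoint.rsplit(":", 1)[0]


def summarize(rows):
    """Counter keyed by (foreign host, state, pid): the view the asker saw,
    e.g. many entries under (www.google.com, TIME_WAIT, 0)."""
    counts = Counter()
    for _local, foreign, state, pid in rows:
        counts[(host_of(foreign), state, pid)] += 1
    return counts


class Attributor:
    """Remember the last live owner of each (local, foreign) socket pair."""

    def __init__(self):
        self.last_owner = {}  # (local, foreign) -> pid seen while not TIME_WAIT

    def observe(self, rows):
        """Feed one snapshot. Returns {(local, foreign): pid} for each TIME_WAIT
        row whose live owner was recorded in an earlier snapshot."""
        attributed = {}
        for local, foreign, state, pid in rows:
            key = (local, foreign)
            if state != "TIME_WAIT" and pid != 0:
                self.last_owner[key] = pid
            elif state == "TIME_WAIT" and key in self.last_owner:
                attributed[key] = self.last_owner[key]
        return attributed


def demo():
    """Run the attributor over the constructed snapshots (offline)."""
    a = Attributor()
    a.observe(parse_netstat(SNAPSHOT_1))  # records 1274 -> 1840 while SYN_SENT
    return a.observe(parse_netstat(SNAPSHOT_2))  # 1274 now TIME_WAIT, owner known


def watch(target_host, seconds=30, interval=0.05):
    """Poll `netstat -ano` on Windows and return Counter{pid: connections}
    for sockets to target_host (numeric, since -n disables name resolution).
    Connections that live ~40 ms need a polling interval this tight."""
    attr, owners, seen = Attributor(), Counter(), set()
    deadline = time.time() + seconds
    while time.time() < deadline:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        for key, pid in attr.observe(parse_netstat(out)).items():
            if key not in seen and host_of(key[1]) == target_host:
                seen.add(key)  # count each socket once, not once per snapshot
                owners[pid] += 1
        time.sleep(interval)
    return owners


if __name__ == "__main__":
    print("offline demo:", demo())
    if sys.platform.startswith("win") and len(sys.argv) > 1:
        print("owners of sockets to", sys.argv[1], watch(sys.argv[1]))
```

On the affected machine run it as `python attribute_timewait.py <ip>` with the numeric address the TIME_WAIT entries point at (`netstat -ano` shows addresses unresolved; a name like www.google.com maps to several IPs, so check which one the entries show first), then resolve the PID with `tasklist /fi "PID eq 1840"` or TCPView. Because the script keys on the ephemeral local port, a PID is only ever attached to a TIME_WAIT entry that was seen live earlier, so a wrong attribution from port reuse is unlikely within one TIME_WAIT period.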
Author Comment

ID: 36527419
Thanks for the suggestions.

I'm not able to create a new local account due to policies.

Here's the output of route print:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x4 ...f0 7b cb 68 40 04 ...... Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
0x5 ...00 26 b9 c9 3f e9 ...... Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
0x6 ...00 26 37 bd 39 42 ...... PdaNet Broadband Adapter - Packet Scheduler Miniport
0x7 ...08 00 27 00 c4 86 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
  [route table garbled in extraction: only the Metric column survived (25, 1, 25, 25, 25, 20, 20, 20, 20, 20, 20, 20, 20, 20, 25, 20, 20, 20, 1, 5, 1, 6, 1, 1, 1, 1)]
Default Gateway:
Persistent Routes:
  None

The 222.1 addresses are VMware network adapters; .56.1 is VirtualBox.

In safe mode with networking, netstat shows no connections.

Active Connections

  Proto  Local Address          Foreign Address        State

I ran autorunsc -m -v and recognized almost all of the programs. The only ones that weren't verified were:

   Broadcom Wireless Manager UI
     DW WLAN Card Wireless Network Tray Applet
     (Not verified) Dell Inc.
     5d967f10b86dc88795450932759ded92 (MD5)
     521a960a2a8e769e5aa1450b8f6a2eddba3fc169 (SHA-1)
     599aef23d54b92be4734bba352adb5cad23c9307b2a21aa40e6e50e240674ef7 (SHA-256)

     "DISABLED-wscript.exe" //Nologo "C:\Program Files\SafeBoot\autodomain.vbs"
     File not found: DISABLED-wscript.exe
   Cellhire DataManager
     "C:\Program Files\Cellhire DataManager\chdm.exe" /auto
     Cellhire DataManager
     (Not verified) SoftPerfect Research
     c:\program files\cellhire datamanager\chdm.exe
     a5fdf7ff1666ecb7cd0331cd8610712b (MD5)
     1df47739c2c4f4442d56b5bd0619bed4dbe8698e (SHA-1)
     5f713c505c81c726f4c4634ccd4653892eb3fb5ef51feaa172c31116143ae754 (SHA-256)

   QuickTime Task
     "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     QuickTime Task
     (Not verified) Apple Inc.
     c:\program files\quicktime\qttask.exe
     73430e79d6df4de9055e2a7742b881d3 (MD5)
     57bad288a6ed978346aa99e33189493c7f458a65 (SHA-1)
     ab067341a3b647fd7273fb1146bb9355ae53acbd259fc061df82399a5c185775 (SHA-256)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
   CardMinder Viewer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
     CardMinder Viewer
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\cardminder\cardlauncher.exe
     cdf79ea2250ed216363698b5c734b3e8 (MD5)
     13123c1dbd7a84c3b349e592d8ab79a5691d9c90 (SHA-1)
     7c7153757a88a04e7dbfce58c4d8231fdc5f6beb80ce1e9ab19c592ca06367a7 (SHA-256)
   Cisco Security Agent.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Security Agent.lnk
     Cisco Security Agent component
     (Not verified) Cisco Systems, Inc.
     c:\program files\cisco systems\csagent\bin\okclient.exe
     8fdfa944938e240a6375d639a5733256 (MD5)
     2047f3656da4e54e1d1f8da829f20ae401a9ba99 (SHA-1)
     3f5ca3ec3d7312fb20f7ebae88cb263dd3b0bd86f4a03e3647dcddaccae08fcb (SHA-256)
   Conversion to PDF with ScanSnap Organizer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
     PfuSsOrgOcrChk Application
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\organizer\pfussorgocrchk.exe
     4eb2874907d2be76b644193bff0d4ab7 (MD5)
     ee77de7591f4270a4daa434c99b001d426cce6eb (SHA-1)
     41ccd7c1abed38969d627893dccf6edd41dd37dcbc881c0cdf57d4fea6e4c658 (SHA-256)
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMCSI.lnk
     (Not verified) EMC Corporation
     c29cc30f422ed2abd3fb9cf870d9c739 (MD5)
     25b3b5a35485b337e53d926d337ce80445d8cd2f (SHA-1)
     f75cbe26b249c235b3542b3dd1cec7172d376d9ae833cbc23bfba87f8fc1d940 (SHA-256)
   Evernote Clipper.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
     0c1980a81c3d15a89f32eb8c935d9edd (MD5)
     dcfda6ad191e58f4b99f25cb816ab3f92cdb38f4 (SHA-1)
     6a7891279b8a05b99099b9f97adc66c9cdbd86168d1ad0ad1367e0f7f0ae726b (SHA-256)
   McAfee Security Scan Plus.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee

   ScanSnap Manager.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
     ScanSnap Manager
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\driver\pfussmon.exe
     840b4087805c8d5a7be3d301394429ca (MD5)
     6d8bfa8250d2d14da4fcdd22a7cf14be2c4b6be2 (SHA-1)
     b42bfac0a4af68976d0c570835dbfe52edccf548e0a734626fdc97f07f946949 (SHA-256)
   VPN Client.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

C:\Documents and Settings\diamos1\Start Menu\Programs\Startup
   VPN Client.lnk
     C:\Documents and Settings\diamos1\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

Anything else you want me to try?

Author Comment

ID: 36531000

I'm going to accept your comment as the solution. Here's why. Motivated by your suggestion to create a new local user account, I figured out how to login to the local admin account. In that account, I still saw the 100+ www.google.com TIME_WAIT connections in netstat. That got me thinking.

I looked around and found two "interesting" programs in the boot sequence. Even though I had disabled GadgetTrak tracking, programs from GadgetTrak and Skyhook Wireless were *still* being loaded and run, and--it turns out--causing the multiple www.google.com TIME_WAIT connections that I saw in netstat.

So when I uninstalled (as opposed to disabled) GadgetTrak, the programs noted above were removed from the boot sequence, and the multiple www.google.com TIME_WAIT connections stopped being created.

So, thanks for the suggestion which led to the fix!

Author Closing Comment

ID: 36531005
Thanks for your help. There was no malware, and while you didn't exactly identify the problem, your suggestion to login as a different user led to the solution. Again, thanks!

