100 netstat time_wait www.google.com connections

Posted on 2011-09-12
Medium Priority
Last Modified: 2012-05-12
Recently my Windows XP SP3 system started running with the network connection applet showing busy constantly.

netstat -boa shows ~100 connections to www.google.com like this one:

  TCP    COMPUTERNAME:1273    TIME_WAIT       0

But I can't see a Google app running.

Suggestions? Thanks.
Question by:sldiamond
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4

Expert Comment

ID: 36526485
you can try to use "handle" or "TCPview" utility from sysinternals.com to figure which process is doing that. Or wireshark/netmon to see what is being send and received in those sessions

Author Comment

ID: 36526533
Thanks for the response but previously I tried both TCPview and Wireshark and wasn't helped.

TCPview show the process as "[SystemProcess]" and PID=0, just as netstat.

Wireshark produced a bunch of transactions. Here's an example. What specifically do you suggest I look for?

No.     Time        Source                Destination           Protocol Info
      1 0.000000        TCP      vs-server > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
      7 0.020976         TCP      http > vs-server [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1356 SACK_PERM=1 TSV=973689195 TSER=0 WS=6
      8 0.021006        TCP      vs-server > http [ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
      9 0.021090        TCP      vs-server > http [FIN, ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
     11 0.040966         TCP      http > vs-server [FIN, ACK] Seq=1 Ack=2 Win=5696 Len=0 TSV=973689216 TSER=132411
     12 0.040992        TCP      vs-server > http [ACK] Seq=2 Ack=2 Win=128480 Len=0 TSV=132411 TSER=973689216
     13 1.016172        TCP      sysopt > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
LVL 12

Accepted Solution

Sommerblink earned 1500 total points
ID: 36527231
PID 0 is a fake process and incidently runs in Ring 0 (Kernel Mode). If you run Performance Monitor and add the Process monitor for instance _Total: "% Privilaged Time", you will see that the computer actually idles in Kernel Mode.

So, either your network tools are reporting false information or something is up.

What happens if you create a new local account and see if you still see connections running on PID 0. Sometimes programs installed don't run under "all" profiles.

Also, try Safe Mode with Networking and see if you still see it running
Also, what does the output for the command 'route print' say?

At this point I would also recommend removing this PC from the corporate network at this point and assume it is infected and at this point prepare for reimaging. The above would simply be used for fact gathering.

Also, have you tried Autoruns (from Sysinternals) and check to see what is slated for starting up? Make sure that you choose Options/Verify Code Signatures just to make sure something doesn't say Google or Microsoft.
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more


Author Comment

ID: 36527419
Thanks for the suggestions.

I'm not able to create a new local account due to policies.

Here's the output of route print:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x4 ...f0 7b cb 68 40 04 ...... Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
0x5 ...00 26 b9 c9 3f e9 ...... Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
0x6 ...00 26 37 bd 39 42 ...... PdaNet Broadband Adapter - Packet Scheduler Miniport
0x7 ...08 00 27 00 c4 86 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        25        1        25        25        25        20        20        20        20        20        20        20        20        20        25        20        20        20        1               5        1               6        1        1        1        1
Default Gateway:
Persistent Routes:
  None, 222.1 are VMware network adapters. .56.1 is VirtualBox.

In safe mode with networking, netstat shows no connections.

Active Connections

  Proto  Local Address          Foreign Address        State

I ran autorunsc -m -v and recognized almost all of the programs. The only ones that weren't verified were:

   Broadcom Wireless Manager UI
     DW WLAN Card Wireless Network Tray Applet
     (Not verified) Dell Inc.
     5d967f10b86dc88795450932759ded92 (MD5)
     521a960a2a8e769e5aa1450b8f6a2eddba3fc169 (SHA-1)
     599aef23d54b92be4734bba352adb5cad23c9307b2a21aa40e6e50e240674ef7 (SHA-256)

     "DISABLED-wscript.exe" //Nologo "C:\Program Files\SafeBoot\autodomain.vbs"
     File not found: DISABLED-wscript.exe
   Cellhire DataManager
     "C:\Program Files\Cellhire DataManager\chdm.exe" /auto
     Cellhire DataManager
     (Not verified) SoftPerfect Research
     c:\program files\cellhire datamanager\chdm.exe
     a5fdf7ff1666ecb7cd0331cd8610712b (MD5)
     1df47739c2c4f4442d56b5bd0619bed4dbe8698e (SHA-1)
     5f713c505c81c726f4c4634ccd4653892eb3fb5ef51feaa172c31116143ae754 (SHA-256)

   QuickTime Task
     "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     QuickTime Task
     (Not verified) Apple Inc.
     c:\program files\quicktime\qttask.exe
     73430e79d6df4de9055e2a7742b881d3 (MD5)
     57bad288a6ed978346aa99e33189493c7f458a65 (SHA-1)
     ab067341a3b647fd7273fb1146bb9355ae53acbd259fc061df82399a5c185775 (SHA-256)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
   CardMinder Viewer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
     CardMinder Viewer
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\cardminder\cardlauncher.exe
     cdf79ea2250ed216363698b5c734b3e8 (MD5)
     13123c1dbd7a84c3b349e592d8ab79a5691d9c90 (SHA-1)
     7c7153757a88a04e7dbfce58c4d8231fdc5f6beb80ce1e9ab19c592ca06367a7 (SHA-256)
   Cisco Security Agent.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Security Agent.lnk
     Cisco Security Agent component
     (Not verified) Cisco Systems, Inc.
     c:\program files\cisco systems\csagent\bin\okclient.exe
     8fdfa944938e240a6375d639a5733256 (MD5)
     2047f3656da4e54e1d1f8da829f20ae401a9ba99 (SHA-1)
     3f5ca3ec3d7312fb20f7ebae88cb263dd3b0bd86f4a03e3647dcddaccae08fcb (SHA-256)
   Conversion to PDF with ScanSnap Organizer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
     PfuSsOrgOcrChk Application
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\organizer\pfussorgocrchk.exe
     4eb2874907d2be76b644193bff0d4ab7 (MD5)
     ee77de7591f4270a4daa434c99b001d426cce6eb (SHA-1)
     41ccd7c1abed38969d627893dccf6edd41dd37dcbc881c0cdf57d4fea6e4c658 (SHA-256)
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMCSI.lnk
     (Not verified) EMC Corporation
     c29cc30f422ed2abd3fb9cf870d9c739 (MD5)
     25b3b5a35485b337e53d926d337ce80445d8cd2f (SHA-1)
     f75cbe26b249c235b3542b3dd1cec7172d376d9ae833cbc23bfba87f8fc1d940 (SHA-256)
   Evernote Clipper.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
     0c1980a81c3d15a89f32eb8c935d9edd (MD5)
     dcfda6ad191e58f4b99f25cb816ab3f92cdb38f4 (SHA-1)
     6a7891279b8a05b99099b9f97adc66c9cdbd86168d1ad0ad1367e0f7f0ae726b (SHA-256)
   McAfee Security Scan Plus.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee

   ScanSnap Manager.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
     ScanSnap Manager
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\driver\pfussmon.exe
     840b4087805c8d5a7be3d301394429ca (MD5)
     6d8bfa8250d2d14da4fcdd22a7cf14be2c4b6be2 (SHA-1)
     b42bfac0a4af68976d0c570835dbfe52edccf548e0a734626fdc97f07f946949 (SHA-256)
   VPN Client.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

C:\Documents and Settings\diamos1\Start Menu\Programs\Startup
   VPN Client.lnk
     C:\Documents and Settings\diamos1\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

Anything else you want me to try?

Author Comment

ID: 36531000

I'm going to accept your comment as the solution. Here's why. Motivated by your suggestion to create a new local user account, I figured out how to login to the local admin account. In that account, I still saw the 100+ www.google.com TIME_WAIT connections in netstat. That got me thinking.

I looked around and found two "interesting" programs in the boot sequence. Even though I had disabled GadgetTrak tracking, programs from GadgetTrak and Skyhook Wireless were *still* being loaded and run, and--it turns out--causing the multiple www.google.com TIME_WAIT connections that I saw in netstat.

So when I uninstalled (as opposed to disabled) GadgetTrak, the programs noted above were removed from the boot sequence, and the multiple www.google.com TIME_WAIT connections stopped being created.

So, thanks for the suggestion which led to the fix!

Author Closing Comment

ID: 36531005
Thanks for your help. There was no malware, and while you didn't exactly identify the problem, your suggestion to login as a different user led to the solution. Again, thanks!

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question