[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


100 netstat time_wait www.google.com connections

Posted on 2011-09-12
Medium Priority
Last Modified: 2012-05-12
Recently my Windows XP SP3 system started running with the network connection applet showing busy constantly.

netstat -boa shows ~100 connections to www.google.com like this one:

  TCP    COMPUTERNAME:1273    TIME_WAIT       0

But I can't see a Google app running.

Suggestions? Thanks.
Question by:sldiamond
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4

Expert Comment

ID: 36526485
you can try to use "handle" or "TCPview" utility from sysinternals.com to figure which process is doing that. Or wireshark/netmon to see what is being send and received in those sessions

Author Comment

ID: 36526533
Thanks for the response but previously I tried both TCPview and Wireshark and wasn't helped.

TCPview show the process as "[SystemProcess]" and PID=0, just as netstat.

Wireshark produced a bunch of transactions. Here's an example. What specifically do you suggest I look for?

No.     Time        Source                Destination           Protocol Info
      1 0.000000        TCP      vs-server > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
      7 0.020976         TCP      http > vs-server [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1356 SACK_PERM=1 TSV=973689195 TSER=0 WS=6
      8 0.021006        TCP      vs-server > http [ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
      9 0.021090        TCP      vs-server > http [FIN, ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
     11 0.040966         TCP      http > vs-server [FIN, ACK] Seq=1 Ack=2 Win=5696 Len=0 TSV=973689216 TSER=132411
     12 0.040992        TCP      vs-server > http [ACK] Seq=2 Ack=2 Win=128480 Len=0 TSV=132411 TSER=973689216
     13 1.016172        TCP      sysopt > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
LVL 12

Accepted Solution

Sommerblink earned 1500 total points
ID: 36527231
PID 0 is a fake process and incidently runs in Ring 0 (Kernel Mode). If you run Performance Monitor and add the Process monitor for instance _Total: "% Privilaged Time", you will see that the computer actually idles in Kernel Mode.

So, either your network tools are reporting false information or something is up.

What happens if you create a new local account and see if you still see connections running on PID 0. Sometimes programs installed don't run under "all" profiles.

Also, try Safe Mode with Networking and see if you still see it running
Also, what does the output for the command 'route print' say?

At this point I would also recommend removing this PC from the corporate network at this point and assume it is infected and at this point prepare for reimaging. The above would simply be used for fact gathering.

Also, have you tried Autoruns (from Sysinternals) and check to see what is slated for starting up? Make sure that you choose Options/Verify Code Signatures just to make sure something doesn't say Google or Microsoft.
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.


Author Comment

ID: 36527419
Thanks for the suggestions.

I'm not able to create a new local account due to policies.

Here's the output of route print:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x4 ...f0 7b cb 68 40 04 ...... Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
0x5 ...00 26 b9 c9 3f e9 ...... Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
0x6 ...00 26 37 bd 39 42 ...... PdaNet Broadband Adapter - Packet Scheduler Miniport
0x7 ...08 00 27 00 c4 86 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        25        1        25        25        25        20        20        20        20        20        20        20        20        20        25        20        20        20        1               5        1               6        1        1        1        1
Default Gateway:
Persistent Routes:
  None, 222.1 are VMware network adapters. .56.1 is VirtualBox.

In safe mode with networking, netstat shows no connections.

Active Connections

  Proto  Local Address          Foreign Address        State

I ran autorunsc -m -v and recognized almost all of the programs. The only ones that weren't verified were:

   Broadcom Wireless Manager UI
     DW WLAN Card Wireless Network Tray Applet
     (Not verified) Dell Inc.
     5d967f10b86dc88795450932759ded92 (MD5)
     521a960a2a8e769e5aa1450b8f6a2eddba3fc169 (SHA-1)
     599aef23d54b92be4734bba352adb5cad23c9307b2a21aa40e6e50e240674ef7 (SHA-256)

     "DISABLED-wscript.exe" //Nologo "C:\Program Files\SafeBoot\autodomain.vbs"
     File not found: DISABLED-wscript.exe
   Cellhire DataManager
     "C:\Program Files\Cellhire DataManager\chdm.exe" /auto
     Cellhire DataManager
     (Not verified) SoftPerfect Research
     c:\program files\cellhire datamanager\chdm.exe
     a5fdf7ff1666ecb7cd0331cd8610712b (MD5)
     1df47739c2c4f4442d56b5bd0619bed4dbe8698e (SHA-1)
     5f713c505c81c726f4c4634ccd4653892eb3fb5ef51feaa172c31116143ae754 (SHA-256)

   QuickTime Task
     "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     QuickTime Task
     (Not verified) Apple Inc.
     c:\program files\quicktime\qttask.exe
     73430e79d6df4de9055e2a7742b881d3 (MD5)
     57bad288a6ed978346aa99e33189493c7f458a65 (SHA-1)
     ab067341a3b647fd7273fb1146bb9355ae53acbd259fc061df82399a5c185775 (SHA-256)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
   CardMinder Viewer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
     CardMinder Viewer
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\cardminder\cardlauncher.exe
     cdf79ea2250ed216363698b5c734b3e8 (MD5)
     13123c1dbd7a84c3b349e592d8ab79a5691d9c90 (SHA-1)
     7c7153757a88a04e7dbfce58c4d8231fdc5f6beb80ce1e9ab19c592ca06367a7 (SHA-256)
   Cisco Security Agent.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Security Agent.lnk
     Cisco Security Agent component
     (Not verified) Cisco Systems, Inc.
     c:\program files\cisco systems\csagent\bin\okclient.exe
     8fdfa944938e240a6375d639a5733256 (MD5)
     2047f3656da4e54e1d1f8da829f20ae401a9ba99 (SHA-1)
     3f5ca3ec3d7312fb20f7ebae88cb263dd3b0bd86f4a03e3647dcddaccae08fcb (SHA-256)
   Conversion to PDF with ScanSnap Organizer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
     PfuSsOrgOcrChk Application
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\organizer\pfussorgocrchk.exe
     4eb2874907d2be76b644193bff0d4ab7 (MD5)
     ee77de7591f4270a4daa434c99b001d426cce6eb (SHA-1)
     41ccd7c1abed38969d627893dccf6edd41dd37dcbc881c0cdf57d4fea6e4c658 (SHA-256)
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMCSI.lnk
     (Not verified) EMC Corporation
     c29cc30f422ed2abd3fb9cf870d9c739 (MD5)
     25b3b5a35485b337e53d926d337ce80445d8cd2f (SHA-1)
     f75cbe26b249c235b3542b3dd1cec7172d376d9ae833cbc23bfba87f8fc1d940 (SHA-256)
   Evernote Clipper.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
     0c1980a81c3d15a89f32eb8c935d9edd (MD5)
     dcfda6ad191e58f4b99f25cb816ab3f92cdb38f4 (SHA-1)
     6a7891279b8a05b99099b9f97adc66c9cdbd86168d1ad0ad1367e0f7f0ae726b (SHA-256)
   McAfee Security Scan Plus.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee

   ScanSnap Manager.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
     ScanSnap Manager
     (Not verified) PFU LIMITED
     c:\program files\pfu\scansnap\driver\pfussmon.exe
     840b4087805c8d5a7be3d301394429ca (MD5)
     6d8bfa8250d2d14da4fcdd22a7cf14be2c4b6be2 (SHA-1)
     b42bfac0a4af68976d0c570835dbfe52edccf548e0a734626fdc97f07f946949 (SHA-256)
   VPN Client.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

C:\Documents and Settings\diamos1\Start Menu\Programs\Startup
   VPN Client.lnk
     C:\Documents and Settings\diamos1\Start Menu\Programs\Startup\VPN Client.lnk
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

Anything else you want me to try?

Author Comment

ID: 36531000

I'm going to accept your comment as the solution. Here's why. Motivated by your suggestion to create a new local user account, I figured out how to login to the local admin account. In that account, I still saw the 100+ www.google.com TIME_WAIT connections in netstat. That got me thinking.

I looked around and found two "interesting" programs in the boot sequence. Even though I had disabled GadgetTrak tracking, programs from GadgetTrak and Skyhook Wireless were *still* being loaded and run, and--it turns out--causing the multiple www.google.com TIME_WAIT connections that I saw in netstat.

So when I uninstalled (as opposed to disabled) GadgetTrak, the programs noted above were removed from the boot sequence, and the multiple www.google.com TIME_WAIT connections stopped being created.

So, thanks for the suggestion which led to the fix!

Author Closing Comment

ID: 36531005
Thanks for your help. There was no malware, and while you didn't exactly identify the problem, your suggestion to login as a different user led to the solution. Again, thanks!

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Make the most of your online learning experience.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question