100 netstat time_wait www.google.com connections

Posted on 2011-09-12
Last Modified: 2012-05-12
Recently my Windows XP SP3 system started running with the network connection applet showing busy constantly.

netstat -boa shows ~100 connections to www.google.com like this one:

  TCP    COMPUTERNAME:1273    74.125.224.244:http    TIME_WAIT       0

But I can't see a Google app running.

Suggestions? Thanks.
Question by:sldiamond
Expert Comment

by:vvk
You can try the "Handle" or "TCPView" utility from sysinternals.com to figure out which process is doing that, or Wireshark/Netmon to see what is being sent and received in those sessions.
Author Comment

by:sldiamond
Thanks for the response, but I previously tried both TCPView and Wireshark and they didn't help.

TCPView shows the process as "[SystemProcess]" and PID=0, just as netstat does.

Wireshark produced a bunch of transactions. Here's an example. What specifically do you suggest I look for?

No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.5.244         74.125.224.240        TCP      vs-server > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
      7 0.020976    74.125.224.240        192.168.5.244         TCP      http > vs-server [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1356 SACK_PERM=1 TSV=973689195 TSER=0 WS=6
      8 0.021006    192.168.5.244         74.125.224.240        TCP      vs-server > http [ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
      9 0.021090    192.168.5.244         74.125.224.240        TCP      vs-server > http [FIN, ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
     11 0.040966    74.125.224.240        192.168.5.244         TCP      http > vs-server [FIN, ACK] Seq=1 Ack=2 Win=5696 Len=0 TSV=973689216 TSER=132411
     12 0.040992    192.168.5.244         74.125.224.240        TCP      vs-server > http [ACK] Seq=2 Ack=2 Win=128480 Len=0 TSV=132411 TSER=973689216
     13 1.016172    192.168.5.244         74.125.224.240        TCP      sysopt > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
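One thing worth reading off the capture above before chasing the process: every packet the client sends after the handshake has Len=0, and its FIN goes out with Seq=1, so not one byte of HTTP was ever sent. That is a reachability probe ("can I reach port 80 on Google?"), not a web request, and it repeats about once a second. The script below is an added example, not code from the thread: it parses rows in the default Wireshark summary layout, groups them into conversations keyed by whoever sent the bare SYN, and labels each as an empty probe, a data session, or an incomplete handshake. The sample rows are the seven lines posted above, pasted verbatim as constructed input; a real run would read a text export of the capture.

```python
import re

# Constructed sample: the seven rows from the capture posted above, pasted
# verbatim. A real run would read a Wireshark text export of the same columns.
SAMPLE = """
      1 0.000000    192.168.5.244         74.125.224.240        TCP      vs-server > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
      7 0.020976    74.125.224.240        192.168.5.244         TCP      http > vs-server [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1356 SACK_PERM=1 TSV=973689195 TSER=0 WS=6
      8 0.021006    192.168.5.244         74.125.224.240        TCP      vs-server > http [ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
      9 0.021090    192.168.5.244         74.125.224.240        TCP      vs-server > http [FIN, ACK] Seq=1 Ack=1 Win=128480 Len=0 TSV=132411 TSER=973689195
     11 0.040966    74.125.224.240        192.168.5.244         TCP      http > vs-server [FIN, ACK] Seq=1 Ack=2 Win=5696 Len=0 TSV=973689216 TSER=132411
     12 0.040992    192.168.5.244         74.125.224.240        TCP      vs-server > http [ACK] Seq=2 Ack=2 Win=128480 Len=0 TSV=132411 TSER=973689216
     13 1.016172    192.168.5.244         74.125.224.240        TCP      sysopt > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 TSV=0 TSER=0 SACK_PERM=1
"""

# Default Wireshark summary layout: No. Time Source Destination Protocol Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\] (?P<rest>.*)$"
)


def parse(text):
    """Turn summary rows into dicts with endpoints, flag set, Seq and Len."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
        pkts.append({
            "src": (m["src"], m["sport"]),
            "dst": (m["dst"], m["dport"]),
            "flags": {f.strip() for f in m["flags"].split(",")},
            "seq": int(kv.get("Seq", 0)),
            "len": int(kv.get("Len", 0)),
        })
    return pkts


def classify(text):
    """Group packets into conversations keyed by the side that sent the bare SYN
    and label each one by whether the client ever sent payload."""
    convs = {}
    for p in parse(text):
        if p["flags"] == {"SYN"}:                       # client side opens the flow
            convs.setdefault((p["src"], p["dst"]),
                             {"synack": False, "ack": False,
                              "client_bytes": 0, "client_fin": False})
            continue
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        key = fwd if fwd in convs else rev if rev in convs else None
        if key is None:
            continue                                    # SYN not in the excerpt
        c = convs[key]
        if key == rev and {"SYN", "ACK"} <= p["flags"]:
            c["synack"] = True                          # server answered
        elif key == fwd:                                # client -> server packet
            if "ACK" in p["flags"]:
                c["ack"] = True
            c["client_bytes"] += p["len"]               # Len=0 on every row above
            if "FIN" in p["flags"]:
                c["client_fin"] = True
    labels = {}
    for (client, server), c in convs.items():
        name = f"{client[0]}:{client[1]}->{server[0]}:{server[1]}"
        if not (c["synack"] and c["ack"]):
            labels[name] = "incomplete (SYN without completed handshake)"
        elif c["client_fin"] and c["client_bytes"] == 0:
            labels[name] = "empty probe (handshake then FIN, 0 payload bytes)"
        else:
            labels[name] = f"data session ({c['client_bytes']} client payload bytes)"
    return labels


if __name__ == "__main__":
    for name, label in classify(SAMPLE).items():
        print(f"{name:45} {label}")
```

Run against the posted rows it labels the vs-server flow an empty probe and the sysopt flow incomplete (its answer packets fall outside the excerpt). Empty probes of this shape are what connectivity checkers and "phone home when online" agents produce; a process that is actually exfiltrating data would show non-zero Len on client packets.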
Accepted Solution

by:Sommerblink
PID 0 is a fake process and incidentally runs in Ring 0 (Kernel Mode). If you run Performance Monitor and add the Process monitor for instance _Total: "% Privileged Time", you will see that the computer actually idles in Kernel Mode.

So, either your network tools are reporting false information or something is up.

What happens if you create a new local account and see if you still see connections running on PID 0? Sometimes programs installed don't run under "all" profiles.

Also, try Safe Mode with Networking and see if you still see it running.
Also, what does the output of the command 'route print' say?

At this point I would also recommend removing this PC from the corporate network, assuming it is infected, and preparing for reimaging. The above would simply be used for fact gathering.

Also, have you tried Autoruns (from Sysinternals) and check to see what is slated for starting up? Make sure that you choose Options/Verify Code Signatures just to make sure something doesn't say Google or Microsoft.
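The caveat a practitioner wants here is why netstat and TCPView report PID 0: a TIME_WAIT entry belongs to no process. The owner has already closed the socket and the TCP stack keeps the endpoint only to run out the 2MSL timer, so there is nothing for `netstat -o` to attribute it to. To get the owner you have to catch the connection while it is still SYN_SENT or ESTABLISHED, which in the capture above is a window of about 40 ms, once a second. The script below is an added example, not code from the thread: it polls `netstat -ano` quickly, remembers the PID from the first live sighting of each local port, and reports how many TIME_WAIT entries for the target address were never seen live (those you missed between samples). The two embedded snapshots are constructed; PID 1844 and the local ports are made up, the remote address is the one from the question.

```python
import re
import subprocess
import time
from collections import Counter

# One TCP row of `netstat -ano`: Proto Local Foreign State PID
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)

# Constructed sample snapshots in `netstat -ano` layout. PID 1844 and the
# local ports are made up; the remote address is the one from the question.
SNAPSHOTS = [
    """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.33:1273      74.125.224.244:80      SYN_SENT        1844
  TCP    192.168.1.33:1200      74.125.224.244:80      TIME_WAIT       0
""",
    """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.33:1273      74.125.224.244:80      TIME_WAIT       0
  TCP    192.168.1.33:1274      74.125.224.244:80      ESTABLISHED     1844
  TCP    192.168.1.33:1200      74.125.224.244:80      TIME_WAIT       0
""",
]


def parse_netstat(text):
    """Yield (local, remote, state, pid) for each TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield m["local"], m["remote"], m["state"], int(m["pid"])


def attribute(snapshots, remote_ip):
    """Walk snapshots in order; the first live sighting (any state except
    TIME_WAIT) of a local port fixes its owner, since TIME_WAIT rows always
    carry PID 0. Returns ({pid: connections}, unattributed) where unattributed
    counts TIME_WAIT ports that were never seen while live."""
    owner = {}            # local port -> pid
    timewait = set()      # local ports seen only after the socket was closed
    for snap in snapshots:
        for local, remote, state, pid in parse_netstat(snap):
            if not remote.startswith(remote_ip + ":"):
                continue
            if state == "TIME_WAIT":
                timewait.add(local)
            else:
                owner.setdefault(local, pid)
    return dict(Counter(owner.values())), len(timewait - set(owner))


def live_snapshots(interval=0.05, duration=15.0):
    """Poll `netstat -ano` (Windows) every `interval` seconds for `duration` seconds.
    A 40 ms connection is easy to miss, so keep the interval short and run long."""
    deadline = time.time() + duration
    while time.time() < deadline:
        yield subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python catch_owner.py 74.125.224.244
        by_pid, missed = attribute(live_snapshots(), sys.argv[1])
    else:                                      # offline run on the constructed sample
        by_pid, missed = attribute(SNAPSHOTS, "74.125.224.244")
    for pid, n in by_pid.items():
        print(f"PID {pid}: {n} connection(s) to target")
    print(f"{missed} TIME_WAIT entries were never seen live")
```

On the sample it attributes both ports 1273 and 1274 to PID 1844 and reports port 1200 as missed. Once a PID comes back, `tasklist /fi "pid eq 1844"` names the image, and the Autoruns check in the comment above tells you what starts it; on the reverse, a remote address that never attributes to anything over a long run is the point to take the box off the network, as the comment advises.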
Author Comment

by:sldiamond
Thanks for the suggestions.

I'm not able to create a new local account due to policies.

Here's the output of route print:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x4 ...f0 7b cb 68 40 04 ...... Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
0x5 ...00 26 b9 c9 3f e9 ...... Intel(R) 82567LM Gigabit Network Connection - Packet Scheduler Miniport
0x6 ...00 26 37 bd 39 42 ...... PdaNet Broadband Adapter - Packet Scheduler Miniport
0x7 ...08 00 27 00 c4 86 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.3    192.168.1.33        25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.33    192.168.1.33        25
     192.168.1.33  255.255.255.255        127.0.0.1       127.0.0.1        25
    192.168.1.255  255.255.255.255     192.168.1.33    192.168.1.33        25
     192.168.56.0    255.255.255.0     192.168.56.1    192.168.56.1        20
     192.168.56.1  255.255.255.255        127.0.0.1       127.0.0.1        20
   192.168.56.255  255.255.255.255     192.168.56.1    192.168.56.1        20
     192.168.81.0    255.255.255.0     192.168.81.1    192.168.81.1        20
     192.168.81.1  255.255.255.255        127.0.0.1       127.0.0.1        20
   192.168.81.255  255.255.255.255     192.168.81.1    192.168.81.1        20
    192.168.222.0    255.255.255.0    192.168.222.1   192.168.222.1        20
    192.168.222.1  255.255.255.255        127.0.0.1       127.0.0.1        20
  192.168.222.255  255.255.255.255    192.168.222.1   192.168.222.1        20
        224.0.0.0        240.0.0.0     192.168.1.33    192.168.1.33        25
        224.0.0.0        240.0.0.0     192.168.56.1    192.168.56.1        20
        224.0.0.0        240.0.0.0     192.168.81.1    192.168.81.1        20
        224.0.0.0        240.0.0.0    192.168.222.1   192.168.222.1        20
  255.255.255.255  255.255.255.255     192.168.1.33    192.168.1.33        1
  255.255.255.255  255.255.255.255     192.168.56.1               5        1
  255.255.255.255  255.255.255.255     192.168.56.1               6        1
  255.255.255.255  255.255.255.255     192.168.56.1    192.168.56.1        1
  255.255.255.255  255.255.255.255     192.168.81.1    192.168.81.1        1
  255.255.255.255  255.255.255.255    192.168.222.1   192.168.222.1        1
Default Gateway:       192.168.1.3
===========================================================================
Persistent Routes:
  None

192.168.81.1, 222.1 are VMware network adapters. .56.1 is VirtualBox.

In safe mode with networking, netstat shows no connections.

Active Connections

  Proto  Local Address          Foreign Address        State

I ran autorunsc -m -v and recognized almost all of the programs. The only ones that weren't verified were:

   Broadcom Wireless Manager UI
     C:\WINNT\system32\WLTRAY.exe
     DW WLAN Card Wireless Network Tray Applet
     (Not verified) Dell Inc.
     5.60.48.35
     c:\winnt\system32\wltray.exe
     5d967f10b86dc88795450932759ded92 (MD5)
     521a960a2a8e769e5aa1450b8f6a2eddba3fc169 (SHA-1)
     599aef23d54b92be4734bba352adb5cad23c9307b2a21aa40e6e50e240674ef7 (SHA-256)

   SBPTool.AutoDomain
     "DISABLED-wscript.exe" //Nologo "C:\Program Files\SafeBoot\autodomain.vbs"
     File not found: DISABLED-wscript.exe
   Cellhire DataManager
     "C:\Program Files\Cellhire DataManager\chdm.exe" /auto
     Cellhire DataManager
     (Not verified) SoftPerfect Research
     5.1.0.0
     c:\program files\cellhire datamanager\chdm.exe
     a5fdf7ff1666ecb7cd0331cd8610712b (MD5)
     1df47739c2c4f4442d56b5bd0619bed4dbe8698e (SHA-1)
     5f713c505c81c726f4c4634ccd4653892eb3fb5ef51feaa172c31116143ae754 (SHA-256)

   QuickTime Task
     "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     QuickTime Task
     (Not verified) Apple Inc.
     7.7.0.0
     c:\program files\quicktime\qttask.exe
     73430e79d6df4de9055e2a7742b881d3 (MD5)
     57bad288a6ed978346aa99e33189493c7f458a65 (SHA-1)
     ab067341a3b647fd7273fb1146bb9355ae53acbd259fc061df82399a5c185775 (SHA-256)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
   CardMinder Viewer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
     CardMinder Viewer
     (Not verified) PFU LIMITED
     4.1.30.1
     c:\program files\pfu\scansnap\cardminder\cardlauncher.exe
     cdf79ea2250ed216363698b5c734b3e8 (MD5)
     13123c1dbd7a84c3b349e592d8ab79a5691d9c90 (SHA-1)
     7c7153757a88a04e7dbfce58c4d8231fdc5f6beb80ce1e9ab19c592ca06367a7 (SHA-256)
   Cisco Security Agent.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Security Agent.lnk
     Cisco Security Agent component
     (Not verified) Cisco Systems, Inc.
     5.2.0.245
     c:\program files\cisco systems\csagent\bin\okclient.exe
     8fdfa944938e240a6375d639a5733256 (MD5)
     2047f3656da4e54e1d1f8da829f20ae401a9ba99 (SHA-1)
     3f5ca3ec3d7312fb20f7ebae88cb263dd3b0bd86f4a03e3647dcddaccae08fcb (SHA-256)
   Conversion to PDF with ScanSnap Organizer.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
     PfuSsOrgOcrChk Application
     (Not verified) PFU LIMITED
     4.1.10.3
     c:\program files\pfu\scansnap\organizer\pfussorgocrchk.exe
     4eb2874907d2be76b644193bff0d4ab7 (MD5)
     ee77de7591f4270a4daa434c99b001d426cce6eb (SHA-1)
     41ccd7c1abed38969d627893dccf6edd41dd37dcbc881c0cdf57d4fea6e4c658 (SHA-256)
   EMCSI.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMCSI.lnk
     (Not verified) EMC Corporation
     1.0.0.12
     c:\emcsoftware\emcsiuser.exe
     c29cc30f422ed2abd3fb9cf870d9c739 (MD5)
     25b3b5a35485b337e53d926d337ce80445d8cd2f (SHA-1)
     f75cbe26b249c235b3542b3dd1cec7172d376d9ae833cbc23bfba87f8fc1d940 (SHA-256)
   Evernote Clipper.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Evernote Clipper.lnk
     c:\winnt\installer\{f761359c-9ced-45ae-9a51-9d6605cd55c4}\evernote.ico
     0c1980a81c3d15a89f32eb8c935d9edd (MD5)
     dcfda6ad191e58f4b99f25cb816ab3f92cdb38f4 (SHA-1)
     6a7891279b8a05b99099b9f97adc66c9cdbd86168d1ad0ad1367e0f7f0ae726b (SHA-256)
   McAfee Security Scan Plus.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee

   ScanSnap Manager.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
     ScanSnap Manager
     (Not verified) PFU LIMITED
     5.1.20.30
     c:\program files\pfu\scansnap\driver\pfussmon.exe
     840b4087805c8d5a7be3d301394429ca (MD5)
     6d8bfa8250d2d14da4fcdd22a7cf14be2c4b6be2 (SHA-1)
     b42bfac0a4af68976d0c570835dbfe52edccf548e0a734626fdc97f07f946949 (SHA-256)
   VPN Client.lnk
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
     c:\winnt\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\icon3e5562ed7.ico
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

C:\Documents and Settings\diamos1\Start Menu\Programs\Startup
   VPN Client.lnk
     C:\Documents and Settings\diamos1\Start Menu\Programs\Startup\VPN Client.lnk
     c:\winnt\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\icon3e5562ed7.ico
     85ab6c3089bee58999b434e114e8a64c (MD5)
     f480a5c7f587edcc3bfc86524dbab551d50306f6 (SHA-1)
     7a1b4cbb5559e30fe23d3815b82079e237f58813ee7eeddc98c663c0149cb8bb (SHA-256)

Anything else you want me to try?
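The `autorunsc -v` listing above is long, and what a reviewer actually wants from it is a short list: entries whose signature did not verify, entries whose image is missing, and a SHA-256 for each so the hash can be looked up against a known-good or reputation source. This parser is an added example, not part of the thread or of Sysinternals: it reads the autorunsc text layout (entry name at three spaces, details at five, unindented section headers) and returns only the entries to look at. The constructed sample reuses the Dell and SafeBoot entries posted above; "Example Updater" and its all-zero hashes are made up to show a verified entry being passed over.

```python
import re

# Constructed sample in `autorunsc -v` layout. The first two entries are the
# ones posted above; "Example Updater" with all-zero hashes is made up.
SAMPLE = r"""
   Broadcom Wireless Manager UI
     C:\WINNT\system32\WLTRAY.exe
     DW WLAN Card Wireless Network Tray Applet
     (Not verified) Dell Inc.
     5.60.48.35
     c:\winnt\system32\wltray.exe
     5d967f10b86dc88795450932759ded92 (MD5)
     521a960a2a8e769e5aa1450b8f6a2eddba3fc169 (SHA-1)
     599aef23d54b92be4734bba352adb5cad23c9307b2a21aa40e6e50e240674ef7 (SHA-256)

   SBPTool.AutoDomain
     "DISABLED-wscript.exe" //Nologo "C:\Program Files\SafeBoot\autodomain.vbs"
     File not found: DISABLED-wscript.exe
   Example Updater
     "C:\Program Files\Example\updater.exe" /quiet
     Example Updater
     (Verified) Example Corp
     1.0.0.0
     c:\program files\example\updater.exe
     00000000000000000000000000000000 (MD5)
     0000000000000000000000000000000000000000 (SHA-1)
     0000000000000000000000000000000000000000000000000000000000000000 (SHA-256)
"""

SHA256_RE = re.compile(r"^([0-9a-f]{64}) \(SHA-256\)$")


def parse_autoruns(text):
    """Split autorunsc text into entries: a name line (3-space indent) followed
    by detail lines (5-space indent). Blank lines and unindented section
    headers (registry keys, Startup folder paths) end the current entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("     "):
            if cur is not None:
                cur["details"].append(line.strip())
        elif line.startswith("   ") and line.strip():
            cur = {"name": line.strip(), "details": []}
            entries.append(cur)
        else:
            cur = None
    return entries


def triage(text):
    """Return the entries worth a reviewer's time: images whose signature did
    not verify, and entries whose image is missing, each with a SHA-256 for lookup."""
    flagged = []
    for e in parse_autoruns(text):
        d = e["details"]
        missing = any(x.startswith("File not found") for x in d)
        verified = any(x.startswith("(Verified)") for x in d)
        publisher = next((x for x in d if x.startswith("(")), "")
        sha256 = None
        for x in d:
            m = SHA256_RE.match(x)
            if m:
                sha256 = m.group(1)
        if missing or not verified:
            flagged.append({
                "name": e["name"],
                "command": d[0] if d else "",
                "publisher": publisher,
                "sha256": sha256,
                "reason": "image not found" if missing else "signature not verified",
            })
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['reason']:24} {f['name']:32} {f['publisher']}")
        print(f"{'':24} {f['command']}")
        if f["sha256"]:
            print(f"{'':24} sha256 {f['sha256']}")
```

On the sample it flags the Dell tray applet (unverified, hash available for lookup) and the SafeBoot entry (dead reference, nothing to hash) and passes the verified entry over. Keep in mind that "(Not verified)" on a 2011-era XP box is very often just an unsigned or stale-certificate vendor binary, as the Dell, Apple and PFU entries above are; the hash lookup is what separates that from a trojanised copy using the same name.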
Author Comment

by:sldiamond
Sommerblink:

I'm going to accept your comment as the solution. Here's why. Motivated by your suggestion to create a new local user account, I figured out how to log in to the local admin account. In that account, I still saw the 100+ www.google.com TIME_WAIT connections in netstat. That got me thinking.

I looked around and found two "interesting" programs in the boot sequence. Even though I had disabled GadgetTrak tracking, programs from GadgetTrak and Skyhook Wireless were *still* being loaded and run, and--it turns out--causing the multiple www.google.com TIME_WAIT connections that I saw in netstat.

So when I uninstalled (as opposed to disabled) GadgetTrak, the programs noted above were removed from the boot sequence, and the multiple www.google.com TIME_WAIT connections stopped being created.

So, thanks for the suggestion which led to the fix!
Author Closing Comment

by:sldiamond
Thanks for your help. There was no malware, and while you didn't exactly identify the problem, your suggestion to log in as a different user led to the solution. Again, thanks!