Fresh install, weird active internet connection



sal
08-04-2005, 02:10 AM
I've just finished up rounding off a fresh install of WinXP Pro (a couple of hours later), and it looks like the internet connection is intermittently active; it slowly blinks on and off. It's kind of annoying and I'm sure it's not usually like that.

Here's a screener of active connections (http://sal.neoburn.net/imagef1/files/netstat.gif), what could cause the net connection to do this?

zqwerty
08-04-2005, 03:09 PM
svchost.exe will be talking to MS.

sal
08-04-2005, 06:32 PM
Is there a better way than netstat -a to see all connections? To be honest, I'm not sure if it's that plain a deal. I swear the connection was either being used by me actively or not at all.

Greg
08-04-2005, 06:58 PM
If you disable netbios and redo netstat, does anything change?

Your firewall (if you have a good one like Kerio) can also tell what connections are alive.

sal
09-04-2005, 12:55 AM
Here's an example of what it looks like (http://sal.neoburn.net/imagef1/files/active_internet_connection.gif). It does that forever, from boot up to shutdown.

How do I disable netbios (and what is it?). I will try installing another firewall :/

Rob99
09-04-2005, 01:23 AM
If it is installed you can untick it, it will show up the same place as your TCP/IP settings

sal
09-04-2005, 01:44 AM
Doesn't look like I have it installed (http://sal.neoburn.net/imagef1/files/no_netbios.gif), could it have anything to do with the fact that I bridged instead of ICS?

zqwerty
09-04-2005, 02:10 AM
Go here to get a better program to view who your computer is talking to:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Rob99
09-04-2005, 02:42 AM
How fast is the light blinking?

There will always be a very very small amount of activity even if nothing is using it.

sal
09-04-2005, 02:45 AM
> How fast is the light blinking?
>
> There will always be a very very small amount of activity even if nothing is using it.

It blinks exactly as displayed in this picture

http://sal.neoburn.net/imagef1/files/active_internet_connection.gif

Rob99
09-04-2005, 02:51 AM
> could it have anything to do with the fact that I bridged instead of ICS?

Probably something like that, I would just make sure you have a good firewall, Sygate and Kerio are good.

[Edit] Both lights are not flashing, it's probably just checking for a connection.

sal
09-04-2005, 02:52 AM
Sorry for the screenshot overload, but I really want to know what's happening.

http://sal.neoburn.net/imagef1/files/netstat2.gif

Does anything look suspicious there?

Rob99
09-04-2005, 02:57 AM
Not an expert on this but I would say no. Here's mine (http://sal.neoburn.net/imagef1/files/Rob99-netstat-a.jpg)

Greg
09-04-2005, 07:53 AM
> How do I disable netbios

Open Network Connections.
Right-click on your connection.
Properties.
Highlight Internet Protocol [TCP/IP].
Properties.
Advanced.
Wins.
Check Disable Netbios over TCP/IP.

It can also be disabled under Services.

sal
09-04-2005, 10:51 AM
> If you disable netbios and redo netstat, does anything change?

No, nothing changes. It looks like it sends a packet every second, but I don't know where to. Argh, annoying!

sal
09-04-2005, 10:53 AM
> [Edit] Both lights are not flashing, it's probably just checking for a connection.

But it shouldn't be doing this the whole time the computer is on, I am on broadband.

Jen
09-04-2005, 12:55 PM
If your computer is networked with others, then the LAN lights might be flashing as it communicates (or checks for the presence of) with the other machines?

zqwerty
09-04-2005, 01:13 PM
When I installed Win2KPro I knew nothing about the OS. Every time I went on the internet there was activity for about 6 hours as it updated the drivers and other parts of the system, I think.

If you think about it, it is quite unlikely that the CD that you have used to instal the OS is not completely up-to-date, so therefore many small housekeeping tasks and improvements will have to be made to get it to the latest configuration. This has nothing to do with critical updates and security improvements, I think this is what svchost.exe (up to 4 incidences running) does, make sure that the day to day workings are as current as possible.

Sometimes I see activity that I cannot account for and I quickly activate TCPView and see that once more my computer is talking to MS under the radar, so to speak, even though I have "inform me of any updates from MS before installing" ticked.

I bet you will find that this activity will stop once the system is completely current.

sal
09-04-2005, 01:38 PM
> If your computer is networked with others, then the LAN lights might be flashing as it communicates (or checks for the presence of) with the other machines?

It's not the LAN light that flashes, it's the Internet Connection one that does.


> I bet you will find that this activity will stop once the system is completely current.

I took care of EVERYTHING to do with updates. I feel kind of paranoid, like big brother is watching me or something.

zqwerty
09-04-2005, 02:15 PM
"Just because you're paranoid doesn't mean they aren't trying to get you"

I am not talking about updates, I am talking about everyday housekeeping, from MS.

sal
09-04-2005, 02:41 PM
I wish they wouldn't do everyday housekeeping (whatever that is) if that's the case. Anyway, in a last ditch effort, I did some packet sniffing, but am still unsure what to gather from this. I promise this is the last screenshot from me:

http://sal.neoburn.net/imagef1/files/packetsniffer.gif

I notice bridge in there but that's about it. Can anyone enlighten me now?

sal
13-04-2005, 07:40 PM
I just netstat -a'd our computer and found some interesting entries (sal.neoburn.net/imagef1/files/netstat_new.gif). Kind of sucks how the usual spyware/adware applications can't help with some of these.

Jen
13-04-2005, 07:52 PM
Run HijackThis. That should be able to locate absoluagency on your system. Have you tried searching for this item as well, especially in your hosts file? It appears to be a trojan from a google search.

Information on the trojan Trojan.StartPage.H (http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.h.html). If you look down that page, you will see absoluagency mentioned as adding entries to IE favourites as well.

sal
13-04-2005, 09:06 PM
> Run HijackThis. That should be able to locate absoluagency on your system. Have you tried searching for this item as well, especially in your hosts file? It appears to be a trojan from a google search.
>
> Information on the trojan Trojan.StartPage.H (http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.h.html). If you look down that page, you will see absoluagency mentioned as adding entries to IE favourites as well.

Hi Jen,

Ran HJT, got given a clean bill of health (http://sal.neoburn.net/imagef1/files/hijackthis_sal.log) (although of course I don't actually). The absoluagency.com url is in my hosts file but as a blocked item (0.0.0.0 absoluagency.com) because I use one of these (http://www.mvps.org/winhelp2002/hosts.htm) hosts files. I will keep chipping away at this though.

sal
14-04-2005, 02:16 PM
Where would I find these rogue connections (http://sal.neoburn.net/imagef1/files/netstat_new.gif) starting from and how would I stop them from listening?
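
Added example (not from the thread or any poster): `netstat -a` prints names instead of addresses, so a name in its output may come from a blocklist-style hosts file entry like the `0.0.0.0 absoluagency.com` line quoted above rather than from a real remote peer. This Python script cross-checks the two, assuming the Windows resolver answers netstat's reverse lookups from the hosts file; the sample netstat and hosts text are constructed and the function names are hypothetical.

```python
# Added example: sample text is constructed, not taken from the thread's screenshots.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}   # addresses blocklist hosts files point names at

SAMPLE_HOSTS = """\
127.0.0.1  localhost
0.0.0.0    absoluagency.com      # blocklist-style entry, as quoted in the thread
0.0.0.0    ads.example.invalid   # constructed
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    mypc:epmap             absoluagency.com:0     LISTENING
  TCP    mypc:microsoft-ds      absoluagency.com:0     LISTENING
  TCP    mypc:1034              example.net:http       ESTABLISHED
  UDP    mypc:ntp               *:*
"""

def sinkholed_names(hosts_text):
    """Names that a hosts file maps to a sinkhole address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()        # strip trailing comments
        if len(fields) >= 2 and fields[0] in SINK_ADDRS:
            names.update(n.lower() for n in fields[1:])
    names.discard("localhost")                        # the normal loopback name
    return names

def classify(netstat_text, hosts_text):
    """Return (proto, local, foreign, state, verdict) for each socket line."""
    blocked = sinkholed_names(hosts_text)
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                                  # header or blank line
        proto, local, foreign = f[:3]
        state = f[3] if len(f) > 3 else ""            # UDP rows carry no state
        host = foreign.rsplit(":", 1)[0].lower()      # drop the port part
        if host in blocked:
            verdict = "hosts-file-name"               # re-check with netstat -an
        elif state == "LISTENING" or host == "*":
            verdict = "listener"                      # no remote peer yet
        else:
            verdict = "remote-peer"
        rows.append((proto, local, foreign, state, verdict))
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE_NETSTAT, SAMPLE_HOSTS):
        print("%-4s %-18s %-22s %-12s %s" % row)
```

Rows marked `hosts-file-name` are worth re-running through `netstat -an`, which prints numeric addresses and takes the hosts file out of the picture.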