
Thread: Repeated internet connections from unknown program

  1. #1
    geoffp Guest

    Default Repeated internet connections from unknown program

    Could anyone tell me how to identify a program on my PC which connects to the internet every 7 to 8 seconds, please? The connection is indicated by a sharp blip on the ZoneAlarm traffic icon. Re-booting does not clear the problem.

    It appears to have no effect on my use of the computer or internet but it is very irritating and I would like to stop it. Thanks

    -

    GeoffP

    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm (Free)

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Repeated internet connections from unknown program


    Blips in the za icon could be just simple localhost traffic.
    Set the logging for the loopback in the logs and alerts section and see the logged events.
    Or use "netstat -b -v" command in the command prompt and look at the immediate traffic.

    This will log traffic over a short period of time:
      • Open the command.
      • Type "netstat -b 5 > activity.txt" and press enter. Then run an application such as a browser or an updater, wait till it is finished, then press Ctrl+C.
      • Or in your situation open nothing and just wait.
      • Type "activity.txt" on the command line to open the log file in the notepad.
    The file activity.txt will create a log of all processes that made a connection to the Internet. The log will include all processes involved and all IPs and such.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    geoffp Guest

    Default Re: Repeated internet connections from unknown program

    Many thanks for your rapid and very helpful response. I managed to produce the log and, because I only have XP Home, to view it through Process Explorer. I think you were correct in your idea that the connections were normal local host traffic but I don't understand their regularity. However, the log shows the culprit to be svchost.exe originating in C:\windows\system32\ws2-32.dll and C:\windows\system32\winhttp.dll. I would appreciate any further advice you may have but I'm no expert and a bit reluctant to poke about too much in this area!!! Maybe I should leave things as they are?
    Thanks again and kind Regards

    -

    GeoffP

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Repeated internet connections from unknown program

    The svchost.exe and these .dlls are not unusual in their relationship.

    Svchost.exe is the service host manager (not just the usual file name of generic host process):

    http://process.networktechs.com/Svchost.exe.php

    The ws2-32.dll ("win sock dll" for the winsock of windows - second(2) version of winsock and is for the 32 bit O.S.) is involved directly with the Windows API (lower kernel of windows). This is how the window sock is connected to the operating system.

    The winhttp.dll ("win http dll" used for http connections in/for windows) supports the windows services and various desktop applications, and it is involved with the Native API (upper kernel) and Component Object Model (COM) files (also goes with the DDE).

    Both of the two .dlls you mention are involved with the tcp/ip of windows (which is also used in local host traffic between window's files). Both are directly connected to the svchost.exe which supports much of the networking for windows and window's networking services.

    Just leave these alone - any effort to tamper with this will result in a damaged windows operating system. These are not malware, but correct files.

    Oldsod.

    Message Edited by Oldsod on 01-27-2009 06:36 PM
    Best regards.
    oldsod

  5. #5
    stupefy Guest

    Default Re: Repeated internet connections from unknown program



    OK, so now we know svchost.exe, ws2-32.dll, and winhttp.dll are involved in the unknown communication that occurs
    every eight seconds.....this still does not solve the issue by pinpointing what is triggering svchost.exe to
    initiate communications every eight seconds, and whether these communications are to the Internet or Trusted Zones,
    and whether the communications are Inbound or Outbound Communications or Both.

    My first question is:
    Are the Sharp Blips on the ZoneAlarm Traffic Icon Dominated by:
    Green Bars (incoming) or
    Red Bars (outgoing)

    My second question is:
    Do you have Diskeeper Installed?
    Diskeeper by Default acts as a Server and should be Blocked across the board and only allowed access to the Trusted.

    My third question is:
    Is the Computer connected to a Router, if so, is the connection Hardwired or Wireless?

    My fourth question is:
    If the Computer is behind a Router, is Internet Connection Sharing Disabled?

    My fifth question is:
    Is the Universal Plug and Play Device Host Service Disabled? (UPnP)
    Is the SSDP Discovery Service Disabled? (the server for UPnP)
    (whenever disabling UPnP also disable the server for UPnP)

    My first suggestion is:
    Creating two Expert Rules to try and further pinpoint what is triggering svchost.exe every eight seconds.

    Expert Rule #1:
    NAME = Sniffer1
    COMMENTS = Outbound
    STATE = Enabled
    ACTION = Allow
    TRACK = Alert and Log
    SOURCE = My Computer
    DESTINATION = Any
    PROTOCOL = Any
    TIME = Any

    Expert Rule #2:
    NAME = Sniffer2
    COMMENTS = Inbound
    STATE = Enabled
    ACTION = Allow
    TRACK = Alert and Log
    SOURCE = Any
    DESTINATION = My Computer
    PROTOCOL = Any
    TIME = Any

    With these two Expert Rules Enabled you might be able to pinpoint what is triggering svchost.exe

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Repeated internet connections from unknown program




    The router wireless or wired and the Diskeeper probably are not involved. Probably the rest of the list does not apply either.

    Expert rule allow all just for logging?? Kind of risky to allow all to any place to the internet?
    Why not just turn on the localhost logging in the ZA instead (as these are localhost connections which are being discussed). Why not just one rule with logging instead of using two?

    A simple "netstat -anob" will reveal what is connected, to where and why using those previously stated files. It will reveal the what and why and where.

    Oldsod.
    Best regards.
    oldsod

  7. #7
    geoffp Guest

    Default Re: Repeated internet connections from unknown program

    Thanks to both for your advice. Attached is a copy of the netstat -anob log.
    Does this help?
    I'm afraid it doesn't mean much to me !!!
    GeoffP

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Geoff Perry>netstat -anob

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1064
      c:\windows\system32\WS2_32.dll
      C:\WINDOWS\system32\RPCRT4.dll
      c:\windows\system32\rpcss.dll
      C:\WINDOWS\system32\svchost.exe
      -- unknown component(s) --
      [svchost.exe]

      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      [System]

      TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1372
      C:\WINDOWS\system32\httpapi.dll
      c:\windows\system32\ssdpsrv.dll
      C:\WINDOWS\system32\RPCRT4.dll
      [svchost.exe]

      TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
      [System]

      UDP    0.0.0.0:500            *:*                                    716
      [lsass.exe]

      UDP    0.0.0.0:4500           *:*                                    716
      [lsass.exe]

      UDP    0.0.0.0:445            *:*                                    4
      [System]

      UDP    127.0.0.1:1290         *:*                                    1160
      c:\windows\system32\WS2_32.dll
      C:\WINDOWS\System32\WINHTTP.dll
      C:\WINDOWS\system32\upnp.dll
      C:\WINDOWS\system32\RPCRT4.dll
      C:\WINDOWS\system32\ole32.dll
      -- unknown component(s) --
      [svchost.exe]

      UDP    127.0.0.1:1153         *:*                                    200
      [Pptbc.exe]

      UDP    127.0.0.1:1900         *:*                                    1372
      c:\windows\system32\WS2_32.dll
      c:\windows\system32\ssdpsrv.dll
      C:\WINDOWS\system32\ADVAPI32.dll
      C:\WINDOWS\system32\kernel32.dll
      [svchost.exe]

      UDP    127.0.0.1:123          *:*                                    1160
      c:\windows\system32\WS2_32.dll
      c:\windows\system32\w32time.dll
      ntdll.dll
      C:\WINDOWS\system32\kernel32.dll
      [svchost.exe]

      UDP    192.168.1.2:1900       *:*                                    1372
      c:\windows\system32\WS2_32.dll
      c:\windows\system32\ssdpsrv.dll
      C:\WINDOWS\system32\ADVAPI32.dll
      C:\WINDOWS\system32\kernel32.dll
      [svchost.exe]

      UDP    192.168.1.2:137        *:*                                    4
      [System]

      UDP    192.168.1.2:123        *:*                                    1160
      c:\windows\system32\WS2_32.dll
      c:\windows\system32\w32time.dll
      ntdll.dll
      -- unknown component(s) --
      [svchost.exe]

      UDP    192.168.1.2:138        *:*                                    4
      [System]

    C:\Documents and Settings\Geoff Perry>

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Repeated internet connections from unknown program

    Windows services has these enabled:
    DCOM, UPnP, SSDP, Time, IPsec (probably not needed unless you use a VPN), Local Security Authority (probably not needed to be run either), and a few others.
    All harmless and normal.

    Only questionable file is "Pptbc.exe" - never heard of this before until now.
    This could be legitimate or it could be malware.
    Do a search in windows or look at the properties of the file in the ZA and find out what this file is for.

    Oldsod.
    Best regards.
    oldsod
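
Added example, not part of any post in this thread: a small Python parser for the `netstat -anob` layout posted in #7. It ties each socket to its owning process and DLL list and reports which sockets name a given DLL, which is how the svchost.exe/winhttp.dll finding can be narrowed to one PID and one port. The sample rows are copied from that log; the function names `parse_netstat` and `sockets_using` are this example's own.

```python
import re

# Constructed sample: four entries copied from the netstat -anob log in post #7.
SAMPLE = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1064
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\rpcss.dll
  [svchost.exe]
  UDP    127.0.0.1:1290         *:*                                    1160
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\System32\WINHTTP.dll
  C:\WINDOWS\system32\upnp.dll
  [svchost.exe]
  UDP    127.0.0.1:1153         *:*                                    200
  [Pptbc.exe]
  UDP    192.168.1.2:1900       *:*                                    1372
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  [svchost.exe]
"""

# Proto, local, foreign, optional TCP state (UDP rows have none), PID.
ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)$")

def parse_netstat(text):
    """Return one dict per socket with its owning process and listed DLLs."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            cur = {"proto": proto, "local": local, "foreign": foreign, "state": state,
                   "pid": int(pid), "owner": None, "dlls": []}
            entries.append(cur)
        elif cur and line.startswith("[") and line.endswith("]"):
            cur["owner"] = line[1:-1]          # owner line, e.g. [svchost.exe]
        elif cur and line.lower().endswith(".dll"):
            cur["dlls"].append(line.rsplit("\\", 1)[-1].lower())
    return entries

def sockets_using(entries, dll):
    """(owner, pid, proto, local, loopback_only) for sockets whose DLL list names `dll`."""
    return [(e["owner"], e["pid"], e["proto"], e["local"], e["local"].startswith("127."))
            for e in entries if dll.lower() in e["dlls"]]

if __name__ == "__main__":
    print(sockets_using(parse_netstat(SAMPLE), "winhttp.dll"))
```

On the sample, the only socket naming winhttp.dll belongs to svchost.exe PID 1160, bound to 127.0.0.1 and loaded alongside upnp.dll.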

  9. #9
    geoffp Guest

    Default Re: Repeated internet connections from unknown program

    PPTBC.exe is a file in my Anti virus software Protector Plus 2008. It is a legitimate program required at start up and is associated with system tray access.
    GeoffP

  10. #10
    stupefy Guest

    Default Re: Repeated internet connections from unknown program



    Respectfully.....You are Wrong.....


