Frequent Slow Internet Connection - high number of TCP in netstat -a



#1
riz92

riz92

    Member

  • Member
  • PipPip
  • 23 posts
Hi,

I have had a frequently slow internet connection for quite some time. I have called my broadband internet provider's technical support. They checked my 'netstat -a' and found a high number of TCP connections (I am not PC savvy, so I do not really understand what that means). They suggested sending my laptop to a technician to check further for spyware. I opened a topic in the malware removal forum and have gone through the troubleshooting process with Jimmy2012. He suggested that I open a new topic in this forum. My internet connection will just hang and all pages will load forever. When this happens I run the netstat -a command from cmd.exe. It shows a high number of TCP connections to localhost, as shown below:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP sri:epmap sri:0 LISTENING
TCP sri:microsoft-ds sri:0 LISTENING
TCP sri:2804 sri:0 LISTENING
TCP sri:netbios-ssn sri:0 LISTENING
TCP sri:1209 84.53.178.74:http CLOSE_WAIT
TCP sri:1763 ntdd2519.fm.netbenefit.co.uk:http ESTABLISHED
TCP sri:1764 ntdd2519.fm.netbenefit.co.uk:http ESTABLISHED
TCP sri:3190 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3192 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3196 sanmarcos.ezoshosting.com:http CLOSE_WAIT
TCP sri:3232 ew-in-f127.google.com:http CLOSE_WAIT
TCP sri:3236 216.89.80.21:http TIME_WAIT
TCP sri:3249 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:3251 216.89.80.21:http ESTABLISHED
TCP sri:3253 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3255 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3257 a88-221-114-181.deploy.akamaitechnologies.com:http CLOSE_WAIT
TCP sri:3259 a88-221-114-181.deploy.akamaitechnologies.com:http CLOSE_WAIT
TCP sri:3261 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3263 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3265 *.112.2o7.net:http ESTABLISHED
TCP sri:3268 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3270 *.112.2o7.net:http ESTABLISHED
TCP sri:3274 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3276 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3281 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3282 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3283 www.newsnow.co.uk:http TIME_WAIT
TCP sri:3300 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3302 ey-in-f147.google.com:http CLOSE_WAIT
TCP sri:3312 193.38.108.198:https ESTABLISHED
TCP sri:3313 193.38.108.198:https ESTABLISHED
TCP sri:3314 193.38.108.198:https ESTABLISHED
TCP sri:3315 193.38.108.198:https ESTABLISHED
TCP sri:3316 ssl.vip.scd.yahoo.com:https ESTABLISHED
TCP sri:3317 ssl.vip.scd.yahoo.com:https ESTABLISHED
TCP sri:3321 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:3325 mg1b.mail.vip.mud.yahoo.com:http ESTABLISHED
TCP sri:3329 sanmarcos.ezoshosting.com:http ESTABLISHED
TCP sri:1030 sri:0 LISTENING
TCP sri:1072 localhost:1073 ESTABLISHED
TCP sri:1073 localhost:1072 ESTABLISHED
TCP sri:1075 localhost:1076 ESTABLISHED
TCP sri:1076 localhost:1075 ESTABLISHED
TCP sri:3188 localhost:10350 ESTABLISHED
TCP sri:3191 localhost:10350 ESTABLISHED
TCP sri:3195 localhost:10350 ESTABLISHED
TCP sri:3231 localhost:10350 ESTABLISHED
TCP sri:3233 localhost:10350 ESTABLISHED
TCP sri:3240 localhost:10350 ESTABLISHED
TCP sri:3248 localhost:10350 ESTABLISHED
TCP sri:3252 localhost:10350 FIN_WAIT_2
TCP sri:3254 localhost:10350 FIN_WAIT_2
TCP sri:3256 localhost:10350 FIN_WAIT_2
TCP sri:3258 localhost:10350 FIN_WAIT_2
TCP sri:3260 localhost:10350 ESTABLISHED
TCP sri:3262 localhost:10350 ESTABLISHED
TCP sri:3264 localhost:10350 FIN_WAIT_2
TCP sri:3267 localhost:10350 ESTABLISHED
TCP sri:3269 localhost:10350 ESTABLISHED
TCP sri:3273 localhost:10350 TIME_WAIT
TCP sri:3275 localhost:10350 TIME_WAIT
TCP sri:3277 localhost:10350 TIME_WAIT
TCP sri:3278 localhost:10350 CLOSE_WAIT
TCP sri:3279 localhost:10350 TIME_WAIT
TCP sri:3280 localhost:10350 TIME_WAIT
TCP sri:3284 localhost:10350 ESTABLISHED
TCP sri:3287 localhost:10350 ESTABLISHED
TCP sri:3288 localhost:10350 ESTABLISHED
TCP sri:3292 localhost:10350 ESTABLISHED
TCP sri:3299 localhost:10350 ESTABLISHED
TCP sri:3301 localhost:10350 ESTABLISHED
TCP sri:3307 localhost:10350 TIME_WAIT
TCP sri:3320 localhost:10350 ESTABLISHED
TCP sri:3324 localhost:10350 ESTABLISHED
TCP sri:3328 localhost:10350 ESTABLISHED
TCP sri:5152 sri:0 LISTENING
TCP sri:5152 localhost:1380 CLOSE_WAIT
TCP sri:10350 sri:0 LISTENING
TCP sri:10350 localhost:3187 TIME_WAIT
TCP sri:10350 localhost:3188 ESTABLISHED
TCP sri:10350 localhost:3191 ESTABLISHED
TCP sri:10350 localhost:3193 TIME_WAIT
TCP sri:10350 localhost:3195 ESTABLISHED
TCP sri:10350 localhost:3197 TIME_WAIT
TCP sri:10350 localhost:3231 ESTABLISHED
TCP sri:10350 localhost:3233 ESTABLISHED
TCP sri:10350 localhost:3240 ESTABLISHED
TCP sri:10350 localhost:3246 TIME_WAIT
TCP sri:10350 localhost:3248 ESTABLISHED
TCP sri:10350 localhost:3252 CLOSE_WAIT
TCP sri:10350 localhost:3254 CLOSE_WAIT
TCP sri:10350 localhost:3256 CLOSE_WAIT
TCP sri:10350 localhost:3258 CLOSE_WAIT
TCP sri:10350 localhost:3260 ESTABLISHED
TCP sri:10350 localhost:3262 ESTABLISHED
TCP sri:10350 localhost:3264 CLOSE_WAIT
TCP sri:10350 localhost:3267 ESTABLISHED
TCP sri:10350 localhost:3269 ESTABLISHED
TCP sri:10350 localhost:3271 TIME_WAIT
TCP sri:10350 localhost:3284 ESTABLISHED
TCP sri:10350 localhost:3287 ESTABLISHED
TCP sri:10350 localhost:3288 ESTABLISHED
TCP sri:10350 localhost:3292 ESTABLISHED
TCP sri:10350 localhost:3299 ESTABLISHED
TCP sri:10350 localhost:3301 ESTABLISHED
TCP sri:10350 localhost:3303 TIME_WAIT
TCP sri:10350 localhost:3304 TIME_WAIT
TCP sri:10350 localhost:3309 TIME_WAIT
TCP sri:10350 localhost:3320 ESTABLISHED
TCP sri:10350 localhost:3324 ESTABLISHED
TCP sri:10350 localhost:3328 ESTABLISHED
TCP sri:10351 sri:0 LISTENING
TCP sri:10352 sri:0 LISTENING
TCP sri:10353 sri:0 LISTENING
TCP sri:10354 sri:0 LISTENING
UDP sri:microsoft-ds *:*
UDP sri:isakmp *:*
UDP sri:4500 *:*
UDP sri:9999 *:*
UDP sri:ntp *:*
UDP sri:netbios-ns *:*
UDP sri:netbios-dgm *:*
UDP sri:1900 *:*
UDP sri:ntp *:*
UDP sri:1900 *:*
UDP sri:3270 *:*

C:\Documents and Settings\Owner>

I hope someone can help me to tackle this problem.

THANKS IN ADVANCE
  • 0



#2
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
Hello,

I don't know if this will help as TCP is not my realm of expertise. Also, since you mention a "laptop", I have to assume you are using a wireless connection and have a wireless router. Given that... take a look at the links I'm posting here.

http://blog.washingt...s_wirele_1.html
Basically, this link talks about re-routing of your wireless router, more specifically DNSChanger. Since you say you already went through some spyware help, this may not apply. However, it still may be a good thing to check out.

http://extremesecuri...t-hijacked.html
This link basically talks about the same subject, but explains a little more of what you can do/look for.

To check if your router has been hijacked, you can run a cmd query by opening a cmd prompt and typing in ipconfig /all (note the space between ipconfig and /all)
If you read down the cmd window, you will see the IP address of your ISP listed on the line DNS Servers... it may look something like 66.75.160.64 depending on who your ISP is.

Next, you want to go to the following link and enter your DNS Server value to see if it relates to your ISP. Just enter the numbers you see in the DNS Server line of the cmd window
http://samspade.org/
The information displayed should be related to your ISP. The name and address of your ISP will show up in the first few lines. If you don't recognize the ISP as your own, I would think you might be hijacked and being rerouted, thus possibly why your connection is so messed up.

Well, as stated, I don't know if any of this will help you. Also, I don't know if you already went through this during your spyware help. However, this "check" is something everyone should do. There are a ton of people that don't secure their wireless routers with a password and it only leaves them open to hacking.

makai
  • 0

#3
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Makai,

Thank you for the reply and information regarding wireless security. However, my laptop is not on wireless; it is connected through an Ethernet cable. Do you have any idea what my problem could be?
Thanks Again
  • 0

#4
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
When you run ipconfig /all, is your ISP identified correctly? Use the Samspade link to determine if it is. What is the DNS value?
  • 0

#5
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Makai,

The ipconfig output is showing the correct DNS value, which refers to Virgin Media (my broadband provider). There are 3 DNS values shown:

DNS Servers . . . . . . . . . . . : 62.31.64.39
62.31.112.39
62.31.144.39

thanks in advance
  • 0

#6
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
As I stated in my first post this is not my realm of expertise. However after doing a little research, I'm wondering if perhaps you have a few programs that are constantly pinging the internet. Perhaps processes/programs running in the background doing periodical update/status checks.

I looked over your Hijackthis log in your spyware forum post, and it looks like there are a lot of startup programs. Skype, a few BHO, toolbars, etc.

What you might do is go to Start>run and type in msconfig
Go to the Startup tab and uncheck everything there... except anything to do with antivirus, firewall. Then restart your computer.

After your computer restarts, try running netstat -a again to see if there is still a lot of TCP activity.

I don't know how else to troubleshoot this but just looking at the TCP entries in your first post tends to make me think there are programs set to automatically ping the internet.

Let me know how it goes.
  • 0

#7
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi there

We tried removing all extraneous programmes during startup except antivirus etc. Unfortunately, no difference in log report. Any other ideas? TIA
  • 0

#8
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
Hello,

I used to be a Tech here not so long ago, and many times I would ask that the OP post a copy of his Hijackthis log in the thread. Can you do that? HOWEVER, DO NOT copy and paste the log into the thread, but rather only ATTACH THE LOG FILE as an attachment so I can download it.

Spyware is not the only thing the Hijackthis log is useful for. Hopefully the mods still remember me and won't grumble about it. :)
  • 0

#9
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Makai,

Attached is the log.

Thanks

Attached File  hijackthis.log_dec4th.txt   9.88KB   203 downloads
  • 0

#10
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
Sorry for not getting back to you sooner. I was researching your log. You sure do have a lot of things starting up that are unnecessary but it's difficult to determine what could be causing your problems. You have many services running that could probably be stopped, but I can't recommend which ones since I don't know what services you want to keep. On my computer, my total running processes in Task Manager is 21. This includes the fact that I also have Firefox open at the moment... without FF, it's only 20. How many processes are you running in Task Manager?

Also, this log doesn't appear to be taken after you disabled things in msconfig... or is it?

I don't know if I'll be able to help you solve this and it may take a while to finally get to the bottom of things... but I'll keep trying for as long as it takes.
  • 0



#11
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Makai,

In the Task Manager I have 45 processes.
System Configuration is showing about 20 services that are not Windows' and 43 Windows processes.
I think that's a lot. Do you know any software that is good at cleaning up any unnecessary running programs?
Appreciate your help.
  • 0

#12
Computer Dr

Computer Dr

    New Member

  • Member
  • Pip
  • 8 posts
Get two programs. First Free zonealarm, and don't let anything run except what you know for sure. Basic windows programs. If unsure just say no, but don't check the box.

Next Get Anvir Free version. It will show you everything that is running and you can stop & disable things you don't know/trust.

You may notice an immediate speed up. From there start pinging.
Ping 127.0.0.1 (start>run>cmd>ping xxx.x.x.x)
in dos prompt run ipconfig, and see what your gateway is, and ping that
Ping something like www.yahoo.com
They should all be around 30-50... 75 is getting too high.
  • 0

#13
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
Actually, 45 processes for a laptop isn't that much considering that laptops actually need more things running than a desktop. My desktop is 20, my laptops are 32.

I still think something that's running is causing the problem and I'm still trying to go through your log to find out. It's going to take some time since I'm going to look up every single item. I haven't disappeared, so I'll get back to you.


UPDATED...
I went through your log and noticed that you have a program starting up called X-Cleaner Deluxe. According to their website, this program will... "Thwart unauthorized TCP/IP connections"... which means it's probably monitoring traffic between your computer and the web.

When you ran msconfig, did you uncheck X-Cleaner from starting up, then restart your computer, and then do the netstat test? Was X-Cleaner even in the Startup tab in msconfig? (it should have been because it's an 04 entry in the HJT log). The reason I'm asking is I want to know if the log you posted was taken before or after you ran msconfig.

Also, I see you're running Windows Defender. Windows Defender is also monitoring traffic between your computer and the web... and so is the Nvidia Firewall you're running... and so is your ISP.

It almost seems that there is too much protection going on with your machine and maybe all of it is just slowing down your connection because they're all running together. If one app has to check and then allow connection, you won't connect unless the other apps run their checks too. JUST GUESSING HERE, since I can't actually look at your computer myself.

What you might have to do is to disable your defenses one at a time and run netstat to see if there is an improvement.

Try running msconfig again, and uncheck X-Cleaner, restart your machine, and then run netstat.
Do the same for Windows Defender and the Nvidia Firewall... one at a time. You may have to go into their respective programs to disable their startup as I don't see an 04 entry for them (so they might not show up in msconfig). By the way, after disabling each one, make sure you restart your computer so their process is not running when you run the netstat test.

Let me know how it goes!

Edited by makai, 05 December 2008 - 10:00 PM.

  • 0

#14
riz92

riz92

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Makai, Computer Dr,

Thanks for your input.

I have installed the 2 programs that you suggested, ZoneAlarm and Anvir. Unnecessary programs have been stopped from auto-startup, which includes the X-Cleaner. Windows Defender has also been disabled, a step at a time. About the Nvidia firewall, I do not know what it is. As far as I know I do not have this program installed.
Occasionally a high number of TCP connections is still shown in netstat -a.

When I ping yahoo.com it is showing 35ms. I tried a few other websites as well; the result is around the same, but some are showing a high reading of around 90-100ms.

One thing that I noticed in Anvir task manager is that it is showing rps.exe connecting to the local host, and that particular local host is showing a lot in netstat -a. When this happens the internet connection is very slow or at a standstill.
I do not know whether this is the root cause of the problem.

Appreciate your help.
Thanks in Advance
  • 0

#15
makai

makai

    Portlock - Oahu

  • Member
  • PipPipPipPipPip
  • 2,793 posts
rps.exe is your Broadband PCGuard.

Try disabling everything to do with PCGuard. You will have to do this using both msconfig and Services (Control Panel-Admin Tools-Services). Be sure to restart your computer before running your test.

Since you have ZA running now, plus all your other anti-virus apps, you shouldn't have a problem disabling PCGuard.

Edited by makai, 06 December 2008 - 12:36 PM.

  • 0
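The pattern reported in posts #1 and #14 (many sockets attached to one listening port on localhost) can be pulled out of a saved `netstat -a` listing mechanically. This is an added example, not part of any poster's reply; the sample rows are constructed in the format of the listing in post #1, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the format of the `netstat -a` listing in post #1.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP sri:epmap sri:0 LISTENING
TCP sri:3253 a88-221-114-181.deploy.akamaitechnologies.com:http ESTABLISHED
TCP sri:3312 193.38.108.198:https ESTABLISHED
TCP sri:1072 localhost:1073 ESTABLISHED
TCP sri:1073 localhost:1072 ESTABLISHED
TCP sri:3188 localhost:10350 ESTABLISHED
TCP sri:3252 localhost:10350 FIN_WAIT_2
TCP sri:3273 localhost:10350 TIME_WAIT
TCP sri:10350 sri:0 LISTENING
TCP sri:10350 localhost:3188 ESTABLISHED
TCP sri:10350 localhost:3252 CLOSE_WAIT
UDP sri:ntp *:*
"""

# host:port pairs; the host part may itself contain dots, dashes or '*'.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")
LOOPBACK = {"localhost", "127.0.0.1"}

def summarize(text):
    """Split TCP rows into external traffic and clients of local listeners."""
    rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
    listeners = {lport for _, lport, _, _, st in rows if st == "LISTENING"}
    external = Counter()             # state -> count for non-loopback peers
    clients = defaultdict(Counter)   # listener port -> client-side states
    unclosed = Counter()             # listener port -> server-side CLOSE_WAIT
    for _, lport, rhost, rport, state in rows:
        if state == "LISTENING":
            continue
        if rhost not in LOOPBACK:
            external[state] += 1
        elif rport in listeners:
            # Client end of a loopback connection to a local service.
            clients[rport][state] += 1
        elif lport in listeners and state == "CLOSE_WAIT":
            # Service end: the peer closed, the service has not closed yet.
            unclosed[lport] += 1
    busiest = max(clients, key=lambda p: sum(clients[p].values()), default=None)
    return {"external": dict(external),
            "clients": {p: dict(c) for p, c in clients.items()},
            "unclosed": dict(unclosed),
            "busiest": busiest}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Each loopback connection appears twice in the listing (once per end), so only the client end is counted per listener. On Windows XP, `netstat -ano` adds the owning process ID to each row, which ties the busiest port to a process name in Task Manager.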





