Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Strange outgoing connection for WPAD?

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
I'm at wits end here. Since yesterday whenever I connect to my router (via Ethernet) svchost tries to connect to some obscure IP. The previous night it never did this and I've not installed anything new. I'm using Comodo and my defense+ and firewall have both been on permanently. Windows 7 64bit SP1.

Some of it seems to be IPV6 traffic? Strange, some sort of IPV4 tunneling possibly? Also, ignore, I'm just blocking Microsoft.

Anyway, I did multiple malware scans (malwarebytes, spybot, super-antispyware, Dr. Web, Gmer) and never found a thing. I also re-imaged my entire system HDD to 3 weeks ago, but the exact same behavior occurs (And it never did so previously). So time to dig deeper...

Using TCP View I found the Svchost process attempting the connection. I then moved on to Process Monitor to track the PID and found that the service NIS (Network Store Interface Service) is initiating the connection.

So that doesn't help much.

So I fired up Wireshark. Following the TCP traffic I originally got nothing, but then I gave up and decided to let the connection through. Managed to follow those packets and I got:

GET /wpad.dat HTTP/1.1Connection: Keep-AliveAccept: */*Host: 404 Not FoundServer: BaseHTTP/0.3 Python/2.6.6Content-type: text/htmlVary: HostContent-Length: 384Accept-Ranges: bytesDate: Wed, 27 Jun 2012 11:21:03 GMTAge: 0Via: 1.1 varnishConnection: close<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" />
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>Nothing matches the given URI</p>

This is supposed to be hosted at Going to this page results in a 404 error just as seen in the HTML from wireshark.

Attached are screenshots from Process Monitor and my Comodo firewall log. Any ideas?

Attached Thumbnails

  • pic1.png
  • pic2.png

  • 0




    Tech Secretary

  • Global Moderator
  • 3,888 posts
Hello ProCo,

Are you still loooking for an answer on this one? If so, we can start some digging.

Also, why would you block Microsoft? :confused:

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP