99 Posts
0
161812
February 23rd, 2004 23:00
Network problem???
Have a network of six computers, Dell Dimensions, Windows XP; one computer does the dialing to connect to the Internet, 56k modem. After I disconnect from the Internet, the modem immediately dials out again. When I disconnect it stays that way until I redial. I disconnected the network and the problem stopped. I cannot find out what program or computer is constantly dialing out to the Internet after shut down of #1 computer. All automatic updates are off. Have Norton SystemWorks, SpyBot, and routinely run virus checks etc. Also I changed the modem twice. Same problem.
Any ideas what may be the problem?


jmwills
2 Intern
•
12K Posts
0
February 23rd, 2004 23:00
frazser
99 Posts
0
February 23rd, 2004 23:00
Thanks for the fast response.
Just checked the email settings again and they are not set to auto dial. Any other place I can check?
Lupunus
11 Posts
0
February 25th, 2004 20:00
If there is no e-mailer autodialing, it sounds like you have a dialer or a trojan horse on one of your systems.
Try Ad-aware and/or Spybot to remove it and update your virus scanner to the latest signatures.
By the way, using a workstation as a network router to the Internet is very insecure!!
Greetz
Lupunus
frazser
99 Posts
0
February 25th, 2004 22:00
At present I have Spybot, Ad-aware and Spy Guard on all machines. Anti-virus (Nortons) is always updated. Have an eight switch router. Computer #1 connects to the Internet and the other computers are connected via CJ 5 cables to the router switch. All computers running Windows XP and up to date on all updates. Am going to use another computer as the #1 computer.
Another small problem I forgot to mention is that sometimes when I try to disconnect from the Internet from any computer there is no response. Sometimes I have to shut the computer down to get a disconnect from the Internet.
Will run Ad-aware and Spybot on all machines and see what happens.
Any ideas on what may be the problem? Been fighting this for some time. Any and all ideas are most welcomed.
sentinel-master
345 Posts
0
February 26th, 2004 16:00
To truly get to the bottom of this, I think you may need to download a freeware protocol analyser, like www.ethereal.com, but only if you are used to running protocol analysers and reading the traces.
If not, try issuing the following in the 32-bit command shell in XP: Start -> Run -> cmd
Then when the shell box (white on black) appears, type netstat -a
That should tell you the active network connections on your computer, and hopefully point to the activating source of the dial session. If you're not sure what you are looking at, do a cut and paste to post the output here.
jwatt
4.4K Posts
0
February 26th, 2004 18:00
The download is free for individual use.
Jim
frazser
99 Posts
0
February 26th, 2004 18:00
Trying to figure out how to cut and paste the C:\WINDOWS\SYSTEM32\cmd.exe information to this post.
In the meanwhile, I changed my network a little by making a different computer the master. Same problems. After disconnecting from the Internet the modem immediately dials out again.
frazser
99 Posts
0
February 27th, 2004 02:00
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\vincent f. splain>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ONE:pop3 ONE:0 LISTENING
TCP ONE:epmap ONE:0 LISTENING
TCP ONE:microsoft-ds ONE:0 LISTENING
TCP ONE:1025 ONE:0 LISTENING
TCP ONE:1026 ONE:0 LISTENING
TCP ONE:1028 ONE:0 LISTENING
TCP ONE:2869 ONE:0 LISTENING
TCP ONE:4393 ONE:0 LISTENING
TCP ONE:4394 ONE:0 LISTENING
TCP ONE:4395 ONE:0 LISTENING
TCP ONE:4396 ONE:0 LISTENING
TCP ONE:4397 ONE:0 LISTENING
TCP ONE:5000 ONE:0 LISTENING
TCP ONE:1027 ONE:0 LISTENING
TCP ONE:3001 ONE:0 LISTENING
TCP ONE:3002 ONE:0 LISTENING
TCP ONE:3003 ONE:0 LISTENING
TCP ONE:netbios-ssn ONE:0 LISTENING
TCP ONE:2869 SETI4.mshome.net:1866 ESTABLISHED
TCP ONE:2869 SETI3.mshome.net:1791 ESTABLISHED
TCP ONE:2869 SETI1.mshome.net:1098 ESTABLISHED
TCP ONE:2869 SETI1.mshome.net:2914 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:7986 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:8312 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:12441 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:18415 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:37541 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:40830 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:42993 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:45138 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:48816 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:63343 TIME_WAIT
TCP ONE:2869 SETI6.mshome.net:2116 ESTABLISHED
TCP ONE:2869 SETI2.mshome.net:1822 ESTABLISHED
TCP ONE:4388 SETI2.mshome.net:5000 TIME_WAIT
TCP ONE:4389 SETI1.mshome.net:5000 TIME_WAIT
TCP ONE:4393 SETI2.mshome.net:5000 ESTABLISHED
TCP ONE:4394 SETI1.mshome.net:5000 ESTABLISHED
TCP ONE:4395 SETI4.mshome.net:5000 ESTABLISHED
TCP ONE:4396 SETI3.mshome.net:5000 ESTABLISHED
TCP ONE:4397 SETI6.mshome.net:5000 ESTABLISHED
TCP ONE:epmap ONE:0 LISTENING 0
TCP ONE:1025 ONE:0 LISTENING 0
TCP ONE:1026 ONE:0 LISTENING 0
UDP ONE:microsoft-ds *:*
UDP ONE:isakmp *:*
UDP ONE:3004 *:*
UDP ONE:3021 *:*
UDP ONE:3228 *:*
UDP ONE:3238 *:*
UDP ONE:3274 *:*
UDP ONE:ntp *:*
UDP ONE:1900 *:*
UDP ONE:ntp *:*
UDP ONE:1900 *:*
UDP ONE:3005 *:*
UDP ONE:3015 *:*
UDP ONE:3961 *:*
UDP ONE:domain *:*
UDP ONE:bootps *:*
UDP ONE:bootpc *:*
UDP ONE:ntp *:*
UDP ONE:netbios-ns *:*
UDP ONE:netbios-dgm *:*
UDP ONE:1900 *:*
C:\Documents and Settings\vincent f. splain>
Is this the stuff you needed?
frazser
99 Posts
0
February 27th, 2004 16:00
Thanks JIMW for the reply. I have the six computers running SETI at Home. After each one has completed the unit assigned they are supposed to return the unit to SETI and download another one. Have Internet connection set to shut down after no activity for 10 minutes. Average about 34 units a day so they should only dial out that many times.
When the computer dials out after shutting down there is no activity seen on any of the computers. Bits of information sent and received as registered on the screen is only in the area of about 3 to 4,000 bytes. Checking the SETI screens on all computers indicates no need for any downloads or uploads.
If my dial-up computer is on with the network system disabled, that machine works like it is supposed to. Only with the network system activated do I have a problem.
Any other information you all need to help solve this problem? Ran all my spy stuff and anti-virus programs a number of times.
jwatt
4.4K Posts
0
February 27th, 2004 16:00
Yep! From the names of the other machines shown below..."SETI(n)", it looks like there may be multiple copies of "SETI at home" running on the LAN.
TCP ONE:2869 SETI4.mshome.net:1866 ESTABLISHED
TCP ONE:2869 SETI3.mshome.net:1791 ESTABLISHED
TCP ONE:2869 SETI1.mshome.net:1098 ESTABLISHED
TCP ONE:2869 SETI1.mshome.net:2914 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:7986 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:8312 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:12441 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:18415 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:37541 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:40830 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:42993 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:45138 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:48816 TIME_WAIT
TCP ONE:2869 SETI1.mshome.net:63343 TIME_WAIT
TCP ONE:2869 SETI6.mshome.net:2116 ESTABLISHED
TCP ONE:2869 SETI2.mshome.net:1822 ESTABLISHED
TCP ONE:4388 SETI2.mshome.net:5000 TIME_WAIT
TCP ONE:4389 SETI1.mshome.net:5000 TIME_WAIT
TCP ONE:4393 SETI2.mshome.net:5000 ESTABLISHED
TCP ONE:4394 SETI1.mshome.net:5000 ESTABLISHED
TCP ONE:4395 SETI4.mshome.net:5000 ESTABLISHED
TCP ONE:4396 SETI3.mshome.net:5000 ESTABLISHED
TCP ONE:4397 SETI6.mshome.net:5000 ESTABLISHED
Could it be that one or more of those machines is trying to submit data, or download another problem set?
Jim
Message Edited by jimw on 02-27-2004 01:41 PM
jwatt
4.4K Posts
0
February 27th, 2004 19:00
Getting a copy of TCPView might help figure this out. Here's a link to the tcpview zip file at sysinternals.com.
Once you have the downloaded file unzipped, run "tcpview.exe". Select "Show Unconnected Endpoints" and "Resolve Addresses" from the "Options" menu. Then select "File/Save As", and store the information into a text file. Then open the text file with Notepad, "Edit/Select All", and "Edit/Copy" the contents of the text file. Then paste the output into a Forum reply, and we'll see if we can figure this out!
If you run TCPView and save the output while there's an open dialout connection that you don't know about, that would likely help.
Jim
frazser
99 Posts
0
February 27th, 2004 21:00
alg.exe:724 TCP ONE:3001 ONE:0 LISTENING
explorer.exe:1612 TCP ONE:4027 ONE:0 LISTENING
explorer.exe:1612 TCP ONE:4028 ONE:0 LISTENING
IEXPLORE.EXE:3956 UDP ONE:3815 *:*
IEXPLORE.EXE:780 UDP ONE:3764 *:*
LEXPPS.EXE:1832 TCP ONE:1026 ONE:0 LISTENING
lsass.exe:872 UDP ONE:isakmp *:*
NAVAPW32.EXE:268 TCP ONE:1027 ONE:0 LISTENING
siMailProxyServer.exe:564 TCP ONE:pop3 ONE:0 LISTENING
svchost.exe:1128 TCP ONE:epmap ONE:0 LISTENING
svchost.exe:1192 TCP ONE:1025 ONE:0 LISTENING
svchost.exe:1192 TCP ONE:3002 ONE:0 LISTENING
svchost.exe:1192 TCP ONE:3003 ONE:0 LISTENING
svchost.exe:1192 UDP ONE:3004 *:*
svchost.exe:1192 UDP one:ntp *:*
svchost.exe:1192 UDP ONE:ntp *:*
svchost.exe:1192 UDP ONE:3005 *:*
svchost.exe:1192 UDP ONE:3015 *:*
svchost.exe:1192 UDP one.mshome.net:domain *:*
svchost.exe:1192 UDP one.mshome.net:bootps *:*
svchost.exe:1192 UDP one.mshome.net:bootpc *:*
svchost.exe:1192 UDP one.mshome.net:ntp *:*
svchost.exe:1460 UDP ONE:3021 *:*
svchost.exe:1460 UDP ONE:3228 *:*
svchost.exe:1460 UDP ONE:3238 *:*
svchost.exe:1460 UDP ONE:3274 *:*
svchost.exe:1460 UDP ONE:3827 *:*
svchost.exe:1460 UDP ONE:3828 *:*
svchost.exe:1524 TCP ONE:2869 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:3978 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:3979 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:3980 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:3981 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:3982 ONE:0 LISTENING
svchost.exe:1524 TCP ONE:5000 ONE:0 LISTENING
svchost.exe:1524 TCP one.mshome.net:2869 seti4.mshome.net:2754 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:2869 seti3.mshome.net:2549 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:2869 seti1.mshome.net:2273 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:2869 seti6.mshome.net:3006 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:2869 seti2.mshome.net:2772 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:3978 seti3.mshome.net:5000 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:3979 seti2.mshome.net:5000 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:3980 seti6.mshome.net:5000 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:3981 seti4.mshome.net:5000 ESTABLISHED
svchost.exe:1524 TCP one.mshome.net:3982 seti1.mshome.net:5000 ESTABLISHED
svchost.exe:1524 UDP one:1900 *:*
svchost.exe:1524 UDP ONE:1900 *:*
svchost.exe:1524 UDP one.mshome.net:1900 *:*
System:4 TCP ONE:microsoft-ds ONE:0 LISTENING
System:4 TCP ONE:1028 ONE:0 LISTENING
System:4 TCP one.mshome.net:netbios-ssn ONE:0 LISTENING
System:4 UDP ONE:microsoft-ds *:*
System:4 UDP one.mshome.net:netbios-ns *:*
System:4 UDP one.mshome.net:netbios-dgm *:*
Are these the items you were referring to?
Thanks, I really appreciate this help.
jwatt
4.4K Posts
0
February 27th, 2004 21:00
Yes. But I don't see any "off-lan" connections! Was the modem active at the time, and was there evidence of traffic passing through it? All those connections involving "svchost.exe" are odd-looking, but they're all to one or the other of the "seti" machines on the LAN.
Jim
jwatt
4.4K Posts
0
February 27th, 2004 22:00
"If you run TCPView and save the output while there's an open dialout connection that you don't know about, that would likely help."
Now that we have baseline data when there wasn't any active connection, the next step is to see if we can catch the culprit process in the act. So while an unexpected dialout is happening, take another look with TCPView.
Jim
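The check done by eye in the replies above, looking for connections whose remote end is not on the LAN, can be scripted over saved TCPView or `netstat -a` text. This is an added example and not part of the original thread; the `.mshome.net` suffix and the host name `ONE` are taken from the posted output, and the `remote-host.example` line in the sample is constructed.

```python
import ipaddress
from collections import defaultdict

LAN_SUFFIX = ".mshome.net"  # assumption: LAN names end in this suffix, as in the thread
LOCAL_NAMES = {"one", "localhost", "*"}  # assumption: "ONE" is the dial-up machine

# Constructed sample in the posted formats; the remote-host.example line is invented.
SAMPLE = """\
svchost.exe:1524 TCP ONE:5000 ONE:0 LISTENING
svchost.exe:1524 TCP one.mshome.net:2869 seti4.mshome.net:2754 ESTABLISHED
svchost.exe:1192 UDP one.mshome.net:domain *:*
TCP ONE:4393 SETI2.mshome.net:5000 ESTABLISHED
IEXPLORE.EXE:3956 TCP one.mshome.net:4101 remote-host.example:http ESTABLISHED
"""

def is_lan(host):
    """True when the remote host is this machine, a LAN name or a private address."""
    h = host.lower()
    if h in LOCAL_NAMES or h.endswith(LAN_SUFFIX):
        return True
    try:
        return ipaddress.ip_address(h).is_private  # unresolved addresses
    except ValueError:
        return False  # any other name is treated as off-LAN

def parse_line(line):
    """Return (process, proto, remote, state) or None for headers and noise."""
    parts = line.split()
    if parts and parts[0].upper() in ("TCP", "UDP"):
        parts.insert(0, "unknown")  # netstat -a output carries no process column
    if len(parts) < 4 or parts[1].upper() not in ("TCP", "UDP"):
        return None
    state = parts[4] if len(parts) > 4 else ""
    return parts[0], parts[1].upper(), parts[3], state

def off_lan(text):
    """Map each process to the off-LAN remote endpoints it holds."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] == "LISTENING":
            continue
        process, _proto, remote, _state = rec
        if not is_lan(remote.rpartition(":")[0]):
            hits[process].append(remote)
    return dict(hits)

if __name__ == "__main__":
    for process, remotes in off_lan(SAMPLE).items():
        print(process, "->", ", ".join(remotes))
```

An empty result on a capture taken during an unexpected dial-out means the trigger was not an open TCP connection at that instant, which matches the baseline posted in the thread.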
frazser
99 Posts
0
February 27th, 2004 22:00