99 Posts

February 23rd, 2004 23:00

Network problem???

Have a network of six computers, Dell Dimensions, Windows XP, one computer does the dialing to connect to the Internet, 56k modem. After I disconnect from the Internet, the modem immediately dials out again. When I disconnect it stays that way until I redial. I disconnected the network and the problem stopped. I cannot find out what program or computer is constantly dialing out to the Internet after shut down of #1 computer. All automatic updates are off. Have Norton SystemWorks, SpyBot, and routinely run virus checks etc. Also I changed the modem twice. Same problem.

Any ideas what may be the problem?

4.4K Posts

February 28th, 2004 15:00

One service that you can likely get along without is XP's "Universal Plug and Play" (UPnP). It's responsible for the TCP/5000 and UDP/1900 listeners in the TCPView output.

Here's an article on turning off the two components involved with UPnP:

http://www.tweakxp.com/tweak782.aspx

Another article by Steve Gibson overstates the risks (in my opinion), but provides a tool for disabling UPnP:

http://grc.com/unpnp/unpnp.htm

There's a lengthy article explaining UPnP there, as well as a GUI tool for enabling and disabling the two services involved.

Try disabling it on "ONE" first.

Jim

120 Posts

February 28th, 2004 15:00

Sorry I wasn't too clear. This setting is for the computer that has the direct connection to the internet. It should stop the other slave machines on the network from starting a dial out.

It's not in internet options, it's the connection to the internet in "Network Connections" on computer ONE.

Message Edited by ostell on 02-28-2004 05:46 PM

99 Posts

February 28th, 2004 15:00

I believe so, if I am understanding your question. Just one modem is active and that is on computer ONE. The other computers are connected to ONE by the LAN cables.

If I bring up Internet Options on the five slave computers > Internet Properties > Connection tab, I can't get to the advanced setting tab, as the option is not available due to being on a network system.

99 Posts

February 29th, 2004 22:00

Thanks for the advice Ostell. I understand what you are telling me now and will definitely consider that as a later action if we don't find this problem.

99 Posts

March 1st, 2004 14:00

JIMW, followed your directions. Have a readout of computer SETI6 when the network was disabled and again when I enabled it. As soon as I connected the network, Computer ONE connected to the Internet. Hope you can use these items to troubleshoot.
 
 Proto  Local Address          Foreign Address        State
 TCP    SETI6:epmap            0.0.0.0:0              LISTENING
 TCP    SETI6:microsoft-ds     0.0.0.0:0              LISTENING
 TCP    SETI6:1025             0.0.0.0:0              LISTENING
 TCP    SETI6:1029             0.0.0.0:0              LISTENING
 TCP    SETI6:2620             0.0.0.0:0              LISTENING
 TCP    SETI6:2623             0.0.0.0:0              LISTENING
 TCP    SETI6:5000             0.0.0.0:0              LISTENING
 TCP    SETI6:1028             0.0.0.0:0              LISTENING
 TCP    SETI6:epmap            [::]:0                 LISTENING       0
 TCP    SETI6:1025             [::]:0                 LISTENING       0
 UDP    SETI6:microsoft-ds     *:*
 UDP    SETI6:isakmp           *:*
 UDP    SETI6:1030             *:*
 UDP    SETI6:1123             *:*
 UDP    SETI6:2882             *:*
 UDP    SETI6:ntp              *:*
 UDP    SETI6:1037             *:*
 UDP    SETI6:1900             *:*
 UDP    SETI6:3009             *:*
 UDP    SETI6:1900             *:*

:\Documents and Settings\vincent splain>

 Proto  Local Address          Foreign Address        State
 TCP    SETI6:epmap            0.0.0.0:0              LISTENING
 TCP    SETI6:microsoft-ds     0.0.0.0:0              LISTENING
 TCP    SETI6:1025             0.0.0.0:0              LISTENING
 TCP    SETI6:1029             0.0.0.0:0              LISTENING
 TCP    SETI6:2620             0.0.0.0:0              LISTENING
 TCP    SETI6:2623             0.0.0.0:0              LISTENING
 TCP    SETI6:5000             0.0.0.0:0              LISTENING
 TCP    SETI6:1028             0.0.0.0:0              LISTENING
 TCP    SETI6:epmap            [::]:0                 LISTENING       0
 TCP    SETI6:1025             [::]:0                 LISTENING       0
 UDP    SETI6:microsoft-ds     *:*
 UDP    SETI6:isakmp           *:*
 UDP    SETI6:1030             *:*
 UDP    SETI6:1123             *:*
 UDP    SETI6:2882             *:*
 UDP    SETI6:ntp              *:*
 UDP    SETI6:1037             *:*
 UDP    SETI6:1900             *:*
 UDP    SETI6:3009             *:*
 UDP    SETI6:1900             *:*

:\Documents and Settings\vincent splain>

99 Posts

March 1st, 2004 14:00

After being connected to the Internet for about three minutes, I pasted the following activity.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\vincent splain>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SETI6:epmap            SETI6:0                LISTENING
  TCP    SETI6:microsoft-ds     SETI6:0                LISTENING
  TCP    SETI6:1025             SETI6:0                LISTENING
  TCP    SETI6:1029             SETI6:0                LISTENING
  TCP    SETI6:2620             SETI6:0                LISTENING
  TCP    SETI6:2623             SETI6:0                LISTENING
  TCP    SETI6:3439             SETI6:0                LISTENING
  TCP    SETI6:5000             SETI6:0                LISTENING
  TCP    SETI6:1028             SETI6:0                LISTENING
  TCP    SETI6:netbios-ssn      SETI6:0                LISTENING
  TCP    SETI6:3439             ONE.mshome.net:2869    ESTABLISHED
  TCP    SETI6:5000             ONE.mshome.net:3617    ESTABLISHED
  TCP    SETI6:epmap            SETI6:0                LISTENING       0
  TCP    SETI6:1025             SETI6:0                LISTENING       0
  UDP    SETI6:microsoft-ds     *:*
  UDP    SETI6:isakmp           *:*
  UDP    SETI6:1030             *:*
  UDP    SETI6:1123             *:*
  UDP    SETI6:2882             *:*
  UDP    SETI6:ntp              *:*
  UDP    SETI6:1037             *:*
  UDP    SETI6:1900             *:*
  UDP    SETI6:3072             *:*
  UDP    SETI6:ntp              *:*
  UDP    SETI6:netbios-ns       *:*
  UDP    SETI6:netbios-dgm      *:*
  UDP    SETI6:1900             *:*

C:\Documents and Settings\vincent splain>

4.4K Posts

March 1st, 2004 15:00

It looks like UPnP is still running on "ONE", since there's a connection from TCP/5000 on SETI6 to an apparently random port (3439) on ONE. And once again, there's no sign of an "off-lan" connection.

Try using one of the tools I cited in this note to stop UPnP on "ONE". If the connections don't stop, try disabling UPnP on SETI6. Leave that service disabled on "ONE".

I'm assuming SETI6 is the only "SETI" machine connected when you did the last two experiments.

Another service that might cause dialouts is the "Network Time Protocol", but I wouldn't expect them to be as frequent as this.

Let's see what happens if UPnP is turned off on "ONE" first.

Jim
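
As an added illustration (not part of the original posts and not any poster's own code), the by-eye comparison of captures discussed above can be scripted: this Python example diffs two `netstat -a` captures for new listeners and tags each ESTABLISHED peer as on-LAN or off-LAN. The sample captures are constructed from lines posted in the thread; the `.mshome.net` suffix test and treating TCP/2869 as a UPnP port are assumptions of this example.

```python
import re
# Constructed sample input modelled on the captures posted in this thread.
BEFORE = """\
  TCP    SETI6:epmap            0.0.0.0:0              LISTENING
  TCP    SETI6:5000             0.0.0.0:0              LISTENING
  UDP    SETI6:1900             *:*
"""
AFTER = """\
  TCP    SETI6:epmap            SETI6:0                LISTENING
  TCP    SETI6:3439             SETI6:0                LISTENING
  TCP    SETI6:5000             SETI6:0                LISTENING
  TCP    SETI6:netbios-ssn      SETI6:0                LISTENING
  TCP    SETI6:3439             ONE.mshome.net:2869    ESTABLISHED
  TCP    SETI6:5000             ONE.mshome.net:3617    ESTABLISHED
  UDP    SETI6:1900             *:*
  UDP    SETI6:netbios-ns       *:*
"""

# TCP/5000 and UDP/1900 are the UPnP listeners named in the thread;
# TCP/2869 (SSDP event notification) is added here as an assumption.
UPNP_PORTS = {("TCP", "5000"), ("UDP", "1900"), ("TCP", "2869")}
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\w+))?")

def parse(text):
    """Return (proto, local_port, remote_host, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, prompt and blank lines do not match and are skipped
            proto, _lhost, lport, rhost, rport, state = m.groups()
            rows.append((proto, lport, rhost, rport, state or ""))
    return rows

def listeners(rows):
    # UDP rows carry no state column; treat them as bound endpoints.
    return {(p, lp) for p, lp, _h, _rp, st in rows if st in ("LISTENING", "")}

def new_listeners(before, after):
    return sorted(listeners(parse(after)) - listeners(parse(before)))

def established(text, local_host, lan_suffix):
    """Tag each ESTABLISHED peer as lan/off-lan and as UPnP-related or not."""
    out = []
    for proto, lport, rhost, rport, state in parse(text):
        if state == "ESTABLISHED":
            on_lan = rhost == local_host or rhost.endswith(lan_suffix)
            upnp = bool({(proto, lport), (proto, rport)} & UPNP_PORTS)
            out.append((rhost, lport, rport, "lan" if on_lan else "off-lan", upnp))
    return out
```

Host names in `netstat -a` output come from name resolution, so for a real check capture with `netstat -an` and compare peers against the LAN's address range rather than a name suffix.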

99 Posts

March 1st, 2004 17:00

JIMW

Used the download link you sent to disable the plug N'play on ONE. Same problem, as soon as SETI 6 network was opened, Computer ONE dialed out. Downloaded file to the SETI 6 computer, same problem.

Vince

99 Posts

March 1st, 2004 18:00

JIMW,

 

My computer now has stayed off the Internet for about one hour. Maybe something has fixed it. However I will hold off on your recommendation for a few hours and see what happens. In the mean while I will see if I can follow the listed directions.

Should I keep the Plug N'Pray program in the dis-able mode?

Thanks

vince

4.4K Posts

March 1st, 2004 18:00

My computer now has stayed off the Internet for about one hour. Maybe something has fixed it. However I will hold off on your recommendation for a few hours and see what happens. In the mean while I will see if I can follow the listed directions.

I think that means that the UPnP service was "opening the door" for an as yet unknown program to establish a connection via ONE's dialup. I agree on holding off until you're confident that we've been able to stop this from happening.

Should I keep the Plug N'Pray program in the dis-able mode?

Yes, leave UPnP disabled. At some point, we'll need to confirm that re-enabling the UPnP service brings the symptom back. I don't think UPnP is the cause of the problem (if indeed re-enabling it brings the problem back!). Something else is taking advantage of what UPnP can do. That's why looking at the system (SETI6) with HijackThis may point toward the real source of the problem.

Jim

4.4K Posts

March 1st, 2004 18:00

It's time to bring some more ammunition to find this problem.

Can you do two things...

First, post another set of "TCPView" output from SETI6 while a dialout is active. I'll check it and see if I can spot anything else that might be causing this.

Second, obtain a copy of HijackThis, and post the output to the Virus Information and Removal board.

Here are the current directions for obtaining and running HijackThis, taken from a recent note by ChrisRLG. I edited the download links because there is an intense distributed denial of service attack going on against most of the sites distributing Hijackthis. The remaining one works - I just confirmed it.

Download HijackThis From this link:-

http://www.aluriasoftware.com/tools/hijackthis.zip

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in Notepad copy the FULL log by copy and paste as a reply to this post, and an expert with HijackThis knowledge will have a go at giving advice. Please note the list of experts' names below; very few forum regulars here have had this training.

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.


Jim

4.4K Posts

March 1st, 2004 22:00

Another worthwhile tool to install on SETI6 would be ZoneAlarm. Unlike the XP firewall, ZoneAlarm can stop programs that are trying to connect to Internet sites from the machine ZoneAlarm is installed on.

I have the "Plus" version, but the free version provides the functionality needed to trap programs attempting to make outbound connections.

This link takes you to a ZoneLabs page that compares the features of their various firewall products. There's a download of the free "basic" version of ZoneAlarm there.

Jim

99 Posts

March 2nd, 2004 03:00

Jim,

After a number of Internet delays, telephone and storm problems in area, I finally downloaded Zone Alarm on SETI 6. First item that came up on SETI 6 is ZA Pro Alert. Do you want to allow Generic Host Process for Win32 Services to access local Network?

Technical Information

Destination IP: 192.168.0.1:DNS

Application: svchost.exe

Version 5.1.2600.0(xpclient.010817.1148

4.4K Posts

March 2nd, 2004 03:00

Technical Information

Destination IP: 192.168.0.1:DNS


Yes, that one's OK. If you have ZA set so it recognizes your local network (192.168.0.0/255.255.255.0), things that are trying to get to other resources on that LAN are OK. That particular one is trying to reach the domain nameserver proxy at 192.168.0.1. That should be the IP address of your router.

Can you post the "ipconfig /all" output from SETI6 and ONE? I need to check to be sure I understand the way your network's set up. Thanks!

Jim

4.4K Posts

March 2nd, 2004 04:00

\Documents and Settings\vincent f. splain>netstat -a

Thanks. Can you also post the ipconfig /all output?

I thought you'd said that the unexpected dialouts had stopped after you'd disabled UPnP on "ONE" and "SETI6"! Did I miss something?

Jim