
Internet activity without a browser on

(37 posts)
  • Started 6 years ago by popscott
  • Latest reply from fusionx22
  • Topic Viewed 8655 times

popscott
Posts: 16

I have a laptop that sucks my hughes.net usage (200mb) when I connect the network adapter, but do not have a browser on. It is a svchost netsvcs that is causing it. 67-148-147-128.dia.static.qwest.net is coming up in the task manager resource monitor screen. I can kill "end process" the svchost at least a couple of times and the problem goes away.

I have msconfiged and the start page and stopped any un-needed programs.

Where is it getting the qwest.net addy, as I can do a detailed search and nothing comes up? Nothing appears in the Registry either (regedit).

Windows update is turned off and Norton's update and pulse checker is turned off.

HiJack this log at http://popscott.webs.com/hijackthis.txt

processes running at http://popscott.webs.com/laptop.jpg

Thanks in advance

Posted 6 years ago
 
whs
Posts: 17584

This is very strange because 67-148-147-128 is a Dutch soccer betting network that has a node in the US.
http://www.robtex.com/ip/67.148.147.128.html

Depending on the AV program you are using, you may be able to set it on the block list.

Posted 6 years ago
 
popscott
Posts: 16

Actually when it resets itself after I "end process", it will vary the values to these (seems random) and others: 67-148-147-107, 67-148-147-123. Also the qwest.net is a high speed ISP.

Norton AV here. What do I put in to get this blocked, just qwest.net or the whole number static qwest thingy?

Posted 6 years ago
 
whs
Posts: 17584

Not sure, try both. Cannot hurt.

Posted 6 years ago
 
Kelen
Posts: 283

I suggest you take a look through services and disable anything strange.

Posted 6 years ago
 
popscott
Posts: 16

I have these services running when this is happening

http://popscott.webs.com/1.jpg

I get an access denied if I try to stop any of these services so I can't tell which one is doing it.

Posted 6 years ago
 
ispalten
Posts: 6259

Might want to read this page, http://www.clickonf5.org/micro.....ction/7261

You can also run from an Elevated Command Prompt NETSTAT -o -b, it will show who is using the internet and where connected to.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

The resource monitor is how I got the static qwest.net stuff. I'm curious as to where I can find where the static.qwest.net comes from. I can search my computer and registry and can find no reference.

Posted 6 years ago
 
ispalten
Posts: 6259

Did you TRY the NETSTAT command?

Irv S.

Posted 6 years ago
 
raphoenix
Posts: 14920

popscott,

http://commandwindows.com/index.html
http://ss64.com/index.html

***Run NETSTAT as ispalten (Irv S.) Recommends !!!!

http://commandwindows.com/netstat.htm
http://ss64.com/nt/netstat.html

Regards,
Rick P.

Posted 6 years ago
 
popscott
Posts: 16

Elevated Command Prompt what does it mean.... when I put NETSTAT -o -b in the regular command prompt it says I need to elevate it, which I don't know what that means? All the links shown, I do not see how to get my command prompt elevated.

As for the http://www.clickonf5.org link above... the article describes the task manager, resource monitor that I ALREADY have been getting the static.qwest.net information from. It is the internet addy (qwest.net) that has the same PID number as the svchost that comes up and starts downloading. If I "end process" the svchost with that PID number at least 2 times, then the problem, svchost, and qwest.net go away. I get the same results when I run the "Process Explorer" program, TCPViewer program, and autorun program from Microsoft. I'm seeing the Netstat may bring me the same results as I already have.

Posted 6 years ago
 
LH
Posts: 20002

Right click on your Command Prompt shortcut, and select, Run as Administrator.

Posted 6 years ago
 
popscott
Posts: 16

http://popscott.webs.com/netstat.jpg
is netstat screenshot

Posted 6 years ago
 
ispalten
Posts: 6259

Check here ==> http://www.robtex.com/dns/www.tvb.com.hk.html

I assume QWEST is NOT your ISP?

Do an IPCONFIG /ALL in a command prompt and post results please?

Irv S.

Posted 6 years ago
 
popscott
Posts: 16
 
ispalten
Posts: 6259

Very odd setting for the DNS servers? One to your Router, another to I suppose your ISP, DIRECTPC.COM?

Remove the one in your network settings to the Router... let it default to what it finds.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

Am I uninstalling this in the wireless internet connection properties screen?

http://popscott.webs.com/adapter1.jpg

Also I have references to 2 adapters.... one WLAN minicard and a Wifi miniport adapter (disabled), is this correct?

http://popscott.webs.com/adapter2.jpg

Posted 6 years ago
 
ispalten
Posts: 6259

The PROPERTIES for TCP/IPv4 need to have the DNS settings removed and let it get the DNS servers automatically. I suspect it now has the 192.xxx.xxx.xxx address in it.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

http://popscott.webs.com/dns.jpg

Is this what it's supposed to look like..... it did not fix the problem, after restart.

It had a gateway value of 168.192.0.3 that I deleted in IP setting screen.

DHCP enabled is in the IP address, not auto config, which won't let me change it.

Posted 6 years ago
 
ispalten
Posts: 6259

No, on the PROPERTIES you used ADVANCED to get to the one shown. There the DNS should be blank and checked to get automatically (Obtain DNS Server addresses automatically). On the property you are showing, the IP Settings tab should show DHCP enabled.

The Gateway should also be blank, but if you had the IP Address of the Router in there, it would be OK. That would be 192.168.1.1, not what you had.

Irv S.

Posted 6 years ago
 
ispalten
Posts: 6259

I guess you can also try these two programs out :

http://technet.microsoft.com/e.....97437.aspx
http://www.netlimiter.com/featurelistnl3.php

The SysInternals is pretty close to what NETSTAT would show, but maybe it will work better?

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

TCP/IPv4 DNS settings did not help.
I have found if I stop the Background Intelligent Transfer Service that this svchost is still active, but the background download is not happening. Can I just disable it (Background Intelligent Transfer Service Under Task Manager, Services) or will it screw up my windows updates and norton updates

http://popscott.webs.com/bits.jpg

Posted 6 years ago
 
raphoenix
Posts: 14920

BITS has to be Enabled for auto updates.

Posted 6 years ago
 
popscott
Posts: 16

Please help me understand where this thing is taking me..... The PID svchost starts with the address 65.55.158.118 and always ends up with the static.qwest.net. "Stopping" the Background Intel services fixes the problem or "end process" the svchost several times also fixes it..... Is there any way to BLOCK these addresses somewhere?

http://popscott.webs.com/t1.jpg startup, then

http://popscott.webs.com/t2.jpg Then

http://popscott.webs.com/t3.jpg

Thanks in advance

Posted 6 years ago
 
raphoenix
Posts: 14920

Open the (4) files with Notepad in this directory. The .sam will not be available.
C:\Windows\System32\drivers\etc

Is there a reference to the issue in these files ????

Posted 6 years ago
 
ispalten
Posts: 6259

Might I suggest you give this a try, https://www.howtogeek.com/forum/topic/get-this-tcpip-packet-tracer-now?replies=2 as it could tell you more info?

Irv S.

Posted 6 years ago
 
popscott
Posts: 16
 
ispalten
Posts: 6259

Is the HOSTS.TXT your HOSTS file? According to this link, http://support.microsoft.com/kb/972034 it shouldn't look like that, it should have NO entries (ones without the # in the beginning) in Windows 7. I have a 64-bit version and my HOSTS file is in C:\Windows\system32\drivers\etc by the way.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

Do your following lines have the # in the beginning (which mine don't)? Theirs show they do.

127.0.0.1 localhost
::1 localhost

Posted 6 years ago
 
ispalten
Posts: 6259

Here is my HOSTS file :

============
C:\Windows\System32\drivers\etc>type hosts
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# 127.0.0.1 localhost
# ::1 localhost

C:\Windows\System32\drivers\etc>
=============

Why not copy the existing one to HOSTS.OLD and then edit the HOSTS file to look like mine? If it works, fine, if not copy the OLD over the one you have and then delete the OLD file, thereby restoring the HOSTS to the original?

Irv S.

Posted 6 years ago
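
The HOSTS check discussed in the posts above (a Windows 7 default file has no active, un-commented entries), as an added example that is not part of any post in this thread. `DEFAULT_HOSTS` is abridged from the file shown above; `MODIFIED_HOSTS`, its host names and the address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Abridged from the default Windows 7 HOSTS file posted above: comments only.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#      127.0.0.1        localhost
#      ::1              localhost
"""
# Constructed sample: names and 203.0.113.10 are placeholders, not from the thread.
MODIFIED_HOSTS = """\
127.0.0.1       localhost
::1             localhost
203.0.113.10    update.example.test www.example.test  # constructed entry
not-an-ip       broken.example.test
"""

LOOPBACK_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, ip, names, verdict) for every active (un-commented) line."""
    findings = []
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop inline comment, then tokenize
        if not entry:
            continue                            # blank or comment-only line
        ip_text, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((no, ip_text, names, "malformed"))
            continue
        if ip.is_loopback and names and {n.lower() for n in names} <= LOOPBACK_NAMES:
            verdict = "loopback-localhost"      # harmless, but absent from the default file
        else:
            verdict = "review"                  # a name pinned to a fixed address
        findings.append((no, str(ip), names, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(MODIFIED_HOSTS):
        print(finding)
```

Active `localhost` loopback lines are reported separately from other entries, since only the latter redirect a name to an address chosen by whoever edited the file.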
 
popscott
Posts: 16

Tried this and it did not help.....

I did find out how to block an ip address....

67-148-147-128.dia.static.qwest.net, but I'm finding it hard to do as the last three digits (128) keep changing to new values, so I can only get some blocked.

Posted 6 years ago
 
ispalten
Posts: 6259

You could be worried about nothing... look here, http://www.robtex.com/ip/67.148.147.128.html the last two links as well on that page.

If you dig around the links, you'll find the person who 'owns' the registration, david.nolen(at)qwest.com, you could try writing him?

Many also resolve to Akamai.net, which is used by banners and pop-ups for advertising.

I guess it is quite possible your DNS is doing this as well.

Maybe you should try using OPENDNS ( http://www.opendns.com/ ) or Google DNS ( http://code.google.com/speed/p.....intro.html ) both of which will NOT allow the bad sites and links (that they know about) through.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

If I stop the BITS (Background Intelligent Transfer Service) process this problem immediately stops.

I CAN NOT get it (BITS) to startup as a manual or disabled setting. It resets itself to an "automatic with delay" on restart. How do I find what is using this BITS and resetting what I set the startup to?

Posted 6 years ago
 
ispalten
Posts: 6259

You DO NOT want to stop that service... if you do, you will NOT be able to get Windows Updates... and it seems if that is the cause, you have not gotten fully some Windows updates. They are STILL in progress.

Some links about it:

http://technet.microsoft.com/e.....82721.aspx
http://msdn.microsoft.com/en-u.....85%29.aspx
http://wiki.blackviper.com/wik.....er_Service
http://en.wikipedia.org/wiki/B.....er_Service

In a nutshell, these are the processes that use it :

It is most commonly used by recent versions of Windows Update, Microsoft Update, Windows Server Update Services, and Systems Management Server to deliver software updates to clients, Microsoft's anti-virus scanner Microsoft Security Essentials to fetch signature updates, and is also used by Microsoft's instant messaging products to transfer files.

Stop it from running, you'll lose the above capabilities. I don't think you'd want to do that.

Irv S.

Posted 6 years ago
 
popscott
Posts: 16

I have run my Windows update, Norton update, adobe update when this all started, but it didn't help. So they should be current.

I read another blog and someone else said they had changed BITS to "manual" on startup to stop it. But mine keeps resetting itself on restart.

Posted 6 years ago
 
ispalten
Posts: 6259

Like I've said before, if you check who is active in terms of ports and where connected to, you can figure out why. Once you know where the connection is coming from, you can determine why?

You might still be in the middle of getting updates for instance? How can you tell if you are current? If they are still trying to update it will report current.

Try NETSTAT -o -b -a and see if it gives more data?

When you say resetting, under SERVICES does it show AUTOMATIC (DELAYED) or just that it is running? Completely different meaning.

Irv S.

Posted 6 years ago
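
The triage the NETSTAT posts above point toward, as an added example that is not part of any post in this thread: join `netstat -ano` connections to the services hosted in each PID (`tasklist /svc /fo csv`) and summarise the remote addresses by /24. Both captures are constructed; the remote addresses are the ones quoted in the thread, while the local address, PIDs and service lists are assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed `netstat -ano` capture (remote IPs are those quoted in the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    192.168.0.5:49201      67.148.147.128:80      ESTABLISHED     912
  TCP    192.168.0.5:49202      67.148.147.107:80      ESTABLISHED     912
  TCP    192.168.0.5:49210      65.55.158.118:443      TIME_WAIT       0
  TCP    192.168.0.5:49215      67.148.147.123:80      ESTABLISHED     912
  UDP    0.0.0.0:5355           *:*                                    1104
"""
# Constructed `tasklist /svc /fo csv` capture; PIDs and service lists are assumptions.
TASKLIST = '''\
"Image Name","PID","Services"
"svchost.exe","780","RpcEptMapper,RpcSs"
"svchost.exe","912","BITS,Schedule,wuauserv"
"svchost.exe","1104","Dnscache"
'''

def established_by_pid(netstat_text):
    """Map PID -> set of remote IPv4 addresses with an ESTABLISHED TCP session."""
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; the header and UDP rows (no State) do not match.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            host = f[2].rsplit(":", 1)[0]
            if not host.startswith("["):        # bracketed IPv6 is skipped here
                remotes[int(f[4])].add(host)
    return dict(remotes)

def services_by_pid(tasklist_csv):
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): r["Services"].split(",") for r in rows}

def report(netstat_text, tasklist_csv):
    """One (pid, services, /24 networks, hosts) tuple per PID with live sessions."""
    svc, out = services_by_pid(tasklist_csv), []
    for pid, hosts in sorted(established_by_pid(netstat_text).items()):
        nets = sorted({str(ipaddress.ip_network(h + "/24", strict=False)) for h in hosts})
        out.append((pid, svc.get(pid, ["N/A"]), nets, sorted(hosts)))
    return out

if __name__ == "__main__":
    for row in report(NETSTAT, TASKLIST):
        print(row)
```

A shared svchost PID only narrows the traffic to the group of services hosted in that process, and the /24 column shows when several changing addresses belong to one range.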
 
fusionx22
Posts: 1

Sorry for bumping an old post, but I saw the same activity and was searching for an answer.

I traced it down pretty quickly and thought I could maybe save someone else some time - in my case it's an auto-update download from Adobe Reader.

Posted 5 years ago
 


