TCP connections alive well after Firefox is closed
According to Sysinternals TCPView, I have several TCP connections that stay open (established) well after I close and exit Firefox, I'm talking 8 hours after. Normal connections close within minutes if shutting down Firefox. I'd post a pic, but there is no option for it so here's a paste (commas instead of tabs):
process/protocol, local address, remote address, state
firefox.exe.7108, TCP, russ-l675,gt,rr,com.53713, dfw06s17-in-17.1e100.net:http, established
firefox.exe.7108, TCP, russ-l675,gt,rr,com.54103, 203.30.164.5:http, established
I can (and do!) manually close these connections and they don't come back until I restart FF.
Thanks!
Russ
All Replies (7)
Didn't you say the “Hide My Ass! Web Proxy” extension was to blame?
When you right-click the taskbar, choose Task Manager, then click the Processes tab, is firefox.exe in the list? If so, see the “Firefox hangs when you quit it” section of the following article.
For whatever reason, you can only attach screenshots to replies, not the original post. If you need to include screenshots in future questions, you can upload them to a host like http://imgur.com and post the links.
Yes, but it's been disabled for over a week and this is still happening. Just to be sure, I will uninstall the add-ons. One of these resolves to Australia and the other to a Google server. Am I being watched? This info comes up from the "odd" IP address:
_____________________________________________________________________
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM) MarkMonitor Brand Protection(TM) MarkMonitor AntiPiracy(TM) MarkMonitor AntiFraud(TM) Professional and Managed Services
Visit MarkMonitor at www.markmonitor.com Contact us at 1 (800) 745-9229 In Europe, at +44 (0) 203 206 2220
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. MarkMonitor.com does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems). MarkMonitor.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
Registrant:
DNS Admin Google Inc. 1600 Amphitheatre Parkway Mountain View CA 94043 US dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Domain Name: 1e100.net
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com
Administrative Contact:
DNS Admin Google Inc. 1600 Amphitheatre Parkway Mountain View CA 94043 US dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Technical Contact, Zone Contact:
DNS Admin Google Inc. 1600 Amphitheatre Parkway Mountain View CA 94043 US dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Created on..............: 2009-09-24.
Expires on..............: 2019-09-24.
Record last updated on..: 2012-04-20.
Domain servers in listed order:
ns2.google.com
ns3.google.com
ns1.google.com
ns4.google.com
_____________________________________________________________________
Russ
The gist of the above article is that if you're browsing any given site on the web, chances are good that you have a connection to that hostname. Most sites use one Google service or another, whether it's Google Analytics, Google Adsense, Google Recaptcha, Google Search, or the myriad of other services. Firefox's own phishing and malware protection is powered by Google, with updates coming from their servers.
So no, that connection is not suspicious. Again, I refer you to the aforementioned article for solving the issue of the firefox.exe process sticking around after all Firefox windows have been closed.
I use Sysinternals Process Explorer in lieu of Task Manager, and I make sure the FF process is gone. When I exit FF, it usually takes 30 seconds to a minute to completely unload. I'm at a loss to see how a TCP connection attributed to FF can stay alive 8 hours after closing it and verifying that it is indeed closed. Is there a program I can use to trace this rogue connection and see what's using it?
Russ
It only takes three clicks to open Task Manager to check.
It does sound impossible for firefox.exe to have any connections open if it's not running. I would first get a second opinion, for instance using the netstat utility.
- Press the Windows logo orb on the taskbar.
- In the search box, type cmd.exe
- In the search results, right-click cmd.exe and choose Run as Administrator.
- In the command prompt window that opens, type netstat -a -b and press Enter.
It sounds like you're after either Fiddler or Wireshark.
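An added example, not part of any reply in this thread: one way to turn the `netstat -a -b` second opinion into a repeatable check is to parse the saved output and list established connections whose owning image is not in the running process list. The sample output, addresses, and the function names `parse_netstat_b` and `orphaned` are constructed for illustration.

```python
import re

# Constructed sample of `netstat -a -b` output (addresses are documentation ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            HOST-PC:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.0.2.10:53713       198.51.100.7:http      ESTABLISHED
 [firefox.exe]
  TCP    192.0.2.10:54103       203.0.113.5:http       ESTABLISHED
 [firefox.exe]
  TCP    192.0.2.10:49210       198.51.100.9:https     TIME_WAIT
 Can not obtain ownership information
  TCP    127.0.0.1:58042        127.0.0.1:58043        ESTABLISHED
 [helper.exe]
"""

# A connection row: protocol, local endpoint, remote endpoint, optional state (UDP has none).
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# With -b, the owning executable follows the row in square brackets.
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat_b(text):
    """Return one dict per connection, with the owning image name (or None)."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "owner": None})
            continue
        m = OWNER.match(line)
        # Component lines (e.g. "RpcSs") and "Can not obtain ownership
        # information" match neither pattern, so the owner stays None.
        if m and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = m.group(1).lower()
    return conns

def orphaned(conns, running_images, state="ESTABLISHED"):
    """Connections in `state` whose owner is unknown or not a running image.

    `running_images` is a list of image names, e.g. taken from `tasklist`.
    """
    running = {name.lower() for name in running_images}
    return [c for c in conns
            if c["state"] == state and c["owner"] not in running]
```

An empty result when firefox.exe is absent from the process list means netstat agrees with Process Explorer; any row returned is a connection still attributed to an image that is not running and is worth a closer look with a capture tool.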
I DL'ed Fiddler and will give it a try. The problem, however, seems to have gone away after removing HMA from FF. After shutting down FF, TCPView only shows two localhost connections on ports 58042 & 58043, which die as expected after FF is closed. Apparently, disabling HMA was not enough...
Russ
I believe this problem to be solved. It's been a week since uninstalling HMA and the mystery connections are no longer happening.
Thanks Mr. Gingerbread_Man!
Russ