Strange netstat behavior on Windows XP regarding


When I do a netstat (on Windows XP), I seem to always get a huge number of connections and I can't figure out where they are coming from.

A netstat -o shows me that some are coming from PID xxx, which is Firefox, but if I kill it, the connections still remain.

Some are coming from PID 0, which makes no sense to me.

SECOND PROBLEM: One would think you could edit the C:\WINDOWS\system32\drivers\etc\hosts file to block this, but it seems like my machine is ignoring the hosts file! (I have tried with the DNS client service both enabled and disabled, same result).

I just rebooted, killed all my normal programs, and I can't seem to reproduce the problem. If I was a paranoid person, I would think there was some sort of an intelligent trojan running.

I am running Windows XP Professional, Kaspersky Antivirus, CCleaner, and am fully up to date on Windows Update. What gives?

My questions are:

  1. Is anyone else seeing these weird connections to
  2. Why isn't my hosts filter working?
  3. Is there a utility I can run to find out what's happening? I've tried autoruns.exe from Sysinternals but didn't see anything interesting.

Am I the only one with this problem? If there are any additional things you need me to run, let me know.


Posted 2009-07-08T04:40:44.100

Reputation: 533



2) Why isn't my hosts filter working?

One explanation is that the adware/malware connected to the server using a different DNS name or the IP address. When netstat resolved the IP address, you got the PTR record, which can be a different DNS name. That means that the HOSTS lookup was probably not for the (www.) name.




Two notes that may clear up some confusion:

  • netstat has no way to find out what name was used to initiate a connection; it only tracks the IP address (check this with netstat -n -o). When displaying information to you, it tries to resolve the IP addresses back to names. So the malware you have may connect straight to an IP address or to a completely different name.

  • PID 0 may be shown for TCP connections in TIME_WAIT state, after the process has terminated. This is normal.


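As an added example (not from any of the posters), the script below parses constructed `netstat -n -o` output and applies both notes above: it groups connections by remote IP, the only identity netstat actually has, and separates PID 0 TIME_WAIT leftovers from PID 0 sockets in other states. The sample output and all addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -n -o" output (not taken from the
# original post); addresses are from documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1043       203.0.113.10:80        ESTABLISHED     1880
  TCP    192.168.1.5:1044       203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.5:1045       203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.5:1046       198.51.100.7:443       CLOSE_WAIT      1880
  TCP    192.168.1.5:1047       198.51.100.9:8080      ESTABLISHED     0
  UDP    0.0.0.0:445            *:*                                    4
"""

# UDP rows have no State column, so the state group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse 'netstat -n -o' rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def summarize_by_remote(rows):
    """Count connections per remote IP (port stripped). netstat only tracks
    the IP, which is why a hosts-file entry for a name never shows up here."""
    return Counter(r["remote"].rsplit(":", 1)[0] for r in rows)


def classify_pid0(rows):
    """PID 0 on a TIME_WAIT socket is the leftover of an exited process and is
    normal; PID 0 on a TCP socket in any other state is worth a closer look."""
    normal, suspicious = [], []
    for r in rows:
        if r["pid"] != 0 or r["proto"] != "TCP":
            continue
        (normal if r["state"] == "TIME_WAIT" else suspicious).append(r)
    return normal, suspicious


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print(summarize_by_remote(parsed))
    print(classify_pid0(parsed))
```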


Those connections may be because of banners on sites you visited.

Connections do not disappear from netstat right away after the actual connection has ended. That raises a question: in what state are the connections to partypoker? ESTABLISHED, CLOSE_WAIT, or something else?





Well, Party Poker is a well-known online poker room (I also play there :)). I don't know about Firefox, but it installs something for IE, at least a fast launch icon and something else (I think some plugin for in-browser gaming); I blocked it when installing the client. At least it doesn't seem to be malware. Try to locate and uninstall the PartyPoker client if you have one. Also reboot and check if there are connections before running FF, because I really think it's some sort of plugin by PartyPoker, which is definitely not a risky site.


