
ttmcmurry

  1. I think I get it -- BitTorrent added this thing called the "DNA server" and I believe it's UPnP enabled. Even though I wasn't running BitTorrent at all, this service connected to the router via UPnP, opened the ports, and started traffic. For the record, I still haven't used BitTorrent to download anything; I merely installed the software and that was enough to get this to start on its own.

     This morning, I was running Wireshark and turned my cable modem back on and noticed traffic coming from my computer to utorrent.com & bittorrent.com. Moments later the behavior started again. That got me to thinking "hmm, BitTorrent isn't running, so what is?" - and I recalled reading something on their website about a distributed download accelerator called DNA, so I looked into it. Wireshark was going crazy with the DNS lookups at that point, so I uninstalled DNA server, saw more communication to the BitTorrent servers, and then the DNS lookups stopped. I had, according to my router's WISH list, just under 300 open UDP sessions before that uninstall. Five minutes later, it was down to 13 active connections.

     What's interesting to me is why, when I blocked the ports from Symantec Multitier Protection's firewall, the traffic was still permitted and would not block. Perhaps there is some kind of interaction between the firewall & UPnP?

     Anyhow, I checked it over lunch now and the issue is gone. Thanks for pointing me in the right direction.

     Travis
  2. I was playing around with Wireshark and noticed I have a 2003 server that is constantly making DNS requests. Here's the scenario while I was troubleshooting: I turned off all possible services and exited all applications except:

     Services running:

     • Application Experience Lookup Service
     • ATI HotKey Poller
     • DCOM Server Process Launcher
     • DHCP Client
     • Event Log
     • Network Connections
     • Plug and Play
     • Remote Access Connection Manager
     • Remote Procedure Call (RPC)
     • Security Accounts Manager
     • Shell Hardware Detection
     • Telephony
     • Terminal Services
     • Themes
     • Windows Driver Foundation - User Mode Driver Framework
     • Windows Firewall / Internet Connection Sharing (ICS)
     • Windows Management Instrumentation
     • Wireless Configuration

     Applications running:

     • ati2evxx
     • ati2evxx
     • csrss
     • ctfmon
     • dumpcap
     • explorer
     • lsass
     • mmc (Services.msc)
     • notepad (while I type this up)
     • rundll32
     • rundll32
     • services
     • smax4pnp
     • smss
     • svchost (7 copies)
     • system
     • taskmgr
     • winlogon
     • wireshark
     • wmiprvse

     I used Windows Process Explorer to track down the svchost instances and they all corresponded to the services running at top; in other words, it all belonged there. But every few seconds or so the server accepts a UDP packet from somewhere on the public internet (it seems random) and then spits out queries and receives responses and moves on. This is going at such a slow pace that I can't attribute any CPU usage to whatever process is doing this.

     I've applied the DNS Client patch KB951748 but that doesn't seem to be stopping it. Symantec Endpoint Protection (v11.0.2) is the AV software used on it in conjunction with Windows Firewall. Also tried using netstat -v -b to see if I could find what application might be making an external connection, but can't find anything, or it's happening so fast it's not displaying. This server is not a DNS server either. Even after a reboot or a NIC repair the DNS lookups continue.

     Has anyone else seen this behavior? Thanks for anyone's help.

     Travis

     issues_with_dns.zip