X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

TCP connections alive well after Firefox is closed

Posted

According to Sysinternals TCPView, I have several TCP connections that stay open (established) well after I close and exit Firefox, I'm talking 8 hours after. Normal connections close within minutes if shutting down Firefox. I'd post a pic, but there is no option for it so here's a paste (commas instead of tabs):

process/protocol, local address, remote asddress, state firefox.exe.7108, TCP, russ-l675,gt,rr,com.53713, dfw06s17-in-17.1e100.net:http, established firefox.exe.7108, TCP, russ-l675,gt,rr,com.54103, 203.30.164.5:http, established

I can (and do!) manually close these connections and they don't come back until I restart FF.

Thanks!

Russ

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.4 r402
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.0
  • Coupons, Inc. Coupon Printer Plugin
  • Coupons, Inc. Coupon Printer DLL
  • Windows Activation Technologies Plugin for Mozilla

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

More Information

Gingerbread Man
  • Top 25 Contributor
219 solutions 899 answers

Didn't you say the “Hide My Ass! Web Proxy” extension was to blame?

When you right-click the taskbar, choose Task Manager, then click the Processes tab, is firefox.exe in the list? If so, see the “Firefox hangs when you quit it” section of the following article.


For whatever reason, you can only attach screenshots to replies, not the original post. If you need to include screenshots in future questions, you can upload them to a host like http://imgur.com and post the links.

Question owner

Yes, but it's been disabled for over a week and this is still happening. Just to be sure, I will uninstall the add-ons. One of these resolves to Australia and the other to a Google server. Am I being watched? This info comes up from the "odd" IP address: _____________________________________________________________________

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM) MarkMonitor Brand Protection(TM) MarkMonitor AntiPiracy(TM) MarkMonitor AntiFraud(TM) Professional and Managed Services

Visit MarkMonitor at www.markmonitor.com Contact us at 1 (800) 745-9229 In Europe, at +44 (0) 203 206 2220

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. MarkMonitor.com does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems). MarkMonitor.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Registrant:

       DNS Admin
       Google Inc.
       1600 Amphitheatre Parkway
       Mountain View CA 94043
       US
       dns-admin@google.com +1.6502530000 Fax: +1.6506188571
   Domain Name: 1e100.net
       Registrar Name: Markmonitor.com
       Registrar Whois: whois.markmonitor.com
       Registrar Homepage: http://www.markmonitor.com
   Administrative Contact:
       DNS Admin
       Google Inc.
       1600 Amphitheatre Parkway
        Mountain View CA 94043  US
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571
   Technical Contact, Zone Contact:
       DNS Admin
       Google Inc.
       1600 Amphitheatre Parkway
       Mountain View CA 94043 US
       dns-admin@google.com +1.6502530000 Fax: +1.6506188571
   Created on..............: 2009-09-24.
   Expires on..............: 2019-09-24.
   Record last updated on..: 2012-04-20.
   Domain servers in listed order:
   ns2.google.com
   ns3.google.com
   ns1.google.com
   ns4.google.com
   

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM) MarkMonitor Brand Protection(TM) MarkMonitor AntiPiracy(TM) MarkMonitor AntiFraud(TM) Professional and Managed Services

Visit MarkMonitor at www.markmonitor.com Contact us at 1 (800) 745-9229 In Europe, at +44 (0) 203 206 2220 _____________________________________________________________________

Russ

Gingerbread Man
  • Top 25 Contributor
219 solutions 899 answers

The gist of the above article is that if you're browsing any given site on the web, chances are good that you have a connection to that hostname. Most sites use one Google service or another, whether it's Google Analytics, Google Adsense, Google Recaptcha, Google Search, or the myriad of other services. Firefox's own phishing and malware protection is powered by Google, with updates coming from their servers.

So no, that connection is not suspicious. Again, I refer you to the aforementioned article for solving the issue of the firefox.exe process sticking around after all Firefox windows have been closed.

Question owner

I use Sysinternals process explorer in lieu of task manager, and I make sure the FF process is gone. When I exit FF, it usually takes 30 seconds to a minute to completely unload. I'm at a loss to see how how a TCP connection attributed to FF can stay alive 8 hours after closing it and verifying that it is indeed closed. Is there a program I can use to trace this rogue connection and see what's using it?

Russ

Gingerbread Man
  • Top 25 Contributor
219 solutions 899 answers

It only takes three clicks to open Task Manager to check.

It does sound impossible for firefox.exe to have any connections open if it's not running. I would first get a second opinion, for instance using the netstat utility.

  1. Press the Windows logo orb on the taskbar.
  2. In the search box, type cmd.exe
  3. In the search results, right-click cmd.exe and choose Run as Administrator.
  4. In the command prompt window that opens, type netstat -a -b and press Enter.

It sounds like you're after either Fiddler or Wireshark.

Question owner

I DL'ed Fiddler and will give it a try. The problem, however, seems to have gone away after removing HMA from FF. After shutting down FF, TCPView only shows two localhost connections on ports 58042 & 58043, which die as expected after FF is closed. Apparently, disabling HMA was not enough...

Russ

Question owner

I believe this problem to be solved. It's been a week since uninstalling HMA and the mystery connections are no longer happening.

Thanks Mr. Gingerbread_Man!

Russ