Mystery? Data sent to unknown.Level3.net

drodg

Use: Dell laptop, WinXP Pro, behind Dlink router, no firewall running,
McAfee anti-virus updated, all XP updates done, Ad-Aware updates done, use
Mozilla browser plus IE.

I'm puzzled!...

- When PC is idle I run DOS Netstat -o. It periodically shows a mystery
connection to unknown.Level3.net:http and unknown.Level3.net:https. PID
shows as 780. Sometimes shows as ESTABLISHED while most of the time shows
as CLOSE_WAIT.

- Trace route shows the IP as 209.245.19.42. Belongs to www.level3.com.
When I run Tasklist /svc it shows PID 780 as svchost.exe.

- PID 780 svchost.exe contains:
AudioSrv, BITS, Browser, CryptSvc, Dhcp, ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation,
Netman, Nla, Schedule, seclogon, SENS, ShellHWDetection, srservice,
TermService, Themes, TrkWks, uploadmgr, W32Time, winmgmt, wuauserv, WZCSVC.

My question is: is the data being sent to Level3 safe, necessary or
possible spyware? Are there other ways to find out? Thank you.
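The correlation described in this post (netstat -o for the PID, tasklist /svc for the image and the services hosted in that PID) can be scripted. The Python below is an added example, not code from this thread; the netstat and tasklist outputs embedded in it are constructed samples in the column layout of Windows `netstat -ano` and `tasklist /svc`, using the addresses mentioned in the thread. It flags only connections whose foreign address is a public IP and annotates each with the owning image and its service list. One caveat the output makes obvious: for a shared svchost.exe, tasklist /svc can only tell you the set of services in the process, not which one opened the socket.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (numeric addresses, PID column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.5:1043       209.245.19.42:80       CLOSE_WAIT      780
  TCP    192.168.0.5:1044       209.245.19.42:443      ESTABLISHED     780
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:1050       192.168.0.1:80         ESTABLISHED     1204
  UDP    0.0.0.0:68             *:*                                    780
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap onto
# indented continuation lines, which the parser has to re-join.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    780 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   wuauserv, WZCSVC
iexplore.exe                  1204 N/A
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local, foreign, state, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:  # UDP rows have no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist(text):
    """Map PID -> {'image': name, 'services': [...]} from `tasklist /svc`."""
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue
        if line[:1].isspace() and last_pid is not None:
            # Indented line: continuation of the previous row's service list.
            procs[last_pid]["services"] += _split_services(line)
            continue
        m = TASKLIST_ROW.match(line)
        if not m:
            continue
        image, pid, svc = m.group(1), int(m.group(2)), m.group(3)
        services = [] if svc.strip() == "N/A" else _split_services(svc)
        procs[pid] = {"image": image, "services": services}
        last_pid = pid
    return procs


def classify_foreign(addr):
    """'none' for wildcards, 'private'/'public' for IPs, 'hostname' if netstat resolved a name."""
    host, _, _port = addr.rpartition(":")
    if host in ("", "*", "0.0.0.0"):
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # plain `netstat -o` prints resolved names; use -n to avoid this
    return "private" if ip.is_private else "public"


def suspicious_connections(netstat_text, tasklist_text):
    """Connections to public addresses, annotated with owning image and hosted services."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for c in parse_netstat(netstat_text):
        if classify_foreign(c["foreign"]) != "public":
            continue
        proc = procs.get(c["pid"], {"image": "<unknown>", "services": []})
        report.append({**c, "image": proc["image"], "services": proc["services"]})
    return report


if __name__ == "__main__":
    for r in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r['proto']} {r['local']} -> {r['foreign']} {r['state']} "
              f"PID {r['pid']} ({r['image']}) services: {', '.join(r['services']) or '-'}")
```

Run it on a Windows box by replacing the two sample strings with `subprocess.check_output(["netstat", "-ano"], text=True)` and the equivalent for `tasklist /svc`. Because the services column is shared across the whole svchost, the next step after this report is per-process (TcpView, mentioned later in the thread) or per-service isolation, not more netstat.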
 
CheshireCat

Nice detective work.
Do a google on "level3 spyware", I quote the following from a spyware
newsgroup.
Also, install a decent software firewall, e.g. ZoneAlarm; they can help tell
you what spyware is up to on your PC.


Argyle said:
I ran live update this morning. While doing so, I noticed the KPF showed
that it wanted to connect to a site on level3.net. Why? I get spam from
level3.net customers all the time, what does Live Update need at level3.net?
I told KPF to deny the connection, and it still worked just fine.

It was probably connected to an Akamai server for the update. If not,
I'd really like to know to whom it's contacting. Although Akamai is
not the safest place to contact either.
Akamai has services based on virtually every large ISP, even that
nasty Level3. The idea is to store data closer to users to reduce the
amount of traffic overhead. However, Akamai does work with advertisers
and spyware vendors, too, which is why I generally would block Akamai.
Your assessment of Level3 is correct. Unfortunately, Level3 is the
only large ISP that I would consider a true black-hat...you'll find a
large number of spam-advertised sites running off of Level3,
especially adult ones. Most responsible ISPs will shut down a site if
they find it advertising via spam, but Level3 won't - not without a
lot of emails to various departments.
 
drodg

Not sure if this was it. I went into Cookie Manager in Mozilla. Deleted
and blocked all suspect adware cookies. Then went into IE and set it to
block all cookies. Went in and added Allowed cookies: login.hotmail.com,
microsoft.com, microsoft.net, etc. Only allowing cookies from the 2-3 sites
I use IE for: windows updates, office updates and hotmail. Otherwise I use
Mozilla for all web surfing.

So far so good. No data seems to be phoning home.... yet! I'll keep an eye
on it and post the results here if anything changes.
Thanks for your help and compliment, Dave.
 
drodg

I give up. The cookies idea didn't work. Installing a software firewall is
absolutely my last resort.

Now instead of unknown.level3.net:http (and https) I'm getting
63.251.152.210:http PID 772 and 205.161.4.30:https PID 772. On tasklist
/svc they both show as svchost with a long list of abbreviated tasks. Both
show as CLOSE_WAIT.

For now I must assume those connections are safe. Ad-Aware and McAfee AV
don't detect any monkey business. I'm going to leave it alone unless I read
somewhere that they're true spyware.

I am going to download tcpview. Thanks for recommending sysinternals.com.
A great site with lots of cool toys. Dave
 