No Clue about this one, any ideas?
Results 1 to 8 of 8

Thread: No Clue about this one, any ideas?

  1. #1
    Junior Member
    Join Date
    Aug 2003

    Unhappy No Clue about this one, any ideas?

    Well, I know this is my first post but I've been registered for a while. I don't consider myself a noob at computers, but I'm certaintly not as good as you guys haha, hence why I read your forums (as in that movie Short Circuit "INPUT, INPUUUTTT!"). But, meh, I stumbled across something that pretty much baffles me eh. (I am not Canadian by the way if you're wondering about the Eh) It's 5:10AM so if I'm rambling sorry, but I mean no harm . Anyways, back to my point. I use Sygate Personal Firewall (anyone heard of it, I am sure you have heh) and it's always worked fine and well. Recently I discovered that whenever I open a search, my computer sends out data (or tries to anywho). I, of course, block it always but its sort of leaving me clueless here. Hmm let me take a screeny of what I'm getting... (I've run all the AV's and spyware detectors I have and seem to be available, and nada-zip. That worried me more then if it had found something of course, so I come to you now PC gurus. It only does it now and then, so of course I can't seem to get the message from Sygate (Why am I thinking of Terminator 2?!) when it doesn't do it... Eh, just need to wait I guess. In the meantime, any thoughts? I will post what IP it is trying to connect to, and hopefully we can go from there somehow.


  2. #2
    Join Date
    Jun 2003
    I couldnt think of anything yet but did you try clicking yes at least once and see what happened...and you could use neotrace to get some info on that IP (im in school right now )

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Strange.........the IP looks like some sort of proxy? I get it as IANA but whois says that it is an EU addy that is really worldwide?

    9 27ms 27ms 28ms TTL: 0 ( ok)
    10 27ms 28ms 27ms TTL: 0 ( ok)
    11 96ms 110ms 110ms TTL: 0 ( ok)
    12 110ms 124ms 110ms TTL: 0 ( ok)
    13 124ms 124ms 124ms TTL: 0 ( ok)
    14 124ms 123ms 124ms TTL: 0 ( fraudulent rDNS)
    15 124ms 124ms 123ms TTL: 0 ( ok)
    16 123ms 124ms 123ms TTL: 0 ( ok)
    17 220ms 138ms 138ms TTL: 0 ( ok)
    18 151ms 151ms 151ms TTL: 0 (No rDNS)
    19 151ms 151ms 151ms TTL: 43 (No rDNS)

    That is the backend of traceroute for cannot get a whois for that domain.

    I will leave it to those who are more knowlegeable


  4. #4
    Join Date
    Aug 2001
    4,426 - is assigned as the Local Network Control Block, as described in RFC 3171.
    Local Network Control Block (224.0.0/24)

    Addresses in the Local Network Control block are used for protocol
    control traffic that is not forwarded off link. Examples of this
    type of use include OSPFIGP All Routers ( [RFC2328].

    And here's the OSPF protocol.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    I just ran a sniff with iris, its actually a broadcast over netbios by the master browser.

    Its due to the operations of the "master browser" (see

    for discussion on browsers.

    (Also, i`m guessing the machine you are looking at is on a very small network?). So... the machine first asks over ARP who has the Address it has received via DHCP, if its not taken it then registers the address by broadcasting NetBIOS Name Service (port 137) over the subnets broadcast IP. It then registers its workgroup if it doesn`t detect that its workgroup is up, again over netbios name service. Once this is done it uses the master browser, broadcasting over the LAN at its subnet level that its a win2k/xp etc workstation.

    So I guess its explorer being helpful and making sure it knows the local subnet, in case you want to use the search fucntion for network resources.

    You can disable it by setting the following key to 0


    Hope this helps.
    Quis custodiet ipsos custodes

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    You won't find that address in a whois. is the multicast address used by multicast apps to locate multicast routers.

    Broadcast: Everyone gets the packets eg: ARP
    Unicast: Single host gets the packets eg: TCP
    Multicast: A select group of hosts get the packets eg: streaming video.

    It would seem that you have some addin, (Realplayer type of thing), with IE that is looking for a mulitcast router on the local network. Past that I can't be of much more help.... sorry.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    to find out which application it is...

    You can use netstat before and after to see if anything has changed. fport is pretty good for this.

    You can also use filemon and regmon from to see what files are being used at that time. This can give good clues most of the time.

    Just make sure to disable your realtime antivirus. The av activity will flood your logs and make it really hard to read.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Junior Member
    Join Date
    Aug 2003
    Ah, I see now. Thanks guys, I was initially worried it may be a new trojan thats unidentified by everything since it just came out. Again, thanks for the infor

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts