
Thread: No Clue about this one, any ideas?

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    5

    No Clue about this one, any ideas?

    Well, I know this is my first post but I've been registered for a while. I don't consider myself a noob at computers, but I'm certainly not as good as you guys haha, hence why I read your forums (as in that movie Short Circuit "INPUT, INPUUUTTT!"). But, meh, I stumbled across something that pretty much baffles me eh. (I am not Canadian by the way if you're wondering about the Eh) It's 5:10AM so if I'm rambling sorry, but I mean no harm. Anyways, back to my point. I use Sygate Personal Firewall (anyone heard of it, I am sure you have heh) and it's always worked fine and well. Recently I discovered that whenever I open a search, my computer sends out data (or tries to anywho). I, of course, block it always but it's sort of leaving me clueless here. Hmm let me take a screeny of what I'm getting... (I've run all the AVs and spyware detectors I have and seem to be available, and nada-zip. That worried me more than if it had found something of course, so I come to you now PC gurus.) It only does it now and then, so of course I can't seem to get the message from Sygate (Why am I thinking of Terminator 2?!) when it doesn't do it... Eh, just need to wait I guess. In the meantime, any thoughts? I will post what IP it is trying to connect to, and hopefully we can go from there somehow.

    Thanks,
    Brian


  2. #2
    I couldn't think of anything yet, but did you try clicking yes at least once and see what happened... and you could use NeoTrace to get some info on that IP (I'm in school right now).

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Strange.........the IP looks like some sort of proxy? I get it as IANA but whois says that it is an EU addy that is really worldwide?

    9 212.113.11.253 27ms 27ms 28ms TTL: 0 (so-3-0.ipcolo2.London2.Level3.net ok)
    10 212.187.129.161 27ms 28ms 27ms TTL: 0 (ge-4-3-1.mp1.London2.Level3.net ok)
    11 212.187.128.138 96ms 110ms 110ms TTL: 0 (so-1-0-0.bbr1.Washington1.Level3.net ok)
    12 64.159.1.69 110ms 124ms 110ms TTL: 0 (so-2-3-0.bbr1.Chicago1.Level3.net ok)
    13 64.159.1.222 124ms 124ms 124ms TTL: 0 (ge-8-0.hsa1.Chicago1.Level3.net ok)
    14 64.154.65.66 124ms 123ms 124ms TTL: 0 (unknown.Level3.net fraudulent rDNS)
    15 64.198.101.201 124ms 124ms 123ms TTL: 0 (64-198-101-201.ip.mcleodusa.net ok)
    16 64.198.101.150 123ms 124ms 123ms TTL: 0 (CHCGILOCC7201-CHCGILOCJM201.mcleodusa.net ok)
    17 209.253.102.38 220ms 138ms 138ms TTL: 0 (209-253-102-38.ip.mcleodusa.net ok)
    18 63.250.71.54 151ms 151ms 151ms TTL: 0 (No rDNS)
    19 66.158.163.165 151ms 151ms 151ms TTL: 43 (No rDNS)


    That is the back end of a traceroute for clintoris.com?..................... I cannot get a whois for that domain.

    I will leave it to those who are more knowledgeable.

    Cheers

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    224.0.0.0 - 224.0.0.255 is assigned as the Local Network Control Block, as described in RFC 3171.
    Local Network Control Block (224.0.0/24)

    Addresses in the Local Network Control block are used for protocol
    control traffic that is not forwarded off link. Examples of this
    type of use include OSPFIGP All Routers (224.0.0.5) [RFC2328].


    And here's the OSPF protocol.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I just ran a sniff with Iris; it's actually a broadcast over NetBIOS by the master browser.

    It's due to the operations of the "master browser" (see http://support.microsoft.com/default...NoWebContent=1)

    for discussion on browsers.

    (Also, I'm guessing the machine you are looking at is on a very small network?) So... the machine first asks over ARP who has the address it has received via DHCP; if it's not taken, it then registers the address by broadcasting NetBIOS Name Service (port 137) over the subnet's broadcast IP. It then registers its workgroup if it doesn't detect that its workgroup is up, again over NetBIOS Name Service. Once this is done it uses the master browser, broadcasting over the LAN at its subnet level that it's a Win2k/XP etc. workstation.

    So I guess it's Explorer being helpful and making sure it knows the local subnet, in case you want to use the search function for network resources.

    You can disable it by setting the following key to 0:


    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\[InterfaceName]\PerformRouterDiscovery


    Hope this helps.
    Quis custodiet ipsos custodes
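The registration traffic described in the post above can be recognised on the wire by decoding the NetBIOS Name Service packet itself. The following is an added example, not code from the original thread or from any of the tools mentioned in it: it builds a constructed NBNS Name Registration Request (the kind a workstation broadcasts to UDP/137 after getting a DHCP lease), parses it back, and reports the NetBIOS name, the suffix byte that tells you which role is being advertised (0x00 workstation, 0x1D master browser, and so on), the node type, and whether the destination was the subnet's directed broadcast address. The sample packet, host name and addresses are all constructed for the example.

```python
import struct
import ipaddress

NBNS_PORT = 137  # NetBIOS Name Service

# Sixteenth byte of a NetBIOS name identifies the service being registered.
SUFFIX_ROLES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
# Owner node type, from the ONT bits of NB_FLAGS in the registration RR.
NODE_TYPES = {0: "B-node (broadcast)", 1: "P-node (WINS)", 2: "M-node (mixed)"}


def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001): pad the name to 15 bytes, append the
    suffix byte, then write each byte as two nibbles offset from 'A'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"  # label length 32, label, root label


def decode_netbios_name(enc):
    """Reverse first-level encoding of a 32-byte label; returns (name, suffix)."""
    if len(enc) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = enc[i] - 0x41, enc[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_registration_request(name, suffix, ip, txid=0x1234):
    """Constructed NBNS Name Registration Request (one question, one additional RR)."""
    flags = 0x2910  # OPCODE=5 (registration), RD=1, B=1 (broadcast)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)
    nb_flags = 0x0000  # unique (not group) name, B-node
    rdata = struct.pack("!H4s", nb_flags, ipaddress.IPv4Address(ip).packed)
    # Additional RR name is a compression pointer (0xC00C) back to the question name.
    additional = b"\xC0\x0C" + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + question + additional


def parse_registration_request(pkt):
    """Decode the fields an analyst wants from a captured registration request."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    opcode = (flags >> 11) & 0xF
    if opcode != 5:
        raise ValueError("not a name registration request (opcode %d)" % opcode)
    broadcast = bool(flags & 0x0010)  # B flag in NM_FLAGS
    off = 12
    if pkt[off] != 32:
        raise ValueError("unexpected question name length")
    name, suffix = decode_netbios_name(pkt[off + 1:off + 33])
    off += 34 + 4  # length byte + label + terminator, then QTYPE/QCLASS
    if ar and (pkt[off] & 0xC0) == 0xC0:
        off += 2  # compression pointer
    else:
        off += 34  # full label
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    nb_flags, ip_bytes = struct.unpack_from("!H4s", pkt, off)
    return {
        "txid": txid,
        "broadcast": broadcast,
        "name": name,
        "suffix": suffix,
        "role": SUFFIX_ROLES.get(suffix, "unknown suffix 0x%02X" % suffix),
        "group": bool(nb_flags & 0x8000),
        "node_type": NODE_TYPES.get((nb_flags >> 13) & 0x3, "reserved"),
        "ip": str(ipaddress.IPv4Address(ip_bytes)),
        "ttl": ttl,
    }


def is_subnet_broadcast(dst_ip, network):
    """True when dst_ip is the directed broadcast address of the given subnet."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(dst_ip) == net.broadcast_address


# Constructed sample: workstation WORKSTN at 192.168.1.23 registering its name.
SAMPLE_PACKET = build_registration_request("WORKSTN", 0x00, "192.168.1.23")

if __name__ == "__main__":
    info = parse_registration_request(SAMPLE_PACKET)
    print("UDP/%d broadcast=%s %s<%02X> %s from %s (%s)" % (
        NBNS_PORT, info["broadcast"], info["name"], info["suffix"],
        info["role"], info["ip"], info["node_type"]))
    print("192.168.1.255 is broadcast for 192.168.1.0/24:",
          is_subnet_broadcast("192.168.1.255", "192.168.1.0/24"))
```

A registration to the subnet broadcast with suffix 0x00 or 0x1D is the normal chatter the post describes; the same decoder applied to a real capture lets you confirm the name and role being claimed before deciding whether anything is amiss.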

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You won't find that address in a whois. 224.0.0.2 is the multicast address used by multicast apps to locate multicast routers.

    Broadcast: Everyone gets the packets eg: ARP
    Unicast: Single host gets the packets eg: TCP
    Multicast: A select group of hosts get the packets eg: streaming video.

    It would seem that you have some add-in (RealPlayer type of thing) with IE that is looking for a multicast router on the local network. Past that I can't be of much more help.... sorry.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
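The broadcast/unicast/multicast distinction in the post above, together with the RFC 3171 Local Network Control Block quoted in post #4, can be turned into a small triage helper for firewall alerts like the one that started this thread. This is an added example, not code from the thread or from Sygate: it classifies a destination address, names the well-known 224.0.0.0/24 addresses it knows (224.0.0.2 "All Routers" among them, as the post says), notes that such addresses are not forwarded off-link and will never resolve in whois, and runs over a few constructed firewall-log lines in a made-up format. The log lines, host addresses and the `whois_useful` field are this example's own assumptions.

```python
import ipaddress
import re

# Well-known assignments inside the Local Network Control Block (224.0.0.0/24).
LOCAL_CONTROL_WELL_KNOWN = {
    "224.0.0.1": "All Systems on this Subnet",
    "224.0.0.2": "All Routers on this Subnet",
    "224.0.0.5": "OSPF All Routers (OSPFIGP)",
    "224.0.0.6": "OSPF Designated Routers",
    "224.0.0.9": "RIP2 Routers",
    "224.0.0.22": "IGMP",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
}
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")
INTERNETWORK_CONTROL_BLOCK = ipaddress.ip_network("224.0.1.0/24")
ADMIN_SCOPED_BLOCK = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365


def classify_destination(dst, network=None):
    """Return a dict: delivery (broadcast/unicast/multicast), a human-readable
    detail, and whether a whois lookup on the address could tell you anything."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return {"delivery": "broadcast", "detail": "limited broadcast", "whois_useful": False}
    if network is not None:
        net = ipaddress.ip_network(network, strict=False)
        if ip == net.broadcast_address:
            return {"delivery": "broadcast",
                    "detail": "directed broadcast for %s" % net, "whois_useful": False}
    if ip.is_multicast:
        if ip in LOCAL_CONTROL_BLOCK:
            detail = LOCAL_CONTROL_WELL_KNOWN.get(
                str(ip), "Local Network Control Block (unassigned address)")
            detail += "; not forwarded off-link"
        elif ip in INTERNETWORK_CONTROL_BLOCK:
            detail = "Internetwork Control Block (may be forwarded)"
        elif ip in ADMIN_SCOPED_BLOCK:
            detail = "administratively scoped multicast (site-local)"
        else:
            detail = "global multicast group"
        return {"delivery": "multicast", "detail": detail, "whois_useful": False}
    if ip.is_private:
        return {"delivery": "unicast", "detail": "private (RFC 1918) address", "whois_useful": False}
    return {"delivery": "unicast", "detail": "public address", "whois_useful": True}


# Constructed log format for the example; the real firewall's format would differ.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP|IGMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

SAMPLE_LOG = """\
2003-08-20 05:10:12 Blocked UDP 192.168.1.23:137 -> 192.168.1.255:137
2003-08-20 05:10:13 Blocked IGMP 192.168.1.23 -> 224.0.0.2
2003-08-20 05:10:15 Allowed TCP 192.168.1.23:1031 -> 66.158.163.165:80
2003-08-20 05:10:16 Blocked UDP 192.168.1.23:1900 -> 239.255.255.250:1900
"""


def triage_log(text, local_network):
    """Annotate each constructed log line with the destination classification."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        info = classify_destination(m.group("dst"), local_network)
        results.append({"action": m.group("action"), "proto": m.group("proto"),
                        "dst": m.group("dst"), **info})
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, "192.168.1.0/24"):
        print("%-7s %-4s %-16s %-9s %s" % (
            r["action"], r["proto"], r["dst"], r["delivery"], r["detail"]))
```

Only the public unicast destination comes back with `whois_useful` set, which is the practical point of the post: time spent on whois or traceroute for a 224.0.0.x destination is wasted, and the question to answer is which local process joined that group.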

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    To find out which application it is...

    You can use netstat before and after to see if anything has changed. fport is pretty good for this. www.foundstone.com

    You can also use filemon and regmon from www.systernals.com to see what files are being used at that time. This can give good clues most of the time.

    Just make sure to disable your realtime antivirus. The AV activity will flood your logs and make it really hard to read.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
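The "netstat before and after" approach in the post above is easiest to apply if the two snapshots are diffed mechanically rather than by eye. The following is an added example, not part of the thread or of fport/netstat: it parses two constructed snapshots in the layout `netstat -ano` prints on Windows (protocol, local address, foreign address, state for TCP, owning PID), reports which sockets appeared or vanished between them, and groups the new ones by PID so the process can be looked up in Task Manager. The snapshot contents, addresses and PIDs are constructed for the example.

```python
from collections import namedtuple, defaultdict

Socket = namedtuple("Socket", "proto local remote state pid")


def parse_netstat(text):
    """Parse `netstat -ano`-style output into a set of Socket tuples.
    TCP rows carry a state column; UDP rows do not."""
    sockets = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            raise ValueError("unrecognised netstat row: %r" % line)
        sockets.add(Socket(proto, local, remote, state, int(pid)))
    return sockets


def diff_snapshots(before_text, after_text):
    """Return (added, removed): sockets only in the second / only in the first."""
    before, after = parse_netstat(before_text), parse_netstat(after_text)
    return sorted(after - before), sorted(before - after)


def new_sockets_by_pid(added):
    """Group newly seen sockets by owning PID so each process is checked once."""
    by_pid = defaultdict(list)
    for s in added:
        by_pid[s.pid].append(s)
    return dict(by_pid)


# Constructed snapshot taken before reproducing the firewall alert.
BEFORE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.23:137       *:*                                    4
"""

# Constructed snapshot taken right after opening the search that triggers it.
AFTER = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:1031      66.158.163.165:80      ESTABLISHED     1580
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.23:137       *:*                                    4
  UDP    192.168.1.23:1900      *:*                                    1044
"""

if __name__ == "__main__":
    added, removed = diff_snapshots(BEFORE, AFTER)
    for pid, socks in sorted(new_sockets_by_pid(added).items()):
        print("PID %d opened:" % pid)
        for s in socks:
            print("   %s %s -> %s %s" % (s.proto, s.local, s.remote, s.state))
    for s in removed:
        print("closed: %s %s -> %s" % (s.proto, s.local, s.remote))
```

Take the first snapshot with the antivirus real-time scanner paused, as the post advises, and the second immediately after triggering the alert; the PIDs left in the added set are the short list to inspect with Task Manager or the filemon/regmon filters.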

  8. #8
    Junior Member
    Join Date
    Aug 2003
    Posts
    5
    Ah, I see now. Thanks guys, I was initially worried it may be a new trojan that's unidentified by everything since it just came out. Again, thanks for the info.
