How to know which program is connecting to domainmanager.com by IP ?


Memory
May 27th, 2010, 01:46 PM
For some time now, I see this in my LnS log window (screenshot).
It is the only message being logged. Thankfully LnS covered my butt with the mighty "All other packets" rule.
I cannot find out which program is trying to connect to the net.

Most of the time it is green.domainmanager.com=216.194.67.56.
But it alternates between the following 3 IPs. Sometimes it is also a mix of green and ns1.
-{ Quote: "green.domainmanager.com=216.194.67.56
ns1.domainmanager.com=216.194.67.56
white.domainmanager.com=64.40.103.249" }-

There are lots of iffy sites hosted on these IP ranges.

I get this additional but useless (to me) information from this site : http://whois.gwebtools.com/

-{ Quote: "GREEN.DOMAINMANAGER.COM is running on the ip address 216.194.67.56 that belongs to the network 216.194.64.0/19.
This network is part of the autonomous system AS13911 from the company Proxy-registered route object for GT.
Total of domains on green.domainmanager.com: 0

NS1.DOMAINMANAGER.COM is running on the ip address 216.194.67.56 that belongs to the network 216.194.64.0/19.
This network is part of the autonomous system AS13911 from the company Proxy-registered route object for GT.
Total of domains on ns1.domainmanager.com: 5173

NS2.DOMAINMANAGER.COM is running on the ip address 64.40.103.249 that belongs to the network 64.40.96.0/19.
This network is part of the autonomous system AS14280 from the company Proxy-registered route object for GT.
Total of domains on ns2.domainmanager.com: 5174


Type Name IP Reverse
NS ns2.domainmanager.com 64.40.103.249 ns1.domainmanager.com
NS ns1.domainmanager.com 216.194.67.56 green.domainmanager.com" }-

If only the Log window or the Packet's content window would show the originating program in a column, it would be easier.

I already let Spybot S&D hump all 6 hard disks over night. But it congratulated me with the fact that nothing was found.
I can only hope that this is harmless.

So my question is whether there is a way to find out which program it is which is trying to connect ?

http://i49.tinypic.com/nywa4p.png

Cudni
May 27th, 2010, 01:51 PM
see if MS TCPView gives you extra info you need

Memory
May 27th, 2010, 04:32 PM
I downloaded and fired up TCPView.
I have the LnS Log window open on the left, so I can see when the batch of 8 attempts is occurring. On the right I have the TCPView window open (running as Administrator) and sorted by ascending Protocol. This places all TCP protocol connections at the top and in clear view. But when the 8 connection attempts occur, nothing happens in the TCPView window.

Cudni
May 27th, 2010, 04:58 PM
Another approach is to download and use Process Explorer, as unlike TCPView it will show connections owned by the system. Right-click on an .exe you think might be communicating (including the System entry), then view the TCP/IP tab. I'm assuming no malware though.

Memory
May 27th, 2010, 05:52 PM
OK, I will do that now.
One thing which I forgot to mention is that when right after a (re)boot I open up the LnS Log window, I can already see the first 8 entries with connection attempts to domainmanager.com.
I already disabled all unnecessary startup programs and rebooted a couple of times, but the connection attempts persist.

Phant0m
May 27th, 2010, 06:17 PM
Restart the computer and call up the 'Driver Logs' on the 'Look 'n' Stop Console' screen; it should list applications that were recently active.

DLL Filtering on Win32 may also help.

Memory
May 27th, 2010, 11:06 PM
I did as Cudni suggested (right-click+properties+TCP-tab) on each exe in the window. But nothing with the IPs, or domainmanager.com domain names listed.
It might have been "disguised" in IPv6 format though.

Also just did what Phant0m suggested and rebooted.
The output of the LnS "Console >> Driver Logs-button" (just after reboot) is here : http://i45.tinypic.com/dy5dhz.png
The output of the LnS "Log window" (just after reboot) is here : http://i49.tinypic.com/250ng37.png

Memory
May 28th, 2010, 04:25 AM
I did some further tests this morning.
They are the 8 x "1 message Uplink" entries in the "Driver Logs".
Always 8, and in 2 batches of 4, with a delay of a couple of seconds up to 1 minute between the first 4 and the second 4.

ruinebabine
May 28th, 2010, 06:29 AM
DTaskManager (http://dimio.altervista.org/eng/) is another little tool that could help you here. The "Ports" tab would help you to spot the process name (and its PID) using those connections. There is no need to install, it's a simple executable.

(I mostly use AnVir Task Manager Pro for this but it's a multi-functional bigger gun to install.)

illicit
May 28th, 2010, 10:19 AM
Check to see if your registry has a key with a sub directory titled 'domain manager'.

Memory
May 28th, 2010, 11:13 AM
Tried with DTaskManager, but nothing happens visually when the 8 connection attempts occur, neither for local IP 10.0.0.103 (my PC on the LAN) nor for local IP 127.0.0.1.
I also do not see the IPs 216.194.67.56 and 64.40.103.249 anywhere in the remote IP column. Also all PID numbers show up as a dash. Everywhere.

I scanned the registry as Administrator and my own user id, but all that comes up are these matches :-{ Quote: "System.AppDomainManager
_AppDomainManager
System.AppDomainManagerInitializationOptions
Microsoft.VisualStudio.CommonIDE.VsAppDomainManager" }-

sparviero
May 28th, 2010, 03:26 PM
When the connection attempts occur, run a cmd console as administrator and issue the netstat -anb command, or netstat 3 -anb > C:\netstat.log
That logs at an interval of 3 seconds to C:\netstat.log; to stop it, press CTRL+C.
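The polling described above, as an added example that is not from the thread: a PowerShell loop (it runs on the Windows 7 PowerShell 2.0 in the thread) that reads netstat -ano every few seconds, keeps only the rows whose remote address is one of the two suspect IPs named earlier, and resolves the PID column to a process name and image path. The two addresses and the log path are the only assumptions.

```powershell
# Added example (the editor's, not from the thread): poll "netstat -ano"
# and map any TCP/UDP endpoint that talks to the suspect addresses back to
# its owning process. Run from an elevated PowerShell. The two addresses
# are the ones named earlier in the thread; adjust $Suspects as needed.
$Suspects = @('216.194.67.56', '64.40.103.249')
$Interval = 3                           # seconds between polls
$LogFile  = 'C:\netstat-suspects.log'   # assumed location, change freely

function Get-SuspectConnections {
    param([string[]]$RemoteIps)
    # netstat -ano rows look like:
    #   TCP  10.0.0.103:49170  64.40.103.249:80  SYN_SENT  1234
    #   UDP  0.0.0.0:3544      *:*                         1234
    # UDP rows have no State column, so the PID is taken from the last field.
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)') { return }
        $remote = $f[2] -replace ':\d+$', ''     # drop the port (IPv4 form)
        if ($RemoteIps -notcontains $remote) { return }
        $procId = [int]$f[-1]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = '<exited>'; $path = ''
        if ($proc) {
            $name = $proc.ProcessName
            try { $path = $proc.Path } catch { $path = '<access denied>' }
        }
        New-Object PSObject -Property @{
            Time = Get-Date -Format 'HH:mm:ss'; Proto = $f[0]; Local = $f[1]
            Remote = $f[2]; PID = $procId; Process = $name; Path = $path
        }
    }
}

while ($true) {
    $hits = @(Get-SuspectConnections -RemoteIps $Suspects)
    if ($hits.Count -gt 0) {
        $hits | Format-Table Time, Proto, Local, Remote, PID, Process, Path -AutoSize
        $hits | Format-Table Time, Proto, Remote, PID, Process, Path -AutoSize |
            Out-String -Width 200 | Out-File -FilePath $LogFile -Append
    }
    Start-Sleep -Seconds $Interval
}
```

The caveat a practitioner should keep in mind: netstat, TCPView and the like only enumerate TCP and UDP sockets. Packets carrying IP protocol 41 (IPv6 encapsulated in IPv4, as LnS reports here) and the ICMPv6 Router Solicitations seen later in the thread are generated by the kernel's tunnel driver, never own a socket, and will not show up in this loop no matter how fast it polls. A packet capture with a display filter such as ip.proto == 41 is the tool for those.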

Memory
May 28th, 2010, 07:52 PM
The current remote IP is still "green.domainmanager.com=216.194.67.56" in the LnS Log window.

I tried many times with netstat -abn. But I do not see any of the offending remote IPs.
Then I tried with netstat -abno 1 > C:\netstat1.log, followed by netstat -abno 1 > C:\netstat2.log
netstat1.log = first 4 connection attempts, netstat2.log = second 4 connection attempts.

I think that it has to do with the offending connects being Protocol 41 : IPv6 (encapsulation). See the screen shot in the OP.


sparviero
May 28th, 2010, 08:21 PM
Your *.log shows only 127.0.0.1 connections ESTABLISHED by [AppleMobileDeviceService.exe], no active internet connections.

Try to find domain name with netstat 3 -abf > C:\netstat.log , and surf.

Memory
May 29th, 2010, 02:20 AM
I'm under the impression that it has nothing to do with surfing or a browser. The protocol 41 (IPv6 address in an IPv4 packet) will never show the true contents of the packet with netstat.
Like I posted earlier. The entries are already there right after logging in. The first thing I do after hitting Enter on the log in screen, is open up LnS to check the log. And each time the entries are already there.
None of the browsers I use has permanent access to the internet, they always have to ask the first time they are fired up.
I also tried the following. Start up the PC, and let it sit at the log in screen for 30 minutes. To check if the connection attempts also occur before log in. But the first 4, then next 4 entries are always logged with the log in time.
So it is happening after/at log in. Unless LnS only protects, but does not log to the Console and Log windows, before the User is logged in.

Netstat log for "netstat 3 -abf > C:\netstat.log" attached.
The remote IP and domain name, have changed to ns1.domainmanager.com=64.40.103.249. See screen shots.

I'll probably just reformat.


Memory
May 31st, 2010, 12:35 AM
I was just now going to backup my files before the reformat. Did a quick check of the LnS log window. And I noticed that the remote IP and domain had changed into : 66-226-75-118.dedicated.abac.ne=66.226.75.118, still protocol 41, and type IP.
It should be : 66-226-75-118.dedicated.abac.net=66.226.75.118 though. Either LnS is dropping the 't', or is it done purposely by "the other side" ?
There's mostly pr0n cr.p hosted on that IP : http://www.myipneighbors.net/?s=66.226.75.118
Because I'm pretty determined now to find a fix for this pr0n cr.p, any new ideas before I do the format ?
Continuing with the backup now.

EDIT: : Forgot the screenshots :


ellison64
May 31st, 2010, 06:36 AM
Just wondering whether it's anything to do with the hosts file?... similar to the problem I had. Post 9 gives the fix...
http://www.wilderssecurity.com/showthread.php?t=265634
ellison

Memory
May 31st, 2010, 09:46 AM
No, just checked. See screen shot.
I double checked with notepad and did a find in the file for the domains and IPs. Nothing found.

The block of IPs 10.0.0.170 - 179 is reserved for my Linux VMware VMs.
They were added after the problem started.

Spybot S&D was installed only recently and added all those cr.p sites to the hosts file.

I do not think that the hosts file is involved because the traffic is of type IP, the other way around. So no domain name is known on my PC. I think that LnS resolves the IP to a domain name before it logs it. On top of that it is also of Protocol 41, an IPv6 IP in an IPv4 packet. So I do not know if the IPs which are shown in the log are the ones we should be looking for.

If only LnS would list the originating program, or PID in the log. But that is just whingeing on my part, mumble, mumble.


ellison64
May 31st, 2010, 01:00 PM
Maybe try a packet sniffer like Wireshark? It might show a bit more info.
http://www.wireshark.org/
ellison

sparviero
May 31st, 2010, 01:19 PM
It is using Teredo. If you want to turn off the tunnel, you simply must delete it, then create it again if you need it.

Use the netsh interface to see the syntax of the commands. cmd ==> netsh int ipv6 help is a good starting point.

Memory
May 31st, 2010, 04:27 PM
@ellison64:
Say I have installed Wireshark. Then what should I do ?
Sorry, I do not know the program, only heard of it.


@sparviero:
I opened a cmd-window as Administrator, and checked with ipconfig /all whether there were any weird/new Tunnel adapters, and if they were connected. Just the usual 4 tunnel adapters and the first one listed was connected.

Then, at the time the connection attempts occurred, I issued the ipconfig /all command a few times quickly. Nothing had changed.

Then I issued "netsh interface ipv6 reset" to kill any user specified settings. But I received this message in response to the command: "There's no user specified settings to be reset." I re-booted anyway.

After the re-boot I disabled Teredo Tunneling with "netsh interface teredo set state disabled" and received "Ok." in response.

I checked the state of the Teredo server : netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : disabled
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network

Then I waited to see if the connections would re-occur. They did. So I re-booted.

After the re-boot, and straight after the login, I went straight into LnS to display the Log window. But I could already see the first batch of 4 connection attempts.

So I re-enabled Teredo with "netsh interface teredo set state default" and received "Ok." in response.

I checked the state of the Teredo server : netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network

Cudni
May 31st, 2010, 04:44 PM
-{ Quote: "
Say I have installed Wireshark. Then what should I do ?
" }-
press Ctrl+i
this will open a list of available network interfaces. Click on Start button next to the one that you see packets being logged

Memory
May 31st, 2010, 05:07 PM
Hey, thanks for your answer.
I was caught up in another tab.
Will get to it.

Memory
June 1st, 2010, 05:05 AM
OK. Yesterday, after I posted, it was quite late so I downloaded WireShark this morning.

I attached screen shots of the WireShark capture, and the LnS Log Window.
The 8 blue "Router Solicitation" lines in the WireShark capture correspond to the 8 log entries at the top in the LnS Log window ( U-32 - U-39 ), and also to the 8 "1 message Uplink" entries at the bottom in the LnS Console window.

I selected the first occurrence of the "Router Solicitation" lines, to make the "Internet Protocol" in the window below it expand.
No surprises here, and still not the source of the connection attempts.


sparviero
June 1st, 2010, 06:56 AM
Try to disable all IPv6 components, except the IPv6 loopback interface.
(Type 0xffffffff) This value also configures Windows to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.

http://support.microsoft.com/kb/929852#appliesto
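The registry change from that KB article, as an added example that is not from the thread or the article: a PowerShell script that exports the Tcpip6 parameters key first, shows the current DisabledComponents value, writes 0xffffffff, and reads it back. The key and value name are the ones KB929852 documents; the backup location is an assumption.

```powershell
# Added example (the editor's, not from the KB article): back up the Tcpip6
# parameters key, show the current DisabledComponents value, then set it.
# Run from an elevated PowerShell. A reboot is required afterwards.
$KeyPath = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'   # reg.exe form
$PsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'  # provider form
$Name    = 'DisabledComponents'
$Backup  = Join-Path $env:USERPROFILE 'Tcpip6-Parameters-backup.reg'    # assumed path

# 1. export before touching anything, so the change can be reverted
reg export $KeyPath $Backup /y | Out-Null
"Backup written to $Backup"

# 2. current value; an absent value means every IPv6 component is enabled.
#    The DWORD comes back as a signed Int32, so mask it before printing.
$current = (Get-ItemProperty -Path $PsKey -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -eq $null) { 'DisabledComponents is not set (IPv6 fully enabled)' }
else { 'DisabledComponents = 0x{0:x8}' -f ($current -band 0xffffffff) }

# 3. 0xffffffff = disable all IPv6 components except the loopback interface
#    and prefer IPv4 in prefix policies. reg.exe takes the hex form directly,
#    which sidesteps the Int32/UInt32 conversion the registry cmdlets trip
#    over for a DWORD with the high bit set.
reg add $KeyPath /v $Name /t REG_DWORD /d 0xffffffff /f | Out-Null

# 4. read back, then reboot
$now = (Get-ItemProperty -Path $PsKey -Name $Name).$Name
'Now: 0x{0:x8}' -f ($now -band 0xffffffff)
'Reboot for the change to take effect. To revert: reg import "{0}"' -f $Backup
```

Two caveats. Later revisions of that KB article steer people to 0xff rather than 0xffffffff for Windows 7 and Server 2008 R2 (the all-ones value is documented there as causing a delay at startup); both disable everything except loopback. And as the next post in the thread says, this only stops the packets, it does not name the process that causes them.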

Memory
June 1st, 2010, 08:16 AM
That will probably stop the connects.
But will that show me the origin of the connects ?

EDIT: :
I disabled all IPv6 by editing the registry as per the MS Support KB-article, and then re-booted.
And indeed, that killed the connects.
Thanks! my man. :) Finally.

Any ideas how I can find out what program/service is connecting ?
I'll explain why I want to know.
I notice this started when I came back from a holiday. I allowed someone to use my PC during that holiday. I confronted him with it. He is not showing up anymore ever since, and not picking up the phone. I do not want a SWAT team breaking into my house.
Although I had an atomic bunker built, with a food supply for 50 years, ever since my son started downloading torrents. ;D

Memory
June 1st, 2010, 09:08 AM
I think that I was happy too soon.
There are now connects visible in WireShark to 64.40.103.249 (ns1.domainmanager.com) over TCP instead of ICMPv6.
And some of them are in green (success?), and some of them are in red (failed?).


Stem
June 1st, 2010, 09:16 AM
Hi,

Try Port explorer, that will sniff packets and show PID/application sending the packets..

http://www.softpedia.com/progDownload/DiamondCS-Port-Explorer-Download-9933.html

Memory
June 1st, 2010, 09:20 AM
Hi,

Thanks for that one. Grabbing it now. What's best, should I start with IPv6 disabled (as it is now) or IPv6 enabled ?

Stem
June 1st, 2010, 09:24 AM
Hi,

Just leave IPV6 disabled.

- Stem

Memory
June 1st, 2010, 09:36 AM
OK, then. It's already installed and now waiting for the next batch of connects.
I'm quitting the browser to lower the number of connections in the program.

Memory
June 1st, 2010, 10:05 AM
I do not believe that this is happening.
With IPv6 disabled : nothing visible in Port Explorer.
With IPv6 enabled : nothing visible in Port Explorer.

Stem
June 1st, 2010, 10:10 AM
Maybe a problem installing onto your OS.

Try TCPview. It does not sniff or log so you would need to watch (not a problem if the connections are made frequently), but it will show endpoint connections and application bound to endpoint.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx


- Stem

Memory
June 1st, 2010, 10:23 AM
That would be strange, I installed with "Run as administrator", and then re-booted. But it doesn't matter really.
I'll give TCPView a chance to help me out.

Thanks for the suggestions so far everyone.

Memory
June 1st, 2010, 11:22 AM
Stem, I have to change my pen name.
I already tried TCPView before, with the same result now. (see post #3 (http://www.wilderssecurity.com/showpost.php?p=1684932&postcount=3)).

ellison64
June 1st, 2010, 01:51 PM
Do you have all your applications in the LnS application filtering screen set to log, as they are off by default? You need to click to get the !! symbols next to the application you want to log. From the earlier log it was pointed out that only iTunes seemed to show an established connection, so it may be worth disabling each application or removing each application entry and trying to see which one (if any) is responsible for the entry.
ellison

Cudni
June 1st, 2010, 02:50 PM
what progs do you have on startup? can you review and maybe even post, if you feel like, the list of them (use MS Autoruns - Logon tab)

Memory
June 1st, 2010, 03:22 PM
I attached screen shots of the LnS App Filtering Window, and the Logon-tab of MS Autoruns.
If there are anymore tabs you need to see, let me know.


sparviero
June 1st, 2010, 03:52 PM
Leave IPV6 disabled.

1. First let’s go to “Start” and then click on “Run”.

2. When the Run box opens, just type in “services.msc” and press “OK”. Next the Services applet will load.

3. Verify if WinHTTP WebProxy Auto-Discovery Service is set to "Disabled" or "Manual"

4. Go to “Start” and then click on “Run”, type in “regedit” and press “OK”

go to "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

if you find any "dword" value with name "xxxxxProxy.xxx" , delete it.

Finally, restart your computer

Cudni
June 1st, 2010, 04:07 PM
looking at those on autostart, they don't seem they would be using that .com. I know you used S&D but could you also scan with MBAM and maybe Gmer?

Memory
June 1st, 2010, 04:54 PM
@sparviero:
IPv6 off, and WinHTTP WebProxy Auto-Discovery Service was set to Manual, and it was Started.
And I couldn't find a "dword" value with name "xxxxxProxy.xxx". see screenshot below.

@Cudni:
Is it enough to scan just the harddisk with Windows 7 installed ?
And is it going to take long, or can I wait for it ?
If it is going to take long I will scan overnight.


sparviero
June 1st, 2010, 05:04 PM
From "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

delete value

AutoConfigProxy
MigrateProxy
ProxyEnable
ProxyOverride

restart

Memory
June 1st, 2010, 05:07 PM
OK, now I see. Your mask value had a dot in it, and I didn't see any dword name with a suffix.

What am I actually deleting, and is it reversible ?

EDIT: I already exported the registry key.

Cudni
June 1st, 2010, 05:11 PM
-{ Quote: "
Is it enough to scan just the harddisk with Windows 7 installed ?
And is it going to take long, or can I wait for it ?
If it is going to take long I will scan overnight.
" }-
Yes do the main drive. Watch it for a bit before leaving it scanning (if you see it will take long)

sparviero
June 1st, 2010, 08:53 PM
-{ Quote: "I already exported the registry key." }-

sorry, I forgot to say, before changing any reg.key export first the same key.

Memory
June 2nd, 2010, 03:24 AM
@sparviero:
I deleted the 4 proxy values, and rebooted. IPv6 is completely disabled as you suggested. Then I fired up WireShark. I thought the problem was gone, because the 8 connects occur at 13 minute intervals and I did not see anything happening in WireShark, apart from the almost retarded router and repeater traffic. But after about 20 minutes I got to see what's in the WireShark screen shot below. It looks like the program which is trying to connect also receives acknowledgments now from one of the IPs : 64.40.103.249 .

@Cudni:
See the screenshots of GMER below. I do not think that it is compatible with Windows 7. It's not mentioned on the GMER homepage either (up to Vista). I tried running it as my own user profile, and as administrator. Same results.
I also tried their MBR rootkit detector (mbr.exe), and attached the mbr.log file.
I also ran their Userland rootkit detector (catchme.exe) but that just flashed a command window and nothing more. I also didn't get to see a Scan-button as per the program's home page. So I opened a cmd-window as administrator and called catchme.exe from the command line. Here is a screenshot of the output : http://i45.tinypic.com/28hfqd2.png (maximum of 5 attachments reached so uploaded externally). But I doubt if that is to be believed because I ran "sfc.exe /scannow" and the installation came out clean. I guess that this program is also not Windows 7 compatible.
I will run MBAM later today, because it was quite late at the end of the GMER saga and I forgot to install and run MBAM.

WireShark capture after the 4 proxy values were deleted from the registry : (screenshot)

GMER at startup : (screenshot)

GMER at scan start : (screenshot)

GMER end result : (screenshot)

Thomas M
June 2nd, 2010, 06:55 AM
Memory,

Puhh, you are spending such a long time on this issue...
Just do a backup and reinstall your OS ;)

If you still speculate on malware that might have hit your machine, why don't you boot from an external medium, and do a scan of your harddrive from "outside"? These rootkits are pretty clever in hiding...
There are a couple of free products out there to scan your machine before it can boot from its own harddisk.
One example of a free scanner is here:
<http://thepcsecurity.com/virus-scan-boot-disk-from-avira/>

Good luck,
Thomas :)

Memory
June 2nd, 2010, 08:12 AM
-{ Quote: "Memory,

Puhh, you are spending such a long time on this issue...
Just do a backup and reinstall your OS ;) .......... " }-I hear what you are saying man. I have already made backups of the C drive, and was going to re-format. And it is indeed long time spent on it. But I have this so called long time friend (since highschool) who is hiding. Just read or re-read post #26 (http://www.wilderssecurity.com/showpost.php?p=1687190&postcount=26) where I explain why I changed my mind.

sparviero
June 2nd, 2010, 08:31 AM
Ok, now we know that your internet connection needs Proxy Auto-Discovery configuration files, "wpad.dat" files, that provide central administration for proxy connections to the Internet.
DNS query for "wpad.<dns suffix>" ==> wpad.INTERNET.NET

1. go into your Firefox or IE or other browser settings and disable proxy autodetection. You probably don’t need it anyway, and it slows down your first page load. If you use a network that does require a proxy, find out what the proxy is and enter its settings manually.

The only reason you wouldn’t be able to do this is if you are joined to a domain that sets this setting to On via domain Group Policy, or if you run the ISA Firewall Client with the option “Enable Web Browser Automatic Configuration” enabled (in which case you can just disable that setting, too.)

ex.
Disable proxy settings in Firefox 3.x:

• Select Tools and then Options.

• Click the Advanced tab.

• Open the Network tab.

• Click the Settings button in the Connections area.

• Select No Proxy.

• Click OK.

2. make sure you do not have a machine registered as WPAD at each domain level, in both DNS and WINS.

3. Open Network Connections by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

4. Click the Networking tab. Under This connection uses the following items, click either Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6), and then click Properties.
To specify IPv4 IP address settings, do one of the following:
To obtain IP settings automatically, click Obtain an IP address automatically, and then click OK.
To obtain a DNS server address automatically, click Obtain DNS server address automatically, and then click OK.

5. To change DNS, WINS, and IP settings, click Advanced.
open DNS
if exist DNS server addresses ==> delete it
open WINS
if exist WINS addresses ==> delete it

restart

Memory
June 2nd, 2010, 09:30 AM
sparviero, I checked all of it. Everything was already set as you suggested to check and/or set it.

ellison64
June 2nd, 2010, 02:49 PM
I know this is a Look 'n' Stop forum, but maybe at this point it may be worth uninstalling Look 'n' Stop for the time being and installing something like Outpost Firewall, which has much better logging capabilities plus the ability to block those domains with web filtering. You could try the 30-day trial Pro version and see if it can give more insight.
ellison

sparviero
June 2nd, 2010, 02:55 PM
Ok, looks like you now are playing with “Direct Access”, then you will need to be sure to delete the previously acquired WPAD script and resolved WPAD name.

The easiest way to accomplish this is to execute the following steps:
Clear the browser cache completely: ActiveX Controls, Cookies, History, etc..
Close all instances of browser.
Delete all WPAD script instances.
Open a command window as administrator and type the following command:
del \wpad.*.*.dat /s
del \wpad*.dat /s
del \proxy*.pac /s
del \*.pac /s

Clear the DNS and Netbios name caches.
Open a command window as administrator and type the following commands:
ipconfig /flushdns
nbtstat -R

You should now have a clean starting point for testing changes.
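The proxy-value check from a few posts back and the WPAD/PAC cleanup above, combined into one added example that is not from the thread: a PowerShell script that reports the per-user proxy values, the WinHTTP auto-proxy service state, what wpad.<suffix> resolves to for each DNS suffix on the machine, and any cached WPAD/PAC files, and only deletes and flushes when run with -Clean. The isatap.<suffix> lookup is the editor's addition (Windows resolves that suffix-derived name on its own too, and a wildcard zone will answer it just like wpad); the extra value names ProxyServer and AutoConfigURL are where a static proxy or PAC URL would sit.

```powershell
# Added example (the editor's, not from the thread): audit what the thread
# checks by hand, deleting nothing unless -Clean is given.
# Save as Audit-Wpad.ps1 and run from an elevated PowerShell (2.0 is enough).
param([switch]$Clean)

$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. proxy-related values under Internet Settings: the four named in the
#    thread plus ProxyServer and AutoConfigURL (static proxy / PAC URL)
$props = Get-ItemProperty -Path $IS
foreach ($n in 'AutoConfigProxy','MigrateProxy','ProxyEnable','ProxyOverride','ProxyServer','AutoConfigURL') {
    if ($props.$n -ne $null) { '{0,-16} = {1}' -f $n, $props.$n }
}

# 2. WinHTTP Web Proxy Auto-Discovery service (service name WinHttpAutoProxySvc)
Get-WmiObject Win32_Service -Filter "Name='WinHttpAutoProxySvc'" |
    ForEach-Object { 'WinHttpAutoProxySvc: {0}, start mode {1}' -f $_.State, $_.StartMode }

# 3. suffix-derived names. A wildcard DNS zone in one of these suffixes makes
#    wpad.<suffix> (and isatap.<suffix>) resolve to whatever host parks it.
$suffixes = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSDomain; $_.DNSDomainSuffixSearchOrder } |
    Where-Object { $_ } | Sort-Object -Unique
foreach ($s in $suffixes) {
    foreach ($label in 'wpad', 'isatap') {
        $fqdn = "$label.$s"
        try   { $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString } }
        catch { $ips = @('(no answer)') }
        '{0,-40} -> {1}' -f $fqdn, ($ips -join ', ')
    }
}

# 4. cached WPAD scripts and PAC files, drive-wide like the thread's "del /s"
$pacs = @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include 'wpad*.dat', '*.pac' -ErrorAction SilentlyContinue)
$pacs | ForEach-Object { 'PAC/WPAD file: ' + $_.FullName }

if ($Clean) {
    $pacs | Remove-Item -Force -ErrorAction SilentlyContinue
    ipconfig /flushdns | Out-Null
    nbtstat -R        | Out-Null
    'Deleted {0} file(s); DNS and NetBIOS name caches flushed. Reboot before re-testing.' -f $pacs.Count
}
```

Run it once without -Clean and keep the output: if wpad.<suffix> or isatap.<suffix> resolves to one of the addresses LnS has been logging, that explains where the name came from without any program on the PC ever asking for domainmanager.com by name. The drive-wide file search is slow; the usual home for a cached wpad.dat is the user's Temporary Internet Files folder.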

Memory
June 2nd, 2010, 05:17 PM
@ellison64:
LnS is blocking the connects that show up in the Log window.
It is only when I disable IPv6 completely, I suspect (so I'm not sure) that the program/process which connects switches to regular TCP connects and succeeds. But I'm a WireShark noob. And according to the docs, the red colour marks problem packets (out of order, chopped off, etc.). So maybe I'm still protected by noobie luck.

@sparviero:
I'm prepared to do what you suggest because it has been very useful advice you've given to me. I'm going to get rid of the problem with a secure erase later, and then restore the full backup I made just after installing Windows 7. That backup contains only the fresh OS, nothing else, and should be clean.

But right now, I really like to discover which program/process/service is causing the connects to these shared hosting IPs with cr.p/smut sites.
I need to know if my PC was turned into a sleeping terrorist cell (ready to be woken up) or not.
I also emailed my ISP today to ask for the traffic logs from the period I was on holiday. But they'll probably not (be able to) oblige. If they keep their logs for that long anyway.

ellison64
June 2nd, 2010, 05:34 PM
-{ Quote: "@ellison64:
LnS is blocking the connects that show up in the Log window.
It is only when I disable IPv6 completely, I suspect (so I'm not sure) that the program/process which connects switches to regular TCP connects and succeeds. But I'm a WireShark noob. And according to the docs, the red colour marks problem packets (out of order, chopped off, etc.). So maybe I'm still protected by noobie luck.

@sparviero:
I'm prepared to do what you suggest because it has been very useful advice you've given to me. I'm going to rid off the problem with a secure erase later, and then restoring the full backup I made, just after installing Windows 7. That backup contains only the fresh OS, nothing else, and should be clean.

But right now, I really like to discover which program/process/service is causing the connects to these shared hosting IPs with cr.p/smut sites.
I need to know if my PC was turned into a sleeping terrorist cell (ready to be woken up) or not.
I also emailed my ISP today to ask for the traffic logs from the period I was on holiday. But they'll probably not (be able to) oblige. If they keep their logs for that long anyway." }-

I would still try Outpost, as it probably has the best logging system of any firewall. Uninstall Look 'n' Stop (you can keep registry entries for licensing and rules for reinstallation by unticking the box on the uninstall screen later) and try the trial version of Outpost Pro. I think you'll benefit from the more in-depth logging, which may show what is trying to connect.
ellison

sparviero
June 2nd, 2010, 05:40 PM
-{ Quote: " I really like to discover which program/process/service is causing the connects to these shared hosting IPs with cr.p/smut sites." }-

What the heck is this WPAD thing?

All major browsers currently support this feature. Only Opera (windows) doesn't support the WPAD protocol.
Note that many installed applications on windows by default following IE proxy settings, so which program/process/service is causing the connects ? maybe you could find this with another firewall, but certainly not with outpost, as suggested. ;)