
A request from my system not seen before


marcusa
May 11th, 2004, 04:33 PM
Hey guys

Thanks for all the help you have given in the past. I don't know if you have seen this one, but it was new to me.

My latest little thing from the Sygate Personal Firewall I use is

crss.exe wanting to talk to IP 224.0.0.22

This IP resolves to igmp.mcast.net

I obviously blocked it and ran Spybot S&D to be on the safe side, all this taking me away from watching Gone in 60 Seconds :(

I have that up to date and have SpywareGuard and SpywareBlaster on this machine, so was not worried about it, just surprised when it asked, as I had just turned the machine on.

Anyway, there you go, that's my surprise of the day.

Paranoid2000
May 11th, 2004, 07:57 PM
Are you sure about the spelling? There is a process csrss.exe which is the Client Server Runtime SubSystem (one of the Default Processes in Windows 2000 (http://support.microsoft.com/support/kb/articles/Q263/2/01.ASP)) but this should have no need for network access. There is also a trojan Gutta (http://securityresponse.symantec.com/avcenter/venc/data/trojan.gutta.html) that uses a file with the same name (although Symantec's description seems to suggest that it should not need network access either). In either case, I would suggest blocking it and doing some further investigation.

If the spelling is correct and the file is in the Windows System folder then I would be very suspicious (many malware programs try to use similar spelling to Windows' files) and would suggest a scan with your favoured anti-trojan utility.

The 224.0.0.22 address is reserved for IGMP membership reports (see RFC 3376 - Internet Group Management Protocol, Version 3 (http://www.faqs.org/rfcs/rfc3376.html) for more details) - IGMP itself is used for transmitting data to a group of other systems. To this extent, no conclusion can be drawn as to whether this traffic is legitimate or not - but unless you are using audio or video streaming software (the main use for IGMP), there is no need for your system to be using it in the first place.
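
The checks discussed in the reply above (is the name a near-miss of a real Windows process, is the file where it should be, and what kind of address is it contacting) can be sketched as a small triage script. This is an added example, not part of the original thread; the allow-list, the system folder path and the sample firewall prompts are assumptions constructed for illustration.

```python
import ipaddress
import ntpath

# Assumption: allow-list of Windows system process names and the folder they
# load from; the folder differs per install (C:\WINNT\system32 on Windows 2000).
SYSTEM_DIR = r"c:\windows\system32"
KNOWN = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "services.exe", "winlogon.exe"}
IGMP_V3_REPORTS = ipaddress.ip_address("224.0.0.22")  # RFC 3376


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_image(path):
    """Return (verdict, nearest known name) for an executable path."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN:
        return ("expected" if directory == SYSTEM_DIR else "misplaced", name)
    nearest = min(KNOWN, key=lambda k: (edit_distance(name, k), k))
    if edit_distance(name, nearest) <= 2:
        return ("lookalike", nearest)
    return ("unlisted", None)


def describe_destination(ip):
    """Label the destination so multicast housekeeping is not read as a remote host."""
    addr = ipaddress.ip_address(ip)
    if addr == IGMP_V3_REPORTS:
        return "igmpv3-membership-report"
    return "multicast" if addr.is_multicast else "unicast"


# Constructed firewall prompts: (image path, destination IP)
EVENTS = [
    (r"C:\WINDOWS\system32\crss.exe", "224.0.0.22"),
    (r"C:\WINDOWS\system32\csrss.exe", "224.0.0.22"),
    (r"C:\Temp\csrss.exe", "192.0.2.10"),
]


def triage(events=EVENTS):
    return [(p, *classify_image(p), describe_destination(ip)) for p, ip in events]
```

A "lookalike" or "misplaced" verdict is a prompt to block and scan, not proof of infection, and the destination label only says what kind of traffic it is, not whether it is legitimate.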