219.145.179.103 in China on my system!

Discussion in 'Port Explorer' started by Fraha, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Pigitus

    Pigitus Guest

    Jookse,

    PE's Whois does resolve the IP address correctly. You are right. But when you right-click on a line in PE, choose "Resolve IP ..." and type the above IP in, the "Host" line says "Could not resolve IP address", though the "Country" line indicates "China". The "Host" line typically does a good job showing a detailed DNS name under ARIN, but apparently not under APNIC, as is the case here?
     
  2. Pigitus

    Pigitus Guest

    Fraha,

    I was wondering about the program name and path that caused this contact with China. PE can identify this program in the first column.

    Since the PID is 4, are you saying that instead of a program name and file path you simply got "* SYSTEM" under the "Process" column?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The resolve tries to find the DNS name, and it looks like it is not sure.
    I see in resolving rather often addresses in China that could not resolve the host, for instance, or addresses in AU, which are a lot of the time on APNIC too.
    In this case the IP is on the Chinanet, but the node itself is in AU, so maybe this is a reason for Port Explorer to be uncertain and rather say it could not find it.
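
The point made above is that whois and resolving are two separate lookups: the registry (APNIC, ARIN) records who holds an address block and in which country, while resolving asks DNS for a PTR record that the block's holder may never have published, so "Country: China" together with "Could not resolve IP address" is a consistent result. The Python script below is an added illustration of that split, not Port Explorer's code. The PTR table and the whois record in it are constructed sample data (the allocation range, netname and description are placeholders); `socket.gethostbyaddr` is used only when no table is supplied.

```python
"""Reverse DNS (PTR) versus registry whois: two independent lookups.

Added illustration; not Port Explorer code. The PTR table and the whois
record below are constructed sample data, not real query results.
"""
import ipaddress
import socket
from typing import Dict, Optional


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa name a resolver queries for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed PTR answers standing in for the resolver. An IP absent from
# the table models NXDOMAIN, i.e. PE's "Could not resolve IP address".
CONSTRUCTED_PTR_TABLE: Dict[str, str] = {
    "1.0.0.127.in-addr.arpa": "localhost",
}


def reverse_lookup(ip: str, table: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the PTR hostname for ip, or None when there is no record.

    With table=None the real resolver is asked via socket.gethostbyaddr;
    with a table supplied the lookup stays offline.
    """
    if table is not None:
        return table.get(ptr_name(ip))
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed whois record in the RIR key/value style (inetnum, netname,
# country). Range, netname and description are placeholders, not APNIC data.
CONSTRUCTED_WHOIS = """\
% Constructed sample, not a live registry response
inetnum:        219.145.0.0 - 219.145.255.255
netname:        EXAMPLE-NET
descr:          placeholder allocation record
country:        CN
source:         EXAMPLE
"""


def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines of a registry record, skipping % comments."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def covers(inetnum: str, ip: str) -> bool:
    """True if ip lies inside an 'a.b.c.d - e.f.g.h' inetnum range."""
    lo, _, hi = (part.strip() for part in inetnum.partition("-"))
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)


def attribute(ip: str, whois_text: str,
              ptr_table: Optional[Dict[str, str]] = None) -> Dict[str, Optional[str]]:
    """Combine both answers the way a tool shows a Host and a Country line.

    The registry fields are only trusted if the record's range covers ip.
    """
    rec = parse_whois(whois_text)
    in_range = "inetnum" in rec and covers(rec["inetnum"], ip)
    return {
        "host": reverse_lookup(ip, ptr_table),
        "country": rec.get("country") if in_range else None,
        "netname": rec.get("netname") if in_range else None,
    }


if __name__ == "__main__":
    # Host is None (no PTR) while the registry still yields a country.
    print(attribute("219.145.179.103", CONSTRUCTED_WHOIS, CONSTRUCTED_PTR_TABLE))
```

Running it against the constructed data gives a `host` of `None` and a `country` of `CN` for the same address, which is exactly the combination the thread found puzzling: the two fields come from different databases and neither failure implies the other.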
     
  4. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Jooske,

    Thanks for making the distinction between the IP and the node, and for suggesting that PE's DNS resolution may be confused because it does not make that distinction. However, I think this whole thing about resolving the DNS should be improved in PE. Maybe PE ought to be able to distinguish between IP and node in order to be no longer confused.

    Therefore, I am sure you would agree that, in the spirit of improving the product, this comment should be passed on to DiamondCS. How best to do that? As a moderator, is it part of your tasks to send product-improvement suggestions to DiamondCS when they occur under your watch? Or do you think that I should do it? Or is someone else at DiamondCS watching, for sure, what we are writing about here and will automatically forward the suggestion to the PE programmer(s)? Your answer here will be useful in the future, since this is my first day posting at Wilders.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Be assured the DiamondCS team is on the board frequently and will correct this if our conclusions are wrong, telling us where it is wrong, or will applaud and tell us it will be on the worklist for improvements for a next version.
    I remember Gavin long ago told us there is a difference between whois and resolving, but what exactly it was and where... must be a few years ago, could have been in the TDS forum or in this one; will be some searching :(
     
  6. Duncan_922

    Duncan_922 Guest

    They could be using a program like Anonymizer... It selects different proxies around the world to confuse and conceal your real IP. I'd be worried about that NWEReboot entry in your registry. One of my users' PCs has been acting up lately and I found it in the registry too. A little research on Google has turned up nothing. It seems to be something pretty new and nobody knows what it is.
     
  7. zero'z down

    zero'z down Guest

    Try winipcfg: release your IP, wait for a bit and renew; see if you're still bothered.
    Turn off System Restore, then purge the restore directory.
    Run a virus scan and/or Ad-Aware and Spybot.
    Make sure all are up to date.
    Check your ActiveX and script settings; block 3rd party under Options > Advanced; in fact remove Java and ActiveX altogether. Initialize Trusted Sites in Internet Explorer to the minimum level and block untrusted sites. Check bootlog files and system install logs to see if programs bundled their software with unknown applications.
    Check ODBC in Control Panel for suspicious additions; check to see if you're using signed drivers; check date/time stamps on software for newly added rogues.
    If it just started, type scanreg /restore and choose a time when your computer was running fine.
    To find out what is accessing, use a file dependency checker!!
     
  8. Mephisto

    Mephisto Guest

    I would tick these for removal in Hijack This:

    O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    Personally, I wouldn't allow any sites into my Trusted Zone - very dangerous (IMO). free.aol.com is spyware notorious for installing itself into your safe zones.

    O15 - Trusted Zone: www.anwb.nl
    O15 - Trusted Zone: http://www.diamond.com.au
    O15 - Trusted Zone: www.diamondcs.com.au
    O15 - Trusted Zone: http://www.devolkskrant.nl
    O15 - Trusted Zone: www.euro2004.com
    O15 - Trusted Zone: http://groups.msn.com
    O15 - Trusted Zone: www.nos.nl
    O15 - Trusted Zone: http://www.nos.nl
    O15 - Trusted Zone: http://www.nosnieuws.nl
    O15 - Trusted Zone: europe.real.com
    O15 - Trusted Zone: nl.sitestat.com
    O15 - Trusted Zone: www.tspeedtest.nl
    O15 - Trusted Zone: http://home.wanadoo.nl


    Some say this is an OK toolbar ... some say it's pending and some say it's spyware. I would keep my eyes on it.


    O15 - Trusted Zone: www.anwb.nl
    O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
    O9 - Extra button: ANWB (HKLM)
    O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342
    http://www.spywaredata.com/spyware/toolbar.php?status=
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Just in case you are interested, this is the same IP address I was getting when I trialed Foxmail. Here is what my NSASoft Whois brought up.
     


  10. Mephisto

    Mephisto Guest

    Get rid of these and you're fine - this is a Searchmaid infection.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
    O15 - Trusted Zone: www.euro2004.com
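
The two HijackThis posts above apply a small set of triage rules by eye: an O2 BHO whose CLSID points at "(no file)" is an orphaned registration, every O15 entry widens what Internet Explorer lets a site do, and a start page that is also in the Trusted Zone is a stronger signal than either alone. The Python script below is an added example of the same triage automated over log lines, not HijackThis code or anything from the thread's participants; the sample lines are copied from the posts above, while the rules and the `Finding` categories are this example's own.

```python
"""Triage of HijackThis log lines: flag orphaned BHOs and Trusted Zone entries.

Added example, not HijackThis code. The sample lines are taken from the
thread; the flagging rules and categories are this example's own.
"""
import re
from typing import List, NamedTuple, Optional, Set
from urllib.parse import urlparse

# Log lines as posted in the thread (raw string keeps the registry backslashes).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ANWB (HKLM)
O15 - Trusted Zone: www.euro2004.com
O15 - Trusted Zone: www.diamondcs.com.au
"""

# "R0 - ..." / "O15 - ..." : section code, separator, body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# Braced GUID as HijackThis prints CLSIDs: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Entry(NamedTuple):
    code: str
    body: str


class Finding(NamedTuple):
    code: str
    reason: str
    detail: str


def parse_log(text: str) -> List[Entry]:
    """Split a log into (code, body) entries, ignoring lines that do not match."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def host_of(value: str) -> str:
    """Hostname of a URL, or the bare host string when no scheme is present."""
    if "://" in value:
        return urlparse(value).hostname or value
    return value.strip()


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the thread's rules of thumb as explicit checks."""
    findings = []
    for e in entries:
        if e.code == "O2" and e.body.endswith("(no file)"):
            clsid = CLSID_RE.search(e.body)
            findings.append(Finding("O2", "BHO registered but its DLL is missing",
                                    clsid.group(0) if clsid else e.body))
        elif e.code == "O3":
            clsid = CLSID_RE.search(e.body)
            findings.append(Finding("O3", "third-party toolbar; review its DLL path",
                                    clsid.group(0) if clsid else e.body))
        elif e.code == "O6":
            findings.append(Finding("O6", "IE restrictions policy present", e.body))
        elif e.code == "O15":
            findings.append(Finding("O15", "site granted Trusted Zone permissions",
                                    host_of(e.body.partition(":")[2])))
        elif e.code == "R0" and "Start Page" in e.body:
            findings.append(Finding("R0", "start page set",
                                    e.body.partition("=")[2].strip()))
    return findings


def correlated_hosts(findings: List[Finding]) -> Set[str]:
    """Hosts that are both the start page and in the Trusted Zone."""
    trusted = {f.detail for f in findings if f.code == "O15"}
    start = {host_of(f.detail) for f in findings if f.code == "R0"}
    return trusted & start


if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f.code:<4} {f.reason}: {f.detail}")
    print("start page also trusted:", correlated_hosts(results))
```

On the sample log the O2 line is reported by its CLSID, both O15 sites are listed, and `correlated_hosts` returns `www.euro2004.com`, the host that appears as the hijacked start page and as a Trusted Zone entry at once, matching what the post above singles out for removal.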
     