How to know which program is connecting to domainmanager.com by IP?

Discussion in 'LnS English Forum' started by Memory, May 27, 2010.

Thread Status:
Not open for further replies.
  1. Memory

    Memory Guest

    That will probably stop the connects.
    But will that show me the origin of the connects?

    EDIT:
    I disabled all IPv6 by editing the registry as per the MS Support KB article, and then re-booted.
    And indeed, that killed the connects.
    Thanks! my man. :) Finally.

    Any ideas how I can find out what program/service is connecting?
    I'll explain why I want to know.
    I notice this started when I came back from a holiday. I allowed someone to use my PC during that holiday. I confronted him with it. He is not showing up anymore ever since, and not picking up the phone. I do not want a SWAT team breaking into my house.
    Although I had an atomic bunker built, with a food supply for 50 years, ever since my son started downloading torrents. :D
     
    Last edited by a moderator: Jun 1, 2010
  2. Memory

    Memory Guest

    I think that I was happy too soon.
    There are now connects visible in Wireshark to 64.40.103.249 (ns1.domainmanager.com) over TCP instead of ICMPv6.
    And some of them are in green (success?), and some of them are in red (failed?).

    ns1.domainmanager.com_WireShark_02_01-06-2010_15-04-33.png
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  4. Memory

    Memory Guest

    Hi,

    Thanks for that one. Grabbing it now. What's best, should I start with IPv6 disabled (as it is now) or IPv6 enabled?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    Just leave IPV6 disabled.

    - Stem
     
  6. Memory

    Memory Guest

    OK, then. It's already installed and now waiting for the next batch of connects.
    I'm quitting the browser to lower the number of connections in the program.
     
  7. Memory

    Memory Guest

    I do not believe that this is happening.
    With IPv6 disabled : nothing visible in Port Explorer.
    With IPv6 enabled : nothing visible in Port Explorer.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Maybe a problem installing onto your OS.

    Try TCPview. It does not sniff or log so you would need to watch (not a problem if the connections are made frequently), but it will show endpoint connections and application bound to endpoint.

    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx


    - Stem
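    The "watch the endpoints and map them to an application" approach Stem describes, as an added PowerShell example that is not from the thread or from TCPView: it polls netstat -ano (available on Windows 7, where Get-NetTCPConnection is not) for any connection to the suspect address and looks up the owning process and any services hosted in it. The address is the one named in the thread; the poll interval and duration are assumptions.

```powershell
# Added example, not from the thread: poll "netstat -ano" and map any connection
# to $TargetIp back to its owning process. Run from an elevated PowerShell so the
# image paths of other users' and system processes are readable.
param(
    [string]$TargetIp = '64.40.103.249',   # address from the Wireshark capture
    [int]$IntervalSeconds = 1,             # assumption: 1 s poll
    [int]$DurationMinutes = 30             # assumption: covers two 13-minute cycles
)

$deadline = (Get-Date).AddMinutes($DurationMinutes)
$seen = @{}   # key "pid|remote", so each process/endpoint pairing is reported once

while ((Get-Date) -lt $deadline) {
    # TCP rows: Proto LocalAddr ForeignAddr State PID ; UDP rows have no State column
    $rows = netstat -ano | Select-String -SimpleMatch $TargetIp
    foreach ($row in $rows) {
        $f = $row.Line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $proto  = $f[0]
        $remote = $f[2]
        $state  = if ($proto -eq 'TCP') { $f[3] } else { '-' }
        $procId = [int]$f[-1]                  # PID is always the last column
        $key = "$procId|$remote"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Win32_Process gives the executable path even for processes of other accounts;
        # Win32_Service tells us which services live in this PID (svchost hosts several).
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $procId" |
                ForEach-Object { $_.Name }

        New-Object PSObject -Property @{
            Time     = Get-Date -Format 'HH:mm:ss'
            Proto    = $proto
            Remote   = $remote
            State    = $state
            ProcId   = $procId
            Image    = if ($proc) { $proc.ExecutablePath } else { '(already exited)' }
            Services = ($svcs -join ',')
        } | Format-List
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

    Only TCP and UDP endpoints are visible this way (ICMPv6 never appears in netstat), and a connection that opens and closes inside one poll interval is missed, which is the likely reason TCPView and Port Explorer showed nothing.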
     
  9. Memory

    Memory Guest

    That would be strange, I installed with "Run as administrator", and then re-booted. But it doesn't matter really.
    I'll give TCPView a chance to help me out.

    Thanks for the suggestions so far everyone.
     
  10. Memory

    Memory Guest

    Stem, I have to change my pen name.
    I already tried TCPView before, with the same result as now (see post #3).
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Do you have all your applications in the LNS application filtering screen set to log, as they are off by default? You need to click to get the !! symbols next to the application you want to log. From the earlier log it was pointed out that only iTunes seemed to show an established connection, so it may be worth disabling each application or removing each application entry and trying to see which one (if any) is responsible for the entry.
    ellison
     
    Last edited: Jun 1, 2010
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    What progs do you have on startup? Can you review and maybe even post, if you feel like, the list of them (use MS Autoruns - Logon tab)?
     
  13. Memory

    Memory Guest

    I attached screen shots of the LnS App Filtering Window, and the Logon tab of MS Autoruns.
    If there are any more tabs you need to see, let me know.

    LnS_App_Filtering_Window_01-06-2010_21-16-36.png MS_SysInternals_Autoruns_01-06-2010_21-12-37.png
     
  14. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Leave IPv6 disabled.

    1. First let’s go to “Start” and then click on “Run”.

    2. When the Run box opens, just type in “services.msc” and press “OK”. Next the Services applet will load.

    3. Verify if WinHTTP Web Proxy Auto-Discovery Service is set to ”Disabled” or "Manual".

    4. Go to “Start” and then click on “Run”, type in “regedit” and press “OK”.

    Go to "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings".

    If you find any "dword" value with name "xxxxxProxy.xxx", delete it.

    Finally, restart your computer.
     
  15. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Looking at those on autostart, they don't seem like they would be using that .com. I know you used S&D but could you also scan with MBAM and maybe Gmer?
     
  16. Memory

    Memory Guest

    @sparviero:
    IPv6 off, and WinHTTP Web Proxy Auto-Discovery Service was set to Manual, and it was Started.
    And I couldn't find a "dword" value with name "xxxxxProxy.xxx". See screenshot below.

    @Cudni:
    Is it enough to scan just the hard disk with Windows 7 installed?
    And is it going to take long, or can I wait for it?
    If it is going to take long I will scan overnight.

    domainmanager.com_01-06-2010_22-44-20.png
     
  17. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    From "HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

    delete value

    AutoConfigProxy
    MigrateProxy
    ProxyEnable
    ProxyOverride

    restart
     
  18. Memory

    Memory Guest

    OK, now I see. Your mask value had a dot in it, and I didn't see any dword name with a suffix.

    What am I actually deleting, and is it reversible?

    EDIT: I already exported the registry key.
     
  19. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Yes do the main drive. Watch it for a bit before leaving it scanning (if you see it will take long)
     
  20. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Sorry, I forgot to say: before changing any reg. key, export that same key first.
     
  21. Memory

    Memory Guest

    @sparviero:
    I deleted the 4 proxy values, and rebooted. IPv6 is completely disabled as you suggested. Then I fired up Wireshark. I thought the problem was gone, because the 8 connects occur at 13-minute intervals, and I did not see anything happening in Wireshark, apart from the almost retarded router and repeater traffic. But after about 20 minutes I got to see what's in the Wireshark screen shot below. It looks like the program that is trying to connect also receives acknowledgments now from one of the IPs: 64.40.103.249.

    @Cudni:
    See the screenshots of GMER below. I do not think that it is compatible with Windows 7. It's not mentioned on the Gmer homepage either (up to Vista). I tried running it as my own user profile, and as administrator. Same results.
    I also tried their MBR rootkit detector (mbr.exe), and attached the mbr.log file: View attachment mbr.log
    I also ran their Userland rootkit detector (catchme.exe) but that just flashed a command window and nothing more. I also didn't get to see a Scan button as per the program's home page. So I opened a cmd window as administrator and called catchme.exe from the command line. Here is a screenshot of the output: http://i45.tinypic.com/28hfqd2.png (maximum of 5 attachments reached so uploaded externally). But I doubt if that is to be believed because I ran "sfc.exe /scannow" and the installation came out clean. I guess that this program is also not Windows 7 compatible.
    I will run MBAM later today, because it was quite late at the end of the GMER saga, and I forgot to install and run MBAM.

    Wireshark capture after the 4 proxy values were deleted from the registry:

    proxy_values_in_registry_deleted_02-06-2010_08-55-14.png



    GMER at startup :

    GMER_startup_error_02-06-2010_07-55-24.png

    GMER at scan start :

    GMER_error_at_scan_start_02-06-2010_08-04-00.png

    GMER end result :

    GMER_end_result_02-06-2010_08-08-54.png
     
  22. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Memory,

    Puhh, you are spending such a long time on this issue...
    Just do a backup and reinstall your OS ;)

    If you still speculate on malware that might have hit your machine, why don't you boot from an external medium, and do a scan of your hard drive from "outside"? These rootkits are pretty clever in hiding...
    There are a couple of free products out there to scan your machine before it can boot from its own hard disk.
    One example of a free scanner is here:
    <http://thepcsecurity.com/virus-scan-boot-disk-from-avira/>

    Good luck,
    Thomas :)
     
  23. Memory

    Memory Guest

    I hear what you are saying man. I have already made backups of the C drive, and was going to re-format. And it is indeed a long time spent on it. But I have this so-called long-time friend (since high school) who is hiding. Just read or re-read post #26 where I explain why I changed my mind.
     
  24. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    OK, now we know that your internet connection needs Proxy Auto-Discovery configuration files, "wpad.dat" files, that provide central administration for proxy connections to the Internet.
    DNS query for “wpad.<dns suffix>” ==> wpad.INTERNET.NET

    1. Go into your Firefox or IE or other browser settings and disable proxy autodetection. You probably don’t need it anyway, and it slows down your first page load. If you use a network that does require a proxy, find out what the proxy is and enter its settings manually.

    The only reason you wouldn’t be able to do this is if you are joined to a domain that sets this setting to On via domain Group Policy, or if you run the ISA Firewall Client with the option “Enable Web Browser Automatic Configuration” enabled (in which case you can just disable that setting, too.)

    Ex.
    Disable proxy settings in Firefox 3.x:

    • Select Tools and then Options.

    • Click the Advanced tab.

    • Open the Network tab.

    • Click the Settings button in the Connections area.

    • Select No Proxy.

    • Click OK.

    2. Make sure you do not have a machine registered as WPAD at each domain level, in both DNS and WINS.

    3. Open Network Connections by clicking the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

    4. Click the Networking tab. Under This connection uses the following items, click either Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6), and then click Properties.
    To specify IPv4 IP address settings, do one of the following:
    To obtain IP settings automatically, click Obtain an IP address automatically, and then click OK.
    To obtain a DNS server address automatically, click Obtain DNS server address automatically, and then click OK.

    5. To change DNS, WINS, and IP settings, click Advanced.
    Open DNS.
    If DNS server addresses exist ==> delete them.
    Open WINS.
    If WINS addresses exist ==> delete them.

    Restart.
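    The WPAD and proxy settings this post and the earlier registry posts walk through, gathered into one read-only audit script. This is an added example, not from the thread; it assumes the standard service name WinHttpAutoProxySvc, the standard value names under Internet Settings (the four from the thread plus AutoConfigURL and ProxyServer), and the documented layout of DefaultConnectionSettings.

```powershell
# Added example, not from the thread: audit the WPAD-related settings discussed
# above without changing anything. Works on Windows 7 / PowerShell 2.0.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. WinHTTP Web Proxy Auto-Discovery Service (service name WinHttpAutoProxySvc)
$svc = Get-WmiObject Win32_Service -Filter "Name = 'WinHttpAutoProxySvc'"
"WinHttpAutoProxySvc: state={0} startmode={1}" -f $svc.State, $svc.StartMode

# 2. Per-user proxy values: the four named in the thread, plus the two that
#    actually point at a PAC file or a proxy host
$names = 'AutoConfigProxy','MigrateProxy','ProxyEnable','ProxyOverride',
         'AutoConfigURL','ProxyServer'
$key = Get-ItemProperty -Path $inet
foreach ($n in $names) {
    $v = $key.PSObject.Properties[$n]
    if ($v) { "{0,-16} = {1}" -f $n, $v.Value } else { "{0,-16} (absent)" -f $n }
}

# 3. "Automatically detect settings" lives in the binary DefaultConnectionSettings:
#    the flags DWORD starts at byte 8, and bit 0x08 is auto-detect (WPAD).
$conn = Get-ItemProperty -Path "$inet\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings) {
    $flags = $conn.DefaultConnectionSettings[8]
    "Automatically detect settings (WPAD): " + (($flags -band 0x08) -ne 0)
}

# 4. Would the wpad.<dns suffix> lookup from the thread succeed on this machine?
#    A positive answer means some host is offering a proxy script for that suffix.
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
$suffixes = @($cfgs | ForEach-Object { $_.DNSDomain; $_.DNSDomainSuffixSearchOrder }) |
            Where-Object { $_ } | Sort-Object -Unique
foreach ($s in $suffixes) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses("wpad.$s") |
                 ForEach-Object { $_.IPAddressToString }
        "wpad.$s -> $($addrs -join ', ')   <-- a host answers WPAD for this suffix"
    } catch {
        "wpad.$s -> no record"
    }
}
```

    Export the Internet Settings key before acting on any finding, as sparviero notes earlier in the thread.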
     
  25. Memory

    Memory Guest

    sparviero, I checked all of it. Everything was already set as you suggested to check and/or set it.
     