219.145.179.103 in China on my system!

Discussion in 'Port Explorer' started by Fraha, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Pigitus

    Pigitus Guest

    Jookse,

    PE's Whois does resolve IP address correctly. You are right. But when you right click on a line in PE, choose "Resolve IP ... " and type the above IP in, then the "Host" line says: "Could not resolve IP address", though the "Country" line indicates "China". The "Host line" typically does a good job showing a detailed DNS under ARIN, but apparently not under APNIC as is the case here?
     
  2. Pigitus

    Pigitus Guest

    Fraha,

    I was wondering about the program name and path that caused this contact with China. PE can identify this program in the first column.

    Since PID is 4, are you saying that instead of a program name and file path you simply got "* SYSTEM" under the "Process column" ?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The resolve tries to find the DNS, and it looks like it is not sure.
    I see in resolving rather often addresses in China but could not resolve host, for instance or addresses in AU which are lots of time on apnic too.
    In this case the IP is on the Chinanet, but the node itself is in AU, so maybe this is a reason for Port Explorer to be uncertain and rather says it could not find it.
     
  4. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Jooske,

    Thanks for making the distinction between the IP and the node, and suggesting that PE's DNS resolution may be confused because it does not make the distinction. However, I think this whole thing about resolving the DNS should be improved in PE. Maybe PE ought to be able to distinguish between IP and node in order to be no longer confused.

    Therefore, I am sure you would agree that, in the spirit of improving the product, this comment should be passed on to DiamondCS. How best to do that? As a moderator, is it part of your tasks to send product-improvement suggestions to DiamondCS when they occur under your watch? Or do you think that I should do it? Or is someone else at Diamond watching, for sure, what we are writing about here and will automatically forward the suggestion to the PE programmer(s) ? Your answer here will be useful in the future, since this is my first day posting at Wilders.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Be assured the DiamondCs team is on the board frequently and will correct this if our conclusions are wrong and telling is where it is wrong or will applaud and tell us it will be on the worklist for improvements for a next version.
    I remember Gavin ever long ago told there is a difference between whois and resolving, but what it exactly was and where...... must be few years ago, can have been in teh TDS forum or in this, will be some searching :(
     
  6. Duncan_922

    Duncan_922 Guest

    They could be using a program like Anonymizer... It selects different proxies around the world to confuse and conceal your real IP. I'd be worried about that NWEReboot entry on your registry. One of my user's PC has been acting up lately and I found it too on the registry. A little research on google has turned up nothing. It seems to be something pretty new and nobody knows what it is.
     
  7. zero'z down

    zero'z down Guest

    try winipcfg release your ip wait for a bit and renew see if your still bothered
    turn off system restore then purge the restore directory
    run virus scan and or addaware spybot
    make sure all are up to date
    check your active x and script settings block 3rd party under options advanced infact remove java active x alltogether initialize trusted sites in iexplorer to minumum level and block untrusted sites check bootlog files and system install logs to see if programs bundled there software with unknown applications
    check odbc in ctrl pannel for suspicious additions check to see if your using signed drivers check date time stamps on software for newly added rogues
    if it just started type scanreg /restore and choose a time when your computer was running fine
    to find out what is accessing use a file dependency checker!!
     
  8. Mephisto

    Mephisto Guest

    I would tick these for removal in Hijack This:

    O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    Me personally, i wouldn't allow any sites into my Trusted Zone - very dangerous(IMO) free.aol.com is a spyware notorious for installing into your safe zones.

    O15 - Trusted Zone: www.anwb.nl
    O15 - Trusted Zone: http://www.diamond.com.au
    O15 - Trusted Zone: www.diamondcs.com.au
    O15 - Trusted Zone: http://www.devolkskrant.nl
    O15 - Trusted Zone: www.euro2004.com
    O15 - Trusted Zone: http://groups.msn.com
    O15 - Trusted Zone: www.nos.nl
    O15 - Trusted Zone: http://www.nos.nl
    O15 - Trusted Zone: http://www.nosnieuws.nl
    O15 - Trusted Zone: europe.real.com
    O15 - Trusted Zone: nl.sitestat.com
    O15 - Trusted Zone: www.tspeedtest.nl
    O15 - Trusted Zone: http://home.wanadoo.nl


    Some say this is an OK toolbar ... some say it's pending and some say it's spyware. I would keep my eyes on it.


    O15 - Trusted Zone: www.anwb.nl
    O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
    O9 - Extra button: ANWB (HKLM)
    O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342
    http://www.spywaredata.com/spyware/toolbar.php?status=
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,929
    Location:
    SW. Oklahoma
    just in case you are interested, this is the same ip address I was getting when I trialed foxmail. Here is what my NSASoft Whois brought up.
     

    Attached Files:

  10. Mephisto

    Mephisto Guest

    Get rid of these and your fine - tjis is a searchmaid infection.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
    O15 - Trusted Zone: www.euro2004.com
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.