How to know which program is connecting to domainmanager.com by IP ?

Discussion in 'LnS English Forum' started by Memory, May 27, 2010.

Thread Status:
Not open for further replies.
  1. Memory

    Memory Guest

    For some time now, I see this in my LnS log window (screenshot).
    It is the only message being logged. Thankfully LnS covered my butt with the mighty "All other packets" rule.
    I cannot find out which program is trying to connect to the net.

    Most of the time it is green.domainmanager.com=216.194.67.56.
    But it alternates between the following 3 IPs. But sometimes it is also a mix of green and ns1.
    There are lots of iffy sites hosted on these IP ranges.

    I get this additional but useless (to me) information from this site : http://whois.gwebtools.com/

    If only the Log window or the Packet's content window would show the originating program in a column, it would be easier.

    I already let Spybot S&D hump all 6 hard disks over night. But it congratulated me with the fact that nothing was found.
    I can only hope that this is harmless.

    So my question is whether there is a way to find out which program it is which is trying to connect ?

    http://i49.tinypic.com/nywa4p.png
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    see if MS TCPView gives you extra info you need
     
  3. Memory

    Memory Guest

    I downloaded and fired up TCPView.
    I have the LnS Log window open on the left, so I can see when the batch of 8 attempts is occurring. On the right I have the TCPview window opened (running as Administrator) and sorted by ascending Protocol. This places all TCP protocol connections at the top and in clear view. But when the 8 connection attempts occur, nothing happens in the TCPview window.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Another approach is to download and use Process Explorer, as it will, unlike TCPView, show connections owned by the system. Right click on an .exe you think might be communicating (including the system entry), then view the TCP/IP tab. I'm assuming no malware though.
     
  5. Memory

    Memory Guest

    OK, I will do that now.
    One thing which I forgot to mention is that when right after a (re)boot I open up the LnS Log window, I can already see the first 8 entries with connection attempts to domainmanager.com.
    I already disabled all unnecessary startup programs and rebooted a couple of times, but the connection attempts persist.
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Restart the computer and call the ‘Driver Logs’ on the ‘Look ‘n’ Stop Console’ screen; it should list applications that were recently active.

    DLL Filtering on Win32 may also help.
     
  7. Memory

    Memory Guest

    I did as Cudni suggested (right-click+properties+TCP-tab) on each exe in the window. But nothing with the IPs, or domainmanager.com domain names listed.
    It might have been "disguised" in IPv6 format though.

    Also just did what Phant0m suggested and rebooted.
    The output of the LnS "Console >> Driver Logs-button" (just after reboot) is here : http://i45.tinypic.com/dy5dhz.png
    The output of the LnS "Log window" (just after reboot) is here : http://i49.tinypic.com/250ng37.png
     
  8. Memory

    Memory Guest

    I did some further tests this morning.
    They are the 8 x "1 message Uplink" entries in the "Driver Logs".
    Always 8. And in 2 batches of 4, with a delay from a couple of seconds up to 1 minute between the first 4 and the second 4.
     
  9. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    DTaskManager is another little tool that could help you here. The "Ports" tab would help you to spot the process name (and its PID) using those connections. There is no need to install, it's a simple executable.

    (I mostly use AnVir Task Manager Pro for this but it's a multi-functional bigger gun to install.)
     
  10. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    91
    Check to see if your registry has a key with a sub directory titled 'domain manager'.
     
  11. Memory

    Memory Guest

    Tried with DTaskManager, but nothing happens visually when the 8 connection attempts occur: not for local IP 10.0.0.103 (my PC on the LAN) and not for local IP 127.0.0.1.
    I also do not see the IPs 216.194.67.56 and 64.40.103.249 anywhere in the remote IP column. Also all PID numbers show up as a dash. Everywhere.

    I scanned the registry as Administrator and my own user id, but all that comes up are these matches :
     
  12. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    When the connection attempts occur, run a cmd console as administrator and do the netstat -anb command, or netstat 3 -anb > C:\netstat.log
    An interval of 3 seconds is saved in C:\netstat.log; press CTRL+C to stop.
     
    Last edited: May 28, 2010
  13. Memory

    Memory Guest

    The current remote IP is still "green.domainmanager.com=216.194.67.56" in the LnS Log window.

    I tried many times with netstat -abn. But I do not see any of the offending remote IPs.
    Then I tried with netstat -abno 1 > C:\netstat1.log, followed by netstat -abno 1 > C:\netstat2.log
    netstat1.log = first 4 connection attempts, netstat2.log = second 4 connection attempts.

    I think that it has to do with the offending connects being Protocol 41 : IPv6 (encapsulation). See the screen shot in the OP.

    View attachment netstat1.log
    View attachment netstat2.log
     
  14. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Your *.log files show only 127.0.0.1 connections ESTABLISHED by [AppleMobileDeviceService.exe], no active internet connections.

    Try to find the domain name with netstat 3 -abf > C:\netstat.log, and surf.
     
  15. Memory

    Memory Guest

    I'm under the impression that it has nothing to do with surfing or a browser. The protocol 41 (IPv6 address in an IPv4 packet) will never show the true contents of the packet with netstat.
    Like I posted earlier. The entries are already there right after logging in. The first thing I do after hitting Enter on the log in screen, is open up LnS to check the log. And each time the entries are already there.
    None of the browsers I use has permanent access to the internet, they always have to ask the first time they are fired up.
    I also tried the following. Start up the PC, and let it sit at the log in screen for 30 minutes. To check if the connection attempts also occur before log in. But the first 4, then next 4 entries are always logged with the log in time.
    So it is happening after/at log in. Unless LnS only protects, but does not log to the Console and Log windows, before the User is logged in.

    Netstat log for "netstat 3 -abf > C:\netstat.log" attached.
    The remote IP and domain name, have changed to ns1.domainmanager.com=64.40.103.249. See screen shots.

    I'll probably just reformat.

    View attachment netstat.log


    ns1_domainmanager.com_29-05-2010_08-05-12.png
    ns1.domainmanager.com_29-05-2010_08-17-50.png
     
    Last edited by a moderator: May 29, 2010
  16. Memory

    Memory Guest

    I was just now going to backup my files before the reformat. Did a quick check of the LnS log window. And I noticed that the remote IP and domain had changed into : 66-226-75-118.dedicated.abac.ne=66.226.75.118, still protocol 41, and type IP.
    It should be : 66-226-75-118.dedicated.abac.net=66.226.75.118 though. Either LnS is dropping the 't', or is it done purposely by "the other side" ?
    There's mostly pr0n cr.p hosted on that IP:
    http://www.myipneighbors.net/?s=66.226.75.118
    Because I'm pretty determined now to find a fix for this pr0n cr.p, any new ideas before I do the format ?
    Continuing with the backup now.

    EDIT: Forgot the screenshots:

    66-226-75-118.dedicated.abac.ne=66.226.75.118_31-05-2010_06-07-59-small.png 66-226-75-118.dedicated.abac.ne=66.226.75.118_31-05-2010 06-10-46.png
     
    Last edited by a moderator: May 31, 2010
  17. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
  18. Memory

    Memory Guest

    No, just checked. See screen shot.
    I double checked with notepad and did a find in the file for the domains and IPs. Nothing found.

    The block of IPs 10.0.0.170 - 179 is reserved for my Linux VMware VMs.
    They were added after the problem started.

    Spybot S&D was installed only recently and added all those cr.p sites to the hosts file.

    I do not think that the hosts file is involved because the traffic is of type IP, the other way around. So no domain name is known on my PC. I think that LnS resolves the IP to a domain name before it logs it. On top of that it is also of Protocol 41, an IPv6 IP in an IPv4 packet. So I do not know if the IPs which are shown in the log are the ones we should be looking for.

    If only LnS would list the originating program, or PID in the log. But that is just whingeing on my part, mumble, mumble.

    Start_of_hosts_31-05-2010_15-27-41.png
     
  19. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
  20. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    It's using Teredo. If you want to turn off the tunnel, you simply must delete it. Then create it again if you need it.

    Use the netsh interface to see the syntax of the commands. cmd ==> netsh int ipv6 help is a good starting point.
     
  21. Memory

    Memory Guest

    @ellison64:
    Say I have installed Wireshark. Then what should I do ?
    Sorry, I do not know the program, only heard of it.


    @sparviero:
    I opened a cmd-window as Administrator, and checked with ipconfig /all whether there were any weird/new Tunnel adapters, and if they were connected. Just the usual 4 tunnel adapters and the first one listed was connected.

    Then, at the time the connection attempts occurred, I issued the ipconfig /all command a few times quickly. Nothing had changed.

    Then I issued "netsh interface ipv6 reset" to kill any user specified settings. But I received this message in response to the command : "There's no user specified settings to be reset." I re-booted anyway.

    After the re-boot I disabled Teredo Tunneling with "netsh interface teredo set state disabled" and received "Ok." in response.

    I checked the state of the Teredo server : netsh interface teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type : disabled
    Server Name : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port : unspecified
    State : offline
    Error : client is in a managed network

    Then I waited to see if the connections would re-occur. They did. So I re-booted.

    After the re-boot, and straight after the login, I went straight into LnS to display the Log window. But I could already see the first batch of 4 connection attempts.

    So I re-enabled Teredo with "netsh interface teredo set state default" and received "Ok." in response.

    I checked the state of the Teredo server : netsh interface teredo show state
    Teredo Parameters
    ---------------------------------------------
    Type : client
    Server Name : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port : unspecified
    State : offline
    Error : client is in a managed network
     
  22. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Press Ctrl+I.
    This will open a list of available network interfaces. Click on the Start button next to the one on which you see packets being logged.
     
  23. Memory

    Memory Guest

    Hey, thanks for your answer.
    I was caught up in another tab.
    Will get to it.
     
  24. Memory

    Memory Guest

    OK. Yesterday, after I posted, it was quite late so I downloaded WireShark this morning.

    I attached screen shots of the WireShark capture, and the LnS Log Window.
    The 8 blue "Router Solicitation" lines in the WireShark capture correspond to the 8 log entries at the top in the LnS Log window ( U-32 - U-39 ). And also to the 8 "1 message Uplink" entries at the bottom in the LnS Console window.

    I selected the first occurrence of the "Router Solicitation" lines, to make the "Internet Protocol" in the window below it expand.
    No surprises here, and still not the source of the connection attempts.

    ns1.domainmanager.com_WireShark_01_01-06-2010 10-48-17.png ns1.domainmanager.com_WireShark_LnS_01_01-06-2010 10-44-20.png
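The netstat commands suggested earlier in the thread list TCP and UDP sockets, so a protocol 41 packet (IPv6 carried inside IPv4, which is what the Wireshark capture above shows with its Router Solicitation lines) never appears in them. The decoder below is added here and is not from the thread or from Look 'n' Stop; it unwraps such a packet and names the inner ICMPv6 message. The sample packet and its addresses are constructed placeholders from documentation ranges, not the IPs discussed in this thread.

```python
import socket
import struct

# ICMPv6 message types relevant to the Router Solicitation seen in the capture.
ICMPV6_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
                135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}

def decode_ipv4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header; return protocol, addresses and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    return {"proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "payload": pkt[ihl:]}

def decode_proto41(pkt: bytes) -> dict:
    """Unwrap IPv6-in-IPv4 (IP protocol 41) and classify the inner ICMPv6 message."""
    outer = decode_ipv4(pkt)
    if outer["proto"] != 41:
        raise ValueError(f"outer protocol is {outer['proto']}, not 41")
    inner = outer["payload"]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    next_hdr = inner[6]                            # IPv6 Next Header field
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"],
              "inner_src": socket.inet_ntop(socket.AF_INET6, inner[8:24]),
              "inner_dst": socket.inet_ntop(socket.AF_INET6, inner[24:40]),
              "next_header": next_hdr}
    if next_hdr == 58 and len(inner) >= 48:       # 58 = ICMPv6
        icmp_type = inner[40]
        result["icmpv6"] = ICMPV6_TYPES.get(icmp_type, f"type {icmp_type}")
    return result

def build_sample() -> bytes:
    """Constructed sample: IPv4(proto 41) > IPv6 > ICMPv6 Router Solicitation.
    Addresses are placeholders (RFC 5737 / link-local), not the thread's IPs."""
    rs = struct.pack("!BBHI", 133, 0, 0, 0)        # type 133, code 0, cksum, reserved
    ip6 = struct.pack("!IHBB", 0x60000000, len(rs), 58, 255)  # ver 6, len, nh, hop limit
    ip6 += socket.inet_pton(socket.AF_INET6, "fe80::1")       # link-local source
    ip6 += socket.inet_pton(socket.AF_INET6, "ff02::2")       # all-routers multicast
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(rs), 0, 0,
                      128, 41, 0, socket.inet_aton("192.0.2.2"),
                      socket.inet_aton("198.51.100.1"))
    return ip4 + ip6 + rs

if __name__ == "__main__":
    print(decode_proto41(build_sample()))
```

A packet like this is an IPv6 control message, not a socket owned by a process, which is why TCPView, netstat and DTaskManager showed nothing while the firewall and Wireshark did.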
     
  25. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Try to disable all IPv6 components, except the IPv6 loopback interface.
    (Type 0xffffffff) This value also configures Windows to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.

    http://support.microsoft.com/kb/929852#appliesto
     