How to know which program is connecting to domainmanager.com by IP ?

For some time now, I see this in my LnS log window (screenshot).
It is the only message being logged. Thankfully LnS covered my butt with the mighty "All other packets" rule.
I cannot find out which program is trying to connect to the net.

Most of the time it is green.domainmanager.com=216.194.67.56.
But it alternates between the following 3 IPs. But sometimes it is also mix of green and ns1.

There are lots of iffy sites hosted on these IP ranges.

I get this additional but useless (to me) information from this site : http://whois.gwebtools.com/

If only the Log window or the Packet's content window would show the originating program in a column, it would be easier.

I already let Spybot S&D hump all 6 hard disks over night. But it congratulated me with the fact that nothing was found.
I can only hope that this is harmless.

So my question is whether there is a way to find out which program it is which is trying to connect ?

http://i49.tinypic.com/nywa4p.png

 

see if MS TCPView gives you extra info you need

 

I downloaded and fired up TCPView.
I have the LnS Log window open on the left, so I can see when the batch of 8 attempts is occurring. On the right I have the TCPview window opened (running as Administrator) and sorted by ascending Protocol. This places all TCP protocol connections at the top and in clear view. But when the 8 connection attempts occur Nothing happens in the TCPview window.

 

another approach is to download and use Process Explorer as it will unlike tcpview show connections owned by the system. Right click on an .exe you think might be communicating (including system entry) then view tcp/ip tab. I'm assuming no malware though.

 

OK, I will do that now.
One thing which I forgot to mention is that when right after a (re)boot I open up the LnS Log window, I can already see the first 8 entries with connection attempts to domainmanager.com.
I already disabled all unnecessary startup programs and rebooted a couple of times, but the connnection attempts persist.

 

Restart the computer and call the ‘Driver Logs’ on the ‘Look ‘n’ Stop Console’ screen, should list applications that was recently active.

DLL Filtering on Win32 may also help.

 

I did as Cudni suggested (right-click+properties+TCP-tab) on each exe in the window. But nothing with the IPs, or domainmanager.com domain names listed.
It might have been "disguised" in IPv6 format though.

Also just did what Phant0m suggested and rebooted.
The output of the LnS "Console >> Driver Logs-button" (just after reboot) is here : http://i45.tinypic.com/dy5dhz.png
The output of the LnS "Log window" (just after reboot) is here : http://i49.tinypic.com/250ng37.png

 

I did some further tests this morning.
It are the 8 x "1 message Uplink" entries in the "Driver Logs".
Always 8. And in 2 batches of 4, with a delay from a couple of seconds upto 1 minute between the first 4 and the second 4.

 

DTaskManager is another little tool that could help you here. The "Ports" tab would help you to spot the process name (and its PID) using those connections. There is no need to install, it's a simple executable.

(I mostly use AnVir Task Manager Pro for this but it's a multi-functional bigger gun to install.)

 

Check to see if your registry has a key with a sub directory titled 'domain manager'.

 

Tried with DTaskManager, but nothing happens visually when the 8 connection attempts occur. not for local IP 10.0.0.103 (my PC on the LAN) and not for local IP 127.0.0.1.
I also do not see the IPs 216.194.67.56 and 64.40.103.249 anywhere in the remote IP column. Also all PID numbers show up as a dash. Everywhere.

I scanned the registry as Administrator and my own user id, but all that comes up are these matches :

 

When connection attempts run cmd console as administrator, and do netstat -anb command, or netstat 3 -anb > C:\netstat.log
Interval of 3 second saved in C:\netstat.log, to disable CTRL+C

 

The current remote IP is still "green.domainmanager.com=216.194.67.56" in the LnS Log window.

I tried many times with netstat -abn. But I do not see any of the offending remote IPs.
Then I tried with netstat -abno 1 > C:\netstat1.log, followed by netstat -abno 1 > C:\netstat2.log
netstat1.log = first 4 connection attempts, netstat2.log = second 4 connection attempts.

I think that it has to do with the offending connects being Protocol 41 : IPv6 (encapsulation). See the screen shot in the OP.

View attachment netstat1.log
View attachment netstat2.log

 

Your *.log show only 127.0.0.1 connections ESTABLISHED by [AppleMobileDeviceService.exe], no active internet connections.

Try to find domain name with netstat 3 -abf > C:\netstat.log , and surf.

 

I'm under the impression that it has nothing to do with surfing or a browser. The protocol 41 (IPv6 address in a IPv4 packet) will never show the true contents of the package with netstat.
Like I posted earlier. The entries are already there right after logging in. The first thing I do after hitting Enter on the log in screen, is open up LnS to check the log. And each time the entries are already there.
None of the browsers I use has permanent access to the internet, they always have to ask the first time they are fired up.
I also tried the following. Start up the PC, and let it sit at the log in screen for 30 minutes. To check if the connection attempts also occur before log in. But the first 4, then next 4 entries are always logged with the log in time.
So it is happening after/at log in. Unless LnS only protects, but does not log to the Console and Log windows, before the User is logged in.

Netstat log for "netstat 3 -abf > C:\netstat.log" attached.
The remote IP and domain name, have changed to ns1.domainmanager.com=64.40.103.249. See screen shots.

I'll probably just reformat.

View attachment netstat.log

 

I was just now going to backup my files before the reformat. Did a quick check of the LnS log window. And I noticed that the remote IP and domain had changed into : 66-226-75-118.dedicated.abac.ne=66.226.75.118, still protocol 41, and type IP.
It should be : 66-226-75-118.dedicated.abac.net=66.226.75.118 though. Either LnS is dropping the 't', or is it done purposely by "the other side" ?
There's mostly pr0n cr.p hosted on that IP :

Code:

http://www.myipneighbors.net/?s=66.226.75.118

Because I'm pretty determined now to find a fix for this pr0n cr.p, any new ideas before I do the format ?
Continuing with the backup now.

EDIT: : Forgot the screenshots :

 

Just wondering whether its anything to do with hosts file?...similar to the problem i had.Post 9 gives the fix...
https://www.wilderssecurity.com/showthread.php?t=265634
ellison

 

No, just checked. See screen shot.
I double checked with notepad and did a find in the file for the domains and IPs. Nothing found.

The block of IPs 10.0.0.170 - 179 is reserved for my Linux VMware VMs.
They were added after the problem started.

Spybot S&D was installed only recently and added all those cr.p sites to the hosts file.

I do not think that the hosts file is involved because the traffic is of type IP, the otherway around. So no domain name is known on my PC. I think that LnS resolves the IP to a domain name before it logs it. On top of that it is also of Protocol 41, an IPv6 IP in a IPv4 packet. So I do not know if the IPs which are shown in the log are the ones we should be looking for.

If only LnS would list the originating program, or PID in the log. But that is just whingeing on my part, mumble, mumble.

 

Maybe try a packet sniffer like wireshark?.It might show a bit more info.
http://www.wireshark.org/
ellison

 

It using teredo. If you want to turn off the tunnel, you simply must delete it. Then create it again if you need it.

Use the netsh interface to see the syntax of the commands. cmd ==> netsh int ipv6 help is a good starting point.

 

@ellison64:
Say I have installed Wireshark. Then what should I do ?
Sorry, I do not know the program, only heard of it.


@sparviero:
I opened a cmd-window as Administrator, and checked with ipconfig /all whether there were any weird/new Tunnel adapters, and if they were connected. Just the usual 4 tunnel adapters and the first one listed was connected.

Then, at the time the connection attempts occurred, I issued the ipconfig /all command a few times quickly. Nothing had changed.

The I issued "netsh interface ipv6 reset" to kill any user specified settings". But I received this message in response to the command : "There's no user specified settings to be reset." I re-booted anyway.

After the re-boot I disabled Teredo Tunneling with "netsh interface teredo set state disabled" and received "Ok." in response.

I checked the state of the Teredo server : netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : disabled
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network

Then I waited to see if the connections would re-occur. They did. So I re-booted.

After the re-boot, and straight after the login, I went straight into LnS to display the Log window. But I could already see the first batch of 4 connection attempts.

So I re-enabled Teredo with "netsh interface teredo set state default" and received "Ok." in response.

I checked the state of the Teredo server : netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : offline
Error : client is in a managed network

 

press Ctrl+i
this will open a list of available network interfaces. Click on Start button next to the one that you see packets being logged

 

Hey, thanks for your answer.
I was caught up in another tab.
Will get to it.

 

OK. Yesterday, after I posted, it was quite late so I downloaded WireShark this morning.

I attached screen shots of the WireShark capture, and the LnS Log Window.
The 8 blue "Router Sollicitation" lines in the WireShark capture, correspond to the 8 log entries at the top in the LnS Log window ( U-32 - U-39 ). And also to the 8 "1 message Uplink" entries at the bottom in the LnS Console window.

I selected the first occurrence of the "Router Sollicitation" lines, to make the "Internet Protocol" in the window below it expand.
No surprises here, and still not the source of the connection attempts.

 

Try to disable all IPv6 components, except the IPv6 loopback interface.
(Type 0xffffffff) This value also configures Windows to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.

http://support.microsoft.com/kb/929852#appliesto