lsass.exe Protocol: 41 (ipv6) to 92.242.144.10

[Guest]

[skeil909]

I blocked this outbound connection when it popped up this morning after logging into my PC. The only program I installed yesterday was the new Champions Online Beta from FilePlanet. I had rebooted several times during and since the install and not seen this message before. There are no additional (visible) services or applications running during or after boot up.

File Info: (looks normal)
c:\windows\system32\lsass.exe
Last modified: Tuesday, ‎April ‎21, ‎2009, ‏‎10:38:11 PM
Size: 30.5 KB (31,232 bytes)

That IP address comes up as:
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL

Any ideas what this is or what it's for?

[Toggie]

Welcome to the forum skeil909.

Lsass.exe is the Local Security service and is usually ok, although there are rogues. Make sure this is the genuine article.

Protocol 41 is used by IPv6, see my post here:

Re: Windows Vista NOT completely safe with CIS (IPv6).

[Creasy]

I blocked this outbound connection when it popped up this morning after logging into my PC. The only program I installed yesterday was the new Champions Online Beta from FilePlanet. I had rebooted several times during and since the install and not seen this message before. There are no additional (visible) services or applications running during or after boot up.

File Info: (looks normal)
c:\windows\system32\lsass.exe
Last modified: Tuesday, ‎April ‎21, ‎2009, ‏‎10:38:11 PM
Size: 30.5 KB (31,232 bytes)

That IP address comes up as:
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL

Any ideas what this is or what it's for?

Your IP look up is wrong.
Actual information for the IP is.

92.242.128.0 - 92.242.159.255
UK-BAREFRUIT-20071227
BAREFRUIT-AS Barefruit Ltd Autonomous System
country:UK

Don't worry.
It not an attack, you can allow it.
Because your ISP use "http://www.barefruit.co.uk/" DNS and HTTP service.
92.242.144.10 belongs to http://www.barefruit.co.uk/
Visit barefruit website. You will see what kind of service they provide.
You can call your ISP. They will say samething like me.

[Toggie]

If you use Comodos DNS servers, it's quite likely you will see redirects to Barefruit on occasion. The reason for this is they offer a service that replaces the usual 404 message with something more informative.

[skeil909]

Your IP look up is wrong.
Actual information for the IP is.

92.242.128.0 - 92.242.159.255
UK-BAREFRUIT-20071227
BAREFRUIT-AS Barefruit Ltd Autonomous System
country:UK

Networksolutions.com appears to be giving incorrect data.

[ediabid]

Networksolutions.com appears to be giving incorrect data.

This link to http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=92.242.144.10&submit.x=4&submit.y=5&submit=Search

gives the correct data. 

[frusty]

If you use Comodos DNS servers, it's quite likely you will see redirects to Barefruit on occasion. The reason for this is they offer a service that replaces the usual 404 message with something more informative.

  can you, or anyone, tell me why spoolsv.exe would be trying to connect there (92.242.144.10:xxx) when I attempt to print something from my computer?  That's what the firewall is telling me it's doing.  I haven't used my printer (Brother MFC 420CN) since before I recently updated Comodo Firewall and now I can't print or scan.  The printer's installation diagnostic software states it's installed correctly but unable to communicate.  I tried complete uninstall and reinstall of the printer software. 

Interestingly enough, I uninstalled and reinstalled CF BEFORE having this problem.  I thought it was kind of strange that it hadn't updated in a while and when I tried to manually update via the program, I got error messages.  Like I said, I uninstalled, ran CCleaner and DL'd it again.  Am I going to have to do uninstall-reinstall again? 

In any case, I still don't see why that should have to do with the spool server trying to route to breadfruit's site.

Please help before I go bald from pulling my hair out!   

oh, also FWIW I am only using the firewall not Comodo's antivirus.  I have avast AV.

[Toggie]

Welcome to the forum frusty.

I'd hazard a guess and suggest this is something to do with IPP (Internet Printing Protocol) which has been supported under Windows since XP, I think.

It's generally possible to disable this, so it's a way of checking. Which flavour of the OS are you using?

[frusty]

Welcome to the forum frusty.

I'd hazard a guess and suggest this is something to do with IPP (Internet Printing Protocol) which has been supported under Windows since XP, I think.

It's generally possible to disable this, so it's a way of checking. Which flavour of the OS are you using?

I'm using XP SP3

[Toggie]

I'm using XP SP3

If you're using XP Pro you have two methods at your disposal, if not you'll have to use the registry method.

Take look here:

http://technet.microsoft.com/en-us/library/bb490831.aspx

[jaeger-k]

Your IP look up is wrong.
Actual information for the IP is.

92.242.128.0 - 92.242.159.255
UK-BAREFRUIT-20071227
BAREFRUIT-AS Barefruit Ltd Autonomous System
country:UK

Don't worry.
It not an attack, you can allow it.
Because your ISP use "http://www.barefruit.co.uk/" DNS and HTTP service.
92.242.144.10 belongs to http://www.barefruit.co.uk/
Visit barefruit website. You will see what kind of service they provide.
You can call your ISP. They will say samething like me.

Thanks for this info, was effective for me too!
jk

[CTS_AE]

My screen saver was trying to connect to 92.242.144.10 on port 41
Now tell me why does
Windows\System32\Ribbons.scr need to connect to the internet?

odd thing though, is that this apparently seems to be comodo specific :\

[jay2007tech]

based on this
http://www.techspot.com/vb/topic149687.html
sounds like you got a MBR rootkit

I'd strongly would follow the steps in there

[HateBarefruit]

Since installing Comodo I have had several odd alerts regarding audiodg attempting to connect to Barefruit ip's

I've just blocked Barefruit's ip range.

This seems odd as hell to me that random programs would (for no apparent reason) attempt to connect...


~WDB

[Radaghast]

Unfortunately, the description of Audiodg.exe doesn't exactly provide many clues as to its function. Essentially, this system process loads in the context of svchost and provides isolation of third-party audio drivers and DRM processing. It also provides access to kernel mode components.

Barefruit is a company that works with DNS providers to display targeted advertising through landing pages, instead of the usual HTTP/DNS error pages. If I remember correctly, this company is used by UltraDNS who used to host Comodos DNS services - Comodo now have their own DNS services. 

To try and understand why you're seeing these connections, we'd need, if possible, a little more information, such as the IP address involved in the query, assuming it's not just barefruit. The type of audio software in use and whether it's using DRM.

[Tags:]