lsass.exe Protocol: 41 (ipv6) to 92.242.144.10

skeil909 · August 18, 2009, 4:36pm

I blocked this outbound connection when it popped up this morning after logging into my PC. The only program I installed yesterday was the new Champions Online Beta from FilePlanet. I had rebooted several times during and since the install and not seen this message before. There are no additional (visible) services or applications running during or after boot up.

File Info: (looks normal)
c:\windows\system32\lsass.exe
Last modified: Tuesday, ‎April ‎21, ‎2009, ‏‎10:38:11 PM
Size: 30.5 KB (31,232 bytes)

That IP address comes up as:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

Any ideas what this is or what it’s for?

system · August 18, 2009, 4:45pm

Welcome to the forum skeil909.

Lsass.exe is the Local Security service and is usually ok, although there are rogues. Make sure this is the genuine article.

Protocol 41 is used by IPv6, see my post here:

Re: Windows Vista NOT completely safe with CIS (IPv6).

Creasy · August 19, 2009, 11:13am

Your IP look up is wrong.
Actual information for the IP is.

92.242.128.0 - 92.242.159.255
UK-BAREFRUIT-20071227
BAREFRUIT-AS Barefruit Ltd Autonomous System
country:UK

Don’t worry.
It not an attack, you can allow it.
Because your ISP use “http://www.barefruit.co.uk/” DNS and HTTP service.
92.242.144.10 belongs to http://www.barefruit.co.uk/
Visit barefruit website. You will see what kind of service they provide.
You can call your ISP. They will say samething like me.

system · August 19, 2009, 11:28am

If you use Comodos DNS servers, it’s quite likely you will see redirects to Barefruit on occasion. The reason for this is they offer a service that replaces the usual 404 message with something more informative.

skeil909 · August 19, 2009, 5:06pm

Networksolutions.com appears to be giving incorrect data.

ediabid · August 25, 2009, 3:09am

This link to http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=92.242.144.10&submit.x=4&submit.y=5&submit=Search

gives the correct data.

frusty · September 9, 2009, 7:01am

??? can you, or anyone, tell me why spoolsv.exe would be trying to connect there (92.242.144.10:xxx) when I attempt to print something from my computer? That’s what the firewall is telling me it’s doing. I haven’t used my printer (Brother MFC 420CN) since before I recently updated Comodo Firewall and now I can’t print or scan. The printer’s installation diagnostic software states it’s installed correctly but unable to communicate. I tried complete uninstall and reinstall of the printer software.

Interestingly enough, I uninstalled and reinstalled CF BEFORE having this problem. I thought it was kind of strange that it hadn’t updated in a while and when I tried to manually update via the program, I got error messages. Like I said, I uninstalled, ran CCleaner and DL’d it again. Am I going to have to do uninstall-reinstall again?

In any case, I still don’t see why that should have to do with the spool server trying to route to breadfruit’s site.

Please help before I go bald from pulling my hair out! ;D

oh, also FWIW I am only using the firewall not Comodo’s antivirus. I have avast AV.

system · September 9, 2009, 7:19am

Welcome to the forum frusty.

I’d hazard a guess and suggest this is something to do with IPP (Internet Printing Protocol) which has been supported under Windows since XP, I think.

It’s generally possible to disable this, so it’s a way of checking. Which flavour of the OS are you using?

frusty · September 9, 2009, 5:11pm

I’m using XP SP3

system · September 10, 2009, 12:54am

I'm using XP SP3

If you’re using XP Pro you have two methods at your disposal, if not you’ll have to use the registry method.

Take look here:

jaeger-k · March 21, 2010, 9:33pm

Thanks for this info, was effective for me too!
jk

CTS_AE · December 6, 2010, 4:22am

My screen saver was trying to connect to 92.242.144.10 on port 41
Now tell me why does
Windows\System32\Ribbons.scr need to connect to the internet?

odd thing though, is that this apparently seems to be comodo specific :\

jay2007tech · December 8, 2010, 11:29pm

based on this

sounds like you got a MBR rootkit :-[

I’d strongly would follow the steps in there

HateBarefruit · November 26, 2011, 7:01pm

Since installing Comodo I have had several odd alerts regarding audiodg attempting to connect to Barefruit ip’s

I’ve just blocked Barefruit’s ip range.

This seems odd as hell to me that random programs would (for no apparent reason) attempt to connect…

~WDB

Radaghast · November 26, 2011, 9:09pm

Unfortunately, the description of Audiodg.exe doesn’t exactly provide many clues as to its function. Essentially, this system process loads in the context of svchost and provides isolation of third-party audio drivers and DRM processing. It also provides access to kernel mode components.

Barefruit is a company that works with DNS providers to display targeted advertising through landing pages, instead of the usual HTTP/DNS error pages. If I remember correctly, this company is used by UltraDNS who used to host Comodos DNS services - Comodo now have their own DNS services.

To try and understand why you’re seeing these connections, we’d need, if possible, a little more information, such as the IP address involved in the query, assuming it’s not just barefruit. The type of audio software in use and whether it’s using DRM.