unrecognized IP address found on network shield (HELP)

[loraine2000]

Getting this out of the way first: I'm not at all computer savvy.

I run the free antivirus. Today I took a quick look at the network shield and noticed that one of the analyzed connections included the IP address 194.159.36.174, which I traced to Demon Internet in Britain. I don't have any connection to this ISP that I know of; I looked it up on McAfee siteadvisor and saw that demon.net is linked to bbc.co.uk. Under the "latest headlines" tab in firefox are a bunch of BBC rss links. Could this be the culprit? The  problem with this is that I don't know if I was currently using the internet at the time when I saw the IP address on the network shield.

A site that's also come up is dmoz.org, which as far as I can tell is benevolent, though I'm not sure. Is there any way I could look at the network shield history for a list of all connections that have been made?

I use the McAfee firewall, the setting is "Stealth" and I've banned the 194.159.36.0 IP range for now. Avast hasn't detected anything, and neither has McAfee. Should I be worried?

[ryan556]

If you believe you are infected and are getting pup ups. you should run malwarebyte's antimalware or superantispyware.
They are both free applications only run the free version not the paid.

www.malwarebytes.com www.superantispyware.com

Try running malwarebyte's full scan first and see what it detects and quarantine any infections. You do not want to delete any files they might be false positive's.  

[DavidR]

Yes the RSS is likely to be the culprit as it has to visit the sites you are subscribed to in order to get the latest feeds, etc.

The network shield will monitor all access to the IPs/domains to prevent you arriving at a site on its malicious sites list.

So I feel there is no need to ban any IP range, unless you have a reason to think there is something not as it should be.

[loraine2000]

I hope. But then I wonder what BBC and Demon Internet have to do with each other...is a script belonging to demon.net embedded on some parts of the BBC website? And why would it be, if it's just an ISP?

I regret not writing down the entire connection, so I hope I'm not remembering this incorrectly, but the IP address had -.in tacked onto the end of it, if I'm right. Is that significant in any way?

@ryan556: I haven't noticed any pop ups and avast hasn't detected any pups. My computer slows down up for a bit once in a while but I'm sure that's because McAfee and Avast are constantly in conflict with each other. Should I run malwarebytes anyway?

EDIT: it's just popped up again: the full connection is dns://194.159.36.174.in-addr-arpa.

[ryan556]

loraine2000 yes you should run malwarebytesfull scan it will update by it's self.
If their's anything their malwarebytes should find it.

[DavidR]

I hope. But then I wonder what BBC and Demon Internet have to do with each other...is a script belonging to demon.net embedded on some parts of the BBC website? And why would it be, if it's just an ISP?

I regret not writing down the entire connection, so I hope I'm not remembering this incorrectly, but the IP address had -.in tacked onto the end of it, if I'm right. Is that significant in any way?

<snip>

EDIT: it's just popped up again: the full connection is dns://194.159.36.174.in-addr-arpa.

As I said avast will intercept all IP and DNS connections also so that it can first check the domain isn't on the list of malicious sites, so it is doing its job as it should.

Demon is pretty big and could well be the host for a large number of services/sites (see image), so it is hard to say exactly what it is and you might be blocking a lot of hosted sites.

The in-arpa is a function to convert an IP address back into a more readable domain name, see http://en.wikipedia.org/wiki/.arpa and http://freesoft.org/CIE/Course/Section2/15.htm. So I'm not sure if there is anything untoward going on.

[loraine2000]

Ok, that's reassuring then. Because Demon's a British ISP I'd never heard of it before, it sent me into a bit of a panic...

I am still hesitant to run malwarebytes, though it's a valuable resource...I don't know how well McAfee and Avast would respond to it.

[Saty]

no worries~grin~

  malwarebytes works fine with Avast, and with your Mcafee firewall I assume all you need to do is allow it when the popup comes up.



Sats

[DavidR]

Ok, that's reassuring then. Because Demon's a British ISP I'd never heard of it before, it sent me into a bit of a panic...

I am still hesitant to run malwarebytes, though it's a valuable resource...I don't know how well McAfee and Avast would respond to it.

Just look at my signature, the free version of MBAM is on-demand and works just fine with avast (as does the paid version which has resident protection).

[loraine2000]

@all: installed it. Doesn't seem to clash with anything and looks like it works well. It hasn't found anything and I'm honestly shocked...guessed being fanatically diligent and using firefox/noscript/avast has paid off.

Thanks for everything!

[DavidR]

No problem, glad I could help.

Welcome to the forums.

[loraine2000]

Hmmm, was just taking a peek at the network shield again when I saw dns://154.97.85.70.in-addr.arpa. Traced it to AfriNIC (http://en.wikipedia.org/wiki/AfriNIC) which doesn't seem like something to worry about, but I was not using the internet at the time. I was running Malwarebytes, Microsoft Word, and Avast. Is this worrying?

When I queried this at afrinic.net, part of the description read:

 AfriNIC - www.afrinic.net
descr:          Allocation for Africa - This block is in use
descr:          by AfriNIC for allocating/assigning to networks
descr:          in the AfriNIC service region.
descr:          More information - whois.afrinic.net.
descr:          Abuse - please querry the whois db for the
descr:          contacts of the assigned/allocated prefix.

I've got no idea what this actually means. As I said, not computer savvy in the least. I'm guess the IP was assigned by afrinic, but to who? I originally thought that it meant that the IP was traced to somebody FROM afrinic headquarters. But I don't think that's the case.

Please assist. I could be making a mountain out of a molehill but I'm alarmed to say in the least. This IP address has popped up three times on the network shield, now. I can't figure out what it has to do with me, and if it's internet-related, why did it show up on the network shield when I wasn't using the internet?

[Gargamel360]

Me being also not very "computer savvy", I can say that yes, you probably are over-reacting, but caution never hurts   (well, unless you stop using your pc out of fear, but it would be called paranoia at that point)                                                                                    I also have things I don't recognize show up on Ntwk shield. Any nasties should bring up the red pop-up saying its blocked, and show up blocked on the graph as well.   (wasn't clear if these are "blocked or "analyzed" connections)   Your type of ISP connection would affect the answer to your last question, as some are always connected from startup, regardless if you are browsing or not.                               Trust the shields, they are the the best feature of Avast! and among the best in the market

[CharleyO]

***

Part of your problem might also be contained in this line from one of your above posts :

My computer slows down up for a bit once in a while but I'm sure that's because McAfee and Avast are constantly in conflict with each other.

It is never a good idea to run 2 resident av programs at the same time. That is just asking for trouble.


And, if I worried about every IP address that showed up in the Network shield that I do not recognize, I would never go on the internet.


***

[loraine2000]

@CharleyO: can you tell me how that would be troubling? Would running two AV programs ruin the effectiveness of some components of one or the other?

Your type of ISP connection would affect the answer to your last question, as some are always connected from startup, regardless if you are browsing or not.         

They're analyzed connections, to be clear. And regarding your post: I would not be so alarmed and would have assumed the same thing if I wasn't based in the States and hadn't found that the IP is apparently in Africa. Demon is probably connected to the BBC rss links, dmoz.org to firefox, but the afrinic IP I can't figure out. I will concede that I have a ridiculous tendency to overreact though...being a newbie to these sorts of things I have no idea what's bad or not.