XP accessing 224.0.0.2 - advice please

[Zarbol Tsar]

Can I ask you specialists for some advice about my home PC.

I run XP Pro with all Microsoft patches except for SP2. I have got
only one PC attached to NTL broadband direct via a cable modem. My
PC is regularly scanned for viruses and for adware.

After booting up, my Sygate personal Firewall has recently been
asking me if I wish to allow these following programs to access
224.0.0.2

C:\windows\explorer.exe
C:\windows\system32\spoolerv.exe
C:\windows\system32\services.exe
C:\WINDOWS\System32\csrss.exe

also my antivirus program:
C:\Program Files\AntiVir PE\AVWIN.EXE

When I look up these program names on Google it seems that they are
probably not viruses.

But why do they want to access 224.0.0.2? And should I let them?

I have had some funny behaviour recently on my machine. When I ask
the PC to power down from the only open account, the PC says someone
else is logged on. But the other two accounts on the system are
logged off.

Could I have configured a network by mistake and the other account is
actually a network connection? How could I check if this is
happening.

Could this be linked with me plugging in my Canon Powershot/Ixus
digital camera recently to my USB port? The camera appeared as if it
was an extra drive.

Thank you for any help.

Zarbol




--





posted to
ntl.discussion.broadband.cm
uk.telecom.broadband
comp.security.misc
microsoft.public.windowsxp.security_admin

 

[Mike Scott]

Can I ask you specialists for some advice about my home PC.

I run XP Pro with all Microsoft patches except for SP2. I have got
only one PC attached to NTL broadband direct via a cable modem. My
PC is regularly scanned for viruses and for adware.

After booting up, my Sygate personal Firewall has recently been
asking me if I wish to allow these following programs to access
224.0.0.2

C:\windows\explorer.exe
C:\windows\system32\spoolerv.exe
C:\windows\system32\services.exe
C:\WINDOWS\System32\csrss.exe

also my antivirus program:
C:\Program Files\AntiVir PE\AVWIN.EXE

When I look up these program names on Google it seems that they are
probably not viruses.

But why do they want to access 224.0.0.2? And should I let them?

It's to do with IP routing. Block and forget.

 

[Ivor Jones]

It's to do with IP routing. Block and forget.

From grc.com's IDSERVE utility:

Initiating server query ...
Looking up the domain name for IP: 224.0.0.2
The domain name for the IP address is: ALL-ROUTERS.MCAST.NET
Connecting to the server on remote port: 25
[Connected] The remote connection was accepted but the server did not
return a connection greeting.

Ivor

 

[Steve Wyles]

From grc.com's IDSERVE utility:

Initiating server query ...
Looking up the domain name for IP: 224.0.0.2
The domain name for the IP address is: ALL-ROUTERS.MCAST.NET
Connecting to the server on remote port: 25
[Connected] The remote connection was accepted but the server did not
return a connection greeting.

Which won't give any useful information as addresses in the 224.0.0.0/24
are used for multicasting.

see http://www.cotse.com/CIE/RFC/1700/5.htm

In the original posters situation it is safe to either allow or block it
according to their own preference.

Steve

 

[T. Sean Weintz]

From grc.com's IDSERVE utility:

Initiating server query ...
Looking up the domain name for IP: 224.0.0.2
The domain name for the IP address is: ALL-ROUTERS.MCAST.NET
Connecting to the server on remote port: 25
[Connected] The remote connection was accepted but the server did not
return a connection greeting.

Ivor

LOL. It's a multicast address, idiot.

The guy who said "It's to do with IP routing. Block and forget." was
correct.

ANY address starting with 224 is not an address for a specific machine -
it's a multicast address. In this case, the multicast address that all
routers that respond to router discovery multicasts will listen for and
respond to.

His windows box is running router discovery. 224.0.0.2 is the "all
routers on this subnet" multicast address.

All IANA assigned multicast addresses can be found here:
http://www.iana.org/assignments/multicast-addresses

 

[Ivor Jones]

From grc.com's IDSERVE utility:

Initiating server query ...
Looking up the domain name for IP: 224.0.0.2
The domain name for the IP address is: ALL-ROUTERS.MCAST.NET
Connecting to the server on remote port: 25
[Connected] The remote connection was accepted but the server did
not return a connection greeting.

Ivor

LOL. It's a multicast address, idiot.

Was there any need for that..? I have never heard of multicast until today
so I had no idea what it was. Please don't be offensive.

Ivor

 

[Zarbol Tsar]

The guy who said "It's to do with IP routing. Block and forget."
was correct.

ANY address starting with 224 is not an address for a specific
machine - it's a multicast address. In this case, the multicast
address that all routers that respond to router discovery
multicasts will listen for and respond to.

His windows box is running router discovery. 224.0.0.2 is the
"all routers on this subnet" multicast address.

I am using a standalone PC (with no LAN) connected to a cable modem.

If I am running this "router discovery" then is it something I should
turn off?

 

[Steve Wyles]

On 18 Nov 2004, T. Sean Weintz wrote:

I am using a standalone PC (with no LAN) connected to a cable modem.

If I am running this "router discovery" then is it something I should
turn off?

No, you don't need to worry about it in any way. It's just one of those
mickysoft things.

Steve

 

[cw]

Was there any need for that..? I have never heard of multicast until
today so I had no idea what it was. Please don't be offensive.

Sounded more like a light hearted jest than an offensive hurl. Idiot ;0)

 

[Ivor Jones]

Sounded more like a light hearted jest than an offensive hurl.
Idiot ;0)

Calling someone an idiot just because they've never heard of something is
offensive.

Please don't do it, at least not to me.

<Plonk>

Ivor

 

[GreySoul]

No, you don't need to worry about it in any way. It's just one of those
mickysoft things.

Steve

Its not just an MS thing. I've seen other devices, such as wireless
routers, that like to send traffic to multicast addresses.

 

[Barry Margolin]

Calling someone an idiot just because they've never heard of something is
offensive.

Please don't do it, at least not to me.

When you answer questions like these in a technical newsgroup, you're
purporting to have some expertise on the subject. When it comes out
that you don't know a whole lot about the technology, retorts like that
are likely.

If you don't like it, don't post to Usenet, because it happens all the
time.

 

[Ivor Jones]

Barry Margolin wrote:

[snip]

When you answer questions like these in a technical newsgroup,
you're purporting to have some expertise on the subject. When it
comes out that you don't know a whole lot about the technology,
retorts like that are likely.

Why..?

Why is it necessary to be rude..? Would you call me an idiot to my face..?
Or is it only because you're hiding behind a keyboard..?

If you don't like it, don't post to Usenet, because it happens all
the time.

Again, why..? Why is it seemingly not possible to have sensible discussion
on Usenet..? Why could someone not simply have explained what I did not
know, rather than calling me an idiot..?

I don't like a lot of things, being called an idiot simply for being
unaware of something is one, being told not to post is another.

Ivor

 

[cw]

Calling someone an idiot just because they've never heard of something
is offensive.

Please don't do it, at least not to me.

And here's me thinking that the wink right after it would make it blatantly
obvious that my comment was a light hearted jest.

 

[Dave J]

Barry Margolin wrote:

[snip]

When you answer questions like these in a technical newsgroup,
you're purporting to have some expertise on the subject. When it
comes out that you don't know a whole lot about the technology,
retorts like that are likely.

Why..?

Why is it necessary to be rude..? Would you call me an idiot to my face..?
Or is it only because you're hiding behind a keyboard..?

I would quite possibly have called you an idiot to your face. I'd have
been smiling as I did so, and it could well have been taken as a
compliment.

Unfortunately, on a text only medium, we cannot know how Sean meant
it. I can only assume (from the LOL) that it was meant in an equally
lighthearted manner.

Plonking someone for an even more definitely lighthearted 'idiot!'
perhaps deserves the comment in a more serious frame of mind.

Oversensitivity on usenet is like using a schmitt trigger[1] to boost
a weak audio signal.

[1]
http://encarta.msn.com/encnet/features/dictionary/DictionaryResults.aspx?refid=1861702223
or for more detail
http://en.wikipedia.org/wiki/Schmitt_trigger

Dave J.

 

[Ivor Jones]

Dave J wrote:

[snip]

I would quite possibly have called you an idiot to your face. I'd
have been smiling as I did so, and it could well have been taken as
a compliment.

I can assure you it would not.

Unfortunately, on a text only medium, we cannot know how Sean meant
it. I can only assume (from the LOL) that it was meant in an equally
lighthearted manner.

I don't make assumptions. I take what I see at face value. If someone
calls me an idiot then to me that indicates they think I am an idiot.

Plonking someone for an even more definitely lighthearted 'idiot!'
perhaps deserves the comment in a more serious frame of mind.

Oversensitivity on usenet is like using a schmitt trigger[1] to
boost a weak audio signal.

If not liking offensive comments is being oversensitive then that's what I
am. I don't do it to others and I don't expect it to be done to me.

This discussion is becoming tiresome, so I propose to end it here. Just
don't be offensive to me is all I ask. Is that *so* unreasonable..?

Ivor

 

[Dave J]

And here's me thinking that the wink right after it would make it blatantly
obvious that my comment was a light hearted jest.

Schmitt trigger time.. Hysteresis is the word that applies..

 

[Dave J]

If not liking offensive comments is being oversensitive then that's what I
am. I don't do it to others and I don't expect it to be done to me.

Before now, I have seen a high proportion of a usenet group (or maybe
a mailing list, not sure now), one after the next, call a poster a
'prat' because he threatened to killfile anyone who did so.

The thinking being that they would rather not have their messages read
by an oversensitive pillock, and that it was his loss anyway.

This discussion is becoming tiresome, so I propose to end it here. Just
don't be offensive to me is all I ask. Is that *so* unreasonable..?

Don't take offense over such minor (and friendly) provocation is all I
ask. Is *that* so unreasonable..?

 

[Ivor Jones]

Dave J wrote:

[snip]

Don't take offense over such minor (and friendly) provocation is
all I ask. Is *that* so unreasonable..?

Calling someone an idiot isn't friendly in my book.

(Finally) end of discussion.

Ivor

 

[cw]

Schmitt trigger time.. Hysteresis is the word that applies..

Maybe he's american, they never seem to get the humour of a friendly dig
:0)