WTF? Notepad trying to contact the Internet

novon

Diamond Member
Oct 9, 1999
Every time I try to save a document to my desktop with Notepad, I get a ZoneAlarm pop-up that says it's trying to contact an outside IP address, 204.127.199.8. What the heck is going on?

Track:

Alert property | Alert property value | Technical explanation
Program Name | Notepad | A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename | notepad.exe | The filename of the program that ZoneAlarm Pro found on your computer.
Program Version | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | The version of Notepad running on your computer.
Program Size | 69120 | The size of the program executable file in bytes.
Program MD5 | 388b8fbc36a8558587afc90fb23a3b99 | The MD5 hash, or number, that uniquely identifies the executable.
Date Modified | Aug-04-2004 12:56:54 AM | The date when notepad.exe was most recently modified.
Connect Type | Access | This value can be either Access, which is an Internet connection attempt by Notepad or Server, which indicates that Notepad is waiting for connections coming in from the Internet.
Remote Port | 53 | The port Notepad is using on the remote computer.
Remote IP Address | 204.127.199.8 | The IP address of the remote computer that caused the alert.
Alert Date | May-23-2005 11:56:07 AM PDT | The time when ZoneAlarm Pro detected the alert on your computer.


OrgName: AT&T WorldNet Services
OrgID: ATTW
Address: 400 Interpace Parkway
City: Parsippany
StateProv: NJ
PostalCode: 07054
Country: US

NetRange: 204.127.0.0 - 204.127.255.255
CIDR: 204.127.0.0/16
NetName: ATTPLS
NetHandle: NET-204-127-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.WORLDNET.ATT.NET
NameServer: NS2.WORLDNET.ATT.NET
Comment: __________________________________________
Comment: For matters pertaining to abuse, harassment
Comment: or spam, please contact abuse@att.net
Comment: __________________________________________
RegDate:
Updated: 1999-06-11

TechHandle: JC645-ARIN
TechName: Craig, John
TechPhone: +1-314-770-3395
TechEmail: jrcraig@att.com

OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: +1-919-319-8130
OrgAbuseEmail: abuse@att.net

OrgTechHandle: ICC-ARIN
OrgTechName: IP Customer Care
OrgTechPhone: +1-888-613-6330
OrgTechEmail: qhoang@att.com

OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone: +1-888-613-6330
OrgTechEmail: help@ip.att.net

# ARIN WHOIS database, last updated 2005-01-03 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 

novon

Diamond Member
Oct 9, 1999
I just caught it accessing another IP, 63.240.76.198. I just reinstalled Windows too. They both go to the San Jose area of CA.
CERFnet CERFNET-BLK-5 (NET-63-240-0-0-1)
63.240.0.0 - 63.242.255.255
Project Redwood ISP (AT&T Internal) ATTENS-NYC3-007708-2 (NET-63-240-76-0-1)
63.240.76.0 - 63.240.77.255

# ARIN WHOIS database, last updated 2005-01-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


CustName: Project Redwood ISP (AT&T Internal)
Address: 9805 Scranton Road
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
RegDate: 2001-11-16
Updated: 2001-11-16

NetRange: 63.240.76.0 - 63.240.77.255
CIDR: 63.240.76.0/23
NetName: ATTENS-NYC3-007708-2
NetHandle: NET-63-240-76-0-1
Parent: NET-63-240-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-11-16
Updated: 2001-11-16

TechHandle: CERF-HM-ARIN
TechName: AT&T Enhanced Network Services
TechPhone: +1-858-812-5000
TechEmail: notify@attens.com

OrgTechHandle: NETWO10-ARIN
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail: iptool@attens.com

# ARIN WHOIS database, last updated 2005-01-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database
 

warcrow

Lifer
Jan 12, 2004
Google "Project Redwood ISP" and read through some of the top 10 hits. Also, if you're really worried....why not call some of those names in the /whois?
 

shukusatsu

Junior Member
May 17, 2005
Spybot, Bazooka, AVG, Trojan Guarder Gold generally catch all of that stuff...tells you how to get rid of it/does it automatically for you.
 

novon

Diamond Member
Oct 9, 1999
Originally posted by: MercenaryForHire
You've got

W32.HLLW.Qaz.A

Fix tool located there.

- M4H

I just tried saving to the desktop from a different program and got the same contacting Internet problem, so it may not just be Notepad.

Can anyone recommend a free Trojan checker?
 

birdpup

Banned
May 7, 2005
shukusatsu provided some recommendations. I prefer Lavasoft Adaware and AVG anti-virus. Spybot is also good.
 

novon

Diamond Member
Oct 9, 1999
I figured out the IPs are Comcast Internet's DNS servers. Why would saving something to my desktop contact my ISP's DNS server? Anyone know how to stop it?
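
An added example, not written by any poster in this thread: one way to triage a firewall alert like the ones above is to compare its remote IP and port against the DNS servers the machine is configured to use. The `ipconfig /all` text is a constructed sample, the function names are hypothetical, and port 53 for the second IP and the third alert are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. The two resolver addresses are
# the IPs from the thread, which the poster identified as the ISP's DNS servers.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 204.127.199.8
                                            63.240.76.198
        Lease Obtained. . . . . . . . . . : (constructed)
"""

def parse_dns_servers(ipconfig_text):
    """Return the IPs of the 'DNS Servers' entry, including continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            candidate, in_dns = m.group(1), True
        elif in_dns:
            candidate = line.strip()      # extra resolvers sit alone on a line
        else:
            continue
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            in_dns = False                # next field or blank line ends the list
    return servers

def classify_alert(remote_ip, remote_port, resolvers):
    """Label a firewall alert by comparing it with the configured resolvers."""
    if remote_port != 53:
        return "not-dns"
    if str(ipaddress.ip_address(remote_ip)) in resolvers:
        return "dns-to-configured-resolver"
    return "dns-to-unexpected-server"     # worth a closer look

if __name__ == "__main__":
    resolvers = parse_dns_servers(IPCONFIG_SAMPLE)
    alerts = [("204.127.199.8", 53),      # from the ZoneAlarm alert in the thread
              ("63.240.76.198", 53),      # second IP; port 53 is an assumption
              ("198.51.100.7", 53)]       # constructed, not a configured resolver
    for ip, port in alerts:
        print(ip, port, classify_alert(ip, port, resolvers))
```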
 

akugami

Diamond Member
Feb 14, 2005
Install Lavasoft's Adaware, run it. Download Grisoft's AVG Anti-Virus and run that. It should catch most of the bugs in your system. Some you probably didn't even know you had. You can also use Spybot on the same system which may catch something that Adaware overlooks or is not aware of yet.
 

biostud

Lifer
Feb 27, 2003
try in the software forum

otherwise you can run an online virus scan, from Trend or other companies.
 

bocamojo

Senior member
Aug 24, 2001
Install Microsoft AntiSpyware and scan your system. Also the free AVG virus scanner. Between those two, you should be able to get your system cleaned up.
 