TCP/IP Communication Intercepted

techfreelance
Hi all,

I just downloaded a couple of applications, one of them Visual Route, and while having a look at it I found something strange. It starts tracing the route from my computer, then into our firewall; after that it goes into the ISP, but following that it comes back into a network that is shown as 'private use' and the first two octets are the same as my network (192.168.xxx.xxx). The computer is not in our network though (I believe).
It all seems strange to me, dunno whether it is supposed to do so.

I include two of the reports I got from Visual Route.

Please help as this matter is quite urgent and important.

Thanks in advance,
techfreelance.

=====================================================
=== VisualRoute report on Dec 16, 2003 9:59:57 AM ===
=====================================================

Report for www.yahoo.com [216.109.118.66]

Analysis: 'www.yahoo.com'  was found in 13 hops. Connections to HTTP port 80 are working.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                             | Location   | Tzone | ms  | Graph      | Network                                                |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| 0   |       | 192.168.23.27   | aec-cad.aspect.local                  | ...        |       |     |            | (private use)                                          |
| 1   |       | 192.168.23.1    | -                                     | ...        |       | 0   | x          | (private use)                                          |
| 2   |       | 213.120.208.159 | imsnet-cl12-hg29.ealing.mdip.bt.net   | Ealing, UK | *     | 250 | x--------  | BT Public Internet Service                             |
| 3   |       | 192.168.250.200 | -                                     | ...        |       | 235 | x-------   | (private use)                                          |
| 4   |       | 172.16.95.28    | -                                     | ...        |       | 229 | x--------  | (private use)                                          |
| 5   |       | 213.1.119.149   | btfl02-gig7-7.imsnet3.btopenworld.com | -          |       | 214 | x-------   | BT-IMSNET                                              |
| 6   |       | 194.72.9.245    | core2-pos4-3.ealing.ukcore.bt.net     | Ealing, UK | *     | 243 | x-------   | Frame Relay Customer Network                           |
| 7   |       | 194.72.17.86    | transit2-pos4-0.ealing.ukcore.bt.net  | Ealing, UK | *     | 204 | x-------   | Transit network                                        |
| 8   |       | 166.49.168.37   | t2c2-p1-0.uk-eal.concert.net          | -          |       | 225 | x------    | RIPE Network Coordination Centre RIPE-ERX-166-49-128-0 |
| 9   |       | 166.49.164.22   | t2c2-p5-0.us-ash.concert.net          | -          |       | 291 | -x-----    | RIPE Network Coordination Centre RIPE-ERX-166-49-128-0 |
| 10  |       | 206.223.115.16  | exchange-cust1.ash.equinix.net        | -          |       | 273 | -x-----    | Equinix, Inc. EQUINIX-IX-ASH                           |
| 11  |       | 216.109.120.161 | ge-0-3-0-p34.msr1.dcn.yahoo.com       | -          |       | 274 | -x-----    | HotJobs.com, Ltd. HOTJOBS                              |
| 12  |       | 216.109.120.142 | vl30.bas1-m.dcn.yahoo.com             | -          |       | 273 | -x-----    | HotJobs.com, Ltd. HOTJOBS                              |
| 13  |       | 216.109.118.66  | www.yahoo.com                         | -          |       | 285 | -x-------- | HotJobs.com, Ltd. HOTJOBS                              |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to www.yahoo.com, average = 285ms, min = 97ms, max = 2346ms -- Dec 16, 2003 9:59:57 AM




======================================================
=== VisualRoute report on Dec 16, 2003 10:14:01 AM ===
======================================================

Report for www.experts-exchange.com [64.156.132.140]

Analysis: 'www.experts-exchange.com'  was found in 17 hops. It is a HTTP server .

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                               | Location             | Tzone  | ms   | Graph      | Network                                                |
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| 0   |       | 192.168.23.27   | aec-cad.aspect.local                    | ...                  |        |      |            | (private use)                                          |
| 1   |       | 192.168.23.1    | -                                       | ...                  |        | 0    | x          | (private use)                                          |
| 2   |       | 213.121.145.15  | lineone-cl10-hg12.bletchley.mdip.bt.net | Bletchley, UK        | *      | 3272 |   ---x---  | BT-MDIP-2                                              |
| 3   |       | 192.168.254.61  | -                                       | ...                  |        | 3335 |   ---x---  | (private use)                                          |
| 4   |       | 172.16.93.30    | -                                       | ...                  |        | 3408 |   ---x---  | (private use)                                          |
| 5   |       | 213.120.62.213  | -                                       | ?(United Kingdom)    | *      | 3262 |   ---x---  | BT-IMSNET                                              |
| 6   |       | 213.120.62.177  | -                                       | ?(United Kingdom)    | *      | 3383 |   ---x---  | BT-IMSNET                                              |
| 7   |       | 62.6.197.137    | core2-pos4-2.bletchley.ukcore.bt.net    | Bletchley, UK        | *      | 3220 |   ---x---  | BTnet Infrastructure                                   |
| 8   |       | 62.6.196.249    | core2-pos13-0.ealing.ukcore.bt.net      | Ealing, UK           | *      | 3303 |   ---x---  | BTnet Infrastructure                                   |
| 9   |       | 194.72.17.86    | transit2-pos4-0.ealing.ukcore.bt.net    | Ealing, UK           | *      | 3162 |   ---x---  | Transit network                                        |
| 10  |       | 166.49.168.33   | t2c2-p8-0.uk-eal.concert.net            | -                    |        | 3356 |   ---x---  | RIPE Network Coordination Centre RIPE-ERX-166-49-128-0 |
| 11  |       | 212.113.11.253  | so-3-0.ipcolo2.london2.level3.net       | London, UK           | *      | 3422 |   ---x---  | E3 customer links (bank 2)                             |
| 12  |       | 212.187.129.193 | unknown.Level3.net                      | -                    |        | 3341 |   ---x---  | London 2 Gateway infrastructure                        |
| 13  |       | 212.187.128.138 | so-1-0-0.bbr1.Washington1.Level3.net    | Washington, DC, USA  | -05:00 | 3400 |   ---x---  | Transatlantic cable systems                            |
| 14  |       | 64.159.0.246    | so-0-2-0.bbr2.losangeles1.level3.net    | Los Angeles, CA, USA | -08:00 | 3454 |   ---x---- | Level 3 Communications, Inc. LC-ORG-ARIN               |
| 15  |       | 64.159.1.209    | ge-9-0.hsa1.losangeles1.level3.net      | Los Angeles, CA, USA | -08:00 | 3412 |   ---x---  | Level 3 Communications, Inc. LC-ORG-ARIN               |
| 16  |       | 209.245.88.50   | EXPERTS-EXCH.hsa1.Level3.net            | -                    |        | 3487 |   ----x--  | Level 3 Communications, Inc. LEVEL3-CIDR               |
| 17  |       | 64.156.132.140  | www.experts-exchange.com                | ...                  |        | 3425 |   ---x---  | Level 3 Communications, Inc. LC-ORG-ARIN               |
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to www.experts-exchange.com, average = 3425ms, min = 1437ms, max = 5108ms -- Dec 16, 2003 10:14:01 AM

Hi techfreelance,
192.168.xxx.xxx is part of a group of addresses which are designated as 'non-routable' so that they can be used in 'off the net' private networks. 'Outward facing' nodes cannot use these addresses. My best guess is that if they are not on your LAN, they are a part of your ISP's LAN through which your connection is being routed internally. Obviously the way to check this is to contact your ISP and ask. A pal of mine made a very similar observation about NTL broadband, and I made the same recommendation. I still have to get any feedback.

Regards .. Alan

Author

Commented:
Thanx Alan.

I have used an IP Scanner to see if these addresses are in my network, and they are.
Now I'm even more confused. We only have 5 clients 1 server 1 switch/hub and 1 firewall, and when I do a search I'm getting replies and open ports from all of these:



What is replying? And where is it? 192.168.xxx.xxx is my network as far as I know ...

Please help.

Many thanks,
tech

techfreelance,
 If you refer to RFC 1918 (http://www.faqs.org/rfcs/rfc1918.html) you will find that the following ranges of addresses are reserved for private network use. Not, you will notice, for YOUR private network use. _Anybody_ who can isolate their network from the Internet at large may use a group of these numbers to form a network. The principle is that open IP (backbone Internet) routers will not route to, from, or through nodes with these addresses (i.e. Non-Routable). This means that to connect such networks to the Internet, they must be privately routed to a public (routable) IP address.

    10.0.0.0        -   10.255.255.255  (10/8 prefix)
    172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
    192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

If you look at your Visual route reports, you will see that the route is as follows:

 192.168.23.27      - Presumably on your internal network
 192.168.23.1       -          Ditto ? connection to DSL ?
 213.120.208.159    - Either your outward facing routed public IP or (more likely) the ISP's endpoint for your DSL
                      connection
 192.168.250.200    - Internal to your ISP's private network routed (privately) from 213.120.208.159
 172.16.95.28       - Internal to your ISP's private network routed (privately) from 192.168.250.200
 213.1.119.149      - Public (external) to your ISP's private network routed (privately) from 172.16.95.28
 -- And then further on through the public networks.

Ping may show an external machine, particularly if your network's subnet masks permit it (i.e. the ip address range is similar), I'm curious to know what would happen if an IP on your ISP's private network conflicted with one on yours??

It's obvious that the route from your network to the Internet at large is privately routed through your ISP's private network before reaching the Internet, otherwise, your pings being returned from the external addresses simply wouldn't get there (or back).
.. Alan
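The hop-by-hop reading above, as an added example (not code from the thread): each traceroute hop is labelled local, upstream-private or public against the RFC 1918 ranges, and a second check answers the subnet-mask question by listing upstream private hops that the LAN's own prefix would cover. The function names and the /24 LAN prefix are assumptions; the hop addresses are hops 0-6 of the first VisualRoute report.

```python
import ipaddress

# The three RFC 1918 blocks quoted in the answer above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hops 0-6 of the first VisualRoute report on this page.
SAMPLE_HOPS = [
    "192.168.23.27", "192.168.23.1", "213.120.208.159",
    "192.168.250.200", "172.16.95.28", "213.1.119.149", "194.72.9.245",
]


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 blocks."""
    return any(ip in net for net in RFC1918)


def classify_hops(hops, lan_cidr):
    """Label each hop in path order.

    local            - RFC 1918 address inside our own subnet, before any public hop
    private-other    - RFC 1918 address outside our subnet, before any public hop
    upstream-private - RFC 1918 address seen after a public hop, so it belongs
                       to a network operated by someone further along the path
    public           - anything outside RFC 1918
    """
    lan = ipaddress.ip_network(lan_cidr)
    seen_public = False
    result = []
    for hop in hops:
        ip = ipaddress.ip_address(hop)
        if not is_rfc1918(ip):
            label = "public"
            seen_public = True
        elif seen_public:
            label = "upstream-private"
        elif ip in lan:
            label = "local"
        else:
            label = "private-other"
        result.append((hop, label))
    return result


def shadowed_by_lan(hops, lan_cidr):
    """Upstream private hops that our own prefix also covers.

    A host treats every address inside its configured prefix as on-link,
    so these hops could not be reached by address from the LAN even
    though transit traffic passes through them.
    """
    lan = ipaddress.ip_network(lan_cidr)
    return [hop for hop, label in classify_hops(hops, lan_cidr)
            if label == "upstream-private" and ipaddress.ip_address(hop) in lan]


if __name__ == "__main__":
    # Assumption: the asker's LAN is 192.168.23.0/24; /16 shows the overlap case.
    for cidr in ("192.168.23.0/24", "192.168.0.0/16"):
        print("LAN prefix", cidr)
        for hop, label in classify_hops(SAMPLE_HOPS, cidr):
            print(f"  {hop:<16} {label}")
        print("  shadowed:", shadowed_by_lan(SAMPLE_HOPS, cidr))
```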

Author

Commented:
Thanx Alan but I need to add a couple of things,

First of all, I know that 192.168.0.0 is for private use and is not for me only (Not that greedy... :o]  ), but the way I understand it, this is my internal network address and not my public (WAN) address. Hence, I don't understand why I'm getting replies from the external private address 192.168.0.0 and not its public address ...

The second is I did as you said and contacted my ISP. Apparently their networks start by 194.xxx.xxx.xxx, but I also have to say that the guy's answers were not as technical as yours ...

Don't get me wrong Alan. I believe what you say and it makes perfect sense, but I still don't understand quite well what I exposed in my first point.
Would appreciate if you could clarify this matter.

Thanks in advance,
Tech.
Sorry If I was too technical.

The 192....... addresses are not _Publicly_ routable. This means that any such addresses that you see are being privately routed, either by you (not so, or you'd know what they were), or by your ISP. (or even their suppliers (BT)). I would suggest that your ISP, or their supplier, is routing you through a part of their private network, before you reach the public network.
You have been in contact with your ISP (Lineone or Tiscali I guess) who've indicated their internal network address range.  Have they or you contacted the carrier (BT) to check where they are routing?

I should contact them again, and e-mail the first part of your route report (the bit up to the line ending in btnet (2nd report)) and ask them why you are being routed through a private network. I don't think it's anything to worry about however.

.. Alan

Author

Commented:
Alan,

Thanks once again, and please always be as technical as you can. It is the only way I get to understand what's going on.

Regards,
Tech.
I have to agree with ADSaunders here.
Most likely your ISP is using these IP addresses internally in their own private routing infrastructure. Normally you wouldn't notice because of NAT's and such, but traceroute causes each router to record its own idea of its IP address.
re: Your IP scan
What are you using for a router?
Have you tried to traceroute any of these addresses?
What is the IP range in use at your site?

BTW: It's very common for ISP's to use 'private' ip addresses inside their networks. They have to conserve routable addresses just like everyone.
Staff IT Engineer
Commented:
There is a simple explanation here:

The private use addresses are the private network between YOU and your ISP (nowhere else).  There is almost ALWAYS a private network between the ISP and the user, most of the time I have seen 10.x.x.x but in this case there is a 192.168.x.x.

Think about the following picture

Internet ---------> ISP ---[private network]-------> User
Public IP --------> Private IP --------------------User1
                                         \_____________ User 2
                                          \____________  User 3

Keep in mind that the 10.0.0.0, 172.16.x.x, and 192.168.x.x are only going to "stop" if you put in the recommended ACL's on your router.  They cannot be registered or used for public servers,  traffic on the internet can travel through any number of private networks before it reaches its destination.

Author

Commented:
Hi all,

Thank you all for your answers.

I've got a last question.
After running a netstat -n I got the following:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1048         127.0.0.1:1083         ESTABLISHED (My Machine)
  TCP    127.0.0.1:1083         127.0.0.1:1048         ESTABLISHED (My Machine)
  TCP    192.168.23.27:1062     192.168.23.2:445       ESTABLISHED (Our Server)
  TCP    192.168.23.27:1085     213.113.166.231:3531   ESTABLISHED (RIPE Network Coordination Centre)
  TCP    192.168.23.27:1086     192.168.23.2:1026      ESTABLISHED (Our Server)
  TCP    192.168.23.27:1089     192.168.23.2:1215      ESTABLISHED (Our Server)
  TCP    192.168.23.27:1091     12.129.205.220:80      ESTABLISHED (CERFnet ATTENS-LAX1-1)
 

I actually connected to http://12.129.205.220 and it is a web page that only says 'PlaceHolder'. From a whois search I found this is AT&T Managed Services. I went to the web page (http://www.attens.com) and there is a load of tools to manage the network ...
Now this shouldn't be happening. I don't understand why a connection is being established since start up ...

Guys, I've got the feeling that this computer (at work) is being intercepted. I'm just trying to find how it is being done ...

Please let me know what you think about these netstat results.

Many thanks,
Fred.
Hi Fred,
In all these comments, you have not actually stated who your ISP is.
It could be that they (your ISP) are managing the network connection through AT&T (or AT&T are managing it on their behalf). If your ISP are unable to satisfy you as to why this connection has been established, then try one or more of the spyware checkers that are available to ensure that some program on this machine is not 'phoning home' without your knowledge.
Here are some links:
AdAware: http://www.lavasoftusa.com/
SpyBot-S&D: http://security.kolla.de/news.php?lang=en
These and others are listed by sunray_2003 in this question:
 http://www.experts-exchange.com/Security/Win_Security/Q_20792529.html

.. Alan
Are you running Kazaa?

Author

Commented:
Chicagoan,

I did have Kazaa installed a while ago, but I uninstalled it.


Tech.
That's (3531 tcp) a p2p port that's used by P2PNetworking.exe which is installed by Kazaa.
I'd backup your data files and wife that box if you don't know what's going on.
You can do a virus and spyware check, but if it's phoning home and you don't know why, I'd go for the Civil War Surgeon approach - amputate.
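The netstat reading in this part of the thread, as an added example (not code from any poster): each ESTABLISHED row of `netstat -n` output is sorted by the scope of its foreign address, and external connections to ports outside an expected set are singled out. The sample rows are taken from the output posted above with the hand-written annotations removed; the function names and the expected-port set {80, 443} are assumptions.

```python
import ipaddress

# Rows from the netstat -n output posted above, annotations removed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1048         127.0.0.1:1083         ESTABLISHED
  TCP    192.168.23.27:1062     192.168.23.2:445       ESTABLISHED
  TCP    192.168.23.27:1085     213.113.166.231:3531   ESTABLISHED
  TCP    192.168.23.27:1091     12.129.205.220:80      ESTABLISHED
"""


def triage(text, expected_ports=frozenset({80, 443})):
    """Return (foreign endpoint, verdict) for every ESTABLISHED row.

    expected_ports is an assumption: the remote ports this workstation is
    expected to talk to on the Internet. Adjust it to local policy.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # Skip headers, blank lines and rows without a state column.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[3] != "ESTABLISHED":
            continue
        host, _, port_text = parts[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            port = int(port_text)
        except ValueError:
            continue  # e.g. "*:*" or a name instead of an address
        if ip.is_loopback:
            verdict = "loopback"
        elif ip.is_private:
            verdict = "internal"
        elif port in expected_ports:
            verdict = "external-expected-port"
        else:
            verdict = "external-unexpected-port"
        findings.append((parts[2], verdict))
    return findings


def unexpected(text, expected_ports=frozenset({80, 443})):
    """Foreign endpoints that deserve a closer look first."""
    return [endpoint for endpoint, verdict in triage(text, expected_ports)
            if verdict == "external-unexpected-port"]


if __name__ == "__main__":
    for endpoint, verdict in triage(SAMPLE_NETSTAT):
        print(f"{endpoint:<24} {verdict}")
```

On Windows, `netstat -ano` adds the owning process ID as a further column, which this parser ignores but which identifies the program behind a flagged row.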

Commented:
the private ip's are your isp's , they frequently have pvt ips on their routers for some reason and since the traffic is still on their backbone it does not cause any issues...my boss freaked out over the same thing with a nextep traceroute but its nothing to be concerned about..

its just something isp's do , i asked a mate about it who works for a tier 1 isp and he said its quite normal...notice how its on the bt network still , in between public ip's listed routers...
TYPO wfe=wipe above^^^
If your problem is Kazaa, you could try this .. http://www.webattack.com/get/kazaagone.html. I haven't tried it, never bothered installing Kazaa, but it is by the same author as Hijack This, a tool often recommended by experts here.

.. Alan

Commented:
here is an example trace from my work to an ip of a box i own

Tracing route to 202.59.98.219 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.1.254  <-- internal work ip
  2    10 ms    10 ms    31 ms  210-89-xxx-xxx.nexnet.net.au [210.89.xxx.xxx]  <-- one of our external gateway ip's
  3    10 ms    10 ms     9 ms  172.31.174.14
  4     9 ms     9 ms     9 ms  192.168.2.66  <-- router on a private IP
  5    10 ms     9 ms    10 ms  210-0-94-225.nexnet.net.au [210.0.94.225]
  6    10 ms    10 ms    10 ms  210-0-94-78.nexnet.net.au [210.0.94.78]
  7     9 ms     9 ms     9 ms  FastEthernet2-1.pic2.Sydney.telstra.net [139.130.5.85]
  8    10 ms    10 ms     9 ms  GigabitEthernet3-16.pic1.Sydney.telstra.net [203.50.12.121]
  9    11 ms    10 ms     9 ms  GigabitEthernet10-2.ken-core4.Sydney.telstra.net [203.50.12.126]
 10     9 ms     9 ms     9 ms  GigabitEthernet0-1.ken22.Sydney.telstra.net [203.50.20.32]
 11    11 ms    10 ms    10 ms  ozemail9.lnk.telstra.net [139.130.4.58]
 12    12 ms    10 ms    10 ms  331.AT-3-0-0.XR1.SYD4.ALTER.NET [210.80.2.133]
 13     *       11 ms    10 ms  0.SO-0-1-0.XR2.SYD2.ALTER.NET [210.80.33.221]
 14    15 ms    11 ms    18 ms  311.ATM7-0.GW7.SYD2.ALTER.NET [210.80.33.190]
 15    11 ms    12 ms    11 ms  flow-syd2-gw.aspac.customer.alter.net [203.166.43.6]
 16    24 ms    15 ms    11 ms  172.31.1.2
 17   198 ms   218 ms   213 ms
<-----------------------------snip------------------------------------------------->


so as you can see its quite normal to have your network path be routed over a router with a private IP address....you dont have to worry about the FBI or NSA or CIA or BSA kicking in your door at 5am to raid you for your Kazaa downloading...you're more likely to receive a cease and desist letter from your ISP than anything else.
or a Christmas card from the RIAA...
