
63.240.76.198/Comcast/ZoneAlarm

Discussion in 'Malware and Virus Removal Archive' started by Welshjim, 2005/11/30.

  1. 2005/11/30
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I often get ZoneAlarm messages that such and such a program wants to access 63.240.76.198.
    This URL is for
    ns14.attbi.com
    Additional information is
    63.240.76.0 - 63.240.77.255
    Project Redwood ISP (AT&T Internal)
    9805 Scranton Road
    San Diego, CA
    Now this all looks legitimate. And I seem to remember that Comcast (my ISP) has some tie with AT&T and/or that AT&T provides services to Comcast.
    But I cannot understand why programs having nothing to do with Comcast or AT&T want to access an AT&T site.
    I usually just click Deny and nothing seems to be affected for good or bad.
    A little research on Google suggests others have similar experiences, but the site to which access is wanted is different. No conclusion is reached on why this is happening or if there are good or bad consequences to how the request is handled.
    I have used antivirus scans and scans for spyware/trojan detection. Nothing found.

    Does any one else have this experience or know why this is happening?
    I personally suspect it has something to do with Comcast.
    Thanks.

    P.S. Among the programs asking for this access are MS AntiSpyware and Norton AV, so these are not programs you would expect to be infected with malware. There are others. (If desired, I will keep an eye out to report which.) It may have to do with times when I manually update. But still, why an AT&T site?
    P.P.S. I raised a related question here
    http://www.windowsbbs.com/showthread.php?t=49631&page=1&pp=15
    But there is not much purpose in reading that, since the above question is really different. (I am not 100% happy about updat32.exe, but I can live with it.)
     
  2. 2005/12/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    The IP is probably your gateway, not a gateway on your LAN, but the very first router on your ISP's network. Or it's the DNS server used by your ISP. Do a traceroute to yahoo.com and note the first few router IPs shown, and see if they match the IP in that log. To check if it's a DNS server, view the status page in your router control panel if you have one.
     


  4. 2005/12/01
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    TonyT--I have no router, but ran tracert on comcast.net with the following result
    "
    C:\>tracert www.comcast.net

    Tracing route to www.comcast.net [204.127.205.8]
    over a maximum of 30 hops:

    1 9 ms 5 ms 5 ms 10.72.72.1
    2 8 ms 8 ms 7 ms 68.86.206.33
    3 7 ms 7 ms 8 ms 68.86.206.58
    4 7 ms 7 ms 7 ms 68.35.172.66
    5 27 ms 25 ms 24 ms 12.118.225.9
    6 63 ms 63 ms 63 ms tbr2-p013801.dlstx.ip.att.net [12.123.17.62]
    7 63 ms 63 ms 64 ms tbr1-cl6.sl9mo.ip.att.net [12.122.10.89]
    8 62 ms 61 ms 62 ms tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
    9 61 ms 64 ms 63 ms 12.122.9.150
    10 63 ms 63 ms 63 ms 12.122.10.53
    11 60 ms 59 ms 59 ms 12.122.81.145
    12 67 ms 73 ms 61 ms mdf1-gsr12-2-pos-7-0.nyc3.attens.net [12.122.255.162]
    13 62 ms 62 ms 60 ms sccsbix11-3-1.attbi.com [63.240.64.54]
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 61 ms 62 ms 61 ms www.comcast.net [204.127.205.8]

    Trace complete. "

    So AT&T and attbi.com are definitely involved (as servers?) in the route.

    In fact the IP address given for comcast.net (204.127.205.8) at the beginning is actually owned by (or allocated to)

    AT&T WorldNet Services
    AT&T
    200 S. LAUREL AVE.
    MIDDLETOWN, NJ
    although 68.86.206.33 is Comcast.

    Are you therefore saying that these ZA messages are caused by just a normal seeking of domains when the programs involved want access to the net? And that I should just set ZA to Allow?

    I should have reported earlier that I find 63.240.76.198 in several places in my Registry under TCPIP keys as the DHCP Name Server.

    Thanks for your help.
     
  5. 2005/12/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Yes, if it's in the registry as the nameserver then that is the nameserver provided by your ISP. The apps that ZA blocks are likely the auto-update features of those apps.
     
  6. 2005/12/01
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Not necessarily. Read Arie's recent post here and the article. There's lots going on behind your back. Deny is correct.
     
  7. 2005/12/01
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Shall we vote on whether I should be concerned or not? :)
    I like TonyT's approach.
    What would be placing DRM on my PC, especially when you consider the programs involved and that I scan with almost every scanner available?

    P.S. I think it may be that Comcast has a relation with AT&T and that ZoneAlarm updates changed the settings in Program Control to Prompt whereas I had earlier set Allow. So now I have to re-Allow several program's access to the internet.
     
    Last edited: 2005/12/01
  8. 2005/12/02
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Just as a precaution:
    1. post the regkeys that contain that ip address. (in regedit, export the key and copy+paste their txt)
    2. download and run Sysinternals' RootkitRevealer and post any findings here. (don't yet delete anything it may find)
    http://www.sysinternals.com/Utilities/RootkitRevealer.html
    3. as a test: manually run Symantec Live Update & see if you get the report from Zone Alarm. If so, then use Task Manager and look for the Live Update processes:
    luall.exe (live update window)
    lucoms~1.exe (live update server connection)
    Killing these running tasks should stop the za warning.
     
  9. 2005/12/02
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    The important point from that article:
     
  10. 2005/12/02
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I think Sparrow has it right.

    As far as I can tell from reading about MS's next OS, part of the Vista "experience" will be more of this kind of stuff.

    Regards - Charles
     
  11. 2005/12/02
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I ran the RootkitRevealer (at least I hope I ran it; I opened it and clicked Scan) and after several minutes of scanning I got the message "Scan Complete:no discrepancies found ". I hope "no discrepancies" means I am free of Rootkits.
    I also went into registry and looked for 63.240.76.198. I could hardly believe it, but no listings found!! So I looked for DHCPNameServer and found that all the values had been changed to different IP numbers, such as 68.87.85.98 and 68.87.69.146. These are Comcast IP numbers, not AT&T. Again I know I had read somewhere that Comcast was planning to switch to their own servers (or whatever) and away from AT&T. So it looks like this has finally happened.
    Now I get ZA messages whether I will allow XXX.exe to access the new Comcast IP numbers. :)
    I think I will just cave in and Allow, although I still do not understand the purpose, especially in the case of NAV.
    I never did get the messages when I ran Symantec Live Update. In the case of NAV, it was only when installing the daily new virus definitions using the Intelligent Updater site. And it was only after I had downloaded and, as far as I could tell, had already installed the new definitions. So contacting for permission to access the Intelligent Updater site would not seem to be the purpose.
    I do not know whether the MSAS pop ups are a prerequisite for getting MSAS updates (notification for which, but not installation, I have set to auto). Since there rarely is an update, I do not know whether denying access means I do not get the update or whether this also is an "after the fact" contact for, again, some unknown purpose.
     
  12. 2005/12/02
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hey Jim,

    MS AS had an update today > 5781.

    My practice is to manually look for updates before I scan, which is usually every other day.

    Regards - Charles
     
  13. 2005/12/03
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--Interesting.
    This AM my MSAS window showed definitions updated as of yesterday, Dec. 2. But then when I went to Help|About I was told "Spyware Definition Version: 5779 (12/2/2005 7:03:10 PM) ". So the date has changed, but the version # has stayed the same. This was all done automatically by MSAS.
    So then, based on your info, I manually did File|Check for Updates, and sure enough now Help|About reads "Spyware Definition Version: 5781 (12/2/2005 7:03:10 PM) "
    Weird.
     
  14. 2005/12/04
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    FYI -
    Name server IP numbers are prone to change and the registry will get automatically updated. For example, perhaps Comcast's name server was down for maintenance and Comcast routed all requests to an AT&T nameserver in order to keep internet access ON for subscribers. Your networking will detect the changes automatically and update its records, and they will be reflected in various locations of your system.
     
