Old 11-04-2003, 11:34 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2003
Location: New Zealand
Posts: 23
OS: ME


Message popping up after installing security patches and updates

After reading an article in the NZ PC World mag about security patches and updates, and feeling a bit bored with not much to do, I thought I would run Windows Update and check out the updates available for my PC.
I have not installed any patches or updates in the two years that I have owned the PC; there were 19 available.
I had a quick read about these updates then proceeded to install them. Everything went fine and the PC is working fine.
I also installed Sygate Personal Firewall a couple of months ago, as someone hacked into my PC through a security hole in Internet Explorer and caused mayhem.
Now, since I have installed these updates, whenever I disconnect from the Internet I get a message from Sygate pop up:

Dial-up Networking Application is trying to broadcast to [224.0.0.2].
Do you want to allow this program to access the network

It also gives the following details:

File Version : 4.90.3000
File Description : Dial-Up Networking Application
File Path : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Process ID : FFF781F5 (Heximal) 4294410741 (Decimal)

Connection origin : local initiated

Ethernet packet details:
Ethernet II (Packet Length: 48)
Destination: 01-00-5e-00-00-02
Source: 44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 24 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
Header checksum: 0xef6b (Correct)
Source: 128.9.65.193
Destination: 224.0.0.2

Binary dump of the packet:
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 17 1C 00 00 01 02 : 6B EF 80 09 41 C1 E0 00 | . ......k...A...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 6A 25 | ..............j%

The updates I installed were:

812709: Security Update [Windows Me]
811630: Critical Update [Windows Me]
Windows Share Level Password Update
Security Update, November 20, 2001
Security Update, December 17, 2001
Q323255: Security Update [Windows Me]
Q323172: Security Update [Windows Me]
Q329115: Security Update [Windows Me]
Q329048: Security Update
Q329414: Security Update [MDAC 2.5]
814078: Security Update [Microsoft Jscript version 5.6, Windows 98, Windows Millennium Edition, Windows NT 4.0]
816093: Security Update Microsoft Virtual Machine [Microsoft VM]
823559: Security Update for Microsoft Windows
Security Update for Microsoft Windows [KB819696]
Update for Windows Media Player Script Commands [KB828026]
Security Update for Microsoft Windows ME [KB825119]
330994: April 2033, Security Update for Outlook Express 6 SP1
October 2033, Cumulative Patch for Internet Explorer 6 Service Pack 1 [KB828750]
Windows Me System Restore Update
Microsoft Internet Explorer 6 Service Pack 1 [Windows 98, Windows Me]



This message seems a bit strange to me as I only get it after I have disconnected. Does anyone have any idea why I would get this message?
CBPerformance is offline  
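
An added example, not part of the original thread: a short Python decoder for the binary dump quoted in the Sygate alert in the first post, which verifies the IP and IGMP checksums and names the IGMP message and group. The function names are illustrative, and the type table covers only the RFC 1112 / RFC 2236 message types.

```python
import ipaddress
import struct

# Binary dump exactly as quoted in the Sygate alert in the first post.
DUMP = """\
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 17 1C 00 00 01 02 : 6B EF 80 09 41 C1 E0 00 | . ......k...A...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 6A 25 | ..............j%
"""

# IGMP message types from RFC 1112 / RFC 2236.
IGMP_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
              0x16: "IGMPv2 Membership Report", 0x17: "IGMPv2 Leave Group"}

def dump_to_bytes(text):
    """Convert 'offset: hex : hex | ascii' lines into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            hex_part = line.split(":", 1)[1].split("|", 1)[0]
            out += bytes.fromhex(hex_part.replace(":", " "))
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 checksum; 0 over a block means its embedded checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_igmp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4/IGMP; raise ValueError otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-in-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl + 8 <= total_len <= len(ip):
        raise ValueError("malformed or truncated IPv4/IGMP packet")
    if ip[9] != 2:
        raise ValueError("IP protocol is not IGMP")
    igmp = ip[ihl:total_len]
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "router_alert": ihl >= 24 and ip[20:22] == b"\x94\x04",
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "igmp_type": IGMP_TYPES.get(igmp[0], hex(igmp[0])),
        "igmp_checksum_ok": inet_checksum(igmp) == 0,
        "group": str(ipaddress.IPv4Address(igmp[4:8])),
        "trailing_bytes": len(ip) - total_len,    # padding after the IP datagram
    }

if __name__ == "__main__":
    for key, value in decode_igmp_frame(dump_to_bytes(DUMP)).items():
        print(f"{key:18} {value}")
```

On this dump it reports an IGMPv2 Leave Group for 239.255.255.250, the SSDP multicast group, sent with TTL 1 to the all-routers address 224.0.0.2; SSDPSRV.EXE appears in the process list posted later in the thread.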
Old 11-05-2003, 11:45 AM   #2 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


It sounds like some program there always wants to stay connected. Perhaps you have your internet options set to automatically dial, or you have set some program for auto-update.

If you have Windows auto-update enabled, it is often set to check for updates every five minutes (and you can't change that setting).

I don't know how that Trojan invasion was dealt with, or whether it coincided with the re-dial problem, but I would recommend that you download Spybot from the link below. After installation, have it check for updates first, then run a scan. Have it fix everything in red.

http://www.safer-networking.org/inde...&page=download

Let us know if this has any impact on the problem.

Good hunting!

Last edited by jgvernonco; 11-05-2003 at 11:50 AM.
jgvernonco is offline  
Old 11-10-2003, 12:43 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2003
Location: New Zealand
Posts: 23
OS: ME


I am sorry it has taken sooo long for me to acknowledge your reply. I have been so busy with work that I have not even turned the PC on.
I checked my internet settings and they are not set to auto dial. Windows auto-update was enabled; I fixed this but the problem is still there.
The Trojan problem was about 3 months ago and everything worked out fine with fixing that prob; I don't believe they could be related.
I already have Spybot and Adaware installed and I did run them, removed Alexa Related, MS Works: Auto run, MS Works: Program file.
No change.
Regards CB
CBPerformance is offline  
Old 11-10-2003, 12:50 AM   #4 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


The next step is probably to download Hijack This from the link below. Create, copy and paste a log here and somebody will have a look at it.

http://mjc1.com/mirror/hjt/
jgvernonco is offline  
Old 11-10-2003, 12:54 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2003
Location: New Zealand
Posts: 23
OS: ME


Logfile of HijackThis v1.95.1
Scan saved at 8:55:32 PM, on 10/11/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MEDIA MANAGER\AIRSVCU.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...als/ymmapi.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.nz/resources/ne...cab?4,0,1009,0
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...927.7267824074
CBPerformance is offline  
Old 11-10-2003, 08:26 AM   #6 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

If you are running a proxy, then your HJT log looks clean.

Late thought... did you use DAP to download those patches? I remember a situation quite some time ago where the download was corrupted, and DAP appeared to be the problem.

As I remember, the updates were downloaded again, the slow way, and the problem was corrected.

I'll think some more.

Anybody else have any more ideas?
jgvernonco is offline  
Old 11-10-2003, 11:42 AM   #7 (permalink)
Retired
 
Chevy's Avatar
 
Join Date: Jul 2003
Location: Notlob
Posts: 5,452
OS: Vista Ultimate

Broadcast when Logging Off

Could be the releasing of the IP addy assigned by the ISP, or many other valid broadcasts.

Can you give us the Protocol and Port Number? That would help.
Chevy is offline  
Old 11-10-2003, 11:01 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2003
Location: New Zealand
Posts: 23
OS: ME


I am not aware that I am using a proxy. No, I do have DAP but it was not used.
CBPerformance is offline  
Old 11-12-2003, 01:04 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2003
Location: New Zealand
Posts: 23
OS: ME


I tried a few things last night. I uninstalled Sygate and reinstalled it to see if that made a difference, no such luck.
I did a Google search for 224.0.0.2 and came up with 4,970 sites related, so I then did an advanced search and added Sygate, which came up with 47 sites, most of them related to kernel32.dll trying to ping 224.0.0.2.
224.0.0.2 is multicast, and it's really not going anywhere, so they say.
But I did find a couple of sites relating to similar problems to mine;
in fact one person had the exact problem I had, right down to the patch updates.
Could this be some sort of a conflict between the MS security patches and Sygate?
I have uninstalled Sygate and installed Zone Alarm and no message.
What are your thoughts, please?
CB
CBPerformance is offline  
Old 11-12-2003, 05:34 AM   #10 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


Over in the security forum, I just last night posted a thread about my most recent experience with MS security patches.

I have never heard of this, but absolutely anything is possible.

It might be better to stick with Zone Alarm and avoid all the headaches.

Anyone else have a thought?
jgvernonco is offline  
All times are GMT -7. The time now is 01:17 PM.



Copyright 2001 - 2009, Tech Support Forum