| Win 98 & ME Support Find support for Windows 98 / ME here |
#1 (permalink) |
|
Registered User
Join Date: Nov 2003
Location: New Zealand
Posts: 22
OS: ME
|
Message popping up after installing security patches and updates

After reading an article in the NZ PC World mag about security patches and updates, and feeling a bit bored with not much to do, I thought I would run Windows Update and check out the updates available for my PC.

I have not installed any patches or updates in the two years that I have owned the PC; there were 19 available. I had a quick read about these updates, then proceeded to install them. Everything went fine and the PC is working fine. I also installed Sygate Personal Firewall a couple of months ago, as someone hacked into my PC through a security hole in Internet Explorer and caused mayhem.

Now since I have installed these updates, whenever I disconnect from the Internet I get a message from Sygate pop up:

Dial-up Networking Application is trying to broadcast to [224.0.0.2]. Do you want to allow this program to access the network

It also gives the following details:

File Version : 4.90.3000
File Description : Dial-Up Networking Application
File Path : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Process ID : FFF781F5 (Heximal) 4294410741 (Decimal)
Connection origin : local initiated

Ethernet packet details:
Ethernet II (Packet Length: 48)
Destination: 01-00-5e-00-00-02
Source: 44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 24 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
Header checksum: 0xef6b (Correct)
Source: 128.9.65.193
Destination: 224.0.0.2

Binary dump of the packet:
0000: 01 00 5E 00 00 02 44 45 : 53 54 00 00 08 00 46 00 | ..^...DEST....F.
0010: 00 20 17 1C 00 00 01 02 : 6B EF 80 09 41 C1 E0 00 | . ......k...A...
0020: 00 02 94 04 00 00 17 00 : F9 04 EF FF FF FA 6A 25 | ..............j%

The updates I installed were:

812709: Security Update [Windows Me]
811630: Critical Update [Windows Me]
Windows Share Level Password Update
Security Update, November 20, 2001
Security Update, December 17, 2001
Q323255: Security Update [Windows Me]
Q323172: Security Update [Windows Me]
Q329115: Security Update [Windows Me]
Q329048: Security Update
Q329414: Security Update [MDAC 2.5]
814078: Security Update [Microsoft Jscript version 5.6, Windows 98, Windows Millennium Edition, Windows NT 4.0]
816093: Security Update Microsoft Virtual Machine [Microsoft VM]
823559: Security Update for Microsoft Windows
Security Update for Microsoft Windows [KB819696]
Update for Windows Media Player Script Commands [KB828026]
Security Update for Microsoft Windows ME [KB825119]
330994: April 2033, Security Update for Outlook Express 6 SP1
October 2033, Cumulative Patch for Internet Explorer 6 Service Pack 1 [KB828750]
Windows Me System Restore Update
Microsoft Internet Explorer 6 Service Pack 1 [Windows 98, Windows Me]

This message seems a bit strange to me, as I only get it after I have disconnected. Does anyone have any idea why I would get this message?
|
|
|
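As an added example (not part of the original thread), this Python sketch decodes the 48-byte frame from the Sygate alert in post #1: it checks the IPv4 and IGMP checksums and shows that the payload is an IGMPv2 Leave Group for 239.255.255.250, the SSDP/UPnP discovery group. The function and key names are illustrative; the bytes are copied from the poster's binary dump.

```python
import struct
from ipaddress import IPv4Address

# Frame bytes copied from the "Binary dump of the packet" in post #1.
FRAME = bytes.fromhex(
    "01 00 5E 00 00 02 44 45 53 54 00 00 08 00 46 00 "
    "00 20 17 1C 00 00 01 02 6B EF 80 09 41 C1 E0 00 "
    "00 02 94 04 00 00 17 00 F9 04 EF FF FF FA 6A 25"
)
IGMP_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
              0x16: "IGMPv2 Membership Report", 0x17: "IGMPv2 Leave Group"}
ROUTER_ALERT = bytes.fromhex("94040000")  # IP option 148, length 4 (RFC 2113)

def checksum_ok(data: bytes) -> bool:
    """Internet checksum (RFC 1071): valid data, checksum field included, sums to 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / IGMP frame into the fields worth reviewing."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    eth_dst, _eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (24 here: 20 + options)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if eth_type != 0x0800 or ip[0] >> 4 != 4 or ip[9] != 2:
        raise ValueError("not an IPv4 IGMP packet")
    if ihl < 20 or not ihl + 8 <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4/IGMP lengths")
    igmp = ip[ihl:total_len]          # anything past total_len is link-layer padding
    msg_type, _max_resp, _cksum, group = struct.unpack("!BBH4s", igmp[:8])
    return {
        "eth_dst": eth_dst.hex("-"),
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "ip_checksum_ok": checksum_ok(ip[:ihl]),
        # Only the first option slot is examined, which is where this frame has it.
        "router_alert": ihl >= 24 and ip[20:24] == ROUTER_ALERT,
        "igmp": IGMP_TYPES.get(msg_type, f"unknown 0x{msg_type:02x}"),
        "group": str(IPv4Address(group)),
        "igmp_checksum_ok": checksum_ok(igmp),
        "padding": ip[total_len:].hex(),
    }

if __name__ == "__main__":
    for key, value in decode_frame(FRAME).items():
        print(f"{key:17} {value}")
```

IGMP is carried directly over IP (protocol 2) and has no port number. SSDPSRV.EXE is among the running processes in the HijackThis log in post #5.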
|
|
#2 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
It sounds like some program there always wants to stay connected. Perhaps you have your internet options set to automatically dial, or you have set some program for auto-update.

If you have Windows auto-update enabled, it is often set to check for updates every five minutes (and you can't change that setting).

I don't know how that Trojan invasion was dealt with, or whether it coincided with the re-dial problem, but I would recommend that you download Spybot from the link below. After installation, have it check for updates first, then run a scan. Have it fix everything in red.

http://www.safer-networking.org/inde...&page=download

Let us know if this has any impact on the problem. Good hunting!

Last edited by jgvernonco; 11-05-2003 at 10:50 AM.
|
|
|
|
|
#3 (permalink) |
|
Registered User
Join Date: Nov 2003
Location: New Zealand
Posts: 22
OS: ME
|
I am sorry it has taken sooo long for me to acknowledge your reply. I have been so busy with work that I have not even turned the PC on.

I checked my internet settings and they are not set to auto dial. Windows auto-update was enabled; I fixed this, but the problem is still there.

The Trojan problem was about 3 months ago and everything worked out fine with fixing that prob. I don't believe they could be related.

I already have Spybot and Adaware installed and I did run them; removed Alexa Related, MS Works: Auto run, and MS Works: Program file. No change.

Regards
CB
|
|
|
|
|
#4 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
The next step is probably to download Hijack This from the link below. Create, copy and paste a log here and somebody will have a look at it.

http://mjc1.com/mirror/hjt/
|
|
|
|
|
#5 (permalink) |
|
Registered User
Join Date: Nov 2003
Location: New Zealand
Posts: 22
OS: ME
|
Logfile of HijackThis v1.95.1
Scan saved at 8:55:32 PM, on 10/11/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MEDIA MANAGER\AIRSVCU.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...als/ymmapi.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.nz/resources/ne...cab?4,0,1009,0
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...927.7267824074
|
|
|
|
|
#6 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

If you are running a proxy, then your HJT log looks clean.

Late thought... did you use DAP to download those patches? I remember a situation quite some time ago where the download was corrupted, and DAP appeared to be the problem. As I remember, the updates were downloaded again, the slow way, and the problem was corrected.

I'll think some more. Anybody else have any more ideas?
|
|
|
|
|
#7 (permalink) |
|
Semi-Retired Manager, Microsoft Support
|
Broadcast when Logging Off
Could be the releasing of the IP addy assigned by the ISP, or many other valid broadcasts.
Can you give us the Protocol and Port Number? That would help.
|
|
|
|
|
#9 (permalink) |
|
Registered User
Join Date: Nov 2003
Location: New Zealand
Posts: 22
OS: ME
|
I tried a few things last night. I uninstalled Sygate and reinstalled it to see if that made a dif; no such luck.

I did a Google search for 224.0.0.2 and came up with 4,970 sites related, so I then did an advanced search and added Sygate, which came up with 47 sites, most of them related to kernel32.dll trying to ping 224.0.0.2. 224.0.0.2 is multicast, and it's really not going anywhere, so they say. But I did find a couple of sites relating to similar problems to mine; in fact one person had the exact problem I had, right down to the patch updates.

Could this be some sort of a conflict between the MS security patches and Sygate? I have uninstalled Sygate and installed Zone Alarm and no message.

What are your thoughts please?

CB
|
|
|
|
|
#10 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
Over in the security forum, I just last night posted a thread about my most recent experience with MS security patches.
I have never heard of this, but absolutely anything is possible. It might be better to stick with Zone Alarm and avoid all the headaches. Anyone else have a thought? |
|
|
|
|
|