Spock

224.0.0.22

16 posts in this topic

I have been getting a request to allow many of my programs to access this IP address (224.0.0.22). When I did a whois on it, one of the first pieces of information I got was, "If you have detected this address apparently assigned to a remote computer, the IP address is in error or has been forged."

 

I have permanently blocked it every time it has popped up but it seems to ask every time I run a new program. Does anyone have any idea what I can do about this annoyance?

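A quick check of what an address in such a firewall prompt can actually be, as an added example (not part of the original thread): the `ipaddress` classification below shows that 224.0.0.22 is a multicast group address, which is why the whois text says it cannot be assigned to a remote computer. The sample address list and the group descriptions are my own additions; the IGMPv3 and RFC references are standard facts, not something the thread states.

```python
import ipaddress

# Constructed sample of destination addresses as a personal firewall might
# show them in an "allow this program to access ..." prompt. 224.0.0.22 is
# the address from the thread; the others are there for comparison.
SAMPLE_PROMPTS = ["224.0.0.22", "239.255.255.250", "192.168.1.1",
                  "169.254.10.5", "8.8.8.8"]

# Local Network Control Block (RFC 5771): link-local multicast, sent with
# TTL 1 and never forwarded by routers, so it cannot reach or come from a
# computer outside the local network segment.
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")

# Well-known group addresses a host's own IP stack or LAN services talk to.
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts group; IGMP general queries from the local router",
    "224.0.0.22": "IGMPv3 membership reports (RFC 3376); the host's own IP stack "
                  "sends these whenever a program joins or leaves a multicast group",
    "239.255.255.250": "SSDP/UPnP discovery, administratively scoped (RFC 2365)",
}


def classify(addr: str) -> dict:
    """Say what kind of address a firewall prompt is really about.

    remote_host_possible is False when the address can never identify a
    single remote computer (multicast group, loopback, link-local), which is
    what the whois text quoted in the thread is warning about.
    """
    ip = ipaddress.ip_address(addr)
    rec = {"address": str(ip), "kind": "global unicast",
           "remote_host_possible": True, "note": ""}
    if ip.is_multicast:
        rec["kind"] = "multicast group"
        rec["remote_host_possible"] = False
        rec["note"] = KNOWN_GROUPS.get(str(ip), "multicast group address, not a host")
        if ip in LOCAL_CONTROL_BLOCK:
            rec["note"] += "; link-local scope, never forwarded by routers"
    elif ip.is_loopback:
        rec["kind"] = "loopback"
        rec["remote_host_possible"] = False
        rec["note"] = "this machine talking to itself"
    elif ip.is_link_local:
        rec["kind"] = "link-local (APIPA)"
        rec["remote_host_possible"] = False
        rec["note"] = "auto-configured address valid on the local segment only"
    elif ip.is_private:
        rec["kind"] = "private (RFC 1918)"
        rec["note"] = "a host on the local network, not reachable from the Internet"
    return rec


def explain_prompts(addrs=SAMPLE_PROMPTS) -> list:
    """Classify each address and return the records."""
    return [classify(a) for a in addrs]


if __name__ == "__main__":
    for rec in explain_prompts():
        flag = "unicast host" if rec["remote_host_possible"] else "NOT a remote host"
        print(f"{rec['address']:>16}  {rec['kind']:<20} {flag}  {rec['note']}")
```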

Hi spock, welcome to the forums.

 

Sorry it has taken so long to get back to you but we have been swamped.

 

Please run HijackThis and post a current log. I will be happy to take a look at it for you.

Done ...

 

Logfile of HijackThis v1.99.1

Scan saved at 7:50:44 PM, on 10/24/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Internet\AVGFRE~1\avgamsvr.exe

C:\Internet\AVGFRE~1\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Internet\AVGFRE~1\avgcc.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Internet\AVGFRE~1\avgemc.exe

C:\Internet\Security\Spybot14\TeaTimer.exe

C:\WINDOWS\System32\svchost.exe

C:\Internet\Security\CookieWall\cookie.exe

C:\Internet\Pop-Up Stopper\dpps2.exe

C:\Games\D2\Teamspeak2_RC2\TeamSpeak.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Internet\Security\Sygate\SPF\smc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Internet\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pctalk.info/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pctalk.info/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://pctalk.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GNR Associates

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\Security\Spybot14\SDHelper.dll

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\Internet\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Internet\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [smcService] C:\Internet\Security\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Internet\Security\Spybot14\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120126058608

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -

O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Internet\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Internet\AVGFRE~1\avgupsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Internet\Security\Sygate\SPF\smc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: V2i Protector - PowerQuest Corporation - C:\Util\Drive Image 7.0\Agent\PQV2iSvc.exe

 

=========================

 

I also got an error message as follows:

 

An unexpected error has occurred at procedure: modMain_CheckOther1Item()

Error #5 - Invalid procedure call or argument

 

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were trying to fix when the error occurred, if applicable

* How you can reproduce the error

* A complete HijackThis scan log, if possible

 

Windows version: Windows NT 5.01.2600

MSIE version: 6.0.2900.2180

HijackThis version: 1.99.1

 

This message has been copied to your clipboard.

Click OK to continue the rest of the scan.

 

[Added]

Hmm. I don't know why the following line is in there, so it has already been deleted:

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

I think I've removed that line or something similar in the past.


Hi Spock,

 

While doing the following fixes you will need to turn off TeaTimer in Spybot S&D:

 

Open Spybot and click on Mode and check Advanced Mode:

Check yes to next window.

Click on Tools in bottom left hand corner:

Click on Resident.

Uncheck Resident "TeaTimer" box.

Close Spybot.

After cleaning your system reverse these steps and re-enable the protection applets for TeaTimer.

 

 

Run HijackThis and place checks beside each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -

 

If you, or an administrator, set these restrictions on purpose (i.e., if you used Spybot's Home Page and Option Lock down features in the Immunize section, or you used a similar program to place them), leave them alone. Otherwise check them also.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

 

After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

 

 

Please download, install, update and scan your system with the free version of Ewido trojan scanner:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful"), close Ewido.
  5. Please download CCleaner, install it but do not run it yet.
  6. Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  7. Run CCleaner and clean out your Temporary and Temporary Internet Files.
  8. Run ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  9. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  10. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
  11. Reboot in Normal mode.
  12. Run HijackThis and post a new log along with the ewido report.

 

You will need to disable QuickTime from running when Windows starts from the QuickTime properties, otherwise the entry will just keep coming back.

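The helper's selection above follows a pattern that can be automated. The Python below is an added example (not code from the thread or from HijackThis): it parses HijackThis lines of the kinds shown in the log and flags R0/R1 entries with an empty value, O16 DPF entries with no download URL, and O6 policy restrictions for review, which is the set the helper marked. The excerpt is copied from the log posted earlier in the thread; the rules are my generalisation of that pick.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread (copied from
# the page, not constructed), covering the entry kinds the parser understands.
HJT_EXCERPT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pctalk.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [AVG7_CC] C:\Internet\AVGFRE~1\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Internet\Security\Sygate\SPF\smc.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O23).
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# R0/R1: "<hive>\<key>,<value name> = <value>"; the value may be empty.
RKEY_RE = re.compile(r"^(?P<key>.+?) = ?(?P<value>.*)$")
# O4: "<hive>\..\<Run key>: [<entry name>] <command>"
O4_RE = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16: "DPF: {CLSID} (<class name>) - <download URL>"; the URL may be missing.
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
# O23: "Service: <display name> (<service name>) - <company> - <path>"
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$")


def parse_line(line: str) -> dict:
    """Turn one HijackThis log line into a dict; unknown lines keep only 'raw'."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return {"code": None, "raw": line}
    code, body = m.group("code"), m.group("body")
    rec = {"code": code, "raw": line, "body": body}
    if code in ("R0", "R1"):
        km = RKEY_RE.match(body)
        if km:
            path, _, value_name = km.group("key").rpartition(",")
            rec.update(key=path, value_name=value_name, value=km.group("value").strip())
    elif code == "O4":
        om = O4_RE.match(body)
        if om:
            rec.update(hive=om.group("hive"), name=om.group("name"), command=om.group("cmd"))
    elif code == "O16":
        dm = O16_RE.match(body)
        if dm:
            rec.update(clsid=dm.group("clsid"), name=dm.group("name"), url=dm.group("url"))
    elif code == "O23":
        sm = O23_RE.match(body)
        if sm:
            rec.update(display=sm.group("display"), service=sm.group("svc"),
                       company=sm.group("company"), path=sm.group("path"))
    return rec


def triage(log_text: str) -> list:
    """Return (verdict, raw line) pairs using the rules the helper applied above.

    "fix"    - R0/R1 entries whose value is empty (orphaned search/start-page
               slots) and O16 DPF entries with no download URL (orphaned
               ActiveX controls).
    "review" - O6 policy restrictions: fix unless you or an administrator set
               them deliberately (e.g. via Spybot's lock-down options).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        code = rec["code"]
        if code in ("R0", "R1") and rec.get("value") == "":
            findings.append(("fix", rec["raw"]))
        elif code == "O16" and rec.get("url") == "":
            findings.append(("fix", rec["raw"]))
        elif code == "O6":
            findings.append(("review", rec["raw"]))
    return findings


if __name__ == "__main__":
    for verdict, raw in triage(HJT_EXCERPT):
        print(f"[{verdict:6}] {raw}")
```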

As required:

 

HiJackThis:

=======

Logfile of HijackThis v1.99.1

Scan saved at 2:55:57 PM, on 10/28/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Internet\Security\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Internet\AVGFRE~1\avgcc.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Internet\AVGFRE~1\avgamsvr.exe

C:\Internet\AVGFRE~1\avgupsvc.exe

C:\Internet\ewido\ewidoctrl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Internet\AVG Free\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\Internet\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pctalk.info/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://pctalk.info/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://pctalk.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GNR Associates

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Internet\Security\Spybot14\SDHelper.dll

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\Internet\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\Internet\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [smcService] C:\Internet\Security\Sygate\SPF\smc.exe -startgui

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120126058608

O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Internet\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Internet\AVGFRE~1\avgupsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ewido security suite control - ewido networks - C:\Internet\ewido\ewidoctrl.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Internet\Security\Sygate\SPF\smc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: V2i Protector - PowerQuest Corporation - C:\Util\Drive Image 7.0\Agent\PQV2iSvc.exe

 

 

=============================

=============================

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 4:23:13 AM, 10/28/2005

+ Report-Checksum: 3A54B159

 

+ Scan result:

 

C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup

H:\DL\Util\WinNT\ntfsdos.zip/UHANFO.EXE -> Trojan.DOS.ControlDuSockets.a : Error during cleaning

H:\DL\Util\Password\pspv140.zip/pspv.exe -> Backdoor.Beastdoor.206.d : Error during cleaning

H:\DL\Util\Password\showcdkey.zip/showcdkey.exe -> TrojanSpy.Lucyfer : Error during cleaning

 

 

::Report End

=============================

=============================

Regarding the errors above:

 

I sometimes use psp on my own or client computers when passwords need to be recovered. Do you know of anything else that will do the same job and not be reported as a Trojan?

 

Same for showcdkey.

 

ntfsdos I hardly ever use any more but still do periodically to show students that MS's products aren't as secure as they would have us believe.


Hi Spock,

 

The HijackThis log looks fine, so let's try SilentRunners and see if it shows anything.

 

Please download SilentRunners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]

"HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]

"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]

"AVG7_CC" = "C:\Internet\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\Internet\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

"SmcService" = "C:\Internet\Security\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\Security\Spybot14\SDHelper.dll" ["Safer Networking Limited"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]

"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]

"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data]

"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Util\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}" = "JunoBar" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Internet\Juno\toolbar.dll" [empty string]

 

Explorer Bars

 

Dormant Explorer Bars in "View, Explorer Bar" menu

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{6224F700-CBA3-4071-B251-47CB894244CD}\

"ButtonText" = "ICQ Pro"

"MenuText" = "ICQ"

"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = "URLSearchHook Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\JUSearch\SearchEnh1.dll" ["United Online, Inc."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\Internet\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\Internet\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]

ewido security suite control, ewido security suite control, "C:\Internet\ewido\ewidoctrl.exe" ["ewido networks"]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}

Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]

Sygate Personal Firewall, SmcService, "C:\Internet\Security\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

V2i Protector, V2i Protector, "C:\Util\Drive Image 7.0\Agent\PQV2iSvc.exe" ["PowerQuest Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 593 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 33 seconds.

---------- (total run time: 662 seconds)


InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{6224F700-CBA3-4071-B251-47CB894244CD}\

"ButtonText" = "ICQ Pro"

"MenuText" = "ICQ"

"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

"{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = "URLSearchHook Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\JUSearch\SearchEnh1.dll" ["United Online, Inc."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\Internet\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\Internet\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]

ewido security suite control, ewido security suite control, "C:\Internet\ewido\ewidoctrl.exe" ["ewido networks"]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}

Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]

Sygate Personal Firewall, SmcService, "C:\Internet\Security\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

V2i Protector, V2i Protector, "C:\Util\Drive Image 7.0\Agent\PQV2iSvc.exe" ["PowerQuest Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 593 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 33 seconds.

---------- (total run time: 662 seconds)


Hi Spock,

 

The logs all look good :thumbsup:

 

224.0.0.22 is a multicast IP address for Internet Group Management Protocol (IGMP). Most likely this is resulting from either TeamSpeak or GoogleTalk. Did you install either of them shortly before you noticed the requests?

...Most likely this is resulting from either TeamSpeak or GoogleTalk.  Did you install either of them shortly before you noticed the requests? ...

 

I never noticed any problems with TeamSpeak but I did just install GoogleTalk. Think I will uninstall it to see if I still get the same indications.

 

Why are they asking all my other programs, some of which were never meant to interface with the Internet, to report anything at all? To me that is blatant spying! :techsupport:


Hi Spock,

 

I wish I could tell you exactly what is going on but I really have no idea. From everything I could find about IGMP there is nothing to indicate that it is malware related.

Hi Spock,

 

I wish I could tell you exactly what is going on but I really have no idea.  From everything I could find about IGMP there is nothing to indicate that it is malware related.


Thanks for trying. I will remove the block on the IP and see if I still get the "phoning home" warnings now that GoogleTalk is gone.

 

If I don't get any more, guess what won't be put back on my computer ...


Hi Spock,

 

Would you please let me know if removing GoogleTalk resolves the problem in case it comes up again?

 

Thanks

... Would you please let me know if removing GoogleTalk resolves the problem in case it comes up again? ...

 

I had planned on posting right here. So far all's quiet on the Eastern front. No extraneous messages. If I haven't heard anything by Tuesday, I would pretty much blame GoogleTalk.


OK, I was just printing out a Word document and got the following error. This doesn't mean that GoogleTalk is innocent, it just means that whatever was installed to connect is still there. I did a search of the registry after uninstalling GoogleTalk and removed two entries. There may be others which need to be removed.

 

I am also now going to remove TeamSpeak. :(

 

"Spooler SubSystem App (spoolsv.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?"


File Version :  5.1.2600.2696
File Description :	Spooler SubSystem App (spoolsv.exe)
File Path :  C:\WINDOWS\system32\spoolsv.exe
Process ID :  0x654 (Heximal) 1620 (Decimal)

Connection origin :	local initiated
Protocol :  Raw Ethernet
Local Address :  192.168.0.3
Local Port :  0 
Remote Name :  	
Remote Address :	224.0.0.22
Remote Port :  	0 

Ethernet packet details:
Ethernet II (Packet Length: 68)
Destination:  01-00-5e-00-00-16
Source:  08-00-46-97-b8-9e
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 24 bytes
Flags:
 .0.. = Don't fragment: Not set
 ..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x2 (IGMP - Internet Group Management Message Protocol)
Header checksum: 0xf7c3 (Correct)
Source: 192.168.0.3
Destination: 224.0.0.22

Binary dump of the packet:
0000:  01 00 5E 00 00 16 08 00 : 46 97 B8 9E 08 00 46 00 | ..^.....F.....F.
0010:  00 28 C0 16 00 00 01 02 : C3 F7 C0 A8 00 03 E0 00 | .(..............
0020:  00 16 94 04 00 00 22 00 : F9 01 00 00 00 01 04 00 | ......".........
0030:  00 00 E0 00 00 FC 00 00 : 01 18 FF 53 4D 42 25 00 | ...........SMB%.
0040:  00 00 00 18             :                         | ....            

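The alert quoted in the post above is an IGMPv3 Membership Report: the TCP/IP stack sends it to 224.0.0.22 (the all-IGMPv3-routers address) whenever any process on the host joins a multicast group, which is why a firewall can attribute it to an unrelated program such as spoolsv.exe. The following decoder is an added example, not code from the thread or from the firewall vendor; it takes the 68 bytes of the hex dump above, verifies the IP and IGMP checksums and the multicast MAC mapping, and extracts the group the host was joining.

```python
import struct
from ipaddress import IPv4Address

# Frame taken from the firewall alert's hex dump above; bytes past the IP total length
# (40) are not part of the packet and the decoder ignores them.
FRAME = bytes.fromhex(
    "01 00 5E 00 00 16 08 00 46 97 B8 9E 08 00 46 00 "
    "00 28 C0 16 00 00 01 02 C3 F7 C0 A8 00 03 E0 00 "
    "00 16 94 04 00 00 22 00 F9 01 00 00 00 01 04 00 "
    "00 00 E0 00 00 FC 00 00 01 18 FF 53 4D 42 25 00 "
    "00 00 00 18"
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum of even-length data; 0 when data already carries a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def multicast_mac(group: IPv4Address) -> str:
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address."""
    low = int(group) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

def decode_igmp_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 (with options) + IGMPv3 Membership Report (type 0x22)."""
    ip = frame[14:]                                   # Ethernet II header is 14 bytes
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    dst = IPv4Address(ip[16:20])
    igmp = ip[ihl:total_len]
    info = {
        "dst_mac": "-".join("%02x" % b for b in frame[:6]),
        "expected_mac": multicast_mac(dst),
        "src": str(IPv4Address(ip[12:16])), "dst": str(dst),
        "ttl": ip[8], "protocol": ip[9],              # IGMP = protocol 2, link-local TTL 1
        "router_alert": ip[20:ihl][:2] == b"\x94\x04",  # IP option 148, required by RFC 3376
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "igmp_type": igmp[0],
        "igmp_checksum_ok": inet_checksum(igmp) == 0,
        "groups": [],   # (record type, group); type 4 = CHANGE_TO_EXCLUDE_MODE, i.e. a plain join
    }
    if igmp[0] == 0x22:
        off = 8                                       # type, reserved, checksum, reserved, count
        for _ in range(struct.unpack("!H", igmp[6:8])[0]):
            rtype, aux_len, nsrc = igmp[off], igmp[off + 1], struct.unpack("!H", igmp[off + 2:off + 4])[0]
            info["groups"].append((rtype, str(IPv4Address(igmp[off + 4:off + 8]))))
            off += 8 + 4 * nsrc + 4 * aux_len
    return info
```

For this frame the decoder confirms a well-formed report (both checksums valid, TTL 1, Router Alert present, destination MAC matching 224.0.0.22) carrying one join record for group 224.0.0.252, so the traffic stays on the local segment and cannot reach a remote host.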

Hi Spock,

 

Just wanted to let you know that I haven't forgotten about you, I am still trying to see if I can find what is causing the IGMP broadcasts but am not having much luck. At least from everything I have found so far it doesn't look like it is malware that is causing it.
