Sygate Block Probe. Can Anyone Identify?

8 replies to this topic

#1 acklan

Posted 04 February 2006 - 12:21 AM

Sygate is blocking the probe. I find no spyware/virus on my system.

File Version : 5.1.0.1108
File Description : Message Queuing Service (mqsvc.exe)
File Path : C:\WINDOWS\system32\mqsvc.exe
Process ID : 0x494 (Heximal) 1172 (Decimal)

Connection origin : remote initiated
Protocol : UDP
Local Address : 192.168.1.4
Local Port : 1029
Remote Name :
Remote Address : 220.164.140.231
Remote Port : 33266

Ethernet packet details:
Ethernet II (Packet Length: 948)
Destination: 00-c0-4f-29-a2-24
Source: 00-06-25-11-41-24
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 44
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xf60 (Correct)
Source: 220.164.140.231
Destination: 192.168.1.4
User Datagram Protocol
Source port: 33266
Destination port: 1029
Length: 8
Checksum: 0xac29 (Correct)
Data (914 Bytes)

Binary dump of the packet:
0000: 00 C0 4F 29 A2 24 00 06 : 25 11 41 24 08 00 45 00 | ..O).$..%.A$..E.
0010: 03 A6 00 00 00 00 2C 11 : 60 0F DC A4 8C E7 C0 A8 | ......,.`.......
0020: 01 04 81 F2 04 05 03 92 : 29 AC 04 00 28 00 10 00 | ........)...(...
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6 | ....{Z........O.
0050: E6 FC 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00 | ................
0070: FF FF FF FF 3A 03 00 00 : 00 00 10 00 00 00 00 00 | ....:...........
0080: 00 00 10 00 00 00 53 59 : 53 54 45 4D 00 00 00 00 | ......SYSTEM....
0090: 00 00 00 00 00 00 10 00 : 00 00 00 00 00 00 10 00 | ................
00A0: 00 00 41 4C 45 52 54 00 : 00 00 00 00 00 00 00 00 | ..ALERT.........
00B0: 00 00 F6 02 00 00 00 00 : 00 00 F6 02 00 00 52 45 | ..............RE
00C0: 47 49 53 54 52 59 20 44 : 41 4D 41 47 45 44 0A 0A | GISTRY DAMAGED..
00D0: 0A 59 6F 75 72 20 57 69 : 6E 64 6F 77 73 20 72 65 | .Your Windows re
00E0: 67 69 73 74 72 79 20 69 : 73 20 63 6F 72 72 75 70 | gistry is corrup
00F0: 74 65 64 20 61 6E 64 20 : 6E 65 65 64 73 20 74 6F | ted and needs to
0100: 20 62 65 20 63 6C 65 61 : 6E 65 64 20 69 6D 6D 65 | be cleaned imme
0110: 64 69 61 74 65 6C 79 2E : 0A 0A 0A 43 6F 6D 70 72 | diately....Compr
0120: 6F 6D 69 73 65 64 20 72 : 65 67 69 73 74 72 79 20 | omised registry
0130: 66 69 6C 65 73 20 63 61 : 6E 20 6C 65 61 64 20 74 | files can lead t
0140: 6F 20 74 68 65 20 66 6F : 6C 6C 6F 77 69 6E 67 3A | o the following:
0150: 0A 0A 31 2E 20 43 6F 6D : 70 6C 65 74 65 20 61 63 | ..1. Complete ac
0160: 63 65 73 73 20 6F 66 20 : 79 6F 75 72 20 50 43 20 | cess of your PC
0170: 62 79 20 68 61 63 6B 65 : 72 73 0A 32 2E 20 53 6C | by hackers.2. Sl
0180: 6F 77 20 73 70 65 65 64 : 73 20 72 65 73 75 6C 74 | ow speeds result
0190: 69 6E 67 20 69 6E 20 73 : 6C 6F 77 20 64 6F 77 6E | ing in slow down
01A0: 6C 6F 61 64 73 20 6F 66 : 20 69 6E 74 65 72 6E 65 | loads of interne
01B0: 74 20 66 69 6C 65 73 0A : 33 2E 20 54 68 65 20 63 | t files.3. The c
01C0: 6F 6D 70 72 6F 6D 69 73 : 65 20 6F 66 20 70 65 72 | ompromise of per
01D0: 73 6F 6E 61 6C 20 69 6E : 66 6F 72 6D 61 74 69 6F | sonal informatio
01E0: 6E 20 73 74 6F 72 65 64 : 20 6F 6E 20 79 6F 75 72 | n stored on your
01F0: 20 63 6F 6D 70 75 74 65 : 72 0A 34 2E 20 43 6F 6D | computer.4. Com
0200: 70 6C 65 74 65 20 73 79 : 73 74 65 6D 20 66 61 69 | plete system fai
0210: 6C 75 72 65 20 72 65 73 : 75 6C 74 69 6E 67 20 69 | lure resulting i
0220: 6E 20 74 68 65 20 6E 65 : 65 64 20 66 6F 72 20 61 | n the need for a
0230: 20 63 6F 6D 70 6C 65 74 : 65 20 72 65 69 6E 73 74 | complete reinst
0240: 61 6C 6C 20 6F 66 20 79 : 6F 75 72 20 68 61 72 64 | all of your hard
0250: 20 64 72 69 76 65 2E 0A : 0A 54 6F 20 66 69 78 20 | drive...To fix
0260: 74 68 69 73 20 70 72 6F : 62 6C 65 6D 3A 0A 0A 31 | this problem:..1
0270: 2E 20 4F 70 65 6E 20 49 : 6E 74 65 72 6E 65 74 20 | . Open Internet
0280: 45 78 70 6C 6F 72 65 72 : 0A 32 2E 20 49 6E 20 74 | Explorer.2. In t
0290: 68 65 20 55 52 4C 20 46 : 69 65 6C 64 20 74 79 70 | he URL Field typ
02A0: 65 20 2D 20 20 77 77 77 : 2E 52 65 67 55 70 64 61 | e - www.RegUpda
02B0: 74 65 2E 6E 65 74 0A 33 : 2E 20 4E 6F 74 65 20 74 | te.net.3. Note t
02C0: 68 61 74 20 61 6C 6C 20 : 76 65 72 73 69 6F 6E 73 | hat all versions
02D0: 20 6F 66 20 77 69 6E 64 : 6F 77 73 20 61 72 65 20 | of windows are
02E0: 73 75 70 70 6F 72 74 65 : 64 2E 0A 34 2E 20 4F 6E | supported..4. On
02F0: 63 65 20 79 6F 75 20 6C : 6F 61 64 20 74 68 65 20 | ce you load the
0300: 70 72 6F 67 72 61 6D 2C : 20 63 6C 6F 73 65 20 74 | program, close t
0310: 68 69 73 20 77 69 6E 64 : 6F 77 2E 0A 0A 50 6C 65 | his window...Ple
0320: 61 73 65 20 6E 6F 74 65 : 20 74 68 61 74 20 6F 6E | ase note that on
0330: 63 65 20 79 6F 75 20 76 : 69 73 69 74 20 77 77 77 | ce you visit www
0340: 2E 52 65 67 55 70 64 61 : 74 65 2E 6E 65 74 20 61 | .RegUpdate.net a
0350: 6E 64 20 69 6E 73 74 61 : 6C 6C 20 74 68 65 20 0A | nd install the .
0360: 63 6C 65 61 6E 65 72 20 : 70 72 6F 67 72 61 6D 20 | cleaner program
0370: 79 6F 75 20 77 69 6C 6C : 20 6E 6F 74 20 72 65 63 | you will not rec
0380: 65 69 76 65 20 61 6E 79 : 20 6D 6F 72 65 20 72 65 | eive any more re
0390: 6D 69 6E 64 65 72 73 20 : 6F 72 20 70 6F 70 2D 75 | minders or pop-u
03A0: 70 73 20 6C 69 6B 65 20 : 74 68 69 73 20 6F 6E 65 | ps like this one
03B0: 2E 0A 0A 00 : | ....


Edited by acklan, 04 February 2006 - 12:22 AM.

"2007 & 2008 Windows Shell/User Award"


#2 Leurgy

Posted 05 February 2006 - 11:04 AM

Hi acklan

The way I read that, this is a failed attempt to place a popup on your computer from RegUpdate.net which now resolves to winregcleaner.com.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 acklan

Posted 05 February 2006 - 11:11 AM

Is this a legit program or spyware?

#4 Leurgy

Posted 05 February 2006 - 11:58 AM

I don't think it's legit. I certainly wouldn't use any program that was introduced to me in a popup. It may or may not be spyware, but I would almost bet it's one of those that runs a scan and tries to entice you to buy it in order to fix the "problems" it has found.

Edited by Leurgy, 05 February 2006 - 12:00 PM.



#5 acklan

Posted 05 February 2006 - 12:05 PM

That's what I thought. I have already blocked it. I have scanned for it but cannot find it on the drive. The spyware that enables the popup, I mean.

#6 Leurgy

Posted 05 February 2006 - 01:14 PM

That popup may have been generated by a website that was visited. I haven't used Sygate for a while, but does it incorporate a popup blocker?



#7 dannyboy 950

Posted 05 February 2006 - 01:34 PM

It is not so much a pop-up blocker, but there are certain ports that are usually spyware/malware ports.
These are blocked by default settings; 1026 also comes to mind.
I do not remember which port, but one of that range is used by Windows messaging, which is often used to deliver ads and malware.

Most apps distributed this way have been found to be malware themselves or associated with it.
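Decoding the frame from post #1 bears out what dannyboy 950 says above: the UDP datagram is a DCE/RPC connectionless request to the Windows Messenger service, and the "SYSTEM", "ALERT" and "REGISTRY DAMAGED" strings in the dump are the three arguments of its NetrSendMessage call. The script below is an added example written for this page, not code from the thread or from Sygate. FRAME is reassembled from the posted dump (the first 190 bytes of headers copied verbatim, the 758-byte message body transcribed from the ASCII column); the interface UUID and opnum are from Microsoft's MS-MSRP specification, and the field offsets and checksum arithmetic follow the DCE 1.1 RPC connectionless PDU layout and RFC 791/768.

```python
"""Decode the frame Sygate blocked: Ethernet -> IPv4 -> UDP -> DCE/RPC connectionless
request -> Messenger service NetrSendMessage stub (from, to, text).
Added example; FRAME is reassembled from the post's hex dump (first 190 bytes verbatim,
then the 758-byte message body transcribed from the dump's ASCII column)."""
import ipaddress
import struct
import uuid

HEADER_HEX = """
00 C0 4F 29 A2 24 00 06 25 11 41 24 08 00 45 00
03 A6 00 00 00 00 2C 11 60 0F DC A4 8C E7 C0 A8
01 04 81 F2 04 05 03 92 29 AC 04 00 28 00 10 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6
E6 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
FF FF FF FF 3A 03 00 00 00 00 10 00 00 00 00 00
00 00 10 00 00 00 53 59 53 54 45 4D 00 00 00 00
00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00
00 00 41 4C 45 52 54 00 00 00 00 00 00 00 00 00
00 00 F6 02 00 00 00 00 00 00 F6 02 00 00
"""
MESSAGE = (
    "REGISTRY DAMAGED\n\n\nYour Windows registry is corrupted and needs to be "
    "cleaned immediately.\n\n\nCompromised registry files can lead to the "
    "following:\n\n1. Complete access of your PC by hackers\n2. Slow speeds "
    "resulting in slow downloads of internet files\n3. The compromise of "
    "personal information stored on your computer\n4. Complete system failure "
    "resulting in the need for a complete reinstall of your hard drive.\n\n"
    "To fix this problem:\n\n1. Open Internet Explorer\n2. In the URL Field "
    "type -  www.RegUpdate.net\n3. Note that all versions of windows are "
    "supported.\n4. Once you load the program, close this window.\n\nPlease "
    "note that once you visit www.RegUpdate.net and install the \ncleaner "
    "program you will not receive any more reminders or pop-ups like this "
    "one.\n\n\0"
)
FRAME = bytes.fromhex(HEADER_HEX) + MESSAGE.encode("ascii")
# Messenger service RPC interface UUID (MS-MSRP); opnum 0 is NetrSendMessage(from, to, text).
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; over a header that includes its checksum, 0 means valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_udp_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> UDP; returns the header fields Sygate summarised plus the payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]            # trim to the IP Total Length field
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {"ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0, "ttl": ip[8],
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "udp_len": udp_len,
            "payload": ip[ihl + 8:ihl + udp_len]}        # udp_len includes the 8-byte UDP header


def parse_dcerpc_cl(pdu: bytes) -> dict:
    """DCE 1.1 RPC connectionless PDU: 80-byte header, then body_len bytes of NDR stub."""
    e = "<" if (pdu[4] >> 4) == 1 else ">"                # drep byte 0, high nibble 1 = little-endian
    (rpc_vers, ptype, flags1, _flags2, _drep, _shi, _obj, iface, _act, _boot, if_vers,
     _seq, opnum, _ihint, _ahint, body_len, _frag, _auth, _slo) = struct.unpack(
        e + "BBBB3sB16s16s16sIIIHHHHHBB", pdu[:80])
    iface_uuid = uuid.UUID(bytes_le=iface) if e == "<" else uuid.UUID(bytes=iface)
    return {"rpc_vers": rpc_vers, "ptype": ptype, "flags1": flags1, "iface": iface_uuid,
            "if_vers": if_vers, "opnum": opnum, "stub_len": body_len,
            "stub": pdu[80:80 + body_len], "endian": e}


def ndr_strings(stub: bytes, count: int, e: str) -> list:
    """Read count NDR conformant varying char arrays ([string] char*): max, offset, actual, data."""
    out, pos = [], 0
    for _ in range(count):
        pos = (pos + 3) & ~3                              # uint32 header is 4-aligned from stub start
        _max, _off, actual = struct.unpack(e + "III", stub[pos:pos + 12])
        pos += 12
        out.append(stub[pos:pos + actual].split(b"\0", 1)[0].decode("ascii", "replace"))
        pos += actual
    return out


def decode_frame(frame: bytes) -> dict:
    """Full decode down to the three NetrSendMessage arguments."""
    info = parse_udp_frame(frame)
    rpc = parse_dcerpc_cl(info.pop("payload"))
    sender, recipient, text = ndr_strings(rpc.pop("stub"), 3, rpc.pop("endian"))
    info.update(rpc, sender=sender, recipient=recipient, text=text)
    return info


def is_messenger_spam(info: dict) -> bool:
    """A request (ptype 0) for NetrSendMessage (opnum 0) on the Messenger interface from a public source."""
    return (info["ptype"] == 0 and info["opnum"] == 0 and info["iface"] == MSGSVC_IFACE
            and not ipaddress.ip_address(info["src"]).is_private)
```

Two cross-checks show the reassembly is exact: the IPv4 header checksum verifies, and the PDU's length field (0x033A, 826) equals the number of stub bytes left after the 80-byte header. Sygate's summary prints the 914-byte UDP Length field as "Data (914 Bytes)" and shows the checksums byte-swapped (the dump's 60 0F appears as 0xf60), so read fields from the bytes rather than the summary when in doubt. The final check, a public address sending NetrSendMessage, is the thing to key a firewall rule on rather than the port alone: the Messenger service listens on a dynamically assigned RPC endpoint, which is why 1026 and 1029 both turn up in this thread.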

#8 acklan

Posted 05 February 2006 - 02:08 PM

Danny is right. It does not have a popup blocker, but I am running the Google and MS popup blockers.
I am curious which site placed it. I am very careful. This is irritating.

Edited by acklan, 05 February 2006 - 02:09 PM.


#9 dannyboy 950

Posted 19 February 2006 - 03:17 PM

Had any luck on finding more on this? Since it was UDP I think it was just a broadcast, not specifically aimed at you in particular.
A whois shows it's from China, just typical spam.

WHOIS results for 220.164.140.231
Generated by www.DNSstuff.com
Location: China [City: Yunnan, Yunnan]

ARIN says that this IP belongs to APNIC; I'm looking it up there.


% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 220.163.0.0 - 220.165.255.255
netname: CHINANET-YN
descr: CHINANET yunnan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: ZL48-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-YN
changed: **********@ns.chinanet.cn.net 20010711
status: ALLOCATED NON-PORTABLE
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: *********@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: *****@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
source: APNIC

person: zhiyong liu
nic-hdl: ZL48-AP
e-mail: *****@mail.yn.cninfo.net
address: 136 beijin roadkunmingchina
phone: +86-871-3360605
fax-no: +86-871-3360614
country: CN
changed: *****@mail.yn.cninfo.net 20040426
mnt-by: MAINT-CHINANET-YN
source: APNIC
