
Zone Alarm Alerts

Discussion in 'Security and Privacy' started by virginia, 2004/08/16.

Thread Status:
Not open for further replies.
  1. 2004/08/16
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    System Conflict With Hardware Address

    Edit note - this thread may seem a little strange since I have just merged a thread from the Win98 section with a security thread but I really think the issues are connected and that we can get a better handle on the problem with both together. Newt


    My internet connection (cable) seems to be dropping without apparent reason. I just got a message that said "The system has detected a conflict for IP address 20.20.20.70 with the system having hardware address
    Code:
    00:B0:D0:14:F8:F3
    (Note-when previewing my post I noted that a Capital D shows up as a green smilie on my computer - don't know why.)

    Later, when I tried to get back on the BBS I got the following message: The operation timed out when attempting to contact www.windows-help.net.

    Any thoughts?

    edit note: I fixed the smiley in the hardware address. Lots of them use a string that the forum will translate that way. Nothing you can avoid other than by putting the string in a code box. Newt
     
  2. 2004/08/16
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Hello virginia
    Can't say I've ever seen that one :eek:

    This is what I suggest you do first.

    Make sure you have the up-to-date versions of Spybot, Ad-aware and HijackThis. All are free and available below.

    Download Spybot, install and update. Then download Ad-aware, install, and update.

    Spybot:
    Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

    Close ALL windows except Spybot S&D
    Click the button to "Search for Updates" and download and install the Updates.
    Next click the button "Check for Problems"
    When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
    Put a check mark beside the RED (RED) entries ONLY.
    Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

    Ad-Aware FULL SCAN:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.
    Download HijackThis from link in my signature. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and hit scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet! Someone experienced with the logs will advise you.
     


  4. 2004/08/16
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    Hello LDTate,

    I updated and ran both Spybot and AdAware last night so neither had very many entries. Haven't had the need to use HiJack this lately - thankfully. But here is the log I just ran. Thanks for your response. I see a number of entries relating to Symantec. I recently uninstalled NIS 2004. Biggest mistake I ever made was updating it. 2001 was fine but 2004 was a nightmare.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:12:44 PM, on 8/16/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\WSLOADER.EXE
    C:\OPLIMIT\OCRAWARE.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\OPLIMIT\OCRAWR32.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://bluelight.my.yahoo.com "); (C:\Program Files\Netscape\Users\hbonner\prefs.js)
    O2 - BHO: Citi Virtual Account Numbers Browser Helper Object - {E8C0F153-B768-4e68-B14F-40F0E8531675} - C:\WINDOWS\SYSTEM\BHOCITI.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\SYSTEM\BHOCITUS.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra button: Citi (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\npzzatif.dll
    O12 - Plugin for .aif: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .php: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {09C1A291-8E2A-11D0-BB0B-00AA001F4283} (Pinger Class) - http://www.pcpitstop.com/Ping.cab
    O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
    O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.com/plugin/yumscom.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/files/install/MFImgVwr.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/getdsl/system_check/images/MotivePreQual.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37880.4903587963
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
     
  5. 2004/08/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I tend to think that your network card is going out. Do you know if it is onboard? or a card?
     
  6. 2004/08/17
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    It is a NetGear FA311/FA312 PCI Adapter that I installed about two years ago. I may try to pick up a new card to put in since those are almost throwaways.

    I plan to acquire two new computers in the near future. I may just step up my schedule a bit and put this unit on the back burner for the time being. Will see if any others come up with other ideas first.

    Thanks for the ideas.
     
  7. 2004/08/17
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    Edit note - this was the original post on the security thread. Newt

    I am connected to the internet via cable and use Zone Alarm (Free Version). Every few minutes I get alerts on Zone Alarm as follows:

    Incoming - "...blocked internet access to your computer (UDP Port 1045) from 198.61.142 (DNS). "

    Outgoing - " blocked internet access to 20.20.20.255 (NetBIOS Datagram) from your computer."

    I'm not sure what these mean - perhaps I inadvertently configured Zone Alarm to cause these to occur. Since these two are about the only alerts I am now seeing, is there any problem with them and, if not, how can I change settings to keep these alerts from popping up? Also, is there a way to find out where/what these addresses are about?
     
  8. 2004/08/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The "Incoming" item is shown with an incomplete IP address (not enough number groups) so probably not the actual message but no way to figure out 'where/who' without the full IP address.

    The "Outgoing" is suspicious and makes me wonder if your PC has been hijacked to act as a relay for traffic where the originator wants to hide the real origin.

    Probably a good idea to make sure you have the latest versions of spybot (v1.3) and Ad-aware (SE or Personal) updated and run them along with a good online virus scan. Then get a copy of the latest version of Hijackthis (1.98.2 I think) and put it in a folder of its own so not desktop and not any temp folder then run it to generate a log and post the log file here.
     
  9. 2004/08/17
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    Newt,

    I ran my updated AVG which found no problems. I also ran Housecall which found no problems either. Last evening I ran Spybot, AdAware, and HiJack this and posted the HiJack This log to another thread I posted in Windows 98 (System Conflict With Hardware Address). I think I got the link posted OK below. Wasn't sure how to include it. I assumed I had two separate problems but the problems in each of the threads may be related.

    http://www.windowsbbs.com/showthread.php?t=34072

    One other thought I just had. I started using Firefox, in addition to IE, a few days ago and I may have had both browsers open at once. Could that cause a problem?

    Thanks for your help.
     
  10. 2004/08/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Not sure exactly what is causing the message you are seeing about a conflict with an IP address.

    If your NIC is NetGear then the system is for sure seeing a different device (or maybe, as suggested, you have a card going bad) because the wired NetGear stuff should all be

    00:09:5B:xx
    00:0F:B5:xx
    or possibly
    00:02:E3 Lite-On Communications (but maybe some NetGear devices)

    I am merging this thread with your security thread since I'm thinking that is more likely to be the problem here.

    The 20.20.20.x address range ( 20.0.0.0 - 20.255.255.255 ) is assigned to CSC (Computer Sciences Corporation) who operate from Falls Church, VA so very possible the 20.20.20.70 address is one your ISP controls. Might be good to check with their tech support folks and let them know the thing you are seeing. It could be something they are doing or that they know about.

    Since you scanned clean for virus infections and your HJT log looks good, I don't think you have a problem and the end result may be that you just have to shut off the firewall notifications about those probes.
     
  11. 2004/08/18
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,099
    Likes Received:
    25
    Thanks Newt,

    I think I will put a new card in and I will also pursue the suggestions in your latest post.

    One note I thought I would add. Earlier this evening, the dialogue box indicating the "..conflict for IP address..." appeared again. I had been away from the computer for a while and when I clicked "OK" on the dialogue box it wouldn't go away as it usually does. After numerous attempts, I started closing programs using Ctrl-Alt-Del. The dialogue box remained and when I closed out the AVG reference, the dialogue box went away. Don't know if it means anything, but thought I would mention it.
     
  12. 2004/08/19
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    That conflict for IP address message is one reason you need to touch base with tech support for your ISP.

    It's a perfectly normal and informative message in some circumstances but not yours from what you've said about your setup.

    If I have two machines on my network that I try to give the same IP address, the first machine that starts will get that address. When the second tries, it will fail to connect and the attempt will trigger the message.

    The rather strange number
    Code:
    00:B0:D0:14:F8:F3
    is the MAC (hardware) address of the other device. Any piece of internet equipment will have a MAC address and no two will be the same. You need specialized software but it is possible to locate a machine by its MAC if you need to.

    The MAC addresses are unique but only in the last few sets of numbers. The first ones are company-specific and will tell you whose device it is. If you open a cmd window and run ipconfig /all you will see the maker and the MAC for any network cards you have. Mine is
    and 00-60-97 (also written as 00:60:97) is a 3-com identifier.

    00-B0-D0 is Dell.
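
Added example, not part of the original thread: a small Python sketch of the check described in the last post, flagging any IP address claimed by more than one MAC address and attributing each claimant by its vendor prefix. The prefix table holds only the prefixes named in the thread (with the vendors the posters gave); the function names and the sample observations are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Vendor prefixes (OUIs) exactly as attributed in the thread; not a full registry.
OUI_VENDORS = {
    "00:B0:D0": "Dell",
    "00:60:97": "3Com",
    "00:09:5B": "NetGear",
    "00:0F:B5": "NetGear",
    "00:02:E3": "Lite-On Communications",
}

def normalize_mac(raw):
    """Accept 00-B0-D0-14-F8-F3, 00:b0:d0:14:f8:f3 or 00b0.d014.f8f3 notation."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def describe_mac(mac):
    """Return the vendor for a MAC, or note that it carries no vendor prefix."""
    mac = normalize_mac(mac)
    if int(mac[:2], 16) & 0x02:
        # Locally administered bit set: address was assigned in software,
        # so the first three octets say nothing about the manufacturer.
        return "locally administered (no vendor OUI)"
    return OUI_VENDORS.get(mac[:8], "unknown vendor")

def find_ip_conflicts(observations):
    """observations: (ip, mac) pairs, e.g. collected from ARP cache snapshots.
    Returns {ip: [(mac, vendor), ...]} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for ip, mac in observations:
        claims[ip].add(normalize_mac(mac))
    return {ip: [(m, describe_mac(m)) for m in sorted(macs)]
            for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample. Only 20.20.20.70 and 00:B0:D0:14:F8:F3 come from the thread.
SAMPLE = [
    ("20.20.20.70", "00-09-5B-12-34-56"),  # local NetGear NIC (constructed)
    ("20.20.20.1", "00:60:97:aa:bb:cc"),   # another host (constructed)
    ("20.20.20.70", "00:B0:D0:14:F8:F3"),  # second claimant, from the alert
    ("20.20.20.70", "00:09:5b:12:34:56"),  # same NIC, different notation
]

if __name__ == "__main__":
    for ip, owners in find_ip_conflicts(SAMPLE).items():
        print(ip, "claimed by:", owners)
```

Normalizing before comparing matters here: the same card written with hyphens and with colons would otherwise be counted as two claimants.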
     