Hi,

My first post, so please bear with me; I am going to recount a problem that I have posted on another board over the last week or so...

DAY 1

I am running XP Pro (all updates), IE 6 (all updates), NAV 2002 (all updates, virus defs current), ZoneAlarm (ver 3.1.291), AnalogX CookieWall (ver 1.01) and AdAware 5.83 (signature 038-16.08.2002).

I have an odd problem: Every hour, at about 53 minutes past the hour, my computer attempts to access three websites. The domains are hit.stats4all.com, angelfire.com, and scorpionsearch.com. If I am connected (dial-up), all I see is activity on the connection (dial-up and ZoneAlarm icons in the tray), but no browser pops up. I have disabled AutoDial, so if I am not connected, I get repeated requests to connect.

Neither NAV 2002 nor AdAware find anything in the way of malware, but something is going on. Can anyone help? This thing is driving me crazy!!!

To my knowledge, I have never been to an angelfire.com, hit.stats4all.com, or scorpionsearch.com website, except for the times it has connected on its own. And even then, there has been no browser or display of the site in any form.

This is probably just some benign way for some idiot to accrue more click counts for some advertisements. I really want to get rid of it though. It really bugs me that my system is trying to connect to the Internet without my permission, if you know what I mean. I want to figure out how to get rid of this stupid thing.

I haven't even had any luck trying to identify what starts this thing. I have validated everything in my startup, including my services. The only processes that I can't specifically identify in my task manager are all of the svchost.exe's, but how do you tell which svchost goes with which service? Here is a StartupList report, annotated to identify some of the less obvious entries:

StartupList report, 9/7/2002
Detected: Windows XP (WinNT 5.01.2600)
* Using verbose mode
==================================================

Running processes:

C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Labs - Creative Service for CDROM Access)
?:\?\SAgent2.exe (C:\Program Files\Common Files\EPSON\EBAPI - EPSON Printer Status Agent)
?:\?\NAVAPSVC.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\Ofps.exe (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OmniForm Printer\Image Path)
?:\?\NOPDB.EXE (C:\Program Files\Norton SystemWorks\Speed Disk - Norton Speed Disk)
C:\WINDOWS\system32\svchost.exe
?:\?\vsmon.exe (C:\WINDOWS\system32\ZoneLabs - TrueVector Service)
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WFXSVC.EXE (Symantec WinFax PRO NT Service)
C:\WINDOWS\system32\MsPMSPSv.exe (WMDM PMSP Service)
?:\?\WFXMOD32.EXE (C:\Program Files\Norton SystemWorks\WinFax - WinFax Pro Serial Modem Driver)
C:\WINDOWS\system32\Fast.exe (Super Fast User Switcher)
C:\WINDOWS\system32\devldr32.exe (Creative Ring3 NT Inteface )
C:\WINDOWS\system32\LVComS.exe (Labtec WebCam)
C:\WINDOWS\system32\TaskSwitch.exe (CoolSwitch)
C:\WINDOWS\system32\Fast.exe
C:\Program Files\B's CLiP\Win2K\BSCLIP.EXE (B's Clip UDF CDRW)
?:\?\MBM5.exe (Motherboard Monitor)
C:\WINDOWS\system32\qttask.exe (Quicktime Tasks)
?:\?\Pptd40nt.exe (PaperPort PTD)
?:\?\WFXSWTCH.exe (C:\Program Files\Norton SystemWorks\WinFax)
C:\WINDOWS\system32\WFXSNT40.EXE
?:\?\NAVAPW32.EXE
C:\Program Files\Creative\ShareDLL\CTNotify.exe
C:\WINDOWS\system32\atiptaxx.exe (ATI Desktop Control Panel)
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd - CtHelper Application)
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
?:\?\E_S10IC2.EXE (C:\WINDOWS\system32\spool\drivers\w32x86 - EPSON Status Monitor 3)
C:\WINDOWS\updatewiz.exe
?:\?\Mediadet.exe (C:\Program Files\Creative\ShareDLL - Disc Detector)
?:\?\WFXCTL32.EXE
?:\?\IAM.exe (C:\Program Files\CallWave - Internet Answering Machine)
?:\?\zonealarm.exe
C:\WINDOWS\FSScrCtl.exe (Screen Saver Control)
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Carl O. Koch\Start Menu\Programs\Startup]
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Controller.LNK = C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit/Load:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
FastUser = C:\WINDOWS\System32\fast.exe
B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
MBM 5 = C:\PROGRA~1\MOTHER~1\MBM5.EXE
QuickTime Task = C:\WINDOWS\System32\qttask.exe
PaperPort PTD = c:\progra~1\vision~1\paperp~1\pptd40nt.exe
WFXSwtch = C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
WinFaxAppPortStarter = wfxsnt40.exe
NAV Agent = C:\PROGRA~1\NORTON~2\NORTON~4\navapw32.exe
UpdReg = C:\WINDOWS\Updreg.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

--------------------------------------------------

DAY 2

I ran an experiment tonight. I used the "Stop all Internet activity" feature in ZoneAlarm, then allowed the spontaneous dial-up to connect. I got two "Blocked Internet Multicast" and two "Generic Host Process for Win32 Services tried to connect to [IP addresses]" messages from ZoneAlarm.

The second two messages indicate to me that a service, loaded via one of my five svchost.exe processes, is what is trying to make these spontaneous connections. Is this a valid leap of logic? If so, how do I identify which one to kill?

As I said, I have already been through my services, both through the Microsoft Management Console and through the Registry directly, and didn't see anything amiss. I have to admit, however, that I am no expert with services or the Registry. I'm not bad, but not an expert.

DAY 3

I ran my experiment again tonight (I used the "Stop all Internet activity" feature in ZoneAlarm) and got the same results with one interesting addition:

--------------------------------------------------
Windows Automatic Update tried to connect to the internet (ln.doubleclick.net), but was denied access by the Internet Lock.

Program: Windows Automatic Update
Time: 9/8/2002 9:15:56 PM
--------------------------------------------------

Now why, might I ask, would Automatic Update be trying to connect to ln.doubleclick.net??? Has my Windows Automatic Update been hijacked by DoubleClick??? Or is this not what this means? If it has been hijacked, how do I get it back? I already searched the MS Knowledgebase with no relevant results.

DAY 4

I tried my experiment again. Here is the newest addition to the mystery directly quoted from the ZoneAlarm alert:

--------------------------------------------------
Windows Automatic Update tried to connect to the internet (www.angelfire.com), but was denied access by the Internet Lock.

Program: Windows Automatic Update
Time: 9/8/2002 11:02:56 PM
--------------------------------------------------

What is going on here!? DoubleClick and Angelfire??? This can't be right. My virus software (NAV 2002 09-04-02 definitions) still finds nothing. And AdAware finds nothing.

I have taken away Windows Automatic Update's permission to access the Internet (ask first) through ZoneAlarm to see if other sites are using it. Should I also send this info to Symantec Antivirus Research Center (SARC) and see if they have an answer? Maybe Uncle Bill in Redmond would like to see this information.

Either something odd is going on here, or I am misunderstanding how these things are supposed to work. Of course, I could just be losing my mind. I bet if I cleaned my computer's mind out and reloaded it, my anguish would end...but we must keep that option as the last resort. A system reload would be a lot of work, and there is no educational value in a system reload. I want to beat this problem, educating myself as I go.

Sorry that this post is so long, but there was a lot of info to impart. If ANYBODY has ANYTHING they think is relevant, or even a guess or two, please let me know.

Thanks in advance,

Carl
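The post's central diagnostic question is how to tell which svchost.exe process hosts which service, and which of them is the one opening connections. The script below is an added example, not something from the original post or from any of the tools it names. It assumes a modern Windows host (Windows 8 / Server 2012 or later) with PowerShell and the NetTCPIP module; the poster's XP machine has neither, and there `tasklist /svc` gives the PID-to-service half of the same picture. It joins services to their host process by PID, then joins live outbound TCP connections to the same PID, so each svchost.exe line shows the services it hosts and the remote endpoints it is currently talking to.

```powershell
# Added example (not from the original post): map each svchost.exe PID to the
# services it hosts and to any live outbound TCP connections owned by that PID.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, -notin).

# 1. Services grouped by the process that hosts them. One svchost.exe usually
#    hosts several services, which is why Task Manager alone cannot tell them apart.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# 2. Established or half-open outbound connections, keyed by owning PID.
#    Loopback and unspecified addresses are dropped; they are not "the Internet".
$localOnly = @('0.0.0.0', '::', '127.0.0.1', '::1')
$connByPid = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $localOnly } |
    Group-Object -Property OwningProcess -AsHashTable -AsString

# 3. One report line per svchost.exe: hosted services plus remote endpoints.
#    ($pid is a PowerShell automatic variable, so the key is named $procId.)
$report = Get-Process -Name svchost | ForEach-Object {
    $procId = "$($_.Id)"

    $services = if ($svcByPid -and $svcByPid.ContainsKey($procId)) {
        ($svcByPid[$procId].Name | Sort-Object) -join ', '
    } else { '(no services)' }

    $remotes = if ($connByPid -and $connByPid.ContainsKey($procId)) {
        ($connByPid[$procId] |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
            Sort-Object -Unique) -join ', '
    } else { '(no outbound TCP)' }

    [pscustomobject]@{
        PID      = $_.Id
        Services = $services
        Remote   = $remotes
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt while the unexpected traffic is happening (the poster's window is around 53 minutes past the hour), and the svchost.exe line whose Remote column is populated names the service group to look at; the Services column narrows the "which one do I kill" question to a handful of named services instead of five identical process names. Because the connections recur at a fixed minute every hour, the entries in Task Scheduler are also worth reading alongside this output, since a task that fires hourly would not show up in the Run keys or startup folders the StartupList report covers.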