
Thread: Windows Automatic Update problem?

  1. #1
    Junior Member carlkoch's Avatar
    Join Date
    Sep 2002
    Location
    Southern Utah, USA
    Posts
    4

    Windows Automatic Update problem?

    Hi,

    My first post, so please bear with me, I am going to recount a problem that I have posted on another board over the last week or so...

    DAY 1

    I am running XP Pro (all updates), IE 6 (all updates), NAV 2002 (all updates, virus defs current), ZoneAlarm (ver 3.1.291), AnalogX CookieWall (ver 1.01) and AdAware 5.83 (signature 038-16.08.2002).

    I have an odd problem: Every hour, at about 53 minutes past the hour, my computer attempts to access three websites. The domains are hit.stats4all.com, angelfire.com, and scorpionsearch.com. If I am connected (dial-up), all I see is activity on the connection (dial-up and ZoneAlarm icons in the tray), but no browser pops up. I have disabled AutoDial, so if I am not connected, I get repeated requests to connect.

    Neither NAV 2002 nor AdAware find anything in the way of malware, but something is going on. Can anyone help? This thing is driving me crazy!!!

    To my knowledge, I have never been to an angelfire.com, hit.stats4all.com, or scorpionsearch.com website, except for the times it has connected on its own. And even then, there has been no browser or display of the site in any form.

    This is probably just some benign way for some idiot to accrue more click counts for some advertisements. I really want to get rid of it though. It really bugs me that my system is trying to connect to the Internet without my permission, if you know what I mean. I want to figure out how to get rid of this stupid thing.

    I haven't even had any luck trying to identify what starts this thing. I have validated everything in my startup, including my services. The only processes that I can't specifically identify in my task manager are all of the svchost.exe's, but how do you tell which svchost goes with which service? Here is a StartupList report, annotated to identify some of the less obvious entries:

    StartupList report, 9/7/2002
    Detected: Windows XP (WinNT 5.01.2600)
    * Using verbose mode
    ==================================================

    Running processes:

    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Labs - Creative Service for CDROM Access)
    ?:\?\SAgent2.exe (C:\Program Files\Common Files\EPSON\EBAPI - EPSON Printer Status Agent)
    ?:\?\NAVAPSVC.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\system32\Ofps.exe (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OmniForm Printer\Image Path)
    ?:\?\NOPDB.EXE (C:\Program Files\Norton SystemWorks\Speed Disk - Norton Speed Disk)
    C:\WINDOWS\system32\svchost.exe
    ?:\?\vsmon.exe (C:\WINDOWS\system32\ZoneLabs - TrueVector Service)
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\WFXSVC.EXE (Symantec WinFax PRO NT Service)
    C:\WINDOWS\system32\MsPMSPSv.exe (WMDM PMSP Service)
    ?:\?\WFXMOD32.EXE (C:\Program Files\Norton SystemWorks\WinFax - WinFax Pro Serial Modem Driver)
    C:\WINDOWS\system32\Fast.exe (Super Fast User Switcher)
    C:\WINDOWS\system32\devldr32.exe (Creative Ring3 NT Interface)
    C:\WINDOWS\system32\LVComS.exe (Labtec WebCam)
    C:\WINDOWS\system32\TaskSwitch.exe (CoolSwitch)
    C:\WINDOWS\system32\Fast.exe
    C:\Program Files\B's CLiP\Win2K\BSCLIP.EXE (B's Clip UDF CDRW)
    ?:\?\MBM5.exe (Motherboard Monitor)
    C:\WINDOWS\system32\qttask.exe (Quicktime Tasks)
    ?:\?\Pptd40nt.exe (PaperPort PTD)
    ?:\?\WFXSWTCH.exe (C:\Program Files\Norton SystemWorks\WinFax)
    C:\WINDOWS\system32\WFXSNT40.EXE
    ?:\?\NAVAPW32.EXE
    C:\Program Files\Creative\ShareDLL\CTNotify.exe
    C:\WINDOWS\system32\atiptaxx.exe (ATI Desktop Control Panel)
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd - CtHelper Application)
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    ?:\?\E_S10IC2.EXE (C:\WINDOWS\system32\spool\drivers\w32x86 - EPSON Status Monitor 3)
    C:\WINDOWS\updatewiz.exe
    ?:\?\Mediadet.exe (C:\Program Files\Creative\ShareDLL - Disc Detector)
    ?:\?\WFXCTL32.EXE
    ?:\?\IAM.exe (C:\Program Files\CallWave - Internet Answering Machine)
    ?:\?\zonealarm.exe
    C:\WINDOWS\FSScrCtl.exe (Screen Saver Control)
    C:\Program Files\Internet Explorer\iexplore.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Carl O. Koch\Start Menu\Programs\Startup]
    Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Controller.LNK = C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
    EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit/Load:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    FastUser = C:\WINDOWS\System32\fast.exe
    B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    MBM 5 = C:\PROGRA~1\MOTHER~1\MBM5.EXE
    QuickTime Task = C:\WINDOWS\System32\qttask.exe
    PaperPort PTD = c:\progra~1\vision~1\paperp~1\pptd40nt.exe
    WFXSwtch = C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    WinFaxAppPortStarter = wfxsnt40.exe
    NAV Agent = C:\PROGRA~1\NORTON~2\NORTON~4\navapw32.exe
    UpdReg = C:\WINDOWS\Updreg.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

    --------------------------------------------------

    DAY 2

    I ran an experiment tonight. I used the "Stop all Internet activity" feature in ZoneAlarm, then allowed the spontaneous dial-up to connect. I got two "Blocked Internet Multicast" and two "Generic Host Process for Win32 Services tried to connect to [IP addresses]" messages from ZoneAlarm.

    The second two messages indicate to me that a service, loaded via one of my five svchost.exe processes, is what is trying to make these spontaneous connections. Is this a valid leap of logic? If so, how do I identify which one to kill?

    As I said, I have already been through my services, both through the Microsoft Management Console and through the Registry directly, and didn't see anything amiss. I have to admit, however, that I am no expert with services or the Registry. I'm not bad, but not an expert.

    DAY 3

    I ran my experiment again tonight (I used the "Stop all Internet activity" feature in ZoneAlarm) and got the same results with one interesting addition:

    --------------------------------------------------
    Windows Automatic Update tried to connect to the internet (ln.doubleclick.net), but was denied access by the Internet Lock.

    Program: Windows Automatic Update
    Time: 9/8/2002 9:15:56 PM
    --------------------------------------------------

    Now why, might I ask, would Automatic Update be trying to connect to ln.doubleclick.net??? Has my Windows Automatic Update been hijacked by DoubleClick??? Or is this not what this means? If it has been hijacked, how do I get it back? I already searched the MS Knowledgebase with no relevant results.

    DAY 4

    I tried my experiment again. Here is the newest addition to the mystery directly quoted from the ZoneAlarm alert:

    --------------------------------------------------
    Windows Automatic Update tried to connect to the internet (www.angelfire.com), but was denied access by the Internet Lock.

    Program: Windows Automatic Update
    Time: 9/8/2002 11:02:56 PM
    --------------------------------------------------

    What is going on here!? DoubleClick and Angelfire??? This can't be right. My virus software (NAV 2002 09-04-02 definitions) still finds nothing. And AdAware finds nothing.

    I have taken away Windows Automatic Update's permission to access the Internet (ask first) through ZoneAlarm to see if other sites are using it. Should I also send this info to Symantec Antivirus Research Center (SARC) and see if they have an answer? Maybe Uncle Bill in Redmond would like to see this information.

    Either something odd is going on here, or I am misunderstanding how these things are supposed to work. Of course, I could just be losing my mind. I bet if I cleaned my computer's mind out and reloaded it, my anguish would end...but we must keep that option as the last resort. A system reload would be a lot of work, and there is no educational value in a system reload. I want to beat this problem, educating myself as I go.

    Sorry that this post is so long, but there was a lot of info to impart. If ANYBODY has ANYTHING they think is relevant, or even a guess or two, please let me know.

    Thanks in advance,

    Carl
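
Editor's note, added to the thread and not written by Carl or any other poster: the question of which svchost.exe hosts which service, and which process owns a given outbound connection, has a direct answer on a modern Windows box. On the XP system described in the post the same facts came from `tasklist /svc` (service-to-PID map), `netstat -ano` (connection-to-PID map) and `schtasks /query /v` (scheduled tasks). The script below is an illustrative example that assumes an elevated PowerShell 5.1 or later prompt on Windows 8 / Server 2012 or newer (`Get-NetTCPConnection` and `Get-ScheduledTask` do not exist on XP); it also resolves each svchost-hosted service to its ServiceDll from the registry, lists non-Microsoft or unsigned modules loaded into svchost, and lists scheduled tasks with a repeating trigger, which is the first thing to check for an "every hour at :53" pattern.

```powershell
# Added example (not from the thread). Attribute network activity on a Windows
# host to the owning process and, for svchost.exe, to the hosted service(s).
# Assumes an elevated PowerShell 5.1+ prompt on Windows 8 / Server 2012 or later.
# XP-era equivalents: tasklist /svc, netstat -ano, schtasks /query /v.

# Resolve the DLL a svchost-hosted service actually runs. The ServiceDll value
# normally lives under <service>\Parameters; a few services keep it on the key itself.
function Get-ServiceDll([string]$ServiceName) {
    foreach ($key in @("HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters",
                       "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName")) {
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return ''
}

# 1. Which services live in which svchost.exe instance? (Answers the "how do you
#    tell which svchost goes with which service" question directly.)
function Get-SvchostServiceMap {
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object ProcessId |
        ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -ieq 'svchost') {
                foreach ($svc in $_.Group) {
                    [pscustomobject]@{
                        PID        = $proc.Id
                        Service    = $svc.Name
                        Display    = $svc.DisplayName
                        ServiceDll = Get-ServiceDll $svc.Name   # the code that really runs in this PID
                    }
                }
            }
        }
}

# 2. Which process owns each established TCP connection? A remote address that
#    maps to svchost.exe is then narrowed down with the map above.
function Get-ConnectionOwners {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '?' }
                Path    = if ($p -and $p.Path) { $p.Path } else { '?' }
            }
        }
}

# 3. Anything loaded into svchost.exe that is not signed by Microsoft is a lead.
#    Caveat: many OS binaries are catalog-signed rather than Authenticode-embedded;
#    on older builds Get-AuthenticodeSignature can report those as NotSigned, so
#    treat this list as a set of leads to inspect, not a verdict.
function Get-ForeignModulesInSvchost {
    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $mods = Get-Process -Id $proc.Id -Module -ErrorAction SilentlyContinue
        foreach ($m in $mods) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
                [pscustomobject]@{ PID = $proc.Id; Module = $m.FileName; Status = $sig.Status; Signer = $signer }
            }
        }
    }
}

# 4. Periodic activity (e.g. once an hour) is often a scheduled task with a
#    repetition trigger; list every task that repeats and what it executes.
function Get-RepeatingTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($t in $_.Triggers) {
            if ($t.Repetition.Interval) {
                [pscustomobject]@{
                    Task   = $_.TaskPath + $_.TaskName
                    Every  = $t.Repetition.Interval          # ISO 8601 duration, e.g. PT1H
                    Action = ($_.Actions.Execute -join ' ')
                }
            }
        }
    }
}

Get-SvchostServiceMap        | Sort-Object PID     | Format-Table -AutoSize
Get-ConnectionOwners         | Sort-Object Process | Format-Table -AutoSize
Get-ForeignModulesInSvchost  | Format-Table -AutoSize
Get-RepeatingTasks           | Format-Table -AutoSize
```

Run it while the unexplained traffic is happening: the connection table gives the PID, the service map turns a svchost PID into service names and ServiceDll paths, and the module and task listings are where a third-party DLL or an hourly task would show up. A personal firewall that names the program by executable, as ZoneAlarm does, cannot distinguish between the update client itself and a DLL loaded into the same process, which is why the process-level view is needed.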


  2. #2
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,838
    Welcome Carl.
    Doubleclick.net is an Advertising and Marketing group used by thousands of sites to promote their products.
    When you visit one of these sites they sometimes plant a doubleclick Cookie on your system.

    Have you tried clearing your cookies to see if the problem goes away?
    I would recommend you delete your cookies manually by going to your C:\Documents and Settings\~yourname~\Cookies folder, rather than using the clear option via Internet Options. Also clear your history folder.
    You can also prevent Automatic Updates from trying to connect by disabling them.
    Right click My Computer,select properties and on the Automatic Updates tab enable "Turn off Automatic Updating".

    Apologies if I've suggested things you have already tried.


  3. #3
    Junior Member carlkoch's Avatar
    Join Date
    Sep 2002
    Location
    Southern Utah, USA
    Posts
    4

    Windows Automatic Update problem?

    Hello Reverend,

    Thanks for your welcome. Yes, I know about DoubleClick.net. I am using CookieWall, and I delete every doubleclick cookie that comes in. I have gone into my cookies folder and cleared out all but the most basic ones (MSN, my tech forums, PCWorld, etc.). No changes.

    I have already disabled my Automatic Update, for the time being, and it seems to have stopped the problem. But, I like Automatic Update, and would like to find a cure so I can continue to use it. Turning off Automatic Update might solve the short-term problem, but the big picture still exists...I want to eliminate the problem, not go around it. I hope you know what I mean.

    Thanks again for your welcome and suggestions. Keep them coming...

    Carl

  4. #4
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,103
    I don't want to encourage bad behavior, so I won't post information here. Instead I will provide a link to a site that describes setting up bogus accounts on angelfire using someone else's URL.

    After reading this info you might email angelfire administrator to solicit their help.


    Link removed
    Last edited by Reverend; September 9th, 2002 at 20:23 PM.

  5. #5
    Junior Member carlkoch's Avatar
    Join Date
    Sep 2002
    Location
    Southern Utah, USA
    Posts
    4
    New development: Remember that I have Automatic Update disabled...well, I just got a ZoneAlarm alert that Windows Automatic Update just tried to access the Internet. The IP address is 64.246.30.54 and the ARIN WhoIs database identifies the address with

    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 3333 Katy Frwy Houston, TX 77007
    Country: US
    Comment:
    RegDate: 1999-09-07
    Updated: 2000-02-24

    Anyone ever hear of them?

  6. #6
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,838
    That IP is on the Verio network.
    You may want to contact them.


    --------------------------------------------------------------------------------
    Network Data
    Network id#: 1
    Verio, Inc. (NET-VRIO-129-250)
    8005 South Chester Street
    Englewood, CO 80112
    US

    Netname: VRIO-129-250
    Netblock: 129.250.0.0 - 129.250.255.255
    Maintainer: VRIO

    Coordinator:
    Verio, Inc. (VIA4-ORG-ARIN) [email protected]
    303.645.1900

    Domain System inverse mapping provided by:

    NS0.VERIO.NET 129.250.15.61
    NS1.VERIO.NET 204.91.99.140
    NS2.VERIO.NET 129.250.31.190

    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE



    ********************************************

    Reassignment information for this block is

    available at rwhois.verio.net port 4321

    ********************************************

    Record last updated on 26-Sep-2001.
    Database last updated on 27-Jun-2002 20:01:44 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related


    Registrant Data
    Registrant id#: 1
    The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information about
    or related to a domain name registration record. VeriSign does not guarantee
    its accuracy. Additionally, the data may not reflect updates to billing contact
    information. By submitting a WHOIS query, you agree to use this Data only
    for lawful purposes and that under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations via e-mail, telephone, or facsimile; or
    (2) enable high volume, automated, electronic processes that apply to VeriSign
    (or its computer systems). The compilation, repackaging, dissemination or
    other use of this Data is expressly prohibited without the prior written
    consent of VeriSign. VeriSign reserves the right to terminate your access to
    the VeriSign Registrar WHOIS database in its sole discretion, including
    without limitation, for excessive querying of the WHOIS database or for failure
    to otherwise abide by this policy. VeriSign reserves the right to modify these
    terms at any time. By submitting this query, you agree to abide by this policy.



    Domain Name.......... verio.net
    Creation Date........ 1996-12-07
    Registration Date.... 2000-05-10
    Expiry Date.......... 2007-12-06
    Organisation Name.... Verio, Inc.
    Organisation Address. 8005 South Chester Street
    Organisation Address. Suite 200
    Organisation Address. Englewood
    Organisation Address. CO
    Organisation Address. 80112
    Organisation Address. UNITED STATES

    Admin Name........... Hostmaster Verio
    Admin Address........ 8005 South Chester Street
    Admin Address........ Suite 200
    Admin Address........ Englewood
    Admin Address........ 80112
    Admin Address........ CO
    Admin Address........ UNITED STATES
    Admin Email.......... [email protected]
    Admin Phone.......... 214 290 8620
    Admin Fax............ .

    Tech Name............ Hostmaster Verio
    Tech Address......... 8005 South Chester Street
    Tech Address......... Suite 200
    Tech Address......... Englewood
    Tech Address......... CO
    Tech Address......... 80112
    Tech Address......... UNITED STATES
    Tech Email........... [email protected]
    Tech Phone........... 214 290 8620
    Tech Fax............. .
    Name Server.......... NS0.VERIO.NET
    Name Server.......... NS1.VERIO.NET
    Name Server.......... NS2.VERIO.NET


    The previous information has been obtained either directly from the
    registrant or a registrar of the domain name other than VeriSign.
    _____
    NeoTrace Copyright ©1997-2001 NeoWorx Inc


  7. #7
    Techzonez Governor Super Moderator Conan's Avatar
    Join Date
    Apr 2002
    Location
    Philippines
    Posts
    3,920
    To be on the safe side, I suggest you scan your PC with a Trojan Remover program. Try this one, it is a fully functional program good for 30 days:

    http://www.simplysup.com/

  8. #8
    Junior Member carlkoch's Avatar
    Join Date
    Sep 2002
    Location
    Southern Utah, USA
    Posts
    4
    Trojan Remover - Scan Complete

    No malicious files were found and no changes were made.
