-
September 9th, 2002, 19:11 PM
#1
Junior Member
Windows Automatic Update problem?
Hi,
My first post, so please bear with me, I am going to recount a problem that I have posted on another board over the last week or so...
DAY 1
I am running XP Pro (all updates), IE 6 (all updates), NAV 2002 (all updates, virus defs current), ZoneAlarm (ver 3.1.291), AnalogX CookieWall (ver 1.01) and AdAware 5.83 (signature 038-16.08.2002).
I have an odd problem: Every hour, at about 53 minutes past the hour, my computer attempts to access three websites. The domains are hit.stats4all.com, angelfire.com, and scorpionsearch.com. If I am connected (dial-up), all I see is activity on the connection (dial-up and ZoneAlarm icons in the tray), but no browser pops up. I have disabled AutoDial, so if I am not connected, I get repeated requests to connect.
Neither NAV 2002 nor AdAware find anything in the way of malware, but something is going on. Can anyone help? This thing is driving me crazy!!!
To my knowledge, I have never been to an angelfire.com, hit.stats4all.com, or scorpionsearch.com website, except for the times it has connected on its own. And even then, there has been no browser or display of the site in any form.
This is probably just some benign way for some idiot to accrue more click counts for some advertisements. I really want to get rid of it though. It really bugs me that my system is trying to connect to the Internet without my permission, if you know what I mean. I want to figure out how to get rid of this stupid thing.
I haven't even had any luck trying to identify what starts this thing. I have validated everything in my startup, including my services. The only processes that I can't specifically identify in my task manager are all of the svchost.exe's, but how do you tell which svchost goes with which service? Here is a StartupList report, annotated to identify some of the less obvious entries:
StartupList report, 9/7/2002
Detected: Windows XP (WinNT 5.01.2600)
* Using verbose mode
==================================================
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Labs - Creative Service for CDROM Access)
?:\?\SAgent2.exe (C:\Program Files\Common Files\EPSON\EBAPI - EPSON Printer Status Agent)
?:\?\NAVAPSVC.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\Ofps.exe (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OmniForm Printer\Image Path)
?:\?\NOPDB.EXE (C:\Program Files\Norton SystemWorks\Speed Disk - Norton Speed Disk)
C:\WINDOWS\system32\svchost.exe
?:\?\vsmon.exe (C:\WINDOWS\system32\ZoneLabs - TrueVector Service)
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WFXSVC.EXE (Symantec WinFax PRO NT Service)
C:\WINDOWS\system32\MsPMSPSv.exe (WMDM PMSP Service)
?:\?\WFXMOD32.EXE (C:\Program Files\Norton SystemWorks\WinFax - WinFax Pro Serial Modem Driver)
C:\WINDOWS\system32\Fast.exe (Super Fast User Switcher)
C:\WINDOWS\system32\devldr32.exe (Creative Ring3 NT Inteface )
C:\WINDOWS\system32\LVComS.exe (Labtec WebCam)
C:\WINDOWS\system32\TaskSwitch.exe (CoolSwitch)
C:\WINDOWS\system32\Fast.exe
C:\Program Files\B's CLiP\Win2K\BSCLIP.EXE (B's Clip UDF CDRW)
?:\?\MBM5.exe (Motherboard Monitor)
C:\WINDOWS\system32\qttask.exe (Quicktime Tasks)
?:\?\Pptd40nt.exe (PaperPort PTD)
?:\?\WFXSWTCH.exe (C:\Program Files\Norton SystemWorks\WinFax)
C:\WINDOWS\system32\WFXSNT40.EXE
?:\?\NAVAPW32.EXE
C:\Program Files\Creative\ShareDLL\CTNotify.exe
C:\WINDOWS\system32\atiptaxx.exe (ATI Desktop Control Panel)
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd - CtHelper Application)
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
?:\?\E_S10IC2.EXE (C:\WINDOWS\system32\spool\drivers\w32x86 - EPSON Status Monitor 3)
C:\WINDOWS\updatewiz.exe
?:\?\Mediadet.exe (C:\Program Files\Creative\ShareDLL - Disc Detector)
?:\?\WFXCTL32.EXE
?:\?\IAM.exe (C:\Program Files\CallWave - Internet Answering Machine)
?:\?\zonealarm.exe
C:\WINDOWS\FSScrCtl.exe (Screen Saver Control)
C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Carl O. Koch\Start Menu\Programs\Startup]
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Controller.LNK = C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
--------------------------------------------------
Checking Windows NT UserInit/Load:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
FastUser = C:\WINDOWS\System32\fast.exe
B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
MBM 5 = C:\PROGRA~1\MOTHER~1\MBM5.EXE
QuickTime Task = C:\WINDOWS\System32\qttask.exe
PaperPort PTD = c:\progra~1\vision~1\paperp~1\pptd40nt.exe
WFXSwtch = C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
WinFaxAppPortStarter = wfxsnt40.exe
NAV Agent = C:\PROGRA~1\NORTON~2\NORTON~4\navapw32.exe
UpdReg = C:\WINDOWS\Updreg.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
--------------------------------------------------
DAY 2
I ran an experiment tonight. I used the "Stop all Internet activity" feature in ZoneAlarm, then allowed the spontaneous dial-up to connect. I got two "Blocked Internet Multicast" and two "Generic Host Process for Win32 Services tried to connect to [IP addresses]" messages from ZoneAlarm.
The second two messages indicate to me that a service, loaded via one of my five svchost.exe processes, is what is trying to make these spontaneous connections. Is this a valid leap of logic? If so, how do I identify which one to kill?
As I said, I have already been through my services, both through the Microsoft Management Console and through the Registry directly, and didn't see anything amiss. I have to admit, however, that I am no expert with services or the Registry. I'm not bad, but not an expert.
DAY 3
I ran my experiment again tonight (I used the "Stop all Internet activity" feature in ZoneAlarm) and got the same results with one interesting addition:
--------------------------------------------------
Windows Automatic Update tried to connect to the internet (ln.doubleclick.net), but was denied access by the Internet Lock.
Program: Windows Automatic Update
Time: 9/8/2002 9:15:56 PM
--------------------------------------------------
Now why, might I ask, would Automatic Update be trying to connect to ln.doubleclick.net??? Has my Windows Automatic Update been hijacked by DoubleClick??? Or is this not what this means? If it has been hijacked, how do I get it back? I already searched the MS Knowledgebase with no relevant results.
DAY 4
I tried my experiment again. Here is the newest addition to the mystery directly quoted from the ZoneAlarm alert:
--------------------------------------------------
Windows Automatic Update tried to connect to the internet (www.angelfire.com), but was denied access by the Internet Lock.
Program: Windows Automatic Update
Time: 9/8/2002 11: 02:56 PM
--------------------------------------------------
What is going on here!? DoubleClick and Angelfire??? This can't be right. My virus software (NAV 2002 09-04-02 definitions) still finds nothing. And AdAware finds nothing.
I have taken away Windows Automatic Update's permission to access the Internet (ask first) through ZoneAlarm to see if other sites are using it. Should I also send this info to Symantec Antivirus Research Center (SARC) and see if they have an answer? Maybe Uncle Bill in Redmond would like to see this information.
Either something odd is going on here, or I am misunderstanding how these things are supposed to work. Of course, I could just be losing my mind. I bet if I cleaned my computer's mind out and reloaded it, my anguish would end...but we must keep that option as the last resort. A system reload would be a lot of work, and there is no educational value in a system reload. I want to beat this problem, educating myself as I go.
Sorry that this post is so long, but there was a lot of info to impart. If ANYBODY has ANYTHING they think is relevant, or even a guess or two, please let me know.
Thanks in advance,
Carl
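The two things the post is asking for are a way to tell which services live inside which svchost.exe, and a way to confirm that the outbound attempts really do recur at the same minute of every hour. The script below is an added example written for this thread, not something posted by Carl or by the forum. It assumes a current Windows host with the NetTCPIP module (Get-NetTCPConnection) and CIM access; on the XP Pro system described in the post the same information comes from `tasklist /svc` (service names per PID) and `netstat -ano` (connections per PID). The sample timestamps in the beacon check are constructed to mimic the ":53 past the hour" pattern and are not real log data.

```powershell
# Added example (not from the thread). Two defender-side checks:
#  1. Map every svchost.exe to the services it hosts and its non-local TCP
#     connections, so an alert blamed on "Generic Host Process" can be
#     narrowed to a service group.
#  2. Detect an hourly beacon pattern in a list of alert timestamps.
# Assumes Get-NetTCPConnection and Get-CimInstance are available; run elevated
# so that OwningProcess and CommandLine are populated for system processes.

function Get-SvchostServiceMap {
    [CmdletBinding()]
    param()

    $realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Win32_Service carries ProcessId, which ties each service to its host process.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 }

    $svchosts = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"

    # Ignore listeners and loopback traffic; only remote peers matter here.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }

    foreach ($p in $svchosts) {
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }
        $remote = $conns    | Where-Object { $_.OwningProcess -eq $p.ProcessId } |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) [$($_.State)]" }

        [PSCustomObject]@{
            PID         = $p.ProcessId
            # A service host whose image is not the real svchost.exe deserves a closer look.
            ImageOk     = ($p.ExecutablePath -eq $realSvchost)
            CommandLine = $p.CommandLine      # shows the "-k <group>" the process was started with
            Services    = ($hosted.Name -join ', ')
            Remotes     = ($remote -join ', ')
        }
    }
}

function Find-HourlyBeacon {
    param(
        [Parameter(Mandatory)] [datetime[]] $Times,
        [int] $MinDistinctHours = 3
    )
    # Bucket events by minute-of-hour. A process that calls out at the same
    # minute every hour fills one bucket with hits from many distinct hours,
    # which ordinary interactive browsing does not do.
    $Times | Group-Object -Property { $_.Minute } | ForEach-Object {
        $hours = @($_.Group | ForEach-Object { $_.ToString('yyyy-MM-dd HH') } | Sort-Object -Unique)
        if ($hours.Count -ge $MinDistinctHours) {
            [PSCustomObject]@{
                MinuteOfHour  = [int]$_.Name
                DistinctHours = $hours.Count
                Hits          = $_.Count
            }
        }
    }
}

# --- usage -------------------------------------------------------------------

Get-SvchostServiceMap | Format-Table -AutoSize -Wrap

# Constructed sample alert times: four hourly hits at :53 plus one stray event.
$sampleTimes = @(
    '2002-09-08 18:53:10', '2002-09-08 19:53:12', '2002-09-08 20:53:09',
    '2002-09-08 21:15:56', '2002-09-08 21:53:11'
) | ForEach-Object { [datetime]::ParseExact($_, 'yyyy-MM-dd HH:mm:ss', $null) }

# Expected: one row, MinuteOfHour 53, DistinctHours 4, Hits 4; the 21:15 event is not reported.
Find-HourlyBeacon -Times $sampleTimes | Format-Table
```

The service map answers the "which svchost goes with which service" question directly: the `-k` group in the command line plus the `Services` column tells you which service set a given PID belongs to, and `Remotes` shows what that PID is talking to at the moment you run it. Because several services share one svchost on XP and later, a per-process firewall can only attribute a connection to the host process, so the service-level view is what lets you decide which service to stop and re-test.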
-
September 9th, 2002, 19:40 PM
#2
Head Honcho
Administrator
Welcome Carl.
Doubleclick.net is an Advertising and Marketing group used by thousands of sites to promote their products.
When you visit one of these sites they sometimes plant a doubleclick Cookie on your system.
Have you tried clearing your cookies to see if the problem goes away?
I would recommend you delete your cookies manually by going to your C:\Documents and Settings\~yourname~\Cookies folder, rather than using the clear option via Internet Options. Also clear your history folder.
You can also prevent Automatic Updates from trying to connect by disabling them.
Right click My Computer,select properties and on the Automatic Updates tab enable "Turn off Automatic Updating".
Apologies if I've suggested things you have already tried.
-
September 9th, 2002, 19:48 PM
#3
Junior Member
Windows Automatic Update problem?
Hello Reverend,
Thanks for your welcome. Yes, I know about DoubleClick.net. I am using CookieWall, and I delete every doubleclick cookie that comes in. I have gone into my cookies folder and cleared out all but the most basic ones (MSN, my tech forums, PCWorld, etc.). No changes.
I have already disabled my Automatic Update, for the time being, and it seems to have stopped the problem. But, I like Automatic Update, and would like to find a cure so I can continue to use it. Turning off Automatic Update might solve the short-term problem, but the big picture still exists...I want to eliminate the problem, not go around it. I hope you know what I mean.
Thanks again for your welcome and suggestions. Keep them coming...
Carl
-
September 9th, 2002, 19:49 PM
#4
Titanium Member
I don't want to encourage bad behavior, so I won't post information here. Instead I will provide a link to a site that describes setting up bogus accounts on angelfire using someone else's URL.
After reading this info you might email angelfire administrator to solicit their help.
Link removed
Last edited by Reverend; September 9th, 2002 at 20:23 PM.
-
September 9th, 2002, 19:57 PM
#5
Junior Member
New development: Remember that I have Automatic Update disabled...well, I just got a ZoneAlarm alert that Windows Automatic Update just tried to access the Internet. The IP address is 64.246.30.54 and the ARIN WhoIs database identifies the address with
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 3333 Katy Frwy Houston, TX 77007
Country: US
Comment:
RegDate: 1999-09-07
Updated: 2000-02-24
Anyone ever hear of them?
-
September 9th, 2002, 20:12 PM
#6
Head Honcho
Administrator
That IP is on the Verio network.
You may want to contact them
--------------------------------------------------------------------------------
Network Data
Network id#: 1
Verio, Inc. (NET-VRIO-129-250)
8005 South Chester Street
Englewood, CO 80112
US
Netname: VRIO-129-250
Netblock: 129.250.0.0 - 129.250.255.255
Maintainer: VRIO
Coordinator:
Verio, Inc. (VIA4-ORG-ARIN) [email protected]
303.645.1900
Domain System inverse mapping provided by:
NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************
Record last updated on 26-Sep-2001.
Database last updated on 27-Jun-2002 20:01:44 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Registrant Data
Registrant id#: 1
The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information about
or related to a domain name registration record. VeriSign does not guarantee
its accuracy. Additionally, the data may not reflect updates to billing contact
information. By submitting a WHOIS query, you agree to use this Data only
for lawful purposes and that under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail, telephone, or facsimile; or
(2) enable high volume, automated, electronic processes that apply to VeriSign
(or its computer systems). The compilation, repackaging, dissemination or
other use of this Data is expressly prohibited without the prior written
consent of VeriSign. VeriSign reserves the right to terminate your access to
the VeriSign Registrar WHOIS database in its sole discretion, including
without limitation, for excessive querying of the WHOIS database or for failure
to otherwise abide by this policy. VeriSign reserves the right to modify these
terms at any time. By submitting this query, you agree to abide by this policy.
Domain Name.......... verio.net
Creation Date........ 1996-12-07
Registration Date.... 2000-05-10
Expiry Date.......... 2007-12-06
Organisation Name.... Verio, Inc.
Organisation Address. 8005 South Chester Street
Organisation Address. Suite 200
Organisation Address. Englewood
Organisation Address. CO
Organisation Address. 80112
Organisation Address. UNITED STATES
Admin Name........... Hostmaster Verio
Admin Address........ 8005 South Chester Street
Admin Address........ Suite 200
Admin Address........ Englewood
Admin Address........ 80112
Admin Address........ CO
Admin Address........ UNITED STATES
Admin Email.......... [email protected]
Admin Phone.......... 214 290 8620
Admin Fax............ .
Tech Name............ Hostmaster Verio
Tech Address......... 8005 South Chester Street
Tech Address......... Suite 200
Tech Address......... Englewood
Tech Address......... CO
Tech Address......... 80112
Tech Address......... UNITED STATES
Tech Email........... [email protected]
Tech Phone........... 214 290 8620
Tech Fax............. .
Name Server.......... NS0.VERIO.NET
Name Server.......... NS1.VERIO.NET
Name Server.......... NS2.VERIO.NET
The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than VeriSign.
_____
NeoTrace Copyright ©1997-2001 NeoWorx Inc
-
September 9th, 2002, 21:18 PM
#7
Techzonez Governor
Super Moderator
To be on the safe side, I suggest you scan your PC with a Trojan Remover program. Try this one, it is a fully functional program good for 30 days:
http://www.simplysup.com/
-
September 9th, 2002, 22:16 PM
#8
Junior Member
Trojan Remover - Scan Complete
No malicious files were found and no changes were made.