View Full Version : Zone Alarm Blocking ???
Fatawan
February 2nd, 2008, 09:15 AM
I recently installed ZA, and it was logging events where my computer was trying to connect to other computers outside my network. There were 4 sites, and they were websites I had visited in the past--odd sites like my insulation contractor, or my old high school. I found these sites listed in "My Network Places" and deleted them, and the "phone home" attempts ceased, except for one (my old high school). It still attempts to connect to the high school's IP every night at 3 or 4AM. How do I find the software/code/etc. that is causing my PC to attempt this connection each night? I have searched the name, parts of the name, with no luck. Any place I should be looking?
Thanks!
Dieselman
February 2nd, 2008, 09:26 AM
Best thing to do is post this in the ZA forums first. Secondly, when ZA detected your network, did you select sharing?
Fatawan
February 2nd, 2008, 10:01 AM
For some reason, the registration at Zone Alarm keeps timing out. I have been unsuccessful over many days of attempts there. >:(
I selected high security for the internet zone (no sharing), and medium for the trusted zone (allows sharing). I just want to find the source of these "phone home" attempts. There must be something on my PC that initiates it.
Scans with Avira, Spybot S&D, Adaware, AVG, Defender, and Anonymizer Spyware have found nothing.
fax
February 2nd, 2008, 10:10 AM
-{ Quote: "For some reason, the registration at Zone Alarm keeps timing out. I have been unsuccessful over many days of attempts there. >:(
I selected high security for the internet zone(no sharing), and medium for the trusted zone(allows sharing). I just want to find the source of these "phone home" attempts. There must be something on my PC that initiates it.
Scans with Avira, Spybot S&D, Adaware, AVG, Defender, and Anonymizer Spyware have found nothing." }-
You said, ZA was logging events... where?
What is listed under the firewall zones?
Have you checked carefully under the ZA program control for programs you do not recognise as MS or installed applications? Scroll through them all and check (properties) their location.
Also try to avoid using a not very reputable spyware scanner... (e.g. Anonymizer Spyware).
It may be good to have your system checked by an expert, for example, at castlecops:
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
Please read mandatory steps before posting:
http://www.castlecops.com/t102301-Hijackthis_Guidelines_Read_Before_Posting.html
Cheers,
Fax
Bubba
February 2nd, 2008, 10:15 AM
-{ Quote: "It still attempts to connect to the high school's IP every night at 3 or 4AM. " }-
What browser are you using ?
If IE, did a Synchronize entry somehow get added ?
IE > Tools > Synchronize
Woody777
February 2nd, 2008, 10:35 AM
Try uninstalling & reinstalling. This will force the firewall to rescan all the apps. Then make sure that all the permissions except maybe the antivirus are set to ask. Make sure server permissions are set to ask. Then watch to see what program is asking for permission to connect to your old high school. If you can locate the IP, block it in the firewall. Then download A2 or SuperAntiSpyware free & see if you have any malware. This procedure usually works to let you know what app is trying to do this.
Escalader
February 2nd, 2008, 10:48 AM
-{ Quote: "I recently installed ZA, and it was logging events where my computer was trying to connect to other computers outside my network. There were 4 sites, and they were websites I had visited in the past--odd sites like my insulation contractor, or my old high school. I found these sites listed in "My Network Places" and deleted them, and the "phone home" attempts ceased, except for one (my old high school). It still attempts to connect to the high school's IP every night at 3 or 4AM. How do I find the software/code/etc. that is causing my PC to attempt this connection each night? I have searched the name, parts of the name, with no luck. Any place I should be looking?
Thanks!" }-
Do a whois on the IP, which may no longer be your old school; these things are not static over time. Find the web site name and then block that web site. This won't find the exe doing the phoning, though it will tighten up the system. In the list of blocking activity, check to see if it lists the exe's being used at the time of the block. Clean up your registry and defrag if you haven't done that since ZA was installed.
You are right to worry about phone homes.
What version / package in ZA family do you use?
Fatawan
February 2nd, 2008, 12:28 PM
-{ Quote: "You said, ZA was logging events... where?" }-
It logs them under "Alerts and Logs" under the Firewall heading. It says:
Packet sent from ***(IP address of my PC)TCP Port 4445 to ****(IP Address of old high school)(NetBIOS Session) was blocked
It blocks that one a couple times, then it tries another port on my PC, and uses a different port on the destination PC. It always tries both of them twice, always in the middle of the night, and then it doesn't try again till the next night
-{ Quote: "What is listed under the firewall zones?" }-
2 network controllers on my motherboard, DHCP server with a 192. address, two DNS servers, a loopback adapter with a 127. address, and my network printer
-{ Quote: "Have you checked carefully under the ZA program control for programs you do not recognise as MS or installed applications. Scrool them all and check (properties) their location." }-
all check out as legit
-{ Quote: "Also try to avoid using not very reputable spyware scanner... (e.g. Anonymizer Spyware)." }-
Is the whole Anonymizer program disreputable, or just the spyware scanner? It came along with the software for free.
Fatawan
February 2nd, 2008, 12:34 PM
-{ Quote: "What browser are you using ?
If IE, did a Synchronize entry somehow get added ?
IE > Tools > Synchronize" }-
I use Mozilla and IE--I couldn't find Synchronize anywhere under tools on either browser
Fatawan
February 2nd, 2008, 12:36 PM
-{ Quote: "Try Uninstalling & reinstalling. This will force the Firewall to rescan all the apps. Then make sure that all the permissions except maybe the Antivirus is set to ask. Make sure server permissions are set to ask. Then watch to see what program is asking for permission to connect to your old HighSchool. If you can locate the ip block it in the firewall. Then download A2 or SuperAntiSpyware free & see if you have any malware. This proceedure usually works to let you know what app is trying to do this." }-
ZA always blocks the outgoing packet, and I have the IP address/ports of the destination, so it never gets past the attempt stage. It just bugs me that it keeps trying!
Fatawan
February 2nd, 2008, 12:40 PM
-{ Quote: "Do a whois on the IP, which may no longer be your old school; these things are not static over time. Find the web site name and then block that web site. This won't find the exe doing the phoning, though it will tighten up the system. In the list of blocking activity, check to see if it lists the exe's being used at the time of the block. Clean up your registry and defrag if you haven't done that since ZA was installed.
You are right to worry about phone homes.
What version / package in ZA family do you use?" }-
It's still the high school's IP according to Whois. No sign of any exe's in the Zone Alarm logs. Is there anywhere in XP that logs exe's at a given time?
I will defrag now--what's the best way to clean up registry?
It's the free version of ZA, latest build.
fax
February 2nd, 2008, 12:50 PM
-{ Quote: "It logs them under "Alerts and Logs" under the Firewall heading. It says:
Packet sent from ***(IP address of my PC)TCP Port 4445 to ****(IP Address of old high school)(NetBIOS Session) was blocked
It blocks that one a couple times, then it tries another port on my PC, and uses a different port on the destination PC. It always tries both of them twice, always in the middle of the night, and then it doesn't try again till the next night." }-
Look into your TCP/IP configuration and see if anything is in there. Also disable NETBIOS.
-{ Quote: "Is the whole Anonymizer program disreputable, or just the spyware scanner? It came along with the software for free." }-
Only the spyware scanner... it was once listed as rogue. Now it is not, but I would still not trust them... there are free and better solutions (e.g. superantispyware)
Cheers,
Fax
Escalader
February 2nd, 2008, 01:28 PM
-{ Quote: "It's still the high schools IP according to Whois. No sign of any exe's in the Zone Alarm logs. Is there anywhere in XP that logs exe's at a given time?" }-
Yes, the simplest way is to use the built-in ctrl>alt>delete to bring up task manager, scan every single exe there and report back any exe you don't recognize. If it exposes an application you don't need or recognize we may be able to remove it. In the meantime, if you can do it, put the whois id's addy or site in the restricted sites list in IE. But I'm assuming IE is your browser, is that correct?
-{ Quote: "I will defrag now--what's the best way to clean up registry?" }-
Good on the defrag, restart PC after defrag please. To clean up
it means 2 steps. #1 scan for old or bad entries, then #2 compact the registry.
CCleaner is free and does step 1 but doesn't do 2. So I suggest you download a free trial of jv16 PowerTools (in Finland) and run registry clean up then reboot, then run registry compact. Reboot.
-{ Quote: " It's the free version of ZA, latest build." }-
Hmm, there is their standard free FW then the "recent" ZAAS which lets user pick his own AV tool. See below:
zaasSetup_70_408_000_en.exe I think that was a 1 year time limited deal.
Which ZA freebie did/do you use?
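Task Manager only shows which processes exist, not which one owns a socket. An added example, not code from any poster in this thread, that answers the "is there anywhere in XP that logs exe's at a given time?" question more directly: a PowerShell script that polls the connection table and records the owning process of any socket aimed at the suspect address. It assumes PowerShell 2.0 on XP SP3 or later, an administrator prompt (so that netstat -o reports owning PIDs), and a placeholder target address that you replace with the IP from the ZA alert.

```powershell
# Added example for this thread, not code from any poster.
# Polls "netstat -ano" and logs the owning process of any socket whose remote
# endpoint is the suspect host. Assumes PowerShell 2.0+ (XP SP3 or later) and
# an administrator prompt. The target IP is a placeholder, not the real one.
param(
    [string]$TargetIp        = "203.0.113.10",                 # placeholder: use the IP from the ZA log
    [int]   $IntervalSeconds = 2,
    [string]$LogFile         = "$env:USERPROFILE\phonehome.log"
)

function Get-SuspectConnections {
    param([string]$Ip)
    # netstat -ano columns: Proto  Local  Remote  [State]  PID
    # UDP rows have no State column, so the PID sits one column earlier.
    foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' })) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $ownerPid = [int]$f[4] }
        else                 { $state = '';    $ownerPid = [int]$f[3] }
        if ($f[2] -notlike "${Ip}:*") { continue }     # remote endpoint is ip:port

        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '<exited>'
        $path = '<unknown>'
        if ($proc) {
            $name = $proc.Name
            # MainModule.FileName needs rights to the target process; fall back to the name
            try { $path = $proc.MainModule.FileName } catch { $path = $proc.Name }
        }

        New-Object PSObject -Property @{
            Time    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Proto   = $f[0]
            Local   = $f[1]
            Remote  = $f[2]
            State   = $state
            PID     = $ownerPid
            Process = $name
            Path    = $path
        }
    }
}

# Poll until Ctrl-C. Each hit is appended to the log with the process name and
# image path, which is exactly what the free ZA alert does not record.
Write-Host "Watching for connections to $TargetIp; logging to $LogFile"
while ($true) {
    foreach ($h in @(Get-SuspectConnections -Ip $TargetIp)) {
        $rec = '{0} {1} {2} -> {3} {4} pid={5} {6} {7}' -f `
            $h.Time, $h.Proto, $h.Local, $h.Remote, $h.State, $h.PID, $h.Process, $h.Path
        Add-Content -Path $LogFile -Value $rec
        Write-Host $rec
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Leave it running overnight from an administrator prompt. A two-second poll can miss a single SYN that the firewall drops immediately, so if the log stays empty while ZA still reports the block, the fallback is to turn on "Audit process tracking" under Local Security Policy; XP then writes event 592 (new process created, with image name and parent PID) to the Security log, and the 3 or 4 AM timestamps in the ZA alert can be matched against it. On XP SP2 and later `netstat -bno` also prints the executable behind each socket, but it is slow enough that polling it every couple of seconds is impractical.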
Fatawan
February 2nd, 2008, 02:45 PM
-{ Quote: "Yes, the simplest way is use the build in ctrl>alt>delete to bring up task manager scan every single exe there and report back any exe you don't recognize. If it exposes an application you don't need or recognize we may be able to remove it. In the meantime, if you can do it, put the whois id's addy or site in the restricted sites list in IE. But I'm assuming IE is your browser, is that correct?" }-
Whew! Long list, but they all seem legit
I use IE and Firefox. I put it in restricted site in IE, and downloaded Blocksite for Firefox and I'll add it there.
-{ Quote: "Good on the defrag, restart PC after defrag please. To clean up
it means 2 steps. #1 scan for old or bad entries, then #2 compact the registry.
CCleaner is free an does step 1 but doesn't do 2. So I suggest you download a free trial of jv16 PowerTools (in Finland) and run registry clean up then reboot, then run registry compact. Reboot." }-
Will do.
-{ Quote: "Hmm, there is their standard free FW then the "recent" ZAAS which lets user pick his own AV tool. See below:
zaasSetup_70_408_000_en.exe I think that was a 1 year time limited deal.
Which ZA freebie did/do you use?" }-
Version 7.0.462.000
Fatawan
February 2nd, 2008, 02:48 PM
-{ Quote: "Look into your TCP/IP configuration and see if anything is in there. Also disable NETBIOS.
Only the spyware scanner... it was once listed as rogue. Now it is not, but I would still not trust them... there are free and better solutions (e.g. superantispyware)
Cheers,
Fax" }-
Where do I look in TCP/IP config in XP? I noticed my network printer uses NetBIOS--should I still disable it?(if so, how?)
Running Superantispyware as I type--thanks
fax
February 2nd, 2008, 03:51 PM
-{ Quote: "Where do I look in TCP/IP config in XP? I noticed my network printer uses NetBIOS--should I still disable it?(if so, how?)
Running Superantispyware as I type--thanks" }-
On your active network connection (in systray), right click on it, select status. A new window will open up.
Click on Properties --> scroll down and select Internet Protocol (TCP/IP) --> properties --> Check on general tab for IPs that you do not recognise.
Usually it should be set to obtain an IP address automatically and to obtain DNS automatically. Unless you have custom settings.
Then click on advanced button --> WINS tab --> NetBIOS settings --> Disable NetBIOS
Check on DNS tab --> It should not list any DNS in the box (unless you have custom settings)
Cheers,
Fax
Fatawan
February 2nd, 2008, 05:17 PM
-{ Quote: "On your active network connection (in systray), right click on it, select status. A new window will open up.
Click on Properties --> scroll down and select Internet Protocol (TCP/IP) --> properties --> Check on general tab for IPs that you do not recognise.
Usually it should be set to obtain an IP address automatically and to obtain DNS automatically. Unless you have custom settings." }-
Both set on automatic
-{ Quote: "Then click on advanced button --> WINS tab --> NetBIOS settings --> Disable NetBIOS" }-
Done
-{ Quote: "Check on DNS tab --> It should not list any DNS in the box (unless you have custom settings)
Cheers,
Fax" }-
It did not list any DNS
Thanks. We will see what happens tonight!
Escalader
February 2nd, 2008, 05:52 PM
-{ Quote: "Where do I look in TCP/IP config in XP? I noticed my network printer uses NetBIOS--should I still disable it?(if so, how?)
Running Superantispyware as I type--thanks" }-
Fatawan:
Be careful disabling services, particularly if you share resources like a network printer. Set them to manual first rather than disable. Then they will be available if needed.
The original issue you had was what exe is calling home to your old high school ip. Now as I understand it you have set up your browsers to block it.
Test your configuration and see if you can go to that site.
Using the same method for finding this phone home, monitor it and see if it happens again. If it does then your PC is using another trusted exe to do that. Have you ever downloaded any files from that site in the past? You know, stuff like pictures, anything? Schools have been known to be a source of trojans, and a call home is trojan-like behaviour.
Another idea is to add a HIPS to your set up. I would use ThreatFire (TF) from PCTools; it is also free, and if you add all ZA folders to its exclusion list they will not clash. You should also put TF in ZA's exclusion lists. TF uses a behavior analysis method, not signatures, so it is fast, and if it sees this exe of yours run it should flag it and ask you for an ok! When in doubt deny them.
Let the thread know what happens.
fax
February 2nd, 2008, 06:12 PM
-{ Quote: " Thanks. We will see what happens tonight!" }-
You're welcome, post back with the results ;)
Cheers,
Fax
Fatawan
February 2nd, 2008, 09:17 PM
-{ Quote: "Fatawan:
Be careful disabling services, particularly if you share resources like a network printer. Set them to manual first rather than disable. Then they will be available if needed.
The original issue you had was what exe is calling home to your old high school ip. Now as I understand it you have set up your browsers to block it.
Test your configuration and see if you can go to that site.
Using the same method for finding this phone home, monitor it and see if it happens again. If it does then your PC is using another trusted exe to do that. Have you ever downloaded any files from that site in the past? You know, stuff like pictures, anything? Schools have been known to be a source of trojans, and a call home is trojan-like behaviour.
Another idea is to add a HIPS to your set up. I would use ThreatFire (TF) from PCTools; it is also free, and if you add all ZA folders to its exclusion list they will not clash. You should also put TF in ZA's exclusion lists. TF uses a behavior analysis method, not signatures, so it is fast, and if it sees this exe of yours run it should flag it and ask you for an ok! When in doubt deny them.
Let the thread know what happens." }-
The only thing I did at that site was send a message to an old teacher. There was an odd form you filled out, then chose the teacher from a scroll down list, and it sent your message. It did not use my Outlook Express. There was something there on the site. I don't recall having to download anything, but I may just not remember. Firefox blocks the site completely, while IE lets me go there but has the "Restricted Site" designation on the bottom of the screen. It doesn't seem to impede access at all???
I will see what happens overnight and let you helpful folks know in the morning. If it's still phoning home, I'll try that ThreatFire program. Fingers crossed! The registry cleaner had a lot of work to do--maybe there was something left in there.
Fatawan
February 3rd, 2008, 09:00 AM
Darn it. ET tried to phone home again last night. >:( At least this time, it only tried once per port! That's a step in the right direction I guess.
On to the next step......
I am running ThreatFire now--edit:it found nothing, but I will keep it on overnight at level 5 protection to see what alerts it conjures up.
Right before I went to bed I opened task manager. It showed 43 processes--this morning, there were also 43 processes running.
I appreciate everyone's input.
fax
February 3rd, 2008, 09:22 AM
-{ Quote: "Darn it. ET tried to phone home again last night. >:( At least this time, it only tried once per port! That's a step in the right direction I guess.
On to the next step......
Right before I went to bed I opened task manager. It showed 43 processes--this morning, there were also 43 processes running.
I appreciate everyone's input." }-
Uuuhm, was NETBIOS still involved? Strange, since you have disabled it...
Fax
fax
February 3rd, 2008, 09:27 AM
-{ Quote: " I appreciate everyone's input." }-
Weird case... since you checked that there are no processes other than the MS OS involved.
One thing, just in case, please check under control panel --> Performance and maintenance --> Scheduled tasks --> Empty?
Cheers,
Fax
Fatawan
February 3rd, 2008, 09:30 AM
I had enabled NetBIOS last night for the kids to print something. DOH! On the alerts though, only one says (NetBIOS Session), and one does not. If NetBIOS was disabled, would it still attempt to make contact?
fax
February 3rd, 2008, 09:32 AM
-{ Quote: "If NetBIOS was disabled, would it still attempt to make contact?" }-
No it should not, you cut the carrier.
But you don't solve the problem that is... who/what is originating the call.
Cheers,
Fax
Fatawan
February 3rd, 2008, 09:35 AM
-{ Quote: "Weird case... since you checked that there are no processes other than the MS OS involved.
One thing, just in case, please check under control panel --> Performance and maintenance --> Scheduled tasks --> Empty?
Cheers,
Fax" }-
Anonymizer spyware scan is the only thing under "Scheduled Tasks" in the Control Panel.
If I go back to the beginning, when four of these processes were trying to phone home each night, I finally stopped three of them when I found reference to them under "My Network Places". Each one was listed there--I can't recall the exact wording though. Is it odd for websites to be referenced there? When I deleted them, the other three stopped phoning home, while this high school website persists. Odd?
fax
February 3rd, 2008, 09:47 AM
-{ Quote: "Anonymizer spyware scan is the only thing under "Scheduled Tasks" in the Control Panel.
If I go back to the beginning, when four of these processes were trying to phone home each night, I finally stopped three of them when I found reference to them under "My Network Places". Each one was listed there--I can't recall the exact wording though. Is it odd for websites to be referenced there? When I deleted them, the other three stopped phoning home, while this high school website persists. Odd?" }-
Yes, its odd... really new to me.
ZAfree does not have advanced means to control your network.
You could however, to start with, scroll through the ZA program control and change all green checks under Server column (trusted/Internet) to ? (question mark) and screen which executables are asking for server permissions and if any will do at that specific time.
Cheers,
Fax
Fatawan
February 3rd, 2008, 09:53 AM
I will do that tonight right before I go to bed. I will crank up the ThreatFire protection as well. Will it help to kill all possible processes under TaskManager and write down those that are active to compare in the morning? By the way, I do not have any web browser of any sort open at overnight, and there is not one open in the AM after these phone home attempts, if that matters.
fax
February 3rd, 2008, 10:39 AM
-{ Quote: "I will do that tonight right before I go to bed. I will crank up the ThreatFire protection as well. Will it help to kill all possible processes under TaskManager and write down those that are active to compare in the morning? By the way, I do not have any web browser of any sort open at overnight, and there is not one open in the AM after these phone home attempts, if that matters." }-
Assuming that you have only standard MS OS components, no calls should happen from your PC to outside without a specific reason, certainly not to that specific IP.
But there may be components allowed to listen to the internet that may react and answer to a call from the outside.
Setting ZA as indicated should highlight the culprit. Given the weird situation, I am not 100% sure it will be the case :blink: :blink:
By the way, have you double-checked that what is in the ZA trusted zone is correct? i.e. the DHCP IP and DNS IPs really correspond to your IPs or ISP IPs? Check with the command prompt IPCONFIG /ALL
What else is in the Trusted Zone? And what is set to Internet (if any)?
Cheers,
Fax
Fatawan
February 3rd, 2008, 10:50 AM
-{ Quote: " By the way, have you double-checked that what is in the ZA trusted zone is correct? i.e. the DHCP IP and DNS IPs really correspond to your IPs or ISP IPs? Check with the command prompt IPCONFIG /ALL
What else is in the Trusted Zone? And what is set to Internet (if any)?
Cheers,
Fax" }-
Internet Zone has only my Gigabit Ethernet controller-Packet Scheduler Miniport
Trusted Zone has DHCP Server(correct IP of my router), two DNS servers(with IP addresses of my ISP), Loopback adapter(with a 127.x.x.x address), and a printer and another PC on my network. Nothing else.
Escalader
February 3rd, 2008, 11:03 AM
-{ Quote: "I will do that tonight right before I go to bed. I will crank up the ThreatFire protection as well. Will it help to kill all possible processes under TaskManager and write down those that are active to compare in the morning? By the way, I do not have any web browser of any sort open at overnight, and there is not one open in the AM after these phone home attempts, if that matters." }-
Hello Fatawan:
Yes, I'm still working your case. By all means try to kill your own tasks, not the system tasks, and list before and after.
You have a router sharing with a 2nd PC? Do you have that router trusted or not? Do you trust that 2nd PC?
Try running with that second PC OFF line when you are on line.
Please confirm that you have jv16 and TF INSTALLED and have secured ALL your key user files on external media. This is very NB to you! Do you have all your application reinstall resources logged? IE the dvd/cd's and setup links for TF etc? Have you got the xp restore disks?
Based on your last post, refrain from using IE completely; only use your FF for now. I have set IE so it cannot start another application running; the PC works fine without it. It may be that this parasite (yes, you have one) is using IE to call home. But we don't know.
I want to research that address for your school out or the web site, please PM me those as you don't want that public.
On Task Manager I have 22 tasks running; 8 have my name on them, things like my AV and my FW/HIPS, so those you want to leave active. The other 14 processes I have are called system tasks, and 2 of those were created by my FW and AV vendors.
I think you said you had more than 40! That seems way too many, but that is just an opinion.
Can you help me help you please?
Please post a jpg of your task manager screen display; you can use Paint to create the file and upload it to this forum as an attachment. I only say this in case you haven't done that before. If you don't want to display your user name publicly, you can use Paint's edit to erase it before uploading it. It's a good thing to know that as well!
I also need you to post the screen where you see the display of this phone home, ie the actual log file. Mask off any id data pointing to your personal information like your name/ip address.
There are several more steps for you to do and they are progressively more aggressive so we will go 1 at a time.
I believe you have said you ran some scans of AV's and ASW's? Which vendors have you used so far? I want to recommend a few new scans for parasites for you but don't want to duplicate what you have done already and waste your time or mine;D
This call home parasite will be gone when you are done, so hang in please.;D :thumb:
See you
fax
February 3rd, 2008, 11:12 AM
-{ Quote: "Internet Zone has only my Gigabit Ethernet controller-Packet Scheduler Miniport
Trusted Zone has DHCP Server(correct IP of my router), two DNS servers(with IP addresses of my ISP), Loopback adapter(with a 127.x.x.x address), and a printer and another PC on my network. Nothing else." }-
OK! Sounds good.
I would however set the other PC as Internet for tonight to isolate any other external factor than your PC and the internet.
Also, once you have set the other PC as Internet, you could limit the changing of the green checks to ? (question mark) to the column named 'server' rights to the 'internet' and leave the 'server' rights to the 'trusted' zone column as it is (for the moment).
This way something should happen, the fact that you have another PC connected was also an interesting info... ;)
Fax
Fatawan
February 3rd, 2008, 01:26 PM
-{ Quote: "
You have a router sharing with a 2nd PC? Do you have that router trusted or not? Do you trust that 2nd PC? Try running with that second PC OFF line when you are on line." }-
There are 5 PC's on this router, but only one on the network with this PC. The router and 2nd PC are Trusted. I will turn all of them off tonight. The other PCs are HTPC's and only get media center updates.
-{ Quote: "Please confirm that you have jv16 and TF INSTALLED and have secured ALL your key user files on external media. This is very NB to you! Do you have all your application reinstall resources logged? IE the dvd/cd's and setup links for TF etc? Have you got the xp restore disks?" }-
Yes to all
-{ Quote: "I want to research that address for your school out or the web site, please PM me those as you don't want that public." }-
Done
-{ Quote: "Can you help me help you please?
Please post a jpg of your task manager screen display; you can use Paint to create the file and upload it to this forum as an attachment. I only say this in case you haven't done that before. If you don't want to display your user name publicly, you can use Paint's edit to erase it before uploading it. It's a good thing to know that as well!
I also need you to post the screen where you see the display of this phone home, ie the actual log file. Mask off any id data pointing to your personal information like your name/ip address." }-
The image would not upload--I'll try again later.
-{ Quote: "I believe you have said you ran some scans of AV's and ASW's? Which vendors have you used so far? I want to recommend a few new scans for parasites for you but don't want to duplicate what you have done already and waste your time or mine;D " }-
Avira, AVG, Spybot S&D, Adaware, Anonymizer, Defender, ThreatFire, SuperAntispyware
-{ Quote: "This call home parasite will be gone when you are done, so hang in please.;D :thumb:" }-
Thanks, as always.
One other bit--I visited the website months ago, but installed ZA only recently. So, this could have been going on unhindered for months without my knowledge.
Escalader
February 3rd, 2008, 03:39 PM
Hi:
I have PM'd you the site research, as there are way more ip's / sites you need to block.
Tonight, turn off 4 out of 5 PCs, power them down fully, and just have your one calling-home PC connected to the router. Close off all possible applications you can except the ZA FW, your AV, and TF. Close all browsers. Make sure ZA is at maximum logging, and clear the logs before you start.
Fatawan
February 4th, 2008, 09:09 AM
Exactly the same as last night with two attempts, just using 2 different ports on my PC, but targeting the same ports at the destination IP. No ThreatFire alerts, no difference in the processes open in Task Manager. All other PCs off.
fax
February 4th, 2008, 09:23 AM
-{ Quote: "Exactly the same as last night with two attempts, just using 2 different ports on my PC, but targeting the same ports at the destination IP. No ThreatFire alerts, no difference in the processes open in Task Manager. All other PCs off." }-
If you removed all green check marks from the server (internet) column, then it means that there is a process/executable that is set intentionally to call from your PC to the Internet. It may look like a normal process or have no specifically suspicious name.
Unfortunately, here is not possible to attach Hijack logs. But you could do a final test for tonight. Boot your machine only with ZA and standard MS services and see what happens.
This way:
1.) Click Start -> Run
2.) Type MSConfig in the run box and click OK
3.) Once in MSConfig, click the Startup Tab
4.) Remove the checks from everything except ZLClient
5.) Click the Services Tab
6.) Place a check in "Hide All Microsoft Services"
7.) Now remove checks from everything other than TrueVector Internet Monitor, and click OK.
8.) Restart your computer
NOTE: You can place your computer back into a normal startup process by going back into msconfig and choosing the Normal Startup option on the General tab.
With the above set-up we will be sure (unless you have been infected by an unknown malware) that only standard processes will be running on your system. If you do not get the call this way, you will only need to slowly put things back in your boot up until you find the culprit.
If this also fails, better to have your logs properly analysed by experts. There are many forum-based free services on the web for the purpose.
Cheers,
Fax
P.S. During the test period keep the IP of the other PC on the LAN as 'Internet' and checkmarks as before in ZA
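The msconfig bisection above works better with a written baseline of what actually autostarts, because msconfig's Startup tab does not show everything and, as this thread found, the trigger can sit in a place msconfig never looks: the network shortcuts behind "My Network Places", which Windows keeps as .lnk files in the per-user NetHood folder. An added example, not from fax's post or any other poster: a PowerShell script that dumps the Run keys, the Startup folders, non-Microsoft services, the NetHood shortcuts and their targets, and the Task Scheduler .job files, so the before/after comparison can be done by diffing two text files instead of from memory. It assumes PowerShell 2.0 on XP SP3 or later; the Startup folder paths are read from the Shell Folders registry values so the same script also works on later Windows versions.

```powershell
# Added example for this thread, not code from any poster. Writes an autostart
# baseline to a text file. Assumes PowerShell 2.0+ on XP SP3 or later.

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            New-Object PSObject -Property @{ Source = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderItems {
    # Resolve the per-user and all-users Startup folders from the registry
    # rather than hard-coding the XP "Documents and Settings" layout.
    $sf = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @(
        (Get-ItemProperty "HKCU:\$sf").Startup,
        (Get-ItemProperty "HKLM:\$sf").'Common Startup'
    )
    foreach ($d in $folders) {
        if ($d -and (Test-Path $d)) { Get-ChildItem -Path $d -Force | Select-Object FullName, LastWriteTime }
    }
}

function Get-NonMicrosoftServices {
    # Same idea as msconfig's "Hide All Microsoft Services": keep only services
    # whose binary lives outside the Windows directory.
    $win = $env:WINDIR
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and ($_.PathName -notlike "*$win*") } |
        Select-Object Name, State, StartMode, PathName
}

function Get-NetHoodShortcuts {
    # "My Network Places" entries are shortcuts kept in %USERPROFILE%\NetHood.
    # A stale web folder or UNC shortcut here is enough for the shell to reconnect.
    $nethood = Join-Path $env:USERPROFILE 'NetHood'
    if (-not (Test-Path $nethood)) { return }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $nethood -Recurse -Force -Filter *.lnk | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        New-Object PSObject -Property @{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Modified = $_.LastWriteTime }
    }
}

function Get-ScheduledJobs {
    # XP stores Task Scheduler entries as .job files under %WINDIR%\Tasks;
    # "schtasks /query /v" prints the command line behind each one.
    $tasks = Join-Path $env:WINDIR 'Tasks'
    if (Test-Path $tasks) { Get-ChildItem -Path $tasks -Filter *.job | Select-Object Name, LastWriteTime }
}

# Write each section to the report in a fixed order so two runs can be diffed.
$report = Join-Path $env:USERPROFILE ('autostart-' + (Get-Date -Format 'yyyyMMdd-HHmm') + '.txt')
$sections = @(
    @('Run keys',               { Get-RunKeyEntries }),
    @('Startup folders',        { Get-StartupFolderItems }),
    @('Non-Microsoft services', { Get-NonMicrosoftServices }),
    @('NetHood shortcuts',      { Get-NetHoodShortcuts }),
    @('Scheduled jobs',         { Get-ScheduledJobs })
)
foreach ($s in $sections) {
    "== $($s[0]) ==" | Out-File -FilePath $report -Append
    & $s[1] | Format-Table -AutoSize | Out-String -Width 200 | Out-File -FilePath $report -Append
}
Write-Host "Baseline written to $report"
```

Run it once before the msconfig test and once after each thing you re-enable, then compare the files (`fc` at a command prompt is enough). The NetHood section is the one to read first: any shortcut whose target is the school's web address or UNC path is a candidate source for a connection that happens with no browser open.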
Escalader
February 4th, 2008, 11:33 AM
-{ Quote: "Exactly the same as last night with two attempts, just using 2 different ports on my PC, but targeting the same ports at the destination IP. No ThreatFire alerts, no difference in the processes open in Task Manager. All other PCs off." }-
Hello Fatawan:
Good, you have at least eliminated the 4 PC's as part of the ongoing problem. This exe is hiding. Very devious:argh: If it was always present as a normal task it would show up. This ain't a normal task.
You may need/want to block these ip's and sites so any pressure you feel is reduced while you find and/or wipe out the parasite.
We know 99.9 % that it came from your school site, you could try the obvious and contact the web master there to see if he/she has heard of this or has a fix? You are probably not the only one with the issue.
(A) Blocking
Here are 2 ways with what you have now to block those sites and ips.
1) Load them into your hosts file, taking a backup first. See
http://www.mvps.org/winhelp2002/hosts.htm
2) Load ALL the sites and addy's into SpywareBlaster (SB). >TOOLS>CUSTOMBLOCKING, you can use SB to backup your host file first.
It is just possible the school site is already there in host as allowed, if so, just edit it to point to 127.0.0.1 your own PC and the connection should fail to go anywhere. Make sure you add the other sites used by your school as additional security.
It is too bad the free FW doesn't let you block sites and ip's.
Check again with ZA technical support or help that this is for sure the case, best to verify all data received here including mine! If it did block this whole blocking need would be over! If you can obtain and post a ZA link to this data on ZA free non blocking it would be good verification. ;D
(B) Find and wipe out if possible
Let's now try some extra web based AV/ASW scanners 1 by 1 to TRY to find this elusive parasite. No guarantees of course.
1. http://www.bitdefender.com/scan8/ie.html
2. http://www.kaspersky.com/remoteviruschk.html
3. http://us.mcafee.com/root/mfs/default.asp?affid=294
4. http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
We should run CCleaner after each run and after all 4 are run then several jv16 clean ups including search cleans for each key word in each scanner, more on this if you do this work. Some web scanners find and remove, others only find. If it only finds, record the file name and path in detail and go search for it and try to delete the exe, dll, whatever. Delete the whole folder unless it is a windows sys folder. Check here before doing this.
(C) Install Nod 32 on trial (I use this product)
http://www.eset.com/download/free_trial_download.php
The way NOD 32 works is it checks each file before opening and each exe before running.
(D) Use Spybot Search and Destroy to research your system start-up and your process list in advanced mode.
More on this if you get to this point.
Don't get discouraged, this has become a valuable thread for many members including me! You know there is a solution so it is only a matter of how many methods you can put up with! 8)
I will keep helping you to the end of it!
Fatawan
February 4th, 2008, 06:14 PM
-{ Quote: "
We know 99.9 % that it came from your school site, you could try the obvious and contact the web master there to see if he/she has heard of this or has a fix? You are probably not the only one with the issue." }-
I sent an e-mail, and have not received a response.
-{ Quote: "(A) Blocking
Here are 2 ways with what you have now to block those sites and ips.
1) Load them into your hosts file, taking a backup first. See
http://www.mvps.org/winhelp2002/hosts.htm
2) Load ALL the sites and addy's into SpywareBlaster (SB). >TOOLS>CUSTOMBLOCKING, you can use SB to backup your host file first.
It is just possible the school site is already there in host as allowed, if so, just edit it to point to 127.0.0.1 your own PC and the connection should fail to go anywhere. Make sure you add the other sites used by your school as additional security." }-
I will look at the HOSTS file info later. On SpywareBlaster, I only see the ability to block CLSID's under custom blocking. How do I block IP ranges?
-{ Quote: "It is too bad the free FW doesn't let you block sites and ip's.
Check again with ZA technical support or help that this is for sure the case, best to verify all data received here including mine! If it did block this whole blocking need would be over! If you can obtain and post a ZA link to this data on ZA free non blocking it would be good verification. ;D " }-
I will check again, but essentially it only lets me pull down TRUSTED from the menu, not BLOCKED(it is not there). I will check with ZA.
-{ Quote: "(B) Find and wipe out if possible
Let's now try some extra web based AV/ASW scanners 1 by 1 to TRY to find this elusive parasite. No guarantees of course.
1. http://www.bitdefender.com/scan8/ie.html
2. http://www.kaspersky.com/remoteviruschk.html
3. http://us.mcafee.com/root/mfs/default.asp?affid=294
4. http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
We should run CCleaner after each run and after all 4 are run then several jv16 clean ups including search cleans for each key word in each scanner, more on this if you do this work. Some web scanners find and remove, others only find. If it only finds, record the file name and path in detail and go search for it and try to delete the exe, dll, whatever. Delete the whole folder unless it is a windows sys folder. Check here before doing this." }-
Nothing found on all 4 scans.
-{ Quote: "(C) Install Nod 32 on trial (I use this product)
http://www.eset.com/download/free_trial_download.php
The way NOD 32 works is it checks each file before opening and each exe before running.
(D) Use Spybot Search and Destroy to research your system start-up and your process list in advanced mode.
More on this if you get to this point." }-
On the To-Do list.
-{ Quote: "Don't get discouraged, this has become a valuable thread for many members including me! You know there is a solution so it is only a matter of how many methods you can put up with! 8)
I will keep helping you to the end of it!" }-
Not discouraged yet! Obviously something inside my PC wants to contact that IP address.
I apologize for one mistake. I forgot what Fax had said about making sure all the ZA program controls should be set to "?" I will absolutely do that tonight and once again report back.
Fatawan
February 4th, 2008, 06:18 PM
-{ Quote: "If you removed all green check marks from the server (internet) then it means that there is a process/executable that is set intentionally to call from your PC to the Internet. It may look like a normal process or with no specific suspicious name.
Unfortunately, here it is not possible to attach Hijack logs. But you could do a final test for tonight. Boot your machine only with ZA and standard MS services and see what happens.
This way:
1.) Click Start -> Run
2.) Type MSConfig in the run box and click OK
3.) Once in MSConfig, click the Startup Tab
4.) Remove the checks from everything except ZLClient
5.) Click the Services Tab
6.) Place a check in "Hide All Microsoft Services"
7.) Now remove checks from everything other than TrueVector Internet Monitor, and click OK.
8.) Restart your computer
NOTE: You can place your computer back into a normal startup process by going back into msconfig and choosing the Normal Startup option on the General tab.
With the above set-up we will be sure (unless you have been infected by an unknown malware) that only standard processes will be running on your system. If you do not get the call this way, you will only need to slowly put things back into your boot-up until you find the culprit.
If this also fails, better to have your logs properly analysed by experts. There are many forum-based free services on the web for the purpose.
Cheers,
Fax
P.S. During the test period keep the IP of the other PC on the LAN as 'Internet' and checkmarks as before in ZA" }-
I forgot about removing all the green check marks--DOH! Will do this tonight along with the start-up changes. Ok to do them simultaneously?
fax
February 4th, 2008, 06:23 PM
-{ Quote: "I forgot about removing all the green check marks--DOH! Will do this tonight along with the start-up changes. Ok to do them simultaneously?" }-
Yes, it's OK.
We need to find the source of the problem. Then you can worry about blocking IPs or adding more security tools.
Cheers,
Fax
Escalader
February 4th, 2008, 08:55 PM
-{ Quote: " sent an e-mail, and have not received a response" }-
Right, they may never reply, hope I'm wrong.
I took another look following your PM and am very sure now that IF you signed up for email newsletters that this is what is happening, some exe got installed NOT a parasite in the sense that you asked for the service (if you did) and it is calling your alma mater to see if there is any news etc. Have you been receiving email from them?
-{ Quote: "I will look at the HOSTS file info later. On SpywareBlaster, I only see the ability to block CLSID's under custom blocking. How do I block IP ranges?" }-
You can't put in ranges, but the web sites should translate okay, or just put in the ip's one by one, there aren't that many. I just did it so I know it takes a numeric addy. If you get a FW that can block ranges and or sites that would be the way to deal with this blocking part but that is for later.
-{ Quote: "I will check again, but essentially it only lets me pull down TRUSTED from the menu, not BLOCKED(it is not there). I will check with ZA." }-
Okay, it must be right then, disappointing. But I'm glad you checked.
-{ Quote: "Nothing found on all 4 scans. " }-
Great News! The chances then of this being a real parasite/virus/evil trojan IMHO are now as near zero as you can get. This is good. Less risk. Most likely a call for that newsletter, given you did sign up.
-{ Quote: "On the To-Do list." }-
NOD 32 would open the call home if it is not a known virus or bad program as per its definition. TF likes it as well! This doesn't knock out NOD 32 as a good tool for you in the future. It also scans all exe's in memory so that is a possibility.
-{ Quote: " Not discouraged yet! Obviously something inside my PC wants to contact that IP address. " }-
Agreed, I suspect the email service, unless you didn't sign up.
-{ Quote: "I apologize for one mistake. I forgot what Fax had said about making sure all the ZA program controls should be set to "?" I will absolutely do that tonight and once again report back." }-
Not a problem, nobody is ever 100%!! Not in this field, learning all the time only way to go IMO!! 8)
Out of curiosity will you stay up to monitor the prompts from ZA?
Does this thing always call at the same time of day? I have this wild idea of forcing it out by setting the computer clock wrong on purpose to let you get started on your time not this calling exe!
Capture the logs please so if you id it you can post its file name/folder etc.
Does that school have a windows folder in your programs folder on C? If it does check it for dll's, exe, or files with dates about 1 year ago or no extensions. But I fear this won't be that easy!
Good luck!8)
Fatawan
February 4th, 2008, 10:22 PM
-{ Quote: "I took another look following your PM and am very sure now that IF you signed up for email newsletters that this is what is happening, some exe got installed NOT a parasite in the sense that you asked for the service ( if you did) and it is calling your amla mater to see if there is any news etc. Have you been receiving email from them?" }-
I never signed up for the newsletter. I only sent a message to a teacher via the "contact us" page. I got a single e-mail reply from the teacher, but I do not get any e-mails from the school.
-{ Quote: "Out of curiosity will you stay up to monitor the prompts from ZA?
Does this thing always call at the same time of day? I have this wild idea of forcing it out by setting the computer clock wrong on purpose to let you get started on your time not this calling exe!" }-
I won't stay up--I only get 5 hours of sleep, but I need those 5 hours!:) It always happens in the 3-4AM time period, but not the exact same time.
-{ Quote: "Does that school have a windows folder in your programs folder on C? If it does check it for dll's, exe, or files with dates about 1 year ago or no extensions. But I fear this won't be that easy!" }-
No instance of any part of the school's name or website anywhere on my PC.
Fatawan
February 5th, 2008, 08:19 AM
Wooohooo!
ET did not phone home last night! This is with nothing but MS services and ZA running.
Next step?
fax
February 5th, 2008, 08:28 AM
-{ Quote: "Wooohooo!
ET did not phone home last night! This is with nothing but MS services and ZA running.
Next step?" }-
GREAT! ;D
Now start to enable back the items you have unchecked, let's say by groups of four or five (keep note of them).
Start with the services and then move to the startup items.
Then wait for the call home... ;)
It will take time... but you will get there!
Cheers,
Fax
Escalader
February 5th, 2008, 09:14 AM
-{ Quote: "Wooohooo!
ET did not phone home last night! This is with nothing but MS services and ZA running.
Next step?" }-
Great news!
So now you know those exe's and ZA's exe's aren't calling home to school!
You need to proceed to id the ET which must be in or triggered by one of the applications you did not run.
Start with the original 40-plus tasks, take the list and highlight the innocent ones from last night (green?).
Tonight mark in ? all the tasks added by allowing email, as follows: try exactly the same thing but add your email client(s) and tick them green in ZA. Then keep this up 'til ET hits again! It's Miss Scarlet in the library with the pipe wrench.
ET still exists (maybe)
BTW I was sad to realize that SpyBlaster does NOT block access to the school site/ip, it only claims to prevent active x. Shows the folly of not remembering to read help! I was able to prevent access to the site using PG 2. I now need to find out if my FW does the same on "blocked" sites. It worked on youtube, but not on a specific ip >:(
Stay with it!;D
Fatawan
February 5th, 2008, 05:59 PM
I discovered one other possible error in what I was doing that could have affected results. When running the jv16 registry cleaner yesterday, I noticed you have to go to each "branch" on the tree of results and hit "fix". It doesn't do them all at once. When I was cleaning up after all those online AV scans yesterday, I figured that out and cleaned up everything possible. So, just as a test to see if THAT was the real cure last night, I am going to turn everything back on for start-up and see if ET phones home or not. If he does, I will go back to turning things back on one by one. I am hoping it was just some lost fragment in the registry doing all this. CCleaner didn't fix it, but maybe the jv16 did??? I'd like to find out by re-enabling everything tonight and see what happens. Sound like a decent plan?
Escalader
February 5th, 2008, 06:13 PM
-{ Quote: "I discovered one other possible error in what I was doing that could have affected results. When running the jv16 registry cleaner yesterday, I noticed you have to go to each "branch" on the tree of results and hit "fix". It doesn't do them all at once. When I was cleaning up after all those online AV scans yesterday, I figured that out and cleaned up everything possible. So, just as a test to see if THAT was the real cure last night, I am going to turn everything back on for start-up and see if ET phones home or not. If he does, I will go back to turning things back on one by one. I am hoping it was just some lost fragment in the registry doing all this. CCleaner didn't fix it, but maybe the jv16 did??? I'd like to find out by re-enabling everything tonight and see what happens. Sound like a decent plan?" }-
Hi Fatawan:
It is tedious to go one by one, so you can try!
FWIW, in jv16 if you hold Ctrl down and left click on each branch of its tree, the user can highlight more than 1 then hit fix, all will be done in one pass.
What happened on the ZA log question?
Stem
February 5th, 2008, 06:36 PM
Hello,
Just curious, has anyone looked at "smb"? (I did note that port 4445 was being used... was this actually 445?)
I also noted the need to remove certain sites from "My network places", when/how have these been added?
I would look at WINS and LMHOSTS to check for any entries; entries within these can cause the update function to verify.
Please advise
Fatawan
February 5th, 2008, 08:05 PM
-{ Quote: "Hello,
Just curious, has anyone looked at "smb"? (I did note that port 4445 was being used... was this actually 445?)
I also noted the need to remove certain sites from "My network places", when/how have these been added?
I would look at WINS and LMHOSTS to check for any entries; entries within these can cause the update function to verify.
Please advise" }-
Did I write 4445? Sorry--that's 445 (and 139)--these were the ports on the destination IP address at the high school. As for the entries in My Network Places, it appears they were put there after some kind of download--at least I know that in the case of my insulation contractor website, and an FTP site for Intel downloads. Not sure about my high school as I don't recall downloading anything (maybe I tried and aborted??? I sure don't remember if I did).
Where do I look in WINS and LMHOSTS?
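Stem's SMB question and the ports Fatawan confirms above (445 and 139) are exactly what a firewall log can be checked for automatically: outbound SMB/NetBIOS to an address outside the LAN is almost never legitimate and is worth flagging regardless of which exe is behind it. The script below is an added example, not posted by anyone in this thread and not ZoneAlarm code; the log lines and their format are constructed for illustration (not ZA's real log format), and the "LAN" address ranges are an assumption standing in for ZA's Trusted zone.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the thread settled on: NetBIOS session service (139) and SMB (445).
SMB_PORTS = {139, 445}
# Address ranges that count as the local network rather than the Internet (assumption).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log in a made-up format (NOT ZoneAlarm's real log format):
# <date> <time> <direction> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2008-02-03 03:41:12 OUT TCP 192.168.1.10:1032 -> 192.168.1.20:445
2008-02-03 03:42:05 OUT TCP 192.168.1.10:1033 -> 203.0.113.45:445
2008-02-03 03:42:08 OUT TCP 192.168.1.10:1034 -> 203.0.113.45:139
2008-02-03 14:10:00 OUT TCP 192.168.1.10:1105 -> 198.51.100.7:80
2008-02-03 03:43:00 IN  TCP 203.0.113.9:4451 -> 192.168.1.10:445
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<hour>\d{2}):\d{2}:\d{2} (?P<dir>IN|OUT)\s+\w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Split one constructed log line into fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"hour": int(m["hour"]), "direction": m["dir"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_external(ip_text):
    """True unless the address is RFC 1918 private, loopback or link-local."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LAN_NETS)


def find_smb_leaks(log_text, quiet_hours=range(0, 6)):
    """Outbound 139/445 attempts to Internet hosts, marking those made in the quiet window."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "OUT":
            continue  # skip unparsable lines and inbound traffic
        if rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            rec["off_hours"] = rec["hour"] in quiet_hours
            findings.append(rec)
    return findings


def summarize(findings):
    """Map each flagged destination to the sorted SMB ports it was contacted on."""
    ports = defaultdict(set)
    for rec in findings:
        ports[rec["dst"]].add(rec["dport"])
    return {dst: sorted(p) for dst, p in ports.items()}


if __name__ == "__main__":
    hits = find_smb_leaks(SAMPLE_LOG)
    print(summarize(hits))  # {'203.0.113.45': [139, 445]}
```

Once a destination is flagged this way, the next step is the one Fax describes later in the thread: bisect the start-up list until the attempt disappears, since the log alone does not name the process.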
Fatawan
February 5th, 2008, 08:08 PM
-{ Quote: "Hi Fatawan:
What happened on the ZA log question?" }-
I'm not sure what the question was?? There was absolutely nothing logged overnight. Zero.
Escalader
February 5th, 2008, 08:10 PM
-{ Quote: "Hello,
Just curious, has anyone looked at "smb"? (I did note that port 4445 was being used... was this actually 445?)
I also noted the need to remove certain sites from "My network places", when/how have these been added?
I would look at WINS and LMHOSTS to check for any entries; entries within these can cause the update function to verify.
Please advise" }-
Hello Stem:
Good we can use your help here on Fatawan's ET thread puzzle!
On smb, here is mine posted only as a model in case it helps you tell us how to view/edit/delete entries. For my own part I have always questioned these duplicates, but what would an ET look like in this folder? In mine the red is PC Tools spam monitor db. I hope I don't have ET's evil twin in here.
SMBINST.EXE System Management BIOS Driver Installer C:\I386
SMBINST.EXE System Management BIOS Driver Installer C:\WINDOWS\SYSTEM32
smbinst.exe System Management BIOS Driver Installe C:\WINDOWS\SYSTEM32\DLLCACHE
SmBayes.db C:\Documents and Settings\xxxx\Application Data\Spam Monitor
SmBayes.db C:\Documents and Settings\NetworkService\Application Data\Spam Monitor
SMB6W.DL_ C:\I386
MRXSMB.SYS C:\I386
MSSMBIOS.SYS C:\I386
mrxsmb.sys C:\WINDOWS\Driver Cache\I386
mrxsmb.sys C:\WINDOWS\SYSTEM32\DLLCACHE
mssmbios.sys C:\WINDOWS\SYSTEM32\DLLCACHE
mrxsmb.sys C:\WINDOWS\SYSTEM32\DRIVERS
MSSMBIOS.SYS C:\WINDOWS\SYSTEM32\DRIVERS
mrxsmb.sys C:\WINDOWS\$hf_mig$\KB885250\SP2QFE
mrxsmb.sys C:\WINDOWS\$hf_mig$\KB885835\SP2QFE
mrxsmb.sys C:\WINDOWS\$hf_mig$\KB914389\SP2QFE
Escalader
February 5th, 2008, 08:17 PM
-{ Quote: "I'm not sure what the question was?? There was absolutely nothing logged overnight. Zero." }-
Hi again:
I know that your ZA is not allowing this phone home to succeed. That is good.
I was asking if their log (when the attempt was made) could be made to include the exe and path where the program being blocked lives? Maybe this is more a question for ZA!
fax
February 6th, 2008, 05:14 AM
-{ Quote: "Where do I look in WINS and LMHOSTS?" }-
Probably Stem refers to the smb settings we have already reviewed initially (TCP/IP panel).
See this tutorial on how to get there:
http://csg.trinhall.cam.ac.uk/tips/smb/winxp
Of course the tutorial is targeted to a university campus so don't take those IP numbers into your systems :D but check around for entries that should not be there. However if it was a TCP issue, it should have also happened when you started with ZA and XP standard services.
And I doubt it's an issue with registry cleaners...
Cheers,
Fax
Fatawan
February 6th, 2008, 08:26 AM
With everything back as it was in the start-up menu, there was once again NO phone home! Wooohooo!
If that changes, I will be back here to update you all.
Perhaps it was something leftover that jv16 cleared out yesterday. Whatever it was, it has stopped, and for that, I thank you all very much.:thumb:
fax
February 6th, 2008, 09:42 AM
-{ Quote: "With everything back as it was in the start-up menu, there was once again NO phone home! Wooohooo!
If that changes, I will be back here to update you all.
Perhaps it was something leftover that jv16 cleared out yesterday. Whatever it was, it has stopped, and for that, I thank you all very much.:thumb:" }-
Great! ;D
Keep watching ... 8)
Cheers,
Fax
Escalader
February 6th, 2008, 02:06 PM
-{ Quote: "With everything back as it was in the start-up menu, there was once again NO phone home! Wooohooo!
If that changes, I will be back here to update you all.
Perhaps it was something leftover that jv16 cleared out yesterday. Whatever it was, it has stopped, and for that, I thank you all very much.:thumb:" }-
Okay, that is good news for sure.
You did so many scans and cleans, any one of them could have done ET in!
My only regret is not knowing exactly what the id was of the executable.
But that is just academic now.
PS I'm looking at Stem's hint on those folders to see what I can clean out myself. In this security quest less is better!
See you!;D