Zone Alarm Blocking ???

Discussion in 'other firewalls' started by Fatawan, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Anonymizer spyware scan is the only thing under "Scheduled Tasks" in the Control Panel.

    If I go back to the beginning, when four of these processes were trying to phone home each night, I finally stopped three of them when I found reference to them under "My Network Places". Each one was listed there--I can't recall the exact wording though. Is it odd for websites to be referenced there? When I deleted them, the other three stopped phoning home, while this high school website persists. Odd?
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, it's odd... really new to me.
    ZAfree does not have advanced means to control your network.

    You could however, to start with, scroll through the ZA program control and change all green checks under Server column (trusted/Internet) to ? (question mark) and screen which executables are asking for server permissions and if any will do at that specific time.

    Cheers,
    Fax
     
  3. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I will do that tonight right before I go to bed. I will crank up the ThreatFire protection as well. Will it help to kill all possible processes under TaskManager and write down those that are active to compare in the morning? By the way, I do not have any web browser of any sort open at overnight, and there is not one open in the AM after these phone home attempts, if that matters.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Assuming that you have only standard MS OS components, no calls should happen from your PC to outside without a specific reason, certainly not on that specific IP.

    But there may be components allowed to listen to the internet that may react and answer to a call from the outside.

    Setting ZA as indicated should highlight the culprit. Given the weird situation, I am not 100% sure it will be the case :blink: :blink:

    By the way, have you double checked that what is in the ZA trusted zone is correct? i.e. the DHCP IP and DNS IPs really correspond to your IPs or ISP IPs? Check with the command prompt IPCONFIG /ALL

    What else is in the Trusted Zone? And what is set to Internet (if any)?

    Cheers,
    Fax
     
  5. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Internet Zone has only my Gigabit Ethernet controller-Packet Scheduler Miniport
    Trusted Zone has DHCP Server(correct IP of my router), two DNS servers(with IP addresses of my ISP), Loopback adapter(with a 127.x.x.x address), and a printer and another PC on my network. Nothing else.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Fatawan:

    Yes I'm still working your case. By all means try to kill your own tasks, not the systems tasks and list before and after.

    You have a router sharing with a 2nd PC? Do you have that router trusted or not? Do you trust that 2nd PC?

    Try running with that second PC OFF line when you are on line.

    Please confirm that you have jv16 and TF INSTALLED and have secured ALL your key user files on external media. This is very NB to you! Do you have all your application reinstall resources logged? IE the dvd/cd's and setup links for TF etc? Have you got the xp restore disks?

    Based on your last post, refrain from using IE completely, only use your FF for now. I have set IE so it cannot start another application running, PC works fine without it. It may be that this parasite (yes you have one) is using IE to call home. But we don't know.

    I want to research that address for your school out or the web site, please PM me those as you don't want that public.

    On Task Manager I have 22 tasks running, 8 have my name on them, things like my AV and my FW/HIPS so for those you want to leave active. The other 14 processes I have are called systems tasks and 2 of those were created by my FW and AV vendors.

    I think you said you had more than 40! That seems way too many but that is just an opinion.

    Can you help me help you please?

    Please post a jpg of your task manager screen display, you can use Paint to create the file and upload it to this forum as an attachment. I only say this in case you haven't done that before. If you don't want to display your user name publicly, you can use paint edit to erase it before uploading it. It's a good thing to know that as well!

    I also need you to post the screen where you see the display of this phone home, ie the actual log file. Mask off any id data pointing to your personal information like your name/ip address.

    There are several more steps for you to do and they are progressively more aggressive so we will go 1 at a time.

    I believe you have said you ran some scans of AV's and ASW's? Which vendors have you used so far? I want to recommend a few new scans for parasites for you but don't want to duplicate what you have done already and waste your time or mine:D

    This call home parasite will be gone when you are done, so hang in please.:D :thumb:

    See you
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    OK! Sounds good.
    I would however set the other PC as Internet for tonight to isolate any other external factor than your PC and the internet.

    Also, once you have set the other PC as Internet you could limit the changing of the green checks to ? (Question mark) for the column named 'server' rights to the 'internet' and leave 'server' right to 'trusted' zone column as it is (for the moment).

    This way something should happen, the fact that you have another PC connected was also an interesting info... ;)

    Fax
     
  8. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    There are 5 PC's on this router, but only one on the network with this PC. The router and 2nd PC are Trusted. I will turn all of them off tonight. The other PCs are HTPC's and only get media center updates.

    Yes to all

    Done

    The image would not upload--I'll try again later.

    Avira, AVG, Spybot S&D, Adaware, Anonymizer, Defender, ThreatFire, SuperAntispyware

    Thanks, as always.

    One other bit--I visited the website months ago, but installed ZA only recently. So, this could have been going on unhindered for months without my knowledge.
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi:

    I have PM'd you the site research, as there are way more ip's / sites you need to block.

    Tonight, turn off 4 out of 5 PC's, power them down fully, just have your 1 calling-home PC connected to the router. Close off all possible applications you can except ZA FW, your AV, and TF. Close all browsers. Make sure ZA is on maximum logging, clear logs before you start.
     
  10. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Exactly the same as last night with two attempts, just using 2 different ports on my PC, but targeting the same ports at the destination IP. No ThreatFire alerts, no difference in the processes open in Task Manager. All other PCs off.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    If you removed all green check marks from the server (internet) then it means that there is a process/executable that is set intentionally to call from your PC to the Internet. It may look like a normal process or with no specific suspicious name.

    Unfortunately, here it is not possible to attach Hijack logs. But you could do a final test for tonight. Boot your machine only with ZA and standard MS services and see what happens.

    This way:
    1.) Click Start -> Run
    2.) Type MSConfig in the run box and click OK
    3.) Once in MSConfig, click the Startup Tab
    4.) Remove the checks from everything except ZLClient
    5.) Click the Services Tab
    6.) Place a check in "Hide All Microsoft Services"
    7.) Now remove checks from everything other than TrueVector Internet Monitor, and click OK.
    8.) Restart your computer

    NOTE: You can place your computer back into a normal startup process by going back into msconfig and choosing the Normal Startup option on the General tab.

    With the above set-up we will be sure (unless you have been infected by an unknown malware) that only standard processes will be running on your system. If you do not get the call this way, you will only need to slowly put things back in your boot up until you find the culprit.

    If this also fails, better to have your logs properly analysed by experts. There are many forum-based free services on the web for the purpose.

    Cheers,
    Fax
    P.S. During the test period keep the IP of the other PC on the LAN as 'Internet' and checkmarks as before in ZA
     
    Last edited: Feb 4, 2008
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Fatawan:

    Good, you have at least eliminated the 4 PC's as part of the ongoing problem. This exe is hiding. Very devious:argh: If it was always present as a normal task it would show up. This ain't a normal task.

    You may need/want to block these ip's and sites so any pressure you feel is reduced while you find and/or wipe out the parasite.

    We know 99.9 % that it came from your school site, you could try the obvious and contact the web master there to see if he/she has heard of this or has a fix? You are probably not the only one with the issue.

    (A) Blocking

    Here are 2 ways with what you have now to block those sites and ips.

    1) Load them into your hosts file, taking a backup first. See
    http://www.mvps.org/winhelp2002/hosts.htm

    2) Load ALL the sites and addy's into SpywareBlaster (SB). >TOOLS>CUSTOMBLOCKING, you can use SB to backup your host file first.

    It is just possible the school site is already there in host as allowed, if so, just edit it to point to 127.0.0.1 your own PC and the connection should fail to go anywhere. Make sure you add the other sites used by your school as additional security.

    It is too bad the free FW doesn't let you block sites and ip's.
    Check again with ZA technical support or help that this is for sure the case, best to verify all data received here including mine! If it did block this whole blocking need would be over! If you can obtain and post a ZA link to this data on ZA free non blocking it would be good verification. :D

    (B) Find and wipe out if possible

    Let's now try some extra web based AV/ASW scanners 1 by 1 to TRY to find this elusive parasite. No guarantees of course.

    1. http://www.bitdefender.com/scan8/ie.html
    2. http://www.kaspersky.com/remoteviruschk.html
    3. http://us.mcafee.com/root/mfs/default.asp?affid=294
    4. http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym

    We should run CCleaner after each run and after all 4 are run then several jv16 clean ups including search cleans for each key word in each scanner, more on this if you do this work. Some web scanners find and remove others only find. If it finds only record the file name and path in detail and go search for it and try to delete the exe, dll what ever. Delete the whole folder unless it is a windows sys folder. Check here before doing this.

    (C) Install Nod 32 on trial (I use this product)

    http://www.eset.com/download/free_trial_download.php

    The way NOD 32 works is it checks each file before opening and each exe before running.


    (D) Use Spybot Search and Destroy to research your system start and your process list in advanced mode.

    More on this if you get to this point.

    Don't get discouraged, this has become a valuable thread for many members including me! You know there is a solution so it is only a matter of how many methods you can put up with! :cool:

    I will keep helping you to the end of it!
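    An added illustration of the hosts-file blocking described in (A) above (this is example code, not something posted in the thread or shipped with any tool named here): it parses hosts-file text, reports target names that are already mapped to a non-loopback address, and rewrites those names to 127.0.0.1 while taking a .bak copy first. The hostnames, addresses and sample file contents are constructed.

```python
"""Sinkhole hostnames in a Windows-style hosts file (added example, not from the thread)."""
from __future__ import annotations
import shutil

LOOPBACK = "127.0.0.1"

# Constructed sample hosts file: one target name is already present as an
# ordinary ("allowed") entry pointing at a real address (203.0.113.10 is a
# documentation-range IP used here as a placeholder).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.school-site.example   # constructed: existing allowed entry
192.0.2.5       printer.lan
"""


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [hostnames]) for every active line, ignoring comments."""
    entries: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()       # drop trailing comments
        fields = code.split()
        if len(fields) >= 2:
            entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def conflicting_entries(text: str, hosts: list[str]) -> list[tuple[str, str]]:
    """Target names already mapped somewhere other than loopback (would bypass the block)."""
    wanted = {h.lower() for h in hosts}
    return [(addr, name) for addr, names in parse_hosts(text)
            for name in names if name in wanted and addr != LOOPBACK]


def sinkhole(text: str, hosts: list[str]) -> str:
    """Return hosts text with every name in `hosts` mapped to 127.0.0.1.

    Existing lines for those names are rewritten in place (other names on the
    same line keep their original address); names not present are appended.
    """
    wanted = {h.lower() for h in hosts}
    out: list[str] = []
    done: set[str] = set()
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        fields = code.split()
        hit = [h for h in fields[1:] if h.lower() in wanted] if len(fields) >= 2 else []
        if not hit:
            out.append(raw)                        # untouched line (or comment)
            continue
        keep = [h for h in fields[1:] if h.lower() not in wanted]
        if keep:                                   # preserve the non-target names
            out.append(" ".join([fields[0], *keep]) + (hash_ + comment if hash_ else ""))
        out.append(f"{LOOPBACK} {' '.join(hit)}  # sinkholed")
        done.update(h.lower() for h in hit)
    missing = [h for h in dict.fromkeys(hosts) if h.lower() not in done]
    if missing:
        out.append("# added sinkhole entries")
        out.extend(f"{LOOPBACK} {h}" for h in missing)
    return "\n".join(out) + "\n"


def rewrite_file(path: str, hosts: list[str]) -> str:
    """Back up `path` to `path + '.bak'`, then write the sinkholed version; returns backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(sinkhole(text, hosts))
    return backup
```

    Note that a hosts entry only affects name lookups; a program that connects straight to a destination IP address (as the logged attempts to ports 445 and 139 suggest) is not stopped by it.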
     
  13. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I sent an e-mail, and have not received a response

    I will look at the HOSTS file info later. On SpywareBlaster, I only see the ability to block CLSID's under custom blocking. How do I block IP ranges?

    I will check again, but essentially it only lets me pull down TRUSTED from the menu, not BLOCKED(it is not there). I will check with ZA.

    Nothing found on all 4 scans.

    On the To-Do list.

    Not discouraged yet! Obviously something inside my PC wants to contact that IP address.

    I apologize for one mistake. I forgot what Fax had said about making sure all the ZA program controls should be set to "?" I will absolutely do that tonight and once again report back.
     
  14. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I forgot about removing all the green check marks--DOH! Will do this tonight along with the start-up changes. Ok to do them simultaneously?
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, it's OK.

    We need to find the source of the problem. Then you can worry about blocking IPs or adding more security tools.

    Cheers,
    Fax
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Right, they may never reply, hope I'm wrong.

    I took another look following your PM and am very sure now that IF you signed up for email newsletters that this is what is happening, some exe got installed, NOT a parasite in the sense that you asked for the service (if you did) and it is calling your alma mater to see if there is any news etc. Have you been receiving email from them?

    You can't put in ranges, but the web sites should translate okay, or just put in the ip's one by one, there aren't that many. I just did it so I know it takes a numeric addy. If you get a FW that can block ranges and or sites that would be the way to deal with this blocking part but that is for later.

    Okay, it must be right then, disappointing. But I'm glad you checked

    Great News! The chances then of this being a real parasite/virus/ evil trojan IMHO are now as near zero as you can get. This is good. Less risk. Most likely a call for that newsletter, given you did sign up.

    NOD 32 would open the call home if it is not a known virus or bad program as per its definition. TF likes it as well! This doesn't knock out NOD 32 as good tool for you in the future. It also scans all exe's in memory so that is a possible .

    Agreed, I suspect the email service, unless you didn't sign up.

    Not a problem, nobody is ever 100%!! Not in this field, learning all the time only way to go IMO!! :cool:

    Out of curiosity will you stay up to monitor the prompts from ZA?

    Does this thing always call at the same time of day? I have this wild idea of forcing it out by setting the computer clock wrong on purpose to let you get started on your time not this calling exe!

    Capture the logs please so if you id it you can post it's file name/ folder etc.

    Does that school have a windows folder in your programs folder on C? If it does check it for dll's, exe, or files with dates about 1 year ago or no extensions. But I fear this won't be that easy!

    Good luck!:cool:
     
  17. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I never signed up for the newsletter. I only sent a message to a teacher via the "contact us" page. I got a single e-mail reply from the teacher, but I do not get any e-mails from the school.

    I won't stay up--I only get 5 hours of sleep, but I need those 5 hours!:) It always happens in the 3-4AM time period, but not the exact same time.

    No instance of any part of the school's name or website anywhere on my PC.
     
  18. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Wooohooo!

    ET did not phone home last night! This is with nothing but MS services and ZA running.

    Next step?
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    GREAT! :D

    Now start to enable back the items you have unchecked, lets say by group of four or five (keep note of them).

    Start with the services and then move to the startup items.

    Then wait for the call home... ;)
    It will take time... but you will get there!

    Cheers,
    Fax
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Great news!

    So now you know those exe's and ZA's exe's aren't calling home to school !

    You need to proceed to id the ET which must be in or triggered by one of the applications you did not run.

    Starting with the original 40 plus tasks, take the list and highlight the innocent ones from last night (green?)

    Tonight mark in ? all the tasks added by allowing email as follows try exactly the same thing but add your email client(s) and tick them green in ZA. Then keep this up til ET hits again! It's Miss Scarlet on the library with the pipe wrench

    ET still exists (maybe)

    BTW I was sad to realize that SpyBlaster does NOT prevent block access to the school site/ip only claims to prevent active x. Shows the folly of not remembering to read help! I was able to prevent access to the site using PG 2. I now need to find out if my FW does the same on "blocked" sites. It worked on youtube, but not on a specific ip :mad:

    Stay with it!:D
     
    Last edited: Feb 5, 2008
  21. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I discovered one other possible error in what I was doing that could have affected results. When running the jv16 registry cleaner yesterday, I noticed you have to go to each "branch" on the tree of results and hit "fix". It doesn't do them all at once. When I was cleaning up after all those online AV scans yesterday, I figured that out and cleaned up everything possible. So, just as a test to see if THAT was the real cure last night, I am going to turn everything back on for start-up and see if ET phones home or not. If he does, I will go back to turning things back on one by one. I am hoping it was just some lost fragment in the registry doing all this. CCleaner didn't fix it, but maybe the jv16 did o_O I'd like to find out by re-enabling everything tonight and see what happens. Sound like a decent plan?
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Fatawan:

    It is tedious to go one by one, so you can try!

    FWIW, in jv16 if you hold Ctrl down and left click on each branch of its tree you can highlight more than 1, then hit fix and all will be done in one pass.

    What happened on the ZA log question?
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    Just curious, has anyone looked at "smb"? (I did note that port 4445 was being used,.. was this actually 445?)

    I also noted the need to remove certain sites from "My network places", when/how have these been added?

    I would look at Wins and Lmhosts to check for any entries, entries within these can cause update function to verify.

    Please advise
     
  24. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Did I write 4445? Sorry--that's 445 (and 139)--these were the ports on the destination IP address at the high school. As for the entries in My Network Places, it appears they were put there after some kind of download--at least I know that in the case of my insulation contractor website, and an FTP site for Intel downloads. Not sure about my high school as I don't recall downloading anything (maybe I tried and aborted o_O I sure don't remember if I did).

    Where do I look in Wins and Lmhosts?
     
  25. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I'm not sure what the question was?? There was absolutely nothing logged overnight. Zero.
     