Am I infected???

Discussion in 'Malware Help (A Specialist Will Reply)' started by rschoner, Nov 23, 2005.

  1. rschoner

    rschoner Private E-2

    Hi,
    Everything seems to be working well, no slowdowns etc. But, yesterday I started getting a popup after I turn the computer on and before I connect to the Internet (I'm on dial up). The message says that I, or a program, has requested info from a particular site and asks to connect. If I click "Cancel" a new request with a different site appears a few seconds later. I recorded the sites it is trying to connect to, some are:

    clock.psu.edu
    sundial.columbia.edu
    ntp2b.mcc.ac.uk
    ntplth.se
    gandalf.theunixman.com
    time.kfki.hu
    time.mit.edu
    vega.cbk.poznan.pl
    ntp3.fau.de
    time.nist.gov
    tick.greyware.com
    cuckoo.nevada.edu
    etc etc I guess you get the idea.

    I have the feeling that the system (Windows XP) or some program is trying to update the clock. So, I clicked on the Clock and unchecked the "update time on the internet" box, but no luck.
    I started your sticky last night. Bitdefender found a few old viruses in my e-mail backup folders (specifically deleted emails) so I deleted them. Trojan found nothing. An odd thing happened while scanning with BitDefender: Avast (my AV program) found about 4 viruses pertaining to Win32:Sober-AB2(WRM), which I quarantined. I ran a full scan with Avast 2 days ago and it found nothing. Ad-Aware and SpyBot find nothing.

    Tonight I will run Trend Micro's on line scan. If anybody has any suggestions I would appreciate it.

    Thanks for your great site. Bob Schoner
     
  2. theefool

    theefool Geekified

    Welcome to MajorGeeks!

    Though, I'm rarely on here, I'll do my best to keep up. If it seems that I'm not posting, feel free to send me a private message.

    Now, once you have completed the malware thread, please post a HiJackThis log as an attachment in this thread! :)

    Either myself or someone else will help you.
     
  3. rschoner

    rschoner Private E-2

    Hi Again,
    Since yesterday I ran Trend Micro's on line scan. It found Worm Sober AG; probably in a deleted e-mail that was never opened. I deleted it.

    In the meantime I still get the pop ups asking to connect to the Internet (as long as I am not connected). I assume when I am connected it is getting all the info it wants.

    I ran Hijack This; the log is attached (I hope). The only thing that I really don't recognize is:

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Any suggestions are most welcome.

    Thanks Again, Bob Schoner
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's from the Bitdefender online scans. We can fix those two lines now that you already ran the scan.

    First look in Add/Remove programs for WinSecurity and uninstall if found.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\WinSecurity\services.exe
    C:\WINDOWS\WinSecurity\smss.exe
    C:\WINDOWS\WinSecurity\csrss.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
    O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\WinSecurity <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. rschoner

    rschoner Private E-2

    WOW! You're Good! :)

    Ran per your instructions, rebooted and waited a few minutes. Nothing happened (that's good), so I assume I'm ok. Will test a little more.

    One other improvement. When I would try to run HJT I would get a message that said something like No Virus Found and HJT would shut down. By playing around I could get it to work. Now when I run HJT it opens normally.

    One other thing. I am running AVAST as the AV. I am now getting messages from Avast that it has blocked something (lsass or some kind of Exploit). I'm assuming that this means Avast is working and I'm ok.

    I am relying on Windows firewall, I guess I should have followed your advice and installed a better one. Will do that now.

    And a final question. What did I have, does it have a name? I would never have guessed that something named Windows/WinSecurity was bad. How did I get it (E-Mail, WebSite or?)?

    I have attached a new HJT log.

    Thanks Again for your prompt help.
    Bob Schoner
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does Avast indicate the full path to the filename rather than just lsass.exe? Also be more specific about the exact message and virus name.

    The Windows firewall does not provide adequate protection. That is why we suggest other firewalls and also why we say disable the Windows one after getting a real firewall installed.

    You had W32/AGOBOT-KI WORM.

    See: http://www.sophos.com/virusinfo/analyses/w32agobotki.html

    Read the description information on what this thing can do to you.
     
  7. rschoner

    rschoner Private E-2

    Hi again,

    Thanks for the info. Unfortunately, the Avast message box would not stay up long enough for me to write down the info.

    However, I took your advice and have installed a firewall. I'm using ZoneAlarm; SyGate crashed every time I started the computer.

    Zone Alarm is now blocking something trying to access my PC about every 30-60 seconds. Here is the info I wrote down:
    My Comp Port   From              Their Port
    23557          84.228.185.44     15473
    1026           66.61.193.83      12048
    1026           221.211.255.14    42581
    1026           221.5.251.243     54813
    TCP 135        209.165.11.148    TCP4230
    1030           61.152.158.123    34379
    1026           62.216.220.149    20846
    1028           218.66.104.208    59462
    1026           61.138.136.27     38239
    etc etc etc etc

    I hope the column format comes thru.

    It's really a pain in the neck. The "blocked message" box came up just about every time I started a new line, so I've had a lot more attacks just while typing this message.

    Any suggestions? Should I disable the message and just let ZA do its stuff? I'd really like to know who's doing this, but it looks like every server in the world is trying to get into my machine. Hope I didn't lose anything.

    Thanks again for all your help.

    Bob Schoner
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just block it and tell ZoneAlarm to always do the same. There is also an option that you can use to tell ZA to block silently. I believe under Alerts and Logs you just set Alert Events Show to Off.

    Here is some info on those IP addresses:

    84.228.185.44 <--- Probably bad! Do you recognize it?

    66.61.193.83 <--- could this be your ISP?

    221.211.255.14 <-- looks suspect!
    221.5.251.243 <-- looks suspect!
    209.165.11.148 <--- this also looks like another ISP.
    61.152.158.123 <-- looks suspect!
    62.216.220.149 <--- not sure about this. Do you recognize it?

    218.66.104.208 <-- looks suspect! Same as one of the above!
    61.138.136.27 <--- looks suspect! Same as above!
     
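    A small triage script for alert lists like the one in the two posts above, added here as an example and not something posted in the thread. It parses the dash-separated columns as typed (local port, remote address, remote port), then aggregates hits per local port, distinct sources per port, and repeat sources; the sample addresses are constructed from documentation ranges, not the ones reported above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the column layout of the post above (local port,
# remote address, remote port). Addresses are from the RFC 5737
# documentation ranges, not the ones reported in the thread.
SAMPLE_ALERTS = """\
My Comp Port--------From---------------Their Port
23557------------192.0.2.44 ----------15473
1026-------------198.51.100.83------------12048
1026-------------203.0.113.14----------42581
TCP 135----------198.51.100.148----------TCP4230
1030-------------203.0.113.123----------34379
1026-------------203.0.113.14-----------20846
"""

FIELD_SEP = re.compile(r"-{2,}")  # columns are separated by runs of dashes


def parse_alert(line):
    """Return (local_port, remote_ip, remote_port) or None for a non-alert line."""
    fields = [f.strip() for f in FIELD_SEP.split(line) if f.strip()]
    if len(fields) != 3:
        return None
    local, remote_ip, remote = fields
    try:
        ipaddress.ip_address(remote_ip)
        # Cells may carry a protocol prefix such as "TCP 135" or "TCP4230".
        return int(re.sub(r"\D", "", local)), remote_ip, int(re.sub(r"\D", "", remote))
    except ValueError:
        return None  # header row or garbled line


def summarize(text):
    """Aggregate blocked attempts: hits per local port, distinct sources per
    local port, and remote addresses seen more than once. Many sources on a
    few low ports is background scanning; a repeat visitor warrants a look."""
    hits_per_port = Counter()
    sources_per_port = {}
    hits_per_source = Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        local_port, remote_ip, _remote_port = rec
        hits_per_port[local_port] += 1
        sources_per_port.setdefault(local_port, set()).add(remote_ip)
        hits_per_source[remote_ip] += 1
    repeats = sorted(ip for ip, n in hits_per_source.items() if n > 1)
    return hits_per_port, {p: len(s) for p, s in sources_per_port.items()}, repeats
```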
  9. rschoner

    rschoner Private E-2

    Hi Again,

    Wow! The only one I recognize is LightSpeed that's tied to Earthlink. EarthLink is my ISP provider (Dial Up).

    Does everyone have this going on but they don't realize it? How did this happen that I got on somebody's list; maybe from a Spam list? I wonder how long they have been targeting me. Because of the info you sent me about the worm I looked in the shared files folder ( I have a wireless home network that is usually OFF) but I did not see anything I did not recognize.

    You guys are doing a great job, but I'm afraid there are a lot like me out there. Under attack and don't even know it. Remember my first post; from the titles of the servers trying to connect I thought it was my system clock trying to update.

    I'm a little spooked now. Is it worthwhile to sign up for ZA Pro?

    Thanks again for all your help.

    Bob Schoner
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then it is a good thing that you installed a real firewall now. It is doing its job and blocking as you want it to. Many people run into similar issues. Once you have gotten on the "lists" (the bad guys' valid address list) they keep looking for you. That is why you want a firewall installed before ever connecting to the internet.

    Yes, I do believe it is worthwhile to purchase ZA Pro. You could try using the free version for a little while to make sure you like it and then make your decision. But no matter what you decide about ZA itself, a firewall like this MUST be used.

    How are things working now?
     
  11. rschoner

    rschoner Private E-2

    Hi Again,

    Thanks for your patience and all the info. Everything seems to be working fine. Zone Alarm seems to be doing its job.

    You suggested a site for info about the worm I had. It said:

    "A text file named HOSTS may also be dropped into
    C:\<Windows System32>\drivers\etc which may contain a list of anti-virus
    and other security-related websites each bound to the IP loopback address of
    127.0.0.1 which would effectively prevent access to these sites"

    Out of curiosity I went to C:\Windows\System32\drivers\etc and found a file named Hosts. It looks like a Microsoft file, has some comments about what it does and then has a line:

    127.0.0.1----------Local host

    I assume this is ok??

    Thanks again,

    Bob Schoner
     
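    The question in the post above (is "127.0.0.1 localhost" fine?) comes down to which names the hosts file sends to loopback. The following added example, not code from the thread, parses a hosts file and flags any name bound to loopback or 0.0.0.0 other than the standard localhost names, which is exactly the pattern the quoted Sophos description warns about; the sample file and its ".test" host names are constructed.

```python
import ipaddress

# Constructed sample hosts file (not the poster's): the stock "localhost"
# lines that are normal, plus two entries of the kind the Sophos text
# describes, where security sites are bound to loopback or 0.0.0.0.
SAMPLE_HOSTS = """\
# Hosts file: maps host names to IP addresses, one entry per line.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.antivirus-vendor.test     # sinkholed (constructed)
0.0.0.0         updates.security-site.test    # sinkholed (constructed)
"""

# Names that legitimately point at loopback in a default hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed, skip it
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def sinkholed_names(text):
    """Return [(hostname, address)] for names sent to loopback or 0.0.0.0
    that are not the standard localhost names. A default hosts file yields
    an empty list; a dropped file that blocks security sites does not."""
    flagged = []
    for addr, name in parse_hosts(text):
        if (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_OK:
            flagged.append((name, str(addr)))
    return flagged


if __name__ == "__main__":
    for name, addr in sinkholed_names(SAMPLE_HOSTS):
        print(f"{name} -> {addr}")
```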
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. rschoner

    rschoner Private E-2

    Hi Again,

    Did the Malware link. Time to end with a big THANK YOU for all your help.

    Bob Schoner
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Bob! Surf Safely!
     
  15. rschoner

    rschoner Private E-2

    Hi Again (Sigh),

    I seem to have a similar problem again. Sometimes (maybe two-three times a day) when I am not connected I get a pop up that says something is trying to connect to SP.CWFSERVICE.NET. I deny it.

    Since the last problem I have uninstalled AVAST Free and Zone Alarm Free and replaced them with Zone Alarm Security Suite. I have also upgraded MS Office to Office 2003 and got the updates to it.

    After the pop up started appearing I disabled System Restore and re-ran the Trend Micro and Trojan on line scans (nothing found). I also re-ran SpyBot and AdAware SE (nothing found) and did a system scan for viruses and spyware with the new Zone Alarm scanner (nothing found).

    I am attaching a new HJT log. Please review and advise. Thanks for all your help.

    Bob Schoner
     

  16. rschoner

    rschoner Private E-2

    Hi Again,

    I may have found the answer. By Googling CWFSERVICE I found some references to parental control that I have activated in Zone Alarm. And, by going to the Zone Alarm forum and doing a search for CWFSERVICE I found a reference to it by someone who was trying to get a site unblocked.

    Although there is nothing in the Users Manual about it, this is probably what's going on. Seems a little strange though since I have automatic updates turned off and the manual seems to indicate that ZA checks each site when you access it; so I don't understand why it tries to connect when I am not connected to the internet.

    Thanks Again,
    Bob Schoner
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really familiar with the parental controls (content watch) features of ZoneAlarm. You may be better off asking about this in the Software Forum to see if anyone is familiar with it. As of right now this is not really a malware problem. It seems to just be a feature related to ZoneAlarm Security Suite.

    If the popup you are referring to is the popup that ZoneAlarm itself shows, just deny it and tell it to always do the same thing. That is unless you want it to use this content watch (I assume CW = Content Watch) feature.
     
  18. rschoner

    rschoner Private E-2

    Hi,

    Thanks for your usual prompt response. The window that I see is not the ZA warning window. I assume it comes from XP; it tells me that something is trying to connect and asks what ISP I wish to use (since I am not connected when the alert pops up; dial-up, remember).

    I never thought of the software forum; good idea. Another thought I had while typing away here is to disable the Parental Controls feature and see if it goes away.

    Thanks Again,
    Bob Schoner
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is one thing to try. It will definitely help you to find out where it comes from for sure.

    Did you remember to disable the firewall in Win XP SP2?
     
