vsmon.exe & 1025 help find trojan

Discussion in 'Port Explorer' started by BlueStar50, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    W98SE, Port Explorer v1.800

    I have had a problem with netstat reporting:
    Prot. Local Remote State
    TCP 0.0.0.0:1025 0.0.0.0:0 Listening
    I had suspected that my firewall was causing this because when I am offline and close the program, the port number gets closed too. Then if I reopen it the local port number changes to the next highest and is listening. I have contacted Zone Alarm in the past over this and they stated the firewall does not listen on any ports and that I must be infected with a trojan/virus or something :eek:. I have tried a full NAV in safe mode and Pest Patrol, but nothing has been found. I fully uninstalled ZAP, cleaned the registry of it and reinstalled it only to have the same thing happen.

    Trying to resolve this I have tried Port Explorer, TDS-3 and Wormguard3, seriously thinking to buy the $99 suite if it solved this mystery I have been working on for over a month now. The results are posted below. If under this trial period you can help me get this suite to tell me why port 1025 is listening, then I will still consider buying it even though the TDS-3 posed such a loss of time for me due to the bad 07-12-04 update. Seeing TrojanDropper.ÿÿÿÿÿÿÿÿÿ all over the place after ZAP tech support told me I was infected really had me up for hours seeing several files on the 40GB hard drive eaten up with it :D. I came to the board to see if there was a way to salvage any of the files only to find out it was done by a bad update. With the new update nothing was found.

    Of course WormGuard is just a protection item, but it has a crash problem I will have to search its board over. I haven't been able to connect at my highest speed in quite a while and twice today with it on I have gotten on at my faster speed, thus I hope this is due to it and not just a fluke ;).

    Port Explorer states in red that my Zone Alarm Pro "VSMON.EXE" is causing it to be listening and from reading the board this is normal for it to appear in red.
    13/07/2004 07:57:49am OPEN Other 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123
    13/07/2004 07:57:50am OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123
    13/07/2004 07:57:50am LISTEN TCP 0.0.0.0:1370 0.0.0.0:0 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123
    vsmon says it has a total of 2 sockets which I guess is what the Statistics TCP calls the Passive Open Connections of 2.

    The TCP Stats also said Active Open Connections were 25, which I need to know the meaning of. I hadn't at that point opened any programs on the net, thus if this doesn't reflect the number of times DNS requests were sent on port 53 by ZAP to log incoming attempts I need to know this.

    I used Socket Spy to see what vsmon was up to and it was mainly doing udp's to port 53 (DNS server). Then it was I guess adding privacy settings to pages I saved since I really don't know how to read this stuff. Zonealarm says their program doesn't leave a port listening, but does say it will add privacy settings to pages you save and I am sure does the DNS to add locations to its report.
    Is there a way to print out the Socket Spy log or save it to view it later or have someone else to view it to see if anything is off o_O

    My firewall has been taking a lot more hits than it ever has in the past and some from the same IP addresses it seems. As far as I can tell and from all I have read I guess ZAP's vsmon.exe has been altered to allow a trojan to cause this port to be listening since ZAP says it shouldn't be. So how do I go about finding out if a trojan is causing this o_O Or prove vsmon.exe is really doing this and tech support didn't tell me the truth.

    PE looks like a great program but it will definitely take more than a month to get the hang of it :rolleyes:. But if this problem can be solved in that time, I definitely hope to get the suite or at least get it.
     
  2. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    Since vsmon.exe belongs to my firewall should I dare attempt this from another post?
    "How about if you had spyware trying to phone home or a Trojan using your machine as a bot. There is malware out there that likes to bypass your firewall or you may have inadvertently given something permission, with PE you can see these events and stop them whilst you investigate the cause."
    If so how would I stop these events while I investigate it with PE?

    WG (only one I leave running auto) evidently is helping me connect faster for some reason. Thus I may buy the suite Monday if anyone can get me started at where to start on a problem like this and answer one important question like is the members area a lot better/faster place to get help with the problem I have at hand? I can't afford to pay $99 on a program I'm not able to use to solve things like this if there is not any help on it.

    Remember I've been trying to solve this thing for over a month now, and when I finally found a program like PE that is supposed to be able to help me solve it I can't help getting a little anxious. I'm leery of using it without knowing what I am doing though because I wouldn't want anything to backfire and get hacked while using it.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Well, I'm rather surprised at what Zone Labs support told you because in my experience as a long time user of ZAP, I am certain that the Privacy feature in ZAP does indeed open a local port and listen as you have seen it. It is easy to check and confirm. You've already done one test: turning ZAP off, the port closes and nothing listens there. But, you can try this, too. Fully disable the Privacy functions (only the Privacy functions) via ZAP interface > Privacy panel > Main tab > turn off all three items there. Restart the system (I say to reboot just to absolutely confirm that you've fully cycled ZAP and nothing remains that would confuse the issue.)

    When the system comes up, operate as you normally would and see if that port (or another) listens in that way. It shouldn't. Then go back into the Privacy panel and enable all the Privacy functions again and just recheck to see if ZAP is listening - it should be.

    I've confirmed this over and over in the past as normal functionality. My guess was always that ZAP listened locally on the system as part of what it needed to do in order to filter all the objects in the network datastream that can be controlled and managed by those Privacy functions. (To pull out ActiveX items, cookies, etc. it has to get into the data stream somehow, so this is my guess as to what and why.)

    Note that all my testing also shows that ZAP also protects this port so that it is not being exposed from the outside (the Internet). It's just used locally.
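The test LowWaterMark describes (snapshot the listeners, disable the suspect feature, reboot, snapshot again) can be scripted so the comparison is not done by eye. The following is an added example, not code from the thread or from Zone Labs; the two `netstat -an` snapshots are constructed in the column layout the original poster pasted, and the function names are mine.

```python
"""Diff two `netstat -an` snapshots to check whether a listening port belongs to
a feature you just turned off. Added example; the two snapshots are constructed
in the format the original poster pasted, not captured from a real machine."""
import re

# Constructed: snapshot with the suspect feature (here, ZAP Privacy) enabled.
BEFORE = """\
Prot. Local Remote State
TCP 0.0.0.0:1025 0.0.0.0:0 Listening
TCP 127.0.0.1:1026 127.0.0.1:1025 Established
UDP 0.0.0.0:137 *:*
"""

# Constructed: snapshot after disabling the feature and rebooting.
AFTER = """\
Prot. Local Remote State
UDP 0.0.0.0:137 *:*
"""

# proto, local addr, local port, remote endpoint, optional state
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)$", re.IGNORECASE)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, remote, state = m.groups()
        sockets.append({"proto": proto.upper(), "laddr": laddr,
                        "lport": int(lport), "remote": remote,
                        "state": state.upper()})
    return sockets


def listening_ports(sockets):
    """Set of (proto, port) for TCP sockets in a LISTEN/LISTENING state."""
    return {(s["proto"], s["lport"]) for s in sockets
            if s["proto"] == "TCP" and s["state"].startswith("LISTEN")}


def diff_listeners(before_text, after_text):
    """Which listeners closed, which are new, which survived the change."""
    before = listening_ports(parse_netstat(before_text))
    after = listening_ports(parse_netstat(after_text))
    return {"closed": sorted(before - after),
            "new": sorted(after - before),
            "still_open": sorted(before & after)}


def verdict(port, before_text, after_text):
    """Plain-language reading of the test for one TCP port."""
    d = diff_listeners(before_text, after_text)
    if ("TCP", port) in d["closed"]:
        return "closed with the feature: attributable to that feature"
    if ("TCP", port) in d["still_open"]:
        return "still listening: something else owns it, keep investigating"
    return "not listening in either snapshot"


if __name__ == "__main__":
    print(diff_listeners(BEFORE, AFTER))
    print(verdict(1025, BEFORE, AFTER))
```

Redirect `netstat -an` to a file before and after the change and feed the two files to `diff_listeners`. A port that only appears in `still_open` has survived the feature being disabled, which is the case where the firewall's explanation does not hold and the owning process needs to be identified by other means (Port Explorer, in the thread's case).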
     
  4. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    Great relief to hear this, now there is no need to get PE :) except I want to learn more of what is going on while I am online. The bucks are slim around here, but this suite seems well worth getting as long as I don't get another scare like I did with TDS3. I came across this company a few years back, but PE seemed too complicated to me back then and it still does somewhat, but I've learned a lot since then.

    I suspected what you said to be true even before I used PE, which is the only thing I have found that will show what processes are opening ports in W98SE. But since ZAP tech support told me something was wrong, and having read where netstat could be hijacked into not reporting open ports, I know even ZAP could possibly have been hijacked if one of my expert rules failed to operate the way I thought it would. From the spy log (what little I could tell from it, which wasn't much), the privacy settings were what was causing this. My site doesn't have any cookies, scripts, etc. on it but the privacy settings are added to the page if I save it off of the Net. I knew the port was protected & stealthed from the ShieldsUp site; thanks to Steve I have had my bindings secured for a long time.

    One other question you might know the answer to since you're a long time user of ZAP: what happens when your year is up? Will the program still work and you just can't update it? I'll read the license to see if I agreed to uninstall it, and if not I may let it lapse a while until I get my bills paid down some or go with the free version until then.

    I'll give your steps a try after I get offline tonight. I always run a full NAV on C and partitions that have IE, OE files in them before I will restart or shut down the computer.

    Thanks for the info. Monday I hope to have time to buy the suite.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Blue,
    i'm a little lost in your messages what you see and what you want.
    Port Explorer shows you almost realtime all connections between your system and internet.
    Just fire up Port Explorer and you see it happen, you can decide to enable spying on a certain application and see that happen, can look in the log files and you see what happened when you might not have been looking for a while.
    The learning curve is less than 5 minutes i think?

    The data from the socket spying is collected in the capture.bin. As that grows rather fast on a busy connection, it's advised to look in your Port Explorer directory if you want to keep that data for later review and change its name, for instance capture170704.bin or whatever you can recognise easily. Port Explorer creates a new capture.bin when needed in a new session. You can load such older capture.bin's in the Socket Spy GUI and look again.
    You can open the capture.bin file in wordpad if you like, but the results will be less readable than via Port Explorer itself; you can copy to clipboard parts you want to keep, etc.

    For ZoneAlarm, you will see if you have the socket spy on it when you start it or connect to internet it immediately checks for possible updates and your version etc. Hidden as it is, Port Explorer sees it.

    Port Explorer is a very good addition to see what is really going on on your system and locate which application is responsible for it.
    If that is a trojan, you see what and where, can spy and block and kill it, finding it in your system and get rid of it. Etc.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Members area.

    We have this Official Public DiamondCS forum overhere at the Wilders Forum, open for any visitor.

    We have the General DiamondCS forum at the DiamondCS server, requires visitor registration to that forum.

    We have the TDS Private Forum for Licensed TDS operators at the DiamondCS server, requires registration for the forum as a visitor and extra access with the license.

    We have the Member Area on the DiamondCS site for registered users of any of the products; those are your personal pages with stuff only for yourself, code, access to full downloads of the programs you registered, some members only goodies, access only for licensed users and only to pages related to programs you registered. It is no discussion area, that happens in the forums.

    Further there is support via emails.
     
  7. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    LowWaterMark
    You're right, it closed the port doing this and it seems that their Techie didn't know it does this. Thanks for easing my mind, and my *puppies* thank you too since there will be more time for them now :).
     
  8. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    Jooske
    The learning curve is less than 5 minutes i think?
    True on how to use the program, but trying to really translate the Socket Spy log for the unreadable parts will take a lot longer :). Thanks for the tips on the capture.bin.
    ZAP is not supposed to be calling home to check for updates or sending logs. I check for updates manually on everything.
    The info on forums will come in handy too. Later tonight I hope to have time to buy TDS-3, WG3 and PE in the suite since they are very handy programs. I had WG3 crashing on me and now TDS-3 is due to MSVBVM60.dll so I'll have to solve that before moving on to getting them. I have MS Agent blocked, thus since I ran across posts on it, that may be why. I bet by the end of the week though it will be a purchase.
    The only drawback to PE is it will not let you close system processes that have been hung open for some reason. But it is great to see what processes are being used on what ports in W98SE, which I haven't found any other programs doing, and being able to spy on what is going on.
    This time it appears it all was a false problem, but with as many hits as my firewall is taking now it will be worthwhile to keep an eye on things.
    Thanks for the feedback.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Open Port Explorer
    enable spying on VSMON.exe
    enable logging file
    connect to internet
    Now look in both the capture.bin and the log and tell me what you see.
    You will see i am right with ZA sending a call home and seeing your connection and you are you etc.
    No matter if you enabled or disabled auto-update (which ZA doesn't).

    Don't worry about the unreadable parts in the capture.bin, the readable parts give you enough to have an idea what it is about.
    You might like to have TDS Port Listen on one of the same ports where you see something happening and see the packets there, put it on port 80 for instance to see some more happening.

    The Port Explorer helpfile is very informative, will give you lot of information what it is all about.

    You will see in your ZA in the programs there is a loopback, which might be on port 1025 and 0 both on your local host. For firewall info you'll find a wealth on info in the firewall forums here.
    When you see a TIME_WAIT there is no reason to close it as the connection closes by itself, there is no data on it anyway.
    You'll notice on your win98se system Port Explorer frees the space left by dead sockets much quicker, reclaiming it for use by other programs much sooner than without Port Explorer installed.
     
    Last edited: Jul 18, 2004
  10. poogimmal

    poogimmal Registered Member

    Joined:
    May 7, 2004
    Posts:
    79
    hard thread (for me) to follow:
    ZA is an autostart on my w2k, Port Explorer always shows it in blue as

    --------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    --------------------------------------------------------------------------------------------------------------------------------------------------------
    | vsmon.exe | 20:06 25/07/2004 | 1332 | Other | 0.0.0.0 | 0 | 192.168.1.1 | 0 | CONNECTING | 1/40 | 0/0 |
    --------------------------------------------------------------------------------------------------------------------------------------------------------

    hope that is readable format. I have ZA set not to phone home unless I tell
    it to. Port Explorer is excellent and has been problem free for me
    (other than my post of today re DNS :)
     
  11. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    poogimmal
    Thanks for the feedback, but the above posts cleared up my problem.
    I have mine set not to phone home either and after applying the DHCP Fix by AnalogX and deleting some entries in the registry I thought pertained to Sam Spade's Tools it now shows up as a Time-Wait Status.

    Here is what mine shows: (I tried to make it more readable :eek:)
    -------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT |
    | TrueVector Service | 22:28 26/07/2004 | -126425 | TCP | 0.0.0.0 | 1025 |

    REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    0.0.0.0 | 0 | TIME_WAIT | 0/0 | 0/0 |
    -------------------------------------------------------------------------

    Compared to yours (in same format as mine)
    -------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT |
    | vsmon.exe | 20:06 25/07/2004 | 1332 | Other | 0.0.0.0 | 0 |

    REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    192.168.1.1 | 0 | CONNECTING | 1/40 | 0/0 |
    -------------------------------------------------------------------------
    Yours shows a connection to a remote address of 192.168.1.1 with 1/40 sent. Mine has never shown it connecting. I have both the check for updates and phone reports home turned off, so if both of these are off too on yours something may be up that you need to check into.
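The comparison BlueStar50 makes between the two rows (a TIME_WAIT entry with nothing sent versus a CONNECTING entry to a LAN address with a non-zero SENT counter, from a product configured not to phone home) is a triage rule that can be applied to every row of a Port Explorer style table at once. The following is an added example, not Port Explorer's own code or export format; the rows are constructed in the pipe-delimited layout the two posters pasted, plus the LISTEN line from the first post, and the SENT/RECVD fields are read as two numeric counters without assuming what each one counts.

```python
"""Triage rows from a Port Explorer style connection table. Added example, not
Port Explorer's own code; the rows are constructed in the pipe-delimited layout
the two posters pasted, and the SENT/RECVD fields are read as two numeric
counters without assuming what each counts."""

# Constructed sample: the two posters' rows plus the LISTEN line from the first post.
ROWS = """\
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
| vsmon.exe | 20:06 25/07/2004 | 1332 | Other | 0.0.0.0 | 0 | 192.168.1.1 | 0 | CONNECTING | 1/40 | 0/0 |
| TrueVector Service | 22:28 26/07/2004 | -126425 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | TIME_WAIT | 0/0 | 0/0 |
| vsmon.exe | 07:57 13/07/2004 | -521123 | TCP | 0.0.0.0 | 1370 | 0.0.0.0 | 0 | LISTEN | 0/0 | 0/0 |
"""

UNSPECIFIED = "0.0.0.0"


def parse_table(text):
    """Turn the pipe-delimited table into a list of dicts keyed by header name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip("|").split("|")]
        if len(cells) == len(header):        # skip malformed rows
            rows.append(dict(zip(header, cells)))
    return rows


def counters(field):
    """'1/40' -> (1, 40): the two counters as the table shows them."""
    a, b = field.split("/")
    return int(a), int(b)


def triage(row, expect_local_only=True):
    """Classify one row. With expect_local_only=True (the product is configured
    not to phone home), a row that sent data to a non-zero remote address is
    flagged for review rather than accepted as normal."""
    status = row["PORT STATUS"].upper()
    remote = row["REMOTE ADDRESS"]
    sent = counters(row["SENT"])
    if status == "TIME_WAIT":
        return "closing"                 # tearing down; no data flows on it
    if status.startswith("LISTEN") and remote == UNSPECIFIED:
        return "local-listener"          # bound locally; confirm the firewall hides it
    if remote != UNSPECIFIED and any(sent):
        return "outbound-review" if expect_local_only else "outbound"
    return "idle"


def flagged(text, expect_local_only=True):
    """Names of processes whose rows need a second look."""
    return sorted({r["NAME"] for r in parse_table(text)
                   if triage(r, expect_local_only) == "outbound-review"})


if __name__ == "__main__":
    for r in parse_table(ROWS):
        print(f"{r['NAME']:<20} {r['PORT STATUS']:<11} -> {triage(r)}")
```

A row flagged as `outbound-review` is not proof of anything by itself; it is the row to check against the product's own settings (update checks, report uploads) and, where needed, against what Socket Spy captured for that process. The `expect_local_only` switch records the assumption being tested, so the same table can be re-triaged once a legitimate reason for the traffic is confirmed.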
     