Zone Alarm Blocking ???

I recently installed ZA, and it was logging events where my computer was trying to connect to other computers outside my network. There were 4 sites, and they were websites I had visited in the past--odd sites like my insulation contractor, or my old high school. I found these sites listed in "My Network Places" and deleted them, and the "phone home" attempts ceased, except for one(my old high school). It still attempts to connect to the high school's IP every night at 3 or 4AM. How do I find the software/code/etc that is causing my PC to attempt this connection each night? I have searched the name, parts of name, with no luck. Any place I should be looking?

Thanks!

 

Best thing to do is post this is ZA forums first. Secondly when ZA detected your network did you select sharing?

 

For some reason, the registration at Zone Alarm keeps timing out. I have been unsuccessful over many days of attempts there.

I selected high security for the internet zone(no sharing), and medium for the trusted zone(allows sharing). I just want to find the source of these "phone home" attempts. There must be something on my PC that initiates it.

Scans with Avira, Spybot S&D, Adaware, AVG, Defender, and Anonymizer Spyware have found nothing.

 

You said, ZA was logging events... where?
What is listed under the firewall zones?

Have you checked carefully under the ZA program control for programs you do not recognise as MS or installed applications. Scrool them all and check (properties) their location.

Also try to avoid using not very reputable spyware scanner... (e.g. Anonymizer Spyware).

May be good to have your system checked by expert, for example, at castlecops:
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

Please read mandatory steps before posting:
http://www.castlecops.com/t102301-Hijackthis_Guidelines_Read_Before_Posting.html

Cheers,
Fax

 

What browser are you using ?

If IE, did a Synchronize entry somehow get added ?

IE > Tools > Synchronize

 

Try Uninstalling & reinstalling. This will force the Firewall to rescan all the apps. Then make sure that all the permissions except maybe the Antivirus is set to ask. Make sure server permissions are set to ask. Then watch to see what program is asking for permission to connect to your old HighSchool. If you can locate the ip block it in the firewall. Then download A2 or SuperAntiSpyware free & see if you have any malware. This proceedure usually works to let you know what app is trying to do this.

 

Do a whois on the ip which may no longer be your old school these things are not static over time. Find the web site name and then block that web site. This won't find the exe doing the phoning though it will tighten up the system. The list of blocking activity, check to see if it lists the exe's being used at time of block. Clean up your register and defrag if you haven't done that since ZA installed.

You are right to worry about phone homes.

What version / package in ZA family do you use?

 

It logs them under "Alerts and Logs" under the Firewall heading. It says:

Packet sent from ***(IP address of my PC)TCP Port 4445 to ****(IP Address of old high school)(NetBIOS Session) was blocked

It blocks that one a couple times, then it tries another port on my PC, and uses a different port on the destination PC. It always tries both of them twice, always in the middle of the night, and then it doesn't try again till the next night

2 network controllers on my motherboard, DHCP server with a 192. address, two DNS servers, a loopback adapter with a 127. address, and my network printer

all check out as legit

Is the whole Anonymizer program disreputable, or just the spyware scanner? It came along with the software for free.

 

I use Mozilla and IE--I couldn't find Synchronize anywhere under tools on either browser

 

ZA always blocks the outgoing packet, and I have the IP address/ports of the destination, so it never gets past the attempt stage. It just bugs me that it keeps trying!

 

It's still the high schools IP according to Whois. No sign of any exe's in the Zone Alarm logs. Is there anywhere in XP that logs exe's at a given time?

I will defrag now--what's the best way to clean up registry?

It's the free version of ZA, latest build.

 

Look into your TCP/IP configuration and see if anything is in there. Also disable NETBIOS.

Only the spyware scanner... was once listed as rouge. Now it is not but I would still not trust them.. there are free and better solutions (e.g. superantispyware)

Cheers,
Fax

 

Yes, the simplest way is use the build in ctrl>alt>delete to bring up task manager scan every single exe there and report back any exe you don't recognize. If it exposes an application you don't need or recognize we may be able to remove it. In the meantime, if you can do it, put the whois id's addy or site in the restricted sites list in IE. But I'm assuming IE is your browser, is that correct?

Good on the defrag, restart PC after defrag please. To clean up
it means 2 steps. #1 scan for old or bad entries, then #2 compact the registry.

CCleaner is free an does step 1 but doesn't do 2. So I suggest you download a free trial of jv16 PowerTools (in Finland) and run registry clean up then reboot, then run registry compact. Reboot.

Hmm, there is their standard free FW then the "recent" ZAAS which lets user pick his own AV tool. See below:

zaasSetup_70_408_000_en.exe I think that was a 1 year time limited deal.

Which ZA freebie did/do you use?

 

Whew! Long list, but they all seem legit

I use IE and Firefox. I put it in restricted site in IE, and downloaded Blocksite for Firefox and I'll add it there.

Will do.

Version 7.0.462.000

 

Where do I look in TCP/IP config in XP? I noticed my network printer uses NetBIOS--should I still disable it?(if so, how?)

Running Superantispyware as I type--thanks

 

On your active network connection (in systray), right click on it, select status. A new window will open up.

Click on Properties --> scrool down and select Internet Protocol (TCP/IP) --> properties --> Check on general tab for IPs that you do not recognise.
Usually it should be set to obtain an IP address automatically and to obtain DNS automatically. Unless you have custom settings.

Then click on advanced button --> WINS tab --> NetBIOS settings --> Disable NetBIOS

Check on DNS tab --> It should not list any DNS in the box (unless you have custom settings)

Cheers,
Fax

 

Both set on automatic

Done

It did not list any DNS

Thanks. We will see what happens tonight!

 

Fatawan:

Be careful, disabling services particularly if you share resources like a network printer. Set them to manual first rather than disable. Then they will be available if needed.

The original issue you had was what exe is calling home to your old high school ip. Now as I understand it you have set up your browsers to block it.

Test your configuration and see if you can go to that site.

Using the same method for finding this phone home monitor it and see if it happens again. If it does then your PC is using another trusted exe to do that. Have you ever downloaded any files from that site in the past? You know, stuff like pictures anything? Schools have been know to be a source of trojans and a call home is trojan like behaviour.

Another idea is to add a HIPS to your set up. I would use ThreatFire (TF) from PCTools, it is also free and if you add all ZA folders to it's exclusion list so they will not clash. you should also put TF in ZA's exclusion lists. TF uses a behavior analysis method not signatures, so it is fast and if if sees this exe of yours run it should flag it and ask you for an ok! When in doubt deny them.

Let the thread know what happens.

 

You're welcome, post back with the results

Cheers,
Fax

 

The only thing I did at that site was send a message to an old teacher. There was an odd form you filled out, then chose the teacher from a scroll down list, and it sent your message. It did not use my Outlook Express. There was something there on the site. I don't recall having to download anything, but I may just not remember. Firefox blocks the site completely, while IE lets me go there but has the "Restricted Site" designation on the bottom of the screen. It doesn't seem to impede access at all

I will see what happens overnight and let you helpful folks know in the morning. If it's still phoning home, I'll try that ThreatFire program. Fingers crossed! The registry cleaner had a lot of work to do--maybe there was something left in there.

 

Darn it. ET tried to phone home again last night. At least this time, it only tried once per port! That's a step in the right direction I guess.

On to the next step......

I am running ThreatFire now--edit:it found nothing, but I will keep it on overnight at level 5 protection to see what alerts it conjures up.

Right before I went to bed I opened task manager. It showed 43 processes--this morning, there were also 43 processes running.

I appreciate everyone's input.

 

Uuuhm, was still NETBIOS involved? Strange since you have disabled it...

Fax

 

Weird case... since you checked that there are no processes other than MS OS involved.
One thing, just in case, please check under control panel --> Performance and maintenance --> Sheduled tasks --> Empty?

Cheers,
Fax

 

I had enabled NetBIOS last night for the kids to print something. DOH! On the alerts though, only one says (NetBIOS Session), and one does not. If NetBIOS was disabled, would it still attempt to make contact?

 

No it should not, you cut the carrier.
But you don't solve the problem that is... who/what is originating the call.

Cheers,
Fax