Zone Alarm Blocking ???

Discussion in 'other firewalls' started by Fatawan, Feb 2, 2008.

Thread Status:
Not open for further replies.
  1. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I recently installed ZA, and it was logging events where my computer was trying to connect to other computers outside my network. There were 4 sites, and they were websites I had visited in the past--odd sites like my insulation contractor, or my old high school. I found these sites listed in "My Network Places" and deleted them, and the "phone home" attempts ceased, except for one(my old high school). It still attempts to connect to the high school's IP every night at 3 or 4AM. How do I find the software/code/etc that is causing my PC to attempt this connection each night? I have searched the name, parts of name, with no luck. Any place I should be looking?

    Thanks!
     
  2. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Best thing to do is post this in the ZA forums first. Secondly, when ZA detected your network, did you select sharing?
     
  3. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    For some reason, the registration at Zone Alarm keeps timing out. I have been unsuccessful over many days of attempts there. :mad:

    I selected high security for the internet zone(no sharing), and medium for the trusted zone(allows sharing). I just want to find the source of these "phone home" attempts. There must be something on my PC that initiates it.

    Scans with Avira, Spybot S&D, Adaware, AVG, Defender, and Anonymizer Spyware have found nothing.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You said, ZA was logging events... where?
    What is listed under the firewall zones?

    Have you checked carefully under the ZA program control for programs you do not recognise as MS or installed applications? Scroll through them all and check (properties) their location.

    Also try to avoid using not-very-reputable spyware scanners (e.g. Anonymizer Spyware).

    May be good to have your system checked by expert, for example, at castlecops:
    http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

    Please read mandatory steps before posting:
    http://www.castlecops.com/t102301-Hijackthis_Guidelines_Read_Before_Posting.html

    Cheers,
    Fax
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What browser are you using ?

    If IE, did a Synchronize entry somehow get added ?

    IE > Tools > Synchronize
     
  6. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Try uninstalling & reinstalling. This will force the firewall to rescan all the apps. Then make sure that all the permissions, except maybe the antivirus, are set to ask. Make sure server permissions are set to ask. Then watch to see what program is asking for permission to connect to your old high school. If you can locate the IP, block it in the firewall. Then download A2 or SuperAntiSpyware free & see if you have any malware. This procedure usually works to let you know what app is trying to do this.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Do a whois on the IP, which may no longer be your old school; these things are not static over time. Find the web site name and then block that web site. This won't find the exe doing the phoning, though it will tighten up the system. In the list of blocking activity, check to see if it lists the exe's being used at the time of the block. Clean up your registry and defrag if you haven't done that since ZA was installed.

    You are right to worry about phone homes.

    What version / package in ZA family do you use?
     
  8. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    It logs them under "Alerts and Logs" under the Firewall heading. It says:

    Packet sent from ***(IP address of my PC) TCP Port 4445 to ****(IP address of old high school) (NetBIOS Session) was blocked

    It blocks that one a couple of times, then it tries another port on my PC, and uses a different port on the destination PC. It always tries both of them twice, always in the middle of the night, and then it doesn't try again till the next night.

    2 network controllers on my motherboard, a DHCP server with a 192. address, two DNS servers, a loopback adapter with a 127. address, and my network printer all check out as legit.

    Is the whole Anonymizer program disreputable, or just the spyware scanner? It came along with the software for free.
     
  9. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26

    I use Mozilla and IE--I couldn't find Synchronize anywhere under Tools on either browser.
     
  10. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26

    ZA always blocks the outgoing packet, and I have the IP address/ports of the destination, so it never gets past the attempt stage. It just bugs me that it keeps trying!
     
  11. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26

    It's still the high school's IP according to Whois. No sign of any exe's in the Zone Alarm logs. Is there anywhere in XP that logs exe's at a given time?

    I will defrag now--what's the best way to clean up registry?

    It's the free version of ZA, latest build.
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Look into your TCP/IP configuration and see if anything is in there. Also disable NETBIOS.


    Only the spyware scanner... it was once listed as rogue. Now it is not, but I would still not trust them... there are free and better solutions (e.g. SuperAntiSpyware).

    Cheers,
    Fax
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, the simplest way is to use the built-in Ctrl+Alt+Delete to bring up Task Manager; scan every single exe there and report back any exe you don't recognize. If it exposes an application you don't need or recognize, we may be able to remove it. In the meantime, if you can do it, put the whois id's addy or site in the restricted sites list in IE. But I'm assuming IE is your browser, is that correct?

    Good on the defrag; restart the PC after the defrag please. To clean up, it means 2 steps: #1 scan for old or bad entries, then #2 compact the registry.

    CCleaner is free and does step 1 but doesn't do 2. So I suggest you download a free trial of jv16 PowerTools (in Finland) and run registry clean up, then reboot, then run registry compact. Reboot.

    Hmm, there is their standard free FW, and then the "recent" ZAAS, which lets the user pick his own AV tool. See below:

    zaasSetup_70_408_000_en.exe I think that was a 1 year time limited deal.

    Which ZA freebie did/do you use?
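    An added example, not from this thread and not ZoneAlarm's or Microsoft's code: the Task Manager sweep suggested above lists processes but cannot say which of them owns the socket ZA keeps blocking. The alert quoted in post #8 gives the local source port (4445) and the destination; on XP SP2 and later `netstat -ano` prints the owning PID for every socket, and `tasklist /fo csv /nh` maps PIDs to image names. The script below parses all three and correlates them, and can be left polling overnight to catch the 3 AM attempt. The IP addresses and both command snapshots are constructed sample data; "NetBIOS Session" is ZA's label for TCP 139 (the standard assignment, not something the thread states).

```python
"""Attribute a firewall-blocked outbound connection to the process owning it.

Added example for this thread, not ZoneAlarm's or Microsoft's code. Correlates
the alert shape quoted in post #8 with `netstat -ano` (XP SP2+ prints the
owning PID) and `tasklist /fo csv /nh`. All addresses and snapshots below are
constructed sample data.
"""
import re
import subprocess
import time
from collections import namedtuple

BlockedEvent = namedtuple("BlockedEvent", "src sport dst label")
TcpRow = namedtuple("TcpRow", "lport rhost rport state pid")

# Alert line as ZoneAlarm free 7.x writes it; the service label ("NetBIOS
# Session" = TCP 139) stands in for the destination port.
ZA_LINE_RE = re.compile(
    r"Packet sent from (?P<src>[\d.]+)\s*TCP Port (?P<sport>\d+) to (?P<dst>[\d.]+)"
    r"\s*(?:\((?P<label>[^)]*)\))?\s*was blocked"
)

# Constructed sample data (documentation-range addresses, not the OP's).
SAMPLE_ALERT = ("Packet sent from 192.168.1.23 TCP Port 4445 to 198.51.100.17 "
                "(NetBIOS Session) was blocked")
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:4445      198.51.100.17:139      SYN_SENT        4
  TCP    192.168.1.23:4446      198.51.100.17:445      SYN_SENT        4
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1832
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = """\
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","1012","Console","0","4,812 K"
"firefox.exe","1832","Console","0","61,404 K"
"""


def parse_za_line(line):
    m = ZA_LINE_RE.search(line)
    if not m:
        return None
    return BlockedEvent(m["src"], int(m["sport"]), m["dst"], m["label"] or "")


def parse_netstat(text):
    """TCP rows of `netstat -ano` have five columns; UDP rows have only four."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            lport = parts[1].rsplit(":", 1)[1]
            rhost, rport = parts[2].rsplit(":", 1)
            rows.append(TcpRow(int(lport), rhost, int(rport), parts[3], int(parts[4])))
    return rows


def parse_tasklist(text):
    """PID -> image name from `tasklist /fo csv /nh`."""
    images = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.strip().split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            images[int(fields[1])] = fields[0]
    return images


def attribute(event, rows, images):
    """Match the alert's local source port + destination to a socket. A blocked
    SYN keeps the socket in SYN_SENT for ~20 s, so a snapshot taken shortly
    after the alert still shows it."""
    for r in rows:
        if r.lport == event.sport and r.rhost == event.dst:
            return r.pid, images.get(r.pid, "<unknown>")
    return None


def snapshot():
    """Live snapshot; Windows only, not used by demo()."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    return parse_netstat(ns), parse_tasklist(tl)


def watch(target_ip, interval=2.0):
    """Poll until any socket to target_ip appears, then report its owner."""
    while True:
        rows, images = snapshot()
        hits = [(r, images.get(r.pid, "<unknown>")) for r in rows if r.rhost == target_ip]
        if hits:
            for r, img in hits:
                print(time.strftime("%H:%M:%S"), f"{r.lport}->{r.rhost}:{r.rport}",
                      r.state, f"pid={r.pid}", img)
            return hits
        time.sleep(interval)


def demo():
    ev = parse_za_line(SAMPLE_ALERT)
    return attribute(ev, parse_netstat(SAMPLE_NETSTAT), parse_tasklist(SAMPLE_TASKLIST))


if __name__ == "__main__":
    print(demo())  # (4, 'System')
```

    In the constructed sample the owner comes back as PID 4, the System process, and that is the case worth knowing about: outbound TCP 139/445 connections on XP are opened by the kernel-mode SMB redirector on behalf of whatever resolved a UNC path to that host (a leftover My Network Places entry, a persistent mapping shown by `net use`, a printer port, a scheduled task or shortcut pointing at \\host\share), so no user-mode exe will ever show up in Task Manager or the ZA program list for it. If the owner is a real image, its path from tasklist is the answer; if it is System, the search moves to what on the box still references that host. Run `watch("<target ip>")` from a console before going to bed to catch the nightly attempt.
    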
     
  14. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Whew! Long list, but they all seem legit.

    I use IE and Firefox. I put it in restricted sites in IE, and downloaded BlockSite for Firefox and I'll add it there.

    Will do.

    Version 7.0.462.000
     
  15. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Where do I look in the TCP/IP config in XP? I noticed my network printer uses NetBIOS--should I still disable it? (If so, how?)

    Running Superantispyware as I type--thanks
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    On your active network connection (in the systray), right-click on it and select Status. A new window will open up.

    Click on Properties --> scroll down and select Internet Protocol (TCP/IP) --> Properties --> check the General tab for IPs that you do not recognise.
    Usually it should be set to obtain an IP address automatically and to obtain DNS automatically, unless you have custom settings.

    Then click on the Advanced button --> WINS tab --> NetBIOS setting --> Disable NetBIOS.

    Check the DNS tab --> it should not list any DNS in the box (unless you have custom settings).

    Cheers,
    Fax
     
    Last edited: Feb 2, 2008
  17. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Both set on automatic

    Done

    It did not list any DNS

    Thanks. We will see what happens tonight!
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Fatawan:

    Be careful disabling services, particularly if you share resources like a network printer. Set them to manual first rather than disabled. Then they will be available if needed.

    The original issue you had was what exe is calling home to your old high school ip. Now as I understand it you have set up your browsers to block it.

    Test your configuration and see if you can go to that site.

    Using the same method you used for finding this phone home, monitor it and see if it happens again. If it does, then your PC is using another trusted exe to do that. Have you ever downloaded any files from that site in the past? You know, stuff like pictures, anything? Schools have been known to be a source of trojans, and a call home is trojan-like behaviour.

    Another idea is to add a HIPS to your set up. I would use ThreatFire (TF) from PCTools; it is also free, and if you add all ZA folders to its exclusion list they will not clash. You should also put TF in ZA's exclusion lists. TF uses a behavior analysis method, not signatures, so it is fast, and if it sees this exe of yours run it should flag it and ask you for an ok! When in doubt, deny them.

    Let the thread know what happens.
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You're welcome, post back with the results ;)

    Cheers,
    Fax
     
  20. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    The only thing I did at that site was send a message to an old teacher. There was an odd form you filled out, then chose the teacher from a scroll-down list, and it sent your message. It did not use my Outlook Express. There was something there on the site. I don't recall having to download anything, but I may just not remember. Firefox blocks the site completely, while IE lets me go there but has the "Restricted Site" designation on the bottom of the screen. It doesn't seem to impede access at all o_O

    I will see what happens overnight and let you helpful folks know in the morning. If it's still phoning home, I'll try that ThreatFire program. Fingers crossed! The registry cleaner had a lot of work to do--maybe there was something left in there.
     
  21. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    Darn it. ET tried to phone home again last night. :mad: At least this time, it only tried once per port! That's a step in the right direction I guess.

    On to the next step......

    I am running ThreatFire now--edit: it found nothing, but I will keep it on overnight at level 5 protection to see what alerts it conjures up.

    Right before I went to bed I opened task manager. It showed 43 processes--this morning, there were also 43 processes running.

    I appreciate everyone's input.
     
    Last edited: Feb 3, 2008
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Uuuhm, was NetBIOS still involved? Strange, since you have disabled it...

    Fax
     
    Last edited by a moderator: Feb 3, 2008
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Weird case... since you checked that there are no processes other than the MS OS involved.
    One thing, just in case: please check under Control Panel --> Performance and Maintenance --> Scheduled Tasks --> empty?

    Cheers,
    Fax
     
  24. Fatawan

    Fatawan Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    26
    I had enabled NetBIOS last night for the kids to print something. DOH! On the alerts though, only one says (NetBIOS Session), and one does not. If NetBIOS was disabled, would it still attempt to make contact?
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    No, it should not; you cut the carrier.
    But you don't solve the problem, that is... who/what is originating the call.

    Cheers,
    Fax
     