ZoneAlarm blocking intrusions

cc23
I'm posting this on behalf of a friend, who's got a little problem with her ZoneAlarm and attacks from different IP addresses. She uses ZoneAlarm and gets dozens of messages telling her that it's blocking hundreds of intrusions from different IPs. Lots of resources are going into this blocking, which means that she can't even open any sites or links.
Any advice? Thanks!
 
Get a router that supports NAT. By design, NAT does not allow remote hosts to connect to clients inside the private subnet. So, by design, all those IPs trying to connect will not be allowed. The problem would be solved.
 
Hey, maybe she's got a few spyware programs.
But can you specify, did all that start to happen when she installed ZoneAlarm? I happen to know a few people (and then there was this case yesterday on this forum) who had troubles with Zone Alarm. If all the problems appeared when she got the Alarm, she should delete it, or even better make a System Restore to a point when that wasn't happening.
 
Alright, thanks! But until then... anything else? Things haven't always been this way, so there must be something else she can do.
 
Hey, maybe she's got a few spyware programs.
But can you specify, did all that start to happen when she installed ZoneAlarm? I happen to know a few people (and then there was this case yesterday on this forum) who had troubles with Zone Alarm. If all the problems appeared when she got the Alarm, she should delete it, or even better make a System Restore to a point when that wasn't happening.
Nope... it only started happening today.
 
Hi... I'm the aforementioned friend. I'm not quite sure what I just did, but I seem to be able to move around the net slightly more easily. Well, ZA's acting up in a big way. I noticed pages were loading slowly or not at all and I couldn't imagine why, because I could see that there was some data transfer happening in both directions - quite a bit, actually. So I checked my firewall and I could see ZA blocking an intrusion every few seconds. Often there'd be three attempts from one IP. I have a messenger open, since that doesn't take up much 'energy'. The attacks were all from different IPs... I couldn't reach Google so I IMed the addresses.... they were from all over the place... Hungary, Italy, Russia, Sweden, Taiwan. And all very anonymous. I tried restarting... adjusting my firewall settings... repairing the network... going into stealth mode etc. I just ran a scan (ZA, again) and it's come up clean. I've even cleaned up the cache, any cookies, temp files and assorted internet rubbish. Could it be because of a p2p programme? I don't have one running, but surely it'd leave some sort of 'tracker' if that was the case?

Well, what I did then was make a new rule to block any intrusions that are aimed at my IP. The firewall's still busy and internet activity is still high, but it seems to give me a tiny bit more space.
 
You can leave it for a few days and see if Zone Alarm will make your surfing easier.
If not, delete it and wait another day and see if you surf better.
If not, install it again and search for help again.
 
You could have been hijacked. I would run a HijackThis log and then dump it into a reader. If you Google both you could get it done. Post your log here too; if someone has time to run through it, perhaps they can figure it out.
 
o.....kay

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:32:03, on 11-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AusLogics Visual Styler\themehelpersvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BinarySense\HDDlife for Notebooks\HDDlife for Notebooks.exe
C:\Program Files\Startup Faster 2004\sfAgent.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\Program Files\Say the Time\SayTime.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Radhika\Local Settings\Temporary Internet Files\Content.IE5\OHX3O8O2\HiJackThis[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-IN/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167231099863
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.abdn.ac.uk/~wdu007/webcam/AxisCamControl.ocx
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B205FEFB-55CF-4209-8D07-C5D79168C839}: NameServer = 218.248.255.193,61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33C948D-4E0D-434C-8950-F518766E97C6}: NameServer = 218.248.240.79 218.248.240.135
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AusLogics Windows Themes Helper (ALThemeHelper) - Unknown owner - C:\Program Files\AusLogics Visual Styler\themehelpersvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7650 bytes
 
C:\Program Files\AusLogics Visual Styler\themehelpersvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP

O23 - Service: AusLogics Windows Themes Helper (ALThemeHelper) - Unknown owner - C:\Program Files\AusLogics Visual Styler\themehelpersvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe


Could you please enlighten me and tell me what the heck these things are?
Visual Styler, Diskeeper? And why: ALThemeHelper) - Unknown owner - C:\Program Files\AusLogics Visual
 
Diskeeper is my defragmenter, Visual Styler gives XP its theme, and StartupFaster warns me when a programme wants to run at startup.

And I have no idea why "unknown owner" etc., but what on earth does all that have to do with ZA when none of them access the internet?
 
Did you install any new software?
Is the P2P on when this is happening?

Try this. Find out your Public IP from here http://whatismyip.com/
Restart your PC. When it is turning off, restart the modem (not router).

When the PC is back on, compare your new IP to your old one. If it has changed, restart ZA WITHOUT the P2P and see if you're getting the hits.

What I am checking is if the P2P is still sending keep-alives, or checking your files for availability. Since you restart your modem, your IP should change. Therefore the requests will not be going to your new location.

Let me know how it goes.
 
Are these IPs the clients repeatedly hitting your machine?

O17 - HKLM\System\CCS\Services\Tcpip\..\{B205FEFB-55CF-4209-8D07-C5D79168C839}: NameServer = 218.248.255.193,61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33C948D-4E0D-434C-8950-F518766E97C6}: NameServer = 218.248.240.79 218.248.240.135


I also saw an ActiveX entry in your HJT log. Are you using IE as your main browser?
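The questions above (are the same IPs hitting repeatedly, is the traffic really your own DNS servers replying, is it concentrated on one port as stale P2P peers would be) can be answered by counting the block entries rather than reading them one by one. As an added example, not code from any poster, this script does that over a constructed log sample; the CSV layout `type,date,time,src_ip:port,dst_ip:port,proto` is assumed, not the real ZoneAlarm format, and the nameserver addresses are taken from the O17 lines of the log posted above.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of blocked inbound entries (not a real ZoneAlarm log).
# Assumed layout: type,date,time,src_ip:port,dst_ip:port,proto
SAMPLE_LOG = """\
FWIN,2007/12/11,01:30:01,91.120.3.7:52344,192.168.1.5:6881,TCP
FWIN,2007/12/11,01:30:04,91.120.3.7:52344,192.168.1.5:6881,TCP
FWIN,2007/12/11,01:30:07,91.120.3.7:52344,192.168.1.5:6881,TCP
FWIN,2007/12/11,01:30:09,151.1.88.2:41002,192.168.1.5:6881,UDP
FWIN,2007/12/11,01:30:12,81.90.14.200:3127,192.168.1.5:6881,TCP
FWIN,2007/12/11,01:30:15,218.248.255.193:53,192.168.1.5:1045,UDP
FWIN,2007/12/11,01:30:20,203.69.5.11:6000,192.168.1.5:135,TCP
"""

# Nameservers from the O17 entries in the posted HijackThis log; blocked
# packets from these are most likely ordinary DNS replies, not intrusions.
NAMESERVERS = {"218.248.255.193", "61.1.96.71",
               "218.248.240.79", "218.248.240.135"}


def parse_blocks(text):
    """Yield (src_ip, dst_port) for every blocked inbound (FWIN) entry."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 6 or row[0] != "FWIN":
            continue  # skip outbound, malformed or blank lines
        src_ip = row[3].rsplit(":", 1)[0]
        dst_port = int(row[4].rsplit(":", 1)[1])
        yield src_ip, dst_port


def triage(text, nameservers=NAMESERVERS):
    """Summarise who is hitting, how often, where, and whether it is DNS."""
    per_src, per_port, dns_hits = Counter(), Counter(), set()
    for src_ip, dst_port in parse_blocks(text):
        per_src[src_ip] += 1
        per_port[dst_port] += 1
        if src_ip in nameservers:
            dns_hits.add(src_ip)
    top_port, top_n = per_port.most_common(1)[0]
    return {
        "sources": len(per_src),                    # distinct remote hosts
        "repeat_sources": [ip for ip, n in per_src.items() if n >= 3],
        "top_port": top_port,                       # most-hit local port
        "top_port_share": top_n / sum(per_port.values()),
        "dns_hits": sorted(dns_hits),               # blocked nameserver traffic
    }
```

A high `top_port_share` on one port with many distinct sources fits the stale-peer theory raised in this thread, while hits spread over many ports from few sources look more like scanning; anything in `dns_hits` suggests the firewall rule is also dropping legitimate DNS replies.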
 
Okay... I restarted the modem and the laptop and yes my IP address changed but now I'm getting a million blocked intrusions to my NEW IP (argh!) ... I was so sure that'd fix it!

Nope... those IPs aren't featuring.

And no again, my main browser is Opera, but because of all this commotion it isn't working very well at all, so I switched to IE without add-ons.
 
Do you have a router? If not, I strongly suggest you get one because of the security increase. If anyone on your broadband subnet has network-active spyware/malware/virus files, it could be pegging your machine trying to find a way in. Also, spammers from Eastern Europe are notorious for doing scans and trying to exploit machines. In the Far East, over in Vietnam and China, their internet is filtered heavily by the government. They are also trying to tunnel into people's service to bypass any sort of filter they may encounter.

So, what I would do is log some of the IPs hitting you, and go to like arin.net, which is the registry for North America (assuming you live in the US, but your spelling on certain words tells me you are most likely British or Aus, or similar). If the IPs are registered to a different continent it will link to that page, and you can trace it back to the ISP it is issued to. That would at least give you an idea. You could then contact that ISP and let them know that you are getting pounced by a client on their network. I can tell you no matter where the ISP is in the world, none of them like hackers. So, they would look into it.

The router would not allow any remote host the ability to connect (unless you specifically forward ports to a client on your network) to your network remotely. All those requests would hit your router and not your local machine.
 
Well yes... Hungary and Russia were on that list. I'm not in the US, no... and we have already tried to get a router, but right now there really is no point since I'll be shifting base in a couple of months. I thought the IP address change would fix things. I can't think of anything else to do except.... wait.

Something similar happened once before, but a simple restart fixed that. This is entirely new.
 