Zone Alarm message

Devil2U

Senior member
Nov 11, 2004
Every few days, ZoneAlarm informs me that this program is trying to access the internet. All it is called is a straight line. It sometimes uses different ports.

Check out this image for the warning it gives me.
http://www.digicon-sa.com/ppbb.../zonealarm_strange.jpg
A whois lookup on that IP says that it is Road Runner.

I have run full sweeps with Ad-aware, SpyBot Search and Destroy, Bazooka, AVG, and AntiVir. They have cleared out minor things over the months....but this particular issue has been going on for a long time.

Any advice or information would be appreciated.
Thanks.
 

lenjack

Platinum Member
Oct 10, 1999
Why not deny it permanently, so you won't see that anymore. If it was something you needed, you'd know by now.
 

boshuter

Diamond Member
Feb 11, 2003
Denying it permanently would probably work if you don't care that there is an unknown program running and trying to access the internet. I guess some people can live with that. Try seeing if there are any strange processes running when you get that warning. You may also want to try running HijackThis to see if there are any strange listings in there. If you run HijackThis and don't know what some of the stuff is, post your log and someone will help you sort it out.
 

ThePiston

Senior member
Nov 14, 2004
Might be Road Runner's way of telling the mother ship that you're online... why did you install their software anyway? You don't have to install it to use their network.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Try getting a free trial version of McAfee VirusScan 9.0 from McAfee, arm all of its options (Trojans, spyware, adware, dialers, heuristic detection, scanning within executables) and then run an exhaustive scan on your system to see what it can dredge up.

Also, you have broadband, right? Do you have a router between your system and the modem? You can usually set home routers to block all unnecessary ports as a damage-containment measure. Many new threats are using uncommon ports to run services on your system behind your back.

Ports you would probably want open:

20
21
25
53
80
110
123
443

Disallow TCP and UDP traffic on the rest (block 0 to 19, 22 to 24, 26 to 52, 54 to 79, 81 to 109, 111 to 122, 124 to 442, 444 to 65535).

Besides that, run Microsoft Baseline Security Analyzer to see if your system's vulnerable to exploitation. If it says your Administrator accounts have weak or blank passwords, run this command to set strong passwords for the built-in Admin account, and any other Admin-class accounts your system has too:

net user Administrator Devil2U@AT

or use some other good non-dictionary password of your choice. This prevents malware from easily using Admin credentials on your computer to work beneath the surface.
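A worked version of the port-list advice above, added here as an example and not part of mechBgon's post: it derives the block ranges from the allowlist instead of typing them by hand, checks that the allowlist plus the ranges cover 0 to 65535 exactly once (no gap that leaves a port silently open, no overlap that blocks an allowed port), and tests individual ports against the result. Two caveats before copying such a rule set into a router: a NAT router already drops unsolicited inbound traffic to ports it does not forward, so these ranges mostly serve as an explicit inbound deny list; and if the same ranges were applied to outbound traffic they would also block 14567, the BF1942 port Devil2U mentions later in the thread, and 25999, the peer port Xfire is connected to in the later TCPView listing.

```python
"""Derive router block ranges from a port allowlist and check ports against them.

Added example for the thread above; not from the original post.
"""
from typing import Iterable, List, Tuple

Range = Tuple[int, int]

# The eight ports the post suggests leaving open.
ALLOWED_PORTS = [20, 21, 25, 53, 80, 110, 123, 443]

# The block ranges exactly as written in the post, kept for cross-checking.
POSTED_BLOCK_RANGES = [
    (0, 19), (22, 24), (26, 52), (54, 79),
    (81, 109), (111, 122), (124, 442), (444, 65535),
]


def block_ranges(allowed: Iterable[int], lo: int = 0, hi: int = 65535) -> List[Range]:
    """Return the inclusive sub-ranges of [lo, hi] that are NOT in `allowed`.

    Ranges come back sorted and non-overlapping, ready to be entered one by one
    as a router's 'block port range' rules.
    """
    ports = sorted(set(allowed))
    for p in ports:
        if not lo <= p <= hi:
            raise ValueError(f"port {p} outside {lo}-{hi}")
    ranges: List[Range] = []
    cursor = lo  # first port not yet assigned to a range
    for p in ports:
        if p > cursor:
            ranges.append((cursor, p - 1))
        cursor = p + 1
    if cursor <= hi:
        ranges.append((cursor, hi))
    return ranges


def is_blocked(port: int, ranges: Iterable[Range]) -> bool:
    """True if `port` falls inside any of the block ranges."""
    return any(a <= port <= b for a, b in ranges)


def partition_ok(allowed: Iterable[int], ranges: Iterable[Range],
                 lo: int = 0, hi: int = 65535) -> bool:
    """Check that allowed ports plus block ranges cover [lo, hi] exactly once.

    Catches the two easy mistakes in hand-typed rules: a gap (port neither
    allowed nor blocked) and an overlap (an allowed port inside a block range).
    """
    seen = [0] * (hi - lo + 1)
    for p in allowed:
        seen[p - lo] += 1
    for a, b in ranges:
        for p in range(a, b + 1):
            seen[p - lo] += 1
    return all(count == 1 for count in seen)


if __name__ == "__main__":
    ranges = block_ranges(ALLOWED_PORTS)
    for a, b in ranges:
        print(f"block TCP/UDP {a}-{b}")
    print("matches the posted list:", ranges == POSTED_BLOCK_RANGES)
    print("posted list is a clean partition:", partition_ok(ALLOWED_PORTS, POSTED_BLOCK_RANGES))
    # Ports that later posts in this thread show in use on the machine:
    for port, what in [(14567, "BF1942 default port"), (25999, "Xfire peer port")]:
        print(f"{port} ({what}) blocked: {is_blocked(port, ranges)}")
```

The posted ranges are correct: `block_ranges(ALLOWED_PORTS)` reproduces them exactly and `partition_ok` confirms there is no gap or overlap. The `is_blocked` checks at the end are the part to look at before applying the rules outbound.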
 

Devil2U

Senior member
Nov 11, 2004
I do not use RoadRunner, so I do not know why it is trying to access them.
I have denied it access to the internet in the past (and told zonealarm to remember) but it always comes back after awhile.
And yes, I do have a hardware router also running.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Right, so are you still driving around tied to the exterior of the car with bungee cords, or did you do the other stuff I suggested in the post above, so you're inside the car with your seatbelt fastened?
 

Devil2U

Senior member
Nov 11, 2004
So I ran McAfee VirusScan Online and it found nothing.

Tonight the incident happened again... here is another screen cap.
http://www.digicon-sa.com/ppbb...zonealarm_strange1.jpg

Now what happened was (whatever this thing is) was able to force ZoneAlarm to shut down. ZoneAlarm of course restarted. The odd part is this all occurred while I was playing Battlefield 1942. And the port it was wanting to utilize was 14567; that is the default port for BF1942.

A whois on the IP returned these results.
IP Address: 209.80.7.110
Intelenet Communications INTELENET-209 (NET-209-80-0-0-1)
209.80.0.0 - 209.80.63.255
Rightclick ICI-RIGHTCLICK-1 (NET-209-80-4-0-1)
209.80.4.0 - 209.80.7.255

I also ran the MS Baseline Security Analyzer and the following is the report.
Sooo much information, I am not quite sure how to proceed with its results. I am using a strong password (numbers & letters).

I guess I am back to being confused as I was before.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
I am using a strong password (numbers & letters)
Did you do likewise for the system's hidden built-in Administrator account, using the command I gave you above in bold type?

If it were me and I had unknown stuff shutting down ZoneAlarm, that Windows installation would be outta there. Pull the network cable, reformat, and get stuff set up tight this time.
 

Devil2U

Senior member
Nov 11, 2004
I fear you may be right about a complete re-install.

As a last-ditch effort, I am going to update to SP2, enable the Windows firewall, disable ZoneAlarm, and see if that helps....

Otherwise, I am going to be in a world of sh1t with a re-install...what a pain.
 

jaykleg

Member
Oct 18, 2004
Well, disabling ZoneAlarm will get rid of the messages, but I don't know what actual good that would do if you have badware on the system. SP2 should have been applied long ago. You may be closing the corral gate after the horses have bolted.

Did you follow any of the advice above about trying to identify exactly what process is trying to use your Internet connection? It's still possible that this is an innocent bit of software doing what it's supposed to be doing. (ZoneAlarm going down might, or might not, be the fault of this process.)

But, if you can't find out for certain that your system is clean, I recommend you wipe it. I would certainly do so for any system of mine that behaved that way -- if I couldn't give it a clean bill of health, that is.

 

Devil2U

Senior member
Nov 11, 2004
I ran TCPview and got the following information.
Everything looks normal, but then again I am not a networking expert so

[System Process]:0 TCP 127.0.0.1:11526 127.0.0.1:1170 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:11526 127.0.0.1:1176 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:11526 127.0.0.1:1177 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:11526 127.0.0.1:1178 TIME_WAIT
alg.exe:1660 TCP 127.0.0.1:1104 0.0.0.0:0 LISTENING
AOLDial.exe:2444 UDP 127.0.0.1:1083 *:*
aoltpspd.exe:1816 TCP 127.0.0.1:11526 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11527 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11528 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11529 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11530 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11531 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11532 0.0.0.0:0 LISTENING
aoltpspd.exe:1816 TCP 127.0.0.1:11533 0.0.0.0:0 LISTENING
aoltsmon.exe:1752 TCP 127.0.0.1:11500 0.0.0.0:0 LISTENING
AVGNT.EXE:2480 TCP 127.0.0.1:1026 127.0.0.1:18350 ESTABLISHED
AVGUARD.EXE:1724 TCP 0.0.0.0:18350 0.0.0.0:0 LISTENING
AVGUARD.EXE:1724 TCP 127.0.0.1:18350 127.0.0.1:1026 ESTABLISHED
iexplore.exe:3676 UDP 127.0.0.1:1087 *:*
lsass.exe:832 UDP 0.0.0.0:500 *:*
lsass.exe:832 UDP 0.0.0.0:4500 *:*
svchost.exe:1068 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe:1160 UDP 127.0.0.1:123 *:*
svchost.exe:1160 UDP 192.168.0.3:123 *:*
svchost.exe:1208 UDP 0.0.0.0:1027 *:*
svchost.exe:1208 UDP 0.0.0.0:1081 *:*
svchost.exe:1300 UDP 127.0.0.1:1900 *:*
svchost.exe:1300 UDP 192.168.0.3:1900 *:*
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
System:4 UDP 192.168.0.3:137 *:*
System:4 UDP 192.168.0.3:138 *:*
Xfire.exe:2756 TCP 192.168.0.3:1107 216.136.177.199:25999 ESTABLISHED
Xfire.exe:2756 UDP 0.0.0.0:1106 *:*
Xfire.exe:2756 UDP 0.0.0.0:1117 *:*
Xfire.exe:2756 UDP 127.0.0.1:1075 *:*

HOWEVER
It just did that stupid connection attempt again...here is the ip and a whois lookup:
IP: 127.0.0.1
Record Type: IP Address
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

It was trying to utilize port 11526. TCPView shows that several apps (upon reboot) are still communicating with that same IP, 127.0.0.1.

Any thoughts? Cause I am unsure. :?
I am currently running Security Task Manager in an effort to better understand the items that are running on my system.
 

RacerChuck

Junior Member
Feb 26, 2004
Edit:

Oops - I posted before I read morkinva's reply.

That program is much more comprehensive than trying to use generic windows components
 

Xtremist

Golden Member
Dec 2, 1999
Well, to start with: the IP you did the lookup on is a reserved IP address that basically means "this computer". No matter what computer you're using, if it's got TCP/IP loaded, that IP means "this computer". FYI, it's a good way to test if the basics of your TCP/IP stack are working correctly, as it takes any sort of external routing out of the equation. At any rate... It appears from your TCPView output that the offending exe is aoltpspd.exe. At least that'd be my guess. Googling it turns out that it's AOL's "Top Speed" technology crap. Are you running AOL? If so, change But either way it appears that's what it is. I would say it's definitely except I don't know if that was taken at the exact time the connection attempt was made.

TCPView will highlight new and exiting processes, and you can turn up the time for it to show this as well (too lazy to tell you where). I'd turn it up to the max (9 sec I believe?) and then see if any new processes were created at the time when it tried to make the connection. If NOT, then it's definitely the AOL crap.

So there ya go, mystery solved
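The reasoning in the post above (127.0.0.1 is this machine; match the port in the alert to the process listening on it) can be done mechanically. The following is an added example, not code from the original thread or from TCPView itself: it parses a TCPView-style listing (the sample rows are copied from Devil2U's post earlier in the thread), reports the LISTENING process for a given port while ignoring the TIME_WAIT rows that TCPView attributes to "[System Process]", classifies each address so that loopback and LAN addresses are not sent off to whois, and lists the listeners that are reachable from outside the machine.

```python
"""Parse TCPView-style socket listings and answer "which process owns port N?".
Added example for the thread above; the sample rows are copied from the TCPView
listing Devil2U posted, the parsing code is not from any tool."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the posted listing: process:pid, protocol, local, remote, state.
TCPVIEW_OUTPUT = """\
[System Process]:0 TCP 127.0.0.1:11526 127.0.0.1:1170 TIME_WAIT
aoltpspd.exe:1816 TCP 127.0.0.1:11526 0.0.0.0:0 LISTENING
aoltsmon.exe:1752 TCP 127.0.0.1:11500 0.0.0.0:0 LISTENING
AVGNT.EXE:2480 TCP 127.0.0.1:1026 127.0.0.1:18350 ESTABLISHED
AVGUARD.EXE:1724 TCP 0.0.0.0:18350 0.0.0.0:0 LISTENING
svchost.exe:1068 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
Xfire.exe:2756 TCP 192.168.0.3:1107 216.136.177.199:25999 ESTABLISHED
Xfire.exe:2756 UDP 0.0.0.0:1106 *:*
"""

LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[^\s:]+):(?P<lport>\d+)\s+(?P<raddr>[^\s:]+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


@dataclass
class Socket:
    process: str
    pid: int
    proto: str
    local_addr: str
    local_port: int
    remote_addr: Optional[str]  # None for UDP's "*:*"
    remote_port: Optional[int]
    state: Optional[str]        # None for UDP rows (no connection state)


def parse_tcpview(text: str) -> List[Socket]:
    """One Socket per non-empty line; raises on anything unrecognised."""
    sockets: List[Socket] = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised TCPView line: {line!r}")
        raddr, rport = m.group("raddr"), m.group("rport")
        sockets.append(Socket(
            m.group("proc"), int(m.group("pid")), m.group("proto"),
            m.group("laddr"), int(m.group("lport")),
            None if raddr == "*" else raddr,
            None if rport == "*" else int(rport),
            m.group("state")))
    return sockets


def classify_address(addr: Optional[str]) -> str:
    """Loopback is 'this machine', 0.0.0.0 is 'every interface', RFC 1918 space
    is the LAN; only 'public' addresses are worth a whois lookup."""
    if addr is None or addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "any"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def find_listener(sockets: List[Socket], port: int, proto: str = "TCP") -> Optional[Socket]:
    """The process accepting connections on `port`. TIME_WAIT rows on the same
    port are already-closed connections that TCPView shows under
    '[System Process]', so only LISTENING rows count as the owner."""
    for s in sockets:
        if s.proto == proto and s.local_port == port and s.state == "LISTENING":
            return s
    return None


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP listeners not bound to loopback: reachable from the LAN, and from the
    internet if the router forwards the port."""
    return [s for s in sockets if s.proto == "TCP" and s.state == "LISTENING"
            and classify_address(s.local_addr) != "loopback"]


def external_peers(sockets: List[Socket]) -> List[Socket]:
    """Established connections whose peer is another machine."""
    return [s for s in sockets if s.state == "ESTABLISHED"
            and classify_address(s.remote_addr) not in ("loopback", "wildcard")]


if __name__ == "__main__":
    socks = parse_tcpview(TCPVIEW_OUTPUT)
    owner = find_listener(socks, 11526)
    if owner:
        print(f"11526/TCP: {owner.process} pid {owner.pid} on {owner.local_addr} "
              f"({classify_address(owner.local_addr)})")
    for s in exposed_listeners(socks):
        print(f"exposed listener: {s.process}:{s.pid} {s.local_addr}:{s.local_port}")
    for s in external_peers(socks):
        print(f"{s.process} -> {s.remote_addr}:{s.remote_port} ({classify_address(s.remote_addr)})")
```

Run against the sample rows it reports 11526/TCP as aoltpspd.exe (pid 1816) bound to loopback, which is the conclusion reached above; the exposed-listener list (18350, 135, 445, 139) is what the LAN can reach, and the only established external peer is Xfire's connection. Take the listing at the moment of the alert, as suggested, since a short-lived connection will not be in a capture made later.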
 

Devil2U

Senior member
Nov 11, 2004
yes, AOL sucks.....it's not my main ISP (dslextreme is) but I have an AOL email account so

thanks for the advice Xtremist. I will put that in action and hopefully get to the bottom of this issue.
I'll keep this updated when I get more info....leaving home for the holidays, so it might be a few weeks.
 

TheLizardMan

Senior member
Aug 29, 2000
Use Sygate as a firewall, you noob. And YES! You need to format NOW! Your comp is slow as a goat!

The windows firewall will only block incoming attacks anyway.
 