#1
ZA pro...New program alert??!
"?&õw©&õwà0üwœ&õw¸Æ is trying to access the internet, would you like to allow this connection?"
I've never seen this before...has anyone else? First off, I denied access for this program, then I hit the "more information" option and here's what it said (and BTW, the IP address the program was trying to access was my loopback address...127.0.0.1. I'm just wondering what this program is). ---> here

Also, the firewall was confused as to whether this was an incoming or outgoing request. Another thing, since it said the IP address that caused the alert was my loopback address 127.0.0.1, I thought there wasn't much need for concern till I read the 'whois' tab on the link I gave above, stating...

"Any address that begins with "127" is a loopback address. The most commonly used loopback address is 127.0.0.1. This address cannot be used as the IP address of a computer on the Internet. It only has meaning on the computer that generated it. Therefore, if this is an inbound alert, the source address was probably forged in order to hide the identity of the sender."

Like I said, I don't know whether it was inbound or out. TIA for any help
__________________
CrAsh
Last edited by crashNburn11; February 17th, 2003 at 06:09 AM.
#2
Hi Crash - Well, I have never seen that before. It might be a good idea if we had a look at your startups.
Go here and download and run Startup List. It will generate a log file. Copy the log and paste it back into this thread.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008 If we have helped you, please consider supporting Cyber Tech Help with a subscription Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you. How to help prevent re-infection
#3
Hey, thanks for the quick response.
StartupList report, 2/17/2003, 2:05:04 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\XXXXXX\Local Settings\Temp\Temporary Directory 1 for startuplist.zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\edited\Local Settings\Temp\Temporary Directory 1 for startuplist.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
DeadAIM = rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

washindex = C:\Program Files\Washer\washidx.exe "Edited"
__________________
CrAsh
#4
No problem but I will need to see the entire log. I cannot see if there might be something on your system by looking at part of it.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008
#5
Oops
... sry, thought I copied the whole thing the first time. Let's try that again...

StartupList report, 2/17/2003, 2:34:49 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\xxxxxx\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\XXXXx\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
DeadAIM = rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

washindex = C:\Program Files\Washer\washidx.exe "XXXXX"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run ServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "XXXXX"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AKiller = "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once

washindex = C:\Program Files\Washer\washidx.exe "XXXXX"

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...663.9163194444

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: |||\??\C:\WINDOWS\Unnero.exe

--------------------------------------------------

End of report, 4,773 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
__________________
CrAsh
#6
Hi Crash - well, your startups are fine. I have searched the Internet and found one very similar incident reported in a security forum. This was the question:

"ZA Pro keeps telling me that the following Advanced Program is trying to connect to the internet through several of my programs, '?&õw©&õwà0üwo&õwÐF."

Unfortunately there was no solution. The poster was advised to run a virus check. However, it also turned out that the same thing happened to another poster after updating ZA. Have you just updated? If so, I would fire off a question to ZA Labs and see what they might have to say about it. In the meantime, don't let it out and run an online virus check here. BTW..disable Norton first. Keep us posted, I would be most interested in what ZA have to say.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008
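The startup review done by eye in this thread can also be scripted. The following is an added example (not part of the thread and not StartupList's own code) that parses the registry autorun sections of a report laid out one item per line and flags entries whose launched file sits in a Temp directory or outside a set of assumed trusted roots; the sample report is constructed, and its `updater` entry is invented to show a flagged result.

```python
import re

# Constructed excerpt in the one-item-per-line layout of a StartupList report.
SAMPLE_REPORT = r'''
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
DeadAIM = rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
updater = C:\Documents and Settings\user\Local Settings\Temp\upd.exe
'''

SECTION_BREAK = re.compile(r"^-{10,}[ \t]*$", re.M)
# Assumption: directories this reviewer treats as expected install locations.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

def launched_file(cmd):
    """Return the file an autorun command loads, not the host that loads it."""
    cmd = cmd.strip()
    host = re.match(r"(?i)rundll32(\.exe)?\s+(.*)", cmd)
    if host:                                  # payload is rundll32's DLL argument
        cmd = host.group(2)
    if cmd.startswith('"'):                   # quoted path: take up to closing quote
        return cmd[1:].partition('"')[0]
    if host:
        return cmd.split(",")[0]
    exe = re.match(r"(?i)(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)", cmd)
    return exe.group(1) if exe else cmd.split()[0]

def parse_autoruns(report):
    """Yield (registry key, value name, launched file) for each autorun entry."""
    entries = []
    for section in SECTION_BREAK.split(report):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if len(lines) < 2 or not lines[0].startswith("Autorun entries from Registry"):
            continue
        for line in lines[2:]:                # lines[1] is the registry key
            name, sep, cmd = line.partition(" = ")
            if sep:
                entries.append((lines[1], name, launched_file(cmd)))
    return entries

def needs_review(path):
    p = path.lower()
    return "\\temp\\" in p or not p.startswith(TRUSTED_ROOTS)

def flagged(report):
    return [name for _, name, path in parse_autoruns(report) if needs_review(path)]
```

A flagged entry is only a prompt to look at the file; a clean result says nothing about startup mechanisms outside the Run keys.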
#7
Hey, thanks for checking though.
Well, I read the same post as you, and performed the same steps (virus scan etc..)...nothing turned up. I just went ahead and reinstalled (and updated) ZA...hasn't been back since. I will also try and drop ZA staff an email.
__________________
CrAsh
#8
Sounds like it might be a bug in ZA, Crash. Let us know what ZA Labs say when they reply.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008
All times are GMT +1. The time now is 03:58 AM.