Thread: Malware interfering with ZoneAlarm firewall

  1. #1
    rob_c Guest

    Default Malware interfering with ZoneAlarm firewall



    The following happened last weekend. Can anyone identify the malware from the description below and say what else it does?

    The key points are that the malware:

    - Attempts to run itself on start-up even when set not to
    - Disables Zone Alarm (Client at least), sets itself to be allowed access to the internet and, after setting Zone Alarm to deny it access to the internet, it deletes Zone Alarm exe files from the hard drive!
    - Attempts to stop HijackThis from running
    - LAN communications have been affected

    Sequence of events:

    I noticed the ZoneAlarm icon wasn't showing in the task bar as it usually does.

    The Windows Close Program dialogue box showed that smss and csrss were running and Zone Alarm client, which normally runs on start-up, wasn't.

    [Because the only OS I have ever run is Win98SE (and not XP or 2000) this indicates to me that a virus or Trojan was likely to be present (because Win98SE doesn't have smss or csrss, and a number of Trojans use these filenames, which are the same as genuine ones used by XP and 2000, and which XP and 2000 will not close.)]

    I ran Zone Alarm and noticed that smss/csrss (by which I mean smss or csrss - I can't remember which) was set to allow access to the internet without confirmation being required.

    I ran msconfig and saw that smss/csrss was listed and set to run at start-up. I used msconfig to set it to not start.

    I set Zone Alarm to always deny smss/csrss access to the internet.

    The next time I restarted the PC, Zone Alarm failed to run and I discovered zonealarm.exe and zlclient.exe files (and only these two from the ZoneAlarm folder) had been deleted!

    Msconfig showed that smss/csrss had reinstated itself to run on startup.

    I attempted to start HijackThis but it closed down within about 3 seconds on each of the 4 attempts I made.

    I saved the current registry using regedit and restored in turn previous registries back as far as 9 months ago, but in each case smss/csrss ran on start-up, so I restored the current registry.

    Using Windows Close Program I ended smss/csrss. [I was probably able to do this only because Win98SE doesn't use it, while 2000 and XP would think it was their own file and not allow it to be closed.] I was then able to open HijackThis normally.

    I compared the HijackThis report with reports I'd saved from previous scans which I'd routinely taken when things seemed to be operating OK. I deleted a number of keys.

    ZoneAlarm now runs on start-up and smss/csrss doesn't, so I seem to have achieved something.

    However, communications with my other PC (via a router) have stopped. For this I use the NetBEUI protocol. Both PCs can access the internet (via the router) so TCP/IP (dynamic addressing) works OK. When I connect the 2 PCs directly (not via the router) they still don't recognise each other's existence.

    I'm still trying to sort this problem and I'm wondering if the malware was trying to force LANs to operate with TCP/IP when the option was available.

    I've moved csrss.exe, smss.exe and csrss.ini along with the folder they were in to a different location. The folder had a seemingly random 8-letter name and came directly under windows\system.

    Is there any more I should be doing to deal with the aftermath of this infection?

    Operating System: Windows 98-SE (Second Edition)
    Product Name: ZoneAlarm (Free)
    Software Version: 6.0

  2. #2
    mnaines Guest

    Default Re: Malware interfering with ZoneAlarm firewall

    CSRSS.exe is a Windows system file, which is why you are getting that response. It's a harmless file that the OS uses, so there is no need to deny it access to the internet.

  3. #3
    rob_c Guest

    Default Re: Malware interfering with ZoneAlarm firewall

    Thanks for your reply, mnaines. However, as I pointed out in the square brackets, there is malware about that calls itself csrss.exe. (Try a Google search on csrss.) The Microsoft file is, as you say, harmless, but if it's not in the correct folder this indicates the likelihood of it not being an MS file and that malevolence is at play. In my case this is further supported by the fact that Win98SE doesn't use csrss.exe and by the symptoms I described. Malware uses the name csrss because of Windows XP and 2000's failure to distinguish the disguised file from its own file and so it won't shut it down.
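The path-based reasoning in this post (a legitimate csrss.exe or smss.exe lives in the system directory; the same name elsewhere, or on an OS that has no such process at all, is suspect) can be turned into a simple check over a list of running process images. The following is an added example written for this thread, not code from the forum, from ZoneAlarm or from HijackThis; it assumes the Windows directory is C:\WINDOWS and that the genuine files sit in system32, and the process paths it scans are constructed to mirror the random 8-letter folder described above.

```python
import ntpath

# Process names that Windows 2000/XP run from the system directory and that
# the thread reports being borrowed by malware. (Constructed for this example.)
NT_SYSTEM_NAMES = {"csrss.exe", "smss.exe"}


def _norm(path):
    """Normalise a Windows path for comparison (lower-case, '\\' separators)."""
    return ntpath.normcase(ntpath.normpath(path))


def flag_masquerading_processes(image_paths, windows_dir=r"C:\WINDOWS",
                                os_ships_nt_processes=True):
    """Return (path, reason) for each process whose file name matches a
    protected NT name but which is not where the genuine file lives.

    image_paths           -- full paths of running process images
    windows_dir           -- the Windows directory (assumption: C:\\WINDOWS)
    os_ships_nt_processes -- False for Win9x, which has no csrss/smss at all,
                             so any such process is suspect whatever its path
    """
    expected_dir = _norm(ntpath.join(windows_dir, "system32"))
    findings = []
    for image_path in image_paths:
        name = ntpath.basename(image_path).lower()
        if name not in NT_SYSTEM_NAMES:
            continue
        if not os_ships_nt_processes:
            findings.append((image_path, "this OS has no such system process"))
            continue
        if _norm(ntpath.dirname(image_path)) != expected_dir:
            findings.append((image_path, "not in " + expected_dir))
    return findings


# Constructed sample: one genuine csrss, two copies under a random 8-letter
# folder beneath windows\system (as in the thread), and one unrelated process.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\SYSTEM\XKQPLMNR\csrss.exe",
    r"C:\WINDOWS\SYSTEM\XKQPLMNR\smss.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    # On Win98SE every csrss/smss is suspect; on XP only the misplaced copies.
    for os_name, ships in (("Win98SE", False), ("WinXP", True)):
        print(os_name)
        for path, reason in flag_masquerading_processes(
                SAMPLE_PROCESSES, os_ships_nt_processes=ships):
            print("  SUSPECT", path, "-", reason)
```

The comparison is done on normalised paths so that case differences and forward slashes in a process listing do not hide a genuine file or let a copy slip past; the same check could be applied to start-up entries read from msconfig, since the thread notes the rogue copies re-added themselves there.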

  4. #4

    Default Re: Malware interfering with ZoneAlarm firewall


    Rob-C wrote:
    > Thanks for your reply, mnaines. However, as I pointed out in the square brackets, there is malware about that calls itself csrss.exe. (Try a Google search on csrss.) The Microsoft file is, as you say, harmless, but if it's not in the correct folder this indicates the likelihood of it not being an MS file and that malevolence is at play. In my case this is further supported by the fact that Win98SE doesn't use csrss.exe and by the symptoms I described. Malware uses the name csrss because of Windows XP and 2000's failure to distinguish the disguised file from its own file and so it won't shut it down.

    Nice reasoning. Furthermore, I don't think the legitimate csrss.exe needs to access the internet.
    My first move will be to totally reinstall as the malware may have already corrupted ZA.

  5. #5
    rob_c Guest

    Default Re: Malware interfering with ZoneAlarm firewall

    Good point. I've recently (since the attack and after dealing with it all) upgraded to the latest version 6.1, which I did without uninstalling the previous version. I also allowed it to use my previous settings. Will this have done the job of dealing with any corruption? All my settings still look OK and I've had no further problem. However, I think I'm going to answer my own question by saying that the only way I can be sure is to remove ZA completely, then re-install from scratch.

  6. #6

    Default Re: Malware interfering with ZoneAlarm firewall


    Rob-C wrote:
    > However, I think I'm going to answer my own question by saying that the only way I can be sure is to remove ZA completely, then re-install from scratch.

    This will be safer.

  7. #7
    spm Guest

    Default Re: Malware interfering with ZoneAlarm firewall

    Hi, Chiawaikian ... you said that you don't think the legitimate csrss.exe needs to access the internet. This is the Client/Server Runtime file in MS XP. I don't understand ... how can it be the Client/Server Runtime service and not need to access the internet? Sorry if this is a dumb question ... the file I have listed in Program Control in ZASS appears to be the legitimate file (correct path) and is set to System by SmartDefense. System auto settings give it access to the internet but not server or mail access. Is that what you meant? That it doesn't act as a server to the internet? Thanks for any info ... spm
