Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 22

Thread: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

  1. #11
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    http://windowsxp.mvps.org/winsock.htm after trying ASquared from emsisoft.com I would recommend the Ad-Aware SE from lavasoft.de with the LSP Explorer addin to review and understand what is happening with the LSP.
    http://www.sysinternals.com/Utilities/TcpView.html for viewing what process is what port.
    http://www.majorgeeks.com/download4521.html is the easy way to repair TCP/IP (free and recommended).
    Take care and TTYL Oldsod

    Message Edited by Oldsod on 05-12-2006 06:12 AM

    Operating System:
    Windows XP Home Edition
    Product Name:
    ZoneAlarm Pro
    Software Version:
    6.1
    If you are using skynet as a provider, yes blocking off the server will stop your internet service.

    Message Edited by Oldsod on 05-12-2006 06:14 AM
    Best regards.
    oldsod

  2. #12
    andrew_be Guest

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi Oldsod,

    I uninstalled XoftSpy, no changes, still this **bleep**ed connection to "mail.lamediatheque.be", but what is strange now I see that the is allocated to IP 194.78.133.200 (81.246.38.117 as well, found by "SmartWhois").
    I checked all the processes using Essential NetTools: vsmon.exe is the right one, no vsmon.exe running from /system32/vsmon.exe
    The legitimate key for Zone Labs is the right one, nothing suspicious in the registry, everything looks like according to what I read here:
    http://download.zonelabs.com/bin/fre...yAlert/13.html
    PestPatrol, Lavasoft, Spysweeper, V-Com, Panda etc: none of them finds something suspicious after a full scan.
    I still don't understand...
    Very strange.

    Thanks man,

    Andrew


    Here below the content of the TCP stream to/from "mail.lamediatheque.be", Ethereal gives something similar:

    192.168.0.100=>mail.lamediatheque.be:80*370 bytes in i packet(s)
    GET /1/?A3L6YrAvbSdMnBFPUzui9WCiYVaTZFOnYqTcZZepv7jZUmVna XN0cnkgRWRpdG9yADUuMDAuMjE5NS42NzA3AE1pY3Jvc29mdCB Db3Jwb3JhdGlvbgBFbmdsaXNoIChVbml0ZWQgU3RhdGVzKQBDO lxXSU5OVFxyZWdlZGl0LmV4ZQA2LzE5LzIwMDMgMTI6MDU6MDQ %3D HTTP/1.1
    Host: pa2.zonelabs.com
    Accept-Encoding: gzip
    Accept: */*
    Content-Type: text/plain
    User-Agent: ZoneAlarm/6.1.744.001 (oem-1025; en-US) ZSP/2.1

    mail.lamediatheque.be:80=>192.168.0.100:1619*80 5 bytes in 1 packet(s)
    HTTP/1.1 200 OK
    Content-Length: 558
    Content-Type: application/octet-stream
    Last-Modified: Fri, 12 May 2006 08:29:55 GMT
    Response-Code: 200
    Expires: Fri, 12 May 2006 19:17:21 GMT
    Date: Fri, 12 May 2006 10:24:00 GMT
    Connection: keep-alive

    ZPDOCBIN..........
    [remainder of the 558-byte binary response body: non-printable data, omitted here]

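    The request line in the stream above is not encrypted: the query string is URL-encoded base64, and the Host header names a different machine than the one the packet went to. The script below is an added analysis example, not code from the thread or from Zone Labs. It assumes the spaces inside the query are forum line-wrapping artifacts (stripped before decoding), that NUL bytes separate the fields of the decoded payload, and it treats the leading non-printable bytes as an opaque prefix without interpreting them. The capture text is copied from the post above.

```python
"""Decode the vsmon.exe HTTP request captured in the post above (added example)."""
import base64
import re
import urllib.parse

# Copied from the stream dump in the post: destination line, request line, headers.
CAPTURE = """192.168.0.100=>mail.lamediatheque.be:80*370 bytes in i packet(s)
GET /1/?A3L6YrAvbSdMnBFPUzui9WCiYVaTZFOnYqTcZZepv7jZUmVna XN0cnkgRWRpdG9yADUuMDAuMjE5NS42NzA3AE1pY3Jvc29mdCB Db3Jwb3JhdGlvbgBFbmdsaXNoIChVbml0ZWQgU3RhdGVzKQBDO lxXSU5OVFxyZWdlZGl0LmV4ZQA2LzE5LzIwMDMgMTI6MDU6MDQ %3D HTTP/1.1
Host: pa2.zonelabs.com
Accept-Encoding: gzip
Accept: */*
Content-Type: text/plain
User-Agent: ZoneAlarm/6.1.744.001 (oem-1025; en-US) ZSP/2.1
"""


def parse_capture(text):
    """Split the dump into destination host/port, request target and headers."""
    lines = text.splitlines()
    m = re.match(r"^\S+=>([^:]+):(\d+)\*", lines[0])
    dest_host, dest_port = m.group(1), int(m.group(2))
    # Request line is "GET <target> HTTP/1.1"; the forum wrapped the target with
    # spaces, so take everything up to the trailing " HTTP/" and drop the spaces.
    method, rest = lines[1].split(" ", 1)
    target, _, version = rest.rpartition(" HTTP/")
    target = target.replace(" ", "")
    headers = {}
    for line in lines[2:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"dest_host": dest_host, "dest_port": dest_port, "method": method,
            "target": target, "http_version": version, "headers": headers}


def host_mismatch(parsed):
    """True when the HTTP Host header does not name the host the packet went to.
    This is the check worth running first: a client that says one name but
    talks to another address deserves a closer look."""
    return parsed["headers"].get("host", "").lower() != parsed["dest_host"].lower()


def decode_query(target):
    """URL-decode and base64-decode the query, then split it on NUL bytes.
    Returns the raw length, the length of the opaque leading prefix, and the
    printable fields as strings."""
    query = target.partition("?")[2]
    raw = base64.b64decode(urllib.parse.unquote(query))
    parts = raw.split(b"\x00")
    # The first part starts with non-printable bytes; keep only its printable tail.
    first = parts[0]
    prefix_len = 0
    while prefix_len < len(first) and not all(32 <= b < 127 for b in first[prefix_len:]):
        prefix_len += 1
    fields = [first[prefix_len:].decode("ascii")]
    fields += [p.decode("ascii", errors="replace") for p in parts[1:]]
    return {"raw_len": len(raw), "prefix_len": prefix_len, "fields": fields}


def report(text=CAPTURE):
    """Return a short human-readable summary of the captured request."""
    parsed = parse_capture(text)
    decoded = decode_query(parsed["target"])
    out = [f"destination: {parsed['dest_host']}:{parsed['dest_port']}",
           f"Host header: {parsed['headers'].get('host')}",
           f"Host mismatch: {host_mismatch(parsed)}",
           f"payload: {decoded['raw_len']} bytes, {decoded['prefix_len']}-byte opaque prefix"]
    out += [f"  field[{i}] = {f!r}" for i, f in enumerate(decoded["fields"])]
    return "\n".join(out)


if __name__ == "__main__":
    print(report())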
  3. #13
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi. The TrueVector service, commonly known as vsmon.exe, is found in C:\WINDOWS\system32\ZoneLabs\vsmon.exe. I would add it to the program list (hit the add button and search for it in the viewer). Then give it super with all red check marks for any internet accesses and server rights (include email). Does it go internet or has it stopped? If it is still accessing the internet, it is not the firewall and is probably a worm. Oldsod
    Best regards.
    oldsod

  4. #14
    andrew_be Guest

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi Oldsod,

    I added vsmon.exe in the Program Control list and blocked all Internet accesses, including mail: I lost access to Internet, including mail.

    I'm gonna run a full system scan in safe mode with no networking; that should be enough in a first step.

    Thanks!

    Andrew

  5. #15
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    It is quite possible it is in the tcp/ip stack. It may be corrupted and require repair. The earlier posts I gave have sufficient links to help find, remove, repair the tcp/ip lsp, and hopefully get the machine clean. ASquared from emsisoft.com is an excellent worm detector. The Ewido from ewido.net is also recommendable. Both are free to use and free to update! Again, blocking off the servers from your provider in your pc will result in a loss of internet. Worms propagate very fast, so it is good to get it early before it spreads in your pc. Also do not send any mail to anyone, lest it spreads. Worms can be easily picked up from the internet (they often float around looking for a place to set up as a home) or dubious installs or from emails (corrupted servers or infected senders). Take care Oldsod

    Message Edited by Oldsod on 05-12-2006 08:12 AM
    Best regards.
    oldsod

  6. #16
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    http://www.microsoft.com/security/incident/zotob.mspx does show older Windows OS such as Windows 2000 are more vulnerable to worm infections than the Windows XP SP2. If you actually find any file related to the worm, try sending the file to here for an excellent multiple scan. http://virusscan.jotti.org/ I would highly recommend an entire scan of your pc from Kaspersky using the IE6. It will scan, detect and remove. http://www.kaspersky.com/virusscanner
    An alternative would be the TrendMicro
    http://housecall.trendmicro.com/
    Oldsod
    http://www.bitdefender.com/scan8/ is also very good.

    Message Edited by Oldsod on 05-12-2006 08:32 AM
    Best regards.
    oldsod

  7. #17
    andrew_be Guest

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi,

    Thanks one more time!
    I'm gonna try what you suggest ASAP.

    Other things I found: the packets sent contain "ZPDOCBIN", a Google search found 3 interesting bookmarks, one of them:
    http://www.broadbandreports.com/foru...=9999~start=20

    So it seems that ZaPro itself sends these packets, encrypted; nobody seems to have an answer nor the ZA team seemed to give any explanation about it...

    Still I'll scan my machine using the antivirus you mention.

    Thanks man!

    Andrew

    PS: I'll be "off" for a couple of hours

  8. #18
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi Are you using version 6.1.744.001 or an earlier version of ZA? Are you using a Beta? Have you seen or heard about,
    http://download.zonelabs.com/bin/fre...005/pr_22.html Will be back in the afternoon (my time).
    Oldsod

    Message Edited by Oldsod on 05-12-2006 09:16 AM
    Best regards.
    oldsod

  9. #19
    andrew_be Guest

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    Hi,

    I'm using ZaPro 6.1.744.001, official release.

    What I read about "ZPDOCBIN" which is sent in the packets seems to indicate that it's a process made by ZoneLabs itself, but nobody seems to know what is the purpose and content of ZPDOCBIN... ZoneLabs doesn't give any explanation either.

    http://www.dslreports.com/forum/rema...=flat~start=20

    Thanks a lot,

    Andrew

  10. #20
    Join Date
    Dec 2005
    Posts
    9,056

    Re: ZaPro 6.1.744.001: vsmon.exe strange access to IP 81.246.38.117

    http://forum.zonelabs.org/zonelabs/b...ssage.id=17380 Servers used by ZA. ZA version 6.1.744.001 has no phone home problems. Previous versions do have it. See previous link for disabling phone home. Oldsod
    http://www.security.nl/forum/i/90633/ How is your Dutch?

    Message Edited by Oldsod on 05-12-2006 10:20 AM
    http://seclists.org/lists/fulldisclo.../Feb/0080.html For a second opinion

    Message Edited by Oldsod on 05-12-2006 10:25 AM
    Best regards.
    oldsod
