
Thread: Dangerous!!please help...

  1. #11
    2nabote Guest

    Re: Dangerous!!please help...

    Sod, Googling service names and posting links to superficial and misleading statements, confirming what we already know, that they are MS services, doesn't help anyone. MS services are a risk to every Wintel box on the planet. We wouldn't even need a firewall if that was not the case, would we? Your responses are obscure, inaccurate, and will cause more trouble than they are worth. Sorry to be blunt, but you are wasting everyone's time on this topic.

    Underwhelmed

  2. #12
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Dangerous!!please help...

    Yes you are absolutely right!
    I will stop wasting my time.

    Oldsod
    Best regards.
    oldsod

  3. #13
    f_kawashima Guest

    A hypothesis

    Hello folks,

    I'm working on a hypothesis, collecting information and testing reproducibility, to suggest that some bug (deriving from June's MS security updates) in the Winlogon process routine could cause inconsistencies in the NTFS file system security features beyond the journal's protective architecture. This could result in or impact ZA 6.5.xxx issues and instabilities in the runtime of network- or security-related applications. Users running ZA 6.5.xxx on a FAT file system computer might not be affected as badly because the FAT system does not implement security.

    I think I'll be back sometime in this week, hopefully so.

    Regards

  4. #14
    hate_virus Guest

    Re: Dangerous!!please help...

    It's a wonder, isn't it?!
    Here are some other attempts by wmiprvse.exe that ZA has blocked:

    OSFW,2006/06/22,22:26:16 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsmon.exe
    OSFW,2006/06/22,22:26:16 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\zlclient.exe
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsmon.exe
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsdata.dll
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsinit.dll
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsutil.dll
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\ssleay32.dll
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\dbghelp.dll
    OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsxml.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\zlcomm.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\zlcommdb.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsdb.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsruledb.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsvault.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\av.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\isafeif.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\imsecure.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\zlquarantine.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\qrbase.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\scheduler.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\zlsre.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\srescan.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\zlparser.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\camupd.dll
    OSFW,2006/06/22,22:26:26 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsavpro.dll
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\zlclient.exe
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vspubapi.dll
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\framewrk.dll
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsmonapi.dll
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\alert.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\email.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\filter.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\firewall.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\idlock.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\imsecure.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\privacy.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\programs.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\scan.zap
    OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\security.zap
    OSFW,2006/06/22,22:26:30 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\isafeproduct.dll

    Because the main logs were archived, I could only post this report here; sorry anyway.

    Message Edited by hate-virus on 07-14-2006 07:16 AM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

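    A small triage helper for OSFW entries like the ones above, added here as an example and not ZoneAlarm code or anything posted in the thread. The field names are my reading of the layout shown, and the sample lines (including the excel.exe entry and the junk line) are constructed; it groups blocked FILE WRITE entries by source process and flags a burst of many distinct product files in a short window, which is the pattern worth a closer look, as opposed to one file opened once.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the OSFW log layout quoted in the thread (not a real capture).
# Field names below are my reading of that layout, not ZoneAlarm documentation.
SAMPLE_LOG = r"""OSFW,2006/06/22,22:26:16 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\ZoneLabs\vsmon.exe
OSFW,2006/06/22,22:26:16 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\zlclient.exe
OSFW,2006/06/22,22:26:24 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,WINSYSDIR\vsdata.dll
OSFW,2006/06/22,22:26:28 +3:30 GMT,BLOCKED,WMI,C:\WINDOWS\system32\wbem\wmiprvse.exe,FILE,WRITE,SRC,ZLDIR\firewall.zap
OSFW,2006/06/22,23:41:05 +3:30 GMT,BLOCKED,EXCEL,C:\Program Files\Office\excel.exe,FILE,WRITE,SRC,ZLDIR\ZALog.txt
this line is deliberately malformed and must be skipped
"""

FIELDS = ["kind", "date", "time", "action", "tag", "process",
          "rtype", "access", "direction", "target"]


def parse_osfw(text):
    """Parse OSFW lines into dicts with a datetime in 'ts' (UTC offset ignored)."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS) or row[0] != "OSFW":
            continue  # tolerate junk lines instead of aborting the whole run
        ev = dict(zip(FIELDS, row))
        clock = ev["time"].split(" ")[0]  # "22:26:16 +3:30 GMT" -> "22:26:16"
        ev["ts"] = datetime.strptime(ev["date"] + " " + clock, "%Y/%m/%d %H:%M:%S")
        events.append(ev)
    return events


def write_bursts(events, window=timedelta(seconds=30)):
    """Summarise blocked FILE WRITE events per source process.

    Returns {process: (distinct_targets, span_seconds, is_burst)}. Many distinct
    product files hit inside one short window (the wmiprvse.exe pattern in the
    thread) deserves a closer look; one file touched once usually is just an
    open for read/write by an ordinary application.
    """
    per_proc = defaultdict(list)
    for ev in events:
        if (ev["action"], ev["rtype"], ev["access"]) == ("BLOCKED", "FILE", "WRITE"):
            per_proc[ev["process"]].append(ev)
    summary = {}
    for proc, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        targets = {e["target"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        summary[proc] = (len(targets), int(span.total_seconds()),
                         len(targets) > 1 and span <= window)
    return summary
```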
  5. #15
    forum_moderator Guest

    Re: A case study

    ZoneAlarm protects its own files, including LOGS. If you were hacked, that is where any evidence would be. So ZA won't let anything touch those files.

    Marcus


  6. #16
    jarvis Guest

    Re: A case study

    One thing to note is that these alerts for FILE WRITE to various ZA files can be generated when a process simply opens the file. It hasn't actually changed or even tried to change it. But maybe it opened it in such a way that it could then proceed to change it.

    If you have ever done any programming you will understand what I mean by "opening a file for read/write". Perhaps the process (WMI) opens various files for read/write when it really only needed to open them read-only. ZA blocks the attempt to open the file for read/write because, if allowed, the process would have a "handle" on that file and could proceed to modify it.

  7. #17
    forum_moderator Guest

    Re: A case study

    As Jarvis says, it could be the coding in that program. You can open a file as RO (Read Only) or as RW (Read-Write). I expect that if a programmer might ever have a need to edit/change a file, he would code it to open the file RW.

    Marcus


  8. #18
    zaswing Guest

    Re: A case study

    Marcus, Tech Support doesn't seem to know about THE CASE STUDY. I've had a similar occurrence in the log just recently. In this case, the log says explorer.exe was attempting to write to ZLDIR\zaunintall.exe and zatutor.exe. I was nowhere near those files. It is possible that I scanned some file, possibly explorer.exe (see below), but I am making that up. No recollection of details. A day or two ago, I submitted a report where I asked Tech Support (ISSUE=489729) whether ZLDIR is a legitimate designation or some scumware addition, and to explain the two log entries. Their answer is that ZLDIR is ok - when you right click a ZA file to scan with ZA. But they did not answer what it is in explorer that was trying to write, how and why.

    I subsequently found this fabulous CASE STUDY and attempted to replicate the Notepad scenario on the log files, as well as make copies of dll and exe files. Not one of those attempts got entered into the log, but I don't know whether the test is a good replication of the CASE STUDY, in that an attempt to copy might not be opening the file RW as jarvis suggests. I can't explain why I can't replicate opening a live log with Notepad. I hope this is coherent enough for you to be able to sift through and explain what's going on. I attach this as a reply here, but please move it out if you prefer it be a new thread.

    Perhaps some of these events are related.

    A day or so prior to installing MS patches on 8/19 (8/8 downloads), I did have some error with explorer.exe. One dump file of some sort got sent to ZL automatically after I permitted the send. But I see several zip or dmp files in \internetLogs and all have explorer in the filename. The same day DrWatson wanted to run on an explorer.exe sudden exit, and DrW actually failed, and a dump went to Microsoft. Looking for a corrupted explorer.exe, I ran scans. All the scans report a clean system (ZA does that job admirably well, keeping it that way). The HijackThis log looks no different than the one I've got from some months ago. I do not permit CCleaner to clean the ZA logs.

    Stuff I use: WindowsXP-home SP2, patched up to date. ZA Security Suite 6.1.744.001 resident, all controls enabled except IM which I don't use. Pest Patrol resident. Lavasoft Ad-Aware, Spybot S&D, CCleaner, a-squared, Ewido free on demand.

  9. #19
    jarvis Guest

    Re: A case study

    I tried opening ZALog.txt with Microsoft Excel, which normally tries to get an exclusive lock on the file to prevent other network users changing the file while you're editing it. (you get the "This file is being modified by User xxx, do you want to Open Read-only?" prompt).

    Anyway, opening the log file with Excel worked, but generated two log entries in ZA saying that Excel was trying to modify the file.

    I'd say whatever explorer is doing involves opening read-write or getting a lock on the file.

  10. #20
    zaswing Guest

    Re: A case study

    Jarvis, this makes perfect sense. I often grab zalog with or without <date> into Word, for instance, and have yet to see such a message/alert. Once I took a log with <date> in it into Excel to parse the fields out, and don't recall the invasion. However, the puzzler for me, as I mentioned in my long blurb, was an attack on the zatutor and zaunistall execs. I swear I wasn't touching them, wasn't running CCleaner, chkdsk, or any such, and can't imagine what process might have triggered explorer to be the final invader. Keep posting more clues and thoughts, please.

    Let's take another angle: what settings for internet access do you have for the Office products? I don't allow any of them to do internet, i.e. "?", and only allow Excel out when it has to go out for help.
