Operating system: Windows XP Pro SP2
Product: Zonealarm Pro 6.5.722.000 (free)
file: vsmon.exe (location=C:\WINDOWS\system32\ZoneLabs, size=73.9 KB (75,768 bytes), file version=6.5.722.0)
Issue: vsmon.exe connecting to strange addresses.
I noticed lately thru tcpview (systernals) that vsmon.exe was connecting to the address 126.96.36.199 at regular intervals (for only a second or less at a time) without any user activity, and more so with user activity (particularly when i open any program from everything including notepad to powerdvd to adobe acrobat to winzip and more).
I also noticed that when i opened a program, that program would take a split second longer to load, and before it had finished loading, a connection would be established with the stated address, then closed almost immediately.
Believing this to be somewhat odd, i decided to run a couple online virus scans (trendmicro, bitdefender) and ran several major spyware scanners to see if there were any bugs on my system. They all came up with nothing significant (vsmon.exe was still connecting to the address in question). I then checked for rootkits with systernals and gmer. Systernals rootkitrevealer revealed nothing, and im still waiting to hear back from gmer on my scan log. I then tried blocking the address in question, but apparently to no avail. It appeared as though vsmon.exe was still able to make a connection with the address in question, because tcpview showed that if i tried opening any program, a connection was stil being "established" to the address a split second before the program had loaded. However, every program loaded faster when vsmon.exe did not establish a connection to the address!
I did a bit more searching around the web and came across a program called "XP TCP/IP Repair". Ran it, restarted my system, and as windows was loading up, my desktop screen appeared, but "explorer.exe" didnt appear to load or couldnt be loaded, because the taskmenu didnt appear. I hit Alt+Ctrl+Del and taskmangr came up, but i couldnt load explorer.exe manually so had to restart again. Restarted and then things came back to normal (albeit, the startup was a little slower than usual this time round). Back online, and tried to test to see if vsmon.exe would connect to 188.8.131.52 again by opening a program in my start menu, but no, instead it began connecting to 184.108.40.206 !
Ive run trace scans on both 220.127.116.11 and 18.104.22.168 and hit nothing but "thin air". (210 is apparently from "japan", and the 64 one is supposedly from "boston", according to neotrace)
I'm completely baffled. I have absolutely no idea what the **bleep** is going on here, and im hoping that there is someone here who can shed some light on what is happening and why vsmon.exe (at least on my system) is connecting to these random addresses (even after ive blocked them!).
Operating System:Windows XP Pro
Product Name:ZoneAlarm (Free)
Message Edited by Alias_ on 08-24-2006 06:56 AM