
Thread: !!! vsmon.exe connecting to strange addresses - help!!!

  1. #1
    alias_ Guest

    !!! vsmon.exe connecting to strange addresses - help!!!

    Operating system: Windows XP Pro SP2
    Product: Zonealarm Pro 6.5.722.000 (free)
    file: vsmon.exe (location=C:\WINDOWS\system32\ZoneLabs, size=73.9 KB (75,768 bytes), file version=6.5.722.0)

    Issue: vsmon.exe connecting to strange addresses.


    I noticed lately through TCPView (Sysinternals) that vsmon.exe was connecting to the address 210.61.32.231 at regular intervals (for only a second or less at a time) without any user activity, and more so with user activity (particularly when I open any program, everything from Notepad to PowerDVD to Adobe Acrobat to WinZip and more).

    I also noticed that when I opened a program, that program would take a split second longer to load, and before it had finished loading, a connection would be established with the stated address, then closed almost immediately.

    Believing this to be somewhat odd, I decided to run a couple of online virus scans (Trend Micro, BitDefender) and ran several major spyware scanners to see if there were any bugs on my system. They all came up with nothing significant (vsmon.exe was still connecting to the address in question). I then checked for rootkits with Sysinternals and GMER. Sysinternals RootkitRevealer revealed nothing, and I'm still waiting to hear back from GMER on my scan log. I then tried blocking the address in question, but apparently to no avail. It appeared as though vsmon.exe was still able to make a connection with the address in question, because TCPView showed that if I tried opening any program, a connection was still being "established" to the address a split second before the program had loaded. However, every program loaded faster when vsmon.exe did not establish a connection to the address!

    I did a bit more searching around the web and came across a program called "XP TCP/IP Repair". Ran it, restarted my system, and as Windows was loading up, my desktop screen appeared, but "explorer.exe" didn't appear to load or couldn't be loaded, because the taskmenu didn't appear. I hit Alt+Ctrl+Del and Task Manager came up, but I couldn't load explorer.exe manually so had to restart again. Restarted and then things came back to normal (albeit the startup was a little slower than usual this time round). Back online, I tried to test whether vsmon.exe would connect to 210.61.32.231 again by opening a program in my start menu, but no, instead it began connecting to 64.86.142.90!

    I've run trace scans on both 210.61.32.231 and 64.86.142.90 and hit nothing but "thin air". (210 is apparently from "japan", and the 64 one is supposedly from "boston", according to NeoTrace.)

    I'm completely baffled. I have absolutely no idea what the **bleep** is going on here, and I'm hoping that there is someone here who can shed some light on what is happening and why vsmon.exe (at least on my system) is connecting to these random addresses (even after I've blocked them!).

    Please, help!
    lol

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm (Free)
    Software Version:6.5

    Message Edited by Alias_ on 08-24-2006 06:56 AM

  2. #2
    alias_ Guest

    Re: !!! vsmon.exe connecting to strange addresses - help!!!

    Also, to see my Hijack log, go here ---> http://forums.spywareinfo.com/index....howtopic=83757

  3. #3
    jarvis Guest

    Re: !!! vsmon.exe connecting to strange addresses - help!!!

    Did you ever try the ZA Pro trial and later revert back to ZA Free when it was over?

    The behaviour you describe sounds like ZA connecting to the SmartDefense server to establish a program configuration. SmartDefense can tell ZA whether to allow the program access or server rights or even to kill it and prevent it from running if it is known malware.

    SmartDefense is not active in the free version, but if you used the trial, it could still be active even after reverting to the free version.

    See also this post - SmartDefense used to be called "Program Advisor" (pa2.zonelabs.com) but I have experienced it using ps2.zonelabs.com instead.

    Try using the Windows command NSLOOKUP (do Start --> Run and type nslookup). Type in pa2.zonelabs.com and see what the IP address is, and compare that to TCPView. Also try it with ps2.zonelabs.com.

  4. #4
    alias_ Guest

    Re: !!! vsmon.exe connecting to strange addresses - help!!!

    Hi there Jarvis,

    Thank you for your reply, I appreciate it.

    Did what you suggested. The addresses that come up are different to the ones I had been seeing in the tcp/ip view list.

    Anyway, I ended up reinstalling Windows and all the updates. I then installed ZA version 5.5.094.00 and ran it with no probs, but it wasn't until today, after I installed the latest ZA free version, that I noticed vsmon make a connection to w13.www.narod.ru. I also notice now that every time I go to open a program, whether it be Notepad or whatever, vsmon.exe tries to make a connection to akamaitechnologies, which I think is probably okay, but this also never happened with the previous version I ran.

    I placed vsmon.exe in the programs list and denied it access to both trusted and internet.

    Now whenever I open a program, tcp/ip shows:

    vsmon.exe:xxxx TCP lyricus-101:1480 a210-55-105-39.deploy.akamaitechnologies.com:http SYN_SENT

    Still a bit weird to me though as to why vsmon would connect to akamaitechnologies almost every time I open a program. It slows down my system noticeably. This just doesn't seem normal to me. Does anyone know what's going on?

  5. #5
    alias_ Guest

    Re: !!! vsmon.exe connecting to strange addresses - help!!!

    Ok.

    I finally figured out that the akamaitechnologies address that vsmon was connecting to has something to do with the Program Advisor located under Program Control>Main. Since turning this function off completely it seems that vsmon no longer attempts a connection to akamaitechnologies, and therefore does not slow down my system when I open a program. Sweet!

    Still wondering about w13.www.narod.ru though. Prolly some spyware **bleep** hmmm.

  6. #6
    jarvis Guest

    Re: !!! vsmon.exe connecting to strange addresses - help!!!

    vsmon does a DNS lookup for pa2.zonelabs.com or ps2.zonelabs.com to get the SmartDefense info. ZoneLabs uses Akamai to run servers in various countries to cope with the large number of these requests. They set up the DNS record for pa2.zonelabs.com to point to your nearest Akamai server, or possibly the least busy server. This is why a reverse-DNS lookup or WhoIS for the IP gives you an Akamai address.
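
The check suggested in posts #3 and #6 (forward-resolve the vendor hostnames and compare the answers with what TCPView shows, rather than trusting the reverse-DNS name) can be scripted. This is an added example, not part of the original posts and not ZoneAlarm code; the sample rows, the PID and the stub DNS answers are constructed, and only the two `zonelabs.com` names and the TCPView row layout come from the thread.

```python
import ipaddress
import socket
VENDOR_HOSTS = ("pa2.zonelabs.com", "ps2.zonelabs.com")  # names given in the thread

# Constructed sample in the TCPView layout quoted in post #4 (PID and rows 2-3 invented).
SAMPLE = [
    "vsmon.exe:1234 TCP lyricus-101:1480 a210-55-105-39.deploy.akamaitechnologies.com:http SYN_SENT",
    "vsmon.exe:1234 TCP lyricus-101:1481 198.51.100.7:http ESTABLISHED",
    "notepad.exe:4321 TCP lyricus-101:1482 192.0.2.99:http ESTABLISHED",
]
# Constructed DNS answers for the offline run; these are not real lookup results.
STUB_DNS = {
    "pa2.zonelabs.com": {"210.55.105.39"},
    "ps2.zonelabs.com": {"192.0.2.11"},
    "a210-55-105-39.deploy.akamaitechnologies.com": {"210.55.105.39"},
}

def stub_resolver(name):
    return set(STUB_DNS.get(name, ()))

def system_resolver(name):
    """Forward-resolve a name to a set of IPv4 strings; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def parse_tcpview_line(line):
    """Parse 'proc:pid PROTO local:port remote:port STATE'; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or ":" not in parts[0] or ":" not in parts[3]:
        return None
    host, _, port = parts[3].rpartition(":")
    return {"process": parts[0].split(":")[0].lower(), "remote": host, "port": port}

def classify(lines, resolver=system_resolver, process="vsmon.exe"):
    """Label each remote endpoint of `process` against the vendor hosts' current answers."""
    expected = set().union(*(resolver(h) for h in VENDOR_HOSTS))
    out = []
    for conn in filter(None, map(parse_tcpview_line, lines)):
        if conn["process"] != process:
            continue
        try:  # numeric remote address, or a reverse-DNS name that must be re-resolved
            ips = {str(ipaddress.ip_address(conn["remote"]))}
        except ValueError:
            ips = resolver(conn["remote"])
        verdict = "unresolved" if not ips else "vendor" if ips & expected else "unexplained"
        out.append((conn["remote"], verdict))
    return out
```

Call `classify(SAMPLE, stub_resolver)` for the offline run, or pass real TCPView rows with the default resolver. Because a CDN hands out different answers per resolver and over time, "unexplained" means the endpoint did not match the answers seen at that moment and deserves a closer look, not that it is hostile.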
