
Thread: Blocked Intrusions, Same source

  1. #1
    concerned_user Guest

    Default Blocked Intrusions, Same source

    About half of the intrusions shown in the Zone Labs log are from the same IP address.
    It seems to belong to a user at the same ISP I use (a local company).
    Is someone I know trying to hack my computer?

    Operating System:
    Windows XP Home Edition
    Product Name:
    ZoneAlarm Internet Security Suite
    Software Version:

    Message Edited by concerned_user on 01-29-2007 06:11 AM

  2. #2
    Join Date
    Dec 2005

    Default Re: Blocked Intrusions, Same source

    What is the IP and the port(s) involved?

    Best regards.

  3. #3
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    The source IP is 65-165-164-8-????
    The last 4 digits seem to be different.
    The port is different; for example, in the length of time it took me to log in to the forum and check the Zone Alarm log for the address, I got 5 notices of blocked intrusions, all from this IP.
    The ports were TCP 3684, TCP 3738, TCP 3730, TCP 3671, and TCP 3621.
    Thank you for your help. This is worrying me, esp. because recently my computer has shown symptoms of malware, a virus or something (slowing, crashing, eccentric glitches etc.), although several programs besides ZA haven't found anything.
    I'm afraid my computer is being hacked or attacked.

  4. #4
    Join Date
    Dec 2005

    Default Re: Blocked Intrusions, Same source


    A). Have the DNS and DHCP servers been added as Trusted in the Zones of the Firewall of the ZA? If the ZA is misconfigured, then the intrusions could be a false reading or misleading...

    Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.:

    1. Go to Run, type in command, hit 'ok', and type ipconfig /all, then press enter. In the returned data list there will be a line for DNS and DHCP Servers with the IP address(es) listed out to the side.
    2. In ZA on your machine on the Firewall>Zones tab click Add and then select IP Address. Make sure the Zone is set to Trusted.
    3. Click OK and then Apply and see if that works to fix it.
    4. The loopback or localhost ( must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    B). Does your printer software or the spoolsv.exe have access to the Internet Zone or server rights for the Internet Zone? Is File and Printer Sharing enabled in the
    Properties of the Network Connections?

    C). Have you contacted your Internet provider and made an inquiry about this? They can give information about these events, and if there is a hacker on their network, they can easily track the individual(s) down. They will require the logs found in C:\WINDOWS\Internet Logs, called zalog.txt.
    Please do not delete these or lose these as they are proof of any hacking events. They will have to be forwarded to your provider and they will examine the logs and they will have physical proof from your end to match their server's logs.

    D). Ports and trojan matches (but not limited to what I found)

    Zero trojans matched the ports listed.

    E). Okay lets try some scans and maybe we can find some trojan or malware:

    Online scans (free) , use the IE browser since they use activeX and use all three:

    Scanner (free) to download and just run:

    Freeware scanners for download/install/update and run and use all three:

    Please remember to file the names of infections, plus the sizes, time/dates, locations and any possible information given by the scanners.

    Once these scans are completed, then try an HJT forum (just choose one forum):

    HJT forums are free, have expert advice, and most often the given advice will clean the PC from any thing missed or unremovable.


    Message Edited by Oldsod on 01-29-2007 10:37 PM
    Best regards.

  5. #5
    Join Date
    Dec 2005

    Default Re: Blocked Intrusions, Same source

    Okay this is the result of a trace route (in the command) for this IP:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SKYRIDER>tracert

    Tracing route to []
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.x.x
    2 9 ms 6 ms 8 ms
    3 8 ms 8 ms 6 ms 66.x.x.x
    4 8 ms 10 ms 6 ms "edited"
    5 11 ms 8 ms 8 ms "edited"
    6 8 ms 9 ms 7 ms 66.x.x.x
    7 24 ms 24 ms 23 ms "edxited"
    8 110 ms 111 ms 112 ms []
    9 112 ms 113 ms 115 ms []
    10 112 ms 111 ms 113 ms []
    11 112 ms 114 ms 114 ms []

    12 115 ms 115 ms 114 ms [
    13 273 ms 223 ms 277 ms []

    14 227 ms 224 ms 300 ms []

    15 222 ms 221 ms 220 ms []
    16 184 ms 184 ms 191 ms []
    17 239 ms 239 ms 308 ms []
    18 533 ms 415 ms 425 ms []

    Trace complete.

    C:\Documents and Settings\SKYRIDER>


    This is the result for the ping (in the command):

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SKYRIDER>ping

    Pinging with 32 bytes of data:

    Reply from bytes=32 time=695ms TTL=113
    Reply from bytes=32 time=520ms TTL=113
    Reply from bytes=32 time=454ms TTL=113
    Reply from bytes=32 time=531ms TTL=113

    Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 454ms, Maximum = 695ms, Average = 550ms

    C:\Documents and Settings\SKYRIDER>


    The nslookup command for the IP failed. It got stuck at my OpenDNS servers and went nowhere.

    I tried the IP in the browser using the http port and the ports listed and no connections were made. Yes, the IP address itself can be entered in the address bar of the browser instead of URLs.


    Take care.

    Best regards.

  6. #6
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    Thank you for your help (and patience).
    I'm not familiar with the meaning of these codes.
    Does this mean someone with the user name SkyRider is trying to hack my computer, or something called SkyRider is on my computer?
    I'm on my way to work, so I haven't had time to try the suggestions in your previous message (although I've already run some of the programs, and my computer hangs when I try the online scanners). I'm going to try the other suggestions as soon as I can.
    I can't thank you enough for your help!

  7. #7
    Join Date
    Dec 2005

    Default Re: Blocked Intrusions, Same source

    Please do not interpret the SkyRider as a threat. It is just the copy and paste of the result from the command. SkyRider is the name of my PC/User Name. I am quite sure your PC has its own name or you have your own name or some special name.

    In fact I call all my machines the same name and always use the same user name. I never register the PCs with any personal information. It makes life easier for me and it confuses Microsoft- they still have no idea of who I am or have any personal information about me.

    I was merely showing the attempts made to find and contact this server.

    Make sure the full time guard of the resident antivirus is disabled, when doing the online scans. Or in other words disable the antivirus in the ZASS before doing the online scans- that way there is no interference from having two antiviruses run at the same time.

    If the scanners have a difficulty in scanning when the PC is actually booted and running the OS, then try a free DOS scanner that will scan the PC when it is still not actually running ( in many ways this is a superior scan since it has nothing hindering it):

    Note you may need F12 to boot from the D drive (CD/DVD drive) to do the scans. It may be complicated the first few times, but after that it is easy. Don't forget the Enter key after the commands. You may actually need some help with this type of scan from a knowledgeable friend or colleague.


    Message Edited by Oldsod on 01-30-2007 10:53 AM
    Best regards.

  8. #8
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    I have tried the suggestions in your previous message.
    The scanning programs found some tracking cookies but nothing else.
    In ZA my DNS servers were not set to trusted, however changing this did not stop the problem.
    In the results of ipconfig it showed DHCP enabled: NO.
    The printer ports and spoolsv.exe
    do not have internet access.
    I have been studying the ZA log more closely, and realized that not all alerts are from the IP ending in .8; there are multiple 65.165.164 addresses, but the endings are .8, .66, .53, .45, .4, .22, .10 and .29.
    Within the last three days (and I've been online very little because I've been at work most of the day) there have been 63 blocked intrusions from 65.165.164 addresses.
    Of them 15 were http, 2 were https, 4 were NetBios, 5 were sent to port 135, 1 sent to port 4444, 1 sent to port 8721, 4 were routed, 2 outgoing, and 29 sent to port 445.
    My computer is not networked. The alerts seem to come in batches; for example, this morning there were 8 alerts in less than 7 minutes.
    Thank You for all of your help
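    The kind of log review the post above does by hand, as an added example that is not from the thread: Python that parses firewall entries in a ZoneAlarm-like comma-separated layout (the layout and every entry are constructed for this example, not copied from the poster's zalog.txt), then counts inbound blocks per source /24 network and per targeted port with its service name, finds the densest burst inside a seven-minute window, and notes whether the remote side opened the connection (a high, ephemeral source port). The 65.165.164 network and the 7-minute burst figure come from the post; the port labels are well-known service assignments.

```python
from bisect import bisect_right
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample entries: type, date, time, source, destination, protocol.
# The layout is modelled loosely on a ZoneAlarm text log but is made up here;
# the addresses are the thread's 65.165.164 block plus documentation ranges.
SAMPLE_LOG = """\
FWIN,2007/01/29,06:00:10 -5:00 GMT,65.165.164.8:3684,192.168.1.10:445,TCP
FWIN,2007/01/29,06:00:42 -5:00 GMT,65.165.164.66:3738,192.168.1.10:445,TCP
FWIN,2007/01/29,06:01:15 -5:00 GMT,65.165.164.53:3730,192.168.1.10:135,TCP
FWIN,2007/01/29,06:02:03 -5:00 GMT,65.165.164.8:3671,192.168.1.10:139,TCP
FWIN,2007/01/29,06:03:30 -5:00 GMT,65.165.164.45:3621,192.168.1.10:445,TCP
FWIN,2007/01/29,06:04:11 -5:00 GMT,65.165.164.22:1080,192.168.1.10:4444,TCP
FWIN,2007/01/29,06:05:47 -5:00 GMT,65.165.164.10:2231,192.168.1.10:80,TCP
FWIN,2007/01/29,06:06:20 -5:00 GMT,65.165.164.29:2390,192.168.1.10:445,TCP
FWIN,2007/01/29,18:40:05 -5:00 GMT,65.165.164.4:4125,192.168.1.10:445,TCP
FWIN,2007/01/29,18:52:33 -5:00 GMT,203.0.113.77:51234,192.168.1.10:443,TCP
FWOUT,2007/01/29,18:53:00 -5:00 GMT,192.168.1.10:1045,203.0.113.5:80,TCP
"""

# Well-known service names for the ports the thread mentions.
PORT_LABELS = {
    80: "HTTP", 443: "HTTPS",
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    445: "SMB over TCP",
    4444: "TCP 4444 (Blaster worm backdoor port)",
}


def parse_log(text):
    """Turn log lines into dicts with a datetime and split IP:port fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, date, clock, src, dst, proto = line.split(",")[:6]
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        entries.append({
            "direction": "in" if kind == "FWIN" else "out",
            # "06:00:10 -5:00 GMT" -> keep the local clock time only
            "time": datetime.strptime(f"{date} {clock.split()[0]}",
                                      "%Y/%m/%d %H:%M:%S"),
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto,
        })
    return entries


def inbound(entries):
    return [e for e in entries if e["direction"] == "in"]


def count_by_source_network(entries, prefix_len=24):
    """Inbound blocks grouped by the source's /prefix_len network."""
    counts = Counter()
    for e in inbound(entries):
        net = ipaddress.ip_network(f'{e["src_ip"]}/{prefix_len}', strict=False)
        counts[str(net)] += 1
    return counts


def count_by_target_port(entries):
    """Inbound blocks grouped by (destination port, service label)."""
    counts = Counter()
    for e in inbound(entries):
        counts[(e["dst_port"], PORT_LABELS.get(e["dst_port"], "other"))] += 1
    return counts


def largest_burst(entries, window=timedelta(minutes=7)):
    """Start time and size of the busiest window of alerts (sliding window)."""
    times = sorted(e["time"] for e in entries)
    best_start, best_count = None, 0
    for i, start in enumerate(times):
        count = bisect_right(times, start + window) - i
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


def initiated_remotely(entry):
    """An inbound packet from an ephemeral source port means the remote
    host opened the connection; a reply to us would come from a service port."""
    return entry["direction"] == "in" and entry["src_port"] >= 1024


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_source_network(entries).most_common(3))
    print(count_by_target_port(entries).most_common())
    print("busiest window:", largest_burst(entries))
```

    On this sample the concentration on ports 445, 135 and 139, coming from many different hosts in a single /24 and each from an ephemeral source port, is the pattern of automated scanning by infected machines that share the ISP's address space rather than of one person working by hand; everything was blocked, so the useful steps are the ones the thread already lists: keep those ports closed and hand the log to the provider.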

  9. #9
    Join Date
    Dec 2005

    Default Re: Blocked Intrusions, Same source

    Are there any programs or components with server allowed or set for the Internet Zone? Remove the server rights for the Internet Zone.

    Any Internet Messengers or Google desktop running?

    If so disable these from running with the startup of Windows.


    My Computer > Properties > Remote > Remote Assistance is disabled?

    Also in the Properties of the Network Connections is the File and Printer Sharing unchecked?

    Under the Properties of the Internet Protocol TCP/IP > Advanced > Wins > is the LMHostlookup unchecked and the Disable NetBIOS checked?

    Best regards.

  10. #10
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    These Components have a check mark under Access:

    Windows Genuine Advantage Validation
    Windows Genuine Advantage Validation Library
    Adobe Acrobat IE Helper Version 7.0 for ActiveX
    Macromedia Flash Player 8.0 r22
    Media Catalog Proxy/Stub
    Client Interface
    IOffice Antivirus Module
    Shell Execution Monitor
    Microsoft Office XP component
    Microsoft Update Web Control
    Java(TM) 2 Platform Standard Edition Library
    Windows Update ClientAPI
    Windows AutoUpdate Engine
    Windows Update client proxy stub
    Windows Update client proxy stub 2
    Windows Update Web Control
    zlabscan shell extension

    Generic Host Process for Win32 Services
    C:\Windows\system32\svchost.exe has Access Trusted and Internet, Server Trusted and Internet (I just changed Server Internet to ask)

    Internet Explorer
    C:\Program Files\Internet Explorer\iexplorer.exe
    has Access Trusted and Internet

    LSA Shell (Export Version)
    has Access Trusted and Internet

    Outlook Express
    C:\Program Files\Outlook Express\msimn.exe
    has Access Trusted and Internet

    Run a DLL as an App
    has Access Trusted and Internet

    Services and controller app
    has Access Trusted and Internet

    Spam Filter
    C:\Program Files\Zone Alarm\MailFrontier\manispm.exe
    has Access Trusted and Internet

    Usrenet Logon Application
    has Access Trusted and Internet

    Windows Defender command line utility
    C:\Program files\windows defender\MpCmdRun.exe
    has Access Trusted and Internet

    Windows Explorer
    has Access Trusted and Internet

    Windows Media Player Network Sharing Service
    C:\Program Files\Windows Media Player\wmpnetwk.exe has Access Trusted and Internet

    Windows NT Logon Application
    has Access Trusted and Internet

    Windows NT Session Manager
    has Access Trusted and Internet

    Zone Alarm Updating Client
    has Access Trusted and Internet

    There are no Messenger Services or google desktop running.

    Remote Assistance is not disabled.

    File and Printer sharing is unchecked.

    LMHostlookup is checked, so is Disable NetBIOS.

    Thank You
