Thread: Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

  1. #1
    milo_oshea Guest

    Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

    I am running Windows XP SP3
    Zone Alarm free edition
    Spybot
    SpywareBlaster
    Ad-aware
    AVG8.0 free edition
    IE7.0
    Opera9.2

    My daughter has unintentionally downloaded the tinyproxy\tinyproxy.exe Trojan on to one of our PCs from bebo.

    Either as a result of this or coincidentally, IE7.0 started launching at start-up with Facebook appearing as the home page (it is not our default home page).

    AVG run in safe mode appears to have successfully found and deleted the relevant files.

    We have changed my daughter's password on Facebook.

    When running IE7.0 or Opera9.2, we can now only access the Lloyds Bank website. All others produce error messages. Windows/IE7.0 diagnoses the problem as the following ports being closed:

    HTTP 80
    HTTPS 443
    FTP 21

    Previously there was no problem accessing the internet, but it seems it is impossible to open ports in Zone Alarm free edition, but presumably they were open before.

    Any ideas what the problem is and suggestions for solutions would be very welcome!

    Thanks in advance for any help you can offer.

    Regards,
    Milo

    Operating System: Windows XP Home Edition
    Product Name: ZoneAlarm (Free)

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

    Does the internet connection work properly when the ZA is disabled from starting with Windows and you then immediately reboot to have the setting take effect?

    Have you tried to reset the TCP/IP stack of Windows?
    Use the "netsh int ip reset c:\resetlog.txt" command (do not use the quotation marks!) and then reboot.

    Have you inspected the LSP to see if there are any malware .dll files injected into it?
    Use the "netsh winsock show catalog" command (do not use the quotation marks!).

    Did you clear the ARP cache?
    Use the "netsh interface ip delete arpcache" command (do not use the quotation marks!).

    Have you tried to ping the gateway or router or DHCP server of your provider?
    (Use the "ping" and a space and then the IP, again with no quotation marks.)
    Does the tracert work for an internet server, for example, google.com?
    (Use the "tracert" and then a space and then google.com, again with no quotation marks.)

    Is the Tea Timer of the Spybot disabled?
    This does occasionally conflict with the ZA.

    Is the Windows TCP/IP filtering disabled?
    (1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
    2. Right-click the local area connection that you want to modify, and then click Properties.
    3. On the General tab, in the This connection uses the following items list, click Internet Protocol (TCP/IP), and then click Properties.
    4. Click Advanced, and then click the Options tab.
    5. In the Optional Settings dialog box, click TCP/IP Filtering, and then click the Properties tab.
    6. Click to clear the Enable TCP/IP Filtering (All adapters) check box, and then click OK.)

    When you say open ports, do you mean actual opened ports to allow incoming connections from the internet or do you just mean allowing the outgoing traffic?
    There should be no need to have opened ports in the firewall just to allow an application's outgoing traffic, as this is controlled by the stateful packet inspection per the application's outgoing requests.

    Just a few thoughts.
    Oldsod.
    Best regards.
    oldsod
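
The LSP inspection step in the reply above produces a long listing from netsh winsock show catalog. As an added example (not part of the original thread), this Python script parses a saved copy of that output and lists the entries worth identifying: anything layered, or loading a DLL from outside system32. The sample text and its "Example LSP" entry are constructed, and the field layout is assumed to match what netsh prints on Windows XP.

```python
import ntpath

# Constructed sample in the layout of `netsh winsock show catalog` output,
# trimmed to the fields used here; the "Example LSP" entry is made up.
SAMPLE = r"""
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Protocol Chain Length:              1

Winsock Catalog Provider Entry
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\example\examplelsp.dll
Protocol Chain Length:              2

Name Space Provider Entry
Description:                        Tcpip
Provider Path:                      %SystemRoot%\System32\mswsock.dll
"""

SYSTEM_DIRS = (r"%systemroot%\system32", r"c:\windows\system32")

def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per catalog entry."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Provider Entry"):  # header line starts a new entry
            entries.append({})
            continue
        key, sep, value = line.partition(":")
        if sep and entries and value.strip():
            entries[-1][key.strip()] = value.strip()
    return entries

def entries_to_review(entries):
    """Entries that are layered or whose DLL is not in the system32 folder."""
    flagged = []
    for entry in entries:
        path = entry.get("Provider Path", "")
        layered = entry.get("Protocol Chain Length", "1") != "1"
        if layered or ntpath.dirname(path).lower() not in SYSTEM_DIRS:
            flagged.append((entry.get("Description", "?"), path))
    return flagged

if __name__ == "__main__":
    for description, path in entries_to_review(parse_catalog(SAMPLE)):
        print(f"review: {description} -> {path}")
```

Legitimate security and networking products also install layered providers, so a listed entry is something to identify, not proof of malware.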

  3. #3
    milo_oshea Guest

    Re: Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

    Thanks for the comments, many of which are too technical for me. I'll investigate what I can and consult my local pundits about ones I don't understand if I still haven't solved the problem.
    To show my level of ignorance, e.g. I don't understand what you mean by 'actual opened ports to allow incoming connections from the internet or do you just mean allowing the outgoing traffic'. When I try to access e.g. the BBC website, I receive an error message. In contrast, when I attempt to log on to my bank account, I am able to do so (though I am not choosing to complete the process, given the compromised status of the PC in question).
    Regards,
    Milo

  4. #4
    milo_oshea Guest

    Re: Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

    I've uninstalled ZA, rebooted. No difference.
    Reset TCP/IP stack - no difference.
    Managed to get to LSP catalog - double dutch to me, but nothing obviously to do with tinyproxy etc.
    Pinged my gateway router - appears to connect. LAN works - but I can't log on to the router from either browser, though it is accessible from other computers on the network.
    TCP/IP filtering is disabled.
    Tracert works e.g. to Google.com & Google.co.uk.
    Tracert eventually times out when I try to access Virgin.net - our own ISP.
    Symptoms are all unchanged. Still can't access standard websites from either IE7.0 or Opera9.2.
    Tea Timer not installed - and I have tried disabling Spybot - but previously everything worked fine with Spybot in place.
    Thanks for the help so far.
    Regards,
    Milo

    Message Edited by Milo_Oshea on 11-04-2008 10:36 AM

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Ports that were previously open in Zone Alarm free now apparently closed following trojan attack

    Follow these instructions to the "T":

    http://www.bleepingcomputer.com/forums/topic131299.html

    I think there may be some pieces left over from that trojan that are causing the problem.

    It may even be the AVG causing the problems, although somehow I doubt that.
    Technically if you can tracert and ping, and have https (use secure sites such as logins for banks) and not have any working http (regular outgoing internet to the usual sites), then there is a problem maybe not with Windows, but still with malware.

    I really can't find anything definite on how or what this trojan does or did. Limited results. There could be many things left not checked and the list could be sizeable.

    I would suggest doing a system file check after using the cleanup tool. If the internet still does not work properly, it is possible a few of the Windows files got damaged or deleted.

    http://www.updatexp.com/scannow-sfc.html

    Other than that, if it still does not work properly, I would suggest trying another forum.
    Maybe the AVG or SpyBot forum - if they cannot help you, at the least they may be able to point you in the right direction for help.
    It is very possible the good people at the bleepingcomputer.com forum may be of assistance - with a posted hjt log to check for any other malware on the computer and with the partial loss of the internet access.

    Please refer the bleepingcomputer people to this thread when you post there. They will be able to see what has been done/tried and what still needs to be done.
    It will save you and them both time and effort.
    Oldsod.

    Message Edited by Oldsod on 11-04-2008 03:56 PM
    Best regards.
    oldsod
