
Thread: Was my system compromised?

  1. #1
    mcman Guest

    Was my system compromised?

    Dear community,

    Three days ago, I had an issue that may be a security breach, but I am not sure, so I would like to ask for your help to find out.

    When I was shutting down my computer and closing programs from the task bar, all of a sudden numerous windows popped up (at least 30 or so). Most of them seemed to be all kinds of instances of communication programs that I have in the task bar tray (although I did not click anything there), but some had unfamiliar names. Zone Alarm brought up one of those red alert messages stating that a VPN connection was now ready for use. The message apparently gave me two options to choose from and a button to press, but the message itself was blank, so I could not see what the options were and therefore didn't press anything. To my knowledge, I do not use VPN (this is my home computer). Also at the same time, my CPU was running at 100% and the process accounting for that CPU usage was "hpqtra08.exe", which should be just a process for my printer. My first instinct was to disconnect the router to kill my internet connection and having done that, I shut down all running processes by rebooting.

    In my Zone Alarm log, for Alert Type OS Firewall I found several messages that said "Windows Explorer was prevented from changing the behavior of ZoneAlarm Security Suite by modifying the file: ZLDIR*". Also, the next day I again had numerous windows pop up when I was just clicking something on the task bar (just a normal left click on a legitimate open program), but this time no mention of a VPN connection.

    Now, I'm confused about whether somebody compromised my system and if so, whether he's still on there. What can I do to find out? I could post the hijackthis log, but I was concerned the post would get too long.


    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    zaswing Guest

    Re: Was my system compromised?

    Ignore this one: "Windows Explorer was prevented from changing the behavior of ZoneAlarm Security Suite by modifying the file: ZLDIR*". Any Windows Explorer look at a directory ZA uses is viewed with suspicion, as ZA protects itself as much as it can. Though the possibility of Explorer being compromised is always there, unfortunately.

    hpqtra08.exe in your first paragraph is HP imaging. If you have an HP computer or printer or scanner, it's likely OK, though you may want to scan that file using ZA and perhaps something like the free a-squared: download, install, update and run a scan.

    VPN - I have no clue. Sounds suspicious to me.

    How about you run HijackThis and post the log at bleepingcomputer or spywarehammer in case it's malware. Read the instructions carefully before running HJT.

    Any questionable ZAlog entries besides the HP thing? Post several here, perhaps someone will know how to react.

  3. #3
    mcman Guest

    Re: Was my system compromised?

    I posted the HJT log to I can't see any other entries in the ZA log that are not directly related to programs that I'm using. Are there any other ways I could find out if somebody is listening to what I'm doing?


  4. #4
    zaswing Guest

    Re: Was my system compromised?

    Well, for starters, a disclaimer - I'm not qualified to deal with possible malware diagnosis, just so you understand.

    As far as watching what's connected or listening, there is TCP/View, a tiny, useful utility that needs no installation, doesn't interfere, just displays things.

    It'll show you what you're connected to (Established) and what's LISTENING.
    If you're connected to a lot of places at one time you will get a lot of IPs to sift through, and it might be rough to correlate them to the programs you use. That VPN thing: it might be just a legitimate connection one of the programs you run uses, or even the ZA update uses VPN for a bit. Oh, don't change anything in your system now that you've posted the HJT log at bleepingcomputer. It's OK to run TCP/View though.

    What did the ZA log show regarding VPN?
    Sounds to me like you got some popups acquired perhaps through IE on some bad site?

  5. #5
    mcman Guest

    Re: Was my system compromised?

    Thanks for working with me on this, zaswing. The ZA log showed nothing regarding VPN. It appeared as one of those popup bubbles that ZA has when it asks you whether or not to allow a program or something similar. And it had a red frame around it. I don't think it's popups through IE. The multiple windows that popped up were instances of MSN Messenger, Skype, Logitech Quickcam, Cisco Clean Access Agent and some other programs in my task bar tray. I hadn't clicked any of them though. Some windows had unfamiliar names, but I don't remember them. They didn't show anything though.

    The TCPView utility shows one established connection by MSN messenger (which I have running) and three processes that are listening:

    svchost.exe:1876 TCP mycomputer:2869 mycomputer:0

    System:4 TCP mycomputer:0

    System:4 TCP mycomputer:microsoft-ds mycomputer:0

    In the above, I replaced the name of my city with XYZ. Do these look okay to you?
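    As an added example (not code from the thread or from TCPView), a small Python triage helper that parses TCPView-style lines like the ones above and separates listeners that are normal on a default Windows XP install (UPnP Device Host on 2869 under svchost.exe, SMB on microsoft-ds/445 under System) from ones worth checking or confirming. The EXPECTED_LISTENERS table, the process names and the sample lines beyond the poster's two are constructed assumptions.

```python
import re

# Hypothetical triage helper (not a tool from the thread): parses TCPView-style
# "process:pid proto local remote [state]" lines and flags listeners that are
# not a well-known Windows XP service/process pair.
LINE_RE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>[^:\s]+):(?P<lport>\S+)"
    r"(?:\s+(?P<rhost>[^:\s]+):(?P<rport>\S+))?(?:\s+(?P<state>[A-Z_]+))?$"
)

# (local port or service name, owning process) -> what it normally is on XP.
EXPECTED_LISTENERS = {
    ("2869", "svchost.exe"): "UPnP Device Host / SSDP",
    ("microsoft-ds", "system"): "SMB over TCP (port 445)",
    ("netbios-ssn", "system"): "NetBIOS session service (port 139)",
    ("epmap", "svchost.exe"): "RPC endpoint mapper (port 135)",
}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rhost, rport = m.group("rhost"), m.group("rport")
    remote = f"{rhost}:{rport}" if rhost and rport != "0" else None  # "host:0" = no peer
    return {
        "proc": m.group("proc"), "pid": int(m.group("pid")), "proto": m.group("proto"),
        "lport": m.group("lport"), "remote": remote,
        "state": m.group("state") or ("LISTENING" if remote is None else "UNKNOWN"),
    }

def triage(line):
    """Classify one line as expected / established / review / unparsed."""
    s = parse_line(line)
    if s is None:
        return "unparsed"
    if s["state"] == "ESTABLISHED":
        return f"established: {s['proc']} -> {s['remote']} (confirm you run this program)"
    key = (s["lport"], s["proc"].lower())
    if key in EXPECTED_LISTENERS:
        return f"expected: {EXPECTED_LISTENERS[key]}"
    return f"review: {s['proc']} (pid {s['pid']}) listening on {s['proto']} port {s['lport']}"

def triage_listing(text):
    return [triage(ln) for ln in text.splitlines() if ln.strip()]

# Constructed sample: the poster's two listeners plus one established peer and one unexplained listener.
SAMPLE = """svchost.exe:1876 TCP mycomputer:2869 mycomputer:0
System:4 TCP mycomputer:microsoft-ds mycomputer:0
msnmsgr.exe:2240 TCP mycomputer:1045 203.0.113.10:1863 ESTABLISHED
example.exe:3120 TCP mycomputer:50505 mycomputer:0 LISTENING"""
```

Anything that comes back as "review" is a process you should be able to name; anything "established" should match a program you know is running.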

  6. #6
    naivemelody Guest

    Re: Was my system compromised - probably not

    You mention Cisco Clean Access Agents ~VPN - click here >
    (this is probably giving the VPN message)

    This application, in conjunction with both a Clean Access server and a Clean Access Manager, has become quite common in many universities and corporate environments today. It is capable of managing wired networks in an in-band or out-of-band configuration mode, or Wi-Fi and Virtual Private networks (VPN) in an in-band only configuration mode.

    Your other programs: MSN Messenger, Skype, Logitech Quickcam < these are programs that usually require server rights and "are constantly" trying to access the net, and during PC shutdowns will/are still trying to connect/ping out. (My personal note: when I had MSN Live Messenger, this program added lots of files and was always pinging out to the net. What I do when I'm not using these types of programs is to "reduce the access levels" in ZA Program Control, to kinda "shut them up." Of course when I am using these IM programs, I do have to remember to increase their 'access/server rights'.)

    So finally, in the end, your original suspicions 'appear to be benign.'
    For all of the IMs - Skype, Messenger, Logitech cam - there are options/settings/preferences where you 'either open yourself or you can reduce your open profile'; that will be up to you. Whenever there is a ZA pop-up with a name/program/file, google it, search it. If you're a new ZA Suite user you may want to leave the ZA Program Control level at "Medium/Auto-Learn" for a while, while you use your most common programs; this will "reduce the number of ZA Alerts."
