
Thread: Under spy site attack (?)

  1. #1
    ems Guest

    Under spy site attack (?)



    In ZoneAlarm Security Suite 7.0.483, since I could not get any of the newer versions (V8 and Extreme) to work.

    OK,

    While testing a site which had sent spam / scam to a friend, ZoneAlarm blocked an attempt to install a spy program or whatever. In the system tray alert I got a fast message telling me that. The message was so fast that I could hardly read it anyway. The spy site blocking alerts logged the site twice and I got the corresponding IP via the lookup facility of ZA at the Firewall/Zones section. The IP returned by the lookup is 195.78.228.204. I set this IP in the blocked zone.

    I ran the ZASS spyware and antivirus facilities and got nothing (everything apparently clean). Then I ran tfsbl.exe (rootkit detector and eraser): nothing found; everything clean. In the meantime ProcessGuard was also running, which, supposedly, prevents any installation of rootkits and drivers and also prevents any modification of any program. I finally ran sfc /scannow to restore the original XP-SP3 Windows protected files.

    But today, I discovered in the ZASS Alert & Logs / Log viewer several outgoing connection attempts by Firefox, Outlook and Mantispm.exe to the IP 195.78.228.204:53, blocked by ZASS. Since I clean the logs every 48 hours, I could only find attempts from yesterday (May 27) and today (May 28). Thirty (30) attempts in total.

    This time I also put the IPs in my hardware firewall (router).

    Again, I ran the ZA Spyware today and nothing was detected.

    Moreover, right now the ZASS spy blocker has logged another two attempts on my system from two differently named sites, but with the same IP (89.17.220.221). Again I have put both, names and IPs, in the ZA blocked zone and in the hardware firewall (router).

    After this, I downloaded the Trojan Hunter trial version. Trojan Hunter has detected several versions of (Agent.2008) in different locations, which might be false positives (?). The THunter report was:

    Found trojan file: C:\hp\bin\AUTOTKIT.EXE (Agent.2088)

    Found trojan file: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe (Agent.2088)

    Found trojan file: C:\hp\EXPLOREBAR\AUTOTKIT.EXE (Agent.2088)

    Found trojan file: C:\Program Files\RBW Platinum And Butterfly Desktop\MouseHook.dll (TrojanDownloader.Agent.3105)

    How many of these are known to be false positives in TH, since ZASS does not detect them?

    So, my questions are:

    What could be going on?

    Any free trojan cleaner?

    By the way, I am still on ZASS v7 since I could not upgrade to Extreme even though I have 150 days of extended download left. As soon as I try to upgrade, my system freezes, and I have tried more than twenty times with both version 8 and v8 Extreme. And I followed everything advised in the forum, but no way. Is there anything new to let me upgrade?

    (Sorry for so many edits; I did not want to lose the connection, and I have sent the message several times while trying to explain the situation as clearly as possible. I beg your pardon.)

    Regards

    ems

    Message Edited by ems on 05-28-2009 05:54 AM


  2. #2
    ems Guest

    Re: Under spy site attack (?)



    Hi,

    After my first post above I have been following the issue and got something which seems rare (to me).

    The program alerts have logged several outgoing attempts as follows:

    ZLClient has been blocked from connecting to 209.85.229.100:53 (This is what puzzles me most)
    Iexplore has been blocked from connecting to 209.85.229.100:80
    Firefox has been blocked from connecting to 209.85.227.113:53
    Firefox has been blocked from connecting to 209.85.229.100:53

    Any help will be really welcome

    Ems

    Adding more info: I have reviewed the log file of May 26 and found several (outgoing) connection attempts to 195.78.228.204, the spying site supposedly intercepted by ZASS. These outgoing connections were blocked without any intervention on my part, which seems to mean that ZASS took care of the event from the beginning and recorded the offending IP, and now it is blocking the connections to it (in any case the hardware firewall is also alert. Good). But it tells me that the nasty thing is in my computer and neither the antivirus nor the antispyware can detect it.


    So, please, what to do?


    Message Edited by ems on 05-28-2009 10:28 AM


  3. #3
    Charles_B Guest

    Re: Under spy site attack (?)

