
Thread: ZAP false positive security warnings

  1. #1
    bohemian_one Guest

    ZAP false positive security warnings

    For 3 months ZAP has logged blocked outbound connection attempts to reach a malware site, syssecuritypage.com. My machine was running 6.1.744.001 when this started, I updated to 6.5.737.000 and it continued.

    Yesterday I performed a low level reformat of my disc drive, reloaded XP Pro and downloaded a fresh copy of 6.5.737.000. Now ZAP is telling me msimn.exe (O.E.) is attempting to reach syssecuritypage.com. I ran msimn.exe through the on-line virus scan at virustotal.com, it was clean. Before the reinstall ZAP warned that Internet Explorer, Firefox, explorer.exe and winlogon.exe were attempting to reach syssecuritypage.

    I've run security scans with ZAP anti-spyware, NOD32, Spysweeper, Trojan Hunter, Spybot and Ad Aware. Before reloading my OS I additionally ran scans with hijackthis, several rootkit, SmitFraud, Vundo and other detection software packages. All scans were negative.

    Syssecuritypage is one of the Smit Fraud Trojans, see http://www.virusvault.co.uk/fusionbb...ic.php?tid/81/ . I ran SmitFraudFix, a tool developed to detect and remove this pest, nothing was found.

    The wipe and new OS install should have removed all malware. Now I suspect ZAP may be recording false positives, as I've not seen any of the behavior of a SmitFraud infection: pop-ups warning that a PC is infected and advice to download their security software to remove the pests.

    I need to find out whether ZAP is recording false positives and how to either stop the warnings or find out why they are occurring. I'd appreciate any help you could provide.

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.5

  2. #2
    Join Date: Dec 2002 | Location: Mikado Michigan | Posts: 2,596

    Re: ZAP false positive security warnings

    After your system was fixed, did you turn off system restore and then reboot and turn it back on? Did you change your homepage? Also you may want to go to http://forum.malwareremoval.com/view...07f3b8314034af and get some help in making sure all evidence of the Trojan is gone.
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families

  3. #3
    bohemian_one Guest

    Re: ZAP false positive security warnings

    Hoov,

    Yes, after I reinstalled XP from scratch System Restore was turned off and emptied. I have been working with people at a malware web site and locally for 2 months trying to track down this pest. What I would like to learn from Zone Labs is how to gather additional information about ZAP's Alert Log entries. The ones I have questions about offer little info and nothing from the web, only "Your computer was restricted from connecting to a restricted site," an IP address and port. The site is one I manually blocked in the firewall tab in ZAP.

    I've written ZAP tech support two times asking for info, either I get canned responses which are useless or no response at all.

    I've discovered ZAP giving false positive warnings, last week it warned that a utility was adding three well known rootkit keys to the registry which simply was not true. The internal ZAP reference database has incorrect information. I need to find out if ZAP is misinterpreting what it is detecting and giving false warnings.

    One of three possible scenarios:

    1.) ZAP false positive?
    2.) Injected .DLL malware?
    3.) Boot sector malware that can survive a low level format?

    I wish Zone Lab's tech support would get their act together.

  4. #4

    Re: ZAP false positive security warnings

    Well, if you low-level format a hard drive most things would get wiped out. The CA signatures used by ZA aren't exactly free of false positives.

  5. #5
    Join Date: Dec 2002 | Location: Mikado Michigan | Posts: 2,596

    Re: ZAP false positive security warnings

    While it is possible that ZoneAlarm is giving a false positive, I find it strange that it's only happening to you. That said, you mention rootkit. I know rootkits can be very hard to ferret out. Low Level formats are not the fix they once used to be. I do know something about rootkits, and I know that I know enough to just be dangerous. Try going to http://www.castlecops.com/f233-Rootkit_Revelations.html and work with the folks there on seeing if you have a rootkit (which is possible). The Castlecops staff that work that board have just spent the last 7 months or so doing research into rootkits and tools, and they would be able to better help you to make sure you don't have a rootkit. Go over there and let them know who helped you remove all your malware, and that you either have a rootkit, or something that is causing false positives pointing to a rootkit. The reason I am asking you to do this is, if you have a rootkit, then nothing we do here will help you. If you are free of rootkits, then we will have to dig further.

  6. #6
    bohemian_one Guest

    Re: ZAP false positive security warnings

    Hoov,

    I've been working with the experts at Castle Cops for two months. I've run all sorts of security scans, rootkits and otherwise, without finding the mystery lurking malware (MLM.) We've narrowed it down to the three options mentioned in my last post, 1.) ZAP false positives, 2.) DLL injection 3.) Boot sector malware that can survive a low level format.

    Before I purchase new disc drives and discard years of data, I'd like to get a better response from Zone Labs about the warnings ZAP is raising. ZAP's firewall tab IP lookup has now given syssecuritypage.com a new IP address, 209.85.51.157, that the Castle Cops folks are questioning.

    I know you've been a guru for a long time, could you please contact your Zone Lab's sources and gather additional info for me? Perhaps how to create expert rules to log blocked attempts to the blocked site?

    I ran Microsoft's Port Reporter software, that verified the outgoing connection attempts but it wasn't able to identify the local originating file. The MLM has used winlogon.exe, explorer, I.E., Firefox and recently O.E.; it's like a flea, hopping from host to host. We haven't been able to track down the local originating source.

    I'm not a computer newbie either; was writing mainframe assembly code 30 years ago.

    How about some real assistance from Zone Labs?

    Thanks.

    Dylan

  7. #7
    Join Date: Dec 2002 | Location: Mikado Michigan | Posts: 2,596

    Re: ZAP false positive security warnings

    I will see if I can get you some help. I just found your thread over there. A few more questions. Have you tried resetting the ZA settings database? Also, if your computer fails to connect to the site, does it continue to try? Or is it one time only?

  8. #8
    bohemian_one Guest

    Re: ZAP false positive security warnings

    After reading my Castle Cops thread, I trust you understand the effort that has gone into tracking down this malware.

    Yes, I have reset ZAP's database files more than once, performed a clean switch uninstall two times and migrated from version 6.1.744.001 to version 6.5.737.000.

    The outbound blocked connection frequency varies, usually bursts of 5 pings each time; some days nothing, other days one, two, five, 20+. The time of day is usually at random although for ~7 days it was each hour on the hour, to the second. Since the system wipe 3 days ago, msimn.exe (Outlook Express) was blocked two times and today Firefox was blocked once. These executables have been run through on-line virus checkers and their properties are correct. The hidden malware is hijacking legitimate system files to execute the outbound 5 ping bursts, but hiding elsewhere. For the first ~6 weeks, it only used winlogon.exe, then explorer.exe, then the browsers and finally O.E., which I normally do not use.

    Please note that when I last performed a clean switch reinstall of 6.5.737.000, something on my system changed and ZAP logged thousands of blocked svchost loopbacks to my local machine. I had been manipulating the Hosts file, adding 127.0.0.1 malware website entries; although the file's contents looked ok, I reset it using a Castle Cops utility and the blocked loopbacks disappeared. I don't know whether the ZAP install or the malware caused the problem.
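The poster's first question in this thread was how to get more out of the firewall's alert log than an IP and a port, and the post above gives the pattern worth checking for: which image names were blocked, whether the blocks come in bursts of five, and whether they land exactly on the hour. The script below is an added example written for this thread; it is not ZoneAlarm's code and the one-line log layout it parses is a constructed, hypothetical format (adjust `LINE_RE` for the real alert export). The sample lines and the 203.0.113.5 destination are constructed documentation values, not indicators from the thread.

```python
"""Summarize blocked outbound firewall alerts by originating process and
look for burst and on-the-hour timing patterns.

Added example for the thread; the log format is hypothetical, not ZoneAlarm's.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. 203.0.113.5 is a documentation address standing
# in for the blocked site; ALLOW lines are present to show they are skipped.
SAMPLE_LOG = """\
2006-11-03 09:00:00 BLOCK OUT winlogon.exe 192.0.2.10:1043 -> 203.0.113.5:80
2006-11-03 09:00:01 BLOCK OUT winlogon.exe 192.0.2.10:1044 -> 203.0.113.5:80
2006-11-03 09:00:02 BLOCK OUT winlogon.exe 192.0.2.10:1045 -> 203.0.113.5:80
2006-11-03 09:00:03 BLOCK OUT winlogon.exe 192.0.2.10:1046 -> 203.0.113.5:80
2006-11-03 09:00:04 BLOCK OUT winlogon.exe 192.0.2.10:1047 -> 203.0.113.5:80
2006-11-03 10:00:00 BLOCK OUT winlogon.exe 192.0.2.10:1052 -> 203.0.113.5:80
2006-11-03 13:17:42 BLOCK OUT explorer.exe 192.0.2.10:1101 -> 203.0.113.5:80
2006-11-03 15:42:09 ALLOW OUT firefox.exe 192.0.2.10:1130 -> 198.51.100.7:443
2006-11-04 11:23:51 BLOCK OUT firefox.exe 192.0.2.10:1204 -> 203.0.113.5:80
"""

# Hypothetical one-line layout: timestamp, verdict, direction, image, src -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) BLOCK OUT (?P<proc>\S+) "
    r"(?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_alerts(text):
    """Return blocked-outbound events, oldest first; non-matching lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proc": m["proc"].lower(),
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    return sorted(alerts, key=lambda a: a["ts"])


def attempts_by_process(alerts):
    """Count blocked attempts per image name (the 'host hopping' the poster sees)."""
    return dict(Counter(a["proc"] for a in alerts))


def find_bursts(alerts, window_seconds=10, min_size=5):
    """Runs of at least min_size alerts from one process within window_seconds
    of the run's first alert; returns (process, start_iso, count) tuples."""
    window = timedelta(seconds=window_seconds)
    bursts, run = [], []
    for a in alerts:
        if run and a["proc"] == run[0]["proc"] and a["ts"] - run[0]["ts"] <= window:
            run.append(a)
            continue
        if len(run) >= min_size:
            bursts.append((run[0]["proc"], run[0]["ts"].isoformat(), len(run)))
        run = [a]
    if len(run) >= min_size:
        bursts.append((run[0]["proc"], run[0]["ts"].isoformat(), len(run)))
    return bursts


def on_the_hour(alerts):
    """Timestamps that fall exactly on an hour boundary, a scheduler-like sign."""
    return [a["ts"].isoformat() for a in alerts
            if a["ts"].minute == 0 and a["ts"].second == 0]


def summarize(text):
    """One report over a raw log export."""
    alerts = parse_alerts(text)
    return {
        "by_process": attempts_by_process(alerts),
        "bursts": find_bursts(alerts),
        "on_the_hour": on_the_hour(alerts),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run it against a real export after rewriting `LINE_RE`; a burst of five from one image at the top of the hour, repeated across days, points at a scheduled trigger rather than a user action, and the per-process table is what to take to Process Explorer to see which thread inside that image owns the socket.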

  9. #9
    Join Date: Dec 2002 | Location: Mikado Michigan | Posts: 2,596

    Re: ZAP false positive security warnings

    You may have gotten the impression that I have made it all the way through your other thread; I haven't, but I am working on it. After reading the first couple pages, something started nagging at me, and I went back and reread it a couple times before I figured out what was bothering me. You said:

    "Looking through my Zone Alarm log, I've noticed that for the last eight days, windows/system32/winlogon.exe has attempted to connect to www. syssecuritypage. net, a known spyware site."

    Let me know if you have done this, but have you used Process Explorer to look at all that is using Winlogon? Even in a normally operating system, there are many entries shown in Process Explorer that are using winlogon. One of them could be the cause of the problem. Process Explorer is available at http://www.sysinternals.com/Utilitie...sExplorer.html The new version will even let you know if that process is using TCP/IP and what IP it's contacting.

  10. #10
    bohemian_one Guest

    Re: ZAP false positive security warnings

    Hoov,

    Yes, I've used Process Explorer and other similar utilities suggested by Castle Cops; excluding the logs I posted, look at pages ~8 to 14 on the other process / scan software. The problem we've been facing is that nothing unusual is showing up. In specific answer to your question, nothing unusual was using winlogon. Nothing unusual was using explorer, I.E., Firefox and O.E.; I posted logs and nothing was found. I ran ~50 /windows system files through on-line virus / malware scanners, all clean.

    Injected DLLs have been suggested, hiding themselves inside system files and undetectable by all the scans we've thrown at them. The low level format and OS reinstall is puzzling; except for rare boot sector viruses, nothing escapes the total wipe. Which leads me to question the accuracy of ZAP's warnings.

    Either I find the malware or discard my disc drives and start over again.
