
Thread: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

  1. #1
    bthere Guest

    Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    Background: I've been using ZoneAlarm Pro since at least v4.5 (if not earlier)... not a newbie. I currently have 7.0.483, on a Windows XP/SP2 machine, along with Norton AntiVirus (2008, since newer revs don't co-exist with ZAPro), but all NAV definitions are up-to-date, and this is NAV-only, not one of the "suite" products, and the built-in firewall is disabled so as not to conflict with ZAPro.

    I also run Windows Update regularly, particularly in the few days after each month's Patch Tuesday.

    The problem began when I noticed pop-unders of the home page for an affiliated web site, for a site I stumbled across while surfing. It's literally been years since I saw an unexpected pop-up (never mind pop-under) with the combination of ZAPro and NAV. At first I thought it was just benign cross-site marketing (since the two sites ARE affiliated).

    Then I noticed overall slower performance, started looking closely at the ZA logs, and I noticed there were a lot of connections being made to other IP addresses, with no apparent good reason. The vast majority were being made by winlogon.exe ... so I tweaked its out-of-the-box ZAPro configuration to give me an Alert every time it connected to a new address. (I went to ZA Program Control for the Windows NT Logon Application (aka winlogon.exe), and added an Expert rule that Allows, with an alert and a log entry, connections to the Internet and Trusted zones using any protocol at any time, just so I can see 'who' it's talking to.)

    Most of the addresses/URLs are unfamiliar. I tried blocking some, but that didn't stop it from reaching out to others.

    Sounds like my machine has been turned into a bot! Perhaps with a bogus "winlogon.exe"? There are a total of a half-dozen copies on my disk, all of various (but close) sizes and dates; 3 of them share the same version ID (5.1.2600.2180) and size, but one of those has different dates, as do all the other 3. None has a modified or created date within the past year. (Earlier today, I thought I had located another copy in \PreFetch with a very-recent modified date, but it's not there now. I don't understand the Windows \PreFetch mechanism; would this be a plausible "attack vector" for a bogus winlogon.exe?)

    I have done full spyware scans using ZoneAlarm (which, ONLY by using a Full-System scan, found 5 alleged Trojans which I quarantined... but none of those were in winlogon.exe). Subsequent research via Google indicates that at least a couple of those 5 are false-positives... and unfortunately, the quarantine does not display where the files were originally located. In any event, the winlogon outreaches are still continuing, so quarantining those 5 didn't solve the problem.

    Similarly, I did full updates and scans with Norton AV, which found nothing. I will try some other spyware scanners (e.g. AdAware Free) shortly.

    What else can I/should I do??? I don't like the idea that my machine may be being used to infect others, and nothing is detecting the infection. What malware solutions would be good to investigate?

    Timeline: Noticed the pop-unders about a week ago. Identified (and enabled alert/logs for) the winlogon.exe activity in the past two days.
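
The post above compares the half-dozen winlogon.exe copies by size, version ID and dates. Content hashes settle that question directly: two copies with identical bytes hash identically whatever their timestamps, and a copy that merely matches in size does not. The script below is an added example, not code from the thread or from any of the products named; it walks a directory tree for every file with a given name, hashes each one and groups the paths by SHA-256. The `demo()` function builds a constructed temporary tree (standing in for the system drive) with two identical copies and one same-sized copy that differs by a single byte.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(root, filename):
    """Walk `root` and return one record per file named `filename`
    (case-insensitive, as NTFS is), with size, mtime and SHA-256."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == filename.lower():
                p = os.path.join(dirpath, f)
                st = os.stat(p)
                records.append({"path": p, "size": st.st_size,
                                "mtime": st.st_mtime,
                                "sha256": sha256_of(p)})
    return records

def group_by_hash(records):
    """Identical content hashes identically regardless of dates, so this
    separates true duplicates from copies that merely share a size."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["path"])
    return dict(groups)

def demo():
    # Constructed sample tree (example only); paths mimic an XP layout.
    root = tempfile.mkdtemp()
    layout = {"WINDOWS/system32/winlogon.exe": b"A" * 1024,
              "WINDOWS/ServicePackFiles/i386/winlogon.exe": b"A" * 1024,
              "WINDOWS/system32/dllcache/winlogon.exe": b"A" * 1023 + b"B"}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    try:
        return group_by_hash(find_copies(root, "winlogon.exe"))
    finally:
        shutil.rmtree(root)
```

A hash group of one, with a recent mtime and a path outside the usual system locations, is the copy worth comparing against a known-good file from install media or a trusted machine.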

  2. #2
    bthere Guest

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    Another detail: Most of the spurious connections are targeting port 53 (DNS) although a lot are on 80 (HTTP) as well.

  3. #3
    fax (Join Date: Nov 2004, Location: localhost, Posts: 17,284)

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    Hi!
    Have your system cleaned by experts at spywarehammer.com or bleepingcomputer.com. See here for the links:

    http://forums.zonealarm.com/showthread.php?t=70448

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  4. #4
    Saltgrass Guest

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    You might watch task manager to see if you can connect the internet activity with some process. Click the CPU to put the highest usage at the top. When you think you see one, click on it so you can follow.

    Process Explorer is a more detailed version of Task Manager if you want to try that. Download it from Microsoft.

  5. #5
    bthere Guest

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    > You might watch task manager ...

    That's how I identified winlogon.exe as a suspect. (Although since it's a system program which hasn't changed... I expect that something else is using winlogon.exe as its agent.)

    Probably the "bad guy" is simply opening a network connection, which gets winlogon involved ... although that's an educated guess.

    Is there a way to figure out what program/process is opening the connection?

    (I also ran the Oct 2009 Microsoft Malicious Software Removal Tool in "full" mode... it ran for about 5 hours and found nothing.)
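
Post #4 suggests watching Task Manager, and post #5 asks how to tie a connection back to the process that opened it. On XP the owning PID is already available: `netstat -ano` lists every socket with its PID, and `tasklist /fo csv` maps PIDs to image names. The script below is an added example, not code from the thread or from ZoneAlarm or Norton; it joins the two outputs and counts remote ports per process, so a system process that should not be reaching out (winlogon.exe here, on ports 53 and 80 as post #2 reports) stands out. The two sample outputs are constructed to match the real command formats.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample output of `netstat -ano` (not from the thread).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1043       203.0.113.10:53        ESTABLISHED     632
  TCP    192.168.1.5:1044       203.0.113.11:80        ESTABLISHED     632
  TCP    192.168.1.5:1045       203.0.113.12:53        ESTABLISHED     632
  TCP    192.168.1.5:1050       198.51.100.7:443       ESTABLISHED     1880
  UDP    192.168.1.5:1046       *:*                                    632
"""

# Constructed sample output of `tasklist /fo csv` (not from the thread).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"winlogon.exe","632","Console","0","4,100 K"
"firefox.exe","1880","Console","0","61,220 K"
'''

def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def parse_netstat(text):
    """Yield (proto, remote_host, remote_port, pid) per socket line.
    UDP sockets bound to *:* have no remote endpoint and no State column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, foreign, pid = parts[0], parts[2], int(parts[-1])
        host, _, port = foreign.rpartition(":")
        yield proto, host, (int(port) if port.isdigit() else None), pid

def connections_by_process(netstat_text, tasklist_csv):
    """Return {image name: Counter of remote ports}; a PID with no
    tasklist entry (process exited between the two snapshots) is kept
    under a 'pid N' key rather than dropped."""
    names = parse_tasklist(tasklist_csv)
    result = defaultdict(Counter)
    for proto, host, port, pid in parse_netstat(netstat_text):
        if port is None:
            continue  # unconnected UDP socket, nothing remote to report
        result[names.get(pid, f"pid {pid}")][port] += 1
    return dict(result)
```

Take both snapshots back to back, since PIDs are only meaningful while the process is alive; a process name that should never appear with remote ports is the one to inspect further with Process Explorer.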

  6. #6
    bthere Guest

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    Quote Originally Posted by fax:
    > Hi!
    > Have your system cleaned by experts at spywarehammer.com or bleepingcomputer.com. See here for the links:
    >
    > http://forums.zonealarm.com/showthread.php?t=70448
    >
    > Cheers,
    > Fax
    Thanks, some questions...

    Why disable system restore? (perhaps to keep from saving a restore-point that incorporates this temporary configuration?)

    Why safe mode with networking? (why not just-plain safe mode, unplugged from the network? That would be my inclination)

    Is there a summary somewhere of why this requires V9? Based on recent-past ZoneAlarm upgrade experiences ... particularly 5.5 to 6, and 6 to 7 ... I'm VERY VERY hesitant to upgrade without allowing LOTS AND LOTS of time to do it and to wrangle with side-effects.

    Is a 7-to-9 direct upgrade possible, or do I need to go to 8 along the way?

  7. #7
    fax (Join Date: Nov 2004, Location: localhost, Posts: 17,284)

    Re: Trojan/bot got past ZoneAlarmPro + NortonAV; help!

    Quote Originally Posted by bthere:
    > Thanks, some questions...
    >
    > Why disable system restore? (perhaps to keep from saving a restore-point that incorporates this temporary configuration?)
    >
    > Why safe mode with networking? (why not just-plain safe mode, unplugged from the network? That would be my inclination)
    >
    > Is there a summary somewhere of why this requires V9? Based on recent-past ZoneAlarm upgrade experiences ... particularly 5.5 to 6, and 6 to 7 ... I'm VERY VERY hesitant to upgrade without allowing LOTS AND LOTS of time to do it and to wrangle with side-effects.
    >
    > Is a 7-to-9 direct upgrade possible, or do I need to go to 8 along the way?
    Just skip everything and have your system checked by malware experts, last point. That was the purpose of the link!

    Fax

