Results 1 to 10 of 10

Thread: Rat... Rat... Rat...ZA Free version on Windows 8

  1. #1
    Join Date
    Aug 2013
    Posts
    5

    Default Rat... Rat... Rat... ZA Free version on Windows 8

    We have a 64bit Windows 8 system running ZoneAlarm (free version) that's suddenly showing a ZoneAlarm dialog consisting of a series of single digit numbers in circles (0 to 6) followed by the text "rat... rat... rat..." (there are more of these)

    Hovering the mouse over each "rat..." or circled number produces a tooltip with the text "Rating".

    There is one button at bottom center labeled "Close".

    Any ideas what this might be?

    I recently successfully ran DISM followed by SFC to clean up corruption of system files, if that has any relevance.

    Snc11476mini.jpg

    ZoneAlarm version number is 11.0.768.000. To the best of my knowledge all patches have been applied to Win8.

    I have searched online for the string "rat... etc" and come up empty. If (big IF) this is an attempted exploit of the free version, the paid version may have the same vulnerability.

    ==============

    It's possible this is a spoofed dialog, designed to look like a genuine ZoneAlarm object. It may be the result of injected code, inserted into a valid web page or piece of online software (from Facebook or online merchant such as Vons/Pavilions).

    It's possible that clicking on either the "Close" button or the "close window" (x) / pressing Alt-F4 will cause attached code to execute, installing malware (possibly a remote access trojan or RAT).

    In the past, to dump such an exploit all you had to do was to go into Task Manager, find the offending browser process/page and stop the process, and then immediately reboot to clear anything that might be lingering in memory.

    I've read that there are exploits that can circumvent even this action, so for now I still have the dialog visible while I try to get more information.

    If anyone from ZoneAlarm/Checkpoint is reading this, it would be helpful to know whether there is ANY circumstance under which this dialog could legitimately be produced. I'd be surprised if it could, but you never know - a Summer intern with a warped sense of humor could have added it (worse things have happened).

    Since this is Windows 8, the usual paths to a solution are either masked or missing (thanks, Microsoft!) and while I'd be comfortable hacking Windows XP (which is running on the second system I have, which is NOT currently suffering the same problem, and which I am using to make these requests for help), Windows 8 is a bridge too far.

    The circled numbers (0 to 6) are a puzzle too.

    Since this is the free version of ZA I understand that ZA don't offer support (although I'd like to know why, since it's leaving a gaping hole in security that isn't presumably being investigated and therefore could affect the paid version) but it would help tremendously if I knew that this is a known issue, and even more so, how I can ensure the Windows 8 system doesn't end up being compromised (and in the process, losing us the contents of our bank accounts if the RAT grabs access credentials when we conduct online banking).

    I continue to search for anyone else reporting this "rat... rat... rat... rat... " dialog and I'll provide any useful info here should anyone else hit the same problem.

    This may be a "zero day" exploit, in which case it's all the more important to help me get it resolved.

    ==============

    Examining (carefully) the dialog reveals that the Close button does not exhibit normal behavior. Moving the cursor over the control does not cause the arrow cursor to change to a pointing finger, nor does the command button control exhibit dotted line highlights as a result of tabbing from one control to another (in fact, tabbing between controls does not work). Right clicking in the dialog window produces nothing. Moving the cursor over the close control (x) produces a color change that seems slightly off. Right clicking in the top left corner of the window elicits a pop-up with only two options: "Move", and "x Close Alt-F4", arranged in the wrong format (a vertical line as separator rather than horizontal).

    The top left corner of the dialog is missing the ZA logo, and the left hand upper pane has only the word ZoneAlarm, and lacks "Free Antivirus + Firewall" underneath that. The phrase "ZoneAlarm Free Antivirus + Firewall" is rendered in text at the very top of the dialog, which doesn't match the genuine ZA dialogs.

    What's puzzling is the fake dialog doesn't seem to appear in Task Manager as anything other than a genuine ZA process - until I noticed that it's only the group title that has the appearance of being genuine; when you open the group you see that the entry corresponding to the fake dialog lacks the ZA icon. Quite where it came from is still up for grabs. I have other screenshots available if anyone wants them (I have isolated the Windows 8 system by going into Device Manager and disabling all networking devices so that communication with the 'Net is not possible, hence the lack of actual screen grabs).

    This gives me some hope that the probable code attached to controls in the dialog may not execute if I simply dump the process from within Task Manager.

    For now, I've invoked the genuine ZA app for a full virus scan, and we'll see if it spots any active code ready to execute.
    Last edited by AncientBrit; August 2nd, 2013 at 10:48 PM. Reason: Continuing observations of the dialog

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    First of all, relax, sit-back and no panic. No conspiracy theory of hackers please.. lol. Nowadays they couldn't careless about ZA dialog boxes. They go for money not for modifying a ZA pop-up survey

    What is likely happening there is either corruption of the ZA databases, where settings are stored or screen resolution problems. That screenshot should normally show a rating about your experience with ZA. It happens once after few days of use after install.

    If you need help from other users, you should
    - post full details of the system and other security tools installed,
    - the screenshot is weird, sounds like you took from a camera on a CRT screen?? Windows 8 comes with Snipping tool to take screenshot...
    - the screenshot is enormously large; this may indicate that you have altered the standard resolution/font size/etc... Is this the case? If yes, try the windows defaults as ZA does NOT support custom setup of the screen resolution/font size.

    Finally start clean:

    1. Re-download the latest version of ZAfree from here: Looking for the latest version? Watch out to choose the right installer

    2. Remove you current ZA from your OS control panel (add/remove programs in XP, Uninstall an application in WIN7 or WIN8).

    3. Reboot the PC

    4. Turn ON Windows firewall if off (ZA will take care of turning it off once installed).

    5. Download and save to the desktop the ZA removal tool:
    http://download.zonealarm.com/bin/fr...load/clean.exe


    6. Run the ZA removal tool

    7. Reboot the PC

    8. Install the latest version ZAfree you downloaded from point 1.
    without touching any default settings,
    and Do Not Restore Saved Settings from the old install.
    Last edited by fax; August 2nd, 2013 at 10:49 PM.

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Aug 2013
    Posts
    5

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    Hi Guru

    Thanks for your response - an interesting idea. I'm still a little skeptical (unless you are absolutely positive that a corrupt survey is the culprit; I've used ZA on various systems over the years and never encountered the survey; the Win8 machine has had ZA since December last year, so that survey has been a long time creeping up on us :)).

    First, though, here's the reason for my panic: money IS the key factor. The machine is used for online banking and credit card management by my wife (disabled and bed-bound), and since we are homeless (two+ years now) and cannot afford to have a single dollar go missing from our meager survival funds, it's vital that we have total confidence in the system. I keep it so locked down that I only just learned the account password from my better half so she can sleep while I work on bringing it back to some resemblance of life :)

    Our identities have been stolen twice in the last decade (thanks to USPS - a long story and luckily without us losing a cent directly) so we are naturally hypersensitive about anything that smacks of an intrusion. Friends have lost hundreds of dollars to hacks of varying forms, so that's another reason to be antsy :)

    We've had one genuine virus in over 18 years of using up to six systems so our vigilance has been paying off compared with family and friends, who have been regularly plagued with various horrors.

    So I'll play it safe, whether panic is warranted or not :) I'd much rather be safe than sorry, any day.

    Once the scan has completed, I'll dump out using approaches I trust (Task Manager) and run further system tests (CHKDSK at reboot, SFC and if necessary DISM) to make sure everything else is kosher, and then follow your advice with regard to wiping, downloading and installing ZA sans prior settings.

    With regard to the screenshot, yes, I used a 12M camera to photograph a Samsung notebook with an LCD panel - I'd disabled network access, so I couldn't use the usual alt-PrntScrn method, and I had little in the way of resources to manipulate the image except for an extremely old copy of PaintShopPro 6 on the XP machine, which doesn't bring megabyte-sized jpegs down to a few K without some quirks (and the original was moire'd to h-e-hockeysticks and back, to add to the problems). I needed a cheap and cheerful way to get an image of the problem into the post and this was the best I could do.

    Apologies if I didn't include all the system info - I presented what I thought would be relevant. Hopefully there won't be a next time...

    Thanks once again - much appreciated.

  4. #4
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    yes, again no panic. An hacker would not care less to modify a pop-up of a survey

    If you use your system for banking and experienced security problems in the past then you should run proper paid security on the system including reputable antivirus systems.

    Have your system checked by professional, for example, at bleeping computer. See here below for details:

    Malware Clean-up Guidance and for the future:

    xyz was not detected. What I should do?

    Thanks and good luck!

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    Join Date
    Aug 2013
    Posts
    5

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    Quote Originally Posted by fax View Post
    ...If you use your system for banking and experienced security problems in the past then you should run proper paid security on the system including reputable antivirus systems.
    As I said, it's precisely because we HAVEN'T had security problems that I pushed the panic button. The identity theft was due to incompetence by the US Postal Service (long story, but one that shows complacency gets you into trouble if you make unwarranted assumptions).

    Hackers exploit the innocuous, as a friend of mine discovered when he hit alt-F4 to remove an apparent ad and promptly installed severe malware on his system. He was down for a week and it cost him thousands to get his system back - and he HAD paid security on his system.

    When we can afford to use the paid versions we do, but when the recession began to bite in 2007, "should" and "could" took on new meaning. We're still trying to get back up off our knees.

    Thanks once again for the help - much appreciated. I think we can return to normal programming...:)

    PS: Just spotted that your screen name is "fax" not "guru". Oops.
    Last edited by AncientBrit; August 3rd, 2013 at 10:31 AM. Reason: Append PS

  6. #6
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    You're welcome!

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  7. #7
    Join Date
    Aug 2013
    Posts
    5

    Default Re: Rat... Rat... Rat... ZA Free version on Windows 8

    Just a final note. Closing the odd dialog triggered Windows Authentication and an error that claimed a new license needed to be purchased (!) That was resolved without needing to call M$.

    I reverted the system to the last restore point (7/29) and then ran CHDSK /spotfix (seemed OK) and SFC /scannow (found errors and fixed them). Ran SFC again and found no reported errors.

    After various reboots in between, I re-enabled online access, enabled Windows firewall as suggested, and downloaded the ZA cleaner and a fresh copy of ZA (which insisted on installing, so I stopped that, and disabled online access).

    Uninstallation via CPL seemed to go OK (usual heads-ups from ZA), cleaner seemed to go OK (with various reboots in between), then re-enabled online access and ran the fresh ZA installer, which seemed to go OK.

    So far, so good.

    I can't tell whether ZA screwed with the database(s) or vice versa, but either way we seem to be back on track (just as I read of a screw-up that redirected access to banks' websites - including our own - on 7/24!).

    The price of freedom is eternal... frustration :)

    I can forgive myself for thinking the corrupt dialog was a partially failed phishing attempt. The only reason we know about Stuxnet is because there was a flaw that allowed it to escape the confines of its intended environment; the odd ZA dialog seemed to be in the same class (i.e., flawed and therefore inadvertently visible).

    I have written interception code for dialog controls myself (legitimate purposes, I hasten to add) so I know what's possible.

    Many thanks to fax for providing key info that helped defuse the problem!

  8. #8
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    You will only know in a few days if this has fixed your issue as the pop-up will appear after few days of use. Otherwise follow the other suggestions including having your system checked at bleeping computer and ensure all software installed is fully up to date. Again, no paranoia and no panic.

    Unless there are no other questions I will close soon this thread as we have said all we could say about it. If you need to reopen it please PM me. But please, not for reporting hackers invading your house

    Finally think seriously to step up your protection with paid solutions (e.g. security suites) as they also come with official support. This is particularly relevant if you use the system for payments and banking!

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  9. #9
    Join Date
    Aug 2013
    Posts
    5

    Default Re: Rat... Rat... Rat...ZA Free version on Windows 8

    Thanks for the invitation. But we have no house - not even an apartment. We're living in a hotel, one of the highest risk environments for hacking. I think I'll keep a level of paranoia and panic going for a while longer :)

    I can think seriously all I want - it won't put more cash in my wallet. I have to work within the confines of what's feasible, regardless of what's desirable. So paid solutions will stay a distant goal, of necessity. As will so many other things :(

    Many thanks for your help and input - much appreciated.
    Last edited by fax; August 4th, 2013 at 02:26 AM. Reason: quoting not needed

  10. #10
    Join Date
    Dec 2002
    Location
    San Carlos, California
    Posts
    1,636

    Default Re: Rat... Rat... Rat... ZA Free version on Windows 8

    Quote Originally Posted by AncientBrit View Post
    We have a 64bit Windows 8 system running ZoneAlarm (free version) that's suddenly showing a ZoneAlarm dialog consisting of a series of single digit numbers in circles (0 to 6) followed by the text "rat... rat... rat..." (there are more of these)

    Hovering the mouse over each "rat..." or circled number produces a tooltip with the text "Rating".

    There is one button at bottom center labeled "Close".

    Any ideas what this might be?

    I recently successfully ran DISM followed by SFC to clean up corruption of system files, if that has any relevance.

    Snc11476mini.jpg

    ZoneAlarm version number is 11.0.768.000. To the best of my knowledge all patches have been applied to Win8.

    I have searched online for the string "rat... etc" and come up empty. If (big IF) this is an attempted exploit of the free version, the paid version may have the same vulnerability.

    ==============

    It's possible this is a spoofed dialog, designed to look like a genuine ZoneAlarm object. It may be the result of injected code, inserted into a valid web page or piece of online software (from Facebook or online merchant such as Vons/Pavilions).

    It's possible that clicking on either the "Close" button or the "close window" (x) / pressing Alt-F4 will cause attached code to execute, installing malware (possibly a remote access trojan or RAT).

    In the past, to dump such an exploit all you had to do was to go into Task Manager, find the offending browser process/page and stop the process, and then immediately reboot to clear anything that might be lingering in memory.

    I've read that there are exploits that can circumvent even this action, so for now I still have the dialog visible while I try to get more information.

    If anyone from ZoneAlarm/Checkpoint is reading this, it would be helpful to know whether there is ANY circumstance under which this dialog could legitimately be produced. I'd be surprised if it could, but you never know - a Summer intern with a warped sense of humor could have added it (worse things have happened).

    Since this is Windows 8, the usual paths to a solution are either masked or missing (thanks, Microsoft!) and while I'd be comfortable hacking Windows XP (which is running on the second system I have, which is NOT currently suffering the same problem, and which I am using to make these requests for help), Windows 8 is a bridge too far.

    The circled numbers (0 to 6) are a puzzle too.

    Since this is the free version of ZA I understand that ZA don't offer support (although I'd like to know why, since it's leaving a gaping hole in security that isn't presumably being investigated and therefore could affect the paid version) but it would help tremendously if I knew that this is a known issue, and even more so, how I can ensure the Windows 8 system doesn't end up being compromised (and in the process, losing us the contents of our bank accounts if the RAT grabs access credentials when we conduct online banking).

    I continue to search for anyone else reporting this "rat... rat... rat... rat... " dialog and I'll provide any useful info here should anyone else hit the same problem.

    This may be a "zero day" exploit, in which case it's all the more important to help me get it resolved.

    ==============

    Examining (carefully) the dialog reveals that the Close button does not exhibit normal behavior. Moving the cursor over the control does not cause the arrow cursor to change to a pointing finger, nor does the command button control exhibit dotted line highlights as a result of tabbing from one control to another (in fact, tabbing between controls does not work). Right clicking in the dialog window produces nothing. Moving the cursor over the close control (x) produces a color change that seems slightly off. Right clicking in the top left corner of the window elicits a pop-up with only two options: "Move", and "x Close Alt-F4", arranged in the wrong format (a vertical line as separator rather than horizontal).

    The top left corner of the dialog is missing the ZA logo, and the left hand upper pane has only the word ZoneAlarm, and lacks "Free Antivirus + Firewall" underneath that. The phrase "ZoneAlarm Free Antivirus + Firewall" is rendered in text at the very top of the dialog, which doesn't match the genuine ZA dialogs.

    What's puzzling is the fake dialog doesn't seem to appear in Task Manager as anything other than a genuine ZA process - until I noticed that it's only the group title that has the appearance of being genuine; when you open the group you see that the entry corresponding to the fake dialog lacks the ZA icon. Quite where it came from is still up for grabs. I have other screenshots available if anyone wants them (I have isolated the Windows 8 system by going into Device Manager and disabling all networking devices so that communication with the 'Net is not possible, hence the lack of actual screen grabs).

    This gives me some hope that the probable code attached to controls in the dialog may not execute if I simply dump the process from within Task Manager.

    For now, I've invoked the genuine ZA app for a full virus scan, and we'll see if it spots any active code ready to execute.


    This is an In Client Message (ICM) that comes up 21 days after a new install or upgrade and is a survey asking on a scale of 1-10 would you recomend ZA to someone.

    For some reson the message is corrupt. We saw two other examples of this with missing text and numbers, but not the words Rat.

    Sorry you got this message but there is nothing to be alarmed about.

    We are looking into the issue on our side to figure out what went wrong.

    Forum Moderator
    Last edited by Forum-Moderator; August 5th, 2013 at 04:04 PM.
    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Free version for Windows 7
    By GeorgeVI in forum ZoneAlarm Installation
    Replies: 9
    Last Post: November 14th, 2009, 10:24 AM
  2. Will there ever be a release of the free version for Windows 7 64-bit?
    By Drowsiness in forum General - Questions that don't fit any other category
    Replies: 5
    Last Post: October 28th, 2009, 05:23 AM
  3. Free Firewall version gone after Windows workaround version loaded
    By annb in forum Windows and ZoneAlarm Messages and Alerts
    Replies: 2
    Last Post: July 19th, 2008, 01:40 AM
  4. I have the free 2.6.362 version installed on Windows 98....
    By davidcash in forum ZoneAlarm Installation
    Replies: 0
    Last Post: March 1st, 2008, 06:57 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •