suspicious activity



neddy
10-10-2002, 10:38 AM
My PC sends a 330 byte packet to who knows where every 35 seconds over my Jetstream connection. At the same time, any drop down menu gets zapped and the hourglass appears.
I think it started when I upgraded Zonealarm to version 3.1. Reverting back to 2.6 hasn't helped. I now have ZA locked down with the stop button unless I'm surfing or emailing.
Virus scans show nothing, and the various spyware programs I've run haven't helped.
Running 98SE, IE6 with latest patches.
Any theories?

MarkB
10-10-2002, 10:56 AM
If it started when zonealarm was upgraded try removing it completely.
Uninstall it and remove all references to it.

Regcleaner is good to use through the software tab to remove all registry keys, plus you can back them up if you change your mind.

Then see if it still happens. If not install zonealarm version you want and see what happens.

Could also try swatit, a trojan and bot remover. They updated their signature files today so could be something new on your system dialing home.

tweak'e
10-10-2002, 12:49 PM
ZoneAlarm has full instructions on how to clean out ZA remains before installing a new/old version.

Remove all the items in the program list and wait to see if ZoneAlarm picks up any program trying to access the net. If nothing happens, allow your browser (with a blank page) and see if the fault happens. It could well be something working through your browser.

MoNk
10-10-2002, 02:42 PM
www.lavasoft.nu

Get Ad-aware and run a scan. See what's up, then remove all the advertising material and see if that fixes it.

neddy
11-10-2002, 09:24 AM
Thanks for all the replies.
Unfortunately, none have fixed the problem, which I now doubt is caused by Zone Alarm - after all, no one else seems to be affected by it.
Meantime, going nuts...

BIFF
11-10-2002, 04:04 PM
Try this:
http://analyzer.polito.it/

Just run a capture and grab everything going past. Then have a look for your packet and view its destination and its contents.

neddy
11-10-2002, 07:27 PM
Thanks Biff
I installed Analyzer, but I'm afraid it's just too techie for me. I haven't a clue how to set it up, for a start.

BIFF
11-10-2002, 09:49 PM
OK, I'm sure you can muddle your way through this.

Install Analyzer, and install the WinPcap drivers (there is a link to these on the Analyzer site).
The Analyzer program doesn't create shortcuts in the Start menu etc.; just use Explorer to go to the folder where you installed it and double-click the Analyzer.exe file.
Then shut down ZoneAlarm. Connect to the internet. Let the connection settle and load Analyzer. Then press the little green Network Adapter icon. If you use a network card to connect to the internet then select that adapter, else select the WAN adapter (or similar) if on dial-up. Press OK and leave it alone for 5 minutes. Press the Stop button once you're sure you have caught one of the packets.
You will see all packets in the Network column. The source IP address is on the left and the destination is on the right. Look for ones originating from your computer's IP address (you can find out your IP using the WinIPcfg command under Win9x/ME, or the ipconfig /all command under 2K or XP).
If you left the connection to settle before beginning the capture there should, fortunately, be very few packets to look through.
If you spy the suspect packet you believe is the dodgy one, you can highlight it and look in the Data container below. The data will show in the pane on the right. If the packet contains any plain text it will show up in the rightmost section of the data between the square brackets [ ]. It's likely that it won't contain anything recognisable, however. You can open a command prompt and type "ping -a destination-address".
This will turn the IP into a name which may help you figure out what the offending app is. Good luck, hope this blurb helps you or someone else out there on Press F1.

Danger
12-10-2002, 01:15 AM
I think I read about ZA doing this on the CNET site/downloads/user opinions. It was a while ago now so I can't be sure, but I seem to remember someone not being too happy that ZA needed to send info home regularly for some reason.

Susan B
12-10-2002, 12:17 PM
We've just had a thread in the last week or so about how ZoneAlarm has some "interesting" "reporting features" built in to it. Can't find the thread now but a search should turn it up.

neddy
14-10-2002, 09:21 AM
Thanks again Biff
Yep, managed to muddle through your fine instructions and captured the offending packet which is mostly hex zeroes, but has my name twice at the end, with last 3 digits of my phone number. Probably not doing any harm, but disrupts PC ops all the same.
The heading data is as follows
1 | 10:51:03.007745 | FFFFFF-FFFFFF | 444553-540000 | IP: 169.254.1.1 => 255.255.255.255 (328) | UDP: Length= 308, Port (68 => 67) DHCP: Request |
The originating IP is not mine, and pinging it timed out. The second IP is the DHCP server (whatever!). Pinging that returns Unknown Host.
How to identify the rogue?
cheers
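Editor's note, with an added example that is not part of the thread. The header line neddy pasted already identifies the packet: UDP port 68 to port 67, from 169.254.1.1 to the limited broadcast address 255.255.255.255, is a DHCP client request. 169.254.0.0/16 is the APIPA (link-local) range Windows assigns itself when a DHCP client gets no lease, and a client in that state keeps broadcasting requests on a timer. The IP length of 328 and UDP length of 308 are exactly what a minimum 300-byte BOOTP/DHCP message produces, and the source MAC 444553-540000 ("DEST" in ASCII) is the address Windows presents on its dial-up/NDISWAN adapter. The Python below, written for this page, decodes such a frame the way Analyzer's packet list and data pane do, then goes one step further than BIFF's instructions by parsing the DHCP options so the message type and the client hostname (the "name at the end" neddy saw) are visible, and flags a link-local source. The sample frame is constructed here with the MAC and IP from the post and an assumed hostname "examplehost"; IP and UDP checksums are left zero because nothing is sent.

```python
"""Decode an Ethernet/IPv4/UDP/DHCP frame and flag a link-local (APIPA) client.

Added example for this thread, not code from the original posts. The frame
decoded below is constructed in build_dhcp_request(); checksums are zero.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes DHCP options
DHCP_MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                  5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA range


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def parse_dhcp_options(opts):
    """Return {code: value}; PAD (0) is skipped and END (255) stops parsing."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> UDP (-> DHCP) into a dict of fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip, dst_ip = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    info.update(src_ip=str(src_ip), dst_ip=str(dst_ip), ip_len=total_len,
                link_local_source=src_ip in LINK_LOCAL,
                broadcast=str(dst_ip) == "255.255.255.255")
    if proto != IPPROTO_UDP:
        return info
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    # What Analyzer shows between [ ]: printable bytes of the payload, others as '.'
    info.update(sport=sport, dport=dport, udp_len=ulen,
                printable="".join(chr(c) if 32 <= c < 127 else "." for c in payload))
    if {sport, dport} == {67, 68} and len(payload) >= 240 and payload[236:240] == DHCP_MAGIC:
        opts = parse_dhcp_options(payload[240:])
        info.update(dhcp_op="BOOTREQUEST" if payload[0] == 1 else "BOOTREPLY",
                    dhcp_type=DHCP_MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown"),
                    dhcp_chaddr=mac_str(payload[28:28 + payload[2]]),    # client hardware addr
                    dhcp_hostname=opts.get(12, b"").decode("ascii", "replace"))
    return info


def summary(info):
    """One line in the style of Analyzer's packet list."""
    line = f"{info['src_mac']} | {info['dst_mac']}"
    if "src_ip" in info:
        line += f" | IP: {info['src_ip']} => {info['dst_ip']} ({info['ip_len']})"
    if "sport" in info:
        line += f" | UDP: Length={info['udp_len']}, Port ({info['sport']} => {info['dport']})"
    if "dhcp_type" in info:
        line += f" | DHCP: {info['dhcp_type']}"
    return line


def build_dhcp_request(src_mac, src_ip, hostname, xid=0x3903F326):
    """Constructed sample: Ethernet broadcast + IPv4 + UDP 68->67 + DHCPREQUEST."""
    opts = bytes([53, 1, 3]) + bytes([12, len(hostname)]) + hostname.encode() + bytes([255])
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       src_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    dhcp += DHCP_MAGIC + opts
    dhcp += b"\0" * (300 - len(dhcp))            # pad to the 300-byte BOOTP minimum
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    # MAC and source IP taken from the header line in the thread; hostname is assumed.
    frame = build_dhcp_request(bytes.fromhex("444553540000"), "169.254.1.1", "examplehost")
    info = decode_frame(frame)
    print(summary(info))
    print("link-local (APIPA) source:", info["link_local_source"])
    print("client hostname option:", info["dhcp_hostname"])
```

Running it prints a line of the same shape as the one in the post (IP length 328, UDP length 308, DHCP: Request) and flags the 169.254.x.x source. On the machine itself the equivalent check is to look at which adapter WinIPcfg reports with a 169.254 address; that adapter's DHCP client is the thing "dialing home", and it will keep retrying until it is given a lease or its TCP/IP settings are changed to a fixed address.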