# zone alarm users



## ukboy (Nov 22, 2002)

i installed zone alarm 2 days ago and since i have had warnings of nearly 50 high-rated intrusions that have been blocked, mainly through port 127 which is unregistered but said, on some message boards, to be a trojan remote server. has any body else experienced this and if so is any thing wrong, i also check my system regularly so there should be no virus's or spyware.
this is my startup list incase you wanted to check it for me.
StartupList report, 28/11/2002, 20:01:57
StartupList version: 1.35.0
Started from : C:\Documents and Settings\Harry's.BEAMISHCOMPUTER\Local Settings\Temp\Temporary Directory 1 for startuplist135[1].zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Harry's.BEAMISHCOMPUTER\Local Settings\Temp\Temporary Directory 1 for startuplist135[1].zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Microsoft Works Calendar Reminders.lnk = ?
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2002112001/housecall.antivirus.com/housecall/xscan53.cab

[{7A32634B-029C-4836-A023-528983982A49}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[Yahoo! Audio UI1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37577.5160416667

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[{E87A6788-1D0F-4444-8898-1D25829B6755}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------
End of report, 8,048 bytes
Report generated in 1.640 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Luthorcrow (Jun 1, 2002)

Hhmm, my port reference lists 127 as Locus PC-Interface Conn Server. A search for "trojan"+"port 127" came up blank on Google. What is your reference for this being a port used by trojans?

Also, on the attack log is it listed as inbound or outbound? Are all of the listed attacks from the same IP or similar IPs?

Also, when I used ZA Plus & ZA Pro I noticed that it tended to over notify you of issues that really weren't attacks but just internet background noise. What is the description and what priority level is ZA listing it as?

I would suggest creating an advanced rule for that port if you are really worried but to my knowledge ZA doesn't have that option.


----------



## bassetman (Jun 7, 2001)

Ukboy, have you seen the reply to one of you other posts?
http://forums.techguy.org/showthread.php?s=&threadid=104446


----------



## ukboy (Nov 22, 2002)

sorry i actually meand port 1027 this is the post
post


----------

