Results 1 to 4 of 4

Thread: Trying to access the internet?

  1. #1
    Junior Member Voivod's Avatar
    Join Date
    Feb 2007
    Posts
    16

    Default Trying to access the internet?

    Ran a quick scan with RootAlyzer then decided to run a deep scan. In the middle of (or rather, a while after starting the scan) ZoneAlarm popped up a warning that RootAlyzer.exe was attempting to accesss the internet.

    It shouldn't be doing that, should it?

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    No, it surely should not!
    Unless you open the About dialog and press the Update button of course, in which case it'll download a file of a few bytes of size. That file will be downloaded from http://www.safer-networking.org/updates/rootalyzer.ini.

    Did ZoneAlarm tell you which site it tried to connect to?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Junior Member Voivod's Avatar
    Join Date
    Feb 2007
    Posts
    16

    Default

    Nope didn't hit the update and no destination IP address listed in the ZA log. I denied access when it popped up.

    This has been happening with other apps including a screensaver. Randomly popping up the ZA alerter with a request for net access. Windows is up to date. Updated and run AVG AV, SpyBot and AdAware none of them have found anything other than some cookies.

    Addendum - Even Windows Defender came up blank
    Last edited by Voivod; 2008-04-17 at 22:17.

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    That's kind of spooky. You could try a tool like ActivePorts (or inside Spybot-S&D, Tools, Process List, the tab named Open Network Ports at the bottom, which does the same), to check which ports are opened in which application.

    In theory, malware could easily inject a single thread into a different application to use that context for communicating with the outside. That's not an easy thing to code though, so quite rare.

    If ZA shows no IP, did it open a port in "listen" mode maybe (trying to act as a server)? The above (ActivePorts or Spybot-S&D) would show that, and if not, possibly an IP or domain name which might help in finding out more (if something actually would go to the length of implementing such a method, it would be quite well hidden otherwise). Unless it's all a bug in ZA of course, haven't used that in a while and can't say anything about it, just mentioned to avoid imagining too many things on the possible rootkit side
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •