Solved

Unauthorized program trying to talk to internet

Posted on 2004-10-09
Last Modified: 2013-12-04
ZoneAlarm says that some program with strange characters for a name is trying to access the internet. The program has size zero. ??? How can that program do anything?

I answered permanent NO, but wonder what the deal is.

The program name is ÜýTퟗÊ4C, where ퟗ is the character &#55255;
(that's ampersand, #55255, semicolon)

This has happened from time to time (usually months apart). To date, no permanent problem that I know of. I just delete the size zero file.

So this question is to find out what the nature of the attack (if there was one) is. Maybe this is just a bug in WindowsNT?

Mac
Question by:QBasic
23 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12267917
Have you done this?

Check for spyware and viruses on the system.

Spyware:
--------

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

My recommendation would be to start with Spybot, Ad-Aware, CWShredder, then get the log from HijackThis, save the log and paste it here http://hijackthis.de/index.php?langselect=english to analyze it.

After installing them, first update them and then run them.


virus scanner:
---------------

http://vil.nai.com/vil/stinger/

http://housecall.trendmicro.com/

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12267923
Do this as well:

Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there except anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this
at startup.

Remove temporary internet files, folders and cookies.
Also remove Windows temp files by going to

1) Start --> Run --> type in:  %systemroot%/temp
2) Start --> Run --> type in: %temp%


Go to Add/Remove Programs and remove any unwanted program.

Scan for viruses in Safe Mode and Normal Mode.

Post back how it goes.
0
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 100 total points
ID: 12267945
QBasic,
> Maybe this is just a bug in WindowsNT?

Check the Task Manager to see if there is any exe file you do not recognise.
Maybe ZoneAlarm does not know the program that is trying to connect to the internet and hence shows those junk signs.

You may also want to run chkdsk and Disk Cleanup on your machine.

Make sure your machine is fully updated.

SR
0
 
LVL 17

Assisted Solution

by:Lobo042399
Lobo042399 earned 100 total points
ID: 12268267
Hi QBasic,

It sounds like a dialer or downloader. I would do a scan with TrojanRemover and an online scan at Symantec. The 0 size seems to indicate that the program is not acting alone, but in conjunction with another file, probably a DLL or EXE.

A scan with Process Explorer while this program is active may also render some valuable info on its nature.

You can download Process Explorer and TrojanRemover from:

http://www.gatesofdelirium.com/ee/tools/

Good Vibes!

Lobo
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12268295
No, it's not a "bug" in "WINDOWS" - it's an unpleasant "Nasty" -
Download and install (Dare I say this!) - HijackThis - put it in its own folder, run it and post
a link to your log here - just the link! OK!?!
Here's the link to acquire HijackThis:
http://www.gatesofdelirium.com/ee/tools/
(put it in its own folder, with ALL browser windows closed - run it)
And: here's where to post your log for analysis:
http://www.hijackthis.de/index.php?langselect=english
Save the link to your log and post it back here.
Do not post your HijackThis log here!
Any questions - let us know?!?!

Regards...
RF
0
 

Author Comment

by:QBasic
ID: 12271229
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 200 total points
ID: 12271593
Hi!

Took a look at your log.
Are you running Win 2000 or NT 4.0?
This entry would seem to indicate NT 4:
C:\winnt\system32\rasman.exe

One thing you should do is update Internet Explorer to, at least, version 6.0, Service Pack 1
(Your log shows: MSIE: Internet Explorer v5.50 SP1 - 5.50.4522.1800 )
Also, make sure you've applied all the latest service packs, patches, fixes, etc. for
Windows and IE!
Your computer is vulnerable.

The following entry is marked as "Nasty" -
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft
Office\Office\OSA.EXE               Nasty
Nasty               The entered application 'Office Startup.lnk (OSA.EXE)' was identified: 'Office Startup (Exploer.exe )'. Hit
rate: 47 % (result)               Must be fixed!
It's not really "nasty" - however, it's a known resource hog and should probably be fixed.

This entry is safe:
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
It's related to this entry:
C:\winnt\System32\nddeagnt.exe
Info here:
http://www.mac-net.com/569484.page

This entry should be fixed:
O13 - WWW. Prefix: http://

Check through the O15 Trusted Zone entries and make sure you added all of them.

Do you know what these entries are:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rcas-campus
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rcas-campus

As far as this strange entry: "ÜýTퟗÊ4C"
I did a search on it and it came up with one result -
When I clicked on the link it immediately wanted to download something called: "c garte snake info.txt" - Uh Oh!
Don't know what that is?!?
Download and run "GetService" from:
http://www.bleepingcomputer.com/files/spyware/getservice.zip
Put it on your Desktop and run it.
Go through the log that it generates and see if it shows up -
if it does, note what it is and post it back here.
(I think GetService will run on NT)

Good luck!
RF
0
 

Author Comment

by:QBasic
ID: 12271970
My system is WindowsNT, cloned (legally) from my office computer when I worked on a project named RCAS.

I don't need those RCAS entries any more. Do you know how to remove them? If not, no biggie. This question is closed. Thanks.

Mac
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12271974
I wonder why this should not be a split. HijackThis has been posted in my first comment and RF solved the issue.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12272027
>QBasic
Just have HijackThis fix them if they show up again, don't worry - they're harmless.
Also, sunray_2003 does make a valid point - SR was the person that pointed you in the right
direction, I just "stumbled by" and gave some input.
At EE we like group efforts - that way no one of us gets the blame - OOPS! - I mean "credit"  :)
Post a request at Community Support and have the question reopened:
http://www.experts-exchange.com/Community_Support/
Then split the points any way you want:
http://www.experts-exchange.com/Community_Support/help.jsp#hi69

>SR  :)

I'm glad anyone could give you some help!

Regards..
RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12273413
No response from anyone?!?
RF
0

 
LVL 49

Expert Comment

by:sunray_2003
ID: 12273417
RF

I made a point , you supported the point , next is to wait for the rest

SR
0
 

Author Comment

by:QBasic
ID: 12273818
Sorry to cause confusion. Here was my rationale

1) I asked about ÜýTퟗÊ4C.

2) I did not ask about general search for spyware stuff.

sunray ignored my specific question and went into general virus checking. That might be useful to some, but I already know about those kinds of things and was interested only in ZoneAlarm notifications about programs of zero size with funny names. Thus (sorry sunray) I judged the response as not addressing the question and, should nobody else ever respond, I would have awarded zero points.

Lobo didn't do as much work as sunray, and essentially had the same approach - ignore my specific question and instead launch into general how-to-disinfect details. But Lobo came close to addressing the question when mentioning DLLs.

rossfingal also went down the "ignore my question" path. But anyway, I did the HijackThis thing out of frustration with having my question ignored.

I presume anyone could have analyzed the log, but it so happened that rossfingal did and, more importantly to me, said

As far as this strange entry: "ÜýTퟗÊ4C"
I did a search on it and it came up with one result .... blah

Now it so happens that the "c garte snake info.txt" reference he gave was just some kind of data file for a biology type application (they meant garter snake) and I suspect the search just randomly hit some binary in an EXE file or something and thus the answer was not useful, but AT LEAST it finally addressed my question.

I finally concluded that I would not get the response I wanted, namely:

"Yes, many people who use ZoneAlarm have reported attempts to access the internet from zero-size programs with strange names. The names appear to be randomly generated and thus contain unusual characters. These are the result of an attempt to hijack your computer for eventual denial-of-service attacks. The fact that ZoneAlarm stopped the attempt means you were not hijacked. As the attempt failed, the trail ends and there is no way to track down who was doing that."

(The above is a sample of someone addressing my problem - it is bogus speculative guessing on my part)

So I decided to close the question as obviously no expert knew anything about ZoneAlarm and zero-size bogus names. And as rossfingal appeared to have done the most work and actually researched the name I provided, I gave him the points.

I did not realize this would be a problem and I don't want to get into any debate here. rossfingal: if you have a suggested distribution other than my judgement of 0-0-300, let me know and I will distribute that way just to have peace.

Mac
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12273933
Hi QBasic,

The reason why I recommended the use of Process Explorer was because those random names are exactly that... random. It's impossible for any antivirus or anti-spyware program to list all possible combinations those names can have, so doing a search with the name itself would be useless... as you found out. Those randomly named files usually work in tandem with other hidden DLLs or EXEs. Hence the use of Process Explorer, which can shed light on the names of those hidden files that are generating the random ones.

Sorry if I didn't explain this properly during my first comment. If you're still having the problem, I'd suggest that you run Process Explorer. You can save a log as a txt file and either post it here or upload it and post a link.

No worries about the points situation on my side.  I'm just glad I can help.

Good Vibes!

Lobo
0
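The triage Lobo describes (look at the process that spawned the oddly named program and at the DLLs it has loaded, rather than searching for the random name itself) as an added Python example; this is not code from the original thread or from any of the posters. The process snapshot, paths and names in it are constructed placeholders, not real indicators; the temp-directory rule reuses the %systemroot%\temp and %temp% locations from sunray's checklist. On a real Windows machine the records would be filled from a Process Explorer export or tasklist output (assumed input source, not parsed here).

```python
# Added example, not code from the original thread or from any of the posters.
# It mirrors the triage Lobo describes: when a firewall names a zero-size,
# oddly named program, look at the process that spawned it and at the DLLs it
# has loaded, rather than searching for the random name itself.
#
# All input below is constructed. On a real Windows machine the records would
# come from a Process Explorer export or "tasklist /m" (assumed source, not
# parsed here); the paths and names are placeholders, not real indicators.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcessRecord:
    pid: int
    ppid: int                 # parent process id
    name: str                 # image name as the firewall / task list shows it
    image_path: str           # full path of the image file
    image_size: int           # bytes on disk; 0 means an empty or phantom file
    modules: List[str] = field(default_factory=list)  # loaded DLL paths


# %systemroot%\temp and %temp% from sunray's cleanup steps, as constructed
# absolute paths for this NT-era box. A program running from here is unusual.
TEMP_DIRS = ("c:\\winnt\\temp\\", "c:\\temp\\")


def in_temp_dir(path: str) -> bool:
    """True when path lies under one of TEMP_DIRS (case-insensitive)."""
    low = path.lower()
    return any(low.startswith(d) for d in TEMP_DIRS)


def odd_name(name: str) -> bool:
    """Heuristic: a process name made of anything other than printable ASCII.
    A random-byte name rendered by the firewall (like the one in the question)
    trips this; on localized systems with non-ASCII program names it needs
    tuning, so it is a signal to investigate, not a verdict."""
    return any(not (32 <= ord(ch) <= 126) for ch in name)


def reasons_for(rec: ProcessRecord) -> List[str]:
    """Collect why a single process record deserves a closer look."""
    reasons = []
    if rec.image_size == 0:
        reasons.append("zero-size image file")
    if odd_name(rec.name):
        reasons.append("non-printable or non-ASCII name")
    if in_temp_dir(rec.image_path):
        reasons.append("image under a temp directory")
    return reasons


def parent_chain(rec: ProcessRecord, by_pid: Dict[int, ProcessRecord]) -> List[str]:
    """Walk ppid links upwards and return the ancestor names, nearest first.
    Stops on a missing parent or a cycle so a corrupt snapshot cannot loop."""
    chain, seen, cur = [], {rec.pid}, by_pid.get(rec.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur.name)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def triage(snapshot: List[ProcessRecord]) -> List[dict]:
    """One finding per suspicious process: its reasons, its ancestry, and any
    loaded module sitting in a temp directory (the 'other file it works in
    tandem with' that Lobo's comment points at)."""
    by_pid = {r.pid: r for r in snapshot}
    findings = []
    for rec in snapshot:
        reasons = reasons_for(rec)
        if not reasons:
            continue
        findings.append({
            "pid": rec.pid,
            "name": rec.name,
            "reasons": reasons,
            "parents": parent_chain(rec, by_pid),
            "modules_in_temp": [m for m in rec.modules if in_temp_dir(m)],
        })
    return findings


# Constructed snapshot: two ordinary processes plus the kind of entry the
# question describes (zero bytes, garbage name, spawned from a temp folder).
SAMPLE_SNAPSHOT = [
    ProcessRecord(4, 0, "System", "c:\\winnt\\system32\\ntoskrnl.exe", 900_000),
    ProcessRecord(300, 4, "explorer.exe", "c:\\winnt\\explorer.exe", 240_000,
                  ["c:\\winnt\\system32\\shell32.dll"]),
    ProcessRecord(812, 300, "loader_placeholder.exe",
                  "c:\\winnt\\temp\\loader_placeholder.exe", 12_288),
    ProcessRecord(944, 812, "ÜýTퟗÊ4C", "c:\\winnt\\temp\\ÜýTퟗÊ4C", 0,
                  ["c:\\winnt\\system32\\ws2_32.dll",
                   "c:\\winnt\\temp\\helper_placeholder.dll"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SNAPSHOT):
        print(f"pid {f['pid']} {f['name']!r}: {', '.join(f['reasons'])}")
        print("  spawned by:", " <- ".join(f["parents"]) or "(unknown)")
        print("  modules in temp dirs:", f["modules_in_temp"] or "none")
```

The point of the parent chain and module list is the one Lobo makes: the random name is worthless as a search key, but the process that launched it and the DLL it loaded from a temp folder are stable names worth looking up and cleaning up.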
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12275390
>> sunray ignored my specific question and went into general virus checking

NOBODY can specifically say what that junk program ZoneAlarm is asked about connecting is, unless the basic homework of checking for viruses and spyware is done.
Virus scanning is the first and best approach to start the process of troubleshooting in cases like this. It is NOT even worth doing a spyware check before virus scanning, or I should say it is no use and not the way it should be done.

My point is, I had led you to use HijackThis to see what is going wrong in your system. Mind you, HijackThis is always the last step to be taken and all other spyware removal tools should be used before that.

EE is always a team effort. Most of the credit should go to Rossfingal as he pointed out the bad guy in the log; that is absolutely understandable.
0
 

Author Comment

by:QBasic
ID: 12279400
Waiting for an allocation recommendation, such as 100-100-100,
or 50, 50, 200 so I don't have to go through this again.

Thanks,

Mac
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12282493
For the effort of giving you suggestions to start with and explaining why there should be a split, I would be happy with 100
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12283590
QBasic

Thanks for reopening the question, and reassigning the points - nice to see you took the time!
Thanks - and ...
Regards...
RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12343048
Hi!
I can't believe this question is still open!
Give sunray a 100 -
I'll take a 100 -
Give Lobo a 100-
Give QBasic a 100 -
(we could try to give  ee_ai_construct some points :) - I don't think that's allowed!?!)

Regards to all!  :)
RF
0
 

Author Comment

by:QBasic
ID: 12343080
I think it was closed!

I gave 100-100-200 (increased value 100 for you)

Surely it is closed. If not, I don't know what else to do.

Mac
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12343161
We could order some pizza, a 2-4, and play Balderdash! (I would have said watch hockey on TV, but since there's no NHL season....)

Thanks for the points, QBasic. I wasn't expecting them. You rule.

Good Vibes!

Lobo
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12343244
OK!
Maybe it was closed - me bad!
Nice to talk to "use" anyway!
YESSSSSSSSSSSSS Pizza!!!
>QBasic
Good job on the points distribution (should have given yourself 100 for "putting up"
with us "clowns"!  :)
RF
0
