Zone Alarm Stopping Firefox?
#16
Posted 25 April 2007 - 07:55 AM
Hi guys, thanks for sticking with me on this one. I'm willing to try your suggestions but have 2 questions: TOS226, when I post the values into the Zone setting of the Firewall which option should I choose (Host/Site, IP address, IP range or Subnet)? The values I got from ipconfig /all covered a range of categories: IP address, Subnet Mask, Default Gateway, DHCP server and DNS servers. I'd guess IP RANGE but it's all starting to look like Hasty Pudding to me. And NIGGLSNUH85, followed your instructions, stopped the DNS but the warning sounded dire - said things like "this computer will not be able to resolve DNS names and locate Active Directory domain controller." Sounds bad to me. Does this sound bad to you too? Very late here, will find out just how bad in am, nighty night, M
#17
Posted 25 April 2007 - 08:59 PM
Hi, had an interesting morning. Fx opened OK, DNS client still stopped. I opened several bookmarked pages to see if they were accessed. All fine until I tried to jump from a BC forum page to a tutorial page - Fx couldn't find the server. Hit "Try Again" and up it came. As I'm wondering whether this is some sort of timeout problem, up pops a ZA Server Program Security Alert saying that Firefox wants to accept a connection from the Internet, source IP 139.134.2.190. As tos226 had told me this was a Big Pond reserved DNS server, I thought, OK, so ticked Remember This and Allow. Next moment a pretty revolting porn pic (involving vomit and genitalia) downloads itself from a bookmarked site "Pictures from the Sky" that I'd used before with no problems. I showed my true newbie self by screaming, "AAGGHH" and hit every off button I could see. But I had to find out what had happened so I opened up ZA, looking for I don't know what, only to find in Program Control that Firefox has somehow got straight ticks - Internet and Server rights. I realise that I must have done this when I clicked on Allow during the earlier Security Report. So I stop Server rights first, then go to DNS Client, it's started again too. Stop it again. I empty the Fx cache, then hit Pictures from the Sky again, same porn pic. Empty cache again, check DNS, still stopped, google Pictures from the Sky, up comes the same URL (http://files.kavefish.com), hit it again, same porn pic but this is from the googled URL. Completely confused. Access another bookmarked site to see if a porn virus has taken over bookmarks, but no problems. Emptied cache last time, checked DNS client still off, have no idea what just happened. Am I in trouble? No AVG alerts of any kind yet but will close browser and run full scan. Sorry to be so long-winded but it freaks me out to realise how ignorant I am, Margaret. One more thing, how do I change the DNS server designation to sy-dns01.tmns.net.au? I couldn't find anywhere in Services (Local) box that would allow me to do this.
#18
Posted 25 April 2007 - 10:28 PM
What to put into the Firewall zones?
I have a router, so my answers are about a router.
When ZA detected a new network, it detected a router. So I have it as "Network" 192.168.1.0/255.255.255.0 and ZA typed it all in. The 255s after a / is a subnet.
Then I added loopback as IP address, 127.0.0.1
Then my local LAN, as IP range 192.168.1.65 - 192.168.1.75 gives me 10 addresses which I really don't need, but guests may use wireless connection.
Since the router is also the DHCP and DNS server of sorts, I've put nothing here. BUT, you can just add the LEGITIMATE!!! IP addresses. When I used DSL modem I just did the ipconfig thing and added the two DNS servers as IP addresses.
Regarding "Security Alert saying that Firefox wants to accept a connection from the Internet, source IP 139.134.2.190. As tos226 had told me this was a Big Pond reserved DNS server, I thought, OK, so ticked Remember This and Allow"
Blame me ?!

1. If not sure, always check something like DNS stuff site as to what the address is.
2. I just checked 139.134.2.190. No idea what it is. Not BigPond.
inetnum: 139.134.0.0 - 139.134.255.255
netname: TELSTRAINTERNET36-AU
descr: Telstra Internet
descr: Locked Bag 5744
descr: Canberra
descr: ACT 2601
country: AU
admin-c: TIAR-AP
tech-c: TIAR-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-TIAR-AP
status: ALLOCATED PORTABLE
Ah, your previous post was about 139.134.5.51 not 139.134.2.190. So ZA saw it as something questionable.
Is it possible your HOSTS file got infected? Can you post it, it's under C:\WINDOWS\system32\drivers\etc
Perhaps something is rerouting you to that lovely porn site?
If you see that address there, just get rid of the line.
Perhaps something is changing your ZA permissions on Firefox - is your ZA client protected from changes? I can't find where it's done, so read the Help screen.
Regarding your question: "how do I change the DNS server designation to sy-dns01.tmns.net.au"
I don't know. I think you need to repeat the flushDNS command and somehow acquire the legitimate DNS value from your ISP.
Now, since Firefox is not as bad as IE, emptying the FF cache, cleaning cookies, cleaning history should leave you clean. But I think, at this point you need advice from the malware people, not me.
This post has been edited by tos226: 25 April 2007 - 10:30 PM
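The HOSTS file check suggested in the post above can be done mechanically. The following is an added example, not part of the original thread: it lists every HOSTS entry that pins a hostname to a non-loopback address, which is the kind of line that can reroute a bookmarked site. The sample file content and the `audit_hosts` name are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample HOSTS content (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.net      # blocklist-style entry
203.0.113.45    files.example.org    # pins a site to another server
203.0.113.45    www.example.com
not-an-ip       broken.example
::1             localhost
"""


def audit_hosts(text):
    """Return (line_no, address, hostnames, reason) for entries to review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        # Loopback / 0.0.0.0 entries only block a name; they cannot reroute it.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append(
            (line_no, address, names, "name pinned to non-loopback address"))
    return findings


if __name__ == "__main__":
    # Pass the HOSTS path as an argument; without one the sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, address, names, reason in audit_hosts(text):
        print(f"line {line_no}: {address} -> {' '.join(names)} ({reason})")
```

A flagged line is not proof of infection (some people add such entries on purpose), but any entry the owner did not put there deserves a closer look.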
#19
Posted 26 April 2007 - 03:24 AM
For the reroutes in Firefox please do the following:
Download and scan with SUPERAntiSpyware Free for Home Users
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE
After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in SAFE MODE using the F8 method.
Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
#20
Posted 26 April 2007 - 05:36 PM
TOS226, sorry about that, I wasn't blaming you. The Big Pond IP info was in the first post on the Exetel Forum link you provided; I wrote it down then forgot where I got it from as I was working through your suggestions. Will work my way through both your very detailed answers today sometime. Speak to you afterwards, Marg
#21
Posted 30 April 2007 - 06:19 PM
Thanks TOS226 for your suggestions. Adding the DNS server IP addresses to the Trusted zone in ZA seems to have done the trick - FF has linked successfully to a dozen servers since I did this without once dropping out, so fingers crossed. I was unable to find a way to protect ZA clients from being changed although I scanned several forums. Anyone know how to do this? Also, as NIGGLESNUSH85 suggested, I stopped the DNS Client on Services (Local) but it keeps restarting by itself. Any suggestions as to how to disable it completely? And thanks to FOZZIE. It's the first time I've scanned for malware in safe mode and it was very successful - found and deleted 2 trojans! Many thanks, Margaret
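The zone entry types discussed in this thread (IP address, IP range, Subnet) differ in how much they trust. The following is an added example, not part of any post: it models the entries tos226 described and shows that 139.134.2.190 is covered only if the whole Telstra block from the whois output is entered as a subnet. Treating 139.134.5.51 as the DNS server entry is an assumption drawn from the thread; the function names are illustrative and this is not how ZoneAlarm itself stores zones.

```python
import ipaddress

# Zone entries as (kind, value); the first three come from tos226's post.
TRUSTED = [
    ("subnet", "192.168.1.0/255.255.255.0"),
    ("ip", "127.0.0.1"),
    ("range", "192.168.1.65 - 192.168.1.75"),
    ("ip", "139.134.5.51"),  # assumed DNS server entry
]
# The whole allocation from the whois lookup, entered as one subnet.
TOO_BROAD = ("subnet", "139.134.0.0/255.255.0.0")


def bounds(kind, value):
    """Return the inclusive (first, last) addresses one entry covers."""
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return addr, addr
    if kind == "range":
        low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if low > high:
            raise ValueError(f"range is reversed: {value}")
        return low, high
    if kind == "subnet":
        net = ipaddress.ip_network(value, strict=False)
        return net[0], net[-1]
    raise ValueError(f"unknown entry kind: {kind}")


def matching_entries(address, zone):
    """List the zone entries that would treat this address as trusted."""
    ip = ipaddress.ip_address(address)
    hits = []
    for kind, value in zone:
        low, high = bounds(kind, value)
        if ip.version == low.version and low <= ip <= high:
            hits.append((kind, value))
    return hits


if __name__ == "__main__":
    for addr in ("139.134.5.51", "139.134.2.190", "192.168.1.70"):
        print(addr, "->", matching_entries(addr, TRUSTED) or "not trusted")
    print("with the /16 added:",
          matching_entries("139.134.2.190", TRUSTED + [TOO_BROAD]))
```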
#22
Posted 01 May 2007 - 10:10 AM
To stop the DNS service, double-click on it and set the startup type to Disabled, then click the Recovery tab and select 'Take no action'. This will stop the service permanently until you want to change it back.
#23
Posted 03 May 2007 - 07:55 AM
Alan, forget my FF probs. I can accept nigglesnush. But 85 nigglesnushes I can't. Where does the name come from? M
#24
Posted 03 May 2007 - 11:20 AM
