Zonealarm And Explorer.exe


25 replies to this topic

#1 Orange Blossom

Posted 14 August 2006 - 01:54 PM

Every time I start up my computer, explorer.exe tries to filewrite ZoneAlarm file ZLDIR/zlclient.exe. There are two attempts; they appear to be identical. Unfortunately, ZoneAlarm doesn't say just how or in what way explorer is wanting ZoneAlarm to change.

If it's any help, here's some alphabet number soup about the file that's trying to do the writing:

Program MD5 a0732187050030ae399b241436565e64 The MD5 hash, or number, that uniquely identifies the executable.

Smart Checksum 914e0a8ba776d336d75ff1e236b15833 The SKIMP hash, or number, that uniquely identifies the executable.

and the specific file path:

Filename C:\WINDOWS\explorer.exe

Is this simply a ZoneAlarm program conflict or what?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.




#2 tos226

Posted 16 August 2006 - 04:09 PM

> Every time I start up my computer, explorer.exe tries to filewrite ZoneAlarm file ZLDIR/zlclient.exe

Is ZLDIR really a directory or your abbreviation? I'll check at home, but I think zlclient resides in \Program Files\Zone Labs.
If ZLDIR is a real thing, that's kinda weird I would think.

> Is this simply a ZoneAlarm program conflict or what?

No reason for the windows explorer to EVER try to modify the ZA client, so you should keep worrying :thumbsup:
Just make sure to checkmark the setting in ZA to protect the client.

#3 tos226

Posted 16 August 2006 - 10:07 PM

At home, executables are in C:\Program Files\Zone Labs\ZoneAlarm
Logs are in C:\WINDOWS\Internet Logs

Over at CastleCops there is a list of MD5s. Check if explorer.exe is OK. Scan it with ZA and Spybot. What you're seeing is really wrong. Also, when you click more info on the ZA alert, walk through their four tabs, perhaps you'll see more detail on the Technical or Detail page.

Edited by tos226, 16 August 2006 - 10:15 PM.


#4 Orange Blossom

Posted 17 August 2006 - 12:50 AM

Only in this case, I get 3 tabs. I'm assuming the 4th, hacker identity, isn't applicable in this case. The hash and checksum numbers related to Windows Explorer I got off the tech. info page. Also I copied ZLDIR/zlclient.exe straight from the ZoneAlarm logs.

I checked the file path for zlclient.exe and it is in the ZoneAlarm folder. I'm wondering if the path shown in the log is a registry entry. Nope, it's not.

I really don't like Windows Explorer's behaviour on this, but at least ZA is blocking it.

> Over at CastleCops there is a list of MD5s. Check if explorer.exe is OK. Scan it with ZA and Spybot.

I'll check the explorer.exe with the JottiScan too. I hadn't thought of that. Could be explorer.exe got changed in some way.

JottiScan came out clean. I've also compared the MD5 JottiScan came up with to the number on the Tech page, and they match - so I did scan the correct file.

However, I don't find a matching MD5 anywhere at CastleCops, so I tried searching explorer.exe as a file name. I looked in the OS columns, but I don't see Windows XP there, so CastleCops apparently hasn't got the MD5 numbers for explorer.exe for Windows XP in their database yet.

I'm going to check out the ZoneAlarm Forums and see if I can get any answers there too. I just wish I knew exactly what Explorer is wanting ZoneAlarm to do and why. The information on the three tabs doesn't provide that information, nor do the logs - either in the ZA interface or in the NotePad versions. Most frustrating.

I'm also going to check explorer.exe on a new free program I just downloaded called ProgramChecker and see what it says. I'm in the process of installing it at this moment.

Orange Blossom :thumbsup:

#5 rowal5555

Posted 17 August 2006 - 01:02 AM

Just a thought Orange Blossom.

Start>Control Panel>Administrative Tools>Event Viewer. Does anything unusual show up here.

Cheers

rowal5555 (Rob)



#6 Orange Blossom

Posted 17 August 2006 - 01:51 AM

> Event Viewer. Does anything unusual show up here.


Nothing that I haven't seen since before having ZoneAlarm. I have an error with IPSEC services not being able to find all network interfaces, but I doubt that's related, in addition to which the times don't match. I have a couple of log-on errors that I get every time I start up as well, but again I don't think they're related.
-----------
I just checked explorer.exe with the file checker in the ProgramChecker program and the hash number I've got matches the legitimate file. I've gone ahead and used the submit detail option in ProgramChecker for that file, and I'll see if I get a response about whether the file has been compromised.

Is this happening because I don't have permissions set up right or is there something bad going on? I've read that explorer can sometimes be malicious - so...

Orange Blossom :thumbsup:

#7 tos226

Posted 17 August 2006 - 09:11 AM

Very long shot and, possibly, old info - a bug which infiltrated explorer. Zlclient and vsmon are mentioned in the below links - do some looking around and see if anything matches
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=50057
http://smartdefense.zonelabs.com/tmpl/body...72849?VId=47824
http://www.fortinet.com/VirusEncyclopedia/...y&fid=92895

I'd be scanning for trojans in safe mode at this point, with explorer not running (check tasks). Sorry if this is a false alarm.
Perhaps an expert has something simpler/better to offer.

#8 Orange Blossom

Posted 17 August 2006 - 01:25 PM

> http://www3.ca.com/securityadvisor/virusin...s.aspx?id=50057
> http://smartdefense.zonelabs.com/tmpl/body...72849?VId=47824
> http://www.fortinet.com/VirusEncyclopedia/...y&fid=92895


Thanks for the links :thumbsup:. I checked all three of these sites, and copied and pasted registry file paths into the find window of my registry editor, but these registry keys were not found - so I don't have those particular baddies.

I also uploaded the explorer.exe file to the FortiGuard scanners and the results were that explorer.exe appears to be clean. This confirms the JottiScan results and the ProgramChecker information I have received to date in addition to my own security scans.

I've already scanned the beastie in safe mode multiple times with various scanners, and while a keylogger, a worm, and a trojan were found, they have been successfully removed with assistance in HJT forum: scans now come out clean, and the attempted File Writes persist.

Orange Blossom :flowers:

#9 tos226

Posted 17 August 2006 - 07:32 PM

No clue.
Do you really have "ZLDIR/zlclient.exe"? Where is ZLDIR? What's there? It just sounds suspicious. If you copied from the log, it's either something spooky or, when you installed ZoneAlarm, perhaps you told it to go into a directory called ZLDIR (instead of the default), in which case nothing is wrong with that. I'm just trying to see where you are.

How about you quote one line from the log, and also do you have C:\Program Files\ZoneLabs\ZoneAlarm with 7 executables in that directory (if Suite). If not, what's your equivalent and is it where you installed it?

Can you define "filewrites"?

#10 Orange Blossom

Posted 17 August 2006 - 08:45 PM

> Do you really have "ZLDIR/zlclient.exe"? Where is ZLDIR?

Haven't the foggiest. I have done both a search and a registry search for it and didn't find ZLDIR.

> or when you installed ZoneAlarm, perhaps you told it to go into a directory called ZLDIR (instead of default)

Nope. Went to the default. Incidentally, when I do an online Panda Scan I get numerous attempted file writes to ZoneAlarm; there are a few different file paths shown. Examples:
WINSYSDIR\ZoneLabs\updclient.exe
WINDIR\Internet Logs\ZALog.txt
ZLDIR\expert.dll

I think perhaps ZLDIR is the program's way of specifying that the file in question is in the ZoneLabs folder as opposed to the Windows folder or the Windows system folder.

> How about you quote one line from the log

OSFW 2006/08/15 06:27:26 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe

> do you have C:\Program Files\ZoneLabs\ZoneAlarm with 7 executables in that directory (if Suite). If not, what's your equivalent and is it where you installed it?

Executables in main ZoneLabs folder: instmtdr.exe, multiscan.exe, zatutor.exe, zlclient.exe, zonealarm.exe, zauninst.exe (that makes 6)
In the mail frontier subfolder: AddinMon.exe, regsvr32.exe, UNWISE.EXE, mantispm.exe (that's four)
In the Repair subfolder: vsmon.exe which makes a total of 11 executables.

> Can you define "filewrites"?


File write: One program writing to the file of another program to change its behaviour.

Orange Blossom :thumbsup:
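The OSFW log line quoted above is the kind of record worth parsing rather than eyeballing, especially when the same write is attempted at every boot. The following is an added example, not code from the thread, from Zone Labs or from any tool named here: a small Python parser for lines in that layout that expands the ZLDIR/WINDIR/WINSYSDIR placeholders and flags FILE WRITE attempts into ZoneAlarm locations by anything other than ZoneAlarm's own binaries. The field layout is inferred from the single line in the thread; mapping WINSYSDIR to system32, the set of protected directories, and every sample line other than the quoted one are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder tokens ZoneAlarm's OS Firewall (OSFW) log uses instead of full
# paths. ZLDIR and WINDIR follow the install locations stated in the thread;
# mapping WINSYSDIR to system32 is an assumption.
PLACEHOLDERS = {
    "ZLDIR": r"C:\Program Files\Zone Labs\ZoneAlarm",
    "WINDIR": r"C:\WINDOWS",
    "WINSYSDIR": r"C:\WINDOWS\system32",
}

# Directories holding ZoneAlarm's own binaries (assumed from the thread).
ZONEALARM_DIRS = (
    r"C:\Program Files\Zone Labs",
    r"C:\WINDOWS\system32\ZoneLabs",
)
# Locations only ZoneAlarm components are expected to write to.
PROTECTED_DIRS = ZONEALARM_DIRS + (r"C:\WINDOWS\Internet Logs",)

# Field layout inferred from the one OSFW line quoted in the thread:
#   OSFW <date> <time> <tz> GMT <BLOCKED|ALLOWED> <program> <image> <OP> SRC <target>
# Program name and image path may contain spaces, so both are matched lazily
# and anchored on the all-caps operation token followed by the literal SRC.
_OSFW_RE = re.compile(
    r"^OSFW\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{1,2}:\d{2} GMT)\s+"
    r"(?P<action>BLOCKED|ALLOWED)\s+"
    r"(?P<program>.+?)\s+"
    r"(?P<image>[A-Za-z]:\\.+?)\s+"
    r"(?P<op>[A-Z]+(?: [A-Z]+)*)\s+SRC\s+"
    r"(?P<target>.+)$"
)


@dataclass
class OsfwEvent:
    timestamp: str
    action: str
    program: str
    image: str
    operation: str
    target: str  # placeholder token already expanded to a real path


def expand_placeholders(path: str) -> str:
    """Replace a leading ZLDIR/WINDIR/WINSYSDIR token with its directory."""
    head, sep, rest = path.partition("\\")
    real = PLACEHOLDERS.get(head.upper())
    return real + sep + rest if real else path


def parse_osfw_line(line: str) -> Optional[OsfwEvent]:
    """Parse one OSFW log line; returns None for lines in another format."""
    m = _OSFW_RE.match(line.strip())
    if not m:
        return None
    return OsfwEvent(m["ts"], m["action"], m["program"], m["image"],
                     m["op"], expand_placeholders(m["target"]))


def _under(path: str, directory: str) -> bool:
    """Case-insensitive 'path is directory or lies beneath it' (Windows paths)."""
    p, d = path.lower(), directory.lower().rstrip("\\")
    return p == d or p.startswith(d + "\\")


def is_suspicious(ev: OsfwEvent) -> bool:
    """A write into a ZoneAlarm location by something that is not ZoneAlarm."""
    if ev.operation != "FILE WRITE":
        return False
    if not any(_under(ev.target, d) for d in PROTECTED_DIRS):
        return False
    # ZoneAlarm's own client/updater writing its logs or binaries is expected.
    return not any(_under(ev.image, d) for d in ZONEALARM_DIRS)


def scan_log(text: str) -> List[OsfwEvent]:
    """Return the suspicious FILE WRITE events found in a ZALog-style dump."""
    hits = []
    for line in text.splitlines():
        ev = parse_osfw_line(line)
        if ev and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample: lines 1-2 are the entry quoted in the thread (it appears
# twice at startup); the remaining lines are made up for this example.
SAMPLE_LOG = r"""
OSFW 2006/08/15 06:27:26 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe
OSFW 2006/08/15 06:27:26 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe
OSFW 2006/08/15 06:30:02 -4:00 GMT ALLOWED ZoneAlarm Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe FILE WRITE SRC WINDIR\Internet Logs\ZALog.txt
OSFW 2006/08/15 06:31:10 -4:00 GMT BLOCKED Internet Explorer C:\Program Files\Internet Explorer\iexplore.exe FILE WRITE SRC WINSYSDIR\ZoneLabs\updclient.exe
OSFW 2006/08/15 06:31:11 -4:00 GMT ALLOWED Internet Explorer C:\Program Files\Internet Explorer\iexplore.exe FILE READ SRC ZLDIR\expert.dll
"""

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.action} {ev.image} -> {ev.target}")
```

Run as a script it prints the three suspicious writes: the two explorer.exe attempts on zlclient.exe and the Internet Explorer write to updclient.exe. The zlclient.exe write to its own log and the read of expert.dll are left alone. Note that the allowlist is by image path only, so a binary dropped into the Zone Labs folder would pass it; treat this as a triage filter and confirm the identity of any writing image by hash or signature.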

#11 tos226

Posted 17 August 2006 - 09:56 PM

> Haven't the foggiest. I have done both a search and a registry search for it and didn't find ZLDIR.

Do you have explorer's view set to show all hidden files and folders?

> Nope. Went to the default. Incidentally, when I do an online Panda Scan I get numerous attempted file writes to ZoneAlarm; there are a few different file paths shown. Examples:
> WINSYSDIR\ZoneLabs\updclient.exe
> WINDIR\Internet Logs\ZALog.txt
> ZLDIR\expert.dll
>
> I think perhaps ZLDIR is the program's way of specifying that the file in question is in the ZoneLabs folder as opposed to the Windows folder or the Windows system folder.

If you told me that Panda reports it that way, I'd be translating their abbreviations, but ...

> OSFW 2006/08/15 06:27:26 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe

Zlclient.exe just should not be there. It's gotta be hiding someplace. I don't know. It should say "Zone Alarm\"

> Executables in main ZoneLabs folder: instmtdr.exe, multiscan.exe, zatutor.exe, zlclient.exe, zonealarm.exe, zauninst.exe (that makes 6)
> In the mail frontier subfolder: AddinMon.exe, regsvr32.exe, UNWISE.EXE, mantispm.exe (that's four)
> In the Repair subfolder: vsmon.exe which makes a total of 11 executables.

I forgot subdirectories. In the Zone Alarm folder I have one more, imf_editor.exe, whatever that is. The rest matches your list and location.

> File write: One program writing to the file of another program to change its behaviour.

Ok. That's what I was guessing you meant.

Orange Blossom, I'm so sorry, but I'm not qualified to answer. All I can do is try and compare.

At this point your only recourse may have to be to contact tech support (hey, you've paid your dues), and just give 'em a link to this post. They know about BleepingComputer; one tech sent me here in the first place :thumbsup: two years ago. They answer within 24 hours if you hurry and do it before the weekend.
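Posts #4 through #11 do two things by hand: compare the MD5 of explorer.exe against a published value, and compare the list of executables in the ZoneAlarm folder between two machines. The following is an added example, not from the thread, from Zone Labs or from any scanner named here, that does both with a manifest in Python: it hashes every file under a directory, diffs a later manifest against the baseline (added, removed, modified), and checks one file against a known digest. The folder layout, file names and contents in demo() are constructed in a temporary directory for this example, and the "published" MD5 is simply the file's own pre-tamper digest standing in for a vendor value.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_known_hash(path: str, expected_hex: str, algorithm: str = "md5") -> bool:
    """The check done by hand in the thread: does the file's digest match a published one?

    MD5 still catches accidental corruption or crude tampering, but collisions
    are practical, so prefer SHA-256 for baselines you control yourself.
    """
    return hash_file(path, algorithm).lower() == expected_hex.strip().lower()


def build_manifest(root: str, algorithm: str = "sha256") -> Dict[str, str]:
    """Map every file under root (relative, Windows-style, lower-cased) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Windows paths are case-insensitive; normalise so renames by case
            # do not show up as add/remove pairs.
            rel = os.path.relpath(full, root).replace(os.sep, "\\").lower()
            manifest[rel] = hash_file(full, algorithm)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, disappeared, or changed content since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a fake ZoneAlarm folder, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    try:
        def write(rel: str, data: bytes) -> str:
            full = os.path.join(root, *rel.split("\\"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full

        # File names echo the thread; contents are made-up bytes.
        client = write("zlclient.exe", b"zlclient original bytes")
        write("zonealarm.exe", b"zonealarm bytes")
        write("Repair\\vsmon.exe", b"vsmon bytes")
        published_md5 = hash_file(client, "md5")  # stands in for a vendor-published hash
        baseline = build_manifest(root)

        write("zlclient.exe", b"zlclient PATCHED bytes")  # the write ZA blocked, had it succeeded
        write("imf_editor.exe", b"new binary")             # something not in the baseline
        os.remove(os.path.join(root, "zonealarm.exe"))     # something that vanished

        result: Dict[str, object] = dict(compare_manifests(baseline, build_manifest(root)))
        result["zlclient_md5_still_matches"] = verify_known_hash(client, published_md5)
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Take the baseline immediately after a clean install (or from a machine you trust) and keep it off the host; a manifest the intruder can rewrite proves nothing. The same routine answers the thread's other question directly: hash C:\WINDOWS\explorer.exe and compare it against a value you obtained from a trusted source, not from the machine under suspicion.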

#12 tos226

Posted 17 August 2006 - 10:50 PM

Can you run Panda in safe mode? When ZA is not running, and certainly when its A/V not running.

Edited by tos226, 17 August 2006 - 11:02 PM.


#13 Orange Blossom

Posted 17 August 2006 - 11:10 PM

> Do you have explorer's view set to show all hidden files and folders?

Yup.


> I think perhaps ZLDIR is the program's way of specifying that the file in question is in the ZoneLabs folder as opposed to the Windows folder or the Windows system folder.
>
> If you told me that Panda reports it that way, I'd be translating their abbreviations, but ...

It's not Panda doing the reporting - it's ZoneAlarm. Incidentally, when those filewrite attempts occur during Panda's Online Scanning, ZoneAlarm identifies it as Internet Explorer attempting the changes! However, since "IE" attempts this only during a Panda Scan so far, I'm thinking it's a program conflict between ZoneAlarm and Panda.

> OSFW 2006/08/15 06:27:26 -4:00 GMT BLOCKED Windows Explorer C:\WINDOWS\explorer.exe FILE WRITE SRC ZLDIR\zlclient.exe
>
> Zlclient.exe just should not be there. It's gotta be hiding someplace. I don't know. It should say "Zone Alarm\"


I still suspect that it's ZoneAlarm's abbreviation for its own folder location, as the program is remarkably consistent in reporting it this way.

> At this point your only recourse may have to be to contact tech support (hey, you've paid your dues), and just give 'em a link to this post. They know about BleepingComputer; one tech sent me here in the first place :thumbsup: two years ago. They answer within 24 hours if you hurry and do it before the weekend.


I've posted the problem on the ZoneAlarm Forum today, and I'll see what responses I'll get. I do know that this wasn't happening when I first got ZoneAlarm about a month ago.

Thanks for all the suggestions,

Orange Blossom :flowers:

#14 tos226

Posted 18 August 2006 - 09:46 AM

> Incidentally, when those filewrite attempts occur during Panda's Online Scanning, ZoneAlarm identifies it as Internet Explorer attempting the changes! However, since "IE" attempts this only during a Panda Scan so far, I'm thinking it's a program conflict between ZoneAlarm and Panda.

That's a given. That's why I keep saying run Panda in safe mode and/or shut off ZA's Antivirus for the duration of the scan. You should not have two things fighting for filelocks and things like that at the same time.

Having said that, I still think some malware has already modified/redirected something, due to that ZLDIR name. It should not be.

#15 Orange Blossom

Posted 18 August 2006 - 10:46 AM

ZoneAlarm's AntiVirus WAS shut off every time I did online virus scans. I shut it off just before the scanning starts. I left the firewall up and the spyware guard up. BitDefender didn't try those file writes, but Panda does.

Orange Blossom :thumbsup:



