seacue

My ZoneAlarm (free) is working overtime blocking things.

I'm using a dialup connection.

It is blocking 2 or 3 items per minute trying to access ports 445 or 135, and many of these requests originate at my own ISP.

There are additional items from elsewhere that ZoneAlarm thinks are port scans.

When I disconnect, DLLs on my machine try to send two messages to black holes or .....

I'm surprised at all this busy-work which ZoneAlarm is faced with..

Ideas?

SC

timmcat

Hi Seacue. .

To start with, I would suggest installation and scanning with Spybot . There is a lot of advice in the sticky's in this forum with regard to nasties which might just be lurking on your system. A good online virus scan might also be good housekeeping before looking any further.

Eboy

I think that is good advice.

If you have further concerns, I suggest browsing the Forum section of company's support area, and posting a question if your answer is not found. I have had quick responses from several volunteer gurus.

http://www.zonelabs.com/store/conten..._agreement.jsp

seacue

I forgot to mention that I have Spybot S&D, NortonAV, Panix PopUp Stopper and PopFile installed.

Spybot found just one AvenueA cookie.

Offhand, I don't see how spyware would cause my ISP to keep looking at ports 445 and 135/7/9.

Thanks for comments.

SC

Bre901

Not directly related, but my ADSL router has been getting a lot of probes to ports 12033 & 12037 (15-20/min), from different places since 18:00 UTC.

Nothing to worry about, I guess, but out of sheer curiosity, does anyone know what service it is ? TIA
(Google didn't bring anything useful).

CamelPilot

I suggest that you go to www.grc.com where you can get a few tests done on your machine. "Shields UP" is a great way to see if you have ports open and it will close them too. The site is used by some of the biggest names in IT.

Bre901

CamelPilot

Thanks, I've been there already, my router works as a firewall and all ports are shut and locked.

As already mentionned, it was just a matter of curiosity, I was just wondering if it was some kind of worm attack or some peer-to-peer stuff, inherited from the previous owner of the IP address (My ISP changes addresses quite often).
As it's gone today, I'd go for the peer-to-peer hypothesis.

seacue

I, too, just tried the grc test again. My machine is fully locked down and stealthed. At least the probes to ports 135 and 139 were explained by grc .... but not why my ISP would try to access them.

SC

Blacksheep

Blackice does the same on my PC - a never ending storm of probes scanning odd ports. They seem to be random searches for http servers and back door programs together with attempts to either place the Slammer Worm onto my machine or find out if its already there.

I lost touch with the kind gentleman on this Forum who fixed CoolWebSearch for me, but thats a bitch of an infection if you ever get it. Firewalls don't block CoolWebSearch because it comes in directly from the web page, buried in the script. To keep it out You have to keep your IE6 browser updated as well as doing regular scans for any existing infection that may have sneaked in between updates. I don't know if other browsers can keep it out.