-
January 6th, 2006, 03:20 PM
#1
Oh the shame....
I am fairly careful with my system. I have anti-virus software and keep it up-to-date. I scan regularly with a variety of anti-spyware programs.
But but but ...... I began to suspect that something was not right with my machine -- weird little things, mild instability. For example, DNS Stuff accused me of having some prefetching software installed and wouldn't let me into the site unless I clicked the reload button several times. There was no prefetching software. The list of weird little things is way too long.......
Nothing showed up in any scans, so I downloaded Linksys's log viewer so that I could watch activity on my router.
I began to notice a pattern. Every time IE or Firefox was started up there would be a connection to an IP address in the 209.249.114.14 to 209.249.114.150 range. Sometimes they would be resolved to names, these including images.amazon.com, pages.ebay.ca, www.ebay.ca, etc. All of these addresses ultimately resolve to Akamai.com. There were also entries for this IP range in the router logs at night when my computer was not being used, these happening every few hours or so. Whatever the source, it was something that ZoneAlarm was allowing out.
Anyway ... after trying a variety of things to track down the source of this traffic, including port monitoring with ActivePorts (not successful), I went to good old Trend Micro's House Call. And it picked off an instance of unvise32.exe, which it labeled Trak_SE.77236.
The unusual port traffic is now gone, for the moment anyway.
Looking through the registry for remnants of this infection, I find traces in the uninstall settings in the following keys:
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Ports
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hollywood FX 4.6
3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pinnacle Hollywood FX Pack - ATI FX
This is not a smoking gun, however. Unvise32.exe is MindVision's uninstaller. It is possible that it was coopted by some unknown third party. But it does seem to me that "the weird little things" started after I installed ATI's OEM Pinnacle software -- not conclusive though. ActivePorts was not installed until after the problem started, so I think SmartLine is off the hook here.
Anyway, there was infrequent traffic to one more IP address: 207.172.128.222. I can find out little about this address except that it is in Baltimore, that it is residential dynamic or dynamic/static, that it belongs to the RCN Corporation, and that they have got themselves on SORBS' and NJABL's bad boy lists.
Oh the shame......
Last edited by houseisland; January 6th, 2006 at 03:25 PM.
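One way to do the log-pattern search this post describes (hits in the 209.249.114.14 to 209.249.114.150 range, and which of them happen while the machine is unattended), added here as an example and not code from the original thread; the log line format and the idle-hours window are assumptions:

```python
# Added example (not from the thread): scan router log lines for outbound
# connections to the suspect range, and flag those made during idle hours.
# The log format below is constructed; the real Linksys viewer format differs.
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Range named in the thread: 209.249.114.14 to 209.249.114.150 (inclusive)
RANGE_START = ip_address("209.249.114.14")
RANGE_END = ip_address("209.249.114.150")
IDLE_HOURS = range(0, 6)  # assumption: machine is unattended 00:00-05:59

# Constructed sample lines: "<date> <time> OUT <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2006-01-05 09:12:03 OUT 192.168.1.100:1043 -> 209.249.114.20:80
2006-01-05 09:12:05 OUT 192.168.1.100:1044 -> 72.14.207.99:80
2006-01-05 14:30:11 OUT 192.168.1.100:1102 -> 209.249.114.88:80
2006-01-06 02:47:40 OUT 192.168.1.100:1201 -> 209.249.114.20:80
2006-01-06 04:50:19 OUT 192.168.1.100:1215 -> 209.249.114.151:80
"""

def parse_line(line):
    """Return (timestamp, dst_ip) for one line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "OUT" or parts[4] != "->":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, ip_address(parts[5].rsplit(":", 1)[0])

def in_suspect_range(ip):
    """True if ip (str or address object) lies inside the watched range."""
    return RANGE_START <= ip_address(str(ip)) <= RANGE_END

def analyse(log_text):
    """Count hits per suspect destination; list hits that fall in idle hours."""
    hits, idle_hits = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not in_suspect_range(parsed[1]):
            continue
        ts, dst = parsed
        hits[str(dst)] += 1
        if ts.hour in IDLE_HOURS:
            idle_hits.append((ts.isoformat(sep=" "), str(dst)))
    return hits, idle_hits

if __name__ == "__main__":
    counts, idle = analyse(SAMPLE_LOG)
    print(dict(counts), idle)
```

Repeated idle-hour hits to the same destination are the pattern worth correlating with Port Explorer or a similar per-process monitor to find the owning process.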
-
January 6th, 2006, 06:15 PM
#2
Registered User
If you haven't yet, download ewido and run it
http://www.ewido.net/en/
-
January 6th, 2006, 06:22 PM
#3
Love Ewido, but neither the program nor their online scanner found anything.
I have found this great program: http://www.diamondcs.com.au/portexplorer/ And with it, I have discovered that ZoneAlarm's vsmon.exe also initiates traffic with Akamai.com. So some of the previous traffic was probably due to this process. The frequency of contact with Akamai.com is now reduced to almost nothing, so there was more happening than just this. I have Port Explorer spying on vsmon.exe now. We shall see what packets it captures on vsmon.exe's next contact with Akamai.com and what, if anything, can be learned from them.
More later.
-
January 6th, 2006, 07:50 PM
#4
Well, vsmon.exe connects every so often to:
hs2.zonelabs.com at 208.185.174.66
and to
pa2.zonelabs.com at 209.249.114.20 which also resolves to 209.249.114.20.akamai.com
The nature of the traffic appears to be similar. So Akamai is probably hosting some Zonelabs mirror for regional service/load balancing. Outbound traffic appears to be some sort of get command. Inbound traffic appears to be some sort of content code with an expiry date.
What it all means I know not. Nothing sinister? But then there are the perennial questions that flood net forums every so often:
"What exactly is vsmon.exe doing?"
"Is ZoneAlarm spyware?"
-
January 7th, 2006, 05:33 AM
#5
Geezer
 Originally Posted by houseisland
What it all means I know not.
Me neither ! .. but I will say something that'll maybe help in future & that's that a software firewall is your friend, if you ain't so sure what really must & mustn't be allowed in & out of your system .. lots of stuff natively 'phones home' as at some point you either told it it could (you inadvertently agreed by not reading the EULA completely), or it's busy checking for updates or sending traffic/success stats back to HQ (some stuff doesn't even get you to agree!) - almost exactly like spyware & honestly imho stuff like this IS !
You need to take your s/w firewall off automatic (read 'dummy' ) mode, & prepare yourself for the pain of putting up with it in advanced mode & with all connections set on 'ask' until you figure out just exactly what rules you need for what on your system ..
btw tracking cookies might've caused your original paranoia
-
January 7th, 2006, 03:27 PM
#6
 Originally Posted by confus-ed
Me neither ! .. but I will say something that'll maybe help in future & that's that a software firewall is your friend, if you ain't so sure what really must & mustn't be allowed in & out of your system .. lots of stuff natively 'phones home' as at some point you either told it it could (you inadvertently agreed by not reading the EULA completely), or it's busy checking for updates or sending traffic/success stats back to HQ (some stuff doesn't even get you to agree!) - almost exactly like spyware & honestly imho stuff like this IS !
You need to take your s/w firewall off automatic (read 'dummy'  ) mode, & prepare yourself for the pain of putting up with it in advanced mode & with all connections set on 'ask' until you figure out just exactly what rules you need for what on your system ..
btw tracking cookies might've caused your original paranoia
No tracking cookies. They were cleaned out manually. Spybot, AdAware, Ewido, Spyware Dr. etc. gave the system a clean bill of health.
I have worked with 8Signs and CheckPoint s/w firewalls and am aware of the complexities of setup. ZoneAlarm seems adequate for my personal use, and it is very affordable. The others are not affordable for legal personal use.
Since House Call removed Unvise32.exe (Trak_SE.77236), a piece of Greyware/Spyware, the nature and frequency of outbound traffic has changed. What I was seeing earlier was a mix of traffic, ZoneAlarm's (probably) legitimate traffic with the Trak_SE.77236 traffic. It is probably a coincidence that both sets of traffic were to Akamai.com. Akamai is not a spyware company, but they provide services for companies that may or may not participate in spyware data gathering. Most interestingly, my optical drives no longer spin up if there is a disk in them when IE or Firefox starts up.
I suspect that you are right about not reading EULAs carefully. I found the OEM software bundle for my ATI All-in-Wonder the other day and installed it. And of course...... ... I did not take the time to read the EULAs for the Pinnacle apps. I suspect that this is source of the problem -- my installing and my not reading.
My embarrassment here is that I spend so much time cleaning spyware crap out of other people's systems and here I am with it on my own personal machine.
Last edited by houseisland; January 7th, 2006 at 03:44 PM.
-
January 8th, 2006, 04:19 AM
#7
Geezer
Last edited by confus-ed; January 8th, 2006 at 04:25 AM.
-
January 8th, 2006, 01:38 PM
#8
 Originally Posted by confus-ed
He-he-he 'doing you down' there a bit was I ?
I don't think so. And even if you were, I wouldn't ask you to change. I am usually amused, sometimes even delighted, by the cantankerous persona you often present here.
Last edited by houseisland; January 8th, 2006 at 01:40 PM.