I wonder if someone can help me. When I start my machine up I get a `Zone
alarm pop up security alert` Server Program saying
Generic Host Process for Win32 Servers is trying to act as a server
Identification: None
Application: sychost.exe
Source IP: 0.0.0.0.Port 135
If I do either, click on the button 'remember this setting', 'Allow' or 'Deny',
Zone Alarm then starts up and my machine works OK.
The trouble is it will still pop up next time I boot up, so it's getting to be
a pain. Any ideas how to stop this popping up every time?
Thanks
Ken
sychost.exe is a malicious process related to LEOX.B virus. It is a
dangerous threat to your system and therefore should be removed immediately
after detection.
http://www.2-spyware.com/remove-sychost-exe.html
http://www.google.com/search?hl=en&q=sychost.exe&btnG=Google+Search&aq=f&oq=
But you wrote "sychost.exe", that's not the same program.
--
Lars-Erik Østerud : http://www.osterud.name
As pointed out, look very carefully at the name of the process. It's got a
Y, not a V, in it. This is a fairly common trick used by malware authors,
to make you think that the process is legitimate.
You need to check that this isn't a typo.
HTH
-pk
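
The lookalike-name check described in the post above, as an added example that is not part of the original thread: it flags image names within two edits of a core Windows binary and system names running from the wrong directory. The allowlist, the `C:\WINDOWS` install path, the distance threshold and the sample paths are assumptions made for the illustration.

```python
import ntpath

# Core Windows binaries and the directory each normally runs from.
# Illustrative allowlist assumed for this example, not an exhaustive one.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def edit_distance(a, b):
    """Levenshtein distance, computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(image_path):
    """Return (verdict, matched_name) for a process image path or bare name."""
    directory, name = ntpath.split(image_path.lower())
    if name in SYSTEM_BINARIES:
        if not directory:
            return "name-only", name        # alert showed no path: go check it
        if directory == SYSTEM_BINARIES[name]:
            return "expected", name
        return "wrong-directory", name      # right name, wrong location
    for known in SYSTEM_BINARIES:
        if edit_distance(name, known) <= 2:
            return "lookalike", known       # e.g. sychost.exe vs svchost.exe
    return "unlisted", None

# Constructed sample input (not taken from the poster's machine).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\sychost.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\Program Files\Example\app.exe",
    "svchost.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{classify(path)[0]:16} {path}")
```

A "name-only" verdict matches what a firewall alert gives you: the name alone proves nothing until the full image path has been checked.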
>> Identification: None
>> Application: sychost.exe
>> Source IP: 0.0.0.0.Port 135
>>
> Can't help, but I'm having the exact same problem these past few weeks.
> Don't know why it started or how to solve it.
1. Uninstall/Remove ZA from your OS and DON'T re-install!
http://zonealarm.donhoover.net/uninstall.html
--or--
Revo Uninstaller
http://www.revouninstaller.com/
2. For the average home user, the Windows Firewall in XP does a fantastic job
at its core mission and is really all you need if you have a 'real-time'
anti-virus program, [another firewall on your router or] other edge
protection like SeconfigXP and practise Safe-Hex.
The windows firewall deals with inbound protection and therefore does not
give you a false sense of security. Best of all, it doesn't implement lots
of nonsense like pretending that outbound traffic needs to be monitored.
Activate and utilize the Win XP built-in Firewall; Uncheck *all* Programs
and Services under the Exception tab.
Windows XP: How to turn on your firewall.
http://www.microsoft.com/protect/computer/firewall/xp.mspx
Read through:
Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
Using Windows Firewall.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx
3. Click Start==>Run... then type (or copy/paste) inetcpl.cpl into the box,
click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...'button then place a checkmark into the box beside 'Also delete files
and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button. Done!
4. Download David H. Lipman's MULTI_AV.EXE directly:
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
--or--
http://212.98.39.7/ds/28400/28470/Multi_AV.exe
--or--
from URL:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your FireWall to allow it to download the needed AV vendor
related files.
When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.
Additional Instructions:
http://pcdid.com/Multi_AV.htm
NOTE: To use this utility, perform the following...
Execute; Multi_AV.exe {Note: You must use the default folder C:\AV-CLS}
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{or Double-click on 'Start Menu' in C:\AV-CLS}
Other quality Standalone Malware Scanners are:
Kaspersky® AVPTool
http://avptool.virusinfo.info/en/
Direct:
http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
--and--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and--
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Kaspersky® AVPTool, Dr.Web CureIt!® have no update feature (so they don't
turn into full blown scanners), thus they need to be re-downloaded every
time there's an update.
5. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29
NOTE: Registration is required in any of the above mentioned fora
before posting a HJT log and read the 'stickies'
(instructions/guidelines) for the respective HJT forum.
6. Flush your System Restore after doing these cleaning steps.
Do this:
Right click "My Computer" icon and select Properties from the drop down
list.
On the system Properties click on System Restore Tab and [check] the box
'Turn off System Restore on all drives'.
Click 'Apply' then click 'OK'
Reboot.
Right click "My Computer" icon and select Properties from the drop down
list.
On the system Properties click on System Restore Tab and [uncheck] the box
'Turn off System Restore on all drives'.
Note: ensure that under 'Available drives' the Status of Drive does show
'Monitoring'.
And then manually create a Restore point.
Go to:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
And scroll down to: Create a Restore Point.
7. Configure Windows by using:
Seconfig XP 1.1
http://seconfig.sytes.net/
8. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
Good luck :)
[...]
The OP has a Trojan and you're telling him to remove the software that
detected it?
Outstanding.
According to the hype, ZA is supposed to prevent the installation of
malware. The OP's OS is compromised. Implementing my suggestions will
remove this Trojan and keep malware out of his OS.
> Outstanding.
Yes, I know.
I'm no fan of ZA but I have never heard that its basic firewall is
supposed to prevent the installation of malware. Where have you seen ZA
advertise or state that its basic firewall prevents the installation of
malware?
John
Kayman wrote:
You may want to see what that free version actually does.
http://www.zonealarm.com/store/content/catalog/products/znalm/comparison.jsp
Standard FREE ZoneAlarm is just a firewall.
It will not prevent anything from installing and/or running.
It WILL however prevent it from accessing the network.
So I'd say it (this time) did exactly what it should.
With an AV software installed he probably wouldn't have
the spyware/malware installed in the first place though.
"Kayman <kaymanDe...@operamail.com>" wrote
Some background: I am the real Leonard Grey. The rude post copied below
was not created by me. It was created by a disturbed individual named
Murphy.
Murphy is a very angry person, and he is apparently suffering side
effects from taking Rimonabant (brand name: Zimulti, produced by
Sanofi-Aventis). Rimonabant is an anti-obesity drug that has been
documented by the United States FDA to cause severe depression.
Murphy's game is to try to impersonate people in these newsgroups, and
then make rude and even revolting posts in their names. He's done it to
nass, he's done it to me, and to others. Unfortunately, there's nothing
anyone can do about it, AFAIK.
It's not hard to tell the difference between posts made by me - the real
me - and Murphy's impersonation.
I do not normally post to this newsgroup, and I won't post to this
thread again, so any other posts in this thread that have my name on
them are coming from Murphy.
To the OP and all others who have genuinely tried to help: I'm sorry
this mess has gotten in the way of your getting the answer you need.
---
Leonard Grey
Errare Humanum Est
In my newsreader the posts authored by KW and TM do not indicate specifics
of ZA.
The hype created by ZA is real ("Blocks malicious program attacks including
rootkits"), just Google it.
Be that as it may, the real issue and the crux of the matter is the
removal/prevention of malware; the suggestions offered are appropriate and,
if followed, will correct this.
So, that leaves us with the original question that remains unanswered
(except for the somewhat unhelpful "...remove ZoneAlarm and stick with
Windows firewall...", which, while I appreciate and respect the intent
of, is not what the OP and I are asking about as a possible solution for
the stated problem).
It wouldn't be surprising that you would find that in your Google
search. If you don't already know it, Zone Alarm is also in the
Anti-Virus/Anti-spyware market, so it wouldn't be out of the ordinary for
anyone in that market to have products capable of blocking those pests
and to advertise it. It is no more of a hype than what the other
competing companies in that market also claim and advertise about their
products. The OP talks about firewall outbound connection attempts; you
have no way of knowing if he is using the free basic firewall or the pay
for security suite, therefore you have no way of knowing if his ZA
product should have prevented the installation of malware.
John
Then you haven't read my post in its entirety!
Ken Walsh <k...@nospam.co.uk> wrote on 16-Oct-08 6:46:38 PM in
comp.security.firewalls
[quote]
Sorry, my mistake. I went and checked again after reading the replies and
like an idiot I am (blind as a bat as well)
yes, you're right, it is SVCHOST.EXE and not sychost.exe
[unquote]
It would've been nice if you'd advised this group here as well!
Rick
Fargo, ND
N 46°53'251"
W 096°48'279"
Remember the USS Liberty
http://www.ussliberty.org/
It wouldn't be surprising that a certain John John (MVP) didn't find in his
search the ZA firewall which "blocks malicious malware attacks". LOL!
To reiterate, I do call their claim to be nothing but a sensational
promotion because it (obviously) ain't working!
> The OP talks about firewall outbound connection attempts,
The OP talks about a malware infection! "sychost.exe is a malicious process
related to LEOX.B virus. It is a dangerous threat to your system and
therefore should be removed immediately".
> you have no way of knowing if he is using the free basic firewall or the
> pay for security suite,
I know that according to his post, his OS is compromised by malware and
he's using a snake oil application for whatever security purpose.
Nobody except you is referring to suites. Nice try to redirect content
of a posting! What's next? More innuendo and selective snipping of posts to
suit your meaningless (scoring or whatever) purpose?
Save your efforts - EOD :-)
> therefore you have no way of knowing if his ZA
> product should have prevented the installation of malware.
Irrelevant! Remedy is what's needed. Read my previous post in its entirety
and learn to comprehend.
BTW, what is your recommendation to tackle sychost.exe; WLOC?
OK. I read it all, but am confused as to what all of those steps are
supposed to accomplish. Looks to me that they are predicated on the
assumption that I want to remove ZA from my system (I don't) and that I
have the malware version of the svchost.exe file (or some other malware
file that needs to be removed), and I don't.
It's entirely possible that I am not understanding what you posted, but
if it was a solution to the OP's (and my) ZA popup problem (to be clear;
ZA not remembering that I selected it to remember to allow the Generic
Host Process for the svchost.exe file to access the internet) and not
involving removal of the ZA program or some malware file that I don't
have, then it's still not the solution I'm looking for.
Kayman wrote:
Now you are trying to change your previous statement which was:
"According to the hype, ZA is supposed to prevent the installation of
malware."
It doesn't surprise me that you would now try to change the
discussion to weasel out of your previous incorrect statement.
John
"Kayman" <kaymanDe...@operamail.com> wrote in message
news:%23qGLGzE...@TK2MSFTNGP04.phx.gbl...
Yes, you're right, but I was only online for seconds when I sent the post back
to that group and had not had a chance
to do the same to this one (sorry), but you're quite right, it was a cock up by
me. Sorry, my mistake. I went
and checked again after reading the replies and like an idiot I am (blind as
a bat as well ;-)
yes, you're right, it is SVCHOST.EXE and not sychost.exe
but the same question is valid: why do I keep getting it??
Read through here:
http://support.microsoft.com/kb/314056
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
http://www.download.com/8301-2007_4-9865052-12.html
Download Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
In any case, you won't harm your operating system if you go through the steps as
suggested in my response to TMitchel.
Re: Zone Alarm popup Kayman <kaymanDe...@operamail.com> 16-Oct-08
7:43:22 AM
Good luck :)