a question about an infuriating problem
This topic is archived.
 
dweller, Fri Dec-09-05 08:55 PM
Original message
a question about an infuriating problem
I guess a bit of background is in order: about a month or two ago, I decided to upgrade several programs (Spybot, Ad-Aware, ZoneAlarm), and I also think I was trying to grab an Adobe Acrobat version upgrade. Everything worked fine but the Adobe, and it recommended a Win2K upgrade that I *think* I started, but killed due to time limitations.
So, afterward, checking my ZoneAlarm log (which I do sporadically to see what's happening in there), I noticed a constant hit from an ISP IP number that is running through every port on my computer, and then starting over again. Every attempt it makes is blocked by ZA, but it happens immediately every time I connect to my ISP. It runs through every port, then starts over again. If I disconnect and reconnect, it picks up where it left off and continues.

So immediately I suspected the ZA upgrade, and joined the forum there to inquire about it... no helpful answer; they are stymied as to why. I even uninstalled the ZA software and went back to the earlier version. The port pinging still continues.
Along the way, when I connected to my ISP, sometimes I would get a message from another firewall I installed (Sygate) that ZA was trying to connect to the IP that was running through my ports, and did I want to allow the connection? I just click 'No' and the activity continues, which led me to believe it was the upgrade causing the problem. So that made me suspect the ZA upgrade.

Now I'm beginning to suspect it is the Win2K upgrade I started, but I have no idea how to check whether it is. Here's the conundrum: the activity is being instigated by my computer, or at least that is what the Sygate message tells me. My computer is trying to contact the IP, and it's then running through my ports over and over.
At one time, the IP number changed to another (I have run them both through whois, and don't really learn much: Qwest was the first one, it changed to Computer Comfort for a day, and then back to Qwest), and since every attempt on my ports is blocked by ZA, I guess I shouldn't worry, but ...

So, my question at this point is: how do I find out what *on my computer* is trying to establish contact so I can cut this off? All I know is that the TrueVector service (part of ZA) is trying to connect with the remote IP that is running through each port on my computer, and getting blocked.

But i would like it to stop. Any advice would be appreciated.
Hopefully this makes sense ...
tia
dp

ps. thanks again to the anonymous donor who granted me a star during this holiday season of giving, allowing me to post again in this forum ... :)
bemildred, Sat Dec-10-05 10:05 AM
Response to Original message
1. Remove ZA and all of its parts?
I vaguely remember this sort of thing from back when I was running ZA. I ran the un-enhanced version, not the one you pay for. I had to turn off a lot of ZA's "features" and spend some time configuring it to make it useful and not annoying. I wound up using it as a monitor for when new programs would try to do stuff on the web, which was nice, and as a firewall, for the IP filters. But it's been a while now, so I can't remember any details. I definitely do remember turning off the "True Vector" stuff. It was run at startup and I got rid of it by turning it off with msconfig (W98SE), but that would cause issues at odd times too, because ZA seems to install itself in kernel space, and sometimes notices that you have turned off True Vector and assumes you have been compromised.

Eventually I got a DSL modem with a firewall, which resulted in zero port scans or much of anything else getting through, so I dispensed with ZA as an unnecessary annoyance. To be honest, the ability to monitor when something on my box tries to do something new would be nice, but not nice enough to put up with ZA.
 
dweller, Sat Dec-10-05 01:55 PM
Response to Reply #1
2. I guess that's one option
I run the free version too. The thing is, this started with some upgrade to one of the programs, and I'd like to determine which one it is and deal with it only.
ZA allows me to see the IP address of what is coming at me, whereas Sygate does not, and I uninstalled everything I could find dealing with ZA before I downgraded to the previous version, which did not cause the problem, but the problem still exists.

So, I guess my question should be: how do I find out what is trying to establish contact with that IP address? I am assuming it's the ZA TrueVector service, but would like to be absolutely sure, if possible, instead of uninstalling ZA and then not being able to see the activity, since ZA is where I monitor that it is still happening.

thanks for your input.
dp
 
bemildred, Sat Dec-10-05 02:17 PM
Response to Reply #2
3. I wish I could be more helpful
I would not have commented at all if someone more knowledgeable had chipped in.
If you give me the source dotted-quad IP address I can run a reverse DNS lookup on it and try whois, which might tell us something.
 
dweller, Sat Dec-10-05 02:34 PM
Response to Reply #3
4. I checked them
One was Qwest, coming from Colorado, and for one full day it changed to Computer Comfort in Penn., I think. Someone told me to complain to the ISP hosting the address, but since it appears to be initiated by my computer, it doesn't seem like a complaint will do much.

You are being helpful, since you are mostly seconding what I'm considering doing. I want to keep a firewall up, though, and so am trying to figure out any other options before I zap ZA.

thanks
dp

Here's the IP address du jour: 205.171.3.65:53 and 205.171.2.65:53, which it usually is. The one from Comp. Comfort was just one day, same activity (and I don't remember the IP).
 
bemildred, Sat Dec-10-05 03:03 PM
Response to Reply #4
5. Those do seem to be "qwest.net".
Edited on Sat Dec-10-05 03:06 PM by bemildred
Port #53 is the conventional port for DNS servers, and the reverse DNS lookup says that's what they are, qwest.net name servers:

65.2.171.205.in-addr.arpa name = resolver2.qwest.net.
65.3.171.205.in-addr.arpa name = resolver1.qwest.net.

So it would appear that the traffic that is concerning you is name server traffic, i.e. something on your machine is accessing the Qwest name servers, presumably to do a lookup. That in itself would be normal. What would cause the port scanning behavior you describe in response, I don't know; there may be something else going on. It is true that modern DNS servers will try to set up a connection on some other random port, so that might be relevant. You might look into what the ZA settings have to say about DNS traffic.

Edit: one possible solution would be to tell ZA to allow those machines access, in some form, to see what happens when you let them do what they are trying to do.

Edit2: It makes sense that something named "True Vector" would be doing DNS lookups.
 
dweller, Sat Dec-10-05 06:30 PM
Response to Reply #5
6. You don't have ZA installed now,
I take it?

Perhaps someone who does will check in here. I'm looking for an option to add that IP to a 'blocked' status, and not finding it. I can add it to the 'trusted' zone, but will not yet.

dp
 
bemildred, Sat Dec-10-05 07:33 PM
Response to Reply #6
7. No, 'fraid not. nt
 
dweller, Sun Dec-11-05 11:26 AM
Response to Reply #7
8. I'm going to PM you some additional info
Hope that's okay.
See if you can make any sense of it.

thanks.
dp
 
bemildred, Sun Dec-11-05 03:41 PM
Response to Reply #8
9. PM'd you on that.
I still don't understand a few things, so you can think about them:

Is the initial DNS query getting to the DNS server, or is the DNS server just sitting there probing your machine all the time? The former seems more likely to me.

Is the probing coming from a different address than one of the DNS servers? From Zonelabs? Or something else? If the answer is something else, you may have someone scanning your ports looking for a vulnerability (which is sort of normal).

What is the probing about? My initial guess is it's trying to open a TCP connection or send back a response, but I can't really tell from what I know.
 
dweller, Sun Dec-11-05 04:48 PM
Response to Reply #9
10. From what I can tell
Edited on Sun Dec-11-05 04:50 PM by dweller
TrueVector wants to initiate UDP to remote port 53 of that IP (or whichever IP is showing) that is probing my ports all of the time, one after another in series (about every 30 seconds), and when it runs through a certain few hundred, it starts over again.

I sent the same info to the Zonelabs forum, and they were clueless.
I also checked with my ISP, and they said it was not happening from their side.

I don't know what the probing is about, only that it's being blocked continuously by ZA.

I suspected someone scanning my ports, but then, after I upgraded (something), the message about TrueVector wanting to contact the same IP started coming up, so I recognized the IP number and started checking to see what was going on.

This behavior was not happening before the upgrades, because I check my ZA logs fairly regularly to see what has been going on ... not that I understood it, but when I saw the constant probing it jumped out at me, since it's happening so much.

Basically, I've been observing it for a month or more now. It seems like a waste of energy/bandwidth/activity going on between my computer and another, so I was looking for a way to make it stop.

I've run checks for trojans, spyware, viruses, etc. Nothing found.

:shrug: I'm stumped.
dp
 
bemildred, Sun Dec-11-05 05:17 PM
Response to Reply #10
11. Well it's sending a DNS query, and the server is trying to respond
with the answer. If you want it to stop, you have to tell it not to send the DNS query (not to call home).
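Replies 9 through 11 boil down to one check: inbound packets whose source port is 53 and whose destination hops through your own high-numbered local ports are answers to DNS queries your machine sent, not a sweep of your services. The script below is an added example, not code from any poster, from ZoneAlarm or from Sygate; it runs that check over constructed firewall-log lines (the comma-separated field order is an assumption, not a documented export format) and also builds the in-addr.arpa name bemildred used for the reverse lookup.

```python
"""Tell blocked DNS replies apart from a genuine inbound port sweep.

Added example for this thread, not code from any post. The log lines are
constructed; the "FWIN,date,time,remote ip:port,local ip:port,proto" field
order is an assumption, so adjust parse_line() for a real firewall's export.
"""
from collections import defaultdict
from dataclasses import dataclass

DNS_PORT = 53
EPHEMERAL_MIN = 1024  # assumption: treat 1024 and above as client-side ports

# Constructed sample of the pattern the thread describes: every remote "probe"
# comes FROM port 53 and lands on a different, climbing local port.
DNS_REPLY_LOG = """\
FWIN,2005/12/10,14:02:11,205.171.3.65:53,192.168.1.100:1034,UDP
FWIN,2005/12/10,14:02:41,205.171.3.65:53,192.168.1.100:1035,UDP
FWIN,2005/12/10,14:03:12,205.171.3.65:53,192.168.1.100:1036,UDP
FWIN,2005/12/10,14:03:42,205.171.2.65:53,192.168.1.100:1037,UDP
FWIN,2005/12/10,14:04:13,205.171.2.65:53,192.168.1.100:1038,UDP
"""

# Constructed sample of a real sweep: the remote source port varies, and the
# local ports hit are low service ports rather than ephemeral ones.
PORT_SWEEP_LOG = """\
FWIN,2005/12/10,14:02:11,198.51.100.7:40311,192.168.1.100:21,TCP
FWIN,2005/12/10,14:02:11,198.51.100.7:40312,192.168.1.100:22,TCP
FWIN,2005/12/10,14:02:12,198.51.100.7:40313,192.168.1.100:23,TCP
FWIN,2005/12/10,14:02:12,198.51.100.7:40314,192.168.1.100:25,TCP
FWIN,2005/12/10,14:02:13,198.51.100.7:40315,192.168.1.100:80,TCP
"""


@dataclass
class Event:
    remote_ip: str
    remote_port: int
    local_port: int
    proto: str


def parse_line(line):
    """Parse one constructed log line; return None for non-inbound lines."""
    line = line.strip()
    if not line:
        return None
    direction, _date, _time, remote, local, proto = line.split(",")
    if direction != "FWIN":
        return None  # only blocked inbound packets matter for this check
    rip, rport = remote.rsplit(":", 1)
    _lip, lport = local.rsplit(":", 1)
    return Event(rip, int(rport), int(lport), proto)


def classify(log_text):
    """Return {remote_ip: verdict} for every remote host in the log."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_host[ev.remote_ip].append(ev)

    verdicts = {}
    for ip, evs in by_host.items():
        # All packets are UDP from port 53: a resolver answering something.
        all_dns = all(e.proto == "UDP" and e.remote_port == DNS_PORT for e in evs)
        # All land on ephemeral ports: the ports a client picks for its queries.
        all_ephemeral = all(e.local_port >= EPHEMERAL_MIN for e in evs)
        if all_dns and all_ephemeral:
            verdicts[ip] = "dns-replies"  # answers to queries this machine sent
        elif any(e.local_port < EPHEMERAL_MIN for e in evs):
            verdicts[ip] = "port-sweep"   # someone knocking on service ports
        else:
            verdicts[ip] = "unknown"
    return verdicts


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address, e.g. 65.3.171.205.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


if __name__ == "__main__":
    for label, log in (("dns", DNS_REPLY_LOG), ("sweep", PORT_SWEEP_LOG)):
        for ip, verdict in classify(log).items():
            print(f"{label}: {ip} ({ptr_name(ip)}) -> {verdict}")
```

The remaining caveat is that a source port of 53 proves nothing on its own, since anyone can send from that port. The stronger confirmation is the one dweller already has: an outbound UDP packet to that address's port 53 (the Sygate prompt about TrueVector) a moment before each blocked inbound packet. If the outbound query stops and the inbound "probes" stop with it, the firewall was logging replies to its own lookups.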
 
dweller, Sun Dec-11-05 06:33 PM
Response to Reply #11
12. lol, I know!
Edited on Sun Dec-11-05 06:43 PM by dweller
I'm just trying to find out how to tell it :)
Short of killing ZA, since it's in ZA that I know this activity is even happening (the other firewall doesn't give me the same info, IP, etc.).

In the message I'm getting from Sygate about the contact in ZA, I keep clicking NO, no contact. I have stopped the contact with the second program, but am not able to find out where or how to stop it in ZA.

My contact with the ZA forums said it should not be happening due to ZA, and I'm concerned some other program is using TrueVector(?) to send the query.
Another weird incident: an option in the log is to select the traffic/IP and click 'more info'. In the past, it would go to a ZA page with a generic answer, but now it goes to some other Netscape page with some info about Microsoft upgrades. Here's the address it always takes me to:
http://keyword.netscape.com/ns/search?query=w+ZLN31711723326433-1013%2C%2C%2C%2CWindows+2000-5.0.2195--SP%2C5.5.062.011%2CExtBlockAll2%2Cj5hvqhisiu3s4he7bhx644bu4g0%2C2%2C%2CHOME&st=webresults&fromPage=NSCPResultsT&x=17&y=11

So, I am not completely sure it's related to ZA, or if it was from starting and killing a Windows upgrade for Win2K.

If I kill ZA, this contact may not be blocked; I wouldn't know one way or the other if it was still going on, etc.

Like I said initially, it's a bit infuriating, to me at least.

dp

edit: yes, I am a bit paranoid about Microsoft connecting to my computer ...