A client called this morning saying "I clicked on a security alert and now I can't get on the internet..." Of course, my spideysense said "Ah! Classic Malware!"
However, when I got on-site, there was no malware on the machine.
A quick glance over the Autoruns turned up nothing out of the ordinary, MalwareBytes turned up nothing, doing a netsh winsock reset did nothing to improve the situation... not feeling like standard malware... was this thing rootkitted?
But then I noticed there was an odd entry in his start menu called "ZoneAlarm!12dc_532f!erased" which had a broken link to a "ZoneAlarm Security Tutorial"
The client does use ZoneAlarm, and prior issues with his machine had been traced back to ZA -- most notably when a Microsoft DNS patch befuddled the firewall, forcing it to block all DNS traffic -- so I didn't rule ZA out of the equation.
Searching all the files on his machine which were created in the past 24 hours, turned up a file in c:\windows\internet logs called fwpktlog.txt (FireWall PacKeT LOG anyone? And why are we still limiting ourselves to 8.3 naming? Does anything other than our own laziness still rely on that?)
In this file was a whole bunch of lines denying packets from the local machine to Internet addresses. I could still access machines on the local network, but nothing outside.
What created that packet filter file?
I looked in the services list and there was nothing for ZoneAlarm in there, but there was a entry for ForceField (ZA's browser security program) and it was running. Stopping the service and setting it to disabled did nothing.
Open the pod bay doors, Hal!
I'm afraid I can't do that, Dave.
Also, among the recently created files, I found an installer_02251175403.log file, also in the c:\windows\internet logs folder. Opening it up, it pointed me to a temp folder it had created: C:\DOCUME~1\Steve\LOCALS~1\Temp\02251175403 within which was a bunch of files including an executable called cpes_clean.exe which is listed as "Check Point Endpoint Security Cleaner" from "Check Point Software Technologies LTD" in the file properties.
Going for broke, I ran the program.
It ate up some CPU according to Task Manager, but didn't show any sort of UI until it popped up a box asking to reboot.
Rebooted the machine, and lo and behold, we could access sites out on the internet.
Pop over to ZoneAlarm's and download the latest build, and 145MB and 15 minutes later (DSL!!!) and the download is corrupt.
Another 15 minute download, and ZA is happily reinstalling itself.