It's a common error to rely on one source of computer protection. Obviously if your computer software is behaving in a suspicious manner then your Zone Alarm has been compromised.
There are a large number of backdoor malware programs; many do not get detected by virus scanners, etc. Many of them specifically target and disable or circumvent the more popular virus scanners and firewall packages. Many of them allow a hacker to take direct control of your computer and allow them access to any and all files and information stored on or accessed through the Internet.
An independent test showed that the "free" adware/malware scanners like Spybot only detected 30-50% of the nasties at the time of the test. The "premium" paid versions were higher but none detected 100%. Conclusion - use more than one scanner.
Here's an example of one that was detected by only a few virus scanners (tested against some 30 or so packages):
The file "setup.exe" contains a trojan.
Files created:
C:\WINDOWS\raova.dll
C:\WINDOWS\raova.exe
C:\WINDOWS\akltb.tul
Registry keys created:
[HKEY_CURRENT_USER\Software\Adobe\SBHC]
"SBM" = "C:\WINDOWS\akltb.tul"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{gracutni-fjqb-bykh-sjhf-hcxivuvcattb}]
"StubPath" = "C:\WINDOWS\raova.exe"
Network Activity:
This trojan logs everything you do on your computer.
Whenever the logfile reaches a size of 100kB it is decrypted, sent, renamed
and replaced with a new "akltb.tul".
Opens FTP connection with "ftp1.hompy.com" on TCP port 21
(222.239.73.137:21 at the time of writing this)
USER roceone@ftp1.hompy.com
PASS cho********
And uploads the decrypted logfile containing everything you've done on your
box for the last 100kB of logging.
It also sends e-mails with the same logfiles to:
"logs@popmail.com"
"elogger@naver.com"
Positive results of a scan of the infected "setup.exe":
ClamAV: Trojan.Bifrose-876
Norman Virus Control: W32/PoisonIvy.YH
Positive results of a scan of the trojan itself:
AntiVir: Found HEUR/Crypted
ClamAV: Found Trojan.Small-2868
VBA32: Found Malware.Delf.43 (probable variant)
Info on domain hompy.com:
Domain Name.......... hompy.com
Creation Date........ 1999-12-24
Registration Date.... 2006-11-22
Expiry Date.......... 2008-12-24
Organisation Name.... Lee Changhyun
Organisation Address. 1710-1
Organisation Address. SEOULSeocho-guSeocho-dong
Organisation Address. Seocho-gu
Organisation Address. 137-070
Organisation Address. SEOUL
Organisation Address. KOREA, REPUBLIC OF
Admin Name........... Changhyun Lee
Admin Address........ 1710-1
Admin Address........ SEOULSeocho-guSeocho-dong
Admin Address........ Seocho-gu
Admin Address........ 137-070
Admin Address........ SEOUL
Admin Address........ KOREA, REPUBLIC OF
Admin Email.......... lee@ziobiz.com
Admin Phone.......... +82.266731166
Admin Fax............ +82.266731167
Tech Name............ Won Ho Song
Tech Address......... 1701-1 Hanaro Telecom Internet
Tech Address......... Data Centre B/D SF
Tech Address......... Seocho
Tech Address......... 137070
Tech Address......... Seoul
Tech Address......... KOREA, REPUBLIC OF
Tech Email........... domain@badanet.co.kr
Tech Phone........... +82.262692100
Tech Fax............. +82.262692112
Name Server.......... NS1.ZIOBIZ.CO.KR
Name Server.......... NS.HOMPY.COM
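
The Active Setup entry in the report above (a StubPath pointing at C:\WINDOWS\raova.exe under a key whose name is GUID-shaped but not hexadecimal) can be checked for without relying on any virus scanner. The following Python sketch is an added example, not part of the original post: it audits the text of a `reg export` dump, and the benign sample key, the function name and the two heuristics are assumptions made for illustration.

```python
import re

# Constructed sample in .reg export form. The first key is a made-up benign
# entry; the second is the entry listed in the report above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\WINDOWS\\system32\\example.exe /setup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{gracutni-fjqb-bykh-sjhf-hcxivuvcattb}]
"StubPath"="C:\\WINDOWS\\raova.exe"
'''

MARKER = "\\active setup\\installed components\\"
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"StubPath"="(.*)"$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# An executable sitting directly in the Windows root, as raova.exe does.
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\windows\\[^\\]+\.exe\b', re.I)

def audit_active_setup(export_text):
    """Return (component, stub_path, reasons) for entries worth a manual look.

    Both checks are heuristics (assumptions of this example): a hit is a lead
    for review, not proof of infection, and a miss proves nothing.
    """
    findings, component = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(MARKER)
            component = path[idx + len(MARKER):] if idx != -1 else None
            continue
        val = VALUE_RE.match(line)
        if not (val and component):
            continue
        stub = val.group(1).replace('\\\\', '\\')  # .reg files double backslashes
        reasons = []
        if not GUID_RE.match(component):
            reasons.append("key name is not a well-formed GUID")
        if ROOT_EXE_RE.match(stub):
            reasons.append("StubPath runs an .exe directly from the Windows root")
        if reasons:
            findings.append((component, stub, reasons))
    return findings

if __name__ == "__main__":
    for comp, stub, why in audit_active_setup(SAMPLE_EXPORT):
        print(comp, stub, "; ".join(why))
```
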