
Thread: Sygate Personal Firewall?

  1. #11
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    Hmmm...

    Good point, ByTeWrangler!

    "3 out of 4 vulnerabilities are unpatched"
    One vulnerability dates way back to 2002 and is rated moderately critical (typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities which allow system compromises but require user interaction).

    From Secunia also - http://secunia.com/advisories/7930/

    Description:
    Sygate Personal Firewall comes with a default rule set that blocks all UDP requests; however, if UDP requests originate from source port 137 or 138 they are allowed, thus a malicious person could get access to all open UDP ports on a target merely by sending all requests from source port 137 or 138.

    Unpatched but with solution
    Solution:
    Change your firewall rules to block all UDP traffic, including traffic with source port 137 and 138.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif
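    The rule-set weakness in that advisory, and its suggested fix, as an added model (not Sygate's code or the advisory's): a first-match rule evaluator run over constructed inbound UDP datagrams, showing which destination ports the default rules expose and that blocking all UDP closes them.

```python
"""Model of the Sygate default-rule weakness described in Secunia 7930 (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    proto: str
    match: Callable[[Packet], bool]     # predicate on the packet


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for rule in rules:
        if rule.proto == pkt.proto and rule.match(pkt):
            return rule.action
    return default


# Default rule set as the advisory describes it: UDP is blocked, except that
# datagrams whose *source* port is 137 or 138 (NetBIOS name/datagram service)
# are let through regardless of destination port.
DEFAULT_RULES = [
    Rule("allow", "udp", lambda p: p.src_port in (137, 138)),
    Rule("block", "udp", lambda p: True),
]

# The advisory's solution: block all UDP, including traffic from source ports 137/138.
FIXED_RULES = [
    Rule("block", "udp", lambda p: True),
]


def audit(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Return the sorted set of destination ports reachable under the given rule set."""
    return sorted({p.dst_port for p in probes if evaluate(rules, p) == "allow"})


# Constructed probe traffic: the same inbound UDP datagrams sent from different source ports.
PROBES = [Packet("udp", sp, dp) for sp in (53, 137, 138, 40000) for dp in (53, 161, 1434, 137)]

if __name__ == "__main__":
    print("default rules expose:", audit(DEFAULT_RULES, PROBES))   # every probed port
    print("fixed rules expose:  ", audit(FIXED_RULES, PROBES))     # nothing
```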

  2. #12
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    I just opened a WinZip crack that I downloaded from Kazaa Lite. Must have been spyware or something because as soon as I opened it Sygate told me: C:\WINDOWS\TEMP\123.exe is attempting to connect to an IP address that I did not record. Set Sygate to BLOCK the connection and any other connections that it told me about. Now, in the list of running applications, I have new apps that I have never seen there before that are set to ask before connection:

    |RCPCSS.EXE| |TCP| |LISTEN| |1028|
    |RCPCSS.EXE| |TCP| |LISTEN| |135|
    |kernel32.dll| |UDP| |LISTEN| |68|
    |kernel32.dll| |UDP| |LISTEN| |138|
    |kernel32.dll| |UDP| |LISTEN| |137|
    |kernel32.dll| |UDP| |LISTEN| |139|

    All files exist on the C:\WINDOWS\SYSTEM directory. Should I block them all?

    I have scanned my PC using "Free Spyware Scanner GOLD" with updated database, and it found nothing. I do remember one of the domains the programs were trying to connect to was: get.inetbar.com . My NOD32 Antivirus scanner did not detect the file that I downloaded and ran even when I scanned it a second time myself with advanced heuristics and updated definitions. Usually if I download an infected file from Kazaa lite, my NOD32 will detect it before it is even finished downloading. Did not detect anything. This "LISTEN" sounds fishy to me. Especially on the ports that scratchonthebox just posted about. So what I did, was set an advanced rule with Sygate titled "Patch" to block ALL hosts with UDP REMOTE and LOCAL ports 137, 138, and 139.

    What I am worried about here is, could I have opened an undetectable trojan? Can anyone PLEASE help me out here? Thanks a lot in advance!!!


    Peace.

  3. #13
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    Hmmm...

    ryan-nyquist,

    Don't panic. Relax! Just as most of the AO guys said about the firewall, it is doing its job. Aside from changing the settings of your Sygate (as per the solution in the advisory, of course), what have you done lately? First thing: using P2P software like Kazaa Lite, not to mention that you opened a WinZip crack (what do you mean by that?), it is probably malware (and it is in the temp folder).

    Of the ports you mentioned, I could only recall port 139, and it is in my website's port list: NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information.

    ... and port 135, Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.

    You should do the normal routine: disable System Restore, restart in safe mode, run your anti-malware and antivirus (make sure all definitions are updated). After doing this, restart your BoX and run HJT (HijackThis - http://www.antionline.com/showthrea...threadid=265467) and check it (remember, don't do anything with HJT; show the logs here first so that the rest of the AO guys can give you advice). You can post the LOG here afterwards to see more details of what's going on with your BoX.


  4. #14
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    I would like to take this opportunity to blatantly advertise for Kerio. It's a decent firewall that does its work like it should. AND it can be configured really well.

    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all... WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  5. #15
    Greetings

    Okay, you might want to do the following:

    Get your computer scanned online at housecall.trendmicro.com

    Get an anti-spyware program like Spybot and, if you want, upload your HijackThis log online.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #16
    Senior Member
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    "I just opened a WinZip crack that I downloaded from Kazaa Lite. Must have been spyware or something"

    Jeez! Some of them won't ever learn.

    Let that be a lesson to you. In future, go into Google and type "freeware"; you will get lots of sites and just about everything you might need... even full-blown Microsoft-compatible office suites! There are certainly plenty of Zip file applications.

    Get Spybot Search & Destroy and Ad-Aware SE, update them and run them in safe mode.

    Get Moosoft's "The Cleaner" 30 day trial and run that.

    And follow the advice already given.

  7. #17
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    You guys got it right on. It's definitely a browser hijacker. It won't even let me click that link, so I have to copy and paste the HijackThis URL into my browser.

    Sounds a lot like spyware to me, but just to be safe, I am gonna perform a number of online scans with different AV sites. I know there is one that uses 6 different AVs' definitions to scan your PC. Can't remember the link though. Will also get Moosoft's "The Cleaner" and perform an updated scan on my system.

    I have never really had this problem with Kazaa Lite before. Not until now. By "WinZip crack" I mean an app that was supposed to be a keygen (product key number generator). It was in a WinZip zip file, so I figured it wouldn't be a virus. I scanned the app before I opened it and it was clean. But when I actually opened the application, nothing happened. Sounds like typical trojan behavior to me. So, like I said, I will perform multiple virus scans and will post up what I come up with.

    Will also install "Hijackthis" but what exactly is this program?

    Thanks again in advance!!


    Peace.

  8. #18
    Junior Member
    Join Date
    Mar 2005
    Posts
    9

    Sorry for the double post

    Sorry for the double post, but I didn't know that I wouldn't have to install HijackThis. I performed a scan with it and also saved the log file. Here is the entire log file, since it will not allow me to attach a .log file to this post:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:59:37 PM, on 3/24/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\IRIVER\IRIVER MANAGER\UPDATER\UPDATER.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebtown.com/freesec/thankyou.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SYSTEM\winvbie.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SYSTEM\msiev32.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

    Your help with this is greatly appreciated!!! Will do The Cleaner scan and antivirus program scans now and will edit this post if they find anything.


    Peace.

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To clear up a couple of little misconceptions here....

    Ryan: That "router" you got given by the ISP..... It isn't a router... It's a Cable/DSL modem... It does _nothing_ for your security... It could, very easily, but your ISP would then charge you $100/month for internet access when all you need is to D/L Sygate or whatever.... Or update to SP2 if you are on XP.

    Whoever: It's practically impossible to DoS any user nowadays by using a "pipe-filling" DoS. Yeah, they can deny service to a box by crashing the box through a DoS vulnerability in the service that either kills the service or the OS but a "pipe-filling" DoS is reserved for lamers using a cable/dsl connection to attack a dial-up client.... Now a DDoS is a whole different issue and can be accomplished against really big "pipes" if you have enough "drones" on big "pipes" themselves.

    Ryan again: You downloaded cracked warez....

    /stop....

    This doesn't feel right any more.... As I go back and read what has been said by ryan.... He's not coming across as "right".... He has all the terminology "down"... Which implies a deeper knowledge than he ends up with by d/ling cracked warez and then being screwed up by it...

    I just had my "troll alert" flag go up really high.....

    As such I am withdrawing from the conversation.....

    Have fun Y'all....

    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #20
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    Just spent about 20 minutes writing out a long post that, when I clicked "Submit Reply", told me that I had included too many images in my last post. Yet it only had 2 smilies. Clicked the "Back" button on my browser and it took me to an empty "Reply To Topic" page.

    Anyways, it ran along the lines of, is this what this forum is meant for? Am I misunderstood on this forum's purpose?

    Wrote a LONG description about my experience and work with computers, and also my personal experiences with trojans. It's 1:42 AM here, and I am going to go to bed now. BTW, ran The Cleaner and antivirus scans in safe mode, and nothing was found. Am too tired now, but will edit this thread tomorrow, trying to re-write my last reply attempt's less important details. Also mentioned those who are telling me not to download cracks: the crack I downloaded was for WinZip. This isn't an expensive/big program here (probably $29 online, and a product which I don't even know if the trial version has an expiry for personal use). Besides, WinZip was needed to open and extract the "HijackThis" file and is needed to open and extract a lot of FREE programs today.


    Peace.
