Need Help Understanding Sygate Security Message

Discussion in 'other firewalls' started by ellentk, Nov 21, 2009.

Thread Status:
Not open for further replies.
  1. ellentk

    ellentk Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    8
    I'm running XP Home SP2 and Sygate 5.6. I'm not sure what more to do about this entry in Sygate's security log today. Any help will be very much appreciated.

    Security Type: Executable File; Severity: Major; Direction: Outgoing
    Protocol: TCP; Remote Host: 84.16.255.208
    Application has changed since the last time you opened it, process id:
    3316
    Filename: C:\Program Files\Java\jre6\bin\java.exe
    The change was denied by user
    ---- Modules changed: 1 ----
    C:\Program Files\Java\jre6\bin\java.exe
    ---- New modules: 0 ----
    stopped

    The message seems to be saying contradictory things: 1) the application has changed and 2) change denied by user. Did malware from the remote host change java.exe or did I stop it?

    Around the time Sygate's icon began flashing red, the java icon appeared on my taskbar, though I didn't launch it and was not running a program that should have launched it.

    What I did so far: I closed all programs (which had all become very slow to respond), rebooted without being connected to the net, and performed quick scans of my c: drive with recently updated versions of Malwarebytes, Superantispyware, and Avast. They all turned up no malware or viruses. Scans with Malwarebytes and Avast of c:\program files\java and c:\program files\JRE launched from the right click menu in Windows Explorer also turned up no malware or viruses.

    Is there anything else I should do?

    The remote host (netdirekt.de) is a known distributor of malware according to Web of Trust (mywot.com).

    Other Questions:
    Could this have anything to do with jusched.exe, which is set to check monthly?

    Could it have anything to do with the Firefox add-on Java Quick Starter Service, which I thought I disabled, but is now enabled? I don't know when that changed.

    There was no traffic to or from the remote host in Sygate's traffic log. I guess it goes in one log or the other?

    Thank you again for any help.

    Ellen
     
  2. SpiritWind

    SpiritWind Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    52
    Location:
    Southern Calif


    Hi Ellen :

    I am a fellow Sygate User and would assume that "Message" is saying that your Java program was recently "Updated" !? I get "Messages" like that anytime a program of mine is "upgraded" to a newer "version" . IF you feel it
    is saying something more serious, I would get a "2nd Opinion" by running scans of programs like Malwarebytes Anti-Malware and/or
    "SUPERAntiSpyware" .
    Have you ever read the "Sygate Personal Firewall Guide" at
    www.kotiposti.net/string/SPF_eng/SPFGuide.html !? Its Author goes by the
    "Name" of "Jarmo P" on these forums, and even though he has not posted on these forums for over a year, you should consider sending him a "Personal/Private
    Message" IF he does not respond in this thread .
     
    Last edited: Nov 22, 2009
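The log entry in the first post is an application-fingerprint alert: the firewall noticed that the on-disk java.exe no longer matches the copy it had approved earlier, asked whether to trust the changed binary, and the user's "deny" blocked the outbound connection. The following Python script is an added example, not code from this thread or from Sygate; it parses an entry in the format quoted above (the sample text is a constructed copy of that entry) and reproduces the fingerprint check with a SHA-256 baseline, which is an assumption standing in for whatever hashing Sygate actually used. Running it shows how a legitimate update and a tampered binary look identical to this kind of check, which is why the alert alone cannot tell the two apart.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: the Sygate security-log entry quoted in the first post.
SAMPLE_ENTRY = r"""Security Type: Executable File; Severity: Major; Direction: Outgoing
Protocol: TCP; Remote Host: 84.16.255.208
Application has changed since the last time you opened it, process id:
3316
Filename: C:\Program Files\Java\jre6\bin\java.exe
The change was denied by user
---- Modules changed: 1 ----
C:\Program Files\Java\jre6\bin\java.exe
---- New modules: 0 ----
stopped"""

SECTION_RE = re.compile(r"^---- (Modules changed|New modules): (\d+) ----$")


def parse_sygate_entry(text: str) -> dict:
    """Turn one security-log entry into a dict (field layout assumed from the quoted sample)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    entry = {"modules_changed": [], "new_modules": []}
    i = 0
    while i < len(lines):
        ln = lines[i]
        m = SECTION_RE.match(ln)
        if m:
            # "---- Modules changed: N ----" is followed by exactly N file paths
            key = "modules_changed" if m.group(1) == "Modules changed" else "new_modules"
            count = int(m.group(2))
            entry[key] = lines[i + 1:i + 1 + count]
            i += 1 + count
            continue
        if ln.startswith("Application has changed"):
            entry["application_changed"] = True
            entry["process_id"] = int(lines[i + 1])  # pid sits on the next line
            i += 2
            continue
        if ln == "The change was denied by user":
            entry["user_action"] = "denied"
        elif ln == "stopped":
            entry["result"] = "stopped"
        elif ":" in ln:
            # "Key: value; Key: value" pairs; partition on the first ':' keeps "C:\..." intact
            for field in ln.split(";"):
                k, _, v = field.partition(":")
                entry[k.strip().lower().replace(" ", "_")] = v.strip()
        i += 1
    return entry


def interpret(entry: dict) -> str:
    """Answer the thread's question: was the connection allowed or blocked?"""
    if entry.get("application_changed") and entry.get("user_action") == "denied":
        return "binary changed; connection blocked because the new fingerprint was refused"
    if entry.get("application_changed"):
        return "binary changed; connection allowed with the new fingerprint"
    return "no fingerprint change recorded"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_baseline(path: Path, baseline: dict) -> str:
    """Mimic the firewall's check: 'new', 'unchanged' or 'changed' versus the stored digest."""
    digest = sha256_of(path)
    key = str(path)
    if key not in baseline:
        baseline[key] = digest  # first sighting: record and ask the user (not modelled here)
        return "new"
    return "changed" if baseline[key] != digest else "unchanged"


def demo_baseline_check() -> tuple:
    """Constructed walk-through: first run, unchanged rerun, then the file is rewritten."""
    baseline = {}
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "java.exe"
        exe.write_bytes(b"constructed sample binary v1")
        first = check_against_baseline(exe, baseline)
        second = check_against_baseline(exe, baseline)
        exe.write_bytes(b"constructed sample binary v2")  # an update and a tampered file look the same here
        third = check_against_baseline(exe, baseline)
    return first, second, third


if __name__ == "__main__":
    parsed = parse_sygate_entry(SAMPLE_ENTRY)
    print(parsed["remote_host"], parsed["modules_changed"], interpret(parsed))
    print(demo_baseline_check())
```

The practical follow-up is to compare the changed file's digest (and its digital signature, on Windows) against a known-good copy from the vendor's installer, rather than relying on the log text: the firewall only knows that the bytes differ, not why.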
  3. ellentk

    ellentk Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    8
    Hi SpiritWind,

    Thanks very much for your reply and the link to the Sygate guide. I did quick scans with the programs you mentioned, and with Avast. I think the quick scans check the places where trojans usually go, don't they? I guess I'll run thorough scans too.

    What concerns me is that the message in Sygate's security log stated my system tried to contact a remote host, unrelated to sun and java, located in Germany and known for distributing malware. This doesn't sound like an ordinary update and makes me think there must be a trojan on my system programmed to contact that site.

    But since the quick scans found nothing, the other possibility is that Sygate stopped the trojan but saw that it was programmed to contact the remote site, as the message also says "change denied by user." And this would explain why the scans found no trojans.

    But, I'm not sure what the message means.

    Thanks for mentioning Jarmo P. I'll contact him if I get no further replies.

    Ellen
     
  4. SpiritWind

    SpiritWind Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    52
    Location:
    Southern Calif
    Latest "Version/Update" of Java !?



    Hi Ellen :

    Perhaps you do NOT have the latest, most secure "Version" of Java on your
    computer !? For security purposes, you should ONLY have 1 "Version/Update" of
    Sun's Java on a computer . You can easily find out by going to the FREE "Tester"
    at www.javatester.org/version.html . IF it does NOT say "Java Version
    1.6.0_17 from Sun Microsystems Inc " in the pink-colored rectangle, you do
    NOT have the latest and you should uninstall ALL "Version(s)/Update(s)" of
    Sun's Java on your computer . Then go to www.java.com and get the latest . Best to use the "Offline Installation" Method .

    EDIT : Any thorough Search for malware should include looking for possible
    "Rootkits" ; nowadays, that is Best done by using the FREE "RootRepeal"
    and following "Step Four : Rootkit Detection " at
    www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html .
     
    Last edited: Nov 23, 2009
  5. ellentk

    ellentk Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    8
    Thanks for the advice about Java and the link to RootRepeal.
     