Sygate PF process consistently terminated despite PG protections being enabled

Hi everyone,

I have a strange problem. I currently have the latest version of the Sygate personal firewall, along with PG 2.00, TDS-3, and Port Explorer 1.8.

All of these programs are running when I'm online, and I use Opera 7.50 Beta for browsing the web. TDS execution protection is also enabled. I'm running WinXP Home with all the latest critical updates. I have a dialup connection at home, with no other computers or routers involved.

The problem seems to be related in some way to the screen saver kicking in on my system, although I find it odd that the screen saver would play any role in running processes. I suppose it's possible... although I suspect that there is something else going on that I'm missing. In the log below, ssstars.scr is one screen server that comes with WinXP, and gives the illusion of moving through space at great speed. I've tried the saver that just makes the screen go blank, but SPF still fails. I have a log from PG showing drwatson32 running and trying to gain access on the SPF process. The first time I had this happen, I configured PG to not allow drwatson32 from gaining anything but Read and GetInfo on a process. However, this did not solve the problem. PG blocks the good doctor from gaining access, but SPF still terminates and my computer is left without a firewall.

Something is thus killing my firewall, and I don't know what it could be. Why isn't the system event that kills Sygate showing up in the PG log? I am wondering if it is a software conflict of some kind, since PG should prevent any normal routines from disabling the firewall.

Here is the partial log:

14 May 15:45:37 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
14 May 15:55:33 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test: was ALLOWED to run
14 May 15:55:34 - [EXECUTION] c:\program files\solidworks\sldworks.exe with commandline "c:\program files\solidworks\sldworks.exe" was ALLOWED to run
14 May 16:34:17 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
14 May 16:39:30 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
14 May 16:40:57 - [EXECUTION] c:\windows\system32\drwtsn32.exe with commandline drwtsn32 -p 1292 -e 1044 -g was ALLOWED to run
14 May 16:40:57 - [P] c:\windows\system32\drwtsn32.exe [616] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\sygate\spf\smc.exe [1292]
14 May 16:53:55 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
14 May 17:13:48 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run


I have recently updated my nVidia drivers to 56.72, I am running the latest BIOS (which I upgraded to a few months ago, and never had any problems with SPF. This all started recently). I've also tried uninstalling SPF, cleaning the registry, reinstalling...and I still have this problem.

Argh.

Any ideas?

 

Ok, it just happened again...no screensaver activated this time. I am starting to think something hostile is going on...

Just before it crashed, SPF gave me a requester window asking if i should allow a new .dll to be loaded. I don't remember exactly what it was, since it disappeared very soon after appearing once SPF died, but it was related to the Windows Help files or system. It was also remote initiated (hmmmm).

Here's the PG log for this latest event. drwatson32 is once again mentioned...
I've included all entries from when I first booted the machine.

17 May 19:59:16 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
17 May 19:59:16 - [1 of 2] Success: Driver is active and secure.
17 May 19:59:16 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
17 May 19:59:16 - General Protection Options
17 May 19:59:16 - [1 of 4] Block End-Task is enabled.
17 May 19:59:16 - [2 of 4] Block Appinit registry key is enabled.
17 May 19:59:16 - [3 of 4] Block Drivers/Services is enabled.
17 May 19:59:16 - [4 of 4] Block Global Hooks is enabled.
17 May 19:59:16 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\system32\userinit.exe with commandline c:\windows\system32\userinit.exe was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\explorer.exe with commandline c:\windows\explorer.exe was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline rundll32.exe nvcpl.dll,nvcplmanageusersettings 3 was ALLOWED to run
17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\explorer.exe [1452]
17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\system32\winlogon.exe [448]
17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\system32\csrss.exe [424]
17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline rundll32.exe nvcpl.dll,nvcplmanageusersettings 3 was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\program files\mru-blaster\indexcleaner.exe with commandline "c:\program files\mru-blaster\indexcleaner.exe" -cc was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\system32\nwiz.exe with commandline "c:\windows\system32\nwiz.exe" /install was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe with commandline "c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\program files\avpersonal\avgnt.exe with commandline "c:\program files\avpersonal\avgnt.exe" /min was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\windows\agrsmmsg.exe with commandline "c:\windows\agrsmmsg.exe" was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\progra~1\sygate\spf\smc.exe with commandline "c:\progra~1\sygate\spf\smc.exe" -startgui was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\program files\iisystem wiper\systemwiper.exe with commandline "c:\program files\iisystem wiper\systemwiper.exe" m was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\program files\mru-blaster\mrublaster.exe with commandline "c:\program files\mru-blaster\mrublaster.exe" -silent was ALLOWED to run
17 May 19:59:16 - [EXECUTION] c:\program files\processguard\procguard.exe with commandline "c:\program files\processguard\procguard.exe" -minimize was ALLOWED to run
17 May 19:59:18 - [EXECUTION] c:\windows\system32\imapi.exe with commandline c:\windows\system32\imapi.exe was ALLOWED to run
17 May 19:59:27 - [EXECUTION] c:\program files\die\tds-3.exe with commandline "c:\program files\die\tds-3.exe" was ALLOWED to run
17 May 19:59:30 - [EXECUTION] c:\windows\msagent\agentsvr.exe with commandline c:\windows\msagent\agentsvr.exe -embedding was ALLOWED to run
17 May 19:59:30 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sygate\spf\smc.exe was ALLOWED to run
17 May 19:59:34 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" -start was ALLOWED to run
17 May 19:59:34 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" was ALLOWED to run
17 May 19:59:34 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\port explorer\portexplorer.exe was ALLOWED to run
17 May 19:59:35 - [EXECUTION] c:\program files\port explorer\portexplorer.exe with commandline "c:\program files\port explorer\portexplorer.exe" was ALLOWED to run
17 May 19:59:36 - [EXECUTION] c:\program files\die\dcsmutex.exe with commandline "c:\program files\die\dcsmutex.exe" diamond computer systems pty. ltd.
17 May 20:00:03 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\juno6\qs\exec.exe was ALLOWED to run
17 May 20:00:04 - [EXECUTION] c:\program files\juno6\qs\exec.exe with commandline "c:\program files\juno6\qs\exec.exe" was ALLOWED to run
17 May 20:00:04 - [EXECUTION] c:\program files\juno6\qs\exec.exe with commandline exec 95db625hsjl|-1 56 was ALLOWED to run
17 May 20:00:05 - [P] c:\program files\juno6\qs\exec.exe [1296] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\juno6\qs\exec.exe [1264]
17 May 20:00:08 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\program files\juno6\qs\exec.exe [1296]
17 May 20:00:28 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\program files\juno6\qs\exec.exe [1296]
17 May 20:00:43 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" -nohome http://my.juno.com/s/sp?r=al&cf=sp&...000000&c=1062486000000&d=0&i=6.2b4ju&n=pl&o=i was ALLOWED to run
17 May 20:00:47 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\opera75\opera.exe was ALLOWED to run
17 May 20:00:47 - [EXECUTION] c:\program files\opera75\opera.exe with commandline "c:\program files\opera75\opera.exe" was ALLOWED to run
17 May 20:15:48 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\documents and settings\******\my documents\sygate_error_log.sxw was ALLOWED to run
17 May 20:15:49 - [EXECUTION] c:\program files\openoffice.org1.1.1\program\soffice.exe with commandline "c:\program files\openoffice.org1.1.1\program\soffice.exe" -o "c:\documents and settings\****\my documents\sygate_error_log.sxw" was ALLOWED to run
17 May 20:39:46 - [EXECUTION] c:\windows\system32\drwtsn32.exe with commandline drwtsn32 -p 224 -e 936 -g was ALLOWED to run
17 May 20:39:47 - [P] c:\windows\system32\drwtsn32.exe [160] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\sygate\spf\smc.exe [224]
17 May 20:39:57 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sygate\spf\smc.exe was ALLOWED to run
17 May 20:39:58 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" -start was ALLOWED to run
17 May 20:39:58 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" was ALLOWED to run

 

If its Dr Watson killing it, then it has already crashed by itself. Dr Watson just attaches AFTER to get debug info about the crash.

Can you save your protection list and email it to support ? you might want to try adding ALLOW flags for known safe processes - give ALL allow flags to Sygate to limit the chance of something causing Sygate to crash. I cant figure out what you were doing at the time of the crash from the log since theres a time gap between the last action and the startup of Dr Watson. What were you doing at the time ?

 

Hi Gavin,

Is the address support@diamondcs.com ?

I cut and pasted the protection list I currently have. I wasn't at the computer for all of the crashes but one. I left for a bit, sometimes while it was downloading files for AntiVir, or TDS....other times I wasn't downloading anything and I stepped away for a while. When I came back, the Sygate icon was still in the system tray in the lower right. When I moved the mouse pointer over it, the icon disappeared.

The first time I was present for a crash was during the .dll allow request that Sygate initiated, which just happened tonight. Within a few seconds, the requester window was gone and Sygate was gone with it. At the time I was using the software I listed in my first post (I forgot to mention AntiVir free in the first post. I have never had a problem with it though, so I don't think it has anything to do with my current troubles).

Should I post a list from asviewer? Perhaps that would help...maybe someone can pick out a known conflict with what I have running now and Sygate.


Process Guard v2.000 Protection List
Date Saved: 18 May 2004 at 00:26:18

Total items in list:- 24

001 - c:\program files\processguard\procguard.exe
002 - c:\program files\processguard\pg_msgprot.exe
003 - c:\windows\system32\lsass.exe
004 - c:\windows\system32\services.exe
005 - c:\windows\system32\svchost.exe
006 - c:\windows\system32\winlogon.exe
007 - c:\windows\system32\smss.exe
008 - c:\windows\system32\csrss.exe
009 - c:\windows\system32\wbem\winmgmt.exe
010 - c:\windows\system32\wbem\wmiadap.exe
011 - c:\windows\system32\drwtsn32.exe
012 - c:\windows\explorer.exe
013 - c:\program files\internet explorer\iexplore.exe
014 - c:\program files\outlook express\msimn.exe
015 - c:\program files\avpersonal\avguard.exe
016 - c:\program files\processguard\dcsuserprot.exe
017 - c:\program files\opera7\opera.exe
018 - c:\program files\juno6\qs\exec.exe
019 - c:\program files\die\tds-3.exe
020 - c:\program files\yahoo!\messenger\ypager.exe
021 - c:\program files\yahoo!\messenger\yserver.exe
022 - c:\program files\port explorer\portexplorer.exe
023 - c:\matrix games\massive assault\ma.exe
024 - c:\program files\sygate\spf\smc.exe

---001-----------------------------------------------
Long Path :- c:\program files\processguard\procguard.exe
Short Path :- c:\progra~1\proces~1\procgu~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- None
Option Flags :- Allow Global Hooks


---002-----------------------------------------------
Long Path :- c:\program files\processguard\pg_msgprot.exe
Short Path :- c:\progra~1\proces~1\pg_msg~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---003-----------------------------------------------
Long Path :- c:\windows\system32\lsass.exe
Short Path :- c:\windows\system32\lsass.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---004-----------------------------------------------
Long Path :- c:\windows\system32\services.exe
Short Path :- c:\windows\system32\services.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---005-----------------------------------------------
Long Path :- c:\windows\system32\svchost.exe
Short Path :- c:\windows\system32\svchost.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Suspend,GetInfo,SetInfo
Option Flags :- None


---006-----------------------------------------------
Long Path :- c:\windows\system32\winlogon.exe
Short Path :- c:\windows\system32\winlogon.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---007-----------------------------------------------
Long Path :- c:\windows\system32\smss.exe
Short Path :- c:\windows\system32\smss.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---008-----------------------------------------------
Long Path :- c:\windows\system32\csrss.exe
Short Path :- c:\windows\system32\csrss.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---009-----------------------------------------------
Long Path :- c:\windows\system32\wbem\winmgmt.exe
Short Path :- c:\windows\system32\wbem\winmgmt.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---010-----------------------------------------------
Long Path :- c:\windows\system32\wbem\wmiadap.exe
Short Path :- c:\windows\system32\wbem\wmiadap.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---011-----------------------------------------------
Long Path :- c:\windows\system32\drwtsn32.exe
Short Path :- c:\windows\system32\drwtsn32.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---012-----------------------------------------------
Long Path :- c:\windows\explorer.exe
Short Path :- c:\windows\explorer.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- Allow Global Hooks


---013-----------------------------------------------
Long Path :- c:\program files\internet explorer\iexplore.exe
Short Path :- c:\progra~1\intern~1\iexplore.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- None
Option Flags :- None


---014-----------------------------------------------
Long Path :- c:\program files\outlook express\msimn.exe
Short Path :- c:\progra~1\outloo~1\msimn.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- None
Option Flags :- None


---015-----------------------------------------------
Long Path :- c:\program files\avpersonal\avguard.exe
Short Path :- c:\progra~1\avpers~1\avguard.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---016-----------------------------------------------
Long Path :- c:\program files\processguard\dcsuserprot.exe
Short Path :- c:\progra~1\proces~1\dcsuse~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---017-----------------------------------------------
Long Path :- c:\program files\opera7\opera.exe
Short Path :- c:\progra~1\opera7\opera.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---018-----------------------------------------------
Long Path :- c:\program files\juno6\qs\exec.exe
Short Path :- c:\progra~1\juno6\qs\exec.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---019-----------------------------------------------
Long Path :- c:\program files\die\tds-3.exe
Short Path :- c:\progra~1\die\tds-3.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---020-----------------------------------------------
Long Path :- c:\program files\yahoo!\messenger\ypager.exe
Short Path :- c:\progra~1\yahoo!\messen~1\ypager.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read
Option Flags :- None


---021-----------------------------------------------
Long Path :- c:\program files\yahoo!\messenger\yserver.exe
Short Path :- c:\progra~1\yahoo!\messen~1\yserver.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read
Option Flags :- None


---022-----------------------------------------------
Long Path :- c:\program files\port explorer\portexplorer.exe
Short Path :- c:\progra~1\portex~1\portex~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- None


---023-----------------------------------------------
Long Path :- c:\matrix games\massive assault\ma.exe
Short Path :- c:\matrix~1\massiv~1\ma.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- Allow Global Hooks


---024-----------------------------------------------
Long Path :- c:\program files\sygate\spf\smc.exe
Short Path :- c:\progra~1\sygate\spf\smc.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- Allow Global Hooks

 

Hi,

I notice you still have PG_MsgProt from an older build, remove that from the list. If the file exists, delete it.

ASViewer log would be helpful, yes please email both to support@diamondcs.com.au

Since everything in your list is KNOWN to be good, try giving every item full allow access (all 6 flags) and then reboot. See if your firewall dies at any time. When you moved the mouse over the icon, it was already closed long ago

Also, see if Sygate support can offer any ideas. Try installing an old version, and possibly try uninstalling both programs (stay off the internet though !) and just install this new version of Sygate. Does it still go down ? Lots of things we can try to narrow down the problem, but the first for me would be an older version and contact their support team

 

Hi,

did you use Windows Worms Doors Cleaner ?

I had a user mailing me about SPF PRO crashing after disabling DCOM or Locator (which is just a registry editing that you can do manually) and wasn't able to make SPF to work properly even after to have enabled again the services.

I'm still looking at why a firewall should fail to run after to have disabled a service not needed for the firewall to run
All of the firewalls I have tested works very fine with every critical services disabled, apart of Kerio 2.1.5 and SPF Pro.

If it's not your case, then forget my post, but I would really like to know anyway what could make your firewall to crash.

regards,

gkweb.

 

I had similar problems with Sygate 5.5 and reverted to 5 as it is a known problem and is mentioned many times on the Sygate forums, This is definately NOT a Process Guard problem. I got so peed off with the lack of support from Sygate that I ditched it.
Now happily using Kerio 2.1.5 with Process Guard protecting it
I also use Outpost 2 on Server 2003 with PG and they have been running continously now, apart from updates, for over six months with no problems

:End Rant:

Pilli

 

Hi Gavin,

Thank you for your help. I will send the protection list and asviewer log to the support address. I just had Sygate crash two times in a row. The .dll requester appeared both times, asking about the same things (Windows helpfile related things that were remote initiated).

I have been getting lots of bad traffic the past couple weeks, all of it from the same general IP range. I am wondering if there is some sort of malformed packet that can kill Sygate. Most of this bad traffic is trying to get in on my port 5000, with a few attempts on 113, 80, 0 using ICMP requests, and 2745. Perhaps it would be a good idea to send in the packet log to the Sygate people and have them look at it. If anyone on here wants to look, I'll email them the logs as well. I am starting to get very suspicious, and maybe there is something malevolent going on here.

The IPs coming in to my machine are ranging in 199.35.xxx.xxx WhoIs gives this info:


OrgName: ICG NetAhead, Inc.
OrgID: ICGN
Address: 161 Inverness Drive West
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US

NetRange: 199.35.96.0 - 199.35.255.255
CIDR: 199.35.96.0/19, 199.35.128.0/17
NetName: ICG-BLK-BLK3A
NetHandle: NET-199-35-96-0-1
Parent: NET-199-0-0-0-0
NetType: Direct Allocation
NameServer: AS1.ICG.NET
NameServer: AS2.ICG.NET
Comment: Addresses within this block are non-portable
RegDate:
Updated: 2004-05-03

TechHandle: IPADM127-ARIN
TechName: IP Admin
TechPhone: +1-303-414-5000
TechEmail: ip_admin@icgcomm.com

OrgAbuseHandle: ABUSE170-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-303-414-5000
OrgAbuseEmail: abuse@icgcom.com

OrgTechHandle: IPADM127-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-303-414-5000
OrgTechEmail: ip_admin@icgcomm.com

# ARIN WHOIS database, last updated 2004-05-17 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database

I've tried emailing their abuse address in the past, but they didn't bother with anything more than a form letter. Up til now, I didn't care much, but now it seems that something is wiping out my firewall, so I am a rather more concerned.

The version of Sygate I have is the latest one, but it came out a number of months ago. I never had any troubles at all with it until...about 10 days ago, when it started to crash with no explanation.

Here is the asviewer log if anyone would like to see it, with running services and autostarts:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for ********@POOP1, 05-18-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\scrnsave.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\scrnsave.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVGCtrl
C:\Program Files\AVPersonal\AVGNT.EXE /min
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AGRSMMSG
C:\WINDOWS\AGRSMMSG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRUBlaster
C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iIWiper
C:\Program Files\iISystem Wiper\SystemWiper.exe m
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\**********\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
C:\Program Files\MRU-Blaster\mrublaster.exe
C:\Documents and Settings\****\Start Menu\Programs\Startup\Process Guard.lnk
C:\Program Files\ProcessGuard\procguard.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AntiVirService\
C:\Program Files\AVPersonal\AVGUARD.EXE
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\DCSUserProt\
C:\Program Files\ProcessGuard\dcsuserprot.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\IOPort\
\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
HKLM\System\CurrentControlSet\Services\irda\
C:\WINDOWS\System32\DRIVERS\irda.sys
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\procguard\
\??\C:\WINDOWS\System32\drivers\procguard.sys
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Secdrv\
C:\WINDOWS\System32\DRIVERS\secdrv.sys
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SocketLock\
\??\C:\WINDOWS\System32\socketlock.sys
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\wg3n\
C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs

 

Hi gkweb,

Thank you for the suggestion. Unfortunately, I haven't run Windows Worms Doors Cleaner. I am rather curious as to why Sygate has suddenly stopped being reliable.... An interesting problem.

 

Hi Pilli,

I have heard about various problems with Sygate, but up until very recently, it had been working well for me. I like the program a lot, and would like to keep using it...if at all possible. I might not be able to continue using it the way things are going now.

I tried installing the free version of Kerio a few days ago, but it didn't install correctly, complaining about not finding a certain series of registry keys.

 

Log looks OK, does sound like a Sygate bug. Its a good firewall though, agreed

Try uninstalling and reinstalling it soon ? Hope you receive an answer from their support team (soon) which helps

 

Gavin, It is a good firewall when working correctly but the latest version was too unstable on this PC, Sygate have been very slow to react on one or two fronts, firstly not changing the default rules which allows unecessary servers for allowed programs & secondly the instability of the tcp layer.
On the Sygate forums there is a mention that Sygate have produced private beta builds for some users that can correct the second error.

Pikachu762

If Kerio 4 would not install it sounds like you may have some registry cleaning to do or defragging.
Did you try and install it with other programs running? PG, AV, AT etc. If so this could have caused the install problem.

Pilli

 

Hi Gavin,

Thank you for checking out the logs and your help.

I am starting to believe that Sygate is vulnerable to some bad incoming traffic, since it seems to be crashing only when I am getting bad inbound connection attempts.

I started another thread in the "other firewalls" section with more info from my System and Security logs.

I haven't gotten any responses yet on the Sygate forum...grrrr.

 

Hi Pilli,

The Kerio install issue was an odd one. The entire registry key folder to which it was trying to add keys doesn't exist on my computer. I should have written it down, because I have forgotten what exactly it was called.

 

BTW Kerio 4 works great for me

 

If your running sygate you must ensure that any javacools software is disabled properly or sygate crashes.....if you are running spywareguard you must manually disable it as sygate does not seem to like it at all....i suggest uninstalling it all together.