Author Topic: Help! Resident protection is disabled and Sygate firewall has... disappeared!!  (Read 8476 times)


altar

  • Guest
When I turned on the PC this morning I noticed that the Avast resident protection didn't start and that the firewall didn't launch.
I turned on the Avast protection manually but it shut down shortly after with an error message.
Can't turn on the Sygate firewall at all.
I'm running virus scans but nothing has come up yet.
I didn't download any software or files recently.
I've got a few important files that I haven't backed up yet and I'm terrified at the idea of losing them. Ima try and back them up after scanning each one.
If someone has ever heard of such a thing?

altar

  • Guest
After rebooting several times the resident protection and firewall finally came back up and running.
The virus scan has found Win32 Trojan-gen UPX...
Restore mode is disabled so I deleted the file.
Any suggestions anyone? ....Anybody?

Jarmo P

  • Guest
I have heard that there has been some problems with SPF free 5.6.2808 of not shown started. But I am not familiar with it and thought it was still protecting, just not shown. Never did experience it myself.

I did run that latest free one maybe a month, and once I got a warning from avast! network shield, when it was slow starting.
I am currently running as trial SPF Pro 5.6.2818 beta and it is working fine in my XP Home.

Soon I will revert back to SPF free though, bad economics, hehe.
So I maybe test it more but sounds bad if you got trojan cause of the slow start. Might be rather that the trojan disabled SPF?

Remember always to uninstall the current version of SPF from Control Panel before installing another version.

You can find a link where to install SPF 5.5.2710 that is known to be very stable from Sygate forum:
http://forums.sygate.com/vb/forumdisplay.php?s=dc827ceaabf4c40b62820439ac6e8ebd&forumid=8
Just do a search there with '5.5.2710' keyword.


Jarmo P

  • Guest
I might revert also back to SPF 5.5.2710 cause of your posting.
And that one experience 5.6.2808 was slow starting as I mentioned.

It is just fine though not recognized from XP SP2 security center, so you have to tell the security center "that you are controlling the firewall" then it will be just fine and no more prompts from it.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
What was the error message? Can you post a screenshot of it?
Visit my webpage Angry Sheep Blog

altar

  • Guest
Sorry RejZoR, I can't do screenshots, but the alert panel that appears when avast shuts down translates as (I use the French version):
              "avast!: the AAVM sub-system has detected an RPC error
                               
                               the operation could not be done"

And after that I can't even open or use a web browser. It's

Concerning the firewall, yes Jarmo you're right, it's working but it doesn't appear on the tray before I get a contact attempt alert.
Then it gives me a panel saying the NT Kernel_System has changed....

The executable has changed since the last time you used: C:\WINDOWS\System32\ntoskrnl.exe
File Version :      5.1.2600.1634
File Description :   NT Kernel & System
File Path :      C:\WINDOWS\System32\ntoskrnl.exe
Process ID :      0x4 (Heximal) 4 (Decimal)

Connection origin :   local initiated
Protocol :      UDP
Local Address :    192.168.1.102
Local Port :      138
Remote Name :         
Remote Address :   192.168.1.255
Remote Port :       138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)

Ethernet packet details:
Ethernet II (Packet Length: 266)
   Destination:    ff-ff-ff-ff-ff-ff
   Source:    00-0e-a6-75-40-b3
Type: IP (0x0800)
Internet Protocol
   Version: 4
   Header Length: 20 bytes
   Flags:
      .0.. = Don't fragment: Not set
      ..0. = More fragments: Not set
   Fragment offset:0
   Time to live: 128
   Protocol: 0x11 (UDP - User Datagram Protocol)
   Header checksum: 0x15b0 (Correct)
   Source: 192.168.1.102
   Destination: 192.168.1.255
User Datagram Protocol
   Source port: 138
   Destination port: 138
   Length: 8
   Checksum: 0x6a8c (Correct)
Data (218 Bytes)

Binary dump of the packet:

Can I still save files without risking saving the virus? I mean, if this thing has gotten through Sygate and Avast, I can't really trust file scans, can I?
Heeeelp!
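
The alert quoted above reports a locally initiated broadcast to UDP port 138, the NetBIOS datagram service. As an added example (not part of the original posts), this Python code decodes the RFC 1002 datagram header and the two encoded NetBIOS names in such a payload, so the sender and the target group can be read from a capture; the sample packet, the host name WORKSTATION1, the group WORKGROUP and the address 192.0.2.10 are constructed for illustration.

```python
import socket
import struct

MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}

def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name: 15 padded chars plus a suffix byte."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"  # label length 32, empty scope

def decode_name(buf: bytes, pos: int):
    """Return (name, suffix, next_pos) for the encoded name starting at pos."""
    if len(buf) < pos + 34 or buf[pos] != 0x20 or buf[pos + 33] != 0:
        raise ValueError("expected a 32-byte encoded name with no scope")
    enc = buf[pos + 1:pos + 33]
    if any(not 0x41 <= b <= 0x50 for b in enc):  # only 'A'..'P' are valid
        raise ValueError("invalid character in encoded name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], pos + 34

def parse_datagram(payload: bytes) -> dict:
    """Parse the UDP payload of a direct or broadcast NetBIOS datagram."""
    if len(payload) < 14:
        raise ValueError("truncated NetBIOS datagram header")
    msg_type, flags, dgm_id, ip, port, length, offset = struct.unpack(
        "!BBH4sHHH", payload[:14])
    if msg_type not in MSG_TYPES:
        raise ValueError("not a direct/broadcast datagram: 0x%02x" % msg_type)
    src, src_sfx, pos = decode_name(payload, 14)
    dst, dst_sfx, pos = decode_name(payload, pos)
    return {
        "type": MSG_TYPES[msg_type],
        "source_ip": socket.inet_ntoa(ip), "source_port": port,
        "source": (src, src_sfx), "dest": (dst, dst_sfx),
        "length_ok": length == len(payload) - 14,  # bytes after the header
        "smb": payload[pos:pos + 4] == b"\xffSMB",  # SMB mailslot data follows
    }

def build_sample() -> bytes:
    """Constructed sample payload (not taken from the thread)."""
    names = encode_name("WORKSTATION1", 0x00) + encode_name("WORKGROUP", 0x1D)
    data = b"\xffSMB" + bytes(28)  # placeholder user data
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234,
                      socket.inet_aton("192.0.2.10"), 138, len(names) + len(data), 0)
    return hdr + names + data

if __name__ == "__main__":
    print(parse_datagram(build_sample()))
```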

Jarmo P

  • Guest
Quote
Concerning the firewall, yes Jarmo you're right, it's working but it doesn't appear on the tray before I get a contact attempt alert.
Then it gives me a panel saying the NT Kernel_System has changed....

That is a normal prompt from Sygate after MS security update patches, no need to worry about that if that is the cause for that prompt.

About viruses, there are more knowledgeable people here, so you just keep asking.
« Last Edit: April 30, 2005, 10:58:27 AM by Jarmo P »

Jarmo P

  • Guest
I think you have SPF packet logging enabled.
I read in SPF forum some posts that doing so is not so recommendable normally.
If Sygate does not start in systray, I really recommend in my limited knowledge you to install 5.5.2710.

And you could also ask in the firewall forum.

cvsa

  • Guest
Try an online scan with another antivirus or install as I did: avast!, my main antivirus, running all the time + a second antivirus (antivir) with the resident scanner disabled that I update every 2 weeks, then scan with the second antivirus every 2 weeks. ;)

altar

  • Guest
Thanks Jarmo, what does having "SPF packet logging enabled" mean?

Does anybody know what exactly this Win32 Trojan-gen UPX does to the computer?

Why can't Avast start, why does it shut down after a few minutes if I start it manually?
Has anyone seen a message like this before:
                      "avast!: the AAVM sub-system has detected an RPC error
                               
                                 the operation could not be done"

Jarmo P

  • Guest
Usually just security log and traffic log and system log are enabled.
The dump you gave made me suspect you have enabled also the Packet log. It takes resources, and I refer to those few posts I have read in SPF forum.
You can disable it from 'Tools/Options/Log'


altar

  • Guest
No "full packet logging" isn't enabled, security, system and traffic logs are.

altar

  • Guest
Why is avast not working?
I've used it for 10 months without a problem.
Does anybody know what exactly this Win32 Trojan-gen UPX does to the computer?
Has anyone seen a message like this before:
                      "avast!: the AAVM sub-system has detected an RPC error
                               
                                 the operation could not be done"

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Has anyone seen a message like this before: "avast!: the AAVM sub-system has detected an RPC error the operation could not be done"

RPC error is generally related to other antivirus present or, at least, firewall blocking.

Anyway, RPC error is most likely corrected by this procedure:
Go to Control Panel > Add/Remove programs > avast! antivirus > Remove
Then choose Repair function in the pop up window (Repair).

If this does not help, can you uninstall / boot / install / boot again?
The best things in life are free.

altar

  • Guest
Repair didn't work so I re-installed. Hope it solves the problem.
Is it possible that Trojan-gen UPX corrupted avast? It's quite a coincidence that it came up in a full scan I did after seeing avast wasn't working anymore...
By the way, do you advise setting the protection level to normal or high?
« Last Edit: April 30, 2005, 03:23:42 PM by altar »