What is 10.71.128.1 and why does it keep trying to access kernel32.dll?
joea64
11-20-2003, 02:18 AM
I run Sygate Personal Firewall (just upgraded to version 5.5) on my system, and since last night the program has been detecting an odd attempt to access my machine via UDP from a host with the numeric IP address 10.71.128.1. It's trying to contact kernel32.dll on my machine. All I can find out on back-tracing it and doing a whois is that the IP is part of the block assigned to the "blackhole" servers at IANA (Internet Assigned Numbers Authority). I've blocked this IP from accessing the system, but I'm not sure if I'm doing the right thing (it's not a permanent block, so I can go back and turn it off if needed). I'm also wondering if it could be connected with some odd crashes I've been having in Explorer since last night; three times within the last 24 hours, a popup window has come up telling me that Explorer has crashed, but the system then hangs requiring me to hit the reset button (this has been preceded by sluggish response in my browser window). I've run Spybot-S&D just an hour or so ago to look for spyware and cleaned out several possible agents, but right now I'm not sure what's going on here. Anyone have any ideas?
-Joe-
P.S. FWIW - or maybe not worth - those Explorer crashes/hangs followed the installation of a new keyboard (the GE "Power Keyboard" which has onboard buttons for power and sleep functions). I pulled that keyboard and replaced it with my old (Memorex) keyboard which doesn't have those "special" buttons. I have no idea if the keyboard swap had anything to do with those Explorer problems.
pave_spectre
11-20-2003, 05:16 AM
10.71.128.1 isn't actually assigned to the servers at IANA (blackhole are just the aliases they give their name servers which have 192.*.*.* addresses.)
The IP range 10.0.0.0 - 10.255.255.255 are part of a reserved addressing space for private schemes that are either not connected to the internet or are connected via proxy or a NAT gateway and as such should not be visible across an external network connection and you should only be seeing the IP address of the 'public' connection which that address is behind. See RFC 1918 (http://www.faqs.org/rfcs/rfc1918.html) for more detail.
How Sygate is detecting a 10 address and what it might be doing is slightly beyond me but unless you have an internal network using 10.*.*.* addresses I would leave it blocked and run a full set of virus, adware and trojan scans.
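The RFC 1918 point above, turned into a defender's triage check (an added example, not code from anyone in this thread): it reads constructed host-firewall log lines in a hypothetical format and flags source addresses that should never be seen arriving from the Internet, treating only a LAN you actually configured (192.168.2.0/24 here, an assumption) as expected.

```python
import ipaddress
import re

# Source blocks that must never arrive from the public Internet: RFC 1918
# private space plus loopback, link-local and the 0.0.0.0/8 "this network" block.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Hypothetical one-packet-per-line log format, constructed for this example:
# "<timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$")

# Constructed sample: the 10.x source from the thread, an ordinary public
# peer, and a DHCP reply from a router on a LAN the host really belongs to.
SAMPLE_LOG = """\
2003-11-20T02:10:01 UDP 10.71.128.1:1025 -> 192.0.2.10:1026 blocked
2003-11-20T02:10:05 TCP 198.51.100.7:3456 -> 192.0.2.10:80 allowed
2003-11-20T02:10:09 UDP 192.168.2.1:67 -> 192.0.2.10:68 allowed
""".splitlines()

def is_bogon_source(ip):
    """True if the address cannot legitimately originate on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETWORKS)

def triage(lines, lan_networks):
    """Label each packet's source 'expected-lan' (inside a LAN the host really
    uses), 'bogon' (reserved space with no business on the wire) or 'public'.
    A bogon hit points at spoofing, a misconfigured upstream device or a local
    process, so the host is what to investigate, not the address."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank line or a line in some other format
        rec = m.groupdict()
        src = ipaddress.ip_address(rec["src"])
        if any(src in lan for lan in lans):
            verdict = "expected-lan"
        elif is_bogon_source(rec["src"]):
            verdict = "bogon"
        else:
            verdict = "public"
        findings.append({**rec, "verdict": verdict})
    return findings
```

For a machine plugged straight into a cable modem with no LAN at all, pass an empty list as `lan_networks` and every private source becomes a bogon hit.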
joea64
11-20-2003, 06:40 AM
I ran Norton Antivirus (freshly updated) and Spybot S&D, but didn't find anything out of order on my system. However, Explorer crashed again, and wouldn't respond to repeated clickings of the "close" button on the gray popup window (it also hung the system again). This time, when Norton Disk Doctor scanned the system, it reported an error in the Sygate Personal Firewall debug.exe file. I conclude that something may have gone wrong with Sygate, so I have turned off that program (risky, I know) and may uninstall it completely (and try reinstalling it). I am also considering the possibility that there is something else wrong with Explorer that cropped up last night; I was able to copy (write) down the information from the error window before I rebooted. I'll be posting it in a different forum because the problem might not after all be security-related.
-Joe-
jeeza
11-20-2003, 05:08 PM
Originally posted by pave_spectre
How Sygate is detecting a 10 address and what it might be doing is slightly beyond me but unless you have an internal network using 10.*.*.* addresses I would leave it blocked and run a full set of virus, adware and trojan scans.
Even if his computer is on an internal network, would it be normal for that other computer to try contacting his own computer's kernel32.dll file ?
joea64
11-20-2003, 06:28 PM
Well, the only network I know of that my computer is connected to is the Comcast broadband network, and this computer (the one I'm writing from now) is the only one connected to that network; I have two other computers in the house but neither of them is networked. I can say that I disabled Sygate Firewall this morning - with a good deal of trepidation, admittedly - and so far today (almost 12 hours at this writing; I rebooted about 5:10 am after the last Explorer crash) my system hasn't hung or crashed and there've been no Explorer glitches. I am not positive yet but I am going to keep monitoring the system and if there is no further trouble overnight I will have to come to the tentative conclusion that there is a problem with Sygate (it's worth noting in this connection that my problems began overnight Tues/Wed when, after I rebooted, Sygate produced a popup message that advised me that a new version of the program was available and asking if I wanted to obtain it.) I will say that this is the first time I've ever seen Sygate act like this, and I'm mystified because, as I said earlier, a virus scan with NAV and a check with Spybot S&D (both currently updated) didn't produce anything - actually, Spybot did turn up some spywares which I deleted but the last crash occurred _after_ that event. I have just run HijackThis, and here is the log of what's currently running on my system:
Logfile of HijackThis v1.95.1
Scan saved at 17:27:49, on 11/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\STARDOCK\SMARTEXCEPTION\SMARTEX.EXE
C:\PROGRAM FILES\COMMON FILES\STARDOCK\SMARTEXCEPTION\MCPSERVER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\STARDOCK\SDMCP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\OPERA7\OPERA.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N2 - Netscape 6: user_pref("browser.startup.homepage", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ewxrp5so.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ewxrp5so.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [SmartException] C:\Program Files\Common Files\Stardock\SmartException\smartex.exe
O4 - HKLM\..\Run: [1A:Stardock MCP] C:\Program Files\Common Files\Stardock\SmartException\mcpserver.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [1A0 Stardock MCP] C:\Program Files\Common Files\Stardock\sdmcp.exe -startup
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37826.6602199074
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
-Joe-
joea64
11-21-2003, 06:31 AM
Since I disabled Sygate Personal Firewall at approximately 5:10 AM yesterday, my system has now been up for a full 24 hours without incident notwithstanding some pretty heavy browsing with Opera last evening. I will watch today to see if anything happens while the system is idle while I'm at work, but for now I think I can provisionally state that Sygate is the possible culprit, for reasons still unknown, in the system troubles I've been having. So....recommendations for alternatives? (I'm looking at hardware alternatives this time)
-Joe-
pave_spectre
11-21-2003, 06:43 AM
You could try reinstalling Sygate and see if the problem goes away or you could switch to Kerio or another firewall.
Or if you have an old machine like a P100 lying around you could go for SmoothWall (http://www.smoothwall.org) if you're on dial-up, or for broadband just find a modem with an inbuilt firewall which I think most have.
joea64
11-21-2003, 06:51 PM
As I'm on broadband, I would look at modems with built-in firewalls, if I could find any (I was in the store today to get some network cable and I didn't see any such modems offhand, though I saw a lot of wireless stuff - much more, in fact, than "traditional" wired networkware). I already have a hardware router with NAT and SPI (the SMC Barricade) on hand, so I don't feel any particular call to spend the extra money at this point. I will probably try setting up the router tonight or tomorrow (and yes, uninstall Sygate); I don't think I've heard of Kerio before - do you have a link for it?
-Joe-
P.S. I'm pretty certain now that Sygate, in whatever way it might have decided to glitch, was the source of the Explorer crashes, because my system has now been up for 36.5 hours since last reboot without a problem (remember, the Explorer crashes all occurred within 4 to 10 hours after boot).
P.P.S. I do have an older system (PII 333 Overdrive, Windows 95) with a dialup connection, so I'll take a look at Smoothwall for that machine.
pave_spectre
11-22-2003, 01:06 AM
I run a smoothwall box as my internet firewall/gateway on dialup (works for broadband as well) but I still use Sygate to keep an eye on programs that are trying to connect.
Kerio is HERE (http://www.kerio.com/us/kerio.html).
I too would give Kerio a try first.....
joea64
11-22-2003, 10:46 AM
I set up the SMC Barricade router about 45 minutes ago and so far it seems to be working well. I had to do a bit of fiddling to enable the firewall (turns out it's not enabled automatically, you have to go into Advanced Setup to turn on the firewall), and when I log on to setup via Opera, it keeps claiming the firewall is disabled - however, when I log on to setup via Netscape or IE, the firewall is listed as enabled. I don't know quite what to make of that. I'll take a look at Smoothwall and Kerio. My system ran for 51+ hours without a fault (except when Opera choked on a webpage) once I disabled Sygate, so until/unless I find out why Sygate crashed Explorer repeatedly, I'll probably leave that program turned off and try one of the other alternatives.
-Joe-
Sure sounds like Sygate doesn't like something on your machine, so yeah, leave it off. Actually, I would go ahead and uninstall it. If you have the router firewall enabled, you have some breathing room, but it won't provide much if anything in the way of outbound protection.
joea64
11-22-2003, 01:07 PM
I know it. The inbound firewall is definitely enabled, and it's been put to work already so I'm OK on that side, but until I can find a better solution I'm going to have to run AdAware/Spybot regularly to clean out spywares, which is about as much as I know how to do to protect the outgoing connection.
-Joe-
Budfred
11-22-2003, 01:15 PM
Spyware scanners won't protect you from a lot of hijackers and other scumware... I am unclear why you can't use Kerio or some other option, even though you can't use Sygate...
joea64
11-22-2003, 02:20 PM
Because I'm gun-shy after the experience I had this week. I freely admit to being chicken, but if one software firewall did such nasty things to my system's core, what might other software firewalls not do? Frankly, right now I just don't have a lot of trust in those programs not to crash my system or to eat up scads of system resources. That being said, after I simmer down some, I'll try Kerio (I believe I downloaded the trial version this morning).
-Joe-