Thread: All systems active yet, the firewall has blocked 0 access attempts

  1. #1
    marzbarz Guest

    All systems active yet, the firewall has blocked 0 access attempts

    Hi "?"
    I have been using Zone (free) since 2003, and in November of 2006, after realizing security was an issue within my o/s, I purchased Zone Alarm Security Suite.
    In January I went on a crusade endeavoring to find what the heck was holding my o/s hostage; finding photos edited, files missing and then reappearing, and unexplained programs appearing in Zone and Process Guard sent me into a PC research rendezvous.
    The cops lent little help, my cell phone was hijacked as well- I still think that they got into my pc through my unprotected browser on my cell phone equipped (stupidly) with MSN. NEVER AGAIN. Corporate Bell insists that I had to have been responsible for the hundred page Bell Mobility bill, literally every minute of every hour either a text or browser entry.... I asked the cops "and when exactly would I have slept and eaten?" But, to get on with my query...
    I would like to get more information in regards to my Zone Alarm Security Suite 7.0.
    Kl1 and KLIF:
    In regedit there are key values that appear to disable updates; the drivers in question are Kaspersky, using zonelabs/avsbases as its path to execute.
    There were key values assigning permissions for these two drivers and for Mail Frontier that just appeared with a new install. (In the months of Jan and Feb my system crashed a few times; after one of these times this Mail Frontier began monitoring the system, but the certificate belonged to Cisco, and not Checkpoint, yet it was in the Zone Labs Zass 7.0 program files on my pc.)
    And that's only what I can recall off the top of my head. There are many, many other curious objects and behaviors.
    I deleted these values after researching the system and realizing that they (Kl1 and KLIF) are remote access drivers. At the very least, the results of intense study of my o/s over the past two months correspond with the computer nightmare after a successful attack in January, where police and credit card fraud were all involved.
    There have been a lot of things that don't make sense, and since I am a newbie, it's a whole new world, one that usually has me asking more questions every time I seek an answer....lol

    I have not been able to administer my 7.0 Suite version... probably at all this year; it continually resets itself even without a boot, it does not maintain my configuration settings, and most worrisome is my inability to access parts of the control center. Interestingly enough, I was informed by a forum member that the firewall's reports of having blocked 0 access attempts could be due to the installation of a D-Link router. I am going to check into this.
    I have been using Process Guard v3.150 for the past three months; is there any information regarding conflicts between Zass and it?

    I know that I will be installing a new Windows XP Home full version in the next week or two. I am hoping that that will be the end of this. I have used Zass since 2003 and really commend the product; I am certain that what's going on right now is an effect of, and not the cause of, the nightmare of a system under siege.
    Unfortunately at the moment I am unable to access the console management, and I am relatively new to the tech side of my pc, so please bear with my layman's knowledge.

    Thank you for any info you could provide in regards to what I should and should not do to avoid contaminating the new windows O/S so I can get onto Internet security with a stable Zone Alarm Security Suite.
    Thank you,
    Windows XP Pro,
    Dsl internet connection w/
    Ethernet broadband router
    Zass 7.0
    Process Guard v3.150
    Mozilla Firefox 2.0 and Thunderbird 1.8

    "Finding answers leads me to bigger questions...LOVE IT!"
    Marzbarz

    Message Edited by Marzbarz on 03-10-2007 02:37 AM

    Message Edited by Marzbarz on 03-10-2007 02:39 AM

  2. #2
    Join Date: Nov 2004 | Location: localhost | Posts: 17,288

    Re: All systems active yet, the firewall has blocked 0 access attempts

    Wouldn't it be good to have a reformat of your system and install a fresh and clean version of the OS?
    Update your OS with the XP firewall ON and then install ZASS (latest version).

    Or if you want, you could examine your system with the help of security experts:

    First read here and follow the mandatory steps:
    http://www.castlecops.com/t102301-Hi...e_Posting.html
    and then post your Hijackthis log here:
    http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    How do you connect to the internet? Via a router? Have you changed the default password?
    If connecting via WIFI (wireless), is your connection protected with WPA encryption?

    Fax

    Message Edited by fax on 03-08-2007 03:46 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    marzbarz Guest

    Re: All systems active yet, the firewall has blocked 0 access attempts

    ---- fax wrote: ----
    Wouldn't it be good to have a reformat of your system and install a fresh and clean version of the OS?
    Update your OS with the XP firewall ON and then install ZASS (latest version).

    Or if you want, you could examine your system with the help of security experts:

    First read here and follow the mandatory steps:
    http://www.castlecops.com/t102301-Hi...e_Posting.html
    and then post your Hijackthis log here:
    http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    How do you connect to the internet? Via a router? Have you changed the default password?
    If connecting via WIFI (wireless), is your connection protected with WPA encryption?

    Fax

    Message Edited by fax on 03-08-2007 03:46 AM
    ----


    Thank you Fax for the sites info, I will check them out.

    I bought an Ethernet broadband router in February, and a friend configured it for me. I do not recall anything regarding WPA encryption. Yes, the password was changed, but I failed to mention that I have found many, many probable causes as to why my Zone Alarm as well as other software is responding the way it is... i.e. I found a driver: Kl1 & KLIF, IPnIP tunnel driver linked to a SCSI miniport- Aha154x, Starwind server service, and much more data that is remote access and networking specific; now one can say maybe these are installed with the o/s by default, but I think if this was the case then there would not be registry key values outlining the associated permissions and parameters etc.

    I have always used Zone Alarm, I really like the UI, but I can't help being concerned about the fact that it shows not having had to block even one access attempt for the past three or four weeks.
    FAX:
    *That was an interesting point of view you brought up about the router possibly cutting access off at the path, I should have figured that one out....(shakes head)

    I am unable to configure certain parts of it, as in the junk mail filter: I try to turn it off, and the next time I open it up it has just reset itself to be on. It would be different if this happened during a re-boot, but no.... and I can't even access some of the advanced settings; I click on these and nothing happens.

    The Mail Frontier properties don't make sense to me- instmtdr.exe / C:\program files\zone labs\zonealarm / digitally signed by SonicWall Inc.; with no time stamp-????????????? Is this legitimately part of Zass?

    Other curious security alerts that include;

    C:\WINDOWS\system32\services.exe attempted to spawn a new process- doesn't sound tooooooooooo ominous......... until I see that PROCESS GUARD is involved.

    [For anyone who might be interested: Process Guard 'LOCAL POLICE FOR YOUR OPERATING SYSTEM' has to be one of the best online purchases (Zass aside...)
    The UI is CLEAN AND DIRECT, COMPLETE WITH COMPREHENSIVE HELP FILES. The information logs it generates really help in targeting troubles. The control is significant, and the nifty little feature they call "Secure message handling" is annoying but practical for absolute knowledge that only you can close programs using HID.] The free version is available at: http://www.diamonds.com.au
    "Just my two cents... lol" No, I am not a spokesperson, just a firm believer.

    TO SAY THE LEAST ANY PROGRAM MESSING WITH PROCESS GUARD IS GOING TO HAVE MY FULL ATTENTION.
    This is the ZA Smart defense info;

    Services and Controller app is trying to create a new process.
    ZoneAlarm Security Suite is asking you whether to allow this behavior. Your computer is safe.

    Inside the OSFirewall alert

    Alert property  | Alert property value                          | Technical explanation
    Program Name    | Services and Controller app                   | A program running on your computer, which attempted an action that was detected by the OSFirewall.
    Filename        | C:\WINDOWS\system32\services.exe              | The filename of the program that ZoneAlarm Security Suite found on your computer.
    Program Size    | 108032                                        | The size of the program executable file in bytes.
    Program MD5     | c6ce6eec82f187615d1002bb3bb50ed4              | The MD5 hash, or number, that uniquely identifies the executable.
    Smart Checksum  | 6199d4043063c57a569de9250d7ad829              | The SKIMP hash, or number, that uniquely identifies the executable.
    Date Modified   | Aug-03-2004 05:56:56 PM                       | The date when C:\WINDOWS\system32\services.exe was most recently modified.
    Event Type      | Process                                       | The event involved starting or terminating a thread or process.
    Sub Event Type  | SpawnProcess                                  | Services and Controller app attempted to spawn a new process.
    Process Name    | C:\PROGRAM FILES\PROCESSGUARD\DCSUSERPROT.EXE | The name (including path) of the process being spawned.


    Here's another; SpawnProcess

    Description: Generic Host Process for Win32 Services was trying to load the driver: \Registry\Machine\System\CurrentControlSet\Services\Rdbss
    Rating: High
    Date / Time: 2007/03/10 02:58:06 -5:00 GMT
    Type: Driver
    Subtype: Load Driver
    Data: \Registry\Machine\System\CurrentControlSet\Services\Rdbss
    Program: C:\WINDOWS\system32\svchost.exe
    Action Taken:
    Count: 1

    I know for a fact that this one is a driver named Redbook and is affiliated with one of the many remote access ports and driver services I have identified but am unable to kill.

    So that being said, will using something quite radical to wipe out the hard drive result in successfully being able to re-use the same computer and hardware components with an entirely new software O/S? Or is this just going to be a playground for the remote network that has administrative rights that supersede mine to continue the siege?

    I left the computer up and running / internet engaged last night; when I opened Zone Alarm this morning all the settings had gone to question marks in the programs control page, which may be a good thing if the settings were just completely out of whack, but I don't really think it's that.
    I have un-installed and re-installed Zone Alarm Security Suite at least eight to ten times since early January (using newly downloaded versions each time so as to avoid re-installing the same problems over and over again..... But hey, I am learning tons.)

    Thoughts?.... Concepts? I could really use some experienced knowledge here;
    Everyone's two cents just might make a looney out of me!!!!!!! ?????????

    Message Edited by Marzbarz on 03-10-2007 05:07 AM

  4. #4
    Join Date: Nov 2004 | Location: localhost | Posts: 17,288

    Re: All systems active yet, the firewall has blocked 0 access attempts

    Hi!
    You find more info on WPA here: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

    After you have installed your fresh OS remember to activate its firewall, then fully patch the system via Windows Update....
    After that just install ZASS 7 and all the rest of the applications....

    Check the name and brand of your router; most probably it does NAT and/or it incorporates a firewall (inbound protection), which would explain why ZA is reporting 0 intrusions.
    Your router actually blocked the intrusions and not ZASS. The ZASS firewall will still protect your system from unsolicited outbound connections + AV/AS and the other features...

    There are many online guides on how to secure Windows XP, like this http://www.windowsecurity.com/articl...own_Guide.html, this http://www.markusjansson.net/exp.html or this http://tweakhound.com/xp/security/page_1.htm. Just google it and you will find a lot of information.

    Cheers,
    Fax


  5. #5
    marzbarz Guest

    Re: All systems active yet, the firewall has blocked 0 access attempts

    ---- fax wrote: ----
    Hi!
    You find more info on WPA here: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

    After you have installed your fresh OS remember to activate its firewall, then fully patch the system via Windows Update....
    After that just install ZASS 7 and all the rest of the applications....

    Check the name and brand of your router; most probably it does NAT and/or it incorporates a firewall (inbound protection), which would explain why ZA is reporting 0 intrusions.
    Your router actually blocked the intrusions and not ZASS. The ZASS firewall will still protect your system from unsolicited outbound connections + AV/AS and the other features...

    There are many online guides on how to secure Windows XP, like this http://www.windowsecurity.com/articl...own_Guide.html, this http://www.markusjansson.net/exp.html or this http://tweakhound.com/xp/security/page_1.htm. Just google it and you will find a lot of information.

    Cheers,
    Fax
    ----
    Thank you for the smashing site lists, I have a ton of reading to do!
    I edited the original post, adding specific information; I am interested in finding out what other Zass users' take is on the alerts and info.
    Again, many thanks.
    Marzbarz

  6. #6
    Join Date: Nov 2004 | Location: localhost | Posts: 17,288

    Re: All systems active yet, the firewall has blocked 0 access attempts

    Hi!
    Reading back my message I have realised that I forgot to include an important piece of information....
    Kl1 and Klif are legitimate processes and they are installed by ZASS 7. They are part of the Kaspersky Antivirus engine that is now integrated into ZASS 7. Previous versions of ZASS did not have these two services (the AV engine was supplied by Computer Associates).
    Klif (klif.sys) and Kl1 (kl1.sys) are essential system files and should not be removed...
    Please also note that the current ZASS 7 has this known issue: http://forum.zonelabs.org/zonelabs/b...ssage.id=61385
    It will be fixed in the next build of ZASS 7.
    Hope this helps.
    Fax


  7. #7
    marzbarz Guest

    Re: All systems active yet, the firewall has blocked 0 access attempts

    ---- fax wrote: ----
    Wouldn't it be good to have a reformat of your system and install a fresh and clean version of the OS?
    Update your OS with the XP firewall ON and then install ZASS (latest version).

    Or if you want, you could examine your system with the help of security experts:

    First read here and follow the mandatory steps:
    http://www.castlecops.com/t102301-Hi...e_Posting.html
    and then post your Hijackthis log here:
    http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    How do you connect to the internet? Via a router? Have you changed the default password?
    If connecting via WIFI (wireless), is your connection protected with WPA encryption?

    Fax

    Message Edited by fax on 03-08-2007 03:46 AM
    ----
    Sorry Fax,

    I responded to this post while I was editing the original post... I had a lot of info to add so I thought it would be better to make the first post all-inclusive- keep the info together.
    The links are truly terrific. TKZ

  8. #8
    marzbarz Guest

    Re: All systems active yet, the firewall has blocked 0 access attempts

    I had my system scanned by CastleCops, (THANK YOU)
    Sorry all, I have lots to learn, and at the moment it's apparent...lol

    Message Edited by Marzbarz on 03-12-2007 10:31 AM

  9. #9
    Join Date: Nov 2004 | Location: localhost | Posts: 17,288

    Re: All systems active yet, the firewall has blocked 0 access attempts

    Hi!
    Something is wrong in your post: you actually posted the version history of HijackThis... not your log.
    Why not attach directly the link to your message in CastleCops?
    Thanks,
    Fax


  10. #10
    marzbarz Guest

    Re: All systems active yet, the firewall has blocked 0 access attempts

    That's a good idea, when I posted that I was kind of in shock at what I was learning from CastleCops about the system corruption, and I actually posted that in order to protect my ability to re-access it.