Author Topic: Worried PC Noob [Resolved]  (Read 6185 times)
Greywinter
Newbie
« on: July 01, 2008, 05:04:59 PM »

Hi all, really hoping that someone can assist me with this as I'm beginning to get a little worried now that my Internet connection is being used to do some iffy stuff.

When I connect to Firefox v3.0, Comodo lists Firefox in the connections activity section, which all in all isn't a problem. What is concerning me is that it quite often lists it 17-18 times and my internet connection has dropped from a nice 13 meg connection to half a meg.

The source ports never appear to be the same and the destinations all appear to be different also. Have run various spyware/malware programs and virus scanned and done a rootkit scan, but they can't seem to locate anything.

Not sure what additional information I might need to provide (hence the noob bit) but will be happy to provide what ever is needed.

Pls pls some kind soul come save me from this as it's driving me bananas.

Jonie

« Last Edit: July 04, 2008, 02:12:12 PM by grue155 »
Goose19
Comodo's Hero
« Reply #1 on: July 01, 2008, 05:12:27 PM »

I can't help you too much as I'm not as experienced as most forum members, but first off: when a 13 meg line drops to half a meg it could be the result of a DoS/DDoS (http://en.wikipedia.org/wiki/Denial-of-service_attack), but if you're behind a router with a hardware firewall like most Linksys and Netgear routers have, I believe they would protect you from the majority of a DoS. I'm not saying that you are getting a DoS, but I'm just stating that the internet speed drop happens once a DoS happens. I'm positive within a few hours someone a lot more experienced will add another post to help you out. Good luck with everything and hopefully nothing suspicious is going on.
Greywinter
Newbie
« Reply #2 on: July 01, 2008, 05:19:18 PM »

Thanks Goose, you and me both.

I guess my big concern is all these connections flying out. Used to seeing 3-5 connections showing in the logs, but not 17-18. Have contacted my IP and to be honest they have been kinda vague on the subject: "Run virus scan, we will check the server."

I have 2 comps running off the same modem and both are suffering drastic speed losses. Just did a Malwarebytes scan enclosed.

Malwarebytes' Anti-Malware 1.19
Database version: 912
Windows 5.1.2600 Service Pack 3

23:07:04 01/07/2008
mbam-log-7-1-2008 (23-07-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 123490
Time elapsed: 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And a HijackThis test.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:17, on 01/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\Program Files\COMODO\Memory Firewall\cmf.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [COMODO Memory Firewall] "C:\Program Files\COMODO\Memory Firewall\cmf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: [at]xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: [at]C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: [at]C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148629314602
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148640560843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7865 bytes

Hope that's some more help.

Jonie
sded
Guest
« Reply #3 on: July 01, 2008, 05:24:29 PM »

What browser are you using? A web page is actually a mosaic of internet connections for the various items on the page. Each frame, and sometimes each subframe, needs to get data independently in some cases, so you get connections for ads, pictures, news items, ... so the whole page can be assembled for you simultaneously. If you look at the source code for the page with the browser, you can usually see some of the callouts for data from other servers and URLs. And TCP connections usually persist for a while, so even if no data is currently being passed they don't go away immediately. How do you know that the connection has dropped to .5mbps vs .5mbps for each connection?
grue155
Global Moderator
Comodo's Hero
« Reply #4 on: July 01, 2008, 05:24:54 PM »

A couple of questions first off...

You've posted in the CFP v2 forum. I want to confirm that you're running CFP v2.4, and not v3.

Have you checked the CFP log? In v2.4, click Activity -> Logs. In v3, Firewall -> Common Tasks, View Firewall Events. If you're unsure of how to interpret the logs, you can post the logs here.

Are you running any p2p or other filesharing programs? If so, you could be seeing some upstream ISP doing some network throttling.
Greywinter
Newbie
« Reply #5 on: July 01, 2008, 05:34:45 PM »

Quote from sded: What browser are you using?

Okay, I'm using Firefox version 3.0 as my browser, though tbh have also tried this with IE7 and the results appear to be the same drastic speed loss. Just did a ping test also, thanks to the advice of someone else, and appear to be dropping the odd packet here and there also.

The test was done at http://www.broadbandspeedchecker.co.uk/ and I have had a stable 13 meg connection for about 3 months now; only as of today has it plummeted to horrible chuggy speeds.

Quote from grue155: Have you checked the CFP log?

I'm pretty sure it's version 2.4, though I have no idea how to get the log file into a postable format. I'm not, as far as I'm aware, running any p2p stuff (or should I say if I am then I don't know how).

Thanks for this guys, tbh have never had to deal with anything like this before and I'm really grateful for the help.

Jonie
grue155
Global Moderator
Comodo's Hero
« Reply #6 on: July 01, 2008, 05:44:25 PM »

Have you checked by using "tracert" to a known location, like www.google.com? If there is some kind of ISP network problem, it'll show the slowdown in the router timings.

Your HJT log doesn't show any p2p software running. You actually seem to be running a very clean machine.

As to the CFP version, if you open the tray icon, and you're presented with a mostly blue window with an About in the upper right corner, you can press the About and it'll likely tell you v2.4. If it's not mostly blue, then you'll need to click Miscellaneous, then About, and it'll likely tell you v3.
Greywinter
Newbie
« Reply #7 on: July 01, 2008, 05:53:46 PM »

Thanks for the fast reply, yeah, it's 2.4.

Here's the tracert log.

Traceroute
Result for www.google.com:

traceroute: Warning: www.google.com has multiple addresses; using 66.249.93.104
traceroute to www.l.google.com (66.249.93.104), 64 hops max, 40 byte packets
 1  giga-2.enst.fr (137.194.2.254)  0.426 ms  0.402 ms  0.381 ms
 2  gw-enst-itix1-100m.enst.fr (137.194.4.253)  1.095 ms  0.631 ms  0.983 ms
 3  gi9-48.228.ccr01.par04.atlas.cogentco.com (149.6.164.1)  1.553 ms  2.064 ms  1.713 ms
 4  te1-3.mpd02.par01.atlas.cogentco.com (130.117.2.94)  6.446 ms
    te1-3.ccr01.par01.atlas.cogentco.com (130.117.2.21)  2.733 ms  2.522 ms
 5  te7-7.mpd02.lon01.atlas.cogentco.com (130.117.2.6)  11.443 ms  10.736 ms
    te9-7.mpd02.lon01.atlas.cogentco.com (130.117.3.134)  11.530 ms
 6  te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225)  11.053 ms
    vl3493.mpd01.lon01.atlas.cogentco.com (130.117.2.17)  16.183 ms
    te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225)  10.715 ms
 7  72.14.198.37 (72.14.198.37)  10.856 ms  10.461 ms  10.834 ms
 8  209.85.252.42 (209.85.252.42)  11.217 ms  10.602 ms  10.476 ms
 9  216.239.43.123 (216.239.43.123)  22.327 ms  22.207 ms  21.564 ms
10  72.14.233.77 (72.14.233.77)  23.234 ms  23.078 ms
    72.14.233.79 (72.14.233.79)  23.669 ms
11  216.239.47.25 (216.239.47.25)  23.635 ms
    66.249.94.54 (66.249.94.54)  26.423 ms
    216.239.47.25 (216.239.47.25)  25.176 ms
12  ug-in-f104.google.com (66.249.93.104)  28.249 ms  27.712 ms  24.460 ms

Looks like a load of gibberish to me.

Jonie
grue155
Global Moderator
Comodo's Hero
« Reply #8 on: July 01, 2008, 06:00:37 PM »

That's okay. I speak gibberish, in several dialects. Tracert is showing normal traffic flow, with a little bit of delay in hop 8. Not enough to be any kind of problem, especially not as you're describing.

Let's see what's in the CFP log. Click Activity -> Logs, then right click anywhere in the log itself. That will let you export to HTML, saved as a file which you can post here.
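To make the hop-by-hop reading grue155 gives above repeatable, here is an added Python example (not part of the thread and not Comodo's code) that parses Unix traceroute output in the format Greywinter posted, including the indented continuation lines for hops that answered from more than one router, and flags hops where the best round-trip time steps up by more than a threshold or where probes timed out. The first sample is the traceroute from the thread; the second, with documentation addresses, is constructed to show a dead hop.

```python
import re
from dataclasses import dataclass, field

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")      # line opening a hop: "12  host (ip)  t ms ..."
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")   # "name (ip)" for one responder
RTT_RE = re.compile(r"([\d.]+)\s*ms")           # one probe reply time

# The traceroute output posted in this thread (Greywinter's run to www.google.com).
SAMPLE = """\
traceroute to www.l.google.com (66.249.93.104), 64 hops max, 40 byte packets
 1  giga-2.enst.fr (137.194.2.254)  0.426 ms  0.402 ms  0.381 ms
 2  gw-enst-itix1-100m.enst.fr (137.194.4.253)  1.095 ms  0.631 ms  0.983 ms
 3  gi9-48.228.ccr01.par04.atlas.cogentco.com (149.6.164.1)  1.553 ms  2.064 ms  1.713 ms
 4  te1-3.mpd02.par01.atlas.cogentco.com (130.117.2.94)  6.446 ms
    te1-3.ccr01.par01.atlas.cogentco.com (130.117.2.21)  2.733 ms  2.522 ms
 5  te7-7.mpd02.lon01.atlas.cogentco.com (130.117.2.6)  11.443 ms  10.736 ms
    te9-7.mpd02.lon01.atlas.cogentco.com (130.117.3.134)  11.530 ms
 6  te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225)  11.053 ms
    vl3493.mpd01.lon01.atlas.cogentco.com (130.117.2.17)  16.183 ms
    te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225)  10.715 ms
 7  72.14.198.37 (72.14.198.37)  10.856 ms  10.461 ms  10.834 ms
 8  209.85.252.42 (209.85.252.42)  11.217 ms  10.602 ms  10.476 ms
 9  216.239.43.123 (216.239.43.123)  22.327 ms  22.207 ms  21.564 ms
10  72.14.233.77 (72.14.233.77)  23.234 ms  23.078 ms
    72.14.233.79 (72.14.233.79)  23.669 ms
11  216.239.47.25 (216.239.47.25)  23.635 ms
    66.249.94.54 (66.249.94.54)  26.423 ms
    216.239.47.25 (216.239.47.25)  25.176 ms
12  ug-in-f104.google.com (66.249.93.104)  28.249 ms  27.712 ms  24.460 ms
"""

# Constructed excerpt (not from the thread) with an unresponsive hop; RFC 5737 addresses.
LOSSY = """\
 1  gw.example.net (192.0.2.1)  1.000 ms  1.100 ms  0.900 ms
 2  * * *
 3  core.example.net (198.51.100.7)  45.000 ms  44.500 ms  46.100 ms
"""

@dataclass
class Hop:
    number: int
    hosts: list = field(default_factory=list)  # distinct (name, ip) responders
    rtts: list = field(default_factory=list)   # every probe reply, in ms
    timeouts: int = 0                          # probes answered with '*'

def parse_traceroute(text):
    """Parse Unix traceroute output into Hop objects. A line starting with a hop
    number opens a hop; an indented line without a number (hops 4, 5, 6, 10 and
    11 above) continues the previous hop with another responder and its times."""
    hops = []
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("traceroute"):
            continue                      # blank or header line
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1))))
            body = m.group(2)
        elif not hops:
            continue                      # stray text before the first hop
        hop = hops[-1]
        for name, ip in HOST_RE.findall(body):
            if (name, ip) not in hop.hosts:
                hop.hosts.append((name, ip))
        # strip "name (ip)" first so digits inside addresses are never read as times
        hop.rtts.extend(float(t) for t in RTT_RE.findall(HOST_RE.sub("", body)))
        hop.timeouts += body.count("*")
    return hops

def analyse(hops, jump_ms=10.0):
    """Return (hop, kind, value) findings: hops that lost probes, and hops whose
    best (minimum) RTT rises more than jump_ms over the previous responding hop.
    One slow reply usually means a router deprioritised ICMP; a step in the
    minimum is a real change on the path."""
    findings = []
    prev_best = 0.0
    for hop in hops:
        if hop.timeouts:
            findings.append((hop.number, "timeouts", float(hop.timeouts)))
        if not hop.rtts:
            continue
        best = min(hop.rtts)
        delta = round(best - prev_best, 3)
        if delta > jump_ms:
            findings.append((hop.number, "latency jump", delta))
        prev_best = best
    return findings

def report(text, jump_ms=10.0):
    """One line per hop plus the findings, as a string."""
    hops = parse_traceroute(text)
    out = []
    for hop in hops:
        best = f"{min(hop.rtts):.3f} ms" if hop.rtts else "no reply"
        out.append(f"hop {hop.number:2d}  best {best:>12}  via {', '.join(ip for _, ip in hop.hosts) or '*'}")
    out.extend(f"  -> hop {n}: {kind} ({value})" for n, kind, value in analyse(hops, jump_ms))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE) + "\n\n" + report(LOSSY))
```

On the thread's own trace the only flagged hop is the step from hop 8 to hop 9, about 11 ms, which matches the moderator's reading that nothing on the path explains a 13 meg line falling to half a meg.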
Greywinter
Newbie
« Reply #9 on: July 01, 2008, 06:08:22 PM »

Glad you do, as there's a cold soda's chance in hell of me understanding it.

Ok here we go, and it's not a small file.

COMODO Firewall Pro Logs

        

Date Created: 00:03:42 02-07-2008


Log Scope:: Today
        

Date/Time :2008-07-02 00:02:43
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol =  IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.65
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5

Date/Time :2008-07-02 00:02:40
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.65::ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 00:02:28
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 87.248.212.8::http(80)
Details: C:\WINDOWS\system32\svchost.exe contains 2 components to be approved
Components: c:\WINDOWS\system32\qmgr.dll
C:\WINDOWS\system32\qmgrprxy.dll

Date/Time :2008-07-02 00:01:31
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 87.248.212.8::http(80)
Details: C:\WINDOWS\system32\mmc.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:48
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:59:41
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 207.46.19.254::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:40
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:09
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.65::dhcp(68)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:56:53
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.123::8095
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\dcpr.dll

Date/Time :2008-07-01 23:56:43
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:56:25
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 11 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\client\jvm.dll
C:\Program Files\Java\jre1.5.0_07\bin\hpi.dll
C:\Program Files\Java\jre1.5.0_07\bin\verify.dll
C:\Program Files\Java\jre1.5.0_07\bin\java.dll
C:\Program Files\Java\jre1.5.0_07\bin\zip.dll
C:\Program Files\Java\jre1.5.0_07\bin\awt.dll
C:\WINDOWS\system32\d3dim700.dll
C:\Program Files\Java\jre1.5.0_07\bin\fontmanager.dll
C:\Program Files\Java\jre1.5.0_07\bin\deploy.dll
C:\Program Files\Java\jre1.5.0_07\bin\RegUtils.dll
C:\Program Files\Java\jre1.5.0_07\bin\net.dll

Date/Time :2008-07-01 23:56:21
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.130::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 2 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\jpinscp.dll
C:\Program Files\Java\jre1.5.0_07\bin\jpishare.dll

Date/Time :2008-07-01 23:56:21
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.130::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 2 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\NPOJI610.dll
C:\Program Files\Java\jre1.5.0_07\bin\jpioji.dll

Date/Time :2008-07-01 23:51:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1845
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1844
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1843
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1842
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1841
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1840
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1839
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1838
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1837
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1836
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1835
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:31:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:19:43
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:19:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 199.232.43.137::http(80)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe has modified the the User interface of C:\Program Files\Mozilla Firefox\firefox.exe by sending special Window messages.

Date/Time :2008-07-01 23:19:36
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe has modified the the User interface of C:\Program Files\Mozilla Firefox\firefox.exe by sending special Window messages.

Date/Time :2008-07-01 23:19:33
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (HijackThis.exe)
Application: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\wbem\wbemdisp.dll

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1767
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1766
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1765
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1764
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1763
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1762
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1761
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1760
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1759
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1758
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1757
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:11:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:09:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:06:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:05:47
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 216.35.19.134::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\Macromed\Common\SwSupport.dll

Date/Time :2008-07-01 23:05:47
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

Date/Time :2008-07-01 22:51:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1646
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1645
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1644
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1643
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1642
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1641
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1640
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1639
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1638
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1637
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1636
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:31:01
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1573
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1572
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1571
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1570
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1569
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1568
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1567
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1566
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1565
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1564
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1563
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:11:53
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:11:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:10:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:08:30
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 22:06:21
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:20
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 22:06:16
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 21:58:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:55:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248:  :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 21:54:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:28
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:03
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:53:58
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:53:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 72.5.167.152, Port = 1769)
Protocol: TCP Incoming
Source: 72.5.167.152:http(80)
Destination: 192.168.1.65:1769
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1453
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1452
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1451
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1450
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1449
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1448
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1447
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1446
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1445
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1444
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1443
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:46:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:192.168.1.254:  :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:127.0.0.1:  :1660)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::1660

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:127.0.0.1:  :1658)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::1658

This is not the full day's file; wouldn't want to cripple a server.

Jonie
grue155
Global Moderator
Comodo's Hero
Posts: 1172



« Reply #10 on: July 01, 2008, 06:23:38 PM »

There are a couple of interesting things in that portion of the log. Nothing dangerous, just some things that can be streamlined a little.

One thing of note though, which would show itself as a network slowdown, is that Firefox is being denied DNS queries to your router. That will cause a hang until a timeout occurs, which will look for all the world as a network that is seriously wedged.

So, let's see what rules are in place for Firefox. In CFP, click Security -> Application Monitor. There are likely several lines for firefox.exe. I'll need to know what those lines are: destination, port, protocol, allow or block. It's port 53 for UDP that I'm looking for, in particular.

From your log, I take it your router is at 192.168.1.254, and some other device on your LAN is at 192.168.1.64, with your machine at 192.168.1.65. Am I reading that correctly?
Greywinter
Newbie
Posts: 10


« Reply #11 on: July 01, 2008, 06:38:56 PM »

OK, as far as I can see there is only one entry for Firefox in the security section.

Firefox.exe
Destination (any)
Port (any)
Protocol (TCP/UDP In/Out)
Permission (check)

Can only see that one showing.

Jonie
grue155
Global Moderator
Comodo's Hero
Posts: 1172



« Reply #12 on: July 01, 2008, 07:01:29 PM »

Odd, as this entry shows a block:
Quote:
Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:192.168.1.254:  :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)

No matter. There are some other things that can be done, which should streamline things a bit.

First, I want to define two network zones. Click Security -> Tasks, Add/Remove/Modify Zone. We'll create two new zones.

First is zone "MyLAN". Starting address is 192.168.1.0, ending at 192.168.1.255.

Second is zone "Multicast". Starting address is 224.0.0.0, ending at 239.255.255.255.

MyLAN is almost exactly the same as your existing zone definition, except that it includes the end point addresses x.0 and x.255. You could edit your existing LAN zone definition if you prefer.

With those two zones, there are a few new network rules to put in place. Click Security -> Network Monitor, and then add these rules:

Allow IP  In&Out  from zone[MyLAN] to zone[MyLAN]

Allow IP  In&Out  from zone[MyLAN] to zone[Multicast]

Then move these two rules up to the top of the list of network rules. Highlight the line, and Move Up as needed. CFP evaluates the rules in order from the top down, and the first match wins. These two should be right up there.

Those two rules will get rid of a bunch of stuff that is filling up your CFP log. You may have to restart CFP, or at worst reboot, to make sure everything sticks and resets properly.

Once everything is reset, then you can clear the logs (clear all logs, next to the export to html). Browse around for a bit, and see the bits that start filling in the logs. That should make it a little easier to dig out where the wedge is.
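As an added example (not code from this thread or from Comodo), the Python below parses entries in the CFP log layout Jonie posted, picks out the Application Monitor DNS denials grue155 points to in Reply #10, and replays the Network Monitor denials through the two MyLAN/Multicast rules from this reply to show why their position in the list matters. The sample entries are constructed in the same layout as the posted export, and treating the logged "Rule ID = 5" as a final block-everything rule is an assumption.

```python
import ipaddress
import re

# Constructed sample in the layout of the posted export (four entries, Severity lines omitted).
SAMPLE_LOG = r"""
Date/Time :2008-07-01 23:12:43
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1763
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:11:53
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:53:33
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 72.5.167.152, Port = 1769)
Protocol: TCP Incoming
Source: 72.5.167.152:http(80)
Destination: 192.168.1.65:1769
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:46:07
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:192.168.1.254:  :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
"""

# CFP writes 'Date/Time :value' for some keys and 'Key: value' for others; the key is everything before the first colon.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s?(.*)$")

def parse_log(text):
    """Split a blank-line separated CFP export into a list of {field: value} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                entry[m.group(1).strip()] = m.group(2).strip()
        if entry:
            entries.append(entry)
    return entries

def host_of(endpoint):
    """'192.168.1.254:1763' or '192.168.1.254::dns(53)' -> '192.168.1.254'."""
    return endpoint.split(":", 1)[0]

def dns_denials(entries):
    """Application Monitor denials of UDP/53: each one stalls the program until the
    resolver times out, which is the 'wedged network' feeling described above."""
    return [(e["Date/Time"], e["Application"], host_of(e["Destination"]))
            for e in entries
            if e.get("Reporter") == "Application Monitor"
            and e.get("Protocol") == "UDP Out"
            and e.get("Destination", "").endswith("dns(53)")]

class Zone:
    """Inclusive IPv4 range, like a CFP Add/Remove/Modify Zone entry."""
    def __init__(self, name, start, end):
        self.name = name
        self.start, self.end = (int(ipaddress.IPv4Address(a)) for a in (start, end))

    def __contains__(self, ip):
        return self.start <= int(ipaddress.IPv4Address(ip)) <= self.end

MYLAN = Zone("MyLAN", "192.168.1.0", "192.168.1.255")  # end points x.0 and x.255 included
MULTICAST = Zone("Multicast", "224.0.0.0", "239.255.255.255")
NEW_RULES = [("allow", MYLAN, MYLAN), ("allow", MYLAN, MULTICAST)]
# Assumption: the logged 'Network Control Rule ID = 5' is a final block-everything rule.
BLOCK_ALL = [("block", None, None)]

def first_match(rules, src, dst):
    """CFP evaluates Network Monitor rules top-down; the first matching rule wins."""
    for action, src_zone, dst_zone in rules:
        if (src_zone is None or src in src_zone) and (dst_zone is None or dst in dst_zone):
            return action
    return "block"  # assumption: no rule matched, treat as denied

def reevaluate(entries, rules):
    """Replay each Network Monitor entry through 'rules'; returns {Source: action}."""
    return {e["Source"]: first_match(rules, host_of(e["Source"]), host_of(e["Destination"]))
            for e in entries if e.get("Reporter") == "Network Monitor"}
```

With the two allow rules above the block-all rule, the router's multicast announcements and the LAN broadcasts to 192.168.1.255 stop being logged, while the unsolicited SYN ACK from the internet host is still denied; with the same rules placed below the block-all rule, nothing changes.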
Greywinter
Newbie
Posts: 10


« Reply #13 on: July 02, 2008, 05:00:27 AM »

OK, I've set up the two new zones and the logs have remained clear for the moment (this has now changed).

Mess of text enclosed.

COMODO Firewall Pro Logs
Date Created: 11:28:01 02-07-2008
Log Scope:: Today

Date/Time :2008-07-02 11:15:55
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.233.183.99::http(80)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:15:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:15:49
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:09:46
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 66.249.93.99::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 11:09:44
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 11:03:51
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.64::dhcp(68)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

End of The Report

End of gibberish.


However, I still seem to have a terrible connection, and using IE7 and Firefox it's still showing 17-18 connections every time I go to any site.

The odd thing is that if I let the internet sit idle on a page for any time, these connections drop down to 2 normally.
Quite often they are clones of each other.

Still waiting for the IP provider to come back with some news; however, at last check there were 14 people sitting in front of me in the queue.

Missing my fast browsing tbh, this sucks in more ways than one.

Is it possible that my router is being used as a server for someone else? Seems odd that I have so many connections running. Could someone be piggybacking my connection and draining the resources?

Hope that makes sense; I feel like a fish out of water atm, and only large amounts of tea seem to keep me from pulling my hair out.

Jonie
« Last Edit: July 02, 2008, 05:42:38 AM by Greywinter »
grue155
Global Moderator
Comodo's Hero
Posts: 1172



« Reply #14 on: July 02, 2008, 09:09:24 AM »

There doesn't seem to be anything really unusual in your log extract. Some Google browsing, and a DNS query through what I presume is your ISP nameserver.

Some more active monitoring seems to be in order. I'm going to ask that you download TCPView from http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

TCPView will monitor all your active connections in real time. There is an option (the floppy disk icon) to capture the moment, so you can post results here when strange things appear.