Author Topic: Worried PC Noob [Resolved]  (Read 6126 times)
Greywinter
Newbie

Posts: 10


« Reply #15 on: July 02, 2008, 11:33:36 AM »

Thanks for all the help grue, my ISP has now sorted out the problem, which had something to do with packet dropping from my modem. And I'm back to a nice smooth 12meg connection now.

However ......

This is worrying me a lot.

COMODO Firewall Pro Logs
Date Created: 17:29:19 02-07-2008
Log Scope: Today
Date/Time :2008-07-02 17:26:54
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 40964, 30980, 31748, 32260, 32516, 33028, 33540, 34564, 34308, 35332, 35588, 36100, 36356, 36868, 37124, 37892, 38148, 38404, 38660, 39428, 39172, 39684, 39940, 40196, 40452, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2008-07-02 17:25:56
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:87.194.0.67:  :dns(53))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)

Date/Time :2008-07-02 17:25:56
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:87.194.0.66:  :dns(53))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)

Date/Time :2008-07-02 17:25:24
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 87.194.0.66, Port = 1084)
Protocol: UDP Incoming
Source: 87.194.0.66:dns(53)
Destination: 192.168.1.20:1084
Reason: Network Control Rule ID = 7

Date/Time :2008-07-02 17:25:17
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Details: Microsoft Windows has loaded avgrsstx.dll into C:\WINDOWS\system32\svchost.exe by using a registry based(AppInit_DLLs) hook which could be used by keyloggers to steal private information.

Date/Time :2008-07-02 17:25:16
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: Microsoft Windows has loaded avgrsstx.dll into C:\WINDOWS\system32\svchost.exe by using a registry based(AppInit_DLLs) hook which could be used by keyloggers to steal private information.

Date/Time :2008-07-02 17:17:28
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 34308, 22276, 23556, 24068, 24324, 24836, 25348, 25604, 24580, 26884, 27652, 28164, 28420, 26116, 29956, 30212, 30724, 30980, 31236, 32004, 31748, 32772, 33028, 33540, 34052, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2008-07-02 17:17:01
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 17:17:01
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 17:16:43
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 127.0.0.1::1033

Date/Time :2008-07-02 17:16:40
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (alg.exe:127.0.0.1:  :1034)
Application: C:\WINDOWS\system32\alg.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP In
Destination: 127.0.0.1::1034

Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 127.0.0.1::1033

Date/Time :2008-07-02 17:16:34
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.20:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.20::upnp-mcast(1900)

Date/Time :2008-07-02 17:16:34
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 127.0.0.1::upnp-mcast(1900)

Date/Time :2008-07-02 17:16:33
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:  :ms-rpc(135))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP In
Destination: 0.0.0.0::ms-rpc(135)

Date/Time :2008-07-02 12:55:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:47:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:40:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:35:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:25:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:23:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:22:15
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)

Date/Time :2008-07-02 12:22:15
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :2917)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 127.0.0.1::2917

Date/Time :2008-07-02 12:11:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:10:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 12:02:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)

Date/Time :2008-07-02 12:02:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)

Date/Time :2008-07-02 11:59:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 11:55:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-02 11:29:21
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 63755, 54027, 54283, 54539, 54795, 55563, 55819, 56075, 57099, 49675, 57611, 58635, 58379, 50699, 59403, 59659, 60427, 60683, 60171, 61195, 61451, 61707, 62219, 63243, 63499, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2008-07-02 11:15:55
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.233.183.99::http(80)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:15:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:15:49
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages.

Date/Time :2008-07-02 11:09:46
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 66.249.93.99::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 11:09:44
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 11:03:51
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.64::dhcp(68)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

End of The Report

Seems to be a lot of dodgy traffic floating about. Is there anything there I should be worrying about? I know it's being blocked, just concerned I guess.

Here's the TVS log.

<non-existent>:1220   TCP   yourpc-ba21dbba:1422   38.103.37.243:http   FIN_WAIT1   
[System Process]:0   TCP   yourpc-ba21dbba:1411   207.46.198.249:http   TIME_WAIT   
[System Process]:0   TCP   yourpc-ba21dbba:1421   38.103.37.248:http   TIME_WAIT   
alg.exe:3236   TCP   yourpc-ba21dbba:1031   yourpc-ba21dbba:0   LISTENING   
avgemc.exe:2736   TCP   yourpc-ba21dbba:10110   yourpc-ba21dbba:0   LISTENING   
CLMLServer.exe:784   TCP   yourpc-ba21dbba:12346   yourpc-ba21dbba:0   LISTENING   
CLMLServer.exe:784   UDP   yourpc-ba21dbba:1026   *:*      
iexplore.exe:2552   TCP   yourpc-ba21dbba:1395   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1409   65.55.197.125:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1401   65.55.11.240:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1407   65.55.197.254:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1403   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1425   65.55.151.10:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1404   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1390   65.55.11.240:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1392   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1393   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   UDP   yourpc-ba21dbba:1089   *:*      
lsass.exe:468   UDP   yourpc-ba21dbba:isakmp   *:*      
lsass.exe:468   UDP   yourpc-ba21dbba:4500   *:*      
svchost.exe:716   TCP   yourpc-ba21dbba:epmap   yourpc-ba21dbba:0   LISTENING   
svchost.exe:756   UDP   yourpc-ba21dbba:1044   *:*      
svchost.exe:756   UDP   yourpc-ba21dbba:ntp   *:*      
svchost.exe:756   UDP   yourpc-ba21dbba:ntp   *:*      
svchost.exe:804   UDP   yourpc-ba21dbba:1060   *:*      
svchost.exe:840   TCP   yourpc-ba21dbba:2869   yourpc-ba21dbba:0   LISTENING   
svchost.exe:840   UDP   yourpc-ba21dbba:1900   *:*      
svchost.exe:840   UDP   yourpc-ba21dbba:1900   *:*      
System:4   TCP   yourpc-ba21dbba:netbios-ssn   yourpc-ba21dbba:0   LISTENING   
System:4   TCP   yourpc-ba21dbba:microsoft-ds   yourpc-ba21dbba:0   LISTENING   
System:4   UDP   yourpc-ba21dbba:netbios-ns   *:*      
System:4   UDP   yourpc-ba21dbba:netbios-dgm   *:*      
System:4   UDP   yourpc-ba21dbba:microsoft-ds   *:*      
Tcpview.exe:4020   UDP   yourpc-ba21dbba:1429   *:*      


Best of luck, if I stare at this too long I think I'm gonna go mad.

Jonie
Logged
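The log above is plain key/value records, so it can be triaged mechanically. This is an added example, not code from the post or from Comodo: it parses records of that shape, strips the zero padding from "Ports:" lists, flags "port scans" whose source is a DNS server the host itself queries (the false positive discussed later in the thread), and keys the Application Behavior Analysis findings by mechanism. SAMPLE_LOG is constructed in the same format from three of the thread's entries, not captured from a live system.

```python
"""
Added example (not from the forum post, not Comodo's code): parse CFP v2.4
log records of the shape pasted above and pull out what a defender would
triage first. SAMPLE_LOG is constructed from three of the thread's entries.
"""
import re

SAMPLE_LOG = """\
Date/Time :2008-07-02 17:26:54
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 40964, 30980, 31748, 32260, 0, 0, 0, 0
The attacker has been temporarily blocked

Date/Time :2008-07-02 17:25:56
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:87.194.0.66:  :dns(53))
Application: C:\\WINDOWS\\system32\\svchost.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)

Date/Time :2008-07-02 17:25:17
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\\WINDOWS\\system32\\svchost.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Details: Microsoft Windows has loaded avgrsstx.dll into C:\\WINDOWS\\system32\\svchost.exe by using a registry based(AppInit_DLLs) hook which could be used by keyloggers to steal private information.
"""

# Both 'Date/Time :value' and 'Description: value' occur, so allow space on either side.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s?(.*)$")

def parse_records(text):
    """Records are blank-line separated; a line without a key (the
    'temporarily blocked' trailer) is kept under 'Note'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
            else:
                rec["Note"] = line.strip()
        records.append(rec)
    return records

def port_scan_events(records):
    """(attacker, ports) per port-scan record; CFP pads the port list with
    zeros, which are dropped."""
    return [(r["Attacker"], [int(p) for p in r["Ports"].split(",") if int(p)])
            for r in records if "Port Scan" in r.get("Description", "")]

def scan_sources_that_are_dns_servers(records):
    """A 'port scan' whose source is a DNS server this host itself queries is
    the false positive the thread attributes to the CFP v2.4 timing bug (replies
    arriving above the packets/sec threshold). Return those sources for review."""
    dns = {r["Destination"].split("::")[0] for r in records
           if r.get("Destination", "").endswith("dns(53)")}
    return sorted({a for a, _ in port_scan_events(records) if a in dns})

def behaviour_alerts(records):
    """Application Behavior Analysis findings keyed by the mechanism in Details."""
    out = []
    for r in records:
        if r.get("Reporter") == "Application Behavior Analysis":
            d = r.get("Details", "")
            mech = next((m for m in ("AppInit_DLLs", "OLE Automation",
                                     "Window messages") if m in d), "other")
            out.append((r["Application"], mech))
    return out
```

The same three functions run unchanged over the full log pasted above once it is saved to a text file.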
grue155
Global Moderator
Comodo's Hero

Posts: 1172



« Reply #16 on: July 02, 2008, 12:12:47 PM »

I'm glad to hear that your traffic flow is back up to its proper running speed.

Everything is looking like normal, or at least known, traffic. In the TCPView log,

Quote
iexplore.exe:2552   TCP   yourpc-ba21dbba:1395   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1409   65.55.197.125:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1401   65.55.11.240:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1407   65.55.197.254:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1403   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1425   65.55.151.10:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1404   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1390   65.55.11.240:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1392   213.155.157.97:http   ESTABLISHED   
iexplore.exe:2552   TCP   yourpc-ba21dbba:1393   213.155.157.97:http   ESTABLISHED

All that bit, is normal browsing of Microsoft web sites (the 65.55.x.x belongs to Microsoft). The 213.155.157.97 belongs to Akamai, which is a "nearby" (in network terms) advert and graphics quick-retrieval heap. Routine stuff, just a lot of it.

This bit, on the other hand,

Quote
Date/Time :2008-07-02 17:17:28
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 34308, 22276, 23556, 24068, 24324, 24836, 25348, 25604, 24580, 26884, 27652, 28164, 28420, 26116, 29956, 30212, 30724, 30980, 31236, 32004, 31748, 32772, 33028, 33540, 34052, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

is a known CFP v2.4 bug. There's a timing bug down in CFP v2.4 that gets tripped when packets come in too fast, and your connection speed may be fast enough to trip that bug. There's no fix, but the way to cut down on the log warnings is to up the trip threshold. In CFP, click Security -> Advanced, Advanced Attack Detection -> Configure, the Intrusion Detection tab. Crank all of the "packet/sec" values up from the default (50, I think) to something like 2000 or more.

And
Quote
Date/Time :2008-07-02 17:16:40
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

shouldn't be in the log, if that "allow multicast" rule is doing its job. Something then is out of place. Not a problem, but potentially confusing. If you could screenshot your network rules, and post that screenshot here, we can work thru the details and get the rules sorted.
Logged
Greywinter
Newbie

Posts: 10


« Reply #17 on: July 02, 2008, 12:43:08 PM »

OK, have adjusted the packet sizes so hopefully that will solve that problem.

Can't do a direct screenie of Comodo so here's the typed version.

ID  Permission   Protocol     Source                                        Destination  Criteria
0   Allow        IP In/Out    Zone (MyLan) 192.168.1.0 - 192.168.1.255      Any          WHERE IPPROTO IS ANY
1   Allow        IP In/Out    Zone (Multicast) 224.0.0.0 - 239.255.255.255  Any          WHERE IPPROTO IS ANY
2   Allow        TCP/UDP Out  Any                                           Any          WHERE SOURCE PORT IS (Any) AND DESTINATION PORT IS (Any)
3   Allow        ICMP Out     Any                                           Any          WHERE ICMP MESSAGE IS ECHO REQUEST
4   Allow        ICMP In      Any                                           Any          WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED
5   Allow        ICMP In      Any                                           Any          WHERE ICMP MESSAGE IS TIME EXCLUDED
6   Allow        IP Out       Any                                           Any          WHERE IPPROTO IS GRE
7   Block & Log  IP In/Out    Any                                           Any          WHERE IPPROTO IS ANY

I'm gonna have to get a screen grabber I think.

Jonie

« Last Edit: July 02, 2008, 12:47:52 PM by Greywinter » Logged
grue155
Global Moderator
Comodo's Hero

Posts: 1172



« Reply #18 on: July 02, 2008, 12:54:23 PM »

Windows can do screenshots... Select the window, Alt-PrntScrn will copy that window to the Clipboard, then Cntl-V as normal paste into something like Paint or Wordpad, and save as a file. And you got it.

We need to rework the first two rules.

First rule should be

Action: Allow
Protocol: IP
Direction: In&Out
Source IP: Zone[MyLAN]
Destination IP: Zone[MyLAN]
Source Port: Any
Destination Port: Any

Second rule should be, almost the same

Action: Allow
Protocol: IP
Direction: In&Out
Source IP: Zone[MyLAN]
Destination IP: Zone[Multicast]
Source Port: Any
Destination Port: Any

And that should do it.
Logged
grue155
Global Moderator
Comodo's Hero

Posts: 1172



« Reply #19 on: July 02, 2008, 01:15:21 PM »

I'd like to tighten up the rules just a little bit, to reflect some recently learned Windows madness.

Highlight this rule,
Quote
2     Allow      TCP/UDP Out   Any       Any WHERE SOURCE PORT IS (Any) AND DESTINATION PORT IS (Any)

then right click that highlighted line, and select "Add Before". We're going to add a rule,

Action: Block (do not  log)
Protocol: TCP&UDP
Direction: Out
Source IP: Any
Destination IP: Any
Source port: Any
Destination port: a set of ports (comma separated) : 135,137,138,139,445

Windows, it seems, has this mad idea of going out to the Internet to resolve names when the regular Internet name lookup comes up empty. Blocking this set of ports makes <bleep> sure that no Netbios traffic will get anywhere near the Internet.

If your router has a firewall capability, then having a comparable rule on the router would be a good thing to have.

And, as a general security measure, it is strongly recommended that you change the router login password if you haven't done so already. There is active malware that will attack routers using the default passwords to get in. You really don't want somebody on the far side of the planet mucking about inside your router. So don't use the factory default password on your router.
Logged
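The rule rework in the two replies above comes down to rule order in a first-match list: the rewritten rules 0 and 1 cover LAN-to-LAN and LAN-to-multicast, the NetBIOS block has to sit before the general "TCP/UDP Out" allow, and anything else falls through to the final "Block & Log". This is an added example, not Comodo's code: a small first-match model of that corrected list, with constructed packets mirroring flows from the posted log, that assumes the zone ranges from the typed rule table and a default block when nothing matches.

```python
"""
Added example (not Comodo's code, not from the thread): first-match-wins model
of the CFP v2.4 network rules as corrected in replies #18 and #19. Zone ranges
are the ones Greywinter posted; the packets below are constructed.
"""
import ipaddress

ZONES = {"MyLAN": ipaddress.ip_network("192.168.1.0/24"),     # 192.168.1.0 - .255
         "Multicast": ipaddress.ip_network("224.0.0.0/4")}    # 224.0.0.0 - 239.255.255.255

def in_zone(addr, zone):
    """'Any' matches every address; otherwise test membership in the zone range."""
    return zone == "Any" or ipaddress.ip_address(addr) in ZONES[zone]

def rule(name, action, protos, dirs, src, dst, dports=()):
    """protos: 'IP' matches any protocol; an empty dports means any port."""
    return {"name": name, "action": action, "protos": set(protos),
            "dirs": set(dirs), "src": src, "dst": dst, "dports": set(dports)}

def matches(r, pkt):
    return (("IP" in r["protos"] or pkt["proto"] in r["protos"])
            and pkt["dir"] in r["dirs"]
            and in_zone(pkt["src"], r["src"]) and in_zone(pkt["dst"], r["dst"])
            and (not r["dports"] or pkt["dport"] in r["dports"]))

def decide(rules, pkt):
    """(rule name, action) of the first matching rule; nothing matching is
    treated as blocked, which is what the trailing 'Block & Log' rule does."""
    for r in rules:
        if matches(r, pkt):
            return r["name"], r["action"]
    return "default", "Block"

NETBIOS_BLOCK = rule("block-netbios-out", "Block", ["TCP", "UDP"], ["Out"],
                     "Any", "Any", dports=[135, 137, 138, 139, 445])
ALLOW_OUT = rule("allow-tcp-udp-out", "Allow", ["TCP", "UDP"], ["Out"], "Any", "Any")

def corrected_rules(netbios_before_allow=True):
    """Rules 0 and 1 from reply #18; the NetBIOS block from reply #19 is placed
    before ('Add Before') or after the general outbound allow to show why order matters."""
    outbound = [NETBIOS_BLOCK, ALLOW_OUT] if netbios_before_allow else [ALLOW_OUT, NETBIOS_BLOCK]
    return [rule("lan-to-lan", "Allow", ["IP"], ["In", "Out"], "MyLAN", "MyLAN"),
            rule("lan-to-multicast", "Allow", ["IP"], ["In", "Out"], "MyLAN", "Multicast"),
            *outbound,
            rule("block-log-all", "Block", ["IP"], ["In", "Out"], "Any", "Any")]

def pkt(proto, direction, src, dst, dport):
    return {"proto": proto, "dir": direction, "src": src, "dst": dst, "dport": dport}

# Constructed packets mirroring flows in the posted log (203.0.113.10 is a documentation address).
SSDP = pkt("UDP", "Out", "192.168.1.20", "239.255.255.250", 1900)      # svchost upnp-mcast
NBDGRAM_LAN = pkt("UDP", "Out", "192.168.1.20", "192.168.1.255", 138)  # System nbdgram broadcast
NBDGRAM_INET = pkt("UDP", "Out", "192.168.1.20", "203.0.113.10", 138)  # same port, to the Internet
WEB = pkt("TCP", "Out", "192.168.1.20", "64.233.183.99", 80)           # iexplore http
INBOUND_UDP = pkt("UDP", "In", "87.194.0.66", "192.168.1.20", 1084)    # unsolicited inbound

if __name__ == "__main__":
    for label, p in [("SSDP", SSDP), ("NBDGRAM_LAN", NBDGRAM_LAN), ("NBDGRAM_INET", NBDGRAM_INET),
                     ("WEB", WEB), ("INBOUND_UDP", INBOUND_UDP)]:
        print(label, decide(corrected_rules(), p))
    print("NetBIOS block placed after the allow:", decide(corrected_rules(False), NBDGRAM_INET))
```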
Greywinter
Newbie

Posts: 10


« Reply #20 on: July 02, 2008, 01:23:24 PM »

OK, I've made the changes and it looks like all the annoying spam has finally vanished from my security logs. Well, most of it anyway.

I've also added the new rule, and I'm pleased to say for once (a non-noobie action) that changing the router password was one of the 1st things I did when I got my new ISP.

Truly many, many thanks for all your help. For once I've managed to get some help from someone who put it into simple English and didn't spam me full of technical bumf.
Tbh I don't think I would have ever got there on my own, go grab a beer or three, you deserve them. Cheers.

Jonie
Logged
grue155
Global Moderator
Comodo's Hero

Posts: 1172



« Reply #21 on: July 02, 2008, 01:36:22 PM »

Glad to have been of help. And good for you for changing that password first thing.

I'll keep this topic open for the next day or so, in case something odd shows up in your logs. Then I'll lock it for reference. If you need it reopened after that, you can PM any of the moderators.
Logged