Alerts every time I click a link in an email from OE

Every single time I click a link in an email to go to a website I get alerts saying:

Application iexplorer.exe
Remote IP:206.74.254.2 Port : dns(53) - UDP
Parent svhost.exe

Security Considerations

No advise available for this alert, please click here to send files to comodo for analysis.

I click remember and allow, then the next alert comes up; the only difference is that the Remote is a little different, same port.

The 3rd alert (there’s always 3) is exactly the same except the Remote says:

IP:127.0.0.1 Port : 12080 - TCP

I click the remember box every time with these. And I’ve done an experiment, I click the same link over and over, clicking remember and allow, then shutting down IE, going back to the same email, clicking the exact same link, each time getting the same alerts with different IP and/or Port.

What is up with this? It only started this about a month ago. These emails and links are good, safe, well known.

Thanks for any help.

Are you absolutely certain that it’s svhost and not svchost? If it is indeed svhost, then it’s malware, details here
The IP address it wants to connect to resolves to dns4.InfoAve.Net which is a client on “Info Avenue Internet Services” based in Rock Hill, South Carolina in case that rings any bells.

Yes, it was svchost, sorry about that. I use avast, spybot s&d, adaware se, and spyware blaster, all updated and run regularly, and I keep a check on my hijackthis log. Nothing has changed on that.

Remote IP:206.74.254.2 Port : dns(53) - UDP

That’s a nameserver lookup, used to translate a domain name into an IP address. I’m not sure why iexplorer.exe, and not the system service “DNS Client”, would be making these queries. To check the DNS Client service, from a command prompt, type “services.msc”, and see if DNS Client is started. If not, then right click, and select Start.

The 3rd alert (there's always 3) is exactly the same except the Remote says:

IP:127.0.0.1 Port : 12080 - TCP


TCP packets go in groups of 3, to increase the chance of at least one getting to where it wants to go. It’s how TCP works.

The 127.0.0.1 is “localhost”, meaning your machine is talking to itself. Which you probably don’t need to check. In CFP this is controlled by the settings in Security → Advanced, Miscellaneous → Configure, and the two checkboxes for “skip loopback” (one for UDP, one for TCP). That you’re seeing these CFP messages says these checkboxes are clear. Check both boxes.

The next question is what is running that there would be a localhost loopback 127.0.0.1? Things like antivirus scanners do this. From a command prompt, run “netstat -anob”, which will show all the active ports, and what programs are using those ports. You want to see which ones are attached to the 127.0.0.1 address. You should recognize everything, but if not, then the next step would be to identify that unknown program.

Looks like IP:127.0.0.1 Port : 12080 - TCP is the proxy server for Avast: Conflict with Comodo Personal Firewall 3

UDP was checked, but TCP was not, so I checked it.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Compaq_Owner>netstat -anob

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]

TCP 0.0.0.0:6523 0.0.0.0:0 LISTENING 2832
[trueWeather.exe]

TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 2772
[alg.exe]

TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 1700
[ashMaiSv.exe]

TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 2316
[ashWebSv.exe]

TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 1700
[ashMaiSv.exe]

TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 1700
[ashMaiSv.exe]

TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 1700
[ashMaiSv.exe]

TCP 206.74.21.3:139 0.0.0.0:0 LISTENING 4
[System]

UDP 0.0.0.0:500 *:* 692
[lsass.exe]

UDP 0.0.0.0:445 *:* 4
[System]

UDP 0.0.0.0:1041 *:* 2832
[trueWeather.exe]

UDP 0.0.0.0:4500 *:* 692
[lsass.exe]

UDP 0.0.0.0:1025 *:* 1052
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP 127.0.0.1:2102 *:* 3236
[IEXPLORE.EXE]

UDP 127.0.0.1:123 *:* 1004
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:2090 *:* 3096
[msimn.exe]

UDP 206.74.21.3:138 *:* 4
[System]

UDP 206.74.21.3:137 *:* 4
[System]

UDP 206.74.21.3:123 *:* 1004
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

I recognize all the references to avast and Trueweather, the rest is Greek to me.

All the other port listings are standard Windows components. No surprises. Setting the TCP loopback checkbox will get rid of the 127.0.0.1 messages. The DNS port 53 messages probably will continue, but I would expect these to be a fewer number of occurrences. DNS queries should go through the client service, which caches the results, so there isn’t the need to hit the Internet each and every time.
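The loopback check walked through in this thread (run “netstat -anob”, then see which programs are attached to 127.0.0.1) can be scripted. The following is an added example, not part of any post above: it parses saved “netstat -anob” text, pairs each socket row with its [program] line, and lists the loopback sockets against a list of names you recognize. The function names, the allowlist and the sample text (constructed in the layout of the listing posted above) are assumptions.

```python
import re

# Constructed sample in the layout `netstat -anob` prints on Windows XP,
# modelled on the listing posted in this thread (not a live capture).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  c:\\windows\\system32\\rpcss.dll
  -- unknown component(s) --
  [svchost.exe]

  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1700
  [ashMaiSv.exe]

  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       2316
  [ashWebSv.exe]

  UDP    127.0.0.1:2102         *:*                                    3236
  [IEXPLORE.EXE]
"""

# Socket row: proto, local addr:port, foreign addr, optional state (TCP only), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:[A-Z_]+\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # the [program.exe] line that closes a row

def parse_netstat(text):
    """Return one dict per socket row, with its [owner] line attached."""
    sockets = []
    for line in text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            proto, addr, port, pid = row.groups()
            sockets.append({"proto": proto, "addr": addr, "port": int(port),
                            "pid": int(pid), "owner": None})
        elif owner and sockets and sockets[-1]["owner"] is None:
            sockets[-1]["owner"] = owner.group(1)
    return sockets

def loopback_sockets(text, recognized=()):
    """List (owner, proto, port, is_recognized) for sockets bound to 127.x.x.x."""
    names = {n.lower() for n in recognized}
    return [(s["owner"], s["proto"], s["port"], (s["owner"] or "").lower() in names)
            for s in parse_netstat(text) if s["addr"].startswith("127.")]

if __name__ == "__main__":
    # Illustrative allowlist; pass the program names you recognize.
    for owner, proto, port, ok in loopback_sockets(SAMPLE, ("ashMaiSv.exe", "ashWebSv.exe")):
        print(f"{proto} 127.0.0.1:{port:<6} {owner or '?':<16} {'recognized' if ok else 'REVIEW'}")
```

Save the real output with “netstat -anob > ports.txt” and pass the file's contents in place of SAMPLE; any row marked REVIEW is a program name to identify before allowing it.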

I can already tell a difference, thanks for all your help!