More weirdness

details
Application ypops.exe
Remote IP:Listen Port: 3351 =UDP

C:\program Files\Adobe\Adobe Help Center\ahc.exe has modified the User interface of ypops.exe by sending special Window messages. Any program trying to modify another program using this method may be a sign of trojan activity.

Clicking more details:
Application: ypops.exe
Parent: Explorer

It seems like anytime I install something (in this case, Adobe elements trial)
it opens a UDP port of seemingly random numbers

I’ve allowed ypops.exe and clicked the check to remember I don’t know how many times… but like I said, a new program will alter the User interface and I have to do it again…

I installed adobe… it told me I needed to reboot… before I could reboot, this popped up without me doing anything but waiting for the install to finish…

This is just one example… is there any way I can send logs to someone and have them look and see what’s going on and offer advice? I fear an unknown trojan.

Kaspersky anti virus is also giving me a lot of warnings about “injections” and what not… but no virus scanner I try comes up with anything.

Interesting you say this as I have found mine is doing exactly the same with Outlook.Exe - it opens with a different port and halts me all day long. This is becoming extremely annoying. The other application it continually keeps asking for approval on, of all things, is Firefox - ???

I love the layout of Comodo P Firewall and the basic functionality - it is just that it is still too fussy at the moment.

I am running Office 2007 Beta at the moment so maybe this could account for the issues. Is anyone else encountering the same without running Office 2007?

Regards… Phil

Here is a screenshot of one that makes no sense to me.

and while I was doing that my virus checker came up with something strange…

[attachment deleted by admin]

I unchecked “monitor windows messages” under “security/advanced” and the stray popups went away. Seems to be a feature of CPF not quite ready yet, in spite of some improvements in latest version.

I’d like to be sure, because when I see svchost connecting to Beyond tv and Photoshop Elements it makes me worry…
I unchecked “monitor windows messages” and rebooted… AND JUST NOW as I was typing this the same exact thing came up except instead of Photoshop Elements 4.0\adproxy.exe it was Photoshop Elements editor!

Hi,

Complex applications like Adobe Acrobat or other Adobe products make heavy use of DDE/OLE communication. Since they usually use Windows shell integration, it is not a surprise that they communicate with svchost.exe or explorer.exe. When you Copy/Paste scenes from your TV software or try to capture the video (or something similar) and use Adobe Photoshop or a similar product, a sort of communication is established between those applications.
Outlook.exe also communicates with MSN Messenger (to read your email contact list) and Internet Explorer. So it is an expected behavior for CPF to report these behaviors.

It is better for you to disable the “Monitor Window Messages” and “Monitor OLE/COM Requests” options in the Security->Advanced section. I don’t think your PC is infected with an unknown trojan. Trojans mostly use DLL and process injections to take control of your PC. In this case CPF will clearly alert you.

Hope this helps,
Egemen

I can understand that if I was doing something with the program mentioned.
But when I’m checking my mail, why would an injection from Photoshop Elements and/or BTV be made into my POP mail retriever? I was not interacting with those programs at all.
Like when I was typing the reply, that’s all I was doing was typing the reply and an injection notice came up. That was after I disabled “Monitor Window Messages” and rebooted… I didn’t even load Photoshop Elements editor yet… I just installed it before I rebooted.
How would CPF alert me if my system was being taken over? Because it seems like it’s alerting its ■■■■ off as it is.

Injection alert is coming from your Kaspersky AV not from CPF. If CPF says it detects an “Injection”, it is probably not a false-positive and an action must be taken.

Like when I was typing the reply, that’s all I was doing was typing the reply and an injection notice came up. That was after I disabled “Monitor Window Messages” and rebooted… I didn’t even load Photoshop Elements editor yet… I just installed it before I rebooted. How would CPF alert me if my system was being taken over? Because it seems like it’s alerting its ■■■■ off as it is.

Just disable the “Monitor Window Messages” and “Monitor COM/OLE Requests” options (you don’t need to restart).

As I said before, if something serious happens, CPF will give you infection alerts.

We are in the process of providing an instant safe list update module. With this improvement, those types of alerts will stop significantly.

Good luck,

Egemen

OK, I just wanted to be sure. Thank you, for the help and the outstanding product.

I’m sorry for my ignorance, I followed the advice and disabled the things you told me to…
But I’m still getting popups coming at random times when I’m not doing anything on the internet.
I got this when I was just clicking to open a folder, a folder I’ve been in and out of going back and forth for the last hour… editing some clients’ files.
It is one example of many, I must have 100 ports opened from allowing these things.
Can someone please explain this?

[attachment deleted by admin]

Hi,
Sure. Explorer.exe sometimes tries to connect to the Internet, for example when you search for files. Winlogon.exe is also a safe application (CPF’s safe list should be missing the version you have). You can Allow/Deny this request safely. But if you asked my opinion, I would not allow explorer.exe to access the Internet; I would create a permanent Deny rule when I see the popup.

Unless you play with the network monitor rules, you cannot open any port to the world just by allowing popups. So do not worry about remaining vulnerable to unsolicited inbound connections.

Egemen

Thanks for the response.
My main concern is, I wasn’t doing anything I haven’t been doing in the last hour…
going back and forth between two different folders and opening text files in both…
I was not doing any searching or internet/network related things at all… I can understand if I was doing anything related to connecting, but I wasn’t.
None of my folders or files are shared, no home network is set up. Nothing at all…
It just randomly popped up when I clicked to open the same folder I opened a hundred times before.
All my files are (or should be) up to date, I check Windows updates almost every day, along with any other major tool I use.
So even if Comodo won’t allow anything to be received, why would things randomly try to use other random things for connection to send?
Again, please excuse my ignorance… I am just worried because I have clients’ confidential material, and a compromise would mean the end of my career.

I understand your concern. But just because you don’t do anything does not mean the background programs won’t work as they are intended to. In your case, clicking on folders is sometimes enough for explorer.exe to connect to the Internet. And winlogon.exe can be the parent of explorer.exe when you do a couple of things like fast user switching etc.

Let’s talk about how your system can be compromised:

1- a trojan can be installed on your computer and can try to transmit your confidential data,
2- someone else can break into your computer by exploiting a vulnerability or a configuration error.

Case 2 is almost impossible if you don’t change the network monitor settings of CPF. Namely, your PC is stealthed by default against any attacker who may try to access your PC remotely.

Case 1 can happen if you somehow download a virus/trojan from the Internet etc… But in this case, the trojan will need to transmit your data somewhere else, in which case it needs to bypass CPF. Keeping in mind the protection strength of CPF, you are fairly secure against such a type of attack.

This forum is created for asking such questions. So feel free to ask whatever you need to be made clear. You will always receive a satisfactory reply.

Hope this helps,

Egemen

It is case 1 I am worried about.

I’ve tested the firewall with leak testers and comodo passes them all.
But the popups I am getting at random times are very similar to the popups from those leak testers…

This was what I was doing in the last example…

open folder->open file->edit file->save file
open a different folder->open file->edit file->save file
go back to first folder
repeat a hundred times

No user switching, nothing but open, edit, save, then I click a folder to do the same thing I’ve been doing and CPF pops up with a warning.
Again this is just one example…

It is Comodo’s depth of security that makes me wonder if maybe I have some super stealthy root kit that my old firewall (ZA free) and antivirus/online scans don’t and didn’t catch.
I’m worried that maybe userinit, winlogon, explorer.exe may be corrupted… I have tried uploading to online virus scanners and they come back clean but… still I get these random things…

In the application monitor, I just now blocked winlogon.exe, explorer.exe, userinit.exe and system, all of which were set to allow for the full range of IPs and ports.

And now I am concerned that the things I have disabled in CPF that showed much more unrelated programs connecting and using each other is just hiding activity I should be worried about.

Not every popup of CPF is because of trojan activity. It is simply asking you for permission for Windows Explorer. There are hundreds of legitimate cases in which CPF will show you popups.

If those files were corrupted, infected or somehow hijacked by a virus, the popup you were going to see would be much more serious like “Signature of the application changed” or “This is typical of virus/trojan behavior”.

Except for the “Monitor Window Messages” and “Monitor COM/OLE Requests” options, do not disable anything.

Egemen