Mysterious UDP traffic

I have the free version of CIS (firewall and Defense+, usually set to the paranoid level but not always). The firewall is in custom policy mode and I routinely refuse TCP connections from the internet (most of the requests are from IP addresses registered in China).

This is a relatively new installation of XP and should not have any viruses on it (taken with a grain of salt of course). My normal internet connection is a 56k dialup, which makes it relatively easy to monitor suspicious IP traffic.

A few times now, I’ve noticed UDP traffic which pops up out of nowhere, going to IP addresses registered with COMODO. The most recent was UDP to the address “” and mostly on ports 4447/4448. In the past I’ve seen what appears to be a port scan, but again going out to a COMODO-registered address. I am not using the COMODO secure DNS servers.

Maybe if I see this again I'll try capturing it with Wireshark and see what's in the packets… maybe it is ASCII?

Do you have any idea what this traffic is and if it represents a problem or not?

TCP/UDP out dest & on ports 4447/4448 is normal traffic for CMDAgent.exe

ALL other traffic to other domains should be exclusively TCP. Traffic to will be src port 1975/1976 dest ports 2116/50302. Traffic to will be src port 4151/4152 dest port 217/50534. All other destination domains by either CMDAgent (or cfpupdt) will be destination port 80.

EDIT: discovered additional hosts

Disable the cloud stuff (things with "online" and "lookup" in it; I don't know the English user interface) in Defense+ and in the antivirus.