system intrusion attempts

I recently recovered from a PING.exe and ZeroAccess rootkit. I was unable to clean my system, so I had to use a backup recovery image a year old. I am sure that image is/was clean; scans with ESET, Trend Micro and AVG show clean, and there are no suspicious processes running... but some setting has changed in my firewall, and after being rootkitted it's making me uncomfortable.

It's showing thousands of intrusion attempts. Checking the events:

System Blocked UDP 192.168.1.1 32883 192.168.1.42 137
System Blocked TCP 192.168.1.1 35530 192.168.1.42 2869

The source port changes; the destinations are for the most part similar, UDP and TCP.

I found several threads about System and svchost; some said it was harmless and let it out. I prefer to keep my system locked down. I don't know what it's doing (I have four other computers, but they don't talk to each other, the others are currently off, and I have no printer), so I blocked it, and I am still getting these intrusion attempts. My Comodo didn't usually have this. I don't know why my system is trying to connect out, and I cannot find how to turn off whatever is doing this (file/printer sharing is off!!). There is probably a way to make Comodo not log this event, but I'm worried that since it's doing something different, something is wrong :frowning: Help... I do not want to leave my computer open by wrongly ignoring this issue.

There are 43,000 blocked intrusion attempts >.< I run Vista Home, 32-bit...

http://i42.tinypic.com/o9mpeg.jpg

http://i39.tinypic.com/vpizj9.jpg

http://i42.tinypic.com/11vqsza.jpg

Is IP address 192.168.1.1 your router’s or modem/router’s IP address? What is your IP address?
What is the make and model of your (modem)/router?

ipconfig says:

IPv4 address is 192.168.1.42

My modem is a Westell 7500 (modem/router combo) through Verizon, though they have recently changed to Frontier.

This laptop connects wirelessly.

What does ipconfig say for the default gateway address?

The default gateway is 192.168.1.1.

The logs show that your Westell modem/router is looking for clients that want to share folders or printers. Hence the traffic at ports 137 and 2869.

I skimmed the documentation of the Westell and found under 12.2 (page 50) settings for sharing over the local network. Maybe something needs to be switched off there.

OK, if you think it's harmless... I appreciate the reply. I found the document page you referenced, but I am unable to find a way to "shut off" the router from looking for a shared folder (another article said that they use UPnP, and my router's UPnP is off). I'm not sure why the System process is reaching out...

But if it's harmless... OK. I cannot find how to shut it off in the router, and I cannot find how to stop it on my computer... How do I stop Comodo from logging it as an intrusion attempt? (My Comodo did not use to do this.) It currently shows 53,000 intrusion attempts. Even if I consider it harmless, an actual threat is going to get lost in these intrusion notifications :frowning:

You can set CIS to accept traffic from 192.168.1.1.

For this solution (which I use at home) I make a Network Zone and use the Stealth Ports Wizard to make that network zone a Trusted Zone (the first option in the wizard).

Using the wizard, CIS will adjust the Global Rules and the rule for System accordingly.

Just to add to Eric's advice: if you're not sharing files or printers, you may want to consider disabling NetBIOS in the properties of the network adapter of your PC. Doing so will stop requests being sent to your router for name resolution and thus stop the router from responding (137). You can also disable UPnP/SSDP from services.msc. This should stop the inbound 2869 connections.
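As an added example (not part of this thread and not Comodo's own code), here is a small Python triage script for log lines in the format quoted above. It assumes the columns are application, action, protocol, source IP, source port, destination IP and destination port, which is how the posted lines read, and it treats anything from the gateway to the NetBIOS (137/138 UDP), SSDP (1900 UDP) or UPnP (2869 TCP) ports as the router discovery traffic discussed in the replies. Everything else goes into a separate "review" bucket so that it is not buried among tens of thousands of routine entries. The log lines inside it are constructed for the example; only the first two copy the format posted in the thread.

```python
import re
from collections import Counter

# Gateway address as given in the thread.
GATEWAY = "192.168.1.1"

# LAN discovery/sharing ports discussed in the thread, plus the two closely
# related ones. Key: (destination port, protocol).
KNOWN_LAN_PORTS = {
    (137, "UDP"): "NetBIOS name service (name resolution)",
    (138, "UDP"): "NetBIOS datagram service (browser announcements)",
    (1900, "UDP"): "SSDP (UPnP discovery)",
    (2869, "TCP"): "UPnP event notification",
}

# Assumed column order: app, action, protocol, src IP, src port, dst IP, dst port.
LINE_RE = re.compile(
    r"^(?P<app>\S+)\s+(?P<action>Blocked|Allowed)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)$"
)

# Constructed sample log (not from the poster's screenshots): the first two
# lines copy the quoted format, the rest are made up to exercise each branch
# (gateway on a non-discovery port, a non-gateway source, a malformed line).
SAMPLE_LOG = """\
System Blocked UDP 192.168.1.1 32883 192.168.1.42 137
System Blocked TCP 192.168.1.1 35530 192.168.1.42 2869
System Blocked UDP 192.168.1.1 32890 192.168.1.42 137
System Blocked UDP 192.168.1.1 1900 192.168.1.42 1900
System Blocked TCP 192.168.1.1 40001 192.168.1.42 445
System Blocked TCP 203.0.113.7 44512 192.168.1.42 3389
this line is not a firewall event
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry, gateway=GATEWAY):
    """'lan-discovery' when the gateway is probing a known discovery port,
    otherwise 'review' (anything else deserves a look)."""
    if entry["src"] == gateway and (entry["dport"], entry["proto"]) in KNOWN_LAN_PORTS:
        return "lan-discovery"
    return "review"


def triage(lines, gateway=GATEWAY):
    """Count entries per class and per (protocol, destination port), and return
    the entries that need review separately so they are not lost in the bulk."""
    counts = Counter()
    by_port = Counter()
    review = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                counts["unparsed"] += 1
            continue
        label = classify(entry, gateway)
        counts[label] += 1
        by_port[(entry["proto"], entry["dport"])] += 1
        if label == "review":
            review.append(entry)
    return counts, by_port, review


def report(lines, gateway=GATEWAY):
    """Human-readable summary; returned as text so callers can check it."""
    counts, by_port, review = triage(lines, gateway)
    out = ["{} routine LAN discovery, {} to review, {} unparsed".format(
        counts["lan-discovery"], counts["review"], counts["unparsed"])]
    for (proto, port), n in sorted(by_port.items(), key=lambda kv: -kv[1]):
        name = KNOWN_LAN_PORTS.get((port, proto), "not a discovery port")
        out.append("  {:>5} {}/{:<5} {}".format(n, proto, port, name))
    for e in review:
        out.append("REVIEW: {} {}:{} -> {}:{}".format(
            e["proto"], e["src"], e["sport"], e["dst"], e["dport"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it on an export of the Comodo firewall events instead of SAMPLE_LOG and the first line of the report tells you how many of the tens of thousands of entries are just the router's discovery probes, while the REVIEW lines are the ones worth opening; a gateway hitting a port outside the table, or any non-gateway source, lands there on purpose.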

Thank you both for the replies. I will look for those settings and see if they will solve the intrusion attempts.

And if I may ask one more question:

I will get a notification from the firewall and be given the option to block or allow. I can see from my settings that the alert will stay on the screen for 120 seconds. My question is, if I am not at the computer at the time of the alert and it goes away...

What is the default action that it takes, block or allow? (I would prefer block, if there is a way to make this setting.)

The default action when not answering an alert is block. Comodo calls it Default Deny.