what do these logs mean?

5/20/2008 6:43:58 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.2 Type(8) 192.168.1.1 Code(0)
5/20/2008 6:44:02 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.2 Type(8) 192.168.1.1 Code(0)
5/20/2008 6:44:05 PM C:\WINDOWS\system32\svchost.exe Blocked 192.168.1.2 Type(8) 192.168.1.1 Code(0)
5/20/2008 6:58:47 PM C:\Program Files\Mozilla Firefox\firefox.exe Blocked 192.168.1.2 1876 98.136.112.128 843

what is type (8) for source port and code (0) for dest. port?

Its your system ping your router/gateway
It is ICMP protocol, Echo reply 0 from the end station which is sent as a result of the Type 8 Echo Request to check connectivity.
If everything working well for you, you can keep blocking it…

However I think you are infected with Backdoor.Win32.Delf.aig (Kaspersky) or something similar, that indicates your last blocked connection
For more information go to http://vil.nai.com/vil/content/v_137872.htm

Also if You are really infected, it should be nice to keep “dropper” part of that malware or complete malware in quarantine for further testing, but I doubt you are not prompted by CFP when infection started…

You sure? The port 1876 outbound from firefox is to Yahoo’s servers… according to the Symptoms shouldn’t that be an iffy URL resolving to an equally iffy IP rather than Yahoo? And the random picture? Fazio93, how many of these firefox blocks on port 1876 have you seen? Also, seen any odd pictures popping up?

I am not sure, I said “I think” and “something similar”, that blocked connection suggesting infection of somekind. I cant think of what else can trigger it.

only those on my first post

Also, seen any [u]odd[/u] pictures popping up?

nope. running fine to me. no popups or weird performance.

salmonela, i looked at the site u posted and opened regedit and looked for those keys thats it creates/deletes. none were created and none of my keys were deleted.

Ok, sorry for disturbing, I see you using Avast which have signature of that backdoor in base.
Sorry again.