Worried PC Noob [Resolved]

Hi all, really hoping that someone can assist me with this as I'm beginning to get a little worried now that my Internet connection is being used to do some iffy stuff.

When I connect to Firefox v3.0, Comodo lists Firefox in the connections activity section, which all in all isn't a problem. What is concerning me is that it quite often lists it 17-18 times and my internet connection has dropped from a nice 13 meg connection to half a meg.

The source ports never appear to be the same and the destinations all appear to be different also. Have run various spyware/malware programs and virus scanned and done a rootkit scan but they can't seem to locate anything.

Not sure what additional information I might need to provide (hence the noob bit) but will be happy to provide whatever is needed.

Pls pls some kind soul come save me from this as it's driving me bananas.

Jonie

I can't help you too much as I'm not as experienced as most forum members, but first off: when a 13 meg line drops to half a meg it could be the result of a DoS/DDoS (Denial-of-service attack - Wikipedia), but if you're behind a router with a hardware firewall like most Linksys and Netgear routers have, I believe they would protect you from the majority of a DoS. I'm not saying that you are getting a DoS but I'm just stating that the internet speed drop happens once a DoS happens. I'm positive within a few hours someone a lot more experienced will add another post to help you out. Good luck with everything and hopefully nothing suspicious is going on.

Thanks Goose, you and me both.

I guess my big concern is all these connections flying out. Used to seeing 3-5 connections showing in the logs but not 17-18. Have contacted my ISP and to be honest they have been kinda vague on the subject: run virus scan, we will check the server.

I have 2 comps running off the same modem and both are suffering drastic speed losses. Just did a Malwarebytes scan, enclosed.

Malwarebytes’ Anti-Malware 1.19
Database version: 912
Windows 5.1.2600 Service Pack 3

23:07:04 01/07/2008
mbam-log-7-1-2008 (23-07-04).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 123490
Time elapsed: 45 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:17, on 01/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\Program Files\COMODO\Memory Firewall\cmf.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Consumer antivirus software providers for Windows - Microsoft Support
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM..\Run: [COMODO Memory Firewall] “C:\Program Files\COMODO\Memory Firewall\cmf.exe” -s
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148629314602
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148640560843
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


End of file - 7865 bytes

Hope that's some more help.

Jonie

What browser are you using? A web page is actually a mosaic of internet connections for the various items on the page. Each frame, and sometimes subframe, needs to get data independently in some cases, so you get connections for ads, pictures, news items, … so the whole page can be assembled for you simultaneously. If you look at the source code for the page with the browser, you can usually see some of the callouts for data from other servers and URLs. And TCP connections usually persist for a while, so even if no data is currently being passed they don't go away immediately. How do you know that the connection has dropped to .5 Mbps vs .5 Mbps for each connection?
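The point above, that a browser legitimately holds many parallel and lingering connections, can be checked on the machine itself with the built-in `netstat -ano` (the `-o` column is the owning PID; `tasklist` maps a PID to its executable). The script below is an added example, not code from the thread or from Comodo: it parses a constructed `netstat -ano` listing (addresses, ports and PIDs are made up), groups connections by PID and state, and flags only processes whose connections mostly go somewhere other than web ports. The TIME_WAIT rows sitting under PID 0 are the "persisting" connections the post describes: the process has closed them but the TCP stack keeps the entry for a while.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output in the Windows XP column layout.
# Addresses, PIDs and ports are made up for illustration; not output from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.65:1031      207.46.19.254:80       ESTABLISHED     1780
  TCP    192.168.1.65:1032      207.46.19.254:80       ESTABLISHED     1780
  TCP    192.168.1.65:1033      80.249.99.130:80       ESTABLISHED     1780
  TCP    192.168.1.65:1034      80.249.99.130:80       ESTABLISHED     1780
  TCP    192.168.1.65:1035      199.232.43.137:80      CLOSE_WAIT      1780
  TCP    192.168.1.65:1036      216.35.19.134:80       TIME_WAIT       0
  TCP    192.168.1.65:1037      216.35.19.134:80       TIME_WAIT       0
  TCP    192.168.1.65:1038      87.248.212.8:80        ESTABLISHED     1040
  TCP    192.168.1.65:1039      203.0.113.7:6667       ESTABLISHED     2212
  TCP    192.168.1.65:1040      203.0.113.8:6667       ESTABLISHED     2212
  TCP    192.168.1.65:1041      203.0.113.9:6667       ESTABLISHED     2212
  UDP    0.0.0.0:123            *:*                                    1040
"""

WEB_PORTS = {"80", "443"}


def parse_netstat(text):
    """Turn `netstat -ano` output into a list of connection records."""
    conns = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue                                # banner, header and blank lines
        proto, local, foreign = tokens[0], tokens[1], tokens[2]
        if proto == "TCP":
            state, pid = tokens[3], int(tokens[4])
        else:
            state, pid = None, int(tokens[3])       # UDP rows have no State column
        remote_host, remote_port = foreign.rsplit(":", 1)
        conns.append({"proto": proto, "local": local, "remote_host": remote_host,
                      "remote_port": remote_port, "state": state, "pid": pid})
    return conns


def summarize(conns):
    """Group connections by owning PID: total, per-state counts, remote hosts and ports.

    PID 0 collects the TIME_WAIT entries: the process already closed the socket but
    the TCP stack keeps the entry for a while, so a browser's connections linger
    after the page has finished loading.
    """
    summary = {}
    for c in conns:
        entry = summary.setdefault(c["pid"], {
            "total": 0, "by_state": Counter(),
            "remote_hosts": set(), "remote_ports": Counter()})
        entry["total"] += 1
        entry["by_state"][c["state"] or "UDP"] += 1
        entry["remote_hosts"].add(c["remote_host"])
        entry["remote_ports"][c["remote_port"]] += 1
    return summary


def unusual_pids(summary, min_conns=3):
    """PIDs holding at least min_conns connections, most of them to non-web ports.

    Many parallel connections to port 80/443 is what a browser rendering a page looks
    like; a process fanning out to several hosts on some other port is the one worth
    mapping to an executable with `tasklist`.
    """
    flagged = []
    for pid, e in summary.items():
        if pid == 0 or e["total"] < min_conns:
            continue
        non_web = sum(n for port, n in e["remote_ports"].items() if port not in WEB_PORTS)
        if non_web * 2 > e["total"]:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(parse_netstat(SAMPLE_NETSTAT))
    for pid, e in sorted(s.items()):
        print(pid, e["total"], dict(e["by_state"]), sorted(e["remote_hosts"]))
    print("worth a look:", unusual_pids(s))
```

In the constructed sample the browser PID 1780 accounts for five entries, all to port 80, and is not flagged; the made-up PID 2212 with three connections to port 6667 is. On a real machine run `netstat -ano` a few seconds apart and compare: entries that churn between ESTABLISHED and TIME_WAIT as pages load are normal browser behaviour.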

A couple of questions first off…

You’ve posted in the CFP v2 forum. I want to confirm that you’re running CFP v2.4, and not v3.

Have you checked the CFP log? In v2.4, click Activity → Logs. In v3, Firewall → Common Tasks, View Firewall Events. If you’re unsure of how to interpret the logs, you can post the logs here.

Are you running any p2p or other filesharing programs? If so, you could be seeing some upstream ISP doing some network throttling.

Posted by: sded What browser are you using?

Okay, I'm using Firefox version 3.0 as my browser, though tbh have also tried this with IE7 and the results appear to be the same drastic speed loss. Just did a ping test also, thanks to the advice of someone else, and appear to be dropping the odd packet here and there also.

The test was done at http://www.broadbandspeedchecker.co.uk/ and have had a stable 13 meg connection for about 3 months now; only as of today has it plummeted to horrible chuggy speeds :(.

Posted by: grue155 Have you checked the CFP log?

I'm pretty sure it's version 2.4 though I have no idea how to get the log file into a postable format. I'm not, as far as I'm aware, running any p2p stuff (or should I say if I am then I don't know how).

Thanks for this guys, tbh have never had to deal with anything like this before and I'm really grateful for the help.

Jonie

Have you checked by using “tracert” to a known location, like www.google.com? If there is some kind of ISP network problem, it’ll show the slowdown in the router timings.

Your HJT log doesn't show any p2p software running. You actually seem to be running a very clean machine.

As to the CFP version, if you open the tray icon, and you’re presented with a mostly blue window with an About in the upper right corner, you can press the About and it’ll likely tell you v2.4. If it’s not mostly blue, then you’ll need to click Miscellaneous, then About, and it’ll likely tell you v3.

Thanks for the fast reply, yeah it's 2.4.

Here's the tracert log.

Traceroute
Result for www.google.com:

traceroute: Warning: www.google.com has multiple addresses; using 66.249.93.104
traceroute to www.l.google.com (66.249.93.104), 64 hops max, 40 byte packets
1 giga-2.enst.fr (137.194.2.254) 0.426 ms 0.402 ms 0.381 ms
2 gw-enst-itix1-100m.enst.fr (137.194.4.253) 1.095 ms 0.631 ms 0.983 ms
3 gi9-48.228.ccr01.par04.atlas.cogentco.com (149.6.164.1) 1.553 ms 2.064 ms 1.713 ms
4 te1-3.mpd02.par01.atlas.cogentco.com (130.117.2.94) 6.446 ms
te1-3.ccr01.par01.atlas.cogentco.com (130.117.2.21) 2.733 ms 2.522 ms
5 te7-7.mpd02.lon01.atlas.cogentco.com (130.117.2.6) 11.443 ms 10.736 ms
te9-7.mpd02.lon01.atlas.cogentco.com (130.117.3.134) 11.530 ms
6 te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225) 11.053 ms
vl3493.mpd01.lon01.atlas.cogentco.com (130.117.2.17) 16.183 ms
te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225) 10.715 ms
7 72.14.198.37 (72.14.198.37) 10.856 ms 10.461 ms 10.834 ms
8 209.85.252.42 (209.85.252.42) 11.217 ms 10.602 ms 10.476 ms
9 216.239.43.123 (216.239.43.123) 22.327 ms 22.207 ms 21.564 ms
10 72.14.233.77 (72.14.233.77) 23.234 ms 23.078 ms
72.14.233.79 (72.14.233.79) 23.669 ms
11 216.239.47.25 (216.239.47.25) 23.635 ms
66.249.94.54 (66.249.94.54) 26.423 ms
216.239.47.25 (216.239.47.25) 25.176 ms
12 ug-in-f104.google.com (66.249.93.104) 28.249 ms 27.712 ms 24.460 ms

Looks like a load of gibberish to me.

Jonie

That's okay. I speak gibberish, in several dialects. Tracert is showing normal traffic flow, with a little bit of delay in hop 8. Not enough to be any kind of problem, especially not as you're describing.

Let’s see what’s in the CFP log. Click Activity → Logs, then right click anywhere in the log itself. That will let you export to HTML, saved as a file which you can post here.
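For readers who want to do the "router timings" check suggested above without reading the raw hops by eye, here is an added example (not code from the thread): a script that parses the traceroute output posted above, plus a second, constructed trace with a timed-out hop and a large latency jump, and reports the per-hop increase in best-case RTT. It uses the minimum of the three probes per hop, since routers answer ICMP on a slow path and the minimum is the least noisy estimate; continuation lines (a second responder for the same hop) are folded into that hop. One caveat worth noting: the first hop of the posted trace is a host at enst.fr, not the 192.168.1.254 gateway that appears later in this thread's firewall log, so that trace was evidently run from a web traceroute service and measures that server's path to Google, not Jonie's. The check that actually answers the question is `tracert www.google.com` typed at a command prompt on the slow machine.

```python
import re

# Traceroute output posted earlier in this thread, used here as sample input.
POSTED_TRACEROUTE = """\
traceroute: Warning: www.google.com has multiple addresses; using 66.249.93.104
traceroute to www.l.google.com (66.249.93.104), 64 hops max, 40 byte packets
1 giga-2.enst.fr (137.194.2.254) 0.426 ms 0.402 ms 0.381 ms
2 gw-enst-itix1-100m.enst.fr (137.194.4.253) 1.095 ms 0.631 ms 0.983 ms
3 gi9-48.228.ccr01.par04.atlas.cogentco.com (149.6.164.1) 1.553 ms 2.064 ms 1.713 ms
4 te1-3.mpd02.par01.atlas.cogentco.com (130.117.2.94) 6.446 ms
te1-3.ccr01.par01.atlas.cogentco.com (130.117.2.21) 2.733 ms 2.522 ms
5 te7-7.mpd02.lon01.atlas.cogentco.com (130.117.2.6) 11.443 ms 10.736 ms
te9-7.mpd02.lon01.atlas.cogentco.com (130.117.3.134) 11.530 ms
6 te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225) 11.053 ms
vl3493.mpd01.lon01.atlas.cogentco.com (130.117.2.17) 16.183 ms
te3-1.mpd01.lon01.atlas.cogentco.com (130.117.3.225) 10.715 ms
7 72.14.198.37 (72.14.198.37) 10.856 ms 10.461 ms 10.834 ms
8 209.85.252.42 (209.85.252.42) 11.217 ms 10.602 ms 10.476 ms
9 216.239.43.123 (216.239.43.123) 22.327 ms 22.207 ms 21.564 ms
10 72.14.233.77 (72.14.233.77) 23.234 ms 23.078 ms
72.14.233.79 (72.14.233.79) 23.669 ms
11 216.239.47.25 (216.239.47.25) 23.635 ms
66.249.94.54 (66.249.94.54) 26.423 ms
216.239.47.25 (216.239.47.25) 25.176 ms
12 ug-in-f104.google.com (66.249.93.104) 28.249 ms 27.712 ms 24.460 ms
"""

# Constructed trace (not from the thread) with a silent hop and a big latency jump.
CONSTRUCTED_BAD_TRACE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max, 40 byte packets
 1 gateway (192.168.1.254) 0.9 ms 0.8 ms 0.9 ms
 2 10.0.0.1 (10.0.0.1) 12.1 ms 11.8 ms 12.4 ms
 3 * * *
 4 198.51.100.5 (198.51.100.5) 310.2 ms 305.7 ms 298.4 ms
 5 203.0.113.10 (203.0.113.10) 312.0 ms 309.9 ms 311.3 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop number> <rest>"
ADDR_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")        # "host (ip)"
RTT_RE = re.compile(r"([\d.]+)\s+ms")                # each probe's RTT


def parse_traceroute(text):
    """Parse traceroute/tracert-style output into one record per hop."""
    hops, current = [], None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            current = {"hop": int(m.group(1)), "hosts": [], "addresses": [],
                       "rtts": [], "timeouts": 0}
            hops.append(current)
            body = m.group(2)
        elif current is not None and line.strip():
            body = line              # continuation line: another responder, same hop
        else:
            continue                 # banner lines before the first hop
        for host, ip in ADDR_RE.findall(body):
            if ip not in current["addresses"]:
                current["addresses"].append(ip)
                current["hosts"].append(host)
        current["rtts"].extend(float(r) for r in RTT_RE.findall(body))
        current["timeouts"] += body.count("*")
    return hops


def hop_deltas(hops):
    """(hop, increase of best RTT over the previous answering hop); None if silent."""
    deltas, prev = [], None
    for h in hops:
        if not h["rtts"]:
            deltas.append((h["hop"], None))
            continue
        best = min(h["rtts"])
        deltas.append((h["hop"], best - prev if prev is not None else best))
        prev = best
    return deltas


def largest_jump(hops):
    """The hop that added the most latency, as (hop, milliseconds)."""
    return max((d for d in hop_deltas(hops) if d[1] is not None), key=lambda d: d[1])


def flag_hops(hops, jump_ms=50.0):
    """Hops that answered nothing, or added more than jump_ms of latency."""
    flagged = []
    for n, d in hop_deltas(hops):
        if d is None:
            flagged.append((n, "no response"))
        elif d > jump_ms:
            flagged.append((n, "latency jump %.1f ms" % d))
    return flagged


if __name__ == "__main__":
    for name, text in (("posted", POSTED_TRACEROUTE), ("constructed", CONSTRUCTED_BAD_TRACE)):
        hops = parse_traceroute(text)
        print(name, "largest jump:", largest_jump(hops), "flagged:", flag_hops(hops))
```

On the posted trace the largest single-hop increase is about 11 ms at hop 9 (the Paris-to-London leg is the other 8 ms step at hop 5), so nothing is flagged; the constructed trace shows what a genuinely bad path looks like: a hop that never answers and a hop that adds hundreds of milliseconds. A silent hop on its own is often just a router that does not send ICMP time-exceeded; it matters when the hops after it are also slow or missing.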

Glad you do, as there's a cold soda's chance in hell of me understanding it.

Ok here we go, and it's not a small file.

COMODO Firewall Pro Logs

Date Created: 00:03:42 02-07-2008

Log Scope:: Today

Date/Time :2008-07-02 00:02:43
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.65
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5

Date/Time :2008-07-02 00:02:40
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.65::ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-02 00:02:28
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 87.248.212.8::http(80)
Details: C:\WINDOWS\system32\svchost.exe contains 2 components to be approved
Components: c:\WINDOWS\system32\qmgr.dll
C:\WINDOWS\system32\qmgrprxy.dll

Date/Time :2008-07-02 00:01:31
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 87.248.212.8::http(80)
Details: C:\WINDOWS\system32\mmc.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:48
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:59:41
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 207.46.19.254::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:40
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:59:09
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.65::dhcp(68)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2008-07-01 23:56:53
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.123::8095
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\dcpr.dll

Date/Time :2008-07-01 23:56:43
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:56:25
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 11 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\client\jvm.dll
C:\Program Files\Java\jre1.5.0_07\bin\hpi.dll
C:\Program Files\Java\jre1.5.0_07\bin\verify.dll
C:\Program Files\Java\jre1.5.0_07\bin\java.dll
C:\Program Files\Java\jre1.5.0_07\bin\zip.dll
C:\Program Files\Java\jre1.5.0_07\bin\awt.dll
C:\WINDOWS\system32\d3dim700.dll
C:\Program Files\Java\jre1.5.0_07\bin\fontmanager.dll
C:\Program Files\Java\jre1.5.0_07\bin\deploy.dll
C:\Program Files\Java\jre1.5.0_07\bin\RegUtils.dll
C:\Program Files\Java\jre1.5.0_07\bin\net.dll

Date/Time :2008-07-01 23:56:21
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.130::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 2 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\jpinscp.dll
C:\Program Files\Java\jre1.5.0_07\bin\jpishare.dll

Date/Time :2008-07-01 23:56:21
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 80.249.99.130::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 2 components to be approved
Components: C:\Program Files\Java\jre1.5.0_07\bin\NPOJI610.dll
C:\Program Files\Java\jre1.5.0_07\bin\jpioji.dll

Date/Time :2008-07-01 23:51:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1845
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1844
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1843
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1842
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1841
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1840
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1839
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1838
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1837
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1836
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:41:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1835
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:31:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:19:43
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:19:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 199.232.43.137::http(80)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe has modified the the User interface of C:\Program Files\Mozilla Firefox\firefox.exe by sending special Window messages.

Date/Time :2008-07-01 23:19:36
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe has modified the the User interface of C:\Program Files\Mozilla Firefox\firefox.exe by sending special Window messages.

Date/Time :2008-07-01 23:19:33
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (HijackThis.exe)
Application: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\wbem\wbemdisp.dll

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1767
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1766
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1765
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1764
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1763
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1762
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1761
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1760
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1759
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1758
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:12:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1757
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:11:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 23:09:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:06:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.65
Destination: 192.168.1.254
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 23:05:47
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 216.35.19.134::http(80)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\Macromed\Common\SwSupport.dll

Date/Time :2008-07-01 23:05:47
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Mozilla Firefox\firefox.exe contains 1 components to be approved
Components: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

Date/Time :2008-07-01 22:51:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1646
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1645
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1644
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1643
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1642
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1641
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1640
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1639
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1638
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1637
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:44:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1636
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:31:01
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1573
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1572
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1571
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1570
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1569
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1568
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1567
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1566
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1565
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1564
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:15:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1563
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:11:53
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:11:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 22:10:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 22:08:30
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 22:06:21
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:20
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 22:06:16
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbname(137)

Date/Time :2008-07-01 22:06:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255: :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)

Date/Time :2008-07-01 21:58:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:55:00
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (avgcmgr.exe:38.103.37.248: :http(80))
Application: C:\Program Files\AVG\AVG8\avgcmgr.exe
Parent: C:\Program Files\AVG\AVG8\avgwdsvc.exe
Protocol: TCP Out
Destination: 38.103.37.248::http(80)

Date/Time :2008-07-01 21:54:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:28
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.65:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:54:03
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol:ICMP Incoming
Source: 192.168.1.64
Destination: 192.168.1.65
Message: ECHO REQUEST
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:53:58
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.64:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:53:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 72.5.167.152, Port = 1769)
Protocol: TCP Incoming
Source: 72.5.167.152:http(80)
Destination: 192.168.1.65:1769
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1453
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1452
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1451
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1450
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1449
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1448
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1447
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1446
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1445
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1444
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:47:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.254, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.254:1443
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:46:13
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.64, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.64:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:192.168.1.254: :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:127.0.0.1: :1660)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::1660

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:127.0.0.1: :1658)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::1658

This is not the full day's file, wouldn't want to cripple a server :frowning:

Jonie

There are a couple of interesting things in that portion of the log. Nothing dangerous, just some things that can be streamlined a little.

One thing of note though, which would show itself as a network slowdown, is that Firefox is being denied DNS queries to your router. That will cause a hang until a timeout occurs, which will look for all the world like a network that is seriously wedged.

So, let’s see what rules are in place for Firefox. In CFP, click Security → Application Monitor. There are likely several lines for firefox.exe. I’ll need to know what those lines are: destination, port, protocol, allow or block. It’s port 53 for UDP that is what I’m looking for, in particular.

From your log, I take it your router is at 192.168.1.254, and some other device on your LAN at 192.168.1.64. With your machine at 192.168.1.65. Am I reading that correctly?

OK, as far as I can see there is only one entry for Firefox in the security section.

Firefox.exe
Destination (any)
Port (any)
Protocol (TCP/UDP In/Out)
Permission (check)

Can only see that one showing :frowning:

Jonie (:WAV)

Odd, as this entry shows a block

Date/Time :2008-07-01 21:46:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:192.168.1.254: :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)

No matter. There are some other things that can be done, which should streamline things a bit.

First, I want to define two network zones. Click Security → Tasks, Add/Remove/Modify Zone. We’ll create two new zones.

First, is zone “MyLAN”. Starting address is 192.168.1.0, ending at 192.168.1.255.

Second, is zone “Multicast”. Starting address is 224.0.0.0, ending at 239.255.255.255.

MyLAN is almost exactly the same as your existing zone definition, except that it includes the end point addresses x.0 and x.255. You could edit your existing LAN zone definition if you prefer.

With those two zones, there are a few new network rules to put in place. Click Security → Network Monitor, and then add these rules:

Allow IP In&Out from zone[MyLAN] to zone[MyLAN]

Allow IP In&Out from zone[MyLAN] to zone[Multicast]

Then move these two rules up to the top of the list of network rules. Highlight the line, and Move Up as needed. CFP evaluates the rules in order from the top down, and the first match wins. These two should be right up there.

Those two rules will get rid of a bunch of stuff that is filling up your CFP log. You may have to restart CFP, or at worst reboot, to make sure everything sticks and resets properly.

Once everything is reset, then you can clear the logs (clear all logs, next to the export to html). Browse around for a bit, and see the bits that start filling in the logs. That should make it a little easier to dig out where the wedge is.
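
As an added illustration of the zone and rule-ordering advice above (this is example code written for this page, not grue's instructions or anything from Comodo), the following Python models CFP's top-down, first-match evaluation with the two new zones and the two new rules placed ahead of a catch-all block that stands in for the page's "Network Control Rule ID = 5". It pushes a handful of events constructed from the log entries above through the rule list and reports which would still be logged. The "Any" zone, the outbound-allow rule and the rule numbers are assumptions for illustration, not a reading of the poster's actual rule set.

```python
import ipaddress
from dataclasses import dataclass

# Zones as defined in the post; the "Any" zone is an assumption used for the catch-all rules.
ZONES = {
    "MyLAN":     ("192.168.1.0", "192.168.1.255"),
    "Multicast": ("224.0.0.0",   "239.255.255.255"),
    "Any":       ("0.0.0.0",     "255.255.255.255"),
}


def in_zone(addr: str, zone: str) -> bool:
    lo, hi = (ipaddress.IPv4Address(a) for a in ZONES[zone])
    return lo <= ipaddress.IPv4Address(addr) <= hi


@dataclass
class Rule:
    rule_id: int
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "in&out"
    src_zone: str
    dst_zone: str


@dataclass
class Event:
    direction: str  # "in" or "out"
    proto: str
    src: str
    dst: str
    note: str       # which log entry above the event was modelled on


def matches(rule: Rule, ev: Event) -> bool:
    if rule.direction != "in&out" and rule.direction != ev.direction:
        return False
    return in_zone(ev.src, rule.src_zone) and in_zone(ev.dst, rule.dst_zone)


def evaluate(rules, ev):
    """Top-down, first match wins; a packet that reaches no rule is blocked."""
    for rule in rules:
        if matches(rule, ev):
            return rule.rule_id, rule.action
    return None, "block"


# Assumed rule list: the two new rules on top, then an outbound allow, then the
# logging catch-all block standing in for the page's "Network Control Rule ID = 5".
RULES = [
    Rule(1, "allow", "in&out", "MyLAN", "MyLAN"),
    Rule(2, "allow", "in&out", "MyLAN", "Multicast"),
    Rule(3, "allow", "out",    "Any",   "Any"),
    Rule(5, "block", "in&out", "Any",   "Any"),
]

# Events constructed from entries in the log extract above.
EVENTS = [
    Event("in",  "UDP",  "192.168.1.254", "239.255.255.250", "router SSDP to upnp-mcast(1900)"),
    Event("in",  "UDP",  "192.168.1.64",  "192.168.1.255",   "other PC nbdgram(138) broadcast"),
    Event("in",  "ICMP", "192.168.1.64",  "192.168.1.65",    "other PC ECHO REQUEST"),
    Event("out", "UDP",  "192.168.1.65",  "192.168.1.254",   "DNS to router"),
    Event("in",  "TCP",  "72.5.167.152",  "192.168.1.65",    "late SYN ACK from a web server"),
]


def still_logged(rules, events):
    """Notes of the events that still hit a block rule, i.e. would still appear in the log."""
    return [ev.note for ev in events if evaluate(rules, ev)[1] == "block"]


if __name__ == "__main__":
    for ev in EVENTS:
        rid, action = evaluate(RULES, ev)
        print(f"{ev.direction:3} {ev.proto:4} {ev.src:>15} -> {ev.dst:<15} "
              f"rule {rid}: {action}  ({ev.note})")
```

With the two new rules on top, the SSDP, NetBIOS and ping noise from the LAN is allowed by rule 1 or 2 and no longer reaches the logging block; the late SYN ACK from an Internet host still does, which is the kind of entry worth keeping. Note that the Firefox DNS denial in the log is reported by the Application Monitor, a separate layer that network rules do not change, which is why the application rules for firefox.exe are being asked about.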

OK, I've set up the two new zones and the logs have remained clear for the moment (this has now changed).

Mess of text enclosed.

COMODO Firewall Pro Logs
   

Date Created: 11:28:01 02-07-2008

Log Scope:: Today
   
Date/Time :2008-07-02 11:15:55
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.233.183.99::http(80)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:15:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:15:49
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:09:46
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 66.249.93.99::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 11:09:44
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 11:03:51
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.64::dhcp(68)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications. 
End of The Report

End of gibberish.

However, I still seem to have a terrible connection, and using IE7 and Firefox it's still showing 17-18 connections every time I go to any site.

The odd thing is that if I let the internet sit idle on a page for any time these connections drop down to 2 normally.
Quite often they are clones of each other.

Still waiting for the IP provider to come back with some news, however at last check there were 14 people sitting in front of me in the queue :frowning:

Missing my fast browsing tbh, this sucks in more ways than one.

Is it possible that my router is being used as a server for someone else? Seems odd that I have so many connections running. Could someone be piggybacking my connection and draining the resources?

Hope that makes sense I feel like a fish out of water atm and only large amounts of tea seem to keep me from pulling my hair out.

Jonie

There doesn’t seem to be anything really unusual in your log extract. Some Google browsing, and a DNS query through what I presume is your ISP nameserver.

Some more active monitoring seems to be in order. I’m going to ask that you download TCPView from TCPView for Windows - Sysinternals | Microsoft Learn

TCPView will monitor all your active connections in real time. There is an option (the floppy disk icon) to capture the moment, so you can post results here when strange things appear.
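
As an added example alongside the TCPView suggestion (example code written for this page, not grue's or Sysinternals' tooling), the following Python turns a `netstat -ano` snapshot into a per-process count of live outbound connections and distinct remote hosts, which is the comparison a "17-18 connections" moment needs. The sample table is constructed: PIDs are made up, and the addresses are reused from the log extracts in this thread purely as illustration. `live_snapshot()` assumes a Windows host where `netstat -ano` is available.

```python
import subprocess
from collections import Counter, defaultdict

# Constructed sample in `netstat -ano` layout (Windows). PIDs are made up; the addresses
# are reused from the thread's logs (192.168.1.65 is the poster's PC) for illustration only.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:1658         127.0.0.1:1660         ESTABLISHED     2140
  TCP    127.0.0.1:1660         127.0.0.1:1658         ESTABLISHED     2140
  TCP    192.168.1.65:1769      72.5.167.152:80        ESTABLISHED     2140
  TCP    192.168.1.65:1770      216.35.19.134:80       ESTABLISHED     2140
  TCP    192.168.1.65:1771      216.35.19.134:80       TIME_WAIT       0
  TCP    192.168.1.65:1772      64.233.183.99:80       ESTABLISHED     2140
  TCP    192.168.1.65:1773      64.233.183.99:80       ESTABLISHED     2140
  TCP    192.168.1.65:1774      38.103.37.248:80       SYN_SENT        1724
  UDP    192.168.1.65:1084      *:*                                    1032
"""

LOOPBACK = ("127.",)


def parse_netstat(text):
    """Parse `netstat -ano` output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the last field either way.
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def remote_host(endpoint):
    """IPv4 'host:port' only, which is all the XP-era table in this thread shows."""
    host, _, _ = endpoint.rpartition(":")
    return host


def summarize(rows):
    """Per PID: live TCP connections and distinct remote hosts, ignoring listeners,
    loopback pairs (the firefox.exe 127.0.0.1 entries in the log) and TIME_WAIT leftovers."""
    per_pid = defaultdict(Counter)
    for r in rows:
        if r["proto"] != "TCP" or r["state"] in ("LISTENING", "TIME_WAIT"):
            continue
        host = remote_host(r["foreign"])
        if host.startswith(LOOPBACK):
            continue
        per_pid[r["pid"]][host] += 1
    return {pid: {"connections": sum(c.values()), "hosts": sorted(c)}
            for pid, c in per_pid.items()}


def live_snapshot():
    """Windows only (assumption): capture the current table, much as TCPView's save does."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=True).stdout
    return summarize(parse_netstat(out))


if __name__ == "__main__":
    for pid, info in sorted(summarize(parse_netstat(SAMPLE)).items()):
        print(f"PID {pid}: {info['connections']} connections to "
              f"{len(info['hosts'])} hosts: {', '.join(info['hosts'])}")
```

A page load normally opens several connections to a few hosts at once and leaves TIME_WAIT entries behind for a while, so the raw count by itself says little; what is worth looking for in the snapshot is a PID that is not the browser, or a process you do not recognise, holding connections while the machine is idle. Map a PID to its executable with Task Manager (or TCPView's process column).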

Thanks for all the help grue, my IP has now sorted out the problem, which had something to do with packet dropping from my modem. And I'm back to a nice smooth 12meg connection now.

However …

This is worrying me a lot.

COMODO Firewall Pro Logs
   

Date Created: 17:29:19 02-07-2008

Log Scope:: Today
   
Date/Time :2008-07-02 17:26:54
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66 
Ports: 40964, 30980, 31748, 32260, 32516, 33028, 33540, 34564, 34308, 35332, 35588, 36100, 36356, 36868, 37124, 37892, 38148, 38404, 38660, 39428, 39172, 39684, 39940, 40196, 40452, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 
The attacker has been temporarily blocked
Date/Time :2008-07-02 17:25:56
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:87.194.0.67:  :dns(53))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Date/Time :2008-07-02 17:25:56
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:87.194.0.66:  :dns(53))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Date/Time :2008-07-02 17:25:24
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 87.194.0.66, Port = 1084)
Protocol: UDP Incoming
Source: 87.194.0.66:dns(53) 
Destination: 192.168.1.20:1084 
Reason: Network Control Rule ID = 7
Date/Time :2008-07-02 17:25:17
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Details: Microsoft Windows has loaded avgrsstx.dll into C:\WINDOWS\system32\svchost.exe by using a registry based(AppInit_DLLs) hook which could be used by keyloggers to steal private information.
Date/Time :2008-07-02 17:25:16
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: Microsoft Windows has loaded avgrsstx.dll into C:\WINDOWS\system32\svchost.exe by using a registry based(AppInit_DLLs) hook which could be used by keyloggers to steal private information.
Date/Time :2008-07-02 17:17:28
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66 
Ports: 34308, 22276, 23556, 24068, 24324, 24836, 25348, 25604, 24580, 26884, 27652, 28164, 28420, 26116, 29956, 30212, 30724, 30980, 31236, 32004, 31748, 32772, 33028, 33540, 34052, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 
The attacker has been temporarily blocked
Date/Time :2008-07-02 17:17:01
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.67::dns(53)
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 17:17:01
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 17:16:43
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 127.0.0.1::1033
Date/Time :2008-07-02 17:16:40
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (alg.exe:127.0.0.1:  :1034)
Application: C:\WINDOWS\system32\alg.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP In
Destination: 127.0.0.1::1034
Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Date/Time :2008-07-02 17:16:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 127.0.0.1::1033
Date/Time :2008-07-02 17:16:34
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.20:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.20::upnp-mcast(1900)
Date/Time :2008-07-02 17:16:34
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 127.0.0.1::upnp-mcast(1900)
Date/Time :2008-07-02 17:16:33
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:  :ms-rpc(135))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP In
Destination: 0.0.0.0::ms-rpc(135)
Date/Time :2008-07-02 12:55:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:47:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:40:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:35:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:25:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:23:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:22:15
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)
Date/Time :2008-07-02 12:22:15
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:127.0.0.1:  :2917)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 127.0.0.1::2917
Date/Time :2008-07-02 12:11:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:10:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 12:02:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)
Date/Time :2008-07-02 12:02:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.254:  :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.254::http(80)
Date/Time :2008-07-02 11:59:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 11:55:35
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:192.168.1.255:  :nbdgram(138))
Application: System
Parent: System
Protocol: UDP Out
Destination: 192.168.1.255::nbdgram(138)
Date/Time :2008-07-02 11:29:21
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66 
Ports: 63755, 54027, 54283, 54539, 54795, 55563, 55819, 56075, 57099, 49675, 57611, 58635, 58379, 50699, 59403, 59659, 60427, 60683, 60171, 61195, 61451, 61707, 62219, 63243, 63499, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 
The attacker has been temporarily blocked
Date/Time :2008-07-02 11:15:55
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.233.183.99::http(80)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:15:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:15:49
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 87.194.0.66::dns(53)
Details: C:\WINDOWS\system32\rundll32.exe has modified the the User interface of the Parent application C:\WINDOWS\explorer.exe by sending special Window messages. 
Date/Time :2008-07-02 11:09:46
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 66.249.93.99::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 11:09:44
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications. 
Date/Time :2008-07-02 11:03:51
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.64::dhcp(68)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications. 
End of The Report

Seems to be a lot of dodgy traffic floating about. Is there anything there I should be worrying about? I know it's being blocked, just concerned I guess.

Here's the TVS log.

:1220 TCP yourpc-ba21dbba:1422 38.103.37.243:http FIN_WAIT1
[System Process]:0 TCP yourpc-ba21dbba:1411 207.46.198.249:http TIME_WAIT
[System Process]:0 TCP yourpc-ba21dbba:1421 38.103.37.248:http TIME_WAIT
alg.exe:3236 TCP yourpc-ba21dbba:1031 yourpc-ba21dbba:0 LISTENING
avgemc.exe:2736 TCP yourpc-ba21dbba:10110 yourpc-ba21dbba:0 LISTENING
CLMLServer.exe:784 TCP yourpc-ba21dbba:12346 yourpc-ba21dbba:0 LISTENING
CLMLServer.exe:784 UDP yourpc-ba21dbba:1026 :
iexplore.exe:2552 TCP yourpc-ba21dbba:1395 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1409 65.55.197.125:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1401 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1407 65.55.197.254:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1403 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1425 65.55.151.10:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1404 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1390 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1392 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1393 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 UDP yourpc-ba21dbba:1089 :
lsass.exe:468 UDP yourpc-ba21dbba:isakmp :
lsass.exe:468 UDP yourpc-ba21dbba:4500 :
svchost.exe:716 TCP yourpc-ba21dbba:epmap yourpc-ba21dbba:0 LISTENING
svchost.exe:756 UDP yourpc-ba21dbba:1044 :
svchost.exe:756 UDP yourpc-ba21dbba:ntp :
svchost.exe:756 UDP yourpc-ba21dbba:ntp :
svchost.exe:804 UDP yourpc-ba21dbba:1060 :
svchost.exe:840 TCP yourpc-ba21dbba:2869 yourpc-ba21dbba:0 LISTENING
svchost.exe:840 UDP yourpc-ba21dbba:1900 :
svchost.exe:840 UDP yourpc-ba21dbba:1900 :
System:4 TCP yourpc-ba21dbba:netbios-ssn yourpc-ba21dbba:0 LISTENING
System:4 TCP yourpc-ba21dbba:microsoft-ds yourpc-ba21dbba:0 LISTENING
System:4 UDP yourpc-ba21dbba:netbios-ns :
System:4 UDP yourpc-ba21dbba:netbios-dgm :
System:4 UDP yourpc-ba21dbba:microsoft-ds :
Tcpview.exe:4020 UDP yourpc-ba21dbba:1429 :

Best of luck; if I stare at this too long I think I'm gonna go mad.

Jonie

I’m glad to hear that your traffic flow is back up to its proper running speed.

Everything is looking like normal, or at least known, traffic. In the TCPView log,

iexplore.exe:2552 TCP yourpc-ba21dbba:1395 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1409 65.55.197.125:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1401 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1407 65.55.197.254:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1403 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1425 65.55.151.10:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1404 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1390 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1392 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1393 213.155.157.97:http ESTABLISHED

All that bit, is normal browsing of Microsoft web sites (the 65.55.x.x belongs to Microsoft). The 213.155.157.97 belongs to Akamai, which is a “nearby” (in network terms) advert and graphics quick-retrieval heap. Routine stuff, just a lot of it.

This bit, on the other hand,

Date/Time :2008-07-02 17:17:28
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 87.194.0.66
Ports: 34308, 22276, 23556, 24068, 24324, 24836, 25348, 25604, 24580, 26884, 27652, 28164, 28420, 26116, 29956, 30212, 30724, 30980, 31236, 32004, 31748, 32772, 33028, 33540, 34052, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

is a known CFP v2.4 bug. There's a timing bug down in CFP v2.4 that gets tripped when packets come in too fast, and your connection speed may be fast enough to trip that bug. There's no fix, but the way to cut down on the log warnings is to raise the trip threshold. In CFP, click Security → Advanced, Advanced Attack Detection → Configure, the Intrusion Detection tab. Crank all of the "packet/sec" values up from the default (50, I think) to something like 2000 or more.

And

Date/Time :2008-07-02 17:16:40
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250:  :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

shouldn’t be in the log, if that “allow multicast” rule is doing its job. Something then is out of place. Not a problem, but potentially confusing. If you could screenshot your network rules, and post that screenshot here, we can work thru the details and get the rules sorted.
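The sorting done by hand in the reply above (which process owns which sockets, and which of them actually reach the Internet) is easy to automate. The Python below is an added example, not from this thread and not TCPView's own code: it parses a connection list in the format Jonie pasted, classifies each remote end as none, local, LAN or Internet, and summarises per process. The sample is built from lines quoted in the thread, with the truncated first line kept on purpose to show that malformed lines are reported rather than silently dropped. The hostname `yourpc-ba21dbba` is taken from the log; the match semantics of the regex are my assumption about the pasted format.

```python
"""Added example: summarise a TCPView-style connection list per process.
Not part of the forum thread and not TCPView's own code."""

import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

LOCAL_HOSTNAME = "yourpc-ba21dbba"   # the machine's own name as it appears in the log

# Sample input: lines taken from the log posted in the thread. The first line
# is the truncated one from the paste and is expected to fail parsing.
SAMPLE_LOG = """\
:1220 TCP yourpc-ba21dbba:1422 38.103.37.243:http FIN_WAIT1
[System Process]:0 TCP yourpc-ba21dbba:1411 207.46.198.249:http TIME_WAIT
[System Process]:0 TCP yourpc-ba21dbba:1421 38.103.37.248:http TIME_WAIT
alg.exe:3236 TCP yourpc-ba21dbba:1031 yourpc-ba21dbba:0 LISTENING
iexplore.exe:2552 TCP yourpc-ba21dbba:1395 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1409 65.55.197.125:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1401 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1407 65.55.197.254:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1403 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1425 65.55.151.10:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1404 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1390 65.55.11.240:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1392 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 TCP yourpc-ba21dbba:1393 213.155.157.97:http ESTABLISHED
iexplore.exe:2552 UDP yourpc-ba21dbba:1089 :
svchost.exe:716 TCP yourpc-ba21dbba:epmap yourpc-ba21dbba:0 LISTENING
svchost.exe:840 TCP yourpc-ba21dbba:2869 yourpc-ba21dbba:0 LISTENING
svchost.exe:840 UDP yourpc-ba21dbba:1900 :
System:4 TCP yourpc-ba21dbba:netbios-ssn yourpc-ba21dbba:0 LISTENING
Tcpview.exe:4020 UDP yourpc-ba21dbba:1429 :
"""

# process:pid  proto  local  remote  [state]; the process name may contain
# spaces ("[System Process]"), so it is matched non-greedily up to ":pid".
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_0-9]+))?\s*$"
)


@dataclass(frozen=True)
class Conn:
    key: str            # "process:pid"
    proto: str
    local_port: str
    remote_host: str
    remote_port: str
    state: Optional[str]
    remote_class: str   # none | local | lan | internet | name | other


def classify_remote(host: str) -> str:
    """Bucket the remote endpoint so Internet peers stand out from local noise."""
    if host == "":
        return "none"                      # unconnected UDP socket, no peer yet
    if host == LOCAL_HOSTNAME or host.startswith("127."):
        return "local"
    try:
        ip = ip_address(host)
    except ValueError:
        return "name"                      # a resolved hostname; needs a lookup to judge
    if ip.is_private:
        return "lan"
    return "internet" if ip.is_global else "other"


def parse_tcpview(text: str) -> Tuple[List[Conn], List[str]]:
    """Return (parsed connections, lines that did not match the format)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        _, _, lport = m["local"].rpartition(":")
        rhost, _, rport = m["remote"].rpartition(":")   # ":" alone -> ("", "")
        records.append(Conn(f"{m['proc']}:{m['pid']}", m["proto"], lport,
                            rhost, rport, m["state"], classify_remote(rhost)))
    return records, unparsed


def summarize(records: List[Conn]) -> Dict[str, dict]:
    """Per process: listening sockets, established sockets, distinct Internet hosts."""
    out: Dict[str, dict] = {}
    for r in records:
        s = out.setdefault(r.key, {"listening": 0, "established": 0,
                                   "established_internet": 0, "internet_hosts": set()})
        if r.state == "LISTENING":
            s["listening"] += 1
        if r.state == "ESTABLISHED":
            s["established"] += 1
            if r.remote_class == "internet":
                s["established_internet"] += 1
        if r.remote_class == "internet":
            s["internet_hosts"].add(r.remote_host)
    return out


def internet_talkers(records: List[Conn]) -> List[str]:
    """Processes holding at least one established connection to an Internet host."""
    return sorted(k for k, v in summarize(records).items() if v["established_internet"] > 0)


if __name__ == "__main__":
    recs, bad = parse_tcpview(SAMPLE_LOG)
    for key, s in sorted(summarize(recs).items()):
        print(f"{key:24s} listen={s['listening']} est={s['established']} "
              f"internet_hosts={sorted(s['internet_hosts'])}")
    print("unparsed lines:", bad)
```

Run on the sample, the only process with established Internet connections is `iexplore.exe:2552`, talking to five distinct hosts, which is the same conclusion the reply reaches by eye; the `[System Process]` entries are closed sockets in TIME_WAIT, and everything else is a listener or a local/unbound UDP socket.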

Ok have adjusted the packet sizes so hopefully that will solve that problem. (:LGH)

Can't do a direct screenie of Comodo so here's the typed version.

ID Permission Protocol Source Destination Criteria

0 Allow IP In/Out Zone (MyLan) [192.168.1.0 - 192.168.1.255] Any
  WHERE IPPROTO IS ANY

1 Allow IP In/Out Zone (Multicast) [224.0.0.0 - 239.255.255.255] Any
  WHERE IPPROTO IS ANY

2 Allow TCP/UDP Out Any Any
  WHERE SOURCE PORT IS (Any) AND DESTINATION PORT IS (Any)

3 Allow ICMP Out Any Any
  WHERE ICMP MESSAGE IS ECHO REQUEST

4 Allow ICMP In Any Any
  WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED

5 Allow ICMP In Any Any
  WHERE ICMP MESSAGE IS TIME EXCEEDED

6 Allow IP Out Any Any
  WHERE IPPROTO IS GRE

7 Block & Log IP In/Out Any Any
  WHERE IPPROTO IS ANY

I'm gonna have to get a screen grabber I think.

Jonie

Windows can do screenshots… Select the window, Alt-PrintScreen will copy that window to the Clipboard, then Ctrl-V as normal paste into something like Paint or Wordpad, and save as a file. And you got it.

We need to rework the first two rules.

First rule should be

Action: Allow
Protocol: IP
Direction: In&Out
Source IP: Zone[MyLAN]
Destination IP: Zone[MyLAN]
Source Port: Any
Destination Port: Any

Second rule should be, almost the same

Action: Allow
Protocol: IP
Direction: In&Out
Source IP: Zone[MyLAN]
Destination IP: Zone[Multicast]
Source Port: Any
Destination Port: Any

And that should do it.

I’d like to tighten up the rules just a little bit, to reflect some recently learned Windows madness.

Highlight this rule,

2 Allow TCP/UDP Out Any Any WHERE SOURCE PORT IS (Any) AND DESTINATION PORT IS (Any)

then right click that highlighted line, and select “Add Before”. We’re going to add a rule,

Action: Block (do not log)
Protocol: TCP&UDP
Direction: Out
Source IP: Any
Destination IP: Any
Source port: Any
Destination port: a set of ports (comma separated) : 135,137,138,139,445

Windows, it seems, has this mad idea of going out to the Internet to resolve names when the regular Internet name lookup comes up empty. Blocking this set of ports makes sure that no Netbios traffic will get anywhere near the Internet.

If your router has a firewall capability, then having a comparable rule on the router would be a good thing to have.

And, as a general security measure, it is strongly recommended that you change the router login password if you haven’t done so already. There is active malware that will attack routers using the default passwords to get in. You really don’t want somebody on the far side of the planet mucking about inside your router. So don’t use the factory default password on your router.
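CFP evaluates network rules top down and the first match wins, so the order of the reworked rules 0 and 1 and the position of the new NetBIOS block rule (before the "Allow TCP/UDP Out") decide what actually happens. The Python below is an added example, not from this thread and not Comodo's code: a simplified first-match evaluator that loads the rule list as posted and the same list after the changes proposed in the reply, then runs a few sample packets through both. The zone ranges are the ones in the posted rule list; the match semantics are my assumption, not Comodo's engine; the ICMP and GRE rules are left out because none of the sample packets reach them; 203.0.113.5 is a documentation address standing in for an arbitrary Internet host.

```python
"""Added example: first-match evaluation of the CFP v2.4 rule list from the
thread, before and after the proposed rework. Not Comodo's code; simplified."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones exactly as they appear in the posted rule list.
ZONES = {
    "MyLAN": ip_network("192.168.1.0/24"),      # 192.168.1.0 - 192.168.1.255
    "Multicast": ip_network("224.0.0.0/4"),     # 224.0.0.0 - 239.255.255.255
    "Any": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    action: str                         # "Allow" or "Block"
    protocol: str                       # "IP" (any), "TCP", "UDP" or "TCP/UDP"
    direction: str                      # "In", "Out" or "In/Out"
    src_zone: str
    dst_zone: str
    dst_ports: frozenset = frozenset()  # empty means any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified CFP matching: protocol, direction, zones, destination port."""
    proto_ok = rule.protocol == "IP" or pkt.protocol in rule.protocol.split("/")
    dir_ok = rule.direction == "In/Out" or rule.direction == pkt.direction
    src_ok = ip_address(pkt.src) in ZONES[rule.src_zone]
    dst_ok = ip_address(pkt.dst) in ZONES[rule.dst_zone]
    port_ok = not rule.dst_ports or pkt.dst_port in rule.dst_ports
    return proto_ok and dir_ok and src_ok and dst_ok and port_ok


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of the rule that fired)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "Block", None   # never reached here, the last rule is a catch-all


NETBIOS_PORTS = frozenset({135, 137, 138, 139, 445})

# Rule list as posted (ICMP and GRE rules omitted).
ORIGINAL_RULES = [
    Rule("Allow", "IP", "In/Out", "MyLAN", "Any"),        # 0
    Rule("Allow", "IP", "In/Out", "Multicast", "Any"),    # 1
    Rule("Allow", "TCP/UDP", "Out", "Any", "Any"),        # 2
    Rule("Block", "IP", "In/Out", "Any", "Any"),          # 7 in the original numbering
]

# The same list after the reply's changes: narrowed rules 0 and 1, plus the
# NetBIOS block inserted before the "Allow TCP/UDP Out" rule.
REWORKED_RULES = [
    Rule("Allow", "IP", "In/Out", "MyLAN", "MyLAN"),
    Rule("Allow", "IP", "In/Out", "MyLAN", "Multicast"),
    Rule("Block", "TCP/UDP", "Out", "Any", "Any", NETBIOS_PORTS),
    Rule("Allow", "TCP/UDP", "Out", "Any", "Any"),
    Rule("Block", "IP", "In/Out", "Any", "Any"),
]

# Sample packets. 192.168.1.20, 239.255.255.250 and 64.233.183.99 appear in the
# thread's logs; 203.0.113.5 is a constructed stand-in for an Internet host.
UPNP_OUT = Packet("UDP", "Out", "192.168.1.20", "239.255.255.250", 1900)
HTTP_OUT = Packet("TCP", "Out", "192.168.1.20", "64.233.183.99", 80)
NETBIOS_OUT = Packet("UDP", "Out", "192.168.1.20", "203.0.113.5", 137)
SMB_IN = Packet("TCP", "In", "203.0.113.5", "192.168.1.20", 445)


def compare(pkt: Packet) -> dict:
    """Which rule fires for this packet under each list."""
    return {"original": evaluate(ORIGINAL_RULES, pkt),
            "reworked": evaluate(REWORKED_RULES, pkt)}


if __name__ == "__main__":
    samples = [("UPnP multicast out", UPNP_OUT), ("HTTP out", HTTP_OUT),
               ("NetBIOS name query out", NETBIOS_OUT), ("SMB in from Internet", SMB_IN)]
    for name, pkt in samples:
        print(f"{name:24s} {compare(pkt)}")
```

What the model makes visible: in the list as posted, rule 0 (source MyLAN, destination Any) matches every outbound packet from the PC, so a NetBIOS block added before rule 2 would never be consulted for outbound traffic. Once rule 0 is narrowed to MyLAN → MyLAN and rule 1 to MyLAN → Multicast, the UPnP packet is still allowed (now by rule 1), an outbound NetBIOS datagram to an Internet address falls through to the new block rule, ordinary HTTP falls through to the "Allow TCP/UDP Out" rule, and an unsolicited inbound SMB connection still dies on the final catch-all block in both lists.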