Confused About My Firewall


3 replies to this topic

#1 Brandon5550

Brandon5550

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 14 November 2007 - 04:25 PM

Hi there,
I'm new here. Hope this is in the right forum.


1) A couple of weeks ago I made a firewall rule in Norton Internet Security like this:
Block connections to and from other computers;
Only the computers and sites listed below:
www.winantivirus.com
www.systemdoctor.com

Protocols to block:
TCP and UDP

Types of communication, or ports, to block:
All types of communication (all ports, local and remote)

Description: Winfixer
Category: Web Browsers.


Anyone know if I did this right? I was worried about a Winfixer infection after my friend had one, so I made this. Now I frequently get these notices of the rule being 'matched'.

Program : svchost.exe
Path : C:\WINDOWS\system32\
Date : 08/11/2007
Local Address: All local network adapters : 2869
Protocall : TCP (inbound)
Location : Default

Program : MsnMsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 10/11/2007 22:43
Local Address: All local network adapters : 3966
Protocal : TCP (Inbound)
Location : Default

Program : MsnMsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 10/11/2007 22:44
Local Address: All local network adapters : 4013
Protocal : TCP (Inbound)
Location : Default

Program : MsnMsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 10/11/2007 22:44
Local Address: All local network adapters : 4013
Protocal : TCP (Inbound)
Location : Default

Program : MsnMsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 10/11/2007 22:45
Local Address: All local network adapters : 4036
Protocal : TCP (Inbound)
Location : Default

Program : svchost.exe
Path : C:\WINDOWS\system32\
Date/Time : 10/11/2007 23:31
Local Address: All local network adapters : 2869
Protocal : TCP (Inbound)
Location : Default

Program : msnmsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 10/11/2007 23:40
Local Address: All local network adapters : 2334
Protocal : TCP (Inbound)
Location : Default


Program : msnmsgr.Exe
Path : C:\Program Files\MSN Messenger\
Date/Time : 11/11/2007 13.56
Local Address: All local network adapters : 3969
Protocal : TCP (Inbound)
Location : Default

All the notifications are for the same programs.

2) 2 intrusion attempts were also blocked, one day after the other.

Time : 23:29
Date : 10/11/2007
Intrusion : Invalid UDP Destination Port.
Intruder : (My Computer's name)(My internal IP address for the wireless router)
Risk Level : Medium.
Source IP addre: (My Computer's name)(My internal IP address for the wireless router)
Destination IP : XX.XXX.XXX.XXX
UDP Source Port: 50708.
UDP Dest. Port : 0. Invalid.


Time : 21:27
Date : 11/11/2007
Intrusion : Invalid UDP Destination Port.
Intruder : (My Computer's name)(My internal IP address for the wireless router)
Risk Level : Medium.
Source IP addre: (My Computer's name)(My internal IP address for the wireless router)
Destination IP : XX.XXX.XXX.XXX
UDP Source Port: 50708.
UDP Dest. Port : 0. Invalid.

The destination IPs are the same, and I'm not sure if it's mine or not. I believe not, and the destination IP is in Toronto (WHOIS search). (I live in the UK.)

3) AVG Free has picked up 2 'changes' after scanning. It picks these up consistently. I edited the hosts file using HostsXpert and deleted some entries in there. In retrospect I probably shouldn't have. Spybot S&D also added entries to the hosts file, but the hosts change keeps coming up in every scan. The shell32.dll has only recently been detected by AVG Free...

Object - Result - Status
C:\WINDOWS\system32\shell32.dll - Change - Changed
C:\WINDOWS\system32\drivers\etc\hosts - Change - Changed

4) Trojan horse drop detected by AVG Free a few weeks ago.

Object name - A0093206.exe
Object path - C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP111
Discovery - Trojan horse Dropper.Generic_c.DC
Source computer - (mine)
Finder - (my user account)
File size - 606 KB (620591 bytes)
Healable - No
Source - Backup copy
Status - Infected.

Can anyone shed some light on this? I'm not all that technical with antivirus stuff... hehe. Hope I don't sound too stupid.
Thanks for the help =)

Plz let me know if you need any more info =)

Edited by Brandon5550, 14 November 2007 - 04:27 PM.
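A small triage helper for alerts in the layout pasted above, added here as an example (it is not the poster's or Norton's code, and the sample text is constructed from the entries in this post): it parses the "Key : value" blocks and counts matches per program and direction, which makes it easy to see that every match is inbound TCP from the same two programs.

```python
import re
from collections import Counter

# Constructed sample: three of the Norton alerts from the post, in its "Key : value" layout.
SAMPLE_LOG = """\
Program : svchost.exe
Path : C:\\WINDOWS\\system32\\
Date : 08/11/2007
Local Address: All local network adapters : 2869
Protocall : TCP (inbound)
Location : Default

Program : MsnMsgr.Exe
Path : C:\\Program Files\\MSN Messenger\\
Date/Time : 10/11/2007 22:43
Local Address: All local network adapters : 3966
Protocal : TCP (Inbound)
Location : Default

Program : msnmsgr.Exe
Path : C:\\Program Files\\MSN Messenger\\
Date/Time : 11/11/2007 13.56
Local Address: All local network adapters : 3969
Protocal : TCP (Inbound)
Location : Default
"""

LINE_RE = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*)$")  # key may hold a slash or spaces

def parse_alerts(text):  # one dict per blank-line-separated alert; keys lower-cased
    alerts, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # a blank (or otherwise unparseable) line ends the current alert
            if current:
                alerts.append(current)
                current = {}
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key.startswith("protoc"):  # the log spells "Protocol" two different ways
            key = "protocol"
        if key == "local address":  # "All local network adapters : 2869" -> port 2869
            current["port"] = int(value.rsplit(":", 1)[1])
        current[key] = value
    if current:
        alerts.append(current)
    return alerts

def summarize(alerts):  # matches per (program, protocol/direction), program case-folded
    return Counter((a["program"].lower(), a["protocol"].lower()) for a in alerts)
```

Paste the full set of alerts into `SAMPLE_LOG` (or read them from a file) and the Counter shows at a glance which programs and directions the rule is actually catching.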



#2 Brandon5550

Brandon5550
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 14 November 2007 - 04:31 PM

Hmm, C:\System Volume Information is a hidden system folder, with seemingly nothing in it. However, access is denied...
Edit: a Google search reveals this to be normal ;)

Edited by Brandon5550, 14 November 2007 - 04:32 PM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,563 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:27 PM

Posted 14 November 2007 - 10:38 PM

AVG does not change your HOSTS file but it will alert you that the HOSTS file has changed since the last scan. If you did not make any changes, then you need to investigate what the changes are. Since you used HostsXpert and Spybot, that probably accounts for the changes but you still should investigate your HOSTS file.

Reported changes in system files such as kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe are normal for AVG.

There are many valid reasons for those files to show as changed: a Windows update, a file system check that replaced them if corrupted, and others. As long as AVG doesn't say they are infected, it is OK. If it continues to show them as changed, delete the following file(s) in the C:\ directory and AVG will create new one(s): AVG7DB_F.DAT, AVG7QT.DAT

kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe have "changed"
AVG free edition shows shell32.dll changed

It is normal for AVG to show that files, the MBR or boot record have changed. These are done during normal maintenance, when you or Windows update files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, press the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this, delete the file named AVG7QT.DAT in the %ALLUSERSPROFILE%\Application Data\avg7\ folder and AVG will rebuild it the next time it is run.

The %ALLUSERSPROFILE% is different for each version of Windows. The following are the typical locations for XP and Win9x:

XP - C:\Documents and Settings\All Users\Application Data\avg7
Win9x - C:\Windows\All Users\Application Data\avg7

Changed File Alerts

The file identified by AVG is in the System Volume Information Folder (SVI) which is a part of System Restore - the feature that allows you to set points in time to roll back your computer to a clean working state. This folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, your tools cannot access it to delete these files and they sometimes can reinfect your system if you accidentally use an old restore point.

To resolve this, you need to Set a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

#4 Brandon5550

Brandon5550
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 16 November 2007 - 02:56 PM

Thanks for shedding some light on this. =) I'll try the disk cleanup.
Glad I could find someone who could help
:flowers: :thumbsup:

Now could anyone help with the firewall issue?
I'd be very grateful =D
