SYN Flood from Avast?

[demigh0d]

I've been running Avast personal version on my laptop and my daughter's desktop for a couple months now and it's been working well.

About a week ago I installed it on my Wife's laptop and the past couple days have been investigating SYN floods that my firewall is reporting is coming from her computer.

The destination address is 69.63.178.112 which DNS resolves as channel42-09-01-snc1.facebook.com.

'netstat -abn' says that they're being generated by 'AvastSvc.exe'

TCP    10.1.20.21:2392        69.63.178.112:80       SYN_SENT        1808
 [AvastSvc.exe]

 TCP    10.1.20.21:2502        69.63.178.112:80       SYN_SENT        1808
 [AvastSvc.exe]

 TCP    10.1.20.21:2594        69.63.178.112:80       SYN_SENT        1808
 [AvastSvc.exe]

 TCP    10.1.20.21:2614        69.63.178.112:80       SYN_SENT        1808
 [AvastSvc.exe]

RGFW-IN: ACCEPT (TCP 10.1.20.21:2724->69.63.178.112:80 on ixp0) [1402,91881476]
Thu Feb  4 13:57:52 2010
RGFW-RATELIMIT: 42 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Thu Feb  4 13:57:51 2010

There are thousands of these SYN packets being sent every minute.

Any idea what could be causing this or what I can do to stop it? Avast scans don't find anything. Neither did Mcaffe (which I replaced with Avast), SpyBot or SpywareBlaster.

Thanks

[Vlk]

Interesting. Since the connection is being made on port 80 (http), it may be the WebShield proxy intercepting the connections from another process and relaying to FaceBook (WebShield in avast 5 runs in the context of AvastSvc.exe process). I'd suggest disabling WebShield for a while and seeing if anything changes (i.e. another process in the system may show up as generating the traffic).

Thanks
Vlk

[demigh0d]

I was wondering if that might be the case. I'll give that a try.

Duane

[demigh0d]

Ok, that solved the mystery. It was a facebook game my wife plays.

Duane