Author Topic: Infected with Whistler / Black internet  (Read 15378 times)


Offline essexboy

Re: Infected with Whistler / Black internet
« Reply #30 on: July 31, 2011, 07:15:17 PM »
So it is incoming - that is totally illogical  ???

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #31 on: July 31, 2011, 07:25:31 PM »
I think the source is my default gateway and the destination is my PC, whatever that means.

Edit: 16382 times in the last month, sometimes UDP, sometimes TCP, same destination port; the source port is tried 7 times then moves up 1, always the same IP.


« Last Edit: July 31, 2011, 07:42:02 PM by youngsta »

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #32 on: July 31, 2011, 08:12:32 PM »
Can I just ask as well: what does "detected NTDLL code modification" "ZwClose" mean? Thanks.

Online DavidR

Re: Infected with Whistler / Black internet
« Reply #33 on: July 31, 2011, 08:37:44 PM »
To me, like essexboy, that doesn't make sense either, as this is giving svchost.exe as the application but the blocking as inbound. Masking the destination IP, etc. doesn't aid investigation.

Generally there would be an associated outbound connection for any inbound connection to be attributed to a local file.

So I think filtering this on only inbound/blocked connections may be giving a misleading impression.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #34 on: July 31, 2011, 08:53:01 PM »
What should I change the policy to?

Online DavidR

Re: Infected with Whistler / Black internet
« Reply #35 on: July 31, 2011, 09:08:25 PM »
I don't think it is a case of changing policy, but of seeing all results and not just those blocked.

Virtually all outbound connections will have an associated inbound connection, so to make sense of this, there should be an outbound connection from svchost.exe at very close to the same time.

By looking at the associated outbound connection you can get an idea of what is going on. The svchost.exe file has legitimate reasons for making an outbound connection, and the most common is connecting to Windows Update.

I don't use Comodo, so I can't help with its settings.

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #36 on: July 31, 2011, 09:28:38 PM »
I've set it to allow and log outgoing. It is connecting to the IP address of my DNS server, and 1 to 255.255.255.255, from the IP address of my PC; on the incoming, the source is the IP of my default gateway and the destination is the IP address of my PC. I really, really don't understand what any of this means; it's just from looking at the Comodo log and the support tab of the LAN Status in the sys tray. So do you think I should just unblock it?
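An added example, not code from any post in this thread, that applies DavidR's suggestion in Reply #35 (line each blocked inbound event up with an outbound connection from the same application at nearly the same time) to log lines constructed to resemble the svchost.exe entries described in Reply #36. The log layout, the private addresses, the two-second window and the port-based DHCP/DNS labels are all assumptions made for this example; the thread does not show Comodo's actual export format.

```python
"""Added example (not from the thread): match blocked inbound firewall events
to the outbound connection from the same application that they answer.

The log layout below is an assumption for this example, not Comodo's real
export format:  date time app direction action proto src_ip:port dst_ip:port
"""
from datetime import datetime, timedelta

# Constructed sample log.  Addresses are private-range placeholders: the PC is
# 192.168.1.10, the default gateway (also acting as DHCP/DNS server) 192.168.1.1.
SAMPLE_LOG = """\
2011-07-31 19:10:01 svchost.exe OUT ALLOW UDP 192.168.1.10:68 255.255.255.255:67
2011-07-31 19:10:01 svchost.exe IN  BLOCK UDP 192.168.1.1:67 192.168.1.10:68
2011-07-31 19:10:05 svchost.exe OUT ALLOW UDP 192.168.1.10:52110 192.168.1.1:53
2011-07-31 19:10:05 svchost.exe IN  BLOCK UDP 192.168.1.1:53 192.168.1.10:52110
2011-07-31 19:12:40 svchost.exe IN  BLOCK TCP 192.168.1.1:35000 192.168.1.10:49152
"""

# How close in time an outbound event must be to count as the trigger (assumption).
WINDOW = timedelta(seconds=2)
BROADCAST = "255.255.255.255"


def parse(line):
    """Split one log line into a dict; ports become ints, the timestamp a datetime."""
    date, time, app, direction, action, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "app": app, "dir": direction, "action": action, "proto": proto,
        "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
    }


def is_reply(out, inb):
    """True if the inbound event mirrors the outbound flow, i.e. is a reply to it.

    A reply swaps the port pair.  A request sent to the broadcast address is
    answered from the server's own unicast address, so the peer IP is only
    compared when the request itself was unicast.
    """
    ports_mirror = out["sport"] == inb["dport"] and out["dport"] == inb["sport"]
    peer_ok = out["dip"] == inb["sip"] or out["dip"] == BROADCAST
    return ports_mirror and peer_ok and out["proto"] == inb["proto"]


def label(inb, match):
    """Human-readable verdict.  Port-based names are a heuristic (assumption):
    they say what a port is normally used for, not what the peer really sent."""
    if match is None:
        return "unsolicited inbound: no outbound from the same app within the window"
    if inb["proto"] == "UDP" and inb["sport"] == 67 and inb["dport"] == 68:
        return "reply to own request; ports look like DHCP (heuristic)"
    if inb["sport"] == 53:
        return "reply to own request; port looks like DNS (heuristic)"
    return "reply to own request"


def correlate(log_text):
    """For every blocked inbound event, find the outbound event it answers."""
    events = [parse(ln) for ln in log_text.strip().splitlines()]
    outbound = [e for e in events if e["dir"] == "OUT"]
    results = []
    for inb in events:
        if inb["dir"] != "IN" or inb["action"] != "BLOCK":
            continue
        match = next(
            (o for o in outbound
             if o["app"] == inb["app"]
             and abs(o["ts"] - inb["ts"]) <= WINDOW
             and is_reply(o, inb)),
            None,
        )
        results.append({"inbound": inb, "reply_to": match, "label": label(inb, match)})
    return results


def report(results):
    """One line per blocked inbound event, ready to print."""
    lines = []
    for r in results:
        i = r["inbound"]
        lines.append(f"{i['ts']} {i['app']} {i['proto']} {i['sip']}:{i['sport']} -> "
                     f"{i['dip']}:{i['dport']}  =>  {r['label']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_LOG))))
```

Two things this makes visible that a blocked-only view hides: a blocked inbound event whose port pair mirrors an outbound request from the same process a moment earlier is the reply that process was waiting for, and an inbound event with no such partner is the one that actually deserves attention. A stateful firewall is normally expected to admit replies to its own outbound flows, so the first kind points at the rule set rather than at an intruder; the port-based labels only say what a port is conventionally used for and should be confirmed against the application's own behaviour.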

Online DavidR

Re: Infected with Whistler / Black internet
« Reply #37 on: July 31, 2011, 10:18:26 PM »
As I said, I'm really not familiar with Comodo and I don't know why you chose those settings.

My firewall, Outpost Firewall Pro, I have virtually left on default settings, other than that it runs a rules wizard which would ask me about outbound connections where the application isn't whitelisted, etc. I certainly wouldn't set it to allow and log outbound connections, as that essentially would let anything out, good or bad.

No, I don't know if that is what you meant or not, but my advice would be: don't set rules when you don't know what the expected results are going to be. For the most part firewalls do reasonably well on their default settings, though Comodo if/when combined with Defence+ might be a bit noisy (constantly asking questions about processes/connections).

So I only hope there is a Comodo user who can give you some guidance on this.

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #38 on: July 31, 2011, 10:33:20 PM »
So you are telling me that I should allow incoming connections to my computer when I don't know what they are?

Offline essexboy

Re: Infected with Whistler / Black internet
« Reply #39 on: July 31, 2011, 10:37:04 PM »
The source gateway on that mask will be your router - reset Comodo to its default settings (I have never used it so I do not know what they are).

youngsta (Guest)
Re: Infected with Whistler / Black internet
« Reply #40 on: July 31, 2011, 10:58:31 PM »
I set svchost.exe to allow and log so I could see where it was going, else it would be listed as a Windows system application. I didn't just allow all outbound connections, and I don't just set random rules for the hell of it. It asked for an incoming connection and, as I didn't know why, I blocked it; if you are telling me that I should have just allowed it then I don't think you should be giving advice out on this forum.

essexboy thank you very, very much for your help, much appreciated.

Offline essexboy

Re: Infected with Whistler / Black internet
« Reply #41 on: July 31, 2011, 11:09:49 PM »
We really need someone who knows the Comodo firewall - I have just checked my AIS settings and svchost is under System.

I have just revisited the CF log, as it shows open ports, and all I found was this one legitimate item:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

It is a legitimate Windows process; however, it can be disabled: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_icmp_disable.mspx?mfr=true