[Titan8990]

Alright, I reformatted my machine about two weeks ago. Until a few days ago my firewall had blocked next to nothing (mostly programs I actually wanted to allow to use the internet). Starting on Feb 2nd I began to get lots of blocks. In fact I received about 475 blocks since the 2nd.

The source IP is my own router. The ports started on 2050. The port numbers have gradually gone up and is now at 2919. The destination IP is my PC that is running the firewall. The destination port is always 2869. These are all on the TCP protocol.

Next, I have received three outgoing blocks since this had first occurred. The source program is svchost. Source IP is my computer on port 1048, 1025, and 1453. The destination is my ISP. When I go to IP lookup it actually gives a specific location of my ISP which is not their main location. In fact if I look my ISP up in the phone book this location is not listed. Eww, It has just happened again as I have been typing this. This time it is port 1048 once again. Source DNS listed is what I named the computer. These are on the UDP protocol.

I have done some in depth malware checks with my commonly used anti-spyware and a/v programs. Also I scanned through my HJT log and found nothing.

I had a unsecure wireless network. Mostly because I had trouble about a month ago find a good guide for configuring WEP. I turned the wireless network off. It has stopped now but I believe that it stopped before I turned it off.

Why would my own router be hitting my computer?

Why is svchost calling out to this particular location furthest away from my house?

Edit: My software firewall is ZoneAlarm free and my router is a Linksys WRT54G.

Edit 2: More specific questions.

New update:

This may be related to power outage at my house but does not seem likely that is the case. I no longer get internet activity from my router. I can configure the router so I can see that it is working properly. I can see that the DNS servers it has assigned are correct and the same as before. Also if I clear the DHCP and renew it the same DNS comes up as before. So now my router is busted.

Any ideas on what is going on? Can a power surge cause a router to malfunction in this manor?

Another New update:

I am up to 1550 blocks since Feb 02. Now three of them are listed in ZoneAlarm as "high" risk. About 50-75 are these from partially blocking game connections since I no longer want to put ZoneAlarm in gaming mode. I despretly want to find out what is going on here.

I can only view the last 1000 blocks. I must have missed the other high risk ones but I was able to look one up. The IP was from Beijing, China. The netname was A1DIALUP-NET. The destination port was 80.

The blockings now come from a variety of IPs and 26458 seems to be a popular port. Nearly all of them now are UDP blocks up there are some TCPs thrown in there.


Netstat from command prompt show two open ports without IE running.

1. local: TCP [computername]:2437 foreign: 72-165-61-141.dia.static.qwest.net:27039
2. local: TCP [computername]:2730 foreign: 72-165-61-141.dia.static.qwest.net:27039

Edited by Titan8990, 07 February 2008 - 11:49 PM.

[Advertisements]

Hey Titan8990.

I have Zone Alarm as well, and I have a lot of intrusions listed. You seem to have a lot happening at once however...

First, have you had your HijackThis logfile checked by the Malware staff? If the bill comes out clean, we know it's not Malware. Also, you said you disabled wireless signals from being sent from your router. Is this still current? Do you have security settings enabled? Are there other computers on the network that are supposed to be there? I saw what you listed from netstat, but I'm just making sure it's all correct.

Also, the ISP address is usually a little off. Mine says it's based in Herndon, VA... I'm in Florida... It's natural for that stuff to be different. As long as the name of the service provider is the same (or is affiliated with your ISP), then we know it's legit.

Now, about svchost. Here's some information on that... Please click here... We don't want to remove that really, as you'll be needing it. It's safe

Your router must also maintain communication with any computers on that network. I wouldn't be surprised for it to set off Zone Alarm, especially if your security settings are set to "high".

Let me know about these things, and see about getting checked by a Malware Specialist. We want to make sure you're clean before we go too far.

Good luck!

[Facedown98]

Hey Titan8990.

I have Zone Alarm as well, and I have a lot of intrusions listed. You seem to have a lot happening at once however...

First, have you had your HijackThis logfile checked by the Malware staff? If the bill comes out clean, we know it's not Malware. Also, you said you disabled wireless signals from being sent from your router. Is this still current? Do you have security settings enabled? Are there other computers on the network that are supposed to be there? I saw what you listed from netstat, but I'm just making sure it's all correct.

Also, the ISP address is usually a little off. Mine says it's based in Herndon, VA... I'm in Florida... It's natural for that stuff to be different. As long as the name of the service provider is the same (or is affiliated with your ISP), then we know it's legit.

Now, about svchost. Here's some information on that... Please click here... We don't want to remove that really, as you'll be needing it. It's safe

Your router must also maintain communication with any computers on that network. I wouldn't be surprised for it to set off Zone Alarm, especially if your security settings are set to "high".

Let me know about these things, and see about getting checked by a Malware Specialist. We want to make sure you're clean before we go too far.

Good luck!

[Titan8990]

Thanks for the reply.

The router is no longer working. It will not connect to the internet but I can still configure it as if it was working. I'm currently plugged directly into modem. I am now up to 2803. I will have the malware experts have a look but I don't see it likely since I just reformatted three weeks ago. For the first week I had only a dozen or so blocks from ZoneAlarm.

[Facedown98]

Have you tried resetting the modem and router? All you need to do is disable power to them both for about 30 seconds. Then restore power one at a time. They will configure themselves in a minute or so after having power restored. See if that helps a little.

[Titan8990]

Yep, I'm sure that I get no connection from the router. When I go to the configuration page I am able to clear the DHCP and then renew it. The DNS servers that it renews is the correct one. It still fails to connect to the internet or successfully ping a website or my ISP.

Edited by Titan8990, 08 February 2008 - 11:25 PM.

[Facedown98]

So resetting using a power outage didn't work... hhhhmm... Ok, do you have a reset button on your router? It's usually a small button in the back for you to push in.

[Titan8990]

No luck. I'm feeling more like this is power surge related but still find it odd that I can still use and configure the router. I think I am willing to bite the bullet and buy a new router.


Edit: When the malware expert had me use DDS scanner I noticed this in the log:

Event Record #/Type1410 / Error
Event Submitted/Written: 02/09/2007 11:30:12 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.101 for the Network Card with network address 001D7DA27BF7 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Edited by Titan8990, 09 February 2008 - 11:10 AM.

[Facedown98]

192.168.1.101 and 192.168.1.1 should be the same thing I thin... They've always taken me to the same place... In your router configuration, what do you see about assigned IP addresses?

[Titan8990]

The default linksys address is 198.168.1.1 it starts ips at 198.168.1.100. 100 would have been my Xbox so my computer got assigned 101.

What do you think about reinstalling the firmware?

Edited by Titan8990, 09 February 2008 - 09:44 PM.

[Facedown98]

Did you mention your findings to the Malware Expert about Error Type1410?

We're going to have to research this more to find the answer...

[Titan8990]

No, but it was in the log that he had asked for. Also I gave him a link to this thread after I had posted that. I figured that this would require more research.

I appreciate your help so far.

[Facedown98]

How strange. Let me pull some research and see if there's anything more useful I can come up with... Sadly none of my solutions have worked

[Titan8990]

I am going to take the router over a friends house sometime this week to verify that it is not the router malfunctioning.

[Facedown98]

Might be a good idea. Give me a report, I'm curious to see how that test comes back.

[Titan8990]

I just installed Ubuntu on a partition that I was not using. My router works with Ubuntu so this means this is a issue with Windows.



Edit: Actually I am using the router in Ubuntu now.

Edited by Titan8990, 11 February 2008 - 07:30 PM.