Computer Security & Viruses/UPnP?



Question
QUESTION: Hello Mr Filmer,

I am using Windows XP and Privatefirewall 7.0. Today when I was viewing my firewall log, I noticed there had been incoming UDP packets from IP address 192.168.1.1, which, if I'm right, is my router. My laptop is connected to the router via WiFi. The internet connection is private and I'm not using other devices, so I don't understand why my router sent me UPnP packets.

So in the advanced report it says:

Remote IP: 192.168.1.1:1900(UPnP)
Local IP:  192.168.1.2:1912
Protocol:UDP(17)

So my question would be:
Do you think this was a hacker?
Are there any other reasons?

ANSWER: Hi John,

I don't think it's a hacker.

See:  Privatefirewall User Guide - Product documentation (*.pdf)

www.privacyware.com/PF_support.html (download the PDF to your desktop). In the Firewall log section, you almost expect it to be explained, but it's not there.

You can also submit a ticket via the Privacyware Support Ticket link (bottom of the page).

From the info you've provided, it's probably the "loopback" scenario. That's the complicated part. Borrowing from a thread associated with another Firewall, see:

bit.ly/16fD1GO

(6/23/12 post by SendOfJive guru/community.norton.com...)

Hopefully, this helps you understand why I don't believe it's a hacker, but the Firewall developers would have the definitive answer. You can also use search engines with variations on "UDP packets, IP address, 192.168.1.1, loopback, Firewall" but then it gets slightly complicated.
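For readers who want to check an entry like the one quoted above for themselves, here is an added Python triage helper. It is not part of the original answer and is not Privatefirewall's or Privacyware's code. It parses the three-line advanced-report format from the question and classifies it: UDP from the gateway's port 1900 is SSDP, the discovery protocol that UPnP devices use, so a router with UPnP enabled is expected to send it, and only a non-private remote address would be worth treating as Internet-sourced. The gateway address is passed in by the caller and is an assumption.

```python
import ipaddress
import re

# Constructed sample: the three-line "advanced report" entry quoted in the question.
SAMPLE_REPORT = """\
Remote IP: 192.168.1.1:1900(UPnP)
Local IP:  192.168.1.2:1912
Protocol:UDP(17)
"""

SSDP_PORT = 1900  # UDP/1900 is SSDP, the discovery protocol that UPnP devices use

_ENDPOINT = re.compile(r"(Remote|Local) IP:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_PROTOCOL = re.compile(r"Protocol:\s*([A-Za-z]+)\((\d+)\)")


def parse_report(text):
    """Parse one advanced-report entry into remote/local (ip, port) pairs and a protocol name."""
    entry = {}
    for side, ip, port in _ENDPOINT.findall(text):
        entry[side.lower()] = (ipaddress.ip_address(ip), int(port))
    proto = _PROTOCOL.search(text)
    if proto is None or "remote" not in entry or "local" not in entry:
        raise ValueError("unrecognised report format")
    entry["proto"] = proto.group(1).upper()
    return entry


def classify(entry, gateway):
    """Return (level, reason) for an inbound entry; `gateway` is the LAN router address (assumed)."""
    remote_ip, remote_port = entry["remote"]
    gw = ipaddress.ip_address(gateway)

    if not remote_ip.is_private:
        # Anything outside the private ranges really did come in from the Internet.
        return ("review", "inbound packet from a non-private address: check what is listening locally")
    if entry["proto"] == "UDP" and remote_port == SSDP_PORT and remote_ip == gw:
        return ("expected", "SSDP (UPnP discovery) from the LAN gateway: a UPnP-enabled router sends this")
    if remote_ip == gw:
        return ("info", "LAN gateway on %s/%d: not discovery traffic, identify the service" % (entry["proto"], remote_port))
    return ("info", "another private-range host on the LAN: identify the device behind %s" % remote_ip)


def triage(text, gateway):
    """Convenience wrapper: parse and classify in one call."""
    return classify(parse_report(text), gateway)


if __name__ == "__main__":
    level, reason = triage(SAMPLE_REPORT, "192.168.1.1")
    print(level, "-", reason)
```

The shape of the quoted entry, remote port 1900 paired with a high-numbered local port, is what a unicast SSDP reply to a discovery request sent by the laptop itself looks like (Windows XP's SSDP Discovery Service issues such requests on its own), which fits the "loopback" reading in the answer. If UPnP is not needed, disabling it on the router stops these packets and removes the router's UPnP port-mapping exposure at the same time.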



---------- FOLLOW-UP ----------

QUESTION: Thanks for your answer. I just scanned my PC because several things weren't functioning (corrupted file extensions, Internet Explorer not working, Disk Defragmenter and Windows Update not working) and found 10 trojans (Gen Frauder, Gen Cryptor and Gen Medfos). What do these three do? Were they there to steal social security numbers and my passwords etc.? Or are they false positives? (According to ZoneAlarm and Avast the files were clean, but SuperAntiSpyware recognised them as trojan horses. I also checked the date the infected files were last modified to see if they really were viruses, and most of them were last modified in 2008. How is that even possible?)

Scan log:

Trojan.Agent/Gen-Cryptor:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0001955.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002099.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002159.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002168.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002177.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002207.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002713.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002720.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002751.SYS

Trojan.Agent/Gen-Medfos:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0003021.EXE

Trojan.Agent/Gen-Frauder:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0005667.EXE
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0005668.EXE
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP1\A0006378.EXE

Answer
Trojans go by different names. I would suggest you use search engines to find first-hand information about them, sometimes updated but usually coming from expert sources specializing in Trojan descriptions.

What you need to do is, at least once a week, update your anti-virus and antispyware tools, and do full system scans at least once every 2 weeks or month (quick scans at least once a week).

Also, if you're using two Firewalls (Zone Alarm and PrivateFirewall) you're always going to have major problems.

In other words which ones are on your system? Which ones are you using - and the ones not in use, are you sure they're disabled?

As far as the original question goes, it still looks like a legitimate "loopback" scenario, but like I said, PrivateFirewall might have a more definitive answer.
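One thing the scan log above makes visible, once it is parsed rather than read by eye, is where the detections sit: every path lies under System Volume Information in a _RESTORE{GUID}\RPn directory, which is where Windows XP's System Restore keeps its snapshot copies, rather than in a location the running system loads from. The Python helper below is an added example, not part of the expert's answer and not SuperAntiSpyware's or any vendor's code. It parses the family-header plus indented-path layout of the pasted log, separates restore-point copies from detections on the live file system, and counts hits per family. The sample log is a shortened copy of the one in the question with one invented live-system path added to show the contrast; that path is constructed and not from the page.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the scan log pasted in the follow-up question,
# plus one invented detection outside the restore-point store to show the contrast.
SAMPLE_SCAN_LOG = r"""
Trojan.Agent/Gen-Cryptor:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0001955.SYS
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0002099.SYS

Trojan.Agent/Gen-Medfos:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0003021.EXE

Trojan.Agent/Gen-Frauder:

  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP0\A0005667.EXE
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{B7B2A5DE-83E9-4CE7-8059-1A2CEBF7DE7F}\RP1\A0006378.EXE
  C:\Documents and Settings\user\Local Settings\Temp\invented-sample.exe
"""

# A family header is a single token ending in a colon, e.g. "Trojan.Agent/Gen-Cryptor:".
_HEADER = re.compile(r"^(?P<family>[^\s:]+):\s*$")
# Windows XP System Restore stores snapshot copies under \System Volume Information\_RESTORE{GUID}\RPn\
_RESTORE_POINT = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)


def parse_scan_log(text):
    """Return a list of (family, path) pairs from a family-header / indented-path scan log."""
    detections, family = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            family = m.group("family")
        elif family is not None:
            detections.append((family, line))
    return detections


def restore_point_of(path):
    """Return the restore point name (e.g. 'RP0') if the path is a System Restore copy, else None."""
    m = _RESTORE_POINT.search(path)
    return m.group("rp") if m else None


def summarize(detections):
    """Split detections into restore-point copies and live-system files, counting per family."""
    summary = {"families": Counter(), "restore_points": Counter(), "active": []}
    for family, path in detections:
        summary["families"][family] += 1
        rp = restore_point_of(path)
        if rp:
            summary["restore_points"][rp] += 1
        else:
            summary["active"].append((family, path))
    return summary


if __name__ == "__main__":
    s = summarize(parse_scan_log(SAMPLE_SCAN_LOG))
    print("detections per family:", dict(s["families"]))
    print("hits inside restore points:", dict(s["restore_points"]))
    print("hits on the live file system (look at these first):", s["active"])
```

Hits confined to restore points are copies of files that existed at some earlier snapshot, so they say nothing by themselves about what is running now; a detection outside that store is the one to investigate first. On the dates: a file's last-modified timestamp records when its contents were last written, not when it arrived on this machine or when a scanner first gained a signature for it, so a 2008 timestamp and a 2013 detection are not in contradiction.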

James Filmer

Expertise

Viruses, Spam, hacking, Rootkits, Trojans, Keyloggers, all other forms of Malware, Internet access problems, slow systems, application and system instability, network abuse, Firewalls, layered security configurations, system maintenance support and general troubleshooting.

Experience

System, network and website administrator

Publications
http://forums.mozillazine.org http://episteme.arstechnica.com http://news.cnet.com/security-bites-podcast http://enrgy21.com

Education/Credentials
http://linkedin.com/in/enrgy21

©2016 About.com. All rights reserved.