nikkilocke
asked on
Ping of death from my XP Pro workstation logged in Zyxel firewall reports
I have a Zyxel Prestige 660H ADSL NAT router/firewall, on a mixed workgroup network (3 XP Pro, 1 Win2k, 1 Redhat Linux 9 with Samba).
I get it to email me its attack logs, and I have been seeing a lot of the following since last Friday (22 April) ...
No. Time Source IP Destination IP Note
1|04/22/2005 17:21:51 |192.168.1.3 |212.187.131.129 |ATTACK
ping of death. ICMP(type:0, code:0)
2|04/22/2005 17:21:51 |192.168.1.3 |212.187.131.129 |ATTACK
ping of death. ICMP(type:8, code:0)
The destination IP has always been 212.187.131.129 or 212.187.131.133, and there have been 1 or 2 attacks per day. The source IP is always my main XP Pro machine. The destination IPs are in a big Internet gateway in London, two hops from my ISP.
I run NOD32 Anti-Virus here, always kept up to date, and it has not detected anything. I also run Ad-Aware, and it hasn't detected anything either.
Has anyone got an explanation of why these are occurring?
Nikki
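An added example, not part of the original thread: a small Python script that parses attack-log lines in the Zyxel layout quoted above, groups the ICMP echo request (type 8) and echo reply (type 0) entries the firewall logs in the same second from the same source to the same destination, and computes the spacing between successive events for one LAN host. The log lines embedded in it are constructed for the example (the first two copy the format of the post; the later timestamps and the non-ICMP line are invented), and the field layout `No.|Time |Source IP |Destination IP |Note` is assumed from the lines quoted in the post.

```python
"""Parse Zyxel Prestige attack-log lines and summarise "ping of death" events."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "No.|Time |Source IP |Destination IP |Note" layout
# quoted in the post. Entries 3-6 are invented to give the script something to
# group and to measure intervals on; they are not from the original log.
SAMPLE_LOG = """\
1|04/22/2005 17:21:51 |192.168.1.3 |212.187.131.129 |ATTACK ping of death. ICMP(type:0, code:0)
2|04/22/2005 17:21:51 |192.168.1.3 |212.187.131.129 |ATTACK ping of death. ICMP(type:8, code:0)
3|04/22/2005 22:20:07 |192.168.1.3 |212.187.131.133 |ATTACK ping of death. ICMP(type:0, code:0)
4|04/22/2005 22:20:07 |192.168.1.3 |212.187.131.133 |ATTACK ping of death. ICMP(type:8, code:0)
5|04/23/2005 03:19:40 |192.168.1.3 |212.187.131.129 |ATTACK ping of death. ICMP(type:8, code:0)
6|04/23/2005 09:02:11 |192.168.1.7 |10.0.0.5 |ATTACK land attack
"""

LINE_RE = re.compile(
    r"^(?P<no>\d+)\|(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[\d.]+) \|(?P<dst>[\d.]+) \|(?P<note>.*)$"
)
ICMP_RE = re.compile(r"ICMP\(type:(?P<type>\d+), code:(?P<code>\d+)\)")
ICMP_NAMES = {0: "echo reply", 8: "echo request"}


def parse_log(text):
    """Return one dict per parsable line; icmp_type/icmp_code are None for non-ICMP notes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, wrapped fragments
        ev = {
            "no": int(m["no"]),
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "note": m["note"].strip(),
            "icmp_type": None,
            "icmp_code": None,
        }
        icmp = ICMP_RE.search(ev["note"])
        if icmp:
            ev["icmp_type"] = int(icmp["type"])
            ev["icmp_code"] = int(icmp["code"])
        events.append(ev)
    return events


def echo_pairs(events):
    """Group ping-of-death entries by (src, dst, second) and list the ICMP types seen.

    [0, 8] for a group means the LAN host sent both an echo request and an echo
    reply to the same external address within one second, the pattern in the post.
    """
    groups = defaultdict(set)
    for ev in events:
        if ev["icmp_type"] is not None and "ping of death" in ev["note"]:
            groups[(ev["src"], ev["dst"], ev["time"])].add(ev["icmp_type"])
    return {key: sorted(types) for key, types in groups.items()}


def intervals_hours(events, src):
    """Hours between successive distinct event seconds for one source host."""
    times = sorted({ev["time"] for ev in events
                    if ev["src"] == src and "ping of death" in ev["note"]})
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]


def summarise(text, src="192.168.1.3"):
    """Counts a practitioner would check first: how many events, how many are
    request+reply pairs, and how regularly spaced they are for the suspect host."""
    events = parse_log(text)
    pairs = echo_pairs(events)
    return {
        "parsed": len(events),
        "ping_of_death": sum(1 for e in events if "ping of death" in e["note"]),
        "request_and_reply_same_second": sum(1 for t in pairs.values() if t == [0, 8]),
        "intervals_hours": intervals_hours(events, src),
        "types_seen": sorted({ICMP_NAMES.get(t, str(t))
                              for ts in pairs.values() for t in ts}),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Feed `summarise` the text of a mailed log to get the same grouping on real data. The pairing is the thing to look at: a type 8 and a type 0 from the same LAN host to the same external host in the same second means that host both sent an echo request and answered one, which is different from a host that only replies to external pings.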
Hi Nikki,
Here are a couple of thoughts:
1. perhaps the source ip address is being spoofed - it might not be the XP machine that is actually sending these pings.
Can you find out what MAC address is sending the pings?
2. you could try a different anti-virus such as Norton/Symantec.
HTH
CajunBill
Also, what version of NOD32 are you running? The following was on the product web site:
Eset to discontinue the update of NOD32 Version 1
Jan 5 th 2005
Eset, producer of NOD32 antivirus, announced today discontinuing of virus definition updates for its product NOD32 Version 1. All the current users using the NOD32 Version 1 are advised to upgrade to the current NOD32 Version 2. The following document describes the steps to upgrade your NOD32 Version 1 to NOD32 Version 2. To find out what version of NOD32 you are currently using, click here.
The upgrade to NOD32 Version 2 is free for all the current NOD32 subscribers. If you are not able to use the NOD32 Version 2, please, let us know so that we can assist you.
ASKER
Thanks for the responses.
I am running NOD32 Version 2 (have been for ages).
I don't have a hub, unfortunately. I'll see if I can add more logging in the router.
Here is a HijackThis log for the machine in question...
Logfile of HijackThis v1.99.1
Scan saved at 09:20:19, on 27/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Quickenw\QAGENT.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PerSono\PersTray.exe
C:\Program Files\Quickenw\QWDLLS.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Perl\bin\wperl.exe
C:\Program Files\PVSW\Bin\w3dbsmgr.exe
C:\Documents and Settings\nikki\My Documents\Visual Studio Projects\TimeSheet\TimeSheet\bin\Debug\TimeSheet.exe
C:\wigwam\VASCHD32.EXE
C:\wigwam\va6.exe
C:\BIN\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/nikki/My%20Documents/Index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Quickenw\QAGENT.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: mrtg.lnk = C:\Program Files\Perl\bin\wperl.exe
O4 - Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Program Files\PVSW\Bin\w3dbsmgr.exe
O4 - Startup: TimeSheet.Net.lnk = C:\Documents and Settings\nikki\My Documents\Visual Studio Projects\TimeSheet\TimeSheet\bin\Debug\TimeSheet.exe
O4 - Startup: VA Scheduler.lnk = C:\wigwam\VASCHD32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Query Time Server.lnk = C:\Program Files\NISTime\nistime-32bit.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quickenw\QWDLLS.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.trumphurst.com
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: UKOnLineSigningApplet - https://secure.gateway.gov.uk/java/UKOnLineSigningApplet.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2D9F7B63-EC7C-43FF-A41D-6E9EC984A5B9} (GGSecSign Class) - https://secure.gateway.gov.uk/java/GGSecSign.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9688513F-37F4-4450-8653-EF2EEF8634C7}: NameServer = 217.146.99.22,217.146.107.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5BA159D-B140-4567-AA3C-8079F389BF7B}: NameServer = 217.146.99.22,217.146.107.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pervasive IDS - Pervasive Software Inc. - C:\progra~1\PVSW\Bin\dataserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
ASKER
P.S. The Ping of Death "attacks" are happening about once every 5 hours (as I found when I left my machine on overnight to do a backup).
ASKER
Well, the ping of death is still happening, and I would still love an answer!
Nikki, did you try the things that I and Technicon suggested? (essentially, doing more monitoring?)
ASKER
The pings of death only happen when the computer at 192.168.1.3 is switched on.
The firewall says...
3|05/13/2005 11:55:19 |192.168.1.3 |212.187.131.1 |ATTACK ping of death. ICMP(type:0, code:0)
4|05/13/2005 11:55:19 |192.168.1.3 |212.187.131.1 |ATTACK ping of death. ICMP(type:8, code:0)
I started TdiMon from sysinternals, and ran it over the period when the pings of death were logged. Here is an example from that log (note 1 hr time difference due to DST)...
40 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_CREATE TCP:Control obj SUCCESS
41 12:55:04 va32.exe:3112 81B06780 IRP_MJ_CREATE TCP:Control obj SUCCESS
42 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
43 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
44 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
45 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
46 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
47 12:55:04 va32.exe:3112 81D08AF0 IRP_MJ_DEVICE_CONTROL TCP:Control obj IOCTL_TCP_QUERY_INFORMATION_EX SUCCESS
48 12:55:05 Inet32.exe:1628 81C95778 IRP_MJ_CREATE TCP:0.0.0.0:0 Address Open SUCCESS
49 12:55:05 Inet32.exe:1628 81C95778 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1441 Error Event SUCCESS
50 12:55:05 Inet32.exe:1628 81C95778 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1441 Disconnect Event SUCCESS
51 12:55:05 Inet32.exe:1628 81C95778 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1441 Receive Event SUCCESS
52 12:55:05 Inet32.exe:1628 81C95778 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1441 Expedited Receive Event SUCCESS
53 12:55:05 Inet32.exe:1628 81C95778 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1441 Chained Receive Event SUCCESS
54 12:55:05 Inet32.exe:1628 81C95778 TDI_QUERY_INFORMATION TCP:0.0.0.0:1441 Query Address SUCCESS
55 12:55:05 Inet32.exe:1628 81F93E40 IRP_MJ_CREATE TCP:Connection obj Context:0x82222F10 SUCCESS
56 12:55:05 Inet32.exe:1628 81F93E40 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:0.0.0.0:1441 SUCCESS
57 12:55:05 Inet32.exe:1628 81F93E40 TDI_CONNECT TCP:0.0.0.0:1441 216.154.195.50:110
58 12:55:05 System:4 81D17C70 IRP_MJ_CLEANUP TCP:<none> SUCCESS
59 12:55:05 System:4 81D17C70 IRP_MJ_CLOSE TCP:<none> SUCCESS
60 12:55:05 System:4 81D17C70 IRP_MJ_CREATE TCP:Connection obj Context:0x81D8B9F0 SUCCESS
61 12:55:05 System:4 81D17C70 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:0.0.0.0:445 SUCCESS
62 12:55:05 System:4 81D17C70 IRP_MJ_DEVICE_CONTROL TCP:0.0.0.0:445 IOCTL_TCP_SET_INFORMATION_EX SUCCESS
63 12:55:05 System:4 81F7FAF8 IRP_MJ_CREATE TCP:Connection obj Context:0x81DB6E98 SUCCESS
64 12:55:05 System:4 81C31240 IRP_MJ_CREATE TCP:0.0.0.0:0 Address Open SUCCESS
65 12:55:05 System:4 81C31240 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1442 Error Event SUCCESS
66 12:55:05 System:4 81C31240 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1442 Receive Event SUCCESS
67 12:55:05 System:4 81C31240 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1442 Disconnect Event SUCCESS
68 12:55:05 System:4 81F7FAF8 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:0.0.0.0:1442 SUCCESS
69 12:55:05 System:4 81F7FAF8 IRP_MJ_DEVICE_CONTROL TCP:0.0.0.0:1442 IOCTL_TCP_SET_INFORMATION_EX SUCCESS
70 12:55:05 System:4 81D1ED18 IRP_MJ_CLEANUP TCP:<none> SUCCESS
71 12:55:05 System:4 81D1ED18 IRP_MJ_CLOSE TCP:<none> SUCCESS
72 12:55:05 System:4 8229F5C0 IRP_MJ_CREATE TCP:Connection obj Context:0x81D2F728 SUCCESS
73 12:55:05 System:4 8229F5C0 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:192.168.1.3:139 SUCCESS
74 12:55:05 System:4 8229F5C0 IRP_MJ_DEVICE_CONTROL TCP:192.168.1.3:139 IOCTL_TCP_SET_INFORMATION_EX SUCCESS
75 12:55:05 System:4 81FC3E68 IRP_MJ_CREATE TCP:Connection obj Context:0x81BDEBD0 SUCCESS
76 12:55:05 System:4 82115E40 IRP_MJ_CREATE TCP:192.168.1.3:0 Address Open SUCCESS
77 12:55:05 System:4 82115E40 TDI_SET_EVENT_HANDLER TCP:192.168.1.3:1443 Error Event SUCCESS
78 12:55:05 System:4 82115E40 TDI_SET_EVENT_HANDLER TCP:192.168.1.3:1443 Receive Event SUCCESS
79 12:55:05 System:4 82115E40 TDI_SET_EVENT_HANDLER TCP:192.168.1.3:1443 Disconnect Event SUCCESS
80 12:55:05 System:4 81FC3E68 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:192.168.1.3:1443 SUCCESS
81 12:55:05 System:4 81FC3E68 IRP_MJ_DEVICE_CONTROL TCP:192.168.1.3:1443 IOCTL_TCP_SET_INFORMATION_EX SUCCESS
82 12:55:05 System:4 81D20C70 IRP_MJ_CLEANUP TCP:<none> SUCCESS
83 12:55:05 System:4 81D20C70 IRP_MJ_CLOSE TCP:<none> SUCCESS
84 12:55:05 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:50 SUCCESS
SUCCESS 216.154.195.50:110 SUCCESS-85
86 12:55:05 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:18 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
87 12:55:05 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:29 SUCCESS
88 12:55:05 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:24 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
89 12:55:05 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:17
90 12:55:05 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:16 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
Length:16 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH SUCCESS-91
92 12:55:05 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:6
93 12:55:05 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:15 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
Length:15 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH SUCCESS-94
95 12:55:05 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:6
96 12:55:05 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:50 SUCCESS
97 12:55:05 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:1103 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
Length:1103 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH SUCCESS-98
99 12:55:06 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:8
100 12:55:06 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:14 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
Length:14 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH SUCCESS-101
102 12:55:06 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:50 SUCCESS
103 12:55:06 Skype.exe:1512 81BCB3D0 TDI_SEND TCP:192.168.1.3:1052 Length:15
104 12:55:06 Inet32.exe:1628 81F93E40 TDI_SEND TCP:0.0.0.0:1441 216.154.195.50:110 Length:6
105 12:55:06 Inet32.exe:1628 81C95778 TDI_EVENT_RECEIVE TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS Length:14 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
Length:14 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH SUCCESS-106
107 12:55:06 Inet32.exe:1628 81F93E40 TDI_DISCONNECT TCP:0.0.0.0:1441 216.154.195.50:110
108 12:55:06 Inet32.exe:1628 81C95778 TDI_EVENT_DISCONNECT TCP:0.0.0.0:1441 216.154.195.50:110 SUCCESS RELEASE
RELEASE SUCCESS-109
110 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 140.192.172.203:26001 Length:62 SUCCESS
111 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 222.151.72.231:16550 Length:62 SUCCESS
112 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 68.174.145.254:15674 Length:62 SUCCESS
113 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 69.132.99.137:63090 Length:62 SUCCESS
114 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 219.77.29.216:51102 Length:62 SUCCESS
115 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 84.121.130.155:45204 Length:62 SUCCESS
116 12:55:07 va32.exe:3112 81D08AF0 IRP_MJ_CLEANUP TCP:Control obj SUCCESS
117 12:55:07 va32.exe:3112 81D08AF0 IRP_MJ_CLOSE TCP:Control obj SUCCESS
118 12:55:07 va32.exe:3112 81B06780 IRP_MJ_CLEANUP TCP:Control obj SUCCESS
119 12:55:07 va32.exe:3112 81B06780 IRP_MJ_CLOSE TCP:Control obj SUCCESS
120 12:55:09 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 219.77.29.216:51102 Length:62 SUCCESS
121 12:55:09 System:4 81F7FAF8 TDI_CONNECT TCP:0.0.0.0:1442 192.168.1.4:445
122 12:55:14 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.4:137 Length:50 SUCCESS
123 12:55:16 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.4:137 Length:50 SUCCESS
124 12:55:17 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.4:137 Length:50 SUCCESS
125 12:55:19 System:4 81FC3E68 IRP_MJ_CLEANUP TCP:192.168.1.3:1443 SUCCESS
126 12:55:19 System:4 81FC3E68 IRP_MJ_CLOSE TCP:192.168.1.3:1443 SUCCESS
127 12:55:19 System:4 82115E40 IRP_MJ_CLEANUP TCP:192.168.1.3:1443 SUCCESS
128 12:55:23 svchost.exe:972 82075D88 TDI_SEND_DATAGRAM UDP:0.0.0.0:1042 217.146.99.22:53 Length:30 SUCCESS
129 12:55:23 nod32krn.exe:172 822A7F40 IRP_MJ_CREATE TCP:0.0.0.0:0 Address Open SUCCESS
130 12:55:23 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Error Event SUCCESS
131 12:55:23 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Disconnect Event SUCCESS
132 12:55:23 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Receive Event SUCCESS
133 12:55:23 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Expedited Receive Event SUCCESS
134 12:55:23 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Chained Receive Event SUCCESS
135 12:55:23 nod32krn.exe:172 822A7F40 TDI_QUERY_INFORMATION TCP:0.0.0.0:1444 Query Address SUCCESS
136 12:55:23 nod32krn.exe:172 8228B2A8 IRP_MJ_CREATE TCP:Connection obj Context:0x81CC1CF0 SUCCESS
137 12:55:23 nod32krn.exe:172 8228B2A8 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:0.0.0.0:1444 SUCCESS
138 12:55:23 nod32krn.exe:172 8228B2A8 TDI_CONNECT TCP:0.0.0.0:1444 194.213.194.29:80 SUCCESS
139 12:55:23 nod32krn.exe:172 8228B2A8 TDI_SEND TCP:0.0.0.0:1444 194.213.194.29:80 Length:229 SUCCESS
140 12:55:23 nod32krn.exe:172 822A7F40 TDI_EVENT_RECEIVE TCP:0.0.0.0:1444 194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:264 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
141 12:55:23 nod32krn.exe:172 8228B2A8 TDI_RECEIVE TCP:0.0.0.0:1444 194.213.194.29:80 SUCCESS
143 12:55:24 nod32krn.exe:172 822A7F40 TDI_EVENT_RECEIVE TCP:0.0.0.0:1444 194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:1260 Flags: LOOKAHEAD DISPATCH
144 12:55:24 nod32krn.exe:172 8228B2A8 TDI_RECEIVE TCP:0.0.0.0:1444 194.213.194.29:80 SUCCESS
146 12:55:24 nod32krn.exe:172 822A7F40 TDI_EVENT_DISCONNECT TCP:0.0.0.0:1444 194.213.194.29:80 SUCCESS RELEASE
147 12:55:24 nod32krn.exe:172 8228B2A8 TDI_DISCONNECT TCP:0.0.0.0:1444 SUCCESS RELEASE
148 12:55:24 nod32krn.exe:172 8228B2A8 TDI_DISASSOCIATE_ADDRESS TCP:0.0.0.0:1444 SUCCESS
149 12:55:24 nod32krn.exe:172 8228B2A8 IRP_MJ_CLEANUP TCP:Connection obj SUCCESS
150 12:55:24 nod32krn.exe:172 8228B2A8 IRP_MJ_CLOSE TCP:Connection obj SUCCESS
151 12:55:24 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Error Event: NULL SUCCESS
152 12:55:24 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Disconnect Event: NULL SUCCESS
153 12:55:24 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Receive Event: NULL SUCCESS
154 12:55:24 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Expedited Receive Event: NULL SUCCESS
155 12:55:24 nod32krn.exe:172 822A7F40 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1444 Chained Receive Event: NULL SUCCESS
156 12:55:24 nod32krn.exe:172 822A7F40 IRP_MJ_CLEANUP TCP:0.0.0.0:1444 SUCCESS
157 12:55:24 nod32krn.exe:172 81D1A3B0 IRP_MJ_CREATE TCP:0.0.0.0:0 Address Open SUCCESS
158 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Error Event SUCCESS
159 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Disconnect Event SUCCESS
160 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Receive Event SUCCESS
161 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Expedited Receive Event SUCCESS
162 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Chained Receive Event SUCCESS
163 12:55:24 nod32krn.exe:172 81D1A3B0 TDI_QUERY_INFORMATION TCP:0.0.0.0:1445 Query Address SUCCESS
164 12:55:24 nod32krn.exe:172 821C32F8 IRP_MJ_CREATE TCP:Connection obj Context:0x82284008 SUCCESS
165 12:55:24 nod32krn.exe:172 821C32F8 TDI_ASSOCIATE_ADDRESS TCP:Connection obj TCP:0.0.0.0:1445 SUCCESS
166 12:55:24 nod32krn.exe:172 821C32F8 TDI_CONNECT TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 194.213.194.29:80 SUCCESS
167 12:55:24 nod32krn.exe:172 821C32F8 TDI_SEND TCP:0.0.0.0:1445 194.213.194.29:80 Length:229
Length:229 SUCCESS
168 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:272 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
169 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
171 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:1260 Flags: LOOKAHEAD DISPATCH
172 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
174 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS Length:944 Flags: ENTIRE_MESSAGE LOOKAHEAD
175 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:1260 Flags: LOOKAHEAD DISPATCH
176 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
178 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:944 Flags: ENTIRE_MESSAGE LOOKAHEAD
179 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
181 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:1260 Flags: LOOKAHEAD DISPATCH
182 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
184 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 MORE_PROCESSING_REQUIRED Length:1260 Flags: LOOKAHEAD DISPATCH
185 12:55:25 nod32krn.exe:172 821C32F8 TDI_RECEIVE TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS
187 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_EVENT_DISCONNECT TCP:0.0.0.0:1445 194.213.194.29:80
194.213.194.29:80 SUCCESS RELEASE
188 12:55:25 nod32krn.exe:172 821C32F8 TDI_DISCONNECT TCP:0.0.0.0:1445
TCP:0.0.0.0:1445 SUCCESS RELEASE
189 12:55:25 nod32krn.exe:172 821C32F8 TDI_DISASSOCIATE_ADDRESS TCP:0.0.0.0:1445
TCP:0.0.0.0:1445 SUCCESS
190 12:55:25 nod32krn.exe:172 821C32F8 IRP_MJ_CLEANUP TCP:Connection obj
TCP:Connection obj SUCCESS
191 12:55:25 nod32krn.exe:172 821C32F8 IRP_MJ_CLOSE TCP:Connection obj
TCP:Connection obj SUCCESS
192 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Error Event: NULL
Error Event: NULL SUCCESS
193 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Disconnect Event: NULL
Disconnect Event: NULL SUCCESS
194 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Receive Event: NULL
Receive Event: NULL SUCCESS
195 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Expedited Receive Event: NULL
Expedited Receive Event: NULL SUCCESS
196 12:55:25 nod32krn.exe:172 81D1A3B0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1445 Chained Receive Event: NULL
Chained Receive Event: NULL SUCCESS
197 12:55:25 nod32krn.exe:172 81D1A3B0 IRP_MJ_CLEANUP TCP:0.0.0.0:1445
TCP:0.0.0.0:1445 SUCCESS
SUCCESS TIMEOUT-198
199 12:55:30 System:4 81F7FAF8 IRP_MJ_CLEANUP TCP:0.0.0.0:1442
TCP:0.0.0.0:1442 SUCCESS
200 12:55:30 System:4 81F7FAF8 IRP_MJ_CLOSE TCP:0.0.0.0:1442
TCP:0.0.0.0:1442 SUCCESS
201 12:55:30 System:4 81C31240 IRP_MJ_CLEANUP TCP:0.0.0.0:1442
TCP:0.0.0.0:1442 SUCCESS
202 12:55:30 System:4 81D89C70 IRP_MJ_CLEANUP TCP:<none>
TCP:<none> SUCCESS
203 12:55:30 System:4 81D89C70 IRP_MJ_CLOSE TCP:<none>
TCP:<none> SUCCESS
204 12:55:30 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
205 12:55:31 msnmsgr.exe:900 821C4268 TDI_SEND TCP:192.168.1.3:1039 Length:5
Length:5 SUCCESS
206 12:55:32 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
207 12:55:33 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
208 12:55:35 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
209 12:55:36 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:193
Length:193 SUCCESS
210 12:55:37 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:193
Length:193 SUCCESS
211 12:55:38 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:193
Length:193 SUCCESS
212 12:55:39 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:193
Length:193 SUCCESS
213 12:55:40 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
214 12:55:41 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
215 12:55:42 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
216 12:55:43 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
217 12:55:43 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
218 12:55:44 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
219 12:55:45 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
220 12:55:46 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.255:137 Length:68
Length:68 SUCCESS
221 12:55:46 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
222 12:55:46 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:181
Length:181 SUCCESS
223 12:55:46 System:4 822A6480 TDI_SEND_DATAGRAM UDP:192.168.1.3:138 192.168.1.255:138 Length:211
Length:211 SUCCESS
ASKER
Thanks.
I didn't know TDIMon didn't monitor ping (why not?).
Is there anything that will monitor ping, and identify which program is doing the pinging?
The Zyxel can be configured to log attacks, but there does not seem to be any fine-grained control over what it considers to be an attack.
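One way to narrow down "which program is doing the pinging" from the two logs already in this thread is to line the firewall's attack lines up against the TdiMon rows by time. The script below is an added example, not code from the thread, from Zyxel or from Sysinternals. It assumes the firewall clock runs one hour behind the workstation clock (the DST difference the asker noted), uses a +/-10 second window, and works on constructed sample lines in the two formats posted above (process names, times and addresses copied from the thread's log). Because TdiMon rows only show TCP and UDP transport requests, an ICMP echo never appears as a row of its own; the processes the script returns are suspects by time proximity, which is what a packet capture on the workstation would then confirm or rule out.

```python
"""Time-correlate Zyxel 'ping of death' log lines with a TDIMon process log.

Added example for this thread (not code from the thread, Zyxel or Sysinternals).
Assumptions: the firewall clock is one hour behind the workstation clock (the
DST offset the asker noted), and a +/-10 s window is wide enough to catch the
process that was busy when the ICMP packet left the machine.
"""
import re
from datetime import date, datetime, timedelta

# Constructed sample: Zyxel attack-log lines in the thread's
# "No.|Time |Source IP |Destination IP |Note" layout.
ZYXEL_LOG = """\
3|05/13/2005 11:55:19 |192.168.1.3 |212.187.131.1 |ATTACK ping of death. ICMP(type:0, code:0)
4|05/13/2005 11:55:19 |192.168.1.3 |212.187.131.1 |ATTACK ping of death. ICMP(type:8, code:0)
"""

# Constructed sample: TDIMon rows as "# time process:pid object request ...",
# with times, processes and addresses taken from the log posted in the thread.
TDIMON_LOG = """\
110 12:55:07 Skype.exe:1512 81BF67E8 TDI_SEND_DATAGRAM UDP:0.0.0.0:12549 140.192.172.203:26001 Length:62 SUCCESS
121 12:55:09 System:4 81F7FAF8 TDI_CONNECT TCP:0.0.0.0:1442 192.168.1.4:445
122 12:55:14 System:4 82285BE0 TDI_SEND_DATAGRAM UDP:192.168.1.3:137 192.168.1.4:137 Length:50 SUCCESS
125 12:55:19 System:4 81FC3E68 IRP_MJ_CLEANUP TCP:192.168.1.3:1443 SUCCESS
128 12:55:23 svchost.exe:972 82075D88 TDI_SEND_DATAGRAM UDP:0.0.0.0:1042 217.146.99.22:53 Length:30 SUCCESS
129 12:55:23 nod32krn.exe:172 822A7F40 IRP_MJ_CREATE TCP:0.0.0.0:0 Address Open SUCCESS
205 12:55:31 msnmsgr.exe:900 821C4268 TDI_SEND TCP:192.168.1.3:1039 Length:5 SUCCESS
"""

ZYXEL_RE = re.compile(
    r"^(?P<no>\d+)\|(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[\d.]+) \|(?P<dst>[\d.]+) \|(?P<note>.*)$")
TDI_RE = re.compile(
    r"^(?P<no>\d+) (?P<ts>\d{2}:\d{2}:\d{2}) (?P<proc>\S+):(?P<pid>\d+) "
    r"(?P<obj>[0-9A-Fa-f]+) (?P<req>\S+)\s*(?P<rest>.*)$")


def parse_zyxel(text):
    """One dict per firewall attack line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ZYXEL_RE.match(line)
        if not m:
            continue
        icmp = re.search(r"ICMP\(type:(\d+), code:(\d+)\)", m["note"])
        events.append({
            "no": int(m["no"]),
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "note": m["note"],
            # ICMP type 8 is an echo request, type 0 an echo reply.
            "icmp_type": int(icmp.group(1)) if icmp else None,
        })
    return events


def parse_tdimon(text, day_iso):
    """One dict per TDIMon row. TDIMon prints only a time of day, so the caller
    supplies the capture date as an ISO string (e.g. "2005-05-13")."""
    day = date.fromisoformat(day_iso)
    rows = []
    for line in text.splitlines():
        m = TDI_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S").time()
        rows.append({
            "no": int(m["no"]),
            "time": datetime.combine(day, t),
            "process": m["proc"],
            "pid": int(m["pid"]),
            "request": m["req"],
            "rest": m["rest"],
        })
    return rows


def correlate(events, rows, clock_offset_seconds=3600, window_seconds=10):
    """For each firewall event, list host processes with TDI activity within
    +/-window of the event after shifting the firewall time onto the host clock.
    TDIMon records only TCP/UDP transport requests, so the ICMP packet itself is
    never a row; the processes listed are suspects by proximity, not proven senders.
    """
    offset = timedelta(seconds=clock_offset_seconds)
    window = timedelta(seconds=window_seconds)
    out = []
    for ev in events:
        host_time = ev["time"] + offset
        near = [r for r in rows if abs(r["time"] - host_time) <= window]
        out.append({
            "event": ev["no"],
            "dst": ev["dst"],
            "icmp_type": ev["icmp_type"],
            "host_time": host_time.strftime("%H:%M:%S"),
            "processes": sorted({f'{r["process"]}:{r["pid"]}' for r in near}),
        })
    return out


if __name__ == "__main__":
    hits = correlate(parse_zyxel(ZYXEL_LOG), parse_tdimon(TDIMON_LOG, "2005-05-13"))
    for h in hits:
        print(f'#{h["event"]} ICMP type {h["icmp_type"]} -> {h["dst"]} '
              f'at host time {h["host_time"]}: {", ".join(h["processes"])}')
```

On the thread's real logs the same idea applies unchanged: feed the full TdiMon capture and all the firewall's attack lines for that day, and tighten the window once the clock offset is known exactly. Whatever the window shows is only a shortlist; confirming the sender still needs a capture that sees ICMP on the workstation itself.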
Let me clarify - from reading their website it seems that TDIMon doesn't monitor ping. This is because communication is done in layers, and TDIMon seems to only deal with layer 4, but ping happens at layer 3. I have not downloaded TDIMon, but from reading their web site this seems to be what they are doing.
The method suggested by Technicon would help, or you could download the free Ethereal monitor.
I'll learn a little more about TDIMon to double check my belief about it.
Bill
ASKER
Unfortunately I don't have a hub - my network is all switched.
ASKER
I've accepted your answers, and split the points, as you've tried your best, and it's not your fault I don't have a hub.
Hope you don't mind that I have only graded the answers 2 - no reflection on your helpfulness, but I haven't solved the problem yet.
Nikki, thanks for the points,
You still have possible actions to take if you like:
1. install a real network monitor such as Ethereal (the free one I mentioned in an earlier post) on the machine you suspect of the attack
2. contact the ISP to see how they perceive this - it sounds like they have not complained to you
Good luck,
CajunBill
The same thing happened to me, and I have a Zyxel ZyWALL 10, when my coworker had installed Skype, so I blame Skype for the attack e-mails. And I don't really worry, but it would help if someone would help me know how to solve this problem without taking any risk....
Have fun BGCM
ASKER