Quote
" Dear all,
An incident happened yesterday (03-October-2016) which went as follows.
13:39:40 IST: Windows Event Viewer gave an error: "The Avast Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service."
From 13:51:03 to 13:51:38 IST: massive serial connection attempts from the host to the firewall on ports 111, 137, 20005, 7547, 53, 32764, 138, 49152, 873, 3389, 22, 135, 3128, 21, 993, 4567, 5357, 389, 5431, 500, 139, 23, 515, 1434, 20, 5060, 500, 8099, 5000, 3128, 8443, 9100, 389, 515, 80, which were blocked by the firewall. The computer was unattended and Event Viewer showed no anomalous entry.
Multiple scans by Malwarebytes and Avast also yielded no result. The Rkill and JRT tools also showed no anomalous entries.
Can anyone confirm whether it was a genuine sophisticated hack attempt and suggest remedial measures?"
Unquote
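The pattern the quoted report describes (one host touching dozens of distinct ports on the firewall within about 35 seconds) is the classic signature of a port sweep, and it is worth being able to pick it out of firewall logs automatically rather than by eye. The following detector is an added example for this thread, not code from the original poster, from Avast or from any firewall vendor. It parses a constructed log format (the `BLOCK src=... dst=... dport=...` lines, the source and destination addresses and the timestamps are all made up for the example; the port sequence is the one reported above) and flags any source that reaches a configurable number of distinct destination ports within a sliding time window.

```python
# Added example (not from the thread): detect a port sweep in firewall logs,
# i.e. one source hitting many distinct destination ports in a short window.
# The log format and sample entries below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed format: "<YYYY-MM-DD> <HH:MM:SS> <ACTION> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Destination ports in the order reported in the quoted incident (duplicates kept).
REPORTED_PORTS = [111, 137, 20005, 7547, 53, 32764, 138, 49152, 873, 3389, 22, 135,
                  3128, 21, 993, 4567, 5357, 389, 5431, 500, 139, 23, 515, 1434, 20,
                  5060, 500, 8099, 5000, 3128, 8443, 9100, 389, 515, 80]

# Constructed sample log: the sweep (one attempt per second from 13:51:03, all
# blocked) plus one unrelated, allowed connection from a different host.
SAMPLE_LOG = [
    f"2016-10-03 13:51:{3 + i:02d} BLOCK src=192.0.2.10 dst=192.0.2.1 dport={p}"
    for i, p in enumerate(REPORTED_PORTS)
] + ["2016-10-03 13:52:10 ALLOW src=192.0.2.50 dst=192.0.2.1 dport=443"]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_port_sweeps(lines, window=timedelta(seconds=60), min_ports=10):
    """Return {src: (first_ts, last_ts, sorted distinct ports)} for every source
    that contacted at least `min_ports` distinct destination ports within `window`.
    Both blocked and allowed attempts are counted: a sweep that is partly
    allowed is still a sweep."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window: advance `start` until the events in evs[start:end+1]
        # all fall within `window` of each other, then count distinct ports.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                prev = alerts.get(src)
                if prev is None or len(ports) > len(prev[2]):
                    alerts[src] = (evs[start]["ts"], evs[end]["ts"], sorted(ports))
    return alerts


if __name__ == "__main__":
    for src, (first, last, ports) in find_port_sweeps(SAMPLE_LOG).items():
        span = (last - first).total_seconds()
        print(f"{src}: {len(ports)} distinct ports in {span:.0f}s "
              f"({first.time()} to {last.time()}): {ports}")
```

Run against the constructed sample, the detector reports 192.0.2.10 reaching 31 distinct ports in 34 seconds (the 35 reported attempts include repeats of 389, 500, 515 and 3128) and says nothing about the single allowed connection from 192.0.2.50. The thresholds are deliberately conservative defaults; on a real perimeter log the window and port count should be tuned so that ordinary multi-port clients (a host that legitimately talks to DNS, HTTP and HTTPS on the same gateway) stay below the line while a sweep like the one quoted is far above it.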
Was this a business-connected (domain-connected) PC at one time? I do not believe it is malware but a misconfiguration of the system. The Photon service is trying to run without its files present, and there are pieces of McAfee Endpoint (a business-level security utility) on the system.
It was previously connected to a domain. Photon Plus is a Wi-Fi-enabled internet dongle which may have been used to connect to the internet in the past (more than two years ago, at least) but has not been connected to the system. So the setting might have been a junk registry entry. Also, the McAfee product is Endpoint Encryption Agent, which came as a standard software package from HP; we have no way to uninstall it as of now. Considering the port numbers which have been targeted and the logs generated by the firewall, it doesn't seem to be a misconfiguration. Plus, Avast giving a memory dump just before the host automatically tries to probe the firewall is too much of a coincidence.
Uploaded log06102016.zip to ftp://ftp.avast.com/incoming. The file contains the unpxxxx.mdmp and unpxxxx.mdmp.status files generated when the Avast service stopped working. Our version is Avast Free Antivirus 12.3.3154.6 on Windows 7 SP1. The definitions were current (161003-0) at the time of the memory dump generation.
I request Avast to have a look at the memory dump and analyze the root cause of the dump.