SYN Flood from Avast?

I’ve been running Avast personal version on my laptop and my daughter’s desktop for a couple months now and it’s been working well.

About a week ago I installed it on my wife’s laptop, and for the past couple of days I have been investigating SYN floods that my firewall is reporting as coming from her computer.

The destination address is 69.63.178.112 which DNS resolves as channel42-09-01-snc1.facebook.com.

‘netstat -abn’ says that they’re being generated by ‘AvastSvc.exe’:

TCP 10.1.20.21:2392 69.63.178.112:80 SYN_SENT 1808 [AvastSvc.exe]
TCP 10.1.20.21:2502 69.63.178.112:80 SYN_SENT 1808 [AvastSvc.exe]
TCP 10.1.20.21:2594 69.63.178.112:80 SYN_SENT 1808 [AvastSvc.exe]
TCP 10.1.20.21:2614 69.63.178.112:80 SYN_SENT 1808 [AvastSvc.exe]

RGFW-IN: ACCEPT (TCP 10.1.20.21:2724->69.63.178.112:80 on ixp0) [1402,91881476] Thu Feb 4 13:57:52 2010 RGFW-RATELIMIT: 42 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago Thu Feb 4 13:57:51 2010

There are thousands of these SYN packets being sent every minute.

Any idea what could be causing this or what I can do to stop it? Avast scans don’t find anything. Neither did McAfee (which I replaced with Avast), SpyBot or SpywareBlaster.

Thanks

Interesting. Since the connection is being made on port 80 (http), it may be the WebShield proxy intercepting the connections from another process and relaying to Facebook (WebShield in avast 5 runs in the context of AvastSvc.exe process). I’d suggest disabling WebShield for a while and seeing if anything changes (i.e. another process in the system may show up as generating the traffic).

Thanks
Vlk

I was wondering if that might be the case. I’ll give that a try.

Duane

Ok, that solved the mystery. It was a Facebook game my wife plays.

Duane
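
Added example, not part of the thread: a small Python triage script that parses saved `netstat -abn` output and counts half-open (SYN_SENT) connections per owning process and destination, accepting the owner name either on the connection line or on the line after it. The sample text, the 192.0.2.10 address, `browser.exe` and the threshold are constructed for illustration; as the reply above notes, the reported owner can be a local proxy rather than the process that originated the traffic.

```python
import re
from collections import Counter

# Constructed sample modelled on the output quoted in the thread.
SAMPLE = """\
  TCP    10.1.20.21:2392    69.63.178.112:80    SYN_SENT    1808 [AvastSvc.exe]
  TCP    10.1.20.21:2502    69.63.178.112:80    SYN_SENT    1808
 [AvastSvc.exe]
  TCP    10.1.20.21:2594    69.63.178.112:80    SYN_SENT    1808
 [AvastSvc.exe]
  TCP    10.1.20.21:1044    192.0.2.10:443      ESTABLISHED 2210
 [browser.exe]
  TCP    10.1.20.21:2614    69.63.178.112:80    SYN_SENT    1808
"""

# proto, local, remote, state, PID, optional [owner] on the same line
CONN = re.compile(
    r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)(?:\s+\[(.+?)\])?\s*$")
# a line holding only "[name.exe]" belongs to the connection printed before it
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Return one dict per TCP connection, with the owner attached if known."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            local, remote, state, pid, owner = m.groups()
            conns.append({"local": local, "remote": remote, "state": state,
                          "pid": int(pid), "owner": owner})
            continue
        o = OWNER.match(line)
        if o and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = o.group(1)
    return conns


def half_open_summary(conns, threshold=3):
    """Count SYN_SENT sockets per (owner, pid, remote); keep noisy groups."""
    counts = Counter((c["owner"] or "unknown", c["pid"], c["remote"])
                     for c in conns if c["state"] == "SYN_SENT")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (owner, pid, remote), n in half_open_summary(parse_netstat(SAMPLE)).items():
        print(f"{n} half-open connections to {remote} held by {owner} (PID {pid})")
```

A group that stays at the top of this summary after the proxy component is disabled points at the real originating process.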