Vecna Scan ??

Discussion in 'Computer Security' started by derkit, Dec 2, 2007.

  1. derkit

    derkit Gigabyte Poster

    For the past few weeks I've been getting this:

    in the security logs of my Belkin router/ADSL modem, where the IP 192.168.x.x is that of the computer I'm typing on now.

    The port number it's coming from varies on my computer and the IP it goes to is different - everything from the Bloomberg domain, to yahoo.com, to who knows what!

    After trawling the internet it seems to be some sort of stealth port scanner which seems to be coming from inside my network? I've run 3 spyware and 2 antivirus programs, including free ones like AVG, and they all come up clean.
    I've port scanned my computers and they are all tied down tightly.
    Does anyone have a clue with this??

    I can post more of the log if needed
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  2. onoski

    onoski Terabyte Poster


    Judging from all the above you've carried out there is nothing to worry about as long as you keep your OS patched and updated. It's normal for your computer to be scanned by other computers, usually "zombies". It's just hacker programs on compromised computers doing random scans so that they copy themselves to vulnerable computers. If your router has a firewall, you don't have to worry about it.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. Theprof

    Theprof Petabyte Poster

    I know you did your online virus scan with AVG, but I would recommend doing the online scan with Kaspersky. The reason is that before, I was infected with a virus that my antivirus could not detect. The AV that I used at the time was AVG. I then took off AVG and installed McAfee, and same thing; tried PC-cillin, same thing. Then a friend recommended doing the online Kaspersky test and voila, it found the virus I had. Once I knew the name it was easy to find a way to delete it.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  4. Sparky

    Sparky Zettabyte Poster Moderator

    In this case the traffic is originating from the LAN though which may be a concern.

    Derkit,
    You say you have port scanned your PCs; however, the traffic seems to be originating from a PC, so you need to look at traffic going in that direction. Do you have a software firewall on your PC?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. zebulebu

    zebulebu Terabyte Poster

    Sparky is right - since the traffic originates from INSIDE your network you should be slightly more concerned than if it were just portscans bouncing off the outside interface of your firewall. I can't count the number of organisations I've worked/consulted for that wondered why their network was rinsed, trotting out the old refrain: "But our Firewall blocks everything inbound!" (not much good if you allow all your internal PCs free rein to access any old box on tEh iNteRnEtz on any port it chooses!). All that said, I think it's probably a false positive - 'Vecna Scan' probably refers to some P2P application running on your LAN - Soulseek or a torrent client most likely - with the router not able to cope with or understand the connections that are being made/attempted by that app. 'Vecna' was, I believe, a poster on the Nmap list a few years back who devised some stealth scanning techniques that were subsequently added to Nmap's scanning methodologies in a later build (though I could be wrong on that). They don't work properly on Windows systems because M$ trashed the TCP/IP stack when they implemented it for their OS.

    PM me the logfiles and I'll take a look - if you have them as syslogs that would be better than the (no doubt) shitty ones that are presented by your Router/FW. If you REALLY want to be anal, you could fire up Wireshark and leave it running overnight.
     
    Certifications: A few
    WIP: None - f*** 'em
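Sparky's point that the traffic originates from a LAN host, and zebulebu's suggestion of pulling syslog off the router and telling a real scanner apart from a chatty P2P client, can both be checked mechanically. The script below is an added example, not code from the thread or from any router vendor: it parses a constructed router log (the line format and the RFC 1918 "inside" definition are assumptions), counts each internal host's distinct external destinations and destination ports, and flags a host that fans out to many destinations on one or two ports as scan-like, while a host hitting many destinations on many different ports looks more like a torrent or Soulseek client.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: anything in an RFC 1918 range is "inside the LAN". We do not use
# ipaddress.is_private because it also matches the documentation ranges used
# for the sample destinations below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of router "security log" lines. This is NOT the poster's
# log; the line format is an assumption made for this example.
SAMPLE_LOG = """\
Dec 02 21:14:03 OUT src=192.168.2.5:49152 dst=203.0.113.10:445 proto=TCP
Dec 02 21:14:03 OUT src=192.168.2.5:49153 dst=203.0.113.11:445 proto=TCP
Dec 02 21:14:04 OUT src=192.168.2.5:49154 dst=198.51.100.7:445 proto=TCP
Dec 02 21:14:04 OUT src=192.168.2.5:49155 dst=198.51.100.8:445 proto=TCP
Dec 02 21:14:05 OUT src=192.168.2.5:49156 dst=192.0.2.21:445 proto=TCP
Dec 02 21:14:05 OUT src=192.168.2.5:49157 dst=192.0.2.22:445 proto=TCP
Dec 02 21:14:06 OUT src=192.168.2.9:51000 dst=203.0.113.40:6881 proto=TCP
Dec 02 21:14:06 OUT src=192.168.2.9:51001 dst=198.51.100.41:6882 proto=TCP
Dec 02 21:14:07 OUT src=192.168.2.9:51002 dst=192.0.2.42:51413 proto=TCP
Dec 02 21:14:07 OUT src=192.168.2.9:51003 dst=203.0.113.43:6889 proto=TCP
Dec 02 21:14:08 OUT src=192.168.2.9:51004 dst=198.51.100.44:21212 proto=TCP
Dec 02 21:14:08 OUT src=192.168.2.9:51005 dst=192.0.2.45:8999 proto=TCP
Dec 02 21:14:09 OUT src=192.168.2.3:50200 dst=203.0.113.80:443 proto=TCP
Dec 02 21:14:10 OUT src=192.168.2.3:50201 dst=203.0.113.80:80 proto=TCP
Dec 02 21:14:11 IN src=203.0.113.99:3389 dst=192.168.2.1:3389 proto=TCP
"""

LINE_RE = re.compile(
    r"\b(?P<dir>IN|OUT)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_lan(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text: str) -> list:
    """Turn log lines into connection records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({"dir": m["dir"], "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"])})
    return events


def classify_lan_hosts(text: str, min_dests: int = 5, scan_max_ports: int = 2) -> dict:
    """Per internal host, count distinct external destinations and destination ports.

    Thresholds are assumptions for the example: fan-out to >= min_dests hosts on
    <= scan_max_ports ports is 'scan-like'; the same fan-out across many ports is
    'p2p-like'; anything below the fan-out threshold is 'normal'.
    """
    dests, ports = defaultdict(set), defaultdict(set)
    for ev in parse_log(text):
        # Only outbound traffic from a LAN host to a non-LAN host is of interest.
        if ev["dir"] != "OUT" or not is_lan(ev["src"]) or is_lan(ev["dst"]):
            continue
        dests[ev["src"]].add(ev["dst"])
        ports[ev["src"]].add(ev["dport"])
    report = {}
    for host in dests:
        n_dests, n_ports = len(dests[host]), len(ports[host])
        if n_dests >= min_dests and n_ports <= scan_max_ports:
            verdict = "scan-like"
        elif n_dests >= min_dests:
            verdict = "p2p-like"
        else:
            verdict = "normal"
        report[host] = {"destinations": n_dests, "ports": n_ports, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in sorted(classify_lan_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {info['destinations']} destinations, "
              f"{info['ports']} ports -> {info['verdict']}")
```

On the constructed sample, 192.168.2.5 hits six external hosts on port 445 only and is flagged scan-like, which is the worm-style behaviour worth chasing down on the host itself (as the thread eventually did with a software firewall); 192.168.2.9 hits six hosts on six different high ports and comes out p2p-like, the false-positive case zebulebu describes. Real router logs will need their own regex, and the thresholds should be tuned to the size of the network.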
  6. derkit

    derkit Gigabyte Poster

    Thanks for the thoughts so far guys - to update:
    tried Kaspersky but it stops downloading the new updates at 93% - perhaps some website trouble

    I normally don't run a software firewall, but remembering ZoneAlarm I installed the trial - and it looks like blocking services.exe from accessing the internet stops all these errors.
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  7. derkit

    derkit Gigabyte Poster

    Well, ZoneAlarm was worth its weight in gold - not only did it stop the outflow of data - hurrah - but also helped me identify what the problem was.

    A bit of research later - xpdx.sys - some trojan. No idea where it came from, but glad it went.
    For future reference, I used ComboFix to solve it.
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
