Okay guys... Help me figure out what happened (and how I can prevent it).

Discussion in 'malware problems & news' started by Gullible Jones, Sep 26, 2009.

Thread Status:
Not open for further replies.
  1. This Wednesday at about 11:00 PM, I was browsing Wikipedia when Comodo Firewall registered an attempt to connect to the System program from an IP address on the local network. I clicked "block".

    The connection was not blocked. The attempt to block it was immediately followed by a flurry of ethernet and hard drive activity; on clicking on the Start menu, I got a bubble tip claiming that new software had been installed.

    I downloaded GMER and ran it, and discovered to my annoyance that Defense+, which was configured to intercept driver loading, did not so much as raise an eyebrow at GMER's randomly named driver.

    GMER found nothing. After that though, I didn't waste time trying to diagnose exactly what was wrong. Instead I just wiped my Windows partitions and installed Ubuntu LTS, from which I'm now posting.

    Some pointers:

    - This wasn't Windows XP Home, which I also have, but the 180 day trial version of Windows 2003 R2 SP2.

    - Due to graphics driver breakage, I'd disabled Windows Update entirely. To compensate for this I had disabled all unnecessary services - the BITS, Computer Browser, everything that could potentially cause issues. The only update installed was SP2.

    (Is it possible that, if there was some unpatched vulnerability in the network stack, something bad could happen without the firewall having any say?)

    - I was, as I mentioned, using Comodo D+ and firewall at the time due to their greater feature set than Online Armor Free. Yeah, I don't quite trust Comodo, but I figured that if their software had any significant holes those would have come to light during testing. Now I'm not so sure. :mad:

    - I was running as Admin. This shouldn't have made a difference though, since the connection attempt was to the System service... Still, I guess it's relevant.

    What do you guys think happened? Is there any worm that typically propagates by connection to the System service, and can bypass firewalls like that? Or could it have been a deliberate hacking? In the future, how can I prevent stuff like this?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    you don't remember what new software?
     
  3. ha14

    ha14 Registered Member

    Joined:
    Sep 6, 2009
    Posts:
    53
    Scan with HijackThis and post your log here so someone can help you if an infection is there! Hope not!
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,940
    Location:
    U.S.A.
  5. Sorry... Yeah, kind of stupid.

    That's the funny thing, there wasn't anything new in the Start menu that I could see.
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    it could have been nothing sinister that comodo detected, not that it matters now
     
    I'm fairly sure it was sinister, considering that the HIPS stopped working properly afterward. (Didn't try to block GMER's driver despite being configured to and having intercepted drivers before.)

    Getting more specific... How can I block *any* external attempt to connect to the System process? Last I checked that process doesn't need to accept connections, so how can I block it from doing so?
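Added example for the question in post 7 (how to stop anything external from connecting to the System process); this is not code from the thread or from any of the posters. On XP/2003 the "System" entry in Comodo's alert is PID 4, the kernel itself, and the sockets it owns are almost always the SMB and NetBIOS listeners (srv.sys on TCP/UDP 445, netbt.sys on TCP 139 and UDP 137/138). Those are served inside the kernel, so a user-mode firewall or a hooked filter driver has less say over them than over an ordinary program; the robust fix is to make sure nothing is listening at all. The script below parses `netstat -ano` output, lists what PID 4 has bound, flags live connections into it from other hosts (the event the original post describes), and prints the commands to close the listeners. The netstat sample is constructed, not captured from the poster's machine; the `sc`, `wmic` and `netsh firewall` syntax is what I believe applies on Windows 2003/XP SP2 and should be checked with `netsh firewall set service help` before use.

```python
"""Find sockets owned by the Windows System process (PID 4) in
`netstat -ano` output and suggest how to close them.

Added example, not from the thread. SAMPLE_NETSTAT below is constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List

SYSTEM_PID = 4  # "System" in Task Manager / Comodo alerts on XP and 2003

# Constructed sample of `netstat -ano` as printed on Windows XP/2003.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:445       192.168.1.77:3512      ESTABLISHED     4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1640
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.20:137       *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
"""

# Kernel components that normally own these ports (general Windows knowledge).
KNOWN_SYSTEM_PORTS = {
    ("TCP", 445): "SMB over TCP (srv.sys, Server service)",
    ("TCP", 139): "NetBIOS session service (netbt.sys)",
    ("UDP", 445): "SMB over UDP (srv.sys)",
    ("UDP", 137): "NetBIOS name service (netbt.sys)",
    ("UDP", 138): "NetBIOS datagram service (netbt.sys)",
}

# proto, local, foreign, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_addr(addr: str):
    """Split 'ip:port' (also '[::]:port' and '*:*') into (ip, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or a line we do not understand
        proto, local, foreign, state, pid = m.groups()
        lip, lport = split_addr(local)
        fip, fport = split_addr(foreign)
        rows.append(dict(proto=proto, local_ip=lip, local_port=lport,
                         foreign_ip=fip, foreign_port=fport,
                         state=state or "", pid=int(pid)))
    return rows


def system_sockets(rows: List[Dict]) -> List[Dict]:
    """Sockets owned by PID 4 that accept unsolicited traffic:
    TCP listeners plus every UDP binding (UDP lines carry no state)."""
    return [r for r in rows if r["pid"] == SYSTEM_PID
            and (r["proto"] == "UDP" or r["state"] == "LISTENING")]


def inbound_to_system(rows: List[Dict]) -> List[Dict]:
    """Live TCP connections into PID 4 from hosts other than the machine itself."""
    return [r for r in rows if r["pid"] == SYSTEM_PID and r["proto"] == "TCP"
            and r["state"] == "ESTABLISHED"
            and not r["foreign_ip"].startswith("127.")]


def describe(sock: Dict) -> str:
    what = KNOWN_SYSTEM_PORTS.get((sock["proto"], sock["local_port"]),
                                  "not a usual kernel port; investigate")
    return f'{sock["proto"]} {sock["local_ip"]}:{sock["local_port"]}  {what}'


def suggest_actions(sockets: List[Dict]) -> List[str]:
    """Commands to remove the listeners rather than filter them (assumed syntax)."""
    ports = {(s["proto"], s["local_port"]) for s in sockets}
    cmds: List[str] = []
    if ports & {("TCP", 445), ("TCP", 139), ("UDP", 445)}:
        # Stopping the Server service makes srv.sys stop serving SMB.
        cmds += ["sc config lanmanserver start= disabled", "sc stop lanmanserver"]
    if ports & {("TCP", 139), ("UDP", 137), ("UDP", 138)}:
        # 2 = disable NetBIOS over TCP/IP on every IP-enabled adapter.
        cmds.append("wmic nicconfig where IPEnabled=true call SetTcpipNetbiosOptions 2")
    if ports:
        # Drop the File and Printer Sharing exception, then block all exceptions.
        cmds += ["netsh firewall set service type=FILEANDPRINT mode=DISABLE",
                 "netsh firewall set opmode mode=ENABLE exceptions=DISABLE"]
    return cmds


if __name__ == "__main__":
    # `--live` reads the real netstat on a Windows box; default uses the sample.
    text = (subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
            if "--live" in sys.argv else SAMPLE_NETSTAT)
    rows = parse_netstat(text)
    socks = system_sockets(rows)
    print("System (PID 4) is bound on:")
    for s in socks:
        print("  " + describe(s))
    for c in inbound_to_system(rows):
        print(f'  WARNING: {c["foreign_ip"]}:{c["foreign_port"]} is connected to '
              f'{c["proto"]} port {c["local_port"]} on System right now')
    print("Suggested commands (verify syntax on your version first):")
    for cmd in suggest_actions(socks):
        print("  " + cmd)
```

Run it with `--live` on the affected machine before and after applying the commands; the "is bound on" list should come back empty for PID 4 if the Server service is stopped and NetBT is off. Removing the listener is preferable to relying on Comodo or the built-in firewall alone, because a rule only helps while the filter driver is still in the data path, and the original post describes exactly that filter failing to take effect.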
     