Hello, For several months I have been receiving port scans which my sygate firewall always informs me of. The remote IP address was initially "220.127.116.11" and its associated MAC is always "00-14-F1-E9-EA-DA", and its somewhere in China. I get random port scans from other IP addresses and assumed they were different computers, however I recently seen they all had the exact same MAC address as above guy from China. That is not the only problem. On a regular basis my computer applications - even security ones like AVG and SuperAntiSpyware - are stopped from accessing the internet by my sygate firewall which informs me the programs have changed recently. Because I have always assumed its simply AVG updating itself I usually allow the file change, but then immediately sygate informs me of an application hijacking attempt, and this then followed by MAC spoofing, but MOST worrying of all is the remote address involved with these hijackings and mac spoofings (and port scans) is the exact same MAC address (given above), and usually its associated IP (also above) although sometimes the IP changes but mac doesnt. My communications online and through my security software - according to logs - are being intercepted through above IP and MAC address. Please continue to read. Sometimes (more recently) the suspect remote IP has changed and become almost identical to my own IP except the end digit is wrong and obviously the mac address (same suspect one above) is completely different from my own. Its almost as though its trying to trick my sygate into thinking its my computer but sygate is (hopefully) detecting it all of the time. I believe my communications are being intercepted by this remote ip user who may be monitoring everything I do online. I have setup in my sygate, some advanced rules specific to stopping above mac address and several other IPs it uses. Despite this sygate still reports these attempts. The attacking MAC address is also in contact with my windows system32 file NDISUIO.SYS - which I have sygate block from accessing internet, if that helps at all. I recently seen traffic log which was very disturbing. I logged into my google account and after doing so my traffic log showed under "REMOTE HOST" this - "accounts.google.com[18.104.22.168]" and the remote MAC was the SAME culprit who has been port scanning me that I have already given above. This is very disturbing to me and I can post these recent logs if required. Let me just repeat that my IP and MAC address are NOT the attacking one mentioned above. My MAC address is completely different. My sygate traffic log occasionally shows this statement in the column for "rule name" :- "GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100". This is often the action carried out by the attacking remote IP and MAC mentioned above. It looks to my untrained eye as though he is able to allow himself past my sygate firewall, because I have NO rules allowing this and in fact all the rules I created (about 8) are specifically to block ip and mac address. On top of all this I often hear the hard disk being accessed even though no scheduling of any kind should be taking place. I know how paranoid this may all sound but I am heavily suspicious something is happening. I am somewhat computer literate and my internet skills could definitely be better, but it appears to me as though every time an application is wanting access - or has recently been changed - the IP and mac address always involved is the one I constantly get port scans from. I have saved a small section of packet logs, traffic logs, and security logs into an excel spreadsheet that I could upload if you guys want more info, but I would think it best I remove my own IP and MAC address etc before posting it to a public forum. Could someone please help with these problems and let me know asap if you need to view the logs I mentioned and I will post them. Many thanks, Roy.