Slow & Dropping Connection


10 replies to this topic

#1 nashvegas12

Posted 14 August 2012 - 12:11 PM

OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
Processor: Intel® Core™ i5-2410M CPU @ 2.30GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 4
RAM: 8086 Mb
Graphics Card: Intel® HD Graphics 3000, -1988 Mb
Hard Drives: C: Total - 715301 MB, Free - 667246 MB;
Motherboard: Dell Inc., 0YH79Y
Antivirus: AVG Internet Security 2012, Updated and Enabled

Cable Internet (Comcast Blast)
150 ft from Wireless Router
Wireless Router: Netgear N600 Wireless Dual Band Router WNDR3400


I was recently infected with trojan.zeroaccess. I am confident it is gone; I did a complete "clean all" wipe of my hard drive and reinstalled Windows. Some of the networking & connection problems that I experienced when the trojan was active are still occurring.

On 7/31/2012 Norton popped up that trojan.zeroaccess was discovered and quarantined with no further action needed. I discovered on 8/02/2012 that I was actually infected after investigating my connection problems. Internet connection was slow and would drop & reconnect repeatedly. Long story short, my Gmail and banking accounts both had blocked attempts to access my account info, so it was pretty obvious there was a backdoor opened and I had unauthorized connections to my system. I'm not one to take chances, so I just wiped everything and did a clean install.

What's weird is that I checked my Norton logs and, at the exact second that I got the alert that the trojan was detected, these entries started appearing in my log.

IP address has disappeared from adapter teredo tunneling pseudo interface...,Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface, IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface and is no longer being protected,firewall disabled, Default Block SSDP\" blocked (192.168.1.1, Port (2869) ). Inbound TCP connection. ",Detected,No Action, stealthed (OWNER-PC (192.168.1.2), Port (5355) ). Inbound UDP packet, Block UPnP Discovery\" stealthed (192.168.1.2, Port ssdp(1900).Inbound UDP packet.2012-08-02 13:55:50,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: 2001::9d38:953c:3cd1:370e:9d3e:5b85).",Detected,No Action Required,Firewall - Network and Connections,,,
2012-08-02 13:55:25,Info,"Protecting your connection to a newly detected network on adapter \"Intel® Centrino® Wireless-N 1030\" (IP address: fe80::3879:2f02:a7c8:99dc%11).",Detected,No Action

I don't know anything about networking. I do know that "Teredo tunneling" has something to do with IPv4 & IPv6 converting. It seems like an odd coincidence that the entries started at the exact second I got the trojan alert, and going back through 90 days of logs, there were no entries remotely similar to that before that moment.

After the clean install of Windows 7 and before attempting to reconnect to our wireless network, I reset the cable modem. Then I reset the wireless router to factory settings. Changed our SSID, prevented it from broadcasting and changed the login and password to both router and connection. I also released and refreshed our IP address as well.

Internet connection still seems not quite right. Still running slow and dropping connections. I am also still seeing the same type of log entries and it seems like there are "a lot" of connections when I view the network, but I don't really know what I'm looking at.

Is it possible for the trojan to be on/in the wireless router and/or could the back-doors created by the trojan still be opened somehow? Is there a way to know if all of those connections are legitimate? Also, we have a wireless network printer. Could it lurk somewhere in there too? (Please don't laugh at me, I'm a tad paranoid now) Or the Roku or Xbox that are also on our network?

Any help is much appreciated!


MiniToolBox by Farbar Version: 23-07-2012
Ran by LHHG (administrator) on 14-08-2012 at 11:42:58
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® Centrino® Wireless-N 1030 = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)
Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : LHHG-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 14-FE-B5-B4-06-F9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : BC-77-37-C8-21-33
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : BC-77-37-C8-21-30
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® Centrino® Wireless-N 1030
Physical Address. . . . . . . . . : BC-77-37-C8-21-2F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::48cc:db29:2719:4f9f%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, August 13, 2012 9:36:45 PM
Lease Expires . . . . . . . . . . : Wednesday, August 15, 2012 9:49:46 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 247232311
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-B3-B5-11-BC-77-37-C8-21-2F
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B4D0F193-4C6B-4E86-85D5-F3A29E6D0773}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:4ce:3829:9d3e:5b85(Preferred)
Link-local IPv6 Address . . . . . : fe80::4ce:3829:9d3e:5b85%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{0EEF223A-1146-4A6E-869F-E20DD4718D8F}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{61E5A5D5-10FD-40F0-AC61-785D9EC734D9}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{7F99BA34-78F3-4444-BEF8-2C8B18385FA7}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 2001:4860:800a::64
74.125.139.139
74.125.139.113
74.125.139.138
74.125.139.102
74.125.139.101
74.125.139.100


Pinging google.com [74.125.139.113] with 32 bytes of data:
Reply from 74.125.139.113: bytes=32 time=23ms TTL=48
Reply from 74.125.139.113: bytes=32 time=20ms TTL=48

Ping statistics for 74.125.139.113:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 23ms, Average = 21ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.138.253.109
98.139.183.24
72.30.38.140


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=725ms TTL=51
Reply from 98.139.183.24: bytes=32 time=764ms TTL=51

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 725ms, Maximum = 764ms, Average = 744ms
Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
17...14 fe b5 b4 06 f9 ......Realtek PCIe FE Family Controller
15...bc 77 37 c8 21 33 ......Bluetooth Device (Personal Area Network)
13...bc 77 37 c8 21 30 ......Microsoft Virtual WiFi Miniport Adapter #2
11...bc 77 37 c8 21 2f ......Intel® Centrino® Wireless-N 1030
1...........................Software Loopback Interface 1
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.7 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.7 281
192.168.1.7 255.255.255.255 On-link 192.168.1.7 281
192.168.1.255 255.255.255.255 On-link 192.168.1.7 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.7 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.7 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 58 ::/0 On-link
1 306 ::1/128 On-link
16 58 2001::/32 On-link
16 306 2001:0:4137:9e76:4ce:3829:9d3e:5b85/128
On-link
11 281 fe80::/64 On-link
16 306 fe80::/64 On-link
16 306 fe80::4ce:3829:9d3e:5b85/128
On-link
11 281 fe80::48cc:db29:2719:4f9f/128
On-link
1 306 ff00::/8 On-link
16 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/13/2012 11:50:32 PM) (Source: DeviceCenter) (User: )
Description: Unknown Node:#text -->

Error: (08/13/2012 09:36:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/13/2012 08:34:12 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 08:02:17 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 07:52:33 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 06:25:37 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 05:48:47 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 04:39:47 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040154, Class not registered
.


Operation:
Instantiating VSS server

Error: (08/09/2012 04:39:47 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and Name IVssCoordinatorEx2 is [0x80040154, Class not registered
].


Operation:
Instantiating VSS server

Error: (08/09/2012 10:54:34 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (08/13/2012 09:37:43 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/13/2012 09:35:34 PM) (Source: Service Control Manager) (User: )
Description: The AVGIDSAgent service did not shut down properly after receiving a preshutdown control.

Error: (08/13/2012 09:35:23 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (08/13/2012 08:35:14 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/13/2012 08:28:23 PM) (Source: Service Control Manager) (User: )
Description: The AVGIDSAgent service did not shut down properly after receiving a preshutdown control.

Error: (08/13/2012 03:00:16 PM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (08/12/2012 08:01:11 PM) (Source: Server) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{0EEF223A-1146-4A6E-869F-E20DD4718D8F} because another computer on the network has the same name. The server could not start.

Error: (08/12/2012 03:00:06 PM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (08/12/2012 00:14:20 PM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (08/10/2012 03:00:19 PM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.


Microsoft Office Sessions:
=========================
Error: (08/13/2012 11:50:32 PM) (Source: DeviceCenter)(User: )
Description: Unknown Node:#text -->

Error: (08/13/2012 09:36:44 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/13/2012 08:34:12 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 08:02:17 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 07:52:33 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 06:25:37 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 05:48:47 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2012 04:39:47 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x80040154, Class not registered


Operation:
Instantiating VSS server

Error: (08/09/2012 04:39:47 PM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x80040154, Class not registered


Operation:
Instantiating VSS server

Error: (08/09/2012 10:54:34 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


========================= Memory info: ===================================

Percentage of memory in use: 28%
Total physical RAM: 8086.17 MB
Available physical RAM: 5764.32 MB
Total Pagefile: 16170.53 MB
Available Pagefile: 13518.76 MB
Total Virtual: 4095.88 MB
Available Virtual: 3971.98 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:698.54 GB) (Free:648.8 GB) NTFS

========================= Users: ========================================

User accounts for \\LHHG-PC

Administrator Guest LHHG


**** End of log ****


#2 nashvegas12

Posted 16 August 2012 - 09:26 PM

BUMP- been 48 hours since post.

#3 Sneakycyber

Posted 16 August 2012 - 09:54 PM

Sorry for the delay, it's a very busy week for me. If your network was that compromised then the intruder likely has your MAC address for at least your router. Your ISP assigns your WAN address based on that MAC address. They can find your router no matter where it is on their network, and so can the hacker. I would start with your ISP: request they reset your MAC address assignment. Before they reset it you need to change it in the router. You can clone a PC network card (not one you have on the network), use a MAC address generator or buy a firewall. Before you reconnect the new router have the ISP change your IP and clear the MAC address. You can monitor your connection by setting up logging in your router and using Wireshark. You could also look into an IPsec VPN firewall and encrypt the connection between your computer and router.

Edited by Sneakycyber, 16 August 2012 - 09:58 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#4 nashvegas12

Posted 16 August 2012 - 10:03 PM

Thanks for the reply and help!

I think I understood just enough of what you said to make me dangerous... and the rest went over my head.

I got that I need to contact Comcast regarding the MAC address, and buy a firewall; that's a part of my computer security software, correct? Also, from my settings posted above, does anything look odd? When I download Wireshark, what would I look for to signal me that something was "off"?

Thanks in advance. I can make my way around a PC pretty well, but I know zip about networking.

#5 Sneakycyber

Posted 16 August 2012 - 10:28 PM

I will have to look at the log file more closely when I'm on a PC (I post from my HTC Thunderbolt at night when I'm studying). The firewall should be separate from your PC for best results, and they don't require a monthly fee. There are PC software-based firewalls: Comodo Firewall (they have a free version), Sophos Endpoint Security and ESET Smart Security; the last two are not free. They are all difficult to set up, however Comodo and Sophos have outstanding tech support. McAfee does have built-in firewall protection; however, as you just experienced, it didn't stop the attack, it only told you it was happening. Remember, before calling Comcast you need to change your router's MAC address.

Edit: The Netgear ProSafe series firewall routers are relatively inexpensive and do a great job.

Edited by Sneakycyber, 16 August 2012 - 10:31 PM.



#6 nashvegas12

Posted 17 August 2012 - 07:48 PM

Hello, my Netgear router has a firewall. Should I have posted in a different forum? I thought I was posting in the one where a helper would look at the log of the MiniToolBox tool; the instructions said to run and post it. I don't know anything about what connections should or should not be there. Is there a different board where someone reviews what you posted to see if there are irregularities or things that don't look right?

#7 Sneakycyber

Posted 18 August 2012 - 11:53 AM

When I answered you the last time I was posting from my phone. It has a SMALL screen; have you ever tried to read a log file on a screen that small at 11:30 at night from bed? I am reviewing your log now. Edited (no harm, no foul): your post here is in the correct spot.

Edited by Sneakycyber, 18 August 2012 - 06:32 PM.



#8 Sneakycyber

Posted 18 August 2012 - 12:29 PM

The warnings in the Norton log are from the ZeroAccess infection redirecting your network connections to a peer-to-peer connection with the infecting agent. The Teredo Tunneling Pseudo-Interface is for IPv6. In order for IPv6 to work properly behind NAT on some routers, the IPv6 packet is encapsulated in an IPv4 packet. If you're not using IPv6 you can remove the protocol from your network adapter by choosing Network and Sharing in the Control Panel and selecting Change adapter settings. Select your connection, right click and choose Properties. Under the heading "This connection uses the following" uncheck IPv6. Without knowing the revision number of your router there is no way to know whether it has a built-in firewall; there is at least the WNDR 3400, 3600, 3700 and 3800, some with multiple revisions. If you post the Netgear model number (WNDR-number) and version number I can look at what protocols it supports. Your toolbox report:

========================= Event log errors: ===============================

1. To repair this error review the Microsoft Knowledge Base article KB950375


On August 9th, did you try a system restore and receive an error?

The rest of the log looks good. You should change your network address in your router to something other than 192.168.1.1; it's a default address and everyone knows it. You can change it to any of these private addresses

Edited by Sneakycyber, 18 August 2012 - 12:48 PM.


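The ping section of the MiniToolBox log in the first post and the Teredo point made in this reply can both be checked mechanically rather than by eye. The following is an added example, not code from the thread or from MiniToolBox: it parses constructed copies of those log lines, treats "Destination host unreachable" replies as failures even though Windows ping counts them as received (which is why the log shows 0% loss for an unreachable host), and names the interface that holds the IPv6 default route (interface 16, the Teredo tunnel, in the posted route table). The 300 ms "slow" threshold and the interface-number map are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: three ping blocks copied in the shape MiniToolBox prints
# them, with the values posted in the thread.
SAMPLE_PING = """\
Pinging google.com [74.125.139.113] with 32 bytes of data:
Reply from 74.125.139.113: bytes=32 time=23ms TTL=48
Reply from 74.125.139.113: bytes=32 time=20ms TTL=48

Ping statistics for 74.125.139.113:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=725ms TTL=51
Reply from 98.139.183.24: bytes=32 time=764ms TTL=51

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

# Constructed sample: the first IPv6 routes from the same log; interface numbers
# come from the log's Interface List (16 = Teredo, 11 = the wireless card).
SAMPLE_ROUTE6 = """\
If Metric Network Destination Gateway
16 58 ::/0 On-link
1 306 ::1/128 On-link
16 58 2001::/32 On-link
11 281 fe80::/64 On-link
"""
INTERFACES = {16: "Teredo Tunneling Pseudo-Interface", 11: "Intel Centrino Wireless-N 1030"}

SLOW_MS = 300  # assumption: round trips above this are flagged as slow

PING_HEADER = re.compile(r"^Pinging (\S+?)(?: \[([\d.]+)\])? with")
REPLY_TIME = re.compile(r"^Reply from [\d.]+: bytes=\d+ time[=<](\d+)ms")
UNREACHABLE = re.compile(r"^Reply from [\d.]+: Destination host unreachable")
STATS = re.compile(r"^Packets: Sent = (\d+), Received = (\d+)")


def parse_ping_blocks(text: str) -> List[Dict]:
    """Split the ping section into one record per target."""
    blocks: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = PING_HEADER.match(line)
        if m:
            cur = {"target": m.group(1), "rtts": [], "unreachable": 0, "sent": 0, "received": 0}
            blocks.append(cur)
        elif cur is not None:
            if (m := REPLY_TIME.match(line)):
                cur["rtts"].append(int(m.group(1)))          # a real echo reply
            elif UNREACHABLE.match(line):
                cur["unreachable"] += 1                      # ICMP error, not a reply
            elif (m := STATS.match(line)):
                cur["sent"], cur["received"] = int(m.group(1)), int(m.group(2))
    return blocks


def classify(block: Dict) -> str:
    """Windows ping counts 'Destination host unreachable' as a received packet, so
    the tool's '0% loss' line is misleading; judge from the echo replies instead."""
    answered = len(block["rtts"])
    if answered == 0:
        return "unreachable"
    if answered < block["sent"]:
        return "partial"
    if max(block["rtts"]) > SLOW_MS:
        return "slow"
    return "ok"


def summarize_pings(text: str) -> Dict[str, str]:
    return {b["target"]: classify(b) for b in parse_ping_blocks(text)}


def ipv6_default_route_interface(route_text: str, interfaces: Dict[int, str]) -> Optional[str]:
    """Name the interface carrying the ::/0 default route (None if there is none)."""
    for line in route_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "::/0":
            return interfaces.get(int(parts[0]), f"interface {parts[0]}")
    return None
```

On the posted log this reports google.com ok, yahoo.com slow, bleepingcomputer.com unreachable, and the IPv6 default route on the Teredo tunnel, which is the path the Norton alerts were about.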

#9 nashvegas12

Posted 18 August 2012 - 06:19 PM

Hi, I'm sorry if something I wrote seemed offensive. Email & messaging can lend itself to hearing "tone" when there was none implied. I was legitimately asking to make sure that I did post in the correct place. I always try to follow the posting instructions b/c I realize that people are helping in their free time and that posting what is asked in the correct place is respectful of their time.

Is there another number that I should look for on my router? I thought the info in my first post was my router with model number.

Posted 14 August 2012 - 12:11 PM
OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
Processor: Intel® Core™ i5-2410M CPU @ 2.30GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 4
RAM: 8086 Mb
Graphics Card: Intel® HD Graphics 3000, -1988 Mb
Hard Drives: C: Total - 715301 MB, Free - 667246 MB;
Motherboard: Dell Inc., 0YH79Y
Antivirus: AVG Internet Security 2012, Updated and Enabled

Cable Internet (Comcast Blast)
150 ft from Wireless Router
Wireless Router: Netgear N600 Wireless Dual Band Router WNDR3400


There are some other numbers on the bottom that look like a serial number? Let me know if that is the number you are looking for. On the 9th I was still reinstalling drivers from doing the clean install of Windows 7. Could that be the cause of what you noticed?

#10 Sneakycyber

Posted 18 August 2012 - 06:34 PM

WNDR3400, that's the one I needed, BRB. I edited my last post. The instructions you read I wrote, so it seemed like you said I wasn't helping :whistle: I will post back with instructions on your router.



#11 Sneakycyber

Posted 18 August 2012 - 07:10 PM

Your specific router does have a "firewall"; the major differences between the WNR400 and, for example, the Netgear ProSafe VPN Firewall FVS124G are its flexibility in blocking ports and support for IPsec VPN. In this instance the VPN only plays a role if 1. you remote to your work and need a VPN client, 2. your ISP supports encrypted connections, 3. you remote into your home computer. You can block keyword websites for filtering content such as adult websites, web-based games, etc. on your router. It's a matter of personal preference and level of security needed. Now on to the original question at hand: your connection seems slow. Can you go to www.speedtest.net and post the speeds you're getting and what your ISP is charging you for? I have a 20MB/s cable connection and a WRT320N with custom DD-WRT firmware, overclocked processor, custom cooling, and gigabit, and I get

We need to make sure it's your computer or network and not your ISP.

Edited by Sneakycyber, 18 August 2012 - 07:12 PM.





