Blocked traffic and unknown device in network


Recently my laptop was infected by a really bad virus, which encrypted all my files. However, since I had backed up all my important data, I just used the Windows Media Creation Tool on another PC, made a bootable USB drive and re-installed Windows (I deleted all drive partitions and formatted my drives during the installation). Now everything seems as if it's normal. Windows Defender didn't detect anything; I ran a full offline scan, still nothing; I ran the command "sfc /scannow", again nothing found. But I decided to install ESET to be more confident that there are no threats to my laptop. When I scanned the PC, no threats were found, but there are strange (for me at least) things in the network tab in ESET. There are some unknown devices (one of them disappeared before I managed to take screenshots of the network configuration), and there was some blocked traffic from my laptop. Here are some screenshots:

Network configuration: https://ibb.co/WsfXTs0

The unknown device: https://ibb.co/5hGZPJy , https://ibb.co/GMs8b40

Blocked traffic: https://ibb.co/nncMcp0

And the blocked items: https://ibb.co/n6H84dR , https://ibb.co/fQKkq14 , https://ibb.co/2kNkNhL , https://ibb.co/9nfbzzv , https://ibb.co/1Z7cdr4 , https://ibb.co/SVFT36b

From what I can see, these are just Windows processes, but it seems strange that they are blocked. Also, something I should mention: every time I boot my laptop, the Windows command line console pops up 2-3 times for a split second. I don't know if this is normal or not, but I'm pointing it out because it may have something to do with these processes (maybe it conflicts with Malwarebytes, since I have it installed as well?). So my question is: is this blocked traffic normal or not, and is that unknown device something that is normally generated from the network, or something suspicious?

Edited by neodrago1324


If you feel that your router has been compromised, it's better to reset it and change the wireless password, and if there is a firmware update, update it to the latest version.

As for the unknown devices, one seems to be a Windows computer that is trying to communicate with your PC, and the other I can't know because the title is blurred.

Normally Windows systems communicate with each other, e.g. for update sharing from PC to PC.

Port 137 looks to be used by NetBIOS.

Quote:

    NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. While this in itself is not a problem, the way that the protocol is implemented can be.


I wonder if the other PC is infected and is trying to spread again through port 137 and port 445, to infect you again with some ransomware, as you've said.

For Malwarebytes, if it's running in real time it's better to disable the real-time scanning, as it would conflict with ESET real-time scanning: they would fight each other to claim files, then they would start bringing up false positives, and then protection would be useless from both, as neither can do what it is designed to do.

----

As for the ransomware, you must have got it from somewhere, whether it was downloaded from the internet or the PC was exploited through another PC on the LAN.

It's better to clean unknown devices off the network by securing your router again; then you will be sure only your devices remain on the LAN, and then you can start working to isolate and fix the troubled computer.

Edited by Nightowl

How can I remove this unknown device? I'm trying to access my router settings, but when I type my IP address in the browser, it doesn't load.


12 minutes ago, neodrago1324 said:

I'm trying to access my router settings, but when i type my IP address in the browser, it doesn't load.

You need to enter the IP address for your router in a browser window. In many cases it is one of the following 192.168.1.254, 192.168.1.1, or 192.168.0.1.

Open a command prompt window and type:

ipconfig /all

Your router IP address is listed next to "Default Gateway." There will be one IPv4 address listed and one for IPv6 if you have that enabled for your network adapter. Use the IPv4 address listed as your router's IP address.

Edited by itman

I get the message: Unable to connect, with these options below:

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.



Most router brands will have a sticker on them that tells you the user/pass and login link.

In CMD/Command Prompt, as itman said, type ipconfig /all; you should see a part that says Default Gateway.


4 minutes ago, neodrago1324 said:

I get the message: Unable to connect, with these options below:

Enter the router's IP address as http://192.168.1.254, using whatever your router's IP address is instead of 192.168.1.254.

-EDIT- Also Firefox will display an alert stating the connection is insecure or something like this. Ignore the message.

Edited by itman

1 minute ago, itman said:

Enter the router's IP address as hxxp://192.168.1.254 using whatever your router's IP address is instead of 192.168.1.254 .

Doesn't work; even when I type the link from the router sticker, nothing loads.


3 minutes ago, neodrago1324 said:

Doesn't work; even when I type the link from the router sticker, nothing loads.

Did you perform the ipconfig command as I requested and obtain your IPv4 gateway from its output?

Edited by itman

Just now, itman said:

Did you perform the ipconfig command as I requested and obtain your IPv4 gateway from its output?

Yes, I tried with the IPv4 address and with the Default Gateway.


4 minutes ago, itman said:

Did you enter your router's IPv4 address as shown in the screenshot below?

[screenshot: Eset_Firefox.png]

Yes, exactly like that. I just get the message "Unable to connect".


As far as your ESET Connected Home screen goes, the main problem I see is that your neighbor's cell phone is connected to your router.

Rather than fooling around with router settings to correct this, I would just reset the router. Then either assign a strong admin password for the router admin login screen or change the existing one.


2 minutes ago, itman said:

As far as your ESET Connected Home screen goes, the main problem I see is that your neighbor's cell phone is connected to your router.

Rather than fooling around with router settings to correct this, I would just reset the router. Then either assign a strong admin password for the router admin login screen or change the existing one.

OK, but what happens after I reset it? How will I be able to set the network name and password if I still can't access the router options page?


9 minutes ago, neodrago1324 said:

Yes, exactly like that. I just get the message Unable to connect

This is somewhat of a mystery why you can't access the router.

Post a screenshot of what ipconfig shows for Default Gateway. You can just crop that section using MS Paint or whatever you are using for screenshots and save the output to your desktop. Then attach the screenshot to your next reply.

Edited by itman

5 minutes ago, itman said:

This is somewhat of a mystery why you can't access the router.

Post a screenshot of what ipconfig shows for Default Gateway. You can just crop that section using MS Paint or whatever you are using for screenshots and save the output to your desktop. Then attach the screenshot to your next reply.

[screenshot: Untitled.png]


3 minutes ago, neodrago1324 said:

How will I be able to set the network name and password if I still can't access the router options page?

I don't know what you are referring to.

When you reset the router, everything returns to default settings. If your ISP provided the router, the settings will be the defaults provided by it. Otherwise, the defaults will be those provided by the manufacturer. These include the admin access password, which many times is not assigned or is set to "admin."


11 minutes ago, neodrago1324 said:

[screenshot: Untitled.png]

Verify that the IPv4 gateway address shown on the router label is the same as shown above.


4 minutes ago, itman said:

Verify that the IPv4 gateway address shown on the router label is the same as shown above.

There is no IPv4 address on the router label. My router was installed by my ISP btw.


26 minutes ago, neodrago1324 said:

There is no IPv4 address on the router label. My router was installed by my ISP btw.

Check the case of the router carefully. Many times the Gateway and other info is imprinted on the router case itself. Check top, bottom, and both sides of the case for such imprinting.


Here's what I suspect is going on with regard to your router, since this happened to me a while back.

Routers support both wired and wireless networks. The admin interface to the router is via the wired connection gateway IPv4 address.

When AT&T installed my router originally, they set up a secondary wireless gateway connection to allow a USB wireless dongle attached to my PC to connect to my router.

Subsequent to the above, I stopped using that wireless connection and now connect to the router via a wired Ethernet connection.

A few months back, I was having network issues with symptoms that my network was hacked. I tried to access my router's admin interface via browser using my assigned wired IPv4 gateway address, which is 192.168.1.254. Like you, I was receiving the same messages from Firefox that a connection could not be established. When I performed ipconfig /all, the IPv4 gateway address shown was surprisingly the same one you posted, 192.168.0.1. What the *!#&? At least this explains why I couldn't connect to the router via browser using its preset IPv4 gateway address.

The only way to straighten out this mess was to perform a hard reset of the router, which restored the ISP factory IPv4 gateway address of 192.168.1.254. Then I could access the router's admin interface via a browser. What I found then is the following.

It appears someone had accessed the router and set the dormant wireless USB dongle connection as the router's only connection method. I then again deactivated that connection. The "someone" I suspect, as in your case, was my next door neighbor. How he was able to access my router is still unclear. But since this router also supports wireless TV desktop boxes, it may have been by hacking its WAP connection.


Edited by itman

I managed to get into the interface without resetting; I don't know why, but now it worked. I entered hxxp://192.168.0.1/

I reset the password, but how can I see the connected devices?

*EDIT - I found the page; it seems OK for now, it only shows my laptop and my phone. So it shows only the currently connected devices. But I can't see where to remove a connected device.

Edited by neodrago1324

2 hours ago, neodrago1324 said:

But I can't see where to remove a connected device.

You will have to navigate to a router setting page that shows connected devices. You should be able to remove devices from that page by mouse clicking on the device and selecting the "Disconnect" or like option.


Edit your screenshots so they do not show the last 6 digits of the MAC addresses. Showing full MAC addresses on the Internet is a security risk.

As far as what your screenshots show pertaining to different MAC addresses, it is normal activity. Ref.: https://www.quora.com/What-is-the-difference-between-the-wired-and-wireless-MAC?share=1

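Added example, not code from the thread or from ESET: a small Python script that does what itman's replies above describe, taking saved `ipconfig /all` output, pulling the IPv4 Default Gateway for each adapter (skipping the IPv6 link-local entry that can appear first), building the http://<gateway>/ address to type into the browser, checking it against the address printed on the router label (itman's 192.168.0.1 vs 192.168.1.254 case), and masking the last 6 hex digits of every MAC address so the output can be posted publicly. The ipconfig text is a constructed sample, not the poster's screenshot.

```python
import re

# Constructed sample of `ipconfig /all` output (not the poster's screenshot). Windows
# prints MACs with dashes; a colon form is included because router device lists use it.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Physical Address. . . . . . . . . : 8C-16-45-AB-CD-EF
   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.0.1

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00:1A:2B:3C:4D:5E
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")          # unindented "... adapter X:" header
FIELD_RE = re.compile(r"^\s{1,6}([A-Za-z][A-Za-z0-9 ()-]*?)[ .]*:\s?(.*)$")
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}\b")


def ipv4_gateways(ipconfig_text):
    """Map adapter name -> IPv4 Default Gateway. The gateway field may show an IPv6
    link-local address first with the IPv4 address on a continuation line."""
    gateways, adapter, field = {}, None, None
    for line in ipconfig_text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter, field = m.group(1).strip(), None
            continue
        if m := FIELD_RE.match(line):
            field, value = m.group(1).strip().lower(), m.group(2)
        else:
            value = line.strip()              # continuation line of the current field
        if field == "default gateway" and adapter and adapter not in gateways:
            if m := IPV4_RE.match(value):
                gateways[adapter] = m.group(1)
    return gateways

def router_check(ipconfig_text, label_address):
    """Per adapter: the http://<gateway>/ address to type into the browser, and whether
    it equals the address on the router label (itman saw 192.168.0.1 vs 192.168.1.254)."""
    return {name: (f"http://{gw}/", gw == label_address)
            for name, gw in ipv4_gateways(ipconfig_text).items()}

def redact_macs(text):
    """Keep the vendor OUI (first 3 octets), mask the last 6 hex digits before posting."""
    return MAC_RE.sub(lambda m: m.group(0)[:8] + (m.group(1) + "XX") * 3, text)
```

Paste the real `ipconfig /all` output into SAMPLE_IPCONFIG (or read it from a file) and post only the result of redact_macs.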

3 weeks later...
On 7/19/2021 at 5:49 PM, itman said:

Edit your screenshots so they do not show the last 6 digits of the MAC addresses. Showing full MAC addresses on the Internet is a security risk.

As far as what your screenshots show pertaining to different MAC addresses, it is normal activity. Ref.: https://www.quora.com/What-is-the-difference-between-the-wired-and-wireless-MAC?share=1

Hey, it's been a while. I thought of making a new thread, but since this one isn't closed I'll try to write here.

So basically the original problem with blocked traffic from svchost.exe still occurs, and this time more seriously: before it would just block 50-100 times, but now the count racks up every couple of seconds (see screenshots). I updated my router's firmware and reset it, and also changed the WiFi password; anti-virus scans find nothing. What could the problem be?

[screenshots: 1.png, 2.png, 3.png]
