Suspicious looking activities in Security History; what do they mean?

Prior to last night I'd never really taken a good look at Norton 360's Security History, but after a strange incident with Gmail suddenly being blocked by Firefox due to an "Untrusted Connection" and my auto-detected location in the google search results suddenly being inaccurate by a thousand miles (neither of which had ever happened before) I figured it best to take a look to see if I could get to the bottom of it.  (I posted a more detailed description of the problem I was having here.)

So after running a full system scan that came up clean, I checked the Security History but haven't been able to make sense of any of the activities it has logged there. First of all, it has seemingly hundreds of activities listed under "Firewall - Network and Connections," all of which appear to be one of the same 6 messages repeated again and again throughout the day. Those 6 messages are:

"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::xxxx:xxxx:xxxx).",Detected,No Action Required

"IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface and is no longer being protected (IP address: fe80::xxxx:xxxx:xxxx).",Detected,No Action Required

"Protecting your connection to a newly detected network on adapter \"Intel(R) 82566DM Gigabit Network Connection - Packet Scheduler Miniport\" (IP address: 192.168.#.###).",Detected,No Action Required

Connected to a shared network. (## ## #X ## XX #X),Trusted,No Action Required,,## ## #X ## XX #X,

"Protecting your connection to a newly detected network on adapter \"Automatic Tunneling Pseudo-Interface\" (IP address: fe80::5efe:192.168.#.###).",Detected,No Action Required

"Protecting your connection to a newly detected network on adapter \"Loopback Pseudo-Interface\" (IP address: fe80::##).",Detected,No Action Required,Firewall - Activities,,

I have no idea what any of these mean... are any of them dangers or threats? Would any of them indicate a potential hijacking attack or anything else relating to the "Untrusted Connection" problem I was experiencing? Note: I replaced the letters of the IPs with x's and the numbers with #'s just in case sharing them publicly could lead to further problems.

Here are some other entries that appeared on the list:

Intrusion Prevention is monitoring 1483 signatures. Driver version: 9.5.2.11,Detected,No Action Required

Intrusion Prevention Engine version: 4.8.0.20 Definitions Set version: 20110207.001,Detected,No Action Required

Intrusion Prevention has been enabled,Detected,No Action Required

Unauthorized access blocked (Open Process Token),Blocked,No Action Required,c:\program files\google\update\googleupdate.exe,6064,C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe,580,Open Process Token,Unauthorized access blocked

These all show up multiple times throughout the day as well; are these anything to be concerned about, or anything potentially related to the untrusted connection issue? I believe the googleupdate.exe is just from having Google Earth installed, but that entry is dated from right around the time that I became unable to access Gmail, so I figured it was worth mentioning.

Other info: My OS is Windows XP Professional SP3 and I have two routers; one is a Linksys Wireless-N Broadband Router and the other is a Netopia ADSL+ Gateway. I'm not the one who bought or installed either of these (they belong to my roommate), but they're set up so that my desktop computer is using a wired connection and my laptop and my roommate's Mac are using a wifi connection.

Thanks in advance for any help or information!

Hello linds42

Welcome to the Norton Community Forum

Why are you using 2 routers at the same time? What you are seeing are the connections to your router and to the net which are perfectly normal. The other one is the log for the definitions that Intrusion Prevention is monitoring. That also is perfectly normal to see. You should not have 2 antivirus programs installed however. You mentioned that you scanned with AVG and N360. The 2 antivirus programs will just fight with each other and you will have less protection rather than more. The untrusted connection may be due to you having 2 routers connected at once.

Hi linds42,
None of those entries indicate anything out of the ordinary. The firewall logs record when you connect to a network and when that connection ends (at which point protection for your connection ends because there no longer is a connection). The connections shown are all local, indicating internal communications and connections to your router. The Intrusion Prevention entries are just status reports on the Norton IPS component. And Google Updater is indeed a part of Google Earth, and is well known for its frequent appearances in the Norton Product Tamper Protection logs due to its habit of trying to access Norton files. All of these entries are normal, unrelated to your issue, and nothing to be concerned about.

To address the certificate error you received, this is also a fairly common occurrence. When you visit a site that uses encryption to protect information you might enter, such as a password, a certificate is used to verify that the site is the real thing and not an imposter, and to establish the secure connection. If there is a problem with the certificate, it means that the site cannot be verified. Usually when this happens it is due to something being not totally correct with the certificate, and the site itself is fine. However, this is not always true. The certificate error could indicate a fraudulent site. Without a valid certificate, you cannot trust that a site is legitimate and you should not enter any sensitive information at the site.

So Firefox was warning you in this case that the certificate that the site presented was actually only valid for a different site. You can still visit the site, but you cannot be guaranteed that information you enter there will be secure.

http://support.mozilla.com/en-US/kb/Secure%20connection%20failed#w_certificate-is-only-valid-for-site-name

http://ask-leo.com/what_does_there_is_a_problem_with_this_websites_security_certificate_mean_and_what_should_i_do.html

Looking at some of your other posts elsewhere on the topic, I'm guessing that you may have been redirected to a fake Google page. Your Google Location is based on your IP address and Google has gotten pretty precise in pinpointing locations accurately. A phony Google page might not bother with real geolocation and might use a one-city-fits-all entry there, hoping you don't notice. And naturally, the certificate would have problems if you were not really at Google.

Redirects can result from malicious scripts inserted into legitimate web pages by bad guys, or they can be caused by malware installed on your computer. If this is a one-time event and you do not experience anything like it in the near future, it was probably a case of a poisoned website taking you to a phony site. Pay close attention to secure sites you visit, such as your login pages, for anything that looks wrong. Before logging in anywhere, check the browser's address bar to make sure it shows the site correctly. If you continue to be redirected to sites that appear to be fraudulent, then you will need to investigate the possibility of malware on your system.

Firefox did its job and alerted you not to give out your password or other sensitive data because the site could not be confirmed as actually being Google.com. If you did not enter any information, you are completely safe. If you did disclose your password, you should immediately take steps to change it, along with any other credentials that the bad guys could access, such as secret questions and their answers. If you use the same password at other sites, you would need to change those, too.
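As an added illustration that is not part of this thread, the script below applies the reading given above to a Security History export: entries whose address is loopback, link-local (fe80::, which covers the Teredo and ISATAP pseudo-interfaces) or private are treated as normal adapter housekeeping, status lines without an address are just status, and anything Blocked or carrying a non-local address is set aside for review. It goes slightly beyond the thread by also flagging non-local addresses; all sample addresses, process ids and the export text itself are constructed to match the format shown in the first post.

```python
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample in the shape of the thread's Security History export;
# every address and process id below is made up.
SAMPLE_EXPORT = r'''"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::1c2b:3d4e:5f60).",Detected,No Action Required
"Protecting your connection to a newly detected network on adapter \"Intel(R) 82566DM Gigabit Network Connection - Packet Scheduler Miniport\" (IP address: 192.168.1.25).",Detected,No Action Required
"Protecting your connection to a newly detected network on adapter \"Automatic Tunneling Pseudo-Interface\" (IP address: fe80::5efe:192.168.1.25).",Detected,No Action Required
Intrusion Prevention is monitoring 1483 signatures. Driver version: 9.5.2.11,Detected,No Action Required
Unauthorized access blocked (Open Process Token),Blocked,No Action Required,c:\program files\google\update\googleupdate.exe,6064,C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe,580,Open Process Token,Unauthorized access blocked
"Protecting your connection to a newly detected network on adapter \"Intel(R) 82566DM Gigabit Network Connection - Packet Scheduler Miniport\" (IP address: 198.100.50.7).",Detected,No Action Required
'''
IP_RE = re.compile(r"\(IP address: ([^)]+)\)")

def address_scope(text):
    # Classify the reported address; fe80::/10 covers the Teredo and ISATAP pseudo-interfaces.
    try:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "private" if addr.is_private else "global"

def triage(export_text):
    # Norton escapes embedded quotes as \" while the csv module expects "", so normalise first.
    rows = csv.reader(StringIO(export_text.replace('\\"', '""')))
    records = []
    for row in rows:
        if len(row) < 2:
            continue
        message, action = row[0], row[1]
        match = IP_RE.search(message)
        ip = match.group(1) if match else None
        scope = address_scope(ip) if ip else None
        if action == "Blocked":
            verdict = "review"  # something was actively stopped; confirm the process is expected
        elif scope in ("loopback", "link-local", "private"):
            verdict = "normal"  # local adapter housekeeping, as the replies explain
        elif scope is None:
            verdict = "status"  # component status lines carry no address
        else:
            verdict = "review"  # a non-local or unparseable address on an adapter deserves a look
        records.append({"message": message, "action": action, "ip": ip, "scope": scope, "verdict": verdict})
    return records
```

Run `triage(SAMPLE_EXPORT)` and inspect the `verdict` field; on a real export, paste the lines in place of the constructed sample.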

SendOfJive,

Thanks for all the info; I feel much better about all those entries as well as the Gmail situation now. When I accessed Gmail I simply clicked the shortcut in Firefox's bookmarks toolbar, which has been there for ages, and the URL is only "gmail.com" and nothing else, so I'm not sure how I would have ended up with a phony Google page that way. Still, if it was a "fake Google" brought on by malware or something similar, then that would explain the certificate warning and the auto-detected NYC location. It would also be a bit of a relief, since I was picturing something more serious, like a man-in-the-middle attack.

To further back up the malware theory, after running the program Malwarebytes' Anti-Malware it found two infections:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent)
  • c:\WINDOWS\system32\uackkplranbxnjvrmt.dat (Rootkit.TDSS)

Not sure why Norton didn't catch these, but MBAM removed them and hasn't found any other infections since. However, if those infections were the cause of the problem then I'm not sure why unplugging the routers fixed the issue, since the infections were both still there afterward; it wasn't until the following day that they were detected and removed.

Two other things worth noting: yesterday when I went to Gmail I got a "Server Error" message, which went away when I refreshed the page but still seems weird. Also, yesterday and this morning when logged into Gmail I had this icon at the bottom right of my browser:

Normally I think there's just a gold lock, no red exclamation mark. When I log in now the exclamation mark is gone and it's just a gold lock again, so I'm not sure what changed, what caused it in the first place or if it's anything to worry about. Still, I'm feeling much more assured than I was before, so thanks again for the help and info so far!

Hi linds42,

The detection of the TDSS rootkit by Malwarebytes certainly explains the redirections you experienced. I am glad we have found an explanation for your issue, but unfortunately, of the possible causes of your trouble, a rootkit infection is the more serious. And Malwarebytes, despite having indicated that it removed TDSS, does not work as well against rootkits as it does against some other types of malware. Because of the problems this rootkit can cause, such as redirecting to sites that attempt to steal your passwords, it is imperative that you make certain that this threat is removed completely from your PC. To do that you will need expert guidance, which can be obtained at one of the malware removal sites listed below that have been recommended here by delphinium. Please register and post the TDSS issue in one of the removal forums:

http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

The padlock with the exclamation mark is a Firefox icon that indicates a web page that has both secure, encrypted elements as well as insecure, unencrypted ones. It is therefore dangerous to enter your credentials on such a page unless you are certain that the part you fill in is the part that is secure (which is not always easy to do). That may or may not be related to the other continuing anomalies you are experiencing with Gmail, but the strange happenings are definitely related to the infection.