Visitor
kevlord1
Posts: 2
Registered: ‎08-13-2012

help! am i infected?

hello there. ive seen numerous "what is this in my history" questions that i am familiar with and know that is safe, however my computer has behaved oddly today (longer than average load times, seems kinda buggy in general), and when java auto updated there were some strange postings in my history that i would like to address. please note that i am not normally a worry wart about my history and chalk most of them up as machine talking to itself

 

within a minute of allowing java to attempt to update (which btw SEEMED legit, and the whole install of new java had all the normal java install screens)

- sample submission: jre-7u13-windows-if86-iftw.exe

submission details CSIDL_PROFILE\appdata\local\temp\jre-7u13-windows-i586-iftw.exe

((name of the file was googled and seemed an appropriately named java install file, but in the past norton has never done a submission sample of java when updated.......)) result : pending

 

at the same time there was a STATISTICAL submission with the same information... plus a lotta numbers and letters which may or may not be location on hard disk..... no idea lol in what was called a "detection digest"

 

40 seconds later there was an

"unauthorised access blocked (access process data)"

actor c:\users\myname\appdata\local\temp\msi3314.tmp

actor pid 4536

target c:\program files\norton internet security\engine

20.2.1.22\ccsvchst.exe

target pid 1108

action access process data

reaction unauthorized access blocked

terminal session 1

((i never have ever remembered a java update which resulted in an attempt to access norton data that i can recall, heck im not even sure that the attempt had anything to do with the java, except that the timing is VERY suspicious and that the two statistical submissions make me wonder))

 

one minute and 2 seconds later there was another attempt to access norton

actor c:\windows\installer\msi20e9.tmp

actor pid 284

target same as previous attempt

target pid 1108

action access process data

reaction unauthorised access blocked

terminal session 1

 

all of these i BELIEVE but am not 100% certain (was only half paying attention to the comp at the time) was during the time that java was updating.

 

50 seconds after the last intrusion attempt into norton

an instance of "c:\program files\java\jre7\bin\javaw.exe" is preparing to access the internet (presumably to check updates after install or similar??) while at the same time firewall rules were automatically created for java(tm) platform se binary. please note the w after java in the exe name... not a typo

 

30 minutes later 

an instance of "c:\program files\java\jre7\bin\java.exe" is preparing to access the internet (please note NO w in the exe name... not a typo)

again firewall rules were automatically created

 

 

((the following entry seemed to be around the time that i went to verify my java due to concerns at the oracle site.. i followed a link found here on norton website so should have been safe therefore i think can be ignored. according to the verification i verified at version 7.13 and was up to date))

 

3 seconds later NEW firewalls were created this time to an outbound tcp, www-http

 

right after those firewalls were created there was an 

ips detection statistical submission

signature id: 24942

local or remote attacker: 1

remote port: 51419

local port: 80

protocol: 6

signature set version : 20130201.001

etc etc etc. application name boiled down to the java, offending url was java.com it looked like the verification utility

 

half a minute later there seemed to be another firewall rule created.... just the sheer number of firewall rules has me a little worried

 

to boil down my reasons for worry

- the 2 submissions

- the 2 apparent 'intrusion attempts' into norton by 2 different .tmp files

- one java and one javaw in the logs

- the sheer number of firewall rules being created

- the fact (unmentioned till now, because it had no bearing on norton logs) that after i updated java i attempted to run a game (tera online) which wouldnt run because it kept saying "in use by another program" even though i havent run it all day. i entertained the theory that it was due to java updating and maybe it needed java to open the launch window... but i dont know enough to be sure.

 

i am computer literate but NOT programming literate lol many of the references to some of the stuff in the norton history ive had to google/lookup. so please try not to be too technical :D

 

 

Visitor
kevlord1
Posts: 2
Registered: ‎08-13-2012

Re: help! am i infected?

edit: i should also add that about an hour after all this one more activity came up i havent seen before

 

invalid protocol size in ARP header: 0. Packet has been dropped.

 

SendOfJive
Posts: 10,754
Kudos: 4,794
Solutions: 776
Registered: ‎02-07-2009

Re: help! am i infected?

Hi kevlord1,

 

That all sounds pretty normal - you have a new Java version that Norton has not seen yet, installation files popping up, and firewall rules being created for the newly installed program.  Nowhere has Norton alerted to any threats.  You are just seeing logging data showing the actions that Norton took as the new Java software installed and ran.  IPS statistical submissions and other Norton Community Watch submissions are not malware - they are files that are being sent to Symantec in order to improve detection accuracy and eliminate false positives.  If the files had been malicious or suspicious, they would have been removed from your computer immediately and you would have seen alerts to warn you of a problem.