Over the past month Norton has blocked several intrusion attempts on my computer. It appears that my own computer is the attacking computer so I don't understand what is causing this. The risk names shown by Norton are FakeAV WebPage requests, MSIE FakeAV Notification Alert, HTTP Malicious Toolkit Variant Activity 22, HTTP Phoenix Toolkit Download Request, HTTP Suspicious Redirect Request 4.
Any ideas on how to prevent any further such attempts? It is quite concerning having had so many high severity warnings in a short space of time.
Thanks in advance for your assistance.
For the time being, I would suggest trying the Norton Power Eraser tool:
http://www.symantec.com/norton/support/DIY/index.jsp
Check if it detects any threats and, if it does, please provide us with the filename and other details. Don't fix any files now; you can fix those after getting confirmation in this thread. You can also try running a full system scan after booting into safe mode.
Yogesh
Thanks for the reply. I ran the software and it detected a risk in the dns file 'hosts'.
I had previously run an anti-malware tool recommended on another site which detected and removed some adware and the system has been running much better since without any more attempted intrusion reports.
Is it worth looking into the risk detected by Power Eraser any further?
Let us know the exact details of the detection from Norton Power Eraser. You can follow steps 1, 2 and 3 from the following link to check incorrect DNS settings:
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=v51672945_EndUserProfile_en_us
Yogesh
Hi Yogesh, having searched the message boards this seems to be the exact issue as in the link below (the screenshots shown there are the same as what I'm getting)... I have Spybot Search and Destroy installed and I think it updates the hosts file, which is causing this error to show.
http://community.norton.com/t5/Other-Norton-Products/Norton-Power-Eraser-thinks-Hosts-File-by-Spybot-is-Bad/m-p/357072#M29942
Hello 2nafish
If you are using Spybot with Tea Timer enabled, that will interfere with your Norton product.
To get a 2nd opinion to see if your computer is clean, I would visit one of the free malware removal sites. You can just ask if your computer is clean on one of those sites. They will have all the proper tools and they will be able to tell you what's happening.
Please go to one of these free Forums for help in removing your bad malware or rootkits.
http://www.bleepingcomputer.com
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
(Thanks to Delph for providing the list of sites)
Please come back and let us know what they say after you sign up with one of them. Thanks.
Hi 2nafish,
Spybot Search and Destroy does populate the Hosts file and updates the entries weekly when you use the Immunization feature. Aggressive scanners, like NPE, might alert you to such changes, since some malware is also known to mess with the Hosts file. This is why you really need to be careful when evaluating scan results from these types of tools.
If you're a host file jockey, check out the one you can download from mvps.org. That is the "mother" of all host files.
Do realize that the larger your host file gets, the slower your browser performance. Then there is the security issue that if a bad guy dumps bad IP addresses in your host file, it's hard to recognize.
I gave up on host files years ago. I now use SpywareBlaster. It's free, idiot proof, and uses minimum resources. It also updates the "restricted web site" area of IE where in my opinion, the bad guy blocking should be done. As a plus, it will check your ActiveX settings and ensure they are set securely.
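The point above about tampered hosts entries being hard to recognize is the reason an audit needs to separate the two patterns: blocklist-style entries (Spybot or MVPS immunization mapping ad and malware domains to 0.0.0.0 or 127.0.0.1) versus hijack-style entries that point a legitimate domain at a remote address. The script below is an added example written for this page; it is not code from the thread, Norton, Spybot or MVPS. The hosts file content and the list of watched domains are constructed for the example, and the TEST-NET addresses in it stand in for an attacker-controlled host.

```python
"""Audit a hosts file: separate sinkhole (blocklist) entries from hijacks.

Added example for this thread, not from Norton, Spybot or MVPS.
A mapping whose target is loopback/null is a blocklist-style entry.
A mapping that sends a domain you rely on (vendor update servers, your
bank) to a non-loopback, non-LAN address is the pattern malware uses.
"""
import ipaddress

# Constructed sample hosts file for this example (Windows layout; the
# two TEST-NET addresses stand in for an attacker-controlled server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.badware.example
0.0.0.0   ads.tracker.example
# constructed hijack: vendor update hosts redirected to a remote box
198.51.100.23 www.symantec.com
198.51.100.23 liveupdate.symantec.com
203.0.113.9   www.bank.example   # constructed: online-banking hijack
"""

# Assumed list for the example: domains that must never be redirected.
WATCHED_SUFFIXES = ("symantec.com", "norton.com", "microsoft.com",
                    "windowsupdate.com", "bank.example")

LOOPBACK_OR_NULL = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# RFC 1918 / link-local ranges: a LAN alias is not a remote redirect.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in parts[1:]:
            yield parts[0], host.lower(), line_no


def classify(ip, host):
    """Return 'system', 'block', 'lan', 'hijack' or 'other' for a mapping."""
    if host in ("localhost", "localhost.localdomain") and ip in LOOPBACK_OR_NULL:
        return "system"
    if ip in LOOPBACK_OR_NULL:
        return "block"  # sinkholed to loopback/null: immunization style
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or any(addr in net for net in LAN_NETS):
        return "lan"
    if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
        return "hijack"  # watched domain sent to a remote address
    return "other"


def audit(text):
    """Return (counts per class, list of (line_no, host, ip) hijacks)."""
    counts = {"system": 0, "block": 0, "lan": 0, "hijack": 0, "other": 0}
    hijacks = []
    for ip, host, line_no in parse_hosts(text):
        kind = classify(ip, host)
        counts[kind] += 1
        if kind == "hijack":
            hijacks.append((line_no, host, ip))
    return counts, hijacks


if __name__ == "__main__":
    # To audit the live file instead, read
    # C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) into `text`.
    summary, bad = audit(SAMPLE_HOSTS)
    print(summary)
    for line_no, host, ip in bad:
        print(f"line {line_no}: {host} -> {ip}  SUSPICIOUS")
```

Hundreds of loopback entries from an immunization tool will show up as "block" and can be ignored; the handful of "hijack" lines are what deserve attention, because a redirect of an update server or a bank is the only kind of entry a blocklist would never legitimately create.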
donziehm wrote:
I gave up on host files years ago. I now use SpywareBlaster. It's free, idiot proof, and uses minimum resources. It also updates the "restricted web site" area of IE where in my opinion, the bad guy blocking should be done. As a plus, it will check your ActiveX settings and ensure they are set securely.
I too am a big fan of SpywareBlaster. The third really useful thing it does is to populate the Privacy setting per-site lists in Internet Explorer and Firefox to block tracking cookies from sites that are known to set them.
Thanks for pointing me in the direction of those websites. I used the bleeping computer site and found them very helpful. Carried out several scans, which showed my PC was now free of any infections.
If I were to use Spyware Blaster, would you recommend using it instead of Spybot Search and Destroy or as well as? What about the hosts file, delete it or leave as is?
Thanks
Hi 2nafish,
There is a bit of overlap in Immunization protection between SpywareBlaster and Spybot in the areas of populating sites in IE's Restricted Sites Zone and blocking cookies in IE and Firefox. Even so, they can be used together. If you want to use a Host file, you can either continue to use Spybot's or download one of the other popular ones that are available.
SpywareBlaster does not populate or use the hosts file for site blocking. It does have a feature called "Host Safe" that will create an encrypted copy of your existing hosts file that will allow you to restore your system host file if it was destroyed or tampered with.
If you decide to stop using Spybot, make sure you un-immunize prior to uninstalling it. Otherwise, all the crud it created, including host file and IE entries, remains on your PC hard drive. Also, I would recommend unlocking your hosts file if you locked it with the Spybot feature.
I personally would not run both SpywareBlaster and Spybot concurrently.
A question I have is whether NIS 2011 protects the Hosts file. From what I can tell, the answer is no.
I have been using Spywareblaster and removed Spybot. I keep finding that the list of blocked sites is sporadically being cleared in internet explorer. Any ideas how to overcome this or what might be causing these entries to be cleared? Protection remains enabled in Firefox.
Hi 2nafish,
I assume you are talking about the cookies per-site list, rather than the IE Restricted Sites Zone. Click Safety (or Tools on the menu bar) > Delete browsing history and make sure Cookies is unchecked.
I clear everything in IE8 when IE8 closes; temp files, cookies, search history, you name it.
All my SpywareBlaster cookie site restrictions remain in place. Something else is going on.
You might want to remove all your existing SpywareBlaster settings using its "Disable All Protection" option. Then exit SpywareBlaster and check IE to make sure everything has been removed. Then open SpywareBlaster and select "Enable All Protections". Exit SpywareBlaster, open IE and ensure the blocked cookies exist.
If the above doesn't work, you're probably going to have to reset IE to its initial settings, configure it to your own particulars, and then apply the SpywareBlaster settings as given above.
[Oops] Thought you were using IE. Can't comment on Firefox since I don't use it.
Hi, thanks for the quick responses. Yes, it was the cookie protection that would be cleared - it would keep saying that 230 items were disabled, and the blocked list in IE would be empty except for a motive.com entry which was set to always allow. I had done several Google searches for similar problems before my previous post but kept drawing blanks. Since posting, I finally stumbled across someone else with the same problem, and it seems that this was being caused by the BT desktop help which was installed with my home-hub. For some reason a feature of this is to remove cookies and clear the block list, which doesn't seem that helpful. I have now removed this from my computer and so far the list of blocked sites has remained in place. I'll give it a couple of days to make sure this has resolved the problem and report back.
Removing the BT help program seems to have solved the problem - the per-site list has not changed since it was removed, whereas it would have been cleared several times in the same space of time previously.
Hello 2nafish
Thanks for coming back and giving us an update. I'm glad that you were able to have your problem solved. Can you please pick a post and mark the thread as solved? This way everyone will know it is solved and will be able to find the solution quickly. Thanks again.
BTW - did you do what I highlighted below in red?
HTTP Malicious Toolkit Variant Activity
Severity - High. This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description - This signature detects attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
Additional Information - This signature detects attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
Response - Update all vendor patches to the latest versions.
Hi Donziehm, the person at bleeping computer who helped me with my query talked me through updating a couple of things and got me to remove some old versions of Java that were still on the system. Since their assistance I have had no more attempted intrusions, and the system is running as smoothly as ever, so (touch wood) everything seems in order.
Thanks to all who have contributed to this thread, your help is much appreciated.