But there is no browser open on that machine. I have run a full system scan with NSS, in safe mode with system restore disabled. I have also run MalWareBytes. Both found a few registry keys, but no files. Have also run Norton deep erasure program.
The network attempts were even occurring in safe mode without networking enabled!
The siteinfo.txt file above, if downloaded and reviewed in notepad, contains URL information on thousands of online banking sites.
I did have an infection on that machine with trojan.fakeAV, where it was popping up AV 2012 windows. That seems to have stopped with latest NSS and full system scan.
It looks like perhaps the family monitor notices are substantially delayed in reaching my email, so scratch the thought that it continued during safe mode.
However, after full system scan, Malwarebytes, and deep erase, go back to normal login and it is once again trying to hit that site.
Since family monitor blocks it, I get no firewall entry, and so I cannot tell what file is trying to access the internet. I will "allow" in family monitor, but block in firewall, and see if I can get process information.
Sorry for the delay, I thought I had subscribed to this thread.
It looks like it tries to contact the network every 2-3 hours. Unfortunately, since the family monitor traps it, I get website info, but not the program initiating the contact. I am hesitant to stop the family monitor from trapping it. I did add that site to the firewall to block all comm, just in case it gets through.
If I turn off family monitor (I haven't), it appears the firewall will report what program is attempting to connect to the network, but not what site it tried to connect to (so I cannot see anything in older logs that ties to this site). Would be nice if either tool (or both) told the source AND the destination.
I am quite concerned that I may have a keylogger running.
I downloaded and ran Spybot S&D, and it found some registry entries having to do with trojans, and removed them. The hits went away for a period, but they are back again today.
I tried Super Anti Spyware last night, at the suggestion of a friend. It found a few remnants of trojan. It removed some entries, and I lost file association with .exe files, so I think something was hijacking that. Still no clue what it was, ran out of time last night. Norton had not found it.
I had been infected recently with XP antivirus 2012 or some such, and I think there are remnants of that. Perhaps SAS has removed the last of it, but I am not holding my breath.
The frustrating thing right now is that the Online Family system was blocking this connection (claiming it was a link to a social networking site), but the Norton firewall and AV never caught/blocked it. Further, since Online Family does not indicate what software (it assumes a browser) is doing the connection, I have no input as to what to remove or look for. On things the firewall records, it only says a particular code is accessing the internet, it does not say where it is going. The timestamps in Online Family do not seem to correspond to anything in the Norton firewall, so I suspect it never gets that far.
I could not get the registry entries for exe to stick. When I reboot, they would go away again.
I removed Malwarebytes, Spybot, and SuperAntiSpyware, leaving Norton. Rebooted and exe's are fine.
But, almost right away, the site block in Norton Online Family came up with the same site again!
Something is still trying to get out there.
Norton online family is blocking it. Nothing in firewall.
I also have Constant Guard (Comcast) installed. This might be part of Norton suite, I don't know. Is it possible Constant Guard is going to that site? I don't see why it would, seems like a strange site for a legit program.
I have loaded procmon and procexp, but the hits are so occasional, I am not sure it is of help.
Any suggestions to track down what Online family is seeing, and determine safe or danger, would be good.
I went to Norton support site, and they have a "chat" with "Nathan". This opened a popup for the answer, but was blocked by norton online family, as it is considered "social networking". The address? part of s3.amazonaws.com.
So, perhaps Norton, and constant guard, do use this site? And if so, perhaps the connection is legit?
Can someone at Norton tell me if the link in my first message, to a text file with lots of banking URLs, is a legit connection for either Norton or Constant Guard?
I finally broke down and called Comcast. Their Constant Guard people said no way is this their code trying to get to the internet. They sent me to Comcast Norton support. After about two hours of frustration, the guy finally indicated that this is a known issue with Online Family. He gave me an online family phone number, and a case number (506035466) to call it in. He would not forward me a link or paste information that he had found.
I sat on hold over an hour, nobody answered.
I then reconfigured my firewall. I had a typo in the URL. I rebooted, and lo and behold, started getting plenty of hits on the firewall. Had to reconfigure so that it would display info too. Here is what I found:
Many hits from C:\program files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe, which does appear to be the online family system. I reviewed the text file again, and it is ALL about banks and online shopping sites. Why is online family trying so hard to get to that? And blocking itself?
One hit at the end from IDVault.exe, which I suspect is part of Constant Guard. Same web site!
Now, I either have a virus within Norton, or this is strangely legit.
Note that the number right before siteinfo.txt incremented from 623 to 624 today.
Someone at Norton PLEASE tell me this is all legit!
Rob, Thanks for chiming in. It makes me feel better that maybe it is legit. I have spent most of the week trying to see if I have a rogue program. Comcast Constant Guard people swear it is not them, but I suspect they are part of it. Not acceptable to just make an exception so that online family does not block it, I am not willing to make such without some knowledge that this is a legit website. If it is Norton or Constant Guard, why is it getting banking data from a third party site?
I just now read the welcome. Here are my stats as I can remember them. Some has been reported above, but I'll try to be complete here. Not at machine right now.
1. Windows XP MCE SP3
2. Browser IE8 (not active when this occurs)
3. User account Admin (xp only has admin or limited, and the DVR software needs admin)
4. Safety minder appears to be 2.2.0.20, but that is based on a firewall log. Just loaded this week.
5. Norton Security Suite, from comcast, loaded this week, plus Constant Guard, also loaded this week.
6. During diagnostics, trying to remove this "trojan", I also tried Spybot, MalWareBytes, and SuperAntiSpyware. I also ran Norton Deep Erase. All of these are now removed (uninstalled). The problem started before I installed any of these, I was certain a keylogger was active, so tried every reputable tool I knew about.
I finally got through on the phone to Norton Family Online support.
They spent almost 2 hours, just trying to understand the problem. They insisted a Norton product would not go to amazonaws.com website, although my firewall clearly says it is. I took them to www.norton.com, customer support link, and tried typing a question. Family online blocked it, indicated it was going to amazonaws.com.
After two hours, they said they would have to research and call me back.
I have "my" computer, which has norton security suite, but not norton family online. I had added the same firewall block, but no hits. I then added Norton Family Online last night, and the firewall now shows thousands of hits to amazonaws.com.
Unfortunately, the firewall does not give the full URL, just the site. I cannot be sure it is going to that same site.
Norton Security Suite people had told me to call family online people to learn of the "known issue". However, he put no info in the case file to tell them that this is a known issue. Really just getting shoved back and forth.
I am 80% sure this is all legit, but I am not about to open my firewalls until I am assured by someone in the know.
KATIEQ: CAN YOU PLEASE CHIME IN ON THIS? I HAVE spent countless hours pursuing this.
Still no callback from Family Online folks. They committed to Saturday callback. No responses online either.
I am now convinced two things go to Amazonaws.com. The first is Online Family, which is NOT the site getting trapped by online family (or not the page). It is going in such a way as to not get trapped by online family, but does get trapped by firewall rule I added.
The second thing that is likely going to this site is part of Comcast (Norton?) Constant Guard. This is apparently going using http protocols, so is seen by Online Family as a web site visit, and therefore trapped. There are MANY hits also for IDguard.exe, which are not flagged or blocked, but recorded by online family.
I just want confirmation that this is a legit site. It would be best if Constant Guard (if that is what is doing this) played well with Online Family, so that I don't get constant hits on these sites. This siteinfo.txt file is a long list of banking information.
Has anyone at Norton looked at this yet? Cannot seem to get answers, either here or by phone. By phone they said they would call back on Saturday, still no call nor email.
Can someone at Norton at least tell me if this is being looked at?
In the meantime, I have firewall blocking this website. I again think it may be a legit need of one or more Norton products to go to amazonaws.com, but I would like to get confirmation.
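The recurring complaint in the posts above is that the firewall log names the process but not the destination, while the Online Family log names the URL but not the process. The following script, an added example that is not from the original thread or from Norton, joins the two logs by timestamp and destination host so that each blocked URL is attributed to the process that connected at the same moment. The log formats, dates, the bucket name and the IDVault.exe path are constructed placeholders, not real Norton or Constant Guard formats.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs (not real Norton output). Fields are '|'-separated.
# Firewall: timestamp|action|process path|destination host
FIREWALL_LOG = r"""
2011-10-14 08:02:11|ALLOW|C:\Program Files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe|s3.amazonaws.com
2011-10-14 08:02:13|ALLOW|C:\Program Files\Internet Explorer\iexplore.exe|www.example.com
2011-10-14 10:47:30|BLOCK|C:\Program Files\Constant Guard\IDVault.exe|s3.amazonaws.com
"""
# Parental-control log: timestamp|action|full URL (bucket name is a placeholder)
FAMILY_LOG = r"""
2011-10-14 08:02:12|BLOCKED|http://s3.amazonaws.com/EXAMPLE-BUCKET/624/siteinfo.txt
2011-10-14 10:47:31|BLOCKED|http://s3.amazonaws.com/EXAMPLE-BUCKET/624/siteinfo.txt
2011-10-14 12:00:00|ALLOWED|http://www.example.com/
"""

def parse(text):
    """Turn 'timestamp|action|field...' lines into dicts with a datetime."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        rows.append({"ts": datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"),
                     "action": fields[1], "rest": fields[2:]})
    return rows

def correlate(firewall_text, family_text, window_seconds=5):
    """Map each URL seen by the parental-control log to the firewall processes
    that contacted the same host within +/- window_seconds of that entry.
    An empty list means no process could be tied to that URL hit."""
    fw = parse(firewall_text)
    window = timedelta(seconds=window_seconds)
    result = {}
    for hit in parse(family_text):
        url = hit["rest"][0]
        host = urlparse(url).hostname
        procs = {e["rest"][0] for e in fw
                 if e["rest"][1] == host and abs(e["ts"] - hit["ts"]) <= window}
        result.setdefault(url, set()).update(procs)
    return {url: sorted(p) for url, p in result.items()}

if __name__ == "__main__":
    for url, procs in correlate(FIREWALL_LOG, FAMILY_LOG).items():
        print(url, "<-", procs or "no matching firewall entry")
```

Widen `window_seconds` if the two tools stamp events with different clocks; a URL that never gets a process attached is the one still worth investigating.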
We checked with the Online Family team on the issue. It sounds like you have some software installed on the PC and they keep checking back with their servers and Norton Safety Minder just records these activities as it should. As you know, Norton Online Family is a parental control program, it records and monitors the children's online activities and records what links have been accessed.
I'm including a couple of threads hoping these might give you a better explanation.
Yes. NSS looked at my computer for about 3 hours. When they finally saw the pop up, when no browser was open, they went away for 5 minutes, came back and said "This is a known issue with Norton Online Family". They would not give me the information about the known issue. They indicated that I had to contact online family help, give them the case number, and they could help.
I did so, and the help people had no idea what the "known issue" might have been. They could not help. They said they would research it (last Friday) and contact me Saturday. They did not.
Norton SS, Norton online family, and Constant Guard have all said their tool would not go to this site (amazonaws.com). However, when I put a block in my firewall, I see that ccSvcHst.exe in the online directory is going there on a regular basis. I also see that Norton web site "Ask Nathan" goes to that site. It appears Norton uses that site. They all deny it. But, I believe the thing going there is a combination of online family and Constant Guard.
All I ask is that someone look into it and confirm it! All I get is denial. You must have a virus. It must be the other tool. Call them. It's a known issue that nobody knows about, and the one person that saw that it was known said he was not allowed to tell me what the issue was.
Ughh.
Somebody just tell me what the known issue is (see prior case number), and just tell me this is legit, so I can open my firewall again.
I have read your thread from Norton Forums and also played around with the URLs you had listed. I downloaded the text files, unchecked Word Wrap under Format of Notepad to see more clearly what the entries were. I discovered they in fact contained URLs for various bank sign-ins.
From what little I know and the small amount of information available from the Constant Guard team here at Comcast, it does in fact appear that Constant Guard Protective Suite is causing the situation. IDVault and GuidedID are part of the CGPS.
The following are excerpts from past threads/posts that lead me to believe CGPS is the root cause:
"1) direct IP connection: Constant Guard maintains a listing of thousands of banking web sites and through a secure browser connects you to the IP address of the financial institution to avoid a man in the middle attack."
"Hi USAF_E-8_RET : i might be misunderstanding your comment. But - CGPS does require updates to function. While it does not rely on DATS (bc its not an AV solution) - it does require an update when a patch is required. There are two kinds of updates. 1) software update like the one we released in July to fix the keyboard issue - this requires a download of the latest patch and may require a restart of the computer; 2) a backend DB update. CG connects to a massive DB that tells the software the IP address of the bank - and also the layout of the page to ensure auto login. This update is transparent to the user - but depending on the change to the banking site that occurred, may require that the user reset up their credential for auto login. "
I have tried emailing and also PMing SecurityJim with no luck. So perhaps if you could contact the folks you contacted before re: Constant Guard they could help.
FWIW, IMHO, Constant Guard has been nothing but problem after problem with more being discovered as the usage base increases. It appears to me CG is causing a conflict of sorts with Online Family. To that end, I would suggest you remove Constant Guard from add/remove programs (I believe you said you were using XP). This removal should leave your Norton Security Suite intact and functioning.
Once you have removed CG, please report back if any improvement.