Malware Alerts

Three days ago, I had a Fake AV Website 32 attack that was blocked by Norton Internet Security 2011. What made this different from other blocked attacks that I’ve had in the last year was that this time, I wasn’t on the internet using my browser. Later that night, once again without using my browser, I had another Fake AV Website 32 attack, from a web address different than the first one.

 

About two hours later, I had a Malvertisement Redirect Attack that was blocked, attributed to another web address. Once again, I wasn’t using my browser at the time. In all three cases, NIS said that the attack "resulted from \Device\HardDiskVolume3\Program Files\Spybot - Search & Destroy 2\SDFSSVC.exe."

 

A few hours later, I had another Malvertisement 3 attack, emanating from the same web address as the prior one, and linked to the same Spybot file, which was blocked by NIS.

 

The next day, there was another Fake AV Website 32 attack that was blocked, attributed to the same web address as the first Fake AV Website 32 attack. This happened again three hours later, and then two hours after that, there was another intrusion attempt, this one a portscan, which, unlike the prior attacks, was of medium severity. The others were all high severity.

 

All of these attacks occurred with my browser closed, and none of the scans done with NIS turned up any malware at all. The Spybot file which NIS had implicated in all of these attacks, with the exception of the one portscan, came up clean in every Norton scan that I’ve done since the first attack occurred.

 

I used Norton Power Eraser several times, and it found nothing wrong.

 

Spybot turns up nothing with the system scan or the rootkit scan, and Malwarebytes found no compromised file on my computer throughout all this.

 

Yesterday, I didn’t see any portscans or any attempted Fake website attacks or any Malvertisement attacks, until late in the day, when I saw yet another Malvertisement Redirect attack coming from the same website as before (but this one occurred with my browser open, unlike all the others), followed by a portscan two hours later with the browser closed. I did notice earlier in the day that when I went to a secure bank site, there was one IPS submission having to do with jscript.dll. Also, I’ve noticed more than a few references to "rule rejected TCP(6) Traffic" over the last three days, usually occurring not long after I first turn on my computer, or waking up from sleep.

 

I’ve noticed a few attempted attacks over the last year, and they were usually either Fake website attacks or Exploit website toolkits, but they all occurred while I was using my browser going from one site to another. What concerns me is that the attacks I’ve seen this week all, with one exception, occurred with my browser closed, and with Norton, Spybot and Malwarebytes not finding any compromised file in any system scan (even though NIS says that all of these attacks, but for the portscan, emanated from that one Spybot SDFSSVC.exe file). I've also never seen this many attacks in such a short span of time.

 

I did go to Yahoo and put the names of all three of the websites that were linked to the attacks, but all three of them had green Norton boxes. They were all supposedly safe and secure.

 

Why would this be happening? What is going on?

Hello gamott2015

 

Welcome to the Norton Community Forum!

 

First of all, Spybot doesn't play nicely with NIS. It used to be OK, but the program isn't as good as it used to be. If you have TeaTimer turned on, it's even worse, as it doesn't allow Norton to make registry changes when it's necessary to make them. I would recommend uninstalling Spybot. NIS installed and the use of the free Malwarebytes program should be enough to protect your computer.

 

Another problem is that you are using an older version of NIS. We are currently on NIS 2014. You can update your NIS 2011 to NIS 2014 free of charge if you have a current license. We can give you instructions on how to do this if they are necessary. The newer version will protect you better.

 

Norton does protect your computer whenever it is turned on. To get the latest updates, you should run Live Update after your computer wakes up from sleep and when you first turn on your computer. Your computer does get protected even if you are not browsing the internet.

 

Norton Power Eraser is a powerful tool and should only be used as a last resort and under the supervision of an expert malware remover. Deleting the wrong file can make your computer useless.

I started to uninstall Spybot the other day, but stopped because I got a message asking me what I wanted to do with the items that it had quarantined, and I wasn't sure what to do. If I need to get rid of it, I will.

 

I run Live Update several times a day, and I realize that as long as the program is running and I have the firewall up, I'm protected.

 

My license for NIS 2011 has 83 days left on it. I noticed when I clicked on my subscription status, there is a link where I can check for updates. Is this what I need to do to update to NIS 2014, because I would like to do it? It had occurred to me that a newer version would help, and I was planning to get NIS 2014 when my current subscription ran out.

After checking my subscription status, I clicked on the update link, and was told that I have the most up-to-date version.

 

Please give me instructions on how I can update to Norton 2014.

Hi, gamott2015. The simplest way to upgrade to the latest version, if you have a current subscription, is to use the Norton Remove and Reinstall Tool, which will replace your current install with v 21.1.1.7, which is the latest version.

 

The link is here: http://www.norton.com/nrnr

 

After the download and install, please run Live Updates until no more are found.

Hello gamott2015

 

I would still recommend getting rid of Spybot. The things in quarantine, if they came from legit programs, would likely be safe to remove. Some of those things in quarantine might be false positives because you had 2 real-time programs running at the same time. After installing an up-to-date version of NIS, see how that comes out. As a 2nd and 3rd line of defense you can run the free versions of Malwarebytes and SuperAntiSpyware. Between those 3 scans your computer should be safe. I would do this before installing the new version, as both programs go deep into your computer. Usually files go into quarantine after they have been deleted from your computer and are there just in case you need them for legit programs.

 

If you can get to the files in quarantine, you can always submit them to VirusTotal and see what they have to say about the files.

Thanks. I'm going to install the new version of Norton, and will get rid of Spybot.

An edit to my original post. Using the Norton Remove and Reinstall Tool will now bring down v 21.2.0.38, which has now been generally released.