On each of the past 3 days, a Norton pop-up on my computer has reported that an intrusion attempt was blocked. Each time the "Severity" rating was "High." Following is the data for these events from "Security History - Advanced Details."
NORTON DATA
2012-11-24 16:23 (PST)
IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: [My computer name] ([My IP address], 56278)
Attacker URL: 2f14b7bed3.osnart.info/?b=5
Destination Address: 2f14b7bed3.osnart.info (94.23.144.48, 80)
Source Address: [My IP address] ([My IP address])
Traffic Description: TCP, Port 56278
2012-11-25 15:32 (PST)
IPS Alert Name: Web Attack: Exploit Toolkit Website 30
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: [My computer name] ([My IP address], 56196)
Attacker URL: 6f6fc59800.agninde.info/?b=5
Destination Address: 6f6fc59800.agninde.info (94.23.144.48, 80)
Source Address: [My IP address] ([My IP address])
Traffic Description: TCP, Port 56196
2012-11-26 16:10 (PST)
IPS Alert Name: Web Attack: Malicious Exploit Toolkit Website 4
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: statstrng.com (209.139.209.126, 80)
Attacker URL: statstrng.com/stats
Destination Address: [My computer name] ([My IP address], 55730)
Source Address: 209.139.209.126, 80 (209.139.209.126, 80)
Traffic Description: TCP, www-http
ADDITIONAL INFORMATION
whatsmyip.org reports Vancouver, Canada as the location of 209.139.209.126 (the "Source Address" in the third event above).
IPVoid reports 209.139.209.126 as a Canadian IP address, and that it is detected (as infected) by MyWOT.
MyWOT gives 209.139.209.126 ratings of 1 and 2 (their highest rating is 100).
According to comments on MyWOT, the name of the site for 209.139.209.126 appears to be askreview.net, and it has "malicious content, viruses." Specifically, the content is hidden in iframes and redirects the user to "exploit kit hosted sites."
ZScaler rates askreview.net as "Suspicious 55/100."
URLVoid reports that 209.139.209.126 is associated with the new domains linkstatic.com and staticslist.com, and that the latter site is detected (as infected) by AVGThreatLabs.
AVGThreatLabs reports for staticslist.com that "During the last 7 days potentially active threats were detected on the main site of this domain." Furthermore, there were 147 "compromised pages" and 1 "Threat Type."
MY QUESTIONS
1. Each Norton Security History page says "No Action Required." My computer is running fine. But the fact that I am getting repeated notifications of a blocked intrusion attempt raises the question, Are there actions I should indeed take because of these intrusion reports?
So far I have been running full scans: with Norton (in both regular mode and Safe Mode); MS Safety Scanner (clicking "Run" on the download bar on the MS website); Windows Defender (which I keep up to date); MalwareBytes (free version, downloaded a month ago); and Norton Eraser. The only positives found by these scans were tracking cookies that were found and quarantined by Norton, which is an everyday occurrence. I have also run CheckDisk and System File Checker, both with negative results.
Should I run more scans, using programs such as Hitman Pro, SuperAntiSpyware, or the Kaspersky Anti-rootkit utility?
2. In its history of the first 2 events, Norton states that the "Attacking Computer" is my own. Does this mean that malware is already resident on my computer and is causing it to attack itself? Does it merely mean that Norton Antivirus found the attack at the point at which my computer was beginning to respond to the attacking computer?
3. The attacks have occurred on subsequent days between about 3:30 and 4:30 p.m. local time (I stayed offline today till 5 p.m.). Does that indicate a hacker is sending out this malware during this period every day? And that when a target computer's AV program prevents the attack, the hacker tries again the next day, with a different version of the malware? (According to ZScaler, there is a report that anyone can buy a Blackhole exploit kit from a Russian malware developer for 3 months for $700.) Should I simply continue to stay offline for the time being between, say, 3 and 5 p.m. every day?
4. Is there a way to block 209.139.209.126, so that I do not have to rely on Norton's recognition of one type of malware after another?
5. What kind of URL and "Destination Address" is "6f6fc59800.agninde.info/?b=5"?
6. What do the Norton "Traffic Descriptions" mean: "TCP, Port 56278," "TCP, Port 56196," and "TCP, www-http"?
As is evident, I am an ordinary computer user trying to keep my nose above water, so any help will be gratefully received.