ISearch DNS Request Intruder Alerts
Pterocarpous
Rosie the Riveter Lives On in CA, USA! New
I'd put this in our Spyware forum but I really think this is Webroot Spysweeper (SS) v 5.3.1 locking horns w/ Norton Antivirus' Internet Worm Protection.
I updated a client's computers w/ the Webroot Spysweeper v 5.3.1
update last night (early this a.m.). When I remoted back in to contunue working this a.m. these alerts were popping up. They're constant.
I found that if I disable Webroot Spysweeper service, the alerts go away.
I've gone into NAV's IWP Program Control and Permitted literally every executable in the SS Program Files directory - including the update excutable ssu.exe. Still the bloody error keeps popping up.
There's nothing on Webroot's site about this. I read in another thread on the 'net that a user had contacted Webroot re: the issue but they won't respond.
Here's the alert:
Intrusion: ISearch DNS Request
Intruder: 0.0.0(1426) or (1487) (SS off); (1290) (SS On) (ports change based on whether SS is enabled or not)
risk level: medium
protocol: udp
Attacked IP: 192.168.1.1 (that's the router LAN side)
Attacked Port: domain(53)
I'm tempted to kill Norton Internet Worm Protection and install Comodo Firewall on the computers.
Interesting note, though. Only one of the two computers that I installed the same update on are experiencing this issue.
I'm gonna run HijackThis and take a look there. In the interim, I'd be glad for any input.
TIA!
I updated a client's computers w/ the Webroot Spysweeper v 5.3.1
update last night (early this a.m.). When I remoted back in to contunue working this a.m. these alerts were popping up. They're constant.
I found that if I disable Webroot Spysweeper service, the alerts go away.
I've gone into NAV's IWP Program Control and Permitted literally every executable in the SS Program Files directory - including the update excutable ssu.exe. Still the bloody error keeps popping up.
There's nothing on Webroot's site about this. I read in another thread on the 'net that a user had contacted Webroot re: the issue but they won't respond.
Here's the alert:
Intrusion: ISearch DNS Request
Intruder: 0.0.0(1426) or (1487) (SS off); (1290) (SS On) (ports change based on whether SS is enabled or not)
risk level: medium
protocol: udp
Attacked IP: 192.168.1.1 (that's the router LAN side)
Attacked Port: domain(53)
I'm tempted to kill Norton Internet Worm Protection and install Comodo Firewall on the computers.
Interesting note, though. Only one of the two computers that I installed the same update on are experiencing this issue.
I'm gonna run HijackThis and take a look there. In the interim, I'd be glad for any input.
TIA!
0
Comments
Logfile of HijackThis v1.99.1
Scan saved at 1:22:41 PM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HPWNTOOLBOX] "C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe" "-i"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = Southwest Airlines\Ding\Ding.exe
O4 - Startup: PrintKey-Pro.lnk = Warecentral\PrintKey-Pro\PKey_Pro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170428688953
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAC5EA55-9E5A-42A1-8FA1-2EFF786DC0D0}: NameServer = 192.168.1.1
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Having gotten a clean bill of health (on my HijackThis log) from Trogan, one of Short Media's shining Malware experts, I'm going to concede that this is a software conflict issue (between Norton Internet Worm Protection and the latest Webroot Spysweeper update (v 5.3.1).
To resolve this, I'm going to revert back to the previous version of Spysweeper and stay with it until Webroot comes up w/ a resolution to this problem.
This is the second problem I've run into with Norton AV 07 that I never had with my past Norton AV products. I had to delete my Zone Alarm Firewall. Norton indicated this during the installation process.
When I spoke to Symantec Help they told me that Norton AV has a firewall, but it is only for incoming material, not outgoing. And you cannot click to shut off Internet access, and I had been able to do.
I then spoke to them about the ISearch threat messages appearing every five seconds.
They told me to turn off the ISearch protection. This does not seem the best solution.
The Help people also told me that I am having these problems because I bought the Norton AV in a store. They sent me a link to download a different version from Symantec that should allow me to avoid these problems.
So much for my story. I thought this might help others who purchase Norton AV 07 from a store and run into similar headaches. Maybe Norton shouldn't sell their products in stores.
Should I now go out and buy the Norton Firewall? The Zone Alarm was free and seemed to work fine.
Highly recommend:
AVG Free (anti-virus and anti-malware)
Ad-Aware
SpywareBlaster
Spybot
all free!