# Solved: Norton blocking many intrusion attempts



## black99gm (Nov 9, 2004)

My Norton antivirus is going nuts blocking intrusion attempts (5 in less than a minute). I have run Ad-Aware & spybot scans. Can someone check this Hijack This scan for problems?

Thanks Bob

P.S. I may have posted this in the wrong forum. Can it be moved to the malware & hijack this forum?

Thanks Bob

Logfile of HijackThis v1.99.1
Scan saved at 10:38:52 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Symantec Shared\SecurityHistory\mcui32.exe
C:\Documents and Settings\Administrator\My Documents\old computer\Hijack This V1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172173733312
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A5E88A67-4F93-44BB-A30F-772F7FE31D38} (Colonies.com Photo Upload Tool Control) - http://colonies.com/pages/PhotoUploadTool.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A3CCB12-EBDB-43BC-80E4-F8BD9A92D35E}: NameServer = 199.166.6.2 209.239.11.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


----------



## lunarlander (Sep 22, 2007)

Can you give some examples of what Norton is blocking?


----------



## Michael Bennett (Nov 23, 2007)

The log doesn't look good (but I'm not an expert)!

If you disconnect from the internet do the intrusion attempts keep happening?

Michael.


----------



## black99gm (Nov 9, 2004)

Thanks for the replies; to answer the questions, the alerts stop as soon as the internet is disconnected. The following are the Norton log files.

Category: Security risks
Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/26/2007 10:08:48 AM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MXBWTWZ6\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/25/2007 9:47:21 PM,Auto-Protect,ExpertAntiVirus,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4RF7EKLT\install247[1].cab,Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Blocked"
11/25/2007 9:47:07 PM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPEVOL6Z\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/25/2007 9:10:17 PM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\03JNQCX5\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/24/2007 4:39:56 AM,Virus scanner,Downloader,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\tc0nx5c1\8[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,SpyShredder,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: [webinst[1].cab] inside of [c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\d8c35lo5\webinst[1].cab],Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Action taken: Fully removed"


----------



## Michael Bennett (Nov 23, 2007)

Definitely looks bad.

Post your HJT! log in the Malware Removal forum and someone will get to you as soon as possible.


----------



## Nesjemannen (Nov 9, 2007)

Also: *Update your HijackThis!*

Download


----------



## Michael Bennett (Nov 23, 2007)

The bigwigs will sort him out, Nes.


----------



## lunarlander (Sep 22, 2007)

Well, in addition to posting a new HijackThis log in the correct forum, you can empty the contents of your C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ folder, as I see several malware attempting to 'call home' reside there.

I see you are surfing with your Administrator account, don't do that. Create a limited user account and surf with that one, so any attempts of intrusion will not affect the entire system.

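As an added example (not code from the thread or from Symantec), the following script parses the Norton "Security risks" CSV export posted earlier and tallies where each detection landed: which user profile, and whether it sits in the Internet Explorer cache. The three rows are copied from that log; the column names and the "Source: ... inside of [...]" detail layout are taken from it as well.

```python
import csv
import io
import re
from collections import Counter

# Three rows copied from the Norton "Security risks" export above; constructed test input.
NORTON_LOG = r'''Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/26/2007 10:08:48 AM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MXBWTWZ6\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/24/2007 4:39:56 AM,Virus scanner,SpyShredder,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: [webinst[1].cab] inside of [c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\d8c35lo5\webinst[1].cab],Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Action taken: Fully removed"
'''

DETAIL_RE = re.compile(r"Source: (?P<source>.*?),Risk category: (?P<category>.*?),"
                       r"Overall Risk Impact: (?P<impact>.*?),Action taken: (?P<action>.*)$")
INSIDE_RE = re.compile(r"inside of \[(.*)\]$")  # archive member: "[x] inside of [path]"
PROFILE_RE = re.compile(r"documents and settings\\([^\\]+)", re.IGNORECASE)

def parse_entries(log_text):
    """Parse the CSV export; the quoted Details field is split into its own fields."""
    entries = []
    for row in csv.DictReader(io.StringIO(log_text)):
        m = DETAIL_RE.match(row["Details"])
        if not m:
            continue  # skip rows whose Details field has an unexpected shape
        source = m.group("source").strip()
        inner = INSIDE_RE.search(source)
        if inner:
            source = inner.group(1)  # keep the on-disk container path
        prof = PROFILE_RE.search(source)
        entries.append({
            "risk": row["Risk Name"],
            "action": m.group("action"),
            "impact": m.group("impact"),
            "path": source,
            "profile": prof.group(1).lower() if prof else None,
            "in_ie_cache": "temporary internet files" in source.lower(),
        })
    return entries

def summarize(log_text):
    """Tally detections by risk name, by user profile, and by IE-cache location."""
    entries = parse_entries(log_text)
    return {
        "total": len(entries),
        "by_risk": Counter(e["risk"] for e in entries),
        "by_profile": Counter(e["profile"] for e in entries if e["profile"]),
        "ie_cache_hits": sum(e["in_ie_cache"] for e in entries),
        "high_impact": sum(e["impact"] == "High" for e in entries),
    }
```

Every file detection in the sample resolves to the Administrator profile's Temporary Internet Files folder, which is the evidence behind clearing that cache and browsing from a limited account instead.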

----------



## black99gm (Nov 9, 2004)

How do I create a limited user account? My girls use this computer as well for homework and course messenger & facebook. I don't have much experience.

Thanks


----------



## lunarlander (Sep 22, 2007)

In XP: 
Control Panel / User Accounts / Create A New Account /
Enter account name / Next / Choose 'Limited' radio button 
Click 'Create new Account' button


----------



## black99gm (Nov 9, 2004)

Thanks for the reply; I created a new user but the problem is it is now the administrator user and I have lost the original administrator and can't find it! There also is another account called "ASP.net machine A..." I don't know where it came from.

Bob


----------



## lunarlander (Sep 22, 2007)

Press CTRL-ALT-DEL twice at the login screen and you will be given a field to enter the user name.

I think the ASP.NET user account is installed by MS's Dot Net Framework. Somebody correct me if I'm wrong.


----------



## black99gm (Nov 9, 2004)

Thanks wk2000, that worked. I have looked at the user accounts to change the Family user account to limited but the radio button won't change. It has a message "you must assign another user on this computer with a computer administrator before you can change this user's account type". The user accounts page shows both as computer administrators. The only options with the administrator account are "create a password", "change my picture" & "change my .net passport". Any ideas?


----------



## lunarlander (Sep 22, 2007)

Yes, in addition to the built in Administrator account, there must be one more account which is an admin. So there are two accounts with admin rights. Create a fourth account which is limited then.


----------



## black99gm (Nov 9, 2004)

OK, I have done the 4th account and called it "Family users"; the second administrator account I have named "Adm 2". The original Administrator account does not show when I am at the log in screen; the only time I can get to it is by doing the CTRL-ALT-DEL twice. Is this normal? I would also like to get my e-mail and my documents (pics & music) from the original Administrator to Family users.

Thanks for taking the time with a novice!!!


----------



## lunarlander (Sep 22, 2007)

Yes, the built in 'Administrator' does not show up normally. 

I assume you are using Outlook Express for your email. I don't know enough about Outlook Express to tell you how to move its data from one account to another. Maybe someone else can help. Or you can post the question in another forum.

To move your files, log into your Administrator account and just cut and paste them as you would do to any file to /Documents and Settings/ Family Users/ Family Users Documents.


----------



## black99gm (Nov 9, 2004)

Thanks for all the help wk2000. I am using Outlook 2000 for e-mail. I will do as you suggest and post that question in another forum. 

Thanks again! 
99


----------



## breadcrab (Nov 21, 2007)

Go to the command prompt and type in `net user`; you can see your user accounts.


----------

