Spysweeper Communication Shield Blocking Access


11 replies to this topic

#1 I_am_CanadianEh?

I_am_CanadianEh?

  • Members
  • 489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:06 PM

Posted 19 November 2007 - 11:29 PM

Hello,
I've had this problem before (see link below):

http://www.bleepingcomputer.com/forums/t/109041/trojan-trying-to-access-malicious-websites/

Now it has started up again. I've done scans with Dr. Web, Superantispyware, SpyBot, Zonealarm Antivirus all in Safe Mode and nothing was found. I also cleaned out all temp files, the problem still persists. There are no other symptoms (no popups, things are working fine, computer is fast) except a very active hard drive at bootup time as if some process was trying to access the blocked sites.

I've looked through Process Explorer and the Task Manager and found nothing unusual....at least nothing that seemed out of the ordinary.

After bootup, here are the sites that are blocked (from the SpySweeper logs):

9:05 PM: The Internet Communication shield has blocked access to: 4SOFTGET.COM
9:04 PM: The Internet Communication shield has blocked access to: 2SEARCH.ORG
9:04 PM: The Internet Communication shield has blocked access to: 2SEARCH.ORG
9:03 PM: The Internet Communication shield has blocked access to: 24-7SEARCHING-AND-MORE.COM
9:03 PM: The Internet Communication shield has blocked access to: 24-7SEARCHING-AND-MORE.COM
9:03 PM: The Internet Communication shield has blocked access to: 1STSEARCHPORTAL.COM
9:03 PM: The Internet Communication shield has blocked access to: 1STSEARCHPORTAL.COM
9:02 PM: The Internet Communication shield has blocked access to: 1-EXTREME.BIZ
9:02 PM: The Internet Communication shield has blocked access to: 1-EXTREME.BIZ
9:02 PM: Your definitions are up to date.
9:02 PM: Automated check for program update in progress.
9:02 PM: The Internet Communication shield has blocked access to: 123TOPSEARCH.COM
9:02 PM: The Internet Communication shield has blocked access to: 123TOPSEARCH.COM
9:02 PM: The Internet Communication shield has blocked access to: 008K.COM
9:01 PM: The Internet Communication shield has blocked access to: 008K.COM

and these from today:

10:51 PM: Tamper Detection
10:50 PM: The Internet Communication shield has blocked access to: AD.MOKEAD.COM
10:50 PM: The Internet Communication shield has blocked access to: AD.MOKEAD.COM
10:46 PM: The Internet Communication shield has blocked access to: ACCESSACTIVEXVIDEO.COM
10:46 PM: The Internet Communication shield has blocked access to: ACCESSACTIVEXVIDEO.COM
10:46 PM: The Internet Communication shield has blocked access to: ABOUTCLICKER.COM
10:46 PM: The Internet Communication shield has blocked access to: ABOUTCLICKER.COM
10:45 PM: The Internet Communication shield has blocked access to: 8AD.COM
10:45 PM: The Internet Communication shield has blocked access to: 8AD.COM
10:45 PM: The Internet Communication shield has blocked access to: 80GW6RY3I3X3QBRKWHXHW.032439.COM
10:45 PM: The Internet Communication shield has blocked access to: 80GW6RY3I3X3QBRKWHXHW.032439.COM
10:44 PM: The Internet Communication shield has blocked access to: 6SEK.COM
10:44 PM: The Internet Communication shield has blocked access to: 6SEK.COM
Operation: File Access
Target:
Source: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
10:42 PM: Tamper Detection
10:42 PM: The Internet Communication shield has blocked access to: 4SOFTGET.COM
Keylogger: On
10:42 PM: Informational: ShieldEmail: Start monitoring port 587 for mail activities
E-mail Attachment: On
10:42 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
10:42 PM: The Internet Communication shield has blocked access to: 4SOFTGET.COM

It's nice to know I'm being protected but this is driving me nuts. I googled this issue and all I got was forum entries of this issue with no responses.

My Zonealarm logs show nothing unusual or viruses blocked.
I heard this has something to do with SpyBot's host file being immunized??
Last time this happened, it seemed to go away on its own with very little intervention from me....I booted up the next day and the problem was gone.

This problem happens on bootup. I simply replaced my Spybot added Hosts file with the Microsoft standard. So far, no SpySweeper alerts but I haven't rebooted yet.

Any suggestions as to what might be causing this?? :thumbsup:


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:06 PM

Posted 20 November 2007 - 09:31 AM

I've had this problem before

But there was nothing of significant concern in your log.

If the Spybot Hosts file was the problem last time, then it's probably the problem again. Reboot and confirm if the Shield alerts go away. If you do a Google search, you will find this issue seems to be a common complaint from those using Spysweeper and other security programs like Spybot and Spywareblaster. Others frustrated by the alerts turned off the Internet Communication shield to stop it from monitoring the HOSTS file, but then you lose the protection from that feature. Webroot's response has been lacking in response to the numerous complaints about this.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 I_am_CanadianEh?


Posted 20 November 2007 - 10:37 AM

I'm glad I'm not the only one and that this is a known problem... :thumbsup:

However, what is strange is that these alerts are not always happening. Even with SpyBot's host file everything seems fine for a while and then...BOOM...Spysweeper starts blocking everything after a reboot. You see it doesn't ALWAYS happen.

As I said, I've removed Spybot's host file with the default "localhost" one and rebooted....the problem was gone. But I want to have all the bad sites route to a dead end.... 127.0.0.1 so if my son surfs carelessly, he won't be able to access.

I'll put a support ticket into SpySweeper to see if they address the issue this time.

Thanks for the response. :flowers:

#4 quietman7


Posted 20 November 2007 - 11:05 AM

I'll put a support ticket into SpySweeper to see if they address the issue this time

Please let us know what they have to say.

#5 I_am_CanadianEh?


Posted 21 November 2007 - 10:17 AM

I sent in a support ticket and they responded within 30 minutes. This is quite impressive....I've heard that SpySweeper's tech support is only average.

Anyways, they've asked me to submit my System File information so they can look and study for incompatibilities. It's almost like: "we better investigate this common problem now or people are going to stop buying our product".

I'll keep you updated. Thanks. :thumbsup:

#6 quietman7


Posted 21 November 2007 - 10:22 AM

It's almost like: "we better investigate this common problem now or people are going to stop buying our product".

You would think so. The complaints I have read included quite a few folks who said they were going to remove Spysweeper.

#7 I_am_CanadianEh?


Posted 26 November 2007 - 12:14 PM

No reply from SS yet, however I think they were closed for the Thanksgiving Long Weekend....

But I have a hunch.....I have a feeling it has something to do with Dell Support Centre software. I think I installed that program around the September timeframe....just when my problems started. I removed the program and all traces of it late last night. I couldn't keep my eyes open so I went to bed and now I'm at work.

I will test the machine to see if it got rid of the problem this evening.

I've also noticed with this Spy Sweeper problem that my Zonealarm blocked Access counts have increased by more than 45 alerts in the past 3 days. :flowers: Before the blocked access sites in SS started I only got 1 or 2 blocked alerts in the ZA log once or twice a month!! Something weird is going on.... :thumbsup:

These ZA blocked Access counts are found in the middle of the Overview tab in Zone Alarm.

I'll keep you posted..I love a good mystery! :trumpet:

#8 I_am_CanadianEh?


Posted 26 November 2007 - 12:17 PM

Forgot to mention that the Zonealarm logs show that communication is coming from my ISP to my Dell computer. Antivirus & antispyware logs show nothing malicious. It also shows that Zonealarm has blocked SpySweeper from listening to UDP port "n" where n is a 5 digit number that changes every so often.

#9 I_am_CanadianEh?


Posted 27 November 2007 - 10:04 AM

I THINK I FIXED THE PROBLEM! :trumpet: :flowers:

The culprit was indeed Dell Support Center. All the alerts have stopped after uninstalling. The computer seems to run a little more smoothly on bootup as well. I'm going to write a nasty in the DELL forums as well as call them to discuss this issue.

Monitoring programs like this one push the envelope to privacy invasion. And to make matters worse, scare the crap out of people when their security apps start screaming at them and putting up shields saying their computer has been blocked from accessing rogue websites. :thumbsup:

Thumbs down for Dell. :inlove:

However, I'm still awaiting what Spy Sweeper has to say. :huh:

#10 quietman7


Posted 27 November 2007 - 05:08 PM

Thanks for keeping us updated.

#11 I_am_CanadianEh?


Posted 27 November 2007 - 09:34 PM

Thanks for keeping us updated.


Hey, no problem. :flowers:

...and here's SpySweeper's response...

After taking a look at the session log, it appears that (as you may be able to notice) the ads being blocked are listed in reverse alphabetical order in the session log. Combine that with the fact that you have run multiple scans/sweeps and nothing has been found; more than likely another one of your security applications is causing this to happen. I would be inclined to lean towards the Spybot Search and Destroy because of the hosts file protection that you mentioned. More than likely, Spybot is adding these entries to the hosts file or basically adding all the entries so that if anything attempts to access these sites, they will be redirected to a "safe address." When Spy Sweeper sees this, that is triggering our shield because the process is imitating what a piece of spyware/adware would do when trying to access the sites.

To resolve this, we have seen good results with deleting the hosts file, and then restarting the computer (as the hosts file is regenerated upon restart). Because the hosts file was modified more than likely in a different manner than normal, simply deleting it and allowing Windows to recreate it should no longer present the prompts you have been seeing, and that way we will not have to disable any real time protection features from our software or theirs so they can work better in tandem.

You can do this by following the steps below:

*Please disable any security applications you may be using, including Spy Sweeper, before performing these instructions. Also, close any web browser windows you have opened*

Download the attached hoster.zip file to your desktop. (This file is attached directly to your ticket. If the attachment did not come through attached to this email, please log into your ticket using the instructions contained at the bottom of every email you receive from us)

Double-click the file and move the hoster.exe to your desktop.

Once the hoster.exe file is on your desktop, double-click the file and then click the Restore Original Hosts button and then click OK.

Please let me know if you continue to experience problems in your next reopen.

Thanks again for your time and patience.


Well, they made a good effort and I originally thought it was the Spybot's host file, but now I know it was Dell's software. I'm going to see if I can play: "Hi, Dell, meet Spy Sweeper....Spy Sweeper this is Dell Support Center..." Maybe Dell will update their software with a fix that won't cause anyone's pants to turn brown anymore.. :thumbsup:

Anyways, thanks for the help Quietman!
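
The reasoning in the Spy Sweeper support reply quoted in this thread (blocked names appear in alphabetical sequence and scans are clean, so a local program is probably reading the hosts-file blocklist) can be checked mechanically. The following is an added example, not part of the original thread or any vendor tool: the log and hosts samples are constructed, the function names and thresholds are hypothetical, and comparing names with punctuation ignored is an assumption taken from how the log in the first post is sequenced (123TOPSEARCH.COM is logged before 1-EXTREME.BIZ).

```python
import re

# Constructed sample in the Spy Sweeper session-log format quoted in this thread
# (newest entry first). The .example names are placeholders, not real indicators.
SAMPLE_LOG = """\
9:05 PM: The Internet Communication shield has blocked access to: CHARLIE-TOOLBAR.EXAMPLE
9:04 PM: The Internet Communication shield has blocked access to: BRAVO-ADS.EXAMPLE
9:04 PM: The Internet Communication shield has blocked access to: BRAVO-ADS.EXAMPLE
9:03 PM: The Internet Communication shield has blocked access to: A1-SEARCH.EXAMPLE
9:02 PM: Your definitions are up to date.
9:02 PM: The Internet Communication shield has blocked access to: A12CLICKS.EXAMPLE
"""
# Constructed hosts file whose blocklist entries point at loopback.
SAMPLE_HOSTS = """\
127.0.0.1 a12clicks.example
127.0.0.1 a1-search.example   # blocklist entry
127.0.0.1 bravo-ads.example
127.0.0.1 charlie-toolbar.example
"""
BLOCK_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: The Internet Communication shield "
                      r"has blocked access to: (\S+)\s*$")

def blocked_domains(log_text):
    """Blocked names in chronological order, consecutive repeats collapsed."""
    hits = [m.group(1).lower() for m in map(BLOCK_RE.match, log_text.splitlines()) if m]
    hits.reverse()  # the session log lists the newest entry first
    return [d for i, d in enumerate(hits) if i == 0 or d != hits[i - 1]]

def sort_key(name):
    """Assumed ordering: compare letters and digits only, ignoring '-' and '.'."""
    return re.sub(r"[^a-z0-9]", "", name)

def hosts_names(hosts_text):
    """Host names that a hosts file maps to 127.0.0.1 or 0.0.0.0."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            names.update(f.lower() for f in fields[1:])
    return names

def triage(log_text, hosts_text):
    """Report whether alerts look like a walk through the hosts list (assumed thresholds)."""
    doms, listed = blocked_domains(log_text), hosts_names(hosts_text)
    pairs = list(zip(doms, doms[1:]))
    ordered = sum(sort_key(a) <= sort_key(b) for a, b in pairs) / max(len(pairs), 1)
    unlisted = [d for d in doms if d not in listed]
    likely = len(doms) >= 3 and ordered >= 0.9 and not unlisted
    return {"domains": doms, "ordered": ordered, "unlisted": unlisted, "hosts_walk_likely": likely}
```

On the constructed inputs, `triage(SAMPLE_LOG, SAMPLE_HOSTS)` reports every name as hosts-listed and in sequence; names that land in `unlisted`, or a low `ordered` score, are the cases that warrant a closer look at which process made the request.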

#12 quietman7


Posted 27 November 2007 - 10:12 PM

You're welcome.