
Possible Infection? Odd Entries in Norton Security History



#1 bbee_2003


Posted 08 January 2017 - 12:22 PM

OS: Windows 10

Primary browser: Firefox

Other browsers: MS Edge (almost never use), Chrome (sometimes use)

 

My user profile: not a gamer, mostly use Internet for online shopping, bank access, and streaming Netflix

 

Computer knowledge: not an idiot, but closer to idiot than computer genius

 

 

Yesterday and today, I've had to reset my modem and router a few times. We have had some light snow in the region, but I don't know of any internet outages from my service provider and it seems unlikely that is the problem.

 

I ran a Quick scan and Full System scan on my Norton Internet Security program that I've had for years. It came back with no problems. However, there was an error when I did the LiveUpdate the first time. The error was 3038, 105. I was able to later run LiveUpdate successfully without errors. I Googled the error and found no explanation of the error. The only thing I found was Norton forum advice that you may want to run Norton PowerEraser or reinstall Norton. At the time, I did neither thing because I wasn't sure what the actual problem was and because Norton seemed to be running okay.

 

I checked my security history in the Norton program and saw several things that looked odd to me. I do not often check the history, so I looked back several weeks to see if I could see similar events recorded. The following items are the events that I thought looked unusual. These events don't seem to go back any earlier than 12/20/16.

 

1/8/2017 10:40:23 AM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 192.168.1.137).",Detected,No Action Required,Firewall - Network and Connections,,,
1/8/2017 10:40:05 AM,Info,Connected to a public network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,127.0.0.0/255.0.0.0,
1/8/2017 10:39:52 AM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: ::1).",Detected,No Action Required,Firewall - Network and Connections,,,
1/8/2017 10:39:52 AM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: 127.0.0.1).",Detected,No Action Required,Firewall - Network and Connections,,,
1/7/2017 9:02:37 PM,Info,Connected to a public network. (Teredo tunnel adapter(::0)),Protected,No Action Required,,,,Teredo tunnel adapter(::0)
1/7/2017 9:02:37 PM,Info,Connected to a private network. (20 AA 4B 00 43 E9),Shared,No Action Required,,20 AA 4B 00 43 E9,,

1/7/2017 6:32:31 PM,Info,IP address has disappeared from adapter Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) (IP address: 192.168.1.137).,Detected,No Action Required,Firewall - Network and Connections,,,

 

I Googled these events and found some instances in which someone asked about them on the Norton forums. Each time, the user was advised that these are normal processes. But, I don't understand why these processes seem to only have started on my computer within the past few weeks. I have not installed any new hardware or programs on my computer in several months.

 

 

 

I kept searching through the security history and found the following intrusion attempts that were supposedly blocked.

 

12/20/2016 5:31:37 PM,High,An intrusion attempt by 163.172.122.48 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Flash Update Download 2,"163.172.122.48, 80",24pcupgrade.soft2apt247newest.online/?pcl=nPNEZ_u-mpD4t-to_wUoK73sF9m6mc445AUDaf89YzE.&cid=MTU4Mzk1NXxmaWxlLXNoYXJpbmctc2l0ZS5jb218VVNBfHwxNDc4ODQ0M3x8fDIyOTkzNzN8MTc0LjEwNy4yMzUuMTk2fDUxM3wzMXwwfDQxfDN8NDB8MHwwfHx8MXwwfHx8MTF8fDF8MHxzdHJlYW1kZWZlbmNlLmNvbXwwfDB8MHxiZmMxYWRiNzRlYjY3YWQwMzU4NzIyZjVmMzMzYzE5NA==&sub=file-sharing-site.com&v_id=9mJuy1W7vBVHHV9q6GUqXtQi6mzREzV0FHxD-gOu6FY.,"192.168.1.118, 51735",163.172.122.48,"TCP, www-http"
12/20/2016 4:30:14 PM,High,An intrusion attempt by 107.180.51.3 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 12,"107.180.51.3, 80",www.matrixmartonline.com/morpheus/report2.php,"192.168.1.118, 52143",107.180.51.3,"TCP, www-http"
12/20/2016 4:16:25 PM,High,An intrusion attempt by 173.255.141.8 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 7,"173.255.141.8, 80",quickcheck08.tech/pc7/images/jquery-1.js,"192.168.1.118, 50555",173.255.141.8,"TCP, www-http"
12/20/2016 4:16:25 PM,High,An intrusion attempt by 173.255.141.8 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 11,"173.255.141.8, 80",quickcheck08.tech/pc7/images/jquery-1.js,"192.168.1.118, 50555",173.255.141.8,"TCP, www-http"
12/20/2016 4:16:25 PM,Info,Intrusion Prevention Signature Auto Block has blocked IP: 173.255.141.8 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
12/20/2016 4:16:25 PM,High,An intrusion attempt by 173.255.141.8 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 12,"173.255.141.8, 80",quickcheck08.tech/pc7/index1.html,"192.168.1.118, 50553",173.255.141.8,"TCP, www-http"
12/16/2016 4:30:57 PM,High,An intrusion attempt by 64.38.250.98 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 7,"64.38.250.98, 80",iam.themechanic08.tech/th1/images/jquery-1.js,"192.168.1.118, 50399",64.38.250.98,"TCP, www-http"
12/16/2016 4:30:57 PM,High,An intrusion attempt by 64.38.250.98 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 11,"64.38.250.98, 80",iam.themechanic08.tech/th1/images/jquery-1.js,"192.168.1.118, 50399",64.38.250.98,"TCP, www-http"
12/16/2016 4:30:57 PM,Info,Intrusion Prevention Signature Auto Block has blocked IP: 64.38.250.98 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
 

 

I understand that Norton says it blocked these attempts, but is it possible that something came through that Norton didn't detect?

 

 

I'm also seeing a lot of the following, which doesn't appear before 12/20/16.

 

12/20/2016 4:09:51 PM,Info," Rule \"Default Block EPMAP\" rejected  TCP(6)  traffic with  (::0  Port (0) )",Detected,No Action Required,Firewall - Activities,,,,,,
12/20/2016 4:09:51 PM,Info," Rule \"Default Block EPMAP\" rejected  TCP(6)  traffic with  (0.0.0.0  Port (0) )",Detected,No Action Required,Firewall - Activities,,,,,,

 

 

 

 

 

To do as much as I could, I ran Norton PowerEraser after finding all of these weird events in the history and getting nothing good from Google. It found nothing. I downloaded Malwarebytes and ran it. It found a few files and folders that it said were odd, but seem to me to be probably harmless. I'm listing them below.

 

Folder: 2
PUP.Optional.AmazonTB, C:\Users\MacsHouse\AppData\Roaming\Mozilla\Firefox\Profiles\c7avdvot.default-1469759094674\jetpack\abb@amazon.com\simple-storage, Quarantined, [12436], [175409],1.0.948
PUP.Optional.AmazonTB, C:\USERS\MACSHOUSE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\C7AVDVOT.DEFAULT-1469759094674\JETPACK\ABB@AMAZON.COM, Quarantined, [12436], [175409],1.0.948

File: 2
PUP.Optional.AmazonTB, C:\Users\MacsHouse\AppData\Roaming\Mozilla\Firefox\Profiles\c7avdvot.default-1469759094674\jetpack\abb@amazon.com\simple-storage\store.json, Quarantined, [12436], [175409],1.0.948
PUP.Optional.AmazonTB, C:\USERS\MACSHOUSE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\C7AVDVOT.DEFAULT-1469759094674\EXTENSIONS\ABB@AMAZON.COM.XPI, Quarantined, [12436], [235406],1.0.948
 

 

 

 

 

Once I discovered that things seemed to change on my security history around 12/20/16, I went to my Internet history and found the following items on that day. I did a Google search on these web addresses (limited to 32 words) and found a Mozilla forum page on which it was advised that these addresses were part of an Amazon add-on, but another poster said that it was evidence of a scam, though that poster didn't offer any more information and seemed less reputable.

 

https://identity.browserapps.amazon.com/assets/identity-process.html?locale=US&assetTag=define(%7B%0A%20%20%22eTag%22%20%3A%20%2241725661e7b2205c6617881ecb9202e3%22%2C%0A%20%20%22lastUpdated%22%20%3A%20%222016-12-19T12%3A00%3A47.430Z%5BEtc%2FUniversal%5D%22%0A%7D)%3B

 

https://dossier.browserapps.amazon.com/assets/dossier-process.html?locale=US&assetTag=define(%7B%0A%20%20%22eTag%22%20%3A%20%2241725661e7b2205c6617881ecb9202e3%22%2C%0A%20%20%22lastUpdated%22%20%3A%20%222016-12-19T12%3A00%3A47.430Z%5BEtc%2FUniversal%5D%22%0A%7D)%3B

 

https://reporter.browserapps.amazon.com/assets/reporter-process.html?locale=US&assetTag=define(%7B%0A%20%20%22eTag%22%20%3A%20%2241725661e7b2205c6617881ecb9202e3%22%2C%0A%20%20%22lastUpdated%22%20%3A%20%222016-12-19T12%3A00%3A47.430Z%5BEtc%2FUniversal%5D%22%0A%7D)%3B

 

https://storage.browserapps.amazon.com/assets/storage-process.html?locale=US&assetTag=define(%7B%0A%20%20%22eTag%22%20%3A%20%2241725661e7b2205c6617881ecb9202e3%22%2C%0A%20%20%22lastUpdated%22%20%3A%20%222016-12-19T12%3A00%3A47.430Z%5BEtc%2FUniversal%5D%22%0A%7D)%3B

 

 

 

 

 

 

Before 12/16/16-12/20/16, the events in my security history seem plenty normal and repeat over time. Lots of definitions updated, LiveUpdate runs successfully, etc. My husband thinks I'm crazy, but I feel that there must be something going on.

 

 

To be fair, my computer doesn't seem slower and I haven't been getting a bunch of weird messages or errors popping up on my screen. I haven't found anyone accessing my financial accounts and records yet. My main concern is a keylogger program or some other snooping that maybe Norton isn't catching. Norton has done a fine job so far, but I am not foolish enough to think it will catch everything.

 

 

Can you tell me if everything looks normal? Am I overreacting? Is there some other way to tell if Norton is missing something lurking on my computer or network?

 

 

I appreciate any help I can get because I have done everything I can think of.

 




 


#2 bbee_2003


Posted 08 January 2017 - 12:41 PM

I am reminded that I got an Amazon FireTV and Fire Stick in early December and downloaded the PS Vue app and Kodi later in December on both devices. Not sure if that helps.



#3 quietman7

  • Global Moderator

Posted 29 January 2017 - 06:42 PM

I do not use Norton (nor do most of our members), so I am not too familiar with its logs. You may want to ask about that at the Norton Community Users Discussion Forum.

Blocking intrusion attempts with no further action required is not uncommon with many Internet Security suites. Norton is doing its job to protect you.

Malwarebytes did not find anything of significant concern. The items were related to PUPs in your Firefox browser.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong. Are you having any such symptoms?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

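For readers who want to triage an exported Security History like the one quoted in the first post, here is an added example; it is not part of any post in this thread and not Norton's own tooling. It parses rows in the quoted format (inner quotes escaped with a backslash) and separates blocked web-attack events from routine firewall entries. The column positions are inferred from the quoted rows, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: six rows copied from the post's Security History excerpt.
SAMPLE = r'''
1/8/2017 10:39:52 AM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: 127.0.0.1).",Detected,No Action Required,Firewall - Network and Connections,,,
12/20/2016 4:30:14 PM,High,An intrusion attempt by 107.180.51.3 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 12,"107.180.51.3, 80",www.matrixmartonline.com/morpheus/report2.php,"192.168.1.118, 52143",107.180.51.3,"TCP, www-http"
12/20/2016 4:16:25 PM,High,An intrusion attempt by 173.255.141.8 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 7,"173.255.141.8, 80",quickcheck08.tech/pc7/images/jquery-1.js,"192.168.1.118, 50555",173.255.141.8,"TCP, www-http"
12/20/2016 4:16:25 PM,Info,Intrusion Prevention Signature Auto Block has blocked IP: 173.255.141.8 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
12/20/2016 4:16:25 PM,High,An intrusion attempt by 173.255.141.8 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Fake Scan Webpage 12,"173.255.141.8, 80",quickcheck08.tech/pc7/index1.html,"192.168.1.118, 50553",173.255.141.8,"TCP, www-http"
12/20/2016 4:09:51 PM,Info," Rule \"Default Block EPMAP\" rejected  TCP(6)  traffic with  (0.0.0.0  Port (0) )",Detected,No Action Required,Firewall - Activities,,,,,,
'''

def parse_history(text):
    """Parse exported rows into lists of fields, skipping blank lines."""
    # The excerpt escapes inner quotes with a backslash instead of doubling them.
    reader = csv.reader(io.StringIO(text), escapechar="\\", doublequote=False)
    return [row for row in reader if row]

def endpoint(field):
    """Split an 'ip, port' field into (ip, port)."""
    ip, port = field.rsplit(",", 1)
    return ip.strip(), int(port)

def triage(rows):
    """Group blocked web-attack rows by remote host; count other rows by category."""
    blocked = defaultdict(lambda: {"signatures": set(), "urls": set(), "outbound": True})
    routine = defaultdict(int)
    for row in rows:
        # Assumption: column positions are inferred from the sample rows, not from Norton docs.
        if len(row) >= 14 and row[1] == "High" and row[3] == "Blocked":
            (rip, rport), (_, lport) = endpoint(row[9]), endpoint(row[11])
            entry = blocked[rip]
            entry["signatures"].add(row[8])
            entry["urls"].add(row[10])
            # Remote web port plus local ephemeral port: a request this PC's browser made.
            entry["outbound"] = entry["outbound"] and rport in (80, 443) and lport >= 49152
        else:
            category = row[5] if len(row) > 5 and row[5] else "uncategorized"
            routine[category] += 1
    return dict(blocked), dict(routine)

if __name__ == "__main__":
    blocked, routine = triage(parse_history(SAMPLE))
    for ip, info in blocked.items():
        print(ip, sorted(info["signatures"]), "outbound" if info["outbound"] else "check")
    print(routine)
```

Rows flagged `outbound` were triggered by pages the browser requested and were stopped at the network layer; any row where that flag is false deserves a closer look.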



