Not sure what to think

Discussion in 'Malware Help (A Specialist Will Reply)' started by bunnyjo, May 20, 2008.

  1. bunnyjo

    bunnyjo Private E-2

    A few months back I formatted and reinstalled XP. Not long afterwards I started noticing little things that just didn't seem right. Today I checked my Norton Internet Security 07 log file, and under Network Connections there is a list of sites I haven't been to. In fact, I have three computers but they have all been idle or off during the time that there is supposedly a connection. I feel like something is going on, but I can't find anything.

    Here are some of my specs:
    OS: XP
    Anti-Virus: NIS 07 up to date, Spy Sweeper, and recently I ran SpyBot and for no reason in particular I installed Hijack This.

    I would appreciate any info anyone can give me. I just feel like it is strange to have a list of sites showing up that I haven't visited. And if what I am running is not catching anything I guess I should just reinstall Windows again...

    Thanks in advance,
    bj
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure if you are having malware problems or not. The below will help us determine that.
    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide


    QUESTION: When you say the PCs were idle, do you mean powered down?
     
  3. Michael York

    Michael York Norton Authorized Support Team

    Hi bunnyjo,

    This is Mike from the Norton Authorized Support Team responding to your post. The first thing I can tell you is that Spy Sweeper is incompatible with the real-time protection in Norton Internet Security, and should be removed from your computer.

    As to the sites, etc. that you are seeing in the Norton log, they are most likely caused by the Browser Inoculator feature of SpyBot, which puts a bunch of loopback entries to several sites in the hosts file. Norton Internet Security is merely advising you in the log that the hosts file has been compromised. I would suggest that you disable both the Tea-Timer and SD Helper options in SpyBot.

    After you have removed Spy Sweeper and changed the settings in SpyBot or removed it completely, run LiveUpdate and then perform a Full System Scan from within Norton Internet Security to ensure that your computer is not infected.


    Thank you,
    Mike
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These two features of Spybot are not what puts the entries into the hosts file. The Immunization feature of Spybot 1.5 (and also many other similar programs including Spy Sweeper) does this. The older versions of Spybot did not include a host file feature. By the way, currently 8528 loopback entries are added by Spybot's Immunization feature.

    However, all of the above being stated, as I already mentioned, Spy Sweeper also writes thousands of lines to the hosts file to protect you from accessing known bad sites. Thus I would not jump to the conclusion that Spybot was what added lines to the hosts file when the user has already stated Spy Sweeper was being used.

    Either way, none of the entries that would be put into the hosts file by Spybot, Spy Sweeper or any other similar program are problems. Is NIS actually indicating these lines to be problems? If so, it needs to be modified to recognize loopbacks and also to recognize loopbacks of bad sites vs good sites which could be quite a bit of work, especially keeping up with it.
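
The distinction raised in the post above, between loopback block entries and other hosts-file mappings, can be checked directly. The following is an added example, not part of the thread and not code from Spybot, Spy Sweeper or Norton; the sample hosts content and the `audit_hosts` function name are constructed for illustration, and treating `0.0.0.0` as a block address is an assumption beyond what the thread mentions.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.blocked-example.test   # immunization-style block
0.0.0.0         tracker.blocked-example.test
127.0.0.1       a.example.test b.example.test
203.0.113.10    www.bank-example.test
not-an-ip       broken.example.test
"""

def audit_hosts(text):
    """Split hosts entries into loopback blocks, other mappings, and bad lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                      # address with no hostname
            report["malformed"].append((lineno, raw.strip()))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                       # first field is not an IP
            report["malformed"].append((lineno, raw.strip()))
            continue
        for name in fields[1:]:                  # one line may list several names
            name = name.lower()
            if name == "localhost" and addr.is_loopback:
                continue                         # stock entry, not a block
            if addr.is_loopback or addr.is_unspecified:
                report["blocked"].append(name)   # harmless block entry
            else:
                # Name pinned to a real address: the kind of line worth reviewing.
                report["redirected"].append((lineno, name, str(addr)))
    return report

if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(len(r["blocked"]), "names blocked via loopback/null address")
    for lineno, name, addr in r["redirected"]:
        print(f"line {lineno}: {name} -> {addr} (non-loopback mapping, review)")
    for lineno, raw in r["malformed"]:
        print(f"line {lineno}: unparseable: {raw}")
```

On Windows XP the file to pass in is `%SystemRoot%\system32\drivers\etc\hosts`; thousands of `blocked` names are expected after immunization, while any `redirected` entry deserves a closer look.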
     
  5. bunnyjo

    bunnyjo Private E-2

    By "idle" I mean that no one was using them. They were on, but not in use.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They were not in use by any physical human contact is what this means. Software is still running on your PC and there is still a connection to the internet. Thus if you have any malware issues it could be doing something. Also if you have any remote desktop type software that allows remote access, someone could potentially be using the PCs remotely (either legally or illegally).

    Please attach this log of connections that you are referring to.

    You should run the READ & RUN ME and attach the logs that are requested.
     
