#1
I am running W2k sp4, IE 6.0...Also running Norton Internet Security 2002. My system ran nice and smooth until I used Live Update to download the latest Norton Internet Security Program update and install it....then my system is now running like molasses. I also now have an Error code on my System Event ID 7009...and it says "Timeout (30000 milliseconds) waiting for Norton Internet Security Service to connect." I have since disabled my Norton Internet Security and my system is running fine again when connected to the internet. Any suggestions anyone? Appreciate any inputs. Thanks, astroc
Here is my HijackThis log just in case something snuck in there... Thanks again

Logfile of HijackThis v1.97.7
Scan saved at 11:36:32 PM, on 5/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Bill Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CTCBridge UTS - https://gw-r6.airline.compuserve.co...lassi/jutsi.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} - http://pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} - http://getdway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7577.8495138889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2D3C34-4BB0-4159-9BE6-F61118955CEC}: NameServer = 205.171.3.65 205.171.2.65
#2
Hi astroc,
You should get this one fixed:
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptem...iveSecurity.cab
I will move this thread to the other firewalls forum, since I think we cannot resolve this here. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#3
Hi Astroc,
It could be that the latest updates for NIS/NPF have caused problems, in particular for 2002. Here are two threads at DSLR about it:
http://www.dslreports.com/forum/rema...7452~mode=flat
http://www.dslreports.com/forum/rema...8995~mode=flat
At the moment I haven't read that whole second thread. I hope that Joseph, CrazyM, Randy or others might be able to advise you.
#4
Oops, sorry, just picked up on your similar post at Computer Cops!
No need to repeat all that here. FanJ has pointed you to the threads at BBR/DSLR that contain everything we know about this at the moment. Hoping for a fix from Symantec . . . .
__________________
Regards, Joseph V. Morris
#5
Hi,
As has been written in that second DSLR thread, the error messages are looking more or less similar to the ones you might get when you're using a big block-list. Eric Howes describes those error messages in his Readme file for AGNIS: http://www.staff.uiuc.edu/~ehowes/res/agnis.txt
It is not completely sure, however, whether it is the same situation.
Last edited by FanJ : May 17th, 2004 at 05:52 PM.
#6
Hello Everyone, just went back to the Symantec Site via Live Update and downloaded the latest NIS Security as well as the Redirector...after reboot...everything was back to normal....guess Symantec did come back from their weekend retreat and got on the ball right away. I am running NIS 2002 4.0....all ahead full speed at this point...Thanks everyone for your inputs. Regards, Astroc
#7
Sorry for the moment of excitement....it did work for a while and then it acted the same after reboot....I was being an optimist and hoping that Symantec would get on the ball on this issue. So I am back to running my system by disabling NIS totally and it is working just fine that way until there is a good permanent fix for it...
regards, astroc
#8
Quote:
I am having the same problem as you and it seems that you have sorted yours out. I am still having problems. Can you post exactly what you did and what web site you visited and how your problem got fixed? I really appreciate any help you give me please.
#9
It appears that Symantec may now have fixed this problem. See http://www.dslreports.com/forum/rema...2609~mode=flat, which apparently came out late on Friday evening.
Have any of the NIS/NPF 2002 users that experienced the problem after the 12 May LiveUpdate applied this patch; does it solve the problem?
Next question: Does this fix, primarily for NIS/NPF 2002 users, still provide a solution to the eEye vulnerabilities that started all this? (Anyone checked using eEye's Retina scanner?)
And finally, by way of feedback, just what files are changed by this update?
__________________
Regards, Joseph V. Morris
#10
Quote:
I'm a NAV2002 user only - the May 12 Redirector update gave me a "burp" and the new startup - Symantec NetDriver Monitor - which I disabled from the get-go. I did keep track of what new executes were added to my system here http://www.windowsbbs.com/showthread.php?t=30524 if it's of any help to anyone. Otherwise I've been following this issue via the threads you've been part of at the Computer Cops Symantec forum. For the time being, I'm holding off on the latest Redirector Symantec update.
Regards - Charles
#11
I had serious issues with net connectivity after downloading the May 12th Live Update. I only had connectivity about 10% of the time. Now, after the most recent update to Redirector, my net connectivity is incredibly s l o w.
Does anybody know if a new fix is due from Symantec? If not, is there a way to disable just the redirector program? Thanks
#12
It is beginning to look like there may well be two, distinct problems affecting NIS/NPF users since the 12 May LiveUpdates.
AplusWebMaster, in his thread regarding Akamai, just pointed out this little tidbit over at SANS (see http://isc.sans.org/diary.php?date=2004-05-26)
Quote:
__________________
Regards, Joseph V. Morris
#13
I'm running NIS 2002 on a Windows 2000 box - all patches applied.
I updated using LiveUpdate some days ago and since then the firewall rules are getting updated around four times a second and are bringing the machine to a halt ....
Then tried LiveUpdate, both manual and Interactive, and there are no updates available. Ran the Virus checker and there are no infections ...
I've emailed Symantec twice - with no reply. I asked them why I am bothering paying them a subscription for such horrendous service .....
Can anyone suggest what to do next - this is making this box unusable.
Ahhh - Symantec are now saying that it is a known (but not understood) error... Well that helps...
Andrew
#14
Quote:
Can we have a URL or quotation on just what Symantec is now saying? It would be most appreciated. I've seen absolutely no feedback whatsoever.
__________________
Regards, Joseph V. Morris
#15
__________________
Andrew Q: Why did the chicken cross the Moebius strip? A: To get to the other...er, um...
#16
Quote:
Unfortunately, that write-up is so vague, I can't tell if it's relevant to what I'm trying to deal with or not. I've not seen a single person mention a "LU1856" error, for example.
__________________
Regards, Joseph V. Morris
#17
Just to make my cup runneth over I now get this from LiveUpdate...
__________________
Andrew Q: Why did the chicken cross the Moebius strip? A: To get to the other...er, um...
#18
Sam,
Now tell me you didn't just fabricate that screen! Well, it had to happen to someone at some point, I suspect. What I find extremely odd, however, is the specific updates it crashed on! I've never heard of anyone having problems downloading those (specific) updates.
What version of LU (LUCOMServer.exe) do you find yourself running? I've seen different people showing everything from 1.6.x to 2.0.x.
__________________
Regards, Joseph V. Morris
#19
I'm trying to check but the box is being a "little" uncooperative
__________________
Andrew Q: Why did the chicken cross the Moebius strip? A: To get to the other...er, um...
#20
A coda to this issue:
I originally posted here - post #10 - about a new startup generated by the Redirector update of May 12 - SNDMon.exe (Symantec NetDriver Monitor). I stumbled on to what Norton was up to with this. This adds auto scheduling to LiveUpdate - adds this entry to Task Scheduler: check for updates "starting at 12.05 AM for 24 hours every day, starting 05/14/2004". There is a number two which is start looking at log in. The TS entries are disabled because I don't allow SNDMon.exe to run.
My AV version is 2002. While I'm not certain, I think this was added to 2000, 2001, and 2003.
The help file entry on frequency for LU: From the LU help file:
Quote:
Note: (ISDN users only) By default, automatic LiveUpdate checks for updates to Norton AntiVirus every four hours, when your computer is connected to the Internet. If you have an ISDN (Integrated Services Digital Network) router that is set to "Automatically Connect," you could be incurring connection and phone charges every time automatic LiveUpdate runs. If this is a concern, you can disable automatic connection on your ISDN router, or disable automatic LiveUpdate. Copyright© 2000-2002 Symantec Corporation. All rights reserved.
Regards - Charles
#21
Charles,
Good to see you back! I see you've found the thread (and presumably the fix for NIS/NPF 2002 users on both Win NT/2K/XP and Win 9x/ME buried therein) from browsing the other thread, so I won't bother to reference it again.
But, what you say below is very interesting, nevertheless:
Quote:
So, here's what I'm wondering: Could it be related to the version of LiveUpdate in use? (Or possibly to LiveReg?)
I have not updated LiveUpdate and my version of LUCOMServer.exe is still 1.6x. (Indeed I wasn't offered an update to LiveUpdate itself.) There's also a LU 1.8x out there and a LU 2.x was released in Jan 2004, as I recall. So, which are you running?
I'm wondering (again in the NIS/NPF 2002 context) if maybe I'm running an unexpected version of LU and if this is what's causing the roll-back that's giving us so much grief on the re-boot?
The other possibility involves the LiveReg updates, which I did not install (at all), whereas I notice that you apparently did. Any thoughts?
__________________
Regards, Joseph V. Morris
#22
Hello Joseph,
As per your request:
My version of LU: v2.0.39.0
Date modified: Jan 02, 2004
Want to reiterate that I'm running NAV2002 only, so the NIS issue I think is probably separate. On another forum, there was a post from a NAV2000 user - also sans NIS - asking what/why of SNDMon.exe, which is why I'm making the assumption about pre NAV2004 users getting this LU scheduling option. I'm thinking of asking via a thread for general confirmation of this on that forum.
Regards - Charles
#23
Quote:
Quote:
Quote:
Interestingly, I was still running NIS 2001 (3.x) FE on this Win 98 SE box when I installed LU 2.x. It immediately blew out the NAV component and I could not get it re-installed. (I've got a long and very heated dialog about that over at BBR/DSLR.)
__________________
Regards, Joseph V. Morris
#24
Hello Joseph,
I've asked others running pre NAV2004 Symantec AV's to confirm whether the May 12th update gave them the scheduling option: So that you can monitor the responses if you wish: http://www.windowsbbs.com/showthread.php?t=31813
Also feel free to make suggestions or add additional questions.
Regards - Charles
#25
Keep an eye peeled for sndupdater.exe in the near future from Liveupdate.
__________________
Regards, Joseph V. Morris