Norton 2006 log viewer (system) question

Discussion in 'other software & services' started by blueplanetphoto, Feb 6, 2007.

Thread Status:
Not open for further replies.
  1. blueplanetphoto

    blueplanetphoto Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    9
    Thank you all for your information, it's been a great help. Another question.

    In the Log Viewer of Norton 2006, worm protection/system log, I see a lot of the following series of messages and cannot find out what they mean, if they are typical or indicators of something going on.

    2/3 11:13:47am IP address (192.168.1.101) has disappeared and is no longer being protected.

    2/3 11:13:53am Protecting your connection to a newly detected network on adapter "SMC EZ Card 10/100 PCI (SMC1211TX) - Packet Scheduler Miniport" (IP address: 192.168.1.101).

    2/3 11:51:15am User logged in.

    2/3 11:55:13am No user logged in.

    2/4 10:01:57am User logged in.

    2/4: 11:01:22pm Internet Worm Protection setting "Port Block Allow NetBIOS" changed.
    Old Value: 1.
    New Value: 0.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi blueplanetphoto, I'll simplify...
    you're offline
    you're online
    logged into Norton or not (yourself)
    setting now changed NetBIOS... in fact everything routine
     
    Last edited: Feb 6, 2007
  3. blueplanetphoto

    blueplanetphoto Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    9
    Meriadoc,

    Thanks. This occurs also when I'm not at the computer, at all hours of the day and night. I'm going to assume that these instances are related to application activity (email, Norton auto update, scanning, etc.) rather than me personally being online/offline?
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    192.168.1.101 is a local address, default gateway Linksys router? Everything is routine.
    Is this Norton AV and not NIS? What firewall do you have apart from Norton's Intrusion Detection?
     
  5. blueplanetphoto

    blueplanetphoto Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    9
    Yes, Linksys router. No firewall other than Windows (need to get ZoneAlarm). Also, Norton AV 2006, not NIS. MS Explorer has been very slow (as has general operations) and I noticed in the Norton log this morning new local ports being used that I haven't seen before:

    backdoor-g-1
    lotusnotes(1352) I don't have Lotus Notes
    phone(1167)
    socks(1080)

    Now and then I also get a "returned to sender" email message that is undeliverable. It is spam apparently sent from my email address.

    No virus scans detect anything, though.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    192.168.1.101 is common for Linksys. If it has a firewall, NAT, then you're very safe against intrusions and really only need a desktop firewall to stop outbound.

    Norton's Worm Protection I think is still the Intrusion Detection; some describe it as a mini firewall. This is what it is: Intrusion Detection scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, arrangements of information that identify an attacker's attempt to exploit a known operating system or program vulnerability.

    backdoor-g-1 is probably a false positive if flagged by Norton; I'd have to see the log. The operating system has assigned that port, backdoor-g, to a connection, so it's normal, as are the rest.
    Norton and the backdoor-g-1 false positive

    So it is not your mail that you have sent, just to be clear? Spam from your address? Do you have any more info on that? How does your machine feel? You say: "MS Explorer has been very slow (as has general operations)"; any other observations, errors, BSOD, pop-ups...?
    You could try an online scan at Kaspersky for a second opinion and a scan with Blacklight (Rootkit Unhooker or IceSword would be better, but with Blacklight you won't have to analyse) and SAS free.

    Would be good to check your network connections as well. Do you have any Linksys logs, and can you check what is sent/received with NAV 2006? If not, check out TCPView.
     
    Last edited: Feb 7, 2007
  7. blueplanetphoto

    blueplanetphoto Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    9
    I'll try this again. Posted a long reply, got timed out and lost it.

    sample Log entries from Norton 2006 AV, connections log:

    10:25:43 Details: Connection: mx1.blueplanetphoto.com(65.175.65.249): pop3(110).
    from C1206450-A(192.168.1.101): radius(1812).
    85 bytes sent.
    8042 bytes received.
    1:09.990 elapsed time.

    10:24:37 Details: Redirected Connection: localhost: 1029.
    from localhost: radacct(1813).
    64 bytes sent.
    89 bytes received.
    3.645 elapsed time.

    10:24:37 Details: Connection: localhost: radacct(1813).
    to localhost: 1029.
    89 bytes sent.
    213 bytes received.
    3.645 elapsed time.

    10:07:24 Details: Connection: localhost: pptp(1723).
    to localhost: 1029.
    89 bytes sent.
    212 bytes received.
    0.841 elapsed time.

    10:07:24 Details: Redirected Connection: localhost: 1029.
    from localhost: pptp(1723).
    63 bytes sent.
    89 bytes received.
    0.841 elapsed time.

    These are local ports I've never seen before. I'm used to seeing ports in the 16xx range for email, etc. and other ports 17xx that are fairly consistent. These are new, never seen before. Just wondering what it's about.

    The behavior of my system is this: while surfing or retrieving/sending email, occasionally the application will freeze. No modem activity, no CPU activity in Task Manager, but showing as "running" (sometimes, "not responding"). Other times, response is just much slower than typical for a DSL connection.

    I did run the online Kaspersky on Monday, which found 3 viruses in unopened emails in my deleted email folder. I deleted those. It didn't find anything else.

    Norton worm detection did find this on 1/29:

    Details: Attempted Intrusion "BD Duddie 3.1" from your machine against 216.15.230.2 was detected and blocked.
    Intruder: C1206450-A(192.168.1.101)(2281).
    Risk Level: High.
    Protocol: TCP.
    Attacked IP: 216.15.230.2.
    Attacked Port: 2001.

    Click the address to trace the attacker.

    No clickable link, though. This was before I ran the online Kaspersky. Nothing else detected since.
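    The posted entries are easier to reason about once each one is split into its fields. The following Python script is an added example, not code from the thread or from Symantec: it parses the connection-log and Worm Protection entries quoted above (the sample text is pasted from this post, keeping the POP3 fetch, one loopback entry and the 1/29 intrusion entry) and writes a one-line verdict per entry. The point it makes is the one the ports question turns on: Norton prints the service name beside every port number, so "radius(1812)" on the local side is just the ephemeral port Windows picked for the POP3 fetch and says nothing about RADIUS being in use, whereas an Attempted Intrusion entry whose "Intruder" is your own address is the one line that deserves attention.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: Norton AV 2006 connection-log and Worm Protection entries
# as quoted in the thread, pasted as one block (hostnames and IPs as posted).
SAMPLE_LOG = """\
10:25:43 Details: Connection: mx1.blueplanetphoto.com(65.175.65.249): pop3(110).
from C1206450-A(192.168.1.101): radius(1812).
85 bytes sent.
8042 bytes received.

10:24:37 Details: Redirected Connection: localhost: 1029.
from localhost: radacct(1813).
64 bytes sent.
89 bytes received.

Details: Attempted Intrusion "BD Duddie 3.1" from your machine against 216.15.230.2 was detected and blocked.
Intruder: C1206450-A(192.168.1.101)(2281).
Risk Level: High.
Attacked Port: 2001.
"""

# "host(ip): label(port)." where the "(ip)" part and the label are both optional.
ENDPOINT_RE = re.compile(r"^(?P<host>[^:()]+?)(?:\((?P<ip>[\d.]+)\))?:\s*"
                         r"(?:(?P<label>[\w-]+)\((?P<port>\d+)\)|(?P<bare>\d+))\.?$")
CONN_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2}) Details: (?P<redir>Redirected )?Connection: (?P<ep>.+)$")
PEER_RE = re.compile(r"^(?P<dir>from|to) (?P<ep>.+)$")
BYTES_RE = re.compile(r"^(?P<n>\d+) bytes (?P<kind>sent|received)\.$")
INTRUSION_RE = re.compile(r'^(?:\d{1,2}:\d{2}:\d{2} )?Details: Attempted Intrusion "(?P<name>[^"]+)" '
                          r"from your machine against (?P<ip>[\d.]+) was detected and blocked\.$")
INTRUDER_RE = re.compile(r"^(?P<host>[^()]+)\((?P<ip>[\d.]+)\)\((?P<port>\d+)\)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+?)\.$")


def parse_endpoint(text: str) -> Dict[str, Optional[str]]:
    """{"host", "ip", "port", "label"}; label is the service name Norton prints
    beside the port number (e.g. "radius") and is None for a bare number."""
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return {"host": m.group("host").strip(), "ip": m.group("ip"),
            "port": int(m.group("port") or m.group("bare")), "label": m.group("label")}


def parse_entry(lines: List[str]) -> Optional[dict]:
    """Parse one blank-line-delimited log entry into a dict, or None if unknown."""
    cm, im = CONN_RE.match(lines[0]), INTRUSION_RE.match(lines[0])
    if cm:
        rec = {"kind": "connection", "time": cm.group("time"), "redirected": bool(cm.group("redir")),
               "endpoint": parse_endpoint(cm.group("ep")), "peer": None, "direction": "",
               "sent": 0, "received": 0}
        for line in lines[1:]:
            pm, bm = PEER_RE.match(line), BYTES_RE.match(line)
            if pm:  # "from X": X is the local origin; "to X": the endpoint is
                rec["direction"], rec["peer"] = pm.group("dir"), parse_endpoint(pm.group("ep"))
            elif bm:
                rec[bm.group("kind")] = int(bm.group("n"))
        return rec
    if im:
        fields = {f.group("key"): f.group("val") for f in map(FIELD_RE.match, lines[1:]) if f}
        src = INTRUDER_RE.match(fields.get("Intruder", ""))
        return {"kind": "intrusion", "name": im.group("name"), "risk": fields.get("Risk Level", ""),
                "target_ip": fields.get("Attacked IP", im.group("ip")),
                "target_port": int(fields.get("Attacked Port", 0)),
                "source": {"host": src.group("host"), "ip": src.group("ip"),
                           "port": int(src.group("port")), "label": None} if src else None}
    return None


def parse_log(text: str) -> List[dict]:
    blocks = (b.strip().splitlines() for b in re.split(r"\n\s*\n", text.strip()))
    return [rec for rec in (parse_entry([l.strip() for l in b]) for b in blocks) if rec]


def is_ephemeral(port: int) -> bool:
    # XP-era Windows picks outbound source ports from 1025-5000; a port there is the
    # client side of a connection, whatever service name Norton prints beside it.
    return port >= 1024


def triage(entries: List[dict]) -> List[str]:
    """One line per entry: what it is and whether it deserves attention."""
    notes = []
    for r in entries:
        if r["kind"] == "intrusion":
            notes.append(f"PRIORITY: '{r['name']}' signature fired on traffic leaving {r['source']['ip']} "
                         f"toward {r['target_ip']}:{r['target_port']} (risk {r['risk']}); examine this host")
            continue
        ep, peer = r["endpoint"], r["peer"]
        if ep["host"] == "localhost" and peer["host"] == "localhost":
            notes.append(f"loopback: {ep['port']} <-> {peer['port']} at {r['time']}; "
                         "traffic between programs on this machine only")
            continue
        local, remote = (peer, ep) if r["direction"] == "from" else (ep, peer)
        note = (f"outbound {local['ip']} -> {remote['host']}:{remote['port']} ({remote['label']}) "
                f"{r['sent']}B out / {r['received']}B in")
        if local["label"] and is_ephemeral(local["port"]):
            note += f"; '{local['label']}' is only the name for port {local['port']}, not a program in use"
        notes.append(note)
    return notes
```

    To use it on a real log, paste the Log Viewer text into a file and call `triage(parse_log(open("norton.txt").read()))`; entries the parser does not recognise are skipped rather than misread.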
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi blueplanetphoto,
    Yes, localhost refers to the location of the currently used system.
    A connection from you to your mail server using the Post Office Protocol.
    Could be any number of things, down to Windows, a program or the machine sometimes.
    Check out your connections with TCPView or similar to check what is established and what is listening. Scan for spyware and use HijackThis; if you cannot read the HJT log, post it to a forum that analyses them or send it to me (Wilders does not allow posting of HJT logs) to rule out infection.

    'BD Duddie 3.1' from your machine against webminders.

    'Three Arch Rocks' - Nice!
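    Meriadoc suggests TCPView twice, to see what is established and what is listening. As an added example that is not from the thread, from Symantec or from Sysinternals, here is a Python script that does the same triage over the output of Windows' own `netstat -ano` (the `-o` column is the owning PID). The sample output is constructed to mirror the thread: the LAN address is 192.168.1.101, the remote hosts are the ones in the posted log, and the PIDs are invented. It separates listeners reachable from the network from loopback-only ones, calls out the NetBIOS/SMB ports that the "Port Block Allow NetBIOS" setting in the first post concerns (these should never be reachable from the Internet; the router's NAT normally sees to that), and lists connections to public addresses with the PID to look up in Task Manager or `tasklist`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `netstat -ano` output on a Windows XP machine: the LAN
# address matches the thread, the foreign hosts are those in the posted log,
# and the PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.101:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.101:1812     65.175.65.249:110      ESTABLISHED     2208
  TCP    192.168.1.101:2281     216.15.230.2:2001      SYN_SENT        3312
  UDP    0.0.0.0:500            *:*                                    740
  UDP    192.168.1.101:137      *:*                                    4
"""

NETBIOS_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and SMB over TCP


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]  # None for the UDP "*:*" placeholder
    state: str                  # empty for UDP, which has no state column
    pid: int


# State is optional because UDP rows leave that column blank.
LINE_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
                     r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


def split_addr(addr: str):
    """'192.168.1.101:139' -> ('192.168.1.101', 139); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        lip, lport = split_addr(m.group("local"))
        rip, rport = split_addr(m.group("remote"))
        socks.append(Socket(m.group("proto"), lip, lport, rip, rport,
                            m.group("state") or "", int(m.group("pid"))))
    return socks


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # '*' or another wildcard
        return False


def exposed_listeners(socks: List[Socket]) -> List[Socket]:
    """Sockets that accept traffic on a real interface, not only on 127.0.0.1."""
    return [s for s in socks
            if (s.state == "LISTENING" or s.proto == "UDP") and not _is_loopback(s.local_ip)]


def netbios_exposure(socks: List[Socket]) -> List[int]:
    """NetBIOS/SMB ports open on a non-loopback interface; verify the router blocks them."""
    return sorted({s.local_port for s in exposed_listeners(socks) if s.local_port in NETBIOS_PORTS})


def outbound_to_internet(socks: List[Socket]) -> List[Socket]:
    """TCP sockets talking to a public address, with the PID to match against tasklist."""
    return [s for s in socks if s.proto == "TCP" and s.remote_port
            and not ipaddress.ip_address(s.remote_ip).is_private]
```

    On the affected machine, `netstat -ano > netstat.txt` captures a snapshot and the three functions can be run over the file; a connection in `outbound_to_internet` whose PID does not belong to a program you recognise is the thing to chase, and `netbios_exposure` tells you which file-sharing ports are open so you can confirm the router does not forward them.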
     
  9. blueplanetphoto

    blueplanetphoto Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    9
    Thanks again. I'll run those checks as soon as I can.
     