Indy Sabre
Sabre Rider From Indianapolis

join:2003-10-02


1 edit

SAV 10 just started flagging hosts entries

Just tonight, SAV 10's startup auto-generated quick scan just started finding and trying to remove entries in my hosts file.

I am running the latest MVPS hosts file and SAV is finding entries such as *.mcafee.com and *.CA.com.

Just wondered if anyone else has started to see this?
PrntRhd

join:2004-11-03
Fairfield, CA
·Comcast
·Comcast Formerly ..

Re: SAV 10 just started flagging MVPS hosts entries

Oh great, now another issue with Symantec AVs conflicting with security software.
See the others:
»Norton and SpywareBlaster updates causing FP (likely)
»CCleaner now installs with adware?
Indy Sabre
Sabre Rider From Indianapolis

join:2003-10-02

Well, I may have been wrong. It kept flagging so I did a full scan and SAV found this -

Adware.SystemProcess

Updated: February 13, 2007 11:46:22 AM
Type: Adware
Version: 1.0.0.1
Risk Impact: High
File Names: ccapp.exe,navshext.dll
Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP

It was weird that I got hit with this since I surf XP in a limited account with SAV 10, Windows Defender, SpywareBlaster and MVPS hosts running realtime. I use Firefox with NoScript.

Tech details from SAV -

When Adware.SystemProcess is executed, it performs the following actions:

Creates the following files:

%System%\ccapp.exe
%System%\navshext.dll
%System%\p.dat
%System%\system.dat

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Downloads the following file:

%System%\ustart.exe (This is detected as Adware.WintaskAd.)

Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\System Process
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\anrdoezrs.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cc-dt.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dpbolvw.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\jdoqocy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net
HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tkqlhce.com

Adds the value:

"*.system-processes.com" = ""

to the registry subkey:

HKEY_USERS\S-1-5-21-448539723-413027322-839522115-1003\Software\Microsoft\Internet Explorer\New Windows\Allow

Adds the value:

"%Windir%\system32\ccapp.exe" = "%Windir%\system32\ccapp.exe:*:Enabled:System Process"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Adds the value:

"System Process Uninstall" = "%Windir%\system32\ccapp.exe UAF"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

**********

Doing Ad-Aware and Defender scans now.

MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
·AT&T Midwest
·AT&T Midwest

Re: SAV 10 just started flagging MVPS hosts entries

Welcome to the club.

»Norton and SpywareBlaster updates causing FP (likely)
»CCleaner now installs with adware?
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."
Indy Sabre
Sabre Rider From Indianapolis

join:2003-10-02


3 edits

Re: SAV 10 just started flagging hosts entries

I just checked my SpywareBlaster and I have 6 entries now disabled in IE protection like mentioned in the other thread.

Defender and Ad-Aware came back clean.

Looks like SAV FP seeing SpywareBlaster entries... sorry I jumped the gun thinking it was MVPS Hosts.

MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
·AT&T Midwest
·AT&T Midwest


1 edit

Re: SAV 10 just started flagging MVPS hosts entries

Yes, we have been having this discussion all day here in the security forum. My opinion is it is a FP that will hopefully be corrected soon by Norton.

Amysheehan has submitted the above threads to Symantec; should have answers tomorrow.
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."

amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

Re: SAV 10 just started flagging MVPS hosts entries

said by MagMan:

Yes, we have been having this discussion all day here in the security forum. My opinion is it is a FP that will hopefully be corrected soon by Norton.

Amysheehan has submitted the above threads to Symantec; should have answers tomorrow.

Yes, I have sent this topic over to Symantec for resolution.
[ This reminder - my contact probably won't get the info until early Monday morning east coast time ]

Thanks for your patience.

-amy-


--
DSLR Phishtracker
mrsplants

join:2005-10-27
East Falmouth, MA

Re: SAV 10 just started flagging MVPS hosts entries

I got this too on one of my PCs; it's in quarantine right now. I didn't know what to do about it. I don't have SpywareBlaster installed on this PC. I do have Spybot S&D and I ran that; it's OK but it didn't pick this up.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

I don't see any *.mcafee.com and *.ca.com entries, but the latest release of the MVPS hosts file does contain entries for:

ads.mcafee.com
directads.mcafee.com
sdc.mcafee.com

sdc.ca.com

SAV may be a bit paranoid for flagging those entries, but they are definitely mcafee.com and ca.com entries, and modifying the DNS response for security sites is certainly a not uncommon tactic used by malware purveyors.

I doubt that SAV is targeting MVPS. It is more likely that they just got a bit sloppy with their hosts file interpretation.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.
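
An added example, not part of the original thread and not Symantec's detection logic: a hosts-file check that separates the two cases discussed above, a security-vendor name null-routed to a loopback or unspecified address (what a blocklist such as MVPS does) versus the same kind of name pointed at a routable address (the tampering pattern). The watchlist, function names and sample file are assumptions made for illustration.

```python
import ipaddress

# Vendor domains named in the thread; using them as a watchlist is an assumption.
WATCHED = ("mcafee.com", "ca.com", "symantec.com")

def is_sinkhole(addr):
    """True for addresses a blocklist uses to null-route a name."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return ip.is_loopback or ip.is_unspecified

def watched_domain(host):
    """Return the watched base domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for base in WATCHED:
        if host == base or host.endswith("." + base):
            return base
    return None

def classify_hosts(text):
    """Return (line_no, host, addr, verdict) for entries touching watched domains."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            verdict = "block" if is_sinkhole(addr) else "redirect"
        except ValueError:
            verdict = "malformed"
        for name in names:
            if watched_domain(name):
                findings.append((n, name.lower(), addr, verdict))
    return findings

# Constructed sample: two blocklist-style entries from the post above,
# one constructed redirect to a documentation address, one look-alike name.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1    localhost
127.0.0.1    ads.mcafee.com
0.0.0.0      sdc.ca.com      # tracking host
203.0.113.7  www.mcafee.com
127.0.0.1    notmcafee.com
not-an-ip    sdc.mcafee.com
"""

if __name__ == "__main__":
    for finding in classify_hosts(SAMPLE):
        print(finding)
```

Only the "redirect" and "malformed" verdicts warrant an alert; "block" entries match what a blocklist hosts file is expected to contain.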

amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


1 edit
Full info

The first set of definitions containing the fixed script is –
Rapid Release Sequence – 75350
Version – 12th November 2007 (rev. 020)
NOTE: Please make sure to select the appropriate release for your version and Operating System.

These updates will be available using the certified definitions from the 13th onwards.

Many thanks to my friends at Symantec who worked this issue today [ a holiday ] and got back to me with the official word before 5PM Pacific !!!!

Link to rapid release definitions:
»www.symantec.com/avcenter/rapidr···oad.html

-amy-

--
DSLR Phishtracker

amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

Please post any follow-up info to this consolidated thread here »NAV/ SAV defintions release for 'weekend bug-fixes'
It will be used to follow up all the issues pre and post definitions update for more follow-thru by Symantec and the teams who work to make products interact properly for everyone's best interests.

Thank you-
amy


--
DSLR Phishtracker
(topic locked)
Saturday, 28-Nov 22:17:01 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.