#1
I was searching on Yahoo for info on gambling regulation and tried to go to an article on the Covenant Protestant Reformed Church website.
Norton A/V said 2 attacks blocked by software-clicks.com (Misleading Application Detection) and img-z.com (Fake Codec Webpage), so I went directly to the home page and tried again: cprf.co.uk. This time Norton didn't do anything; the address bar changed to wificafe-search.com, then us-euro.biz, then the website sextoyfun.com loaded. Can anyone advise what might have gone on here and if I need to worry I've been infected? Thanks for any advice.

#2
Do a default scan with MBAM and a full/deep scan with SAS; if it comes up clean, then relax.
__________________
Vista 64

#3
Run BitDefender online scan + install, update and run Spybot Search & Destroy in safe mode.
__________________
Over & Out!

#4
Quote:
#5
I've just loaded the church's homepage, without any redirects, and no exploits evident. I would guess that the link you clicked from the Yahoo search page (if that's what you did) was fake; misleading, and since following that episode you were redirected away from the real site, something quite possibly has infected you despite Norton announcing it was blocked.
I would take the scanning suggestions recommended above fairly seriously. Especially the MBAM and SAS ones; those two are darned good. No experience of the online scan so can't comment. DrWeb's Cureit is also an excellent demand AV scanner. Good removal capabilities, if that is a factor. It would probably be a good idea to run a disk clean before running the scanners.
__________________
Avast Home, MVPS Hostsfile, Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.

#6
Quote:
Hi thedman,
That alert is coming from the Intrusion Prevention Engine, which scans inbound (and outbound) network traffic and prevents such nasties from even getting into your machine. There is nothing more for you to do. The attack was blocked from infecting your machine. It should be noted that these attacks are not easy to reproduce. They may 1 in 5 times. That's what the JScript is coded to do to trick AV scanners and other web reputation crawlers.
Shane

#7
Shane,
I may be as thick as a whale omelet, but if the intrusion was successfully blocked, why did the browser redirect to a sex toys site when the url for the church (which I can verify works correctly) was entered?
__________________
Avast Home, MVPS Hostsfile, Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.

#8
Quote:
Just to clarify, when you say "works correctly", are you saying that when you visit that URL on another PC it goes to the expected page, yet on this PC it redirects you to a sex toys site?

#9
To clarify, it wasn't my computer affected; I tried the URL in the OP, cprf.co.uk as part of a troubleshoot for thedman. It worked with no indication of redirect, nothing suspicious in the webpage at all, and nothing leapt out at me from viewing the page info (using Firefox.)
The OP (thedman) apparently had the redirect when he attempted to open the same website following the intrusion attempt alerted to by Norton. As specified in the OP. Which would make me a little suspicious.
__________________
Avast Home, MVPS Hostsfile, Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.

#10
Thanks for all the advice.
It repeated every time I tried it, 4x in all. If I tried the link directly to the article on gambling, Norton picked it up, but if I tried the link to their homepage it redirected to sextoyfun. I then e-mailed the cprf to make them aware and they said they'd fix it. I've now checked again and it does seem fixed. I've done all the scans recommended and nothing has come up apart from hundreds of tracking cookies. These are low danger? BTW, should MBAM and SAS be run in safe mode or normal Windows mode? Thanks again.

#11
Quote:
Thanks for the update. So does this mean that the site was indeed infected?

#12
Quote:
Using Firefox2, with no script and adblock plus. (All other software kept very up to date.) Was still OK with scripting enabled. Thedman, what browser do you use?
__________________
Avast Home, MVPS Hostsfile, Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.

#13
Quote:
I think I may have confused people with the chronology. After having these problems (and retrying x4) I posted on here, then I e-mailed the site owner, and I got an e-mail response within a few hours to say they would change the password and reload the site. So maybe they fixed it before anyone on here tried it.

#14
Quote:
Wouldn't hurt to run a scan with MBAM, anyway, to be sure.
__________________
Avast Home, MVPS Hostsfile, Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.

#15
Quote:
Safe mode isn't needed; cookies are harmless but no need to keep em on board, so remove em. Am glad you're safe.
__________________
Vista 64