norton blocked attack - need to worry?

Discussion in 'other anti-virus software' started by thedman, Nov 21, 2008.

Thread Status:
Not open for further replies.
  1. thedman

    thedman Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    6
    I was searching on Yahoo for info on gambling regulation and tried to go to an article on the Covenant Protestant Reformed Church website

    Norton A/V said 2 attacks blocked by software-clicks.com (Misleading Application Detection) and img-z.com (Fake Codec Webpage)

    so I went directly to the home page and tried again

    cprf.co.uk

    this time Norton didn't do anything

    the address bar changed to wificafe-search.com, then us-euro.biz, then the website sextoyfun.com loaded

    can anyone advise what might have gone on here and if I need to worry I've been infected

    thanks for any advice
     
  2. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Do a default scan with MBAM and a full/deep scan with SAS, if it comes up clean then relax.
     
  3. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Run BitDefender online scan + install, update and run Spybot Search & Destroy in safe mode.
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I haven't used it in a while but if I recall correctly BitDefender's online scan setting has to be modified not to delete what it finds.
     
  5. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I've just loaded the church's homepage, without any redirects, and no exploits evident. I would guess that the link you clicked from the Yahoo search page (if that's what you did) was fake; misleading, and since following that episode you were redirected away from the real site, something quite possibly has infected you despite Norton announcing it was blocked.
    I would take the scanning suggestions recommended above fairly seriously. Especially the MBAM and SAS ones; those two are darned good. No experience of the online scan so can't comment.
    DrWeb's Cureit is also an excellent demand AV scanner. Good removal capabilities, if that is a factor.
    It would probably be a good idea to run a disk clean before running the scanners.
     
  6. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Hi thedman,

    That alert is coming from the Intrusion Prevention Engine which scans inbound (and outbound) network traffic and prevents such nasties from even getting into your machine. There is nothing more for you to do. The attack was blocked from infecting your machine.

    It should be noted that these attacks are not easy to reproduce. They may 1 in 5 times. That's what the JScript is coded to do to trick AV scanners and other web reputation crawlers.

    Shane
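The following is an added example, not code from the thread or from any of the products named in it. It models the "fires only some of the time" redirect script Shane describes, alongside the check a practitioner would use to catch it: fetch the same page many times with rotating referrers and user agents and look for any response that differs. The 1-in-5 rate, the referrer rule, the request headers and the RNG seeds are all assumptions chosen for illustration; the domain names are the ones the original poster reported.

```javascript
// Added example (not from the thread): a model of a probabilistic, referrer-
// gated redirect script, next to the repeated-sampling probe that detects it.
// Assumptions: the 1-in-5 rate, the search-referrer rule and every request
// below are constructed. Domains are those reported in the thread.

// Small deterministic PRNG (mulberry32) so the run is reproducible offline.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const CLEAN_HTML = '<html><body>Covenant Protestant Reformed Church</body></html>';
const REDIRECT_CHAIN = ['wificafe-search.com', 'us-euro.biz', 'sextoyfun.com'];

// Model of the injected script: only when the visitor arrived from a search
// engine, and only on an assumed 1 visit in 5, answer with a redirect into
// the chain instead of the real page. Everyone else sees the clean site.
function compromisedPage(request, rng) {
  const fromSearch = /yahoo|google|bing/i.test(request.referer || '');
  const fire = rng() < 0.2; // assumption: roughly 1 in 5
  if (fromSearch && fire) {
    return { status: 302, location: REDIRECT_CHAIN[0], chain: REDIRECT_CHAIN };
  }
  return { status: 200, body: CLEAN_HTML };
}

// An untampered page, for comparison.
function cleanPage() {
  return { status: 200, body: CLEAN_HTML };
}

// Constructed request variants the probe cycles through. A single visit typed
// straight into the address bar (no referrer) never triggers the model above,
// which is why one clean fetch from another machine proves little.
const REFERERS = [
  '',
  'https://search.yahoo.com/search?p=gambling+regulation',
  'https://www.google.com/search?q=cprf',
];
const AGENTS = [
  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Firefox/2.0',
];

// Fetch the same URL `samples` times with rotating referrer/UA and count the
// distinct responses. More than one distinct response means the page behaves
// differently for different visitors, which is the signature of cloaking.
function probeForCloaking(page, rng, samples) {
  const variants = new Map(); // response signature -> count
  const hits = [];
  for (let i = 0; i < samples; i++) {
    const req = { referer: REFERERS[i % REFERERS.length], ua: AGENTS[i % AGENTS.length] };
    const res = page(req, rng);
    const sig = res.status === 200 ? `200:${res.body.length}` : `${res.status}:${res.location}`;
    variants.set(sig, (variants.get(sig) || 0) + 1);
    if (res.status !== 200) hits.push({ sample: i, referer: req.referer, ua: req.ua, chain: res.chain });
  }
  return { cloaked: variants.size > 1, variants: [...variants.entries()], hits };
}

// Demo: one visit versus a few hundred against the same modelled page.
function demo() {
  const single = probeForCloaking(compromisedPage, makeRng(42), 1);
  const many = probeForCloaking(compromisedPage, makeRng(42), 300);
  console.log('one visit, no referrer ->', single.cloaked ? 'CLOAKED' : 'looks clean');
  console.log('300 visits, mixed      ->', many.cloaked ? 'CLOAKED' : 'looks clean',
    `(${many.hits.length} redirects; chain: ${many.hits.length ? many.hits[0].chain.join(' -> ') : 'n/a'})`);
  return many;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The design point is that a single fetch, or a fetch without the search-engine referrer, lands on the clean branch almost every time, so the probe has to vary the headers and repeat; with a few hundred samples the chance of a probabilistic cloak hiding completely is negligible.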
     
  7. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Shane,
    I may be as thick as a whale omelet, but if the intrusion was successfully blocked, why did the browser redirect to a sex toys site when the url for the church (which I can verify works correctly) was entered?
     
  8. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Just to clarify, when you say "works correctly", are you saying that when you visit that URL on another PC it goes to the expected page, yet on this PC it redirects you to a sex toys site?
     
  9. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    To clarify, it wasn't my computer affected; I tried the URL in the OP, cprf.co.uk as part of a troubleshoot for thedman. It worked with no indication of redirect, nothing suspicious in the webpage at all, and nothing leapt out at me from viewing the page info (using Firefox.)
    The OP (thedman) apparently had the redirect when he attempted to open the same website following the intrusion attempt alerted to by Norton.
    As specified in the OP.
    Which would make me a little suspicious.
     
  10. thedman

    thedman Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    6
    thanks for all the advice

    it repeated every time I tried it - 4x in all

    if I tried the link directly to the article on gambling Norton picked it up

    but if I tried the link to their homepage it redirected to sextoyfun

    I then e-mailed the cprf to make them aware and they said they'd fix it - I've now checked again and it does seem fixed

    I've done all the scans recommended and nothing has come up apart from hundreds of tracking cookies - these are low danger?

    BTW, should MBAM and SAS be run in safe mode or normal windows mode?

    thanks again
     
  11. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Thanks for the update. So does this mean that the site was indeed infected ?
     
  12. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    And if it was, I'm wondering why it wasn't evident from my computer?
    Using Firefox 2, with NoScript and Adblock Plus. (All other software kept very up to date.) Was still OK with scripting enabled.
    Thedman, what browser do you use?
     
  13. thedman

    thedman Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    6
    I use IE7

    I think I may have confused people with the chronology

    After having these problems and (retrying x4) I posted on here - then I e-mailed the site owner - and I got an e-mail response within a few hours to say they would change the password and reload the site

    So maybe they fixed it before anyone on here tried it
     
  14. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Maybe they did.
    Wouldn't hurt to run a scan with MBAM, anyway, to be sure.
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Safe mode isn't needed, cookies are harmless but no need to keep 'em on board so remove 'em. Am glad you're safe.
     