Norton IS Says Malware blocked from this site


#1
MarcL (Member, 27 posts)
Hello,

This may seem really strange, but my Norton Internet Security tells me that it is blocking something called "Cookie Monster" from being downloaded from this site when I try to access the forums. Afterwards, I cannot view the forums -- the page refuses to load properly and mouse clicks don't work. Can anyone help me with this? Thanks in advance.
#2
Wizard (Retired Staff, 5,661 posts)
Hi MarcL and Welcome!

I will have none of this So Called Monster defacing my good Name!!!!! :tazz:

Can you try to Start here and Get HijackThis Installed and Post the Scan Results

http://www.geekstogo..._Log-t2852.html

Post back and Let me know if you need an Alternate link to HijackThis!

#3
MarcL (Topic Starter, Member, 27 posts)
Thanks for answering so rapidly Cretemonster.

The problem is I can't log on to the site from home because I get a message from my Norton Internet Security blocking an attempt to install the "cookie monster" from the Geeks to Go site. Once I accept to block it, I can't use the site. The rest of the internet works OK though. I may have a workaround to post the HJT log though -- I'll give it a try tonight. I already have HJT installed, and I may be able to get on the GTG site via my daughter's computer, which is networked with mine. She is not running Norton IS, but only Norton Antivirus.

BTW, I was trying to go to the Forums for an issue having nothing to do with Malware when this happened.

Again, thanks for your help, and I'll try to post an HJT log when I get back from work.

#4
Wizard (Retired Staff, 5,661 posts)
OK, That's Fine, now I am going to share an option I use but seldom Advise!

In this case the Shoe will fit perfect!

Crank the PC up Tapping F8 to get to Safe Mode, Choose Safe Mode with Networking if this is a Windows 2000 model or later!

Keep in mind, you will have access to the Internet but with No Antivirus or Internet Security Blankets!

Use that option to post a single HijackThis log to this thread and then get out of that mode!

Restart Normal!

Chances are, your Internet Explorer Security Settings are at the Highest possible point and won't allow any 3rd party cookies!

There is the chance I am wrong and something is seriously screwing with the System but I figure in all likelihood it's the Security settings!

So get the HijackThis log posted and we will take it from there!

#5
MarcL (Topic Starter, Member, 27 posts)
OK, I'll do that and get the log posted. I did check my security settings in IE, though, and they are at the default settings. The message is not coming from IE, but from Norton Internet Security. It classifies the threat as Medium, not High though.

#6
MarcL (Topic Starter, Member, 27 posts)
Cretemonster, I don't know if this can help, but I found a site to download this "Cookie Monster" thing (don't know if it's the same thing that Norton is alerting me to though). It seems pretty innocuous, but that still raises the issue as to why the Geeks to Go site would be trying to unload this on my computer, at least according to Norton. Here is the description of the software I found, in case this can help you. Again, thanks for your time:

"Cookie Monster is a tool to manage and delete your browser cookies. It supports Internet Explorer, Netscape, Opera and Gecko-based browsers like Mozilla or Firefox - allowing you to manage all your cookies from a single location. Once started, Cookie Monster will list all the cookies found on your machine and then allows you to view the content of selected cookies, delete them or preserve them. The preserve function ensures that you can always delete your cookies without losing your important login cookies etc. Easy to use interface."

#7
Wizard (Retired Staff, 5,661 posts)
Don't Take it as a Geeks to Go issue, rather take it as a destination problem!

For some unknown reason, the browsers are sending a message to Norton that something is about to change which is the entire Synopsis behind Browser Hijacks!

#8
MarcL (Topic Starter, Member, 27 posts)
Hi Cretemonster (I love that name!!!)

I never meant to imply that this is a Geeks to Go issue. If this can help, the actual name of the thing is HTTP Netscape Cookie Monster. There is a description of what it does on the Norton Site. Tried again to log on to the forums and Norton blocked it again.

Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:47 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} (Sympatico E-mail Configuration Tool) - http://upgradecentre...s/emcconfig.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
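An added example, not code from this thread or from HijackThis: a small Python parser for the HijackThis v1.99.1 log layout shown in the post above, which cross-checks each registry Run-key autostart entry against the "Running processes" list, a first triage step on a log like this one. The sample lines are copied from the log above; the regexes, function names and the bare-name caveat are my own assumptions about the format.

```python
import re

# Constructed sample: a few lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
"""

# "R0 - ...", "O4 - ...": a HijackThis type code followed by the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Registry Run-key autostarts only; Global Startup (.lnk) entries are skipped here.
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def parse_hjt(text):
    # The process list runs from "Running processes:" to the next blank line;
    # everything after that is scanned for "Xn - body" entries.
    _, _, rest = text.partition("Running processes:\n")
    procs_block, _, entry_block = rest.partition("\n\n")
    processes = [p.strip() for p in procs_block.splitlines() if p.strip()]
    matches = (ENTRY_RE.match(line.strip()) for line in entry_block.splitlines())
    return processes, [(m.group("kind"), m.group("body")) for m in matches if m]

def command_image(cmd):
    # Pull the executable out of a Run-key command line (quoted or unquoted).
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]

def autostart_report(text):
    """Map each Run-key entry name to (image, status) against the running-process list."""
    processes, entries = parse_hjt(text)
    by_path = {p.lower() for p in processes}
    by_name = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    report = {}
    for kind, body in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if not m:
            continue
        image = command_image(m.group("cmd"))
        if image.lower() in by_path:
            status = "running"
        elif "\\" not in image and image.lower() in by_name:
            # Bare names resolve via the search path, so a same-named process is not proof.
            status = "running (bare name, path unverified)"
        else:
            status = "not running"
        report[m.group("name")] = (image, status)
    return report
```

Run `autostart_report(SAMPLE_LOG)` to get one entry per Run-key autostart; an entry whose image is not running, or is only a bare file name, is where a reviewer would look first.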

#9
Wizard (Retired Staff, 5,661 posts)
Now this is just bizarre, there is not the first malicious thing in that log!

Can you look at your Firewall logs from Norton and See what has tried to access the PC Inbound and what is trying to access the Internet outbound?

See if you can access this Online Scan and Run it
http://www.pandasoft...n_principal.htm

Save the Report and Post it if possible!

#10
MarcL (Topic Starter, Member, 27 posts)
Hi Cretemonster,

Bizarre, though I'm not really surprised. I run adaware and spybot every day, ewido once a week, norton antivirus once a week for a full scan, have SpywareBlaster installed as well, have a hardware firewall, and Norton Internet Security running real time. Before initially posting, I ran all the scans, and they were all clean.

I'm at work now, so can't post the log from home before tonight, but I did look at it last night after posting my HJT log, and what I found is this:

The Norton log says that it has blocked an intrusion attempt from www.geekstogo.com involving HTTP Netscape Cookie Monster, and will block the IP address for 30 minutes. That, presumably, is why I can't get on the Geeks to Go forums. If this can help you, see this link to Symantec's site:

http://securityrespo...ids/s20506.html

I have not seen any outbound attempts at all.

I'll do my best to post back tonight, but I may not be able to do so before tomorrow morning.

Again, thanks for your help.

Edited by MarcL, 24 June 2005 - 05:52 AM.

#11
Wizard (Retired Staff, 5,661 posts)
OK, that scan will only work with Internet Explorer; if that's a problem use this one

http://uk.trendmicro...call_launch.php

#12
MarcL (Topic Starter, Member, 27 posts)
I shouldn't have a problem with Pandaware -- I'll do it the minute I can and post. IE is OK, I just can't get on to this site. All others are fine.

#13
MarcL (Topic Starter, Member, 27 posts)
Cretemonster, I just got the sense of your last post. The Symantec site says it affects Netscape. I'm not using Netscape. I'm using IE. If that's the case, should I just tell Norton to ignore it? Or is there something more going on here? Still doesn't answer why NIS identifies GTG as the culprit.

#14
Wizard (Retired Staff, 5,661 posts)
That's what has me puzzled, I too have NIS and have never had this problem!

I am just playing it safe until we know more about what's going on!

Most frown on NIS but I have to say I am pleased with the Firewall Norton has!

#15
MarcL (Topic Starter, Member, 27 posts)
Hi Cretemonster. I finally got back to my computer. Panda did find two infected files, infected with Gator apparently. This is bizarre, since I had not found this with any other scan before (unless it happened since I last scanned -- I have a 10-year old daughter also using this machine). This is the type of log I get when trying to access the GTG forums:

Details: Attempted Intrusion "HTTP Netscape Cookie Monster" against your machine was detected and blocked.
Intruder: 69.65.20.162(http(80)).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: 0.0.0.0.
Attacked Port: 2616.

You can get detailed information about this attack at Symantec Security Response.

And, here is the log from the Panda Scan:

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\FT*_GEPFAH.EXE
Adware:Adware/Gator No disinfected C:\WINDOWS\FT2_0_0_629_GEPFAH.EXE

Again, thanks for your help!