• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos0

Collection of odd Norton behavior. Help please!

            Sorry, this post is long, but as you’ll see what has me worried is a whole collection of odd (mostly Norton) behavior. Hopefully some of you can help me out.

            About ten days ago, Norton (Norton Internet Security) registered an Intrusion Prevention event while I was surfing online, with no action needed on my part. I’ve since run a Norton full scan many times, always getting “No Threats Found”; I’ve also run Norton Power Eraser (NPE) several times, always getting “No Risks Found”. Nonetheless, since the Intrusion Prevention event (The Event), I’ve noticed several kinds of odd behavior, mostly concerning Norton.

Unusual NPE behavior since The Event:

1. Once, after NPE rebooted my computer, the scan simply failed to occur. It was only after I restarted my computer again that the scan occurred. (I have a vague memory of this happening on one other occasion before The Event.)

2. Once, NPE stalled upon start-up, giving me something like the following message: “Norton Power Eraser has successfully restored the Internet connection. Hosts file and Norton Power Eraser proxy settings may have been modified.” (This was copied and pasted from an old-ish Norton Community post; I think the message I got was slightly different.) I was then given the option of continuing, did so, but then NPE fully stalled (I forget what words NPE was then displaying).

3. Many times, NPE has stalled upon start-up while “Checking for new version”. (This continues to happen about 50% of the time I run NPE. When it happens, I can exit NPE using Windows Task Manager and then try again. In fact, it now almost always stalls the first time I try NPE; and it almost always works fine the second time after using Windows Task Manager to exit my first, stalled attempt.)

Other unusual Norton behavior since The Event:

4. Just this morning, I ran a Norton full scan, and it seemed to run especially quickly; the whole scan took only 8 minutes. (I don’t know why, but a full scan usually scans around 570,000 files, but sometimes only around 310,000 files. This time it did the latter, but 8 minutes nonetheless seems quite short even for a 310,000 files scan. But maybe right now I’m just primed to notice things I didn’t before.)

5. In my Norton logs, just about 15 minutes after The Event, a "Norton Product Tamper Protection" event appears. (Activity: Unauthorized access blocked (Set Registry Security Key). Actor: C:\WINDOWS\SYSTEM32\SVCHOST.EXE. Target: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\ROOT\LEGACY_BHDRVX64\0000\Control.) Many such events appear in my Norton logs, and researching on Norton Ccommunity it sounds like nothing to worry about. However, this particular such event occurs in the morning, an unusual time compared to the other such events appearing in my Norton logs. (They usually appear in the evening, but occasionally in the morning.)

Other unusual non-Norton behavior since The Event:

6. I use Dragon NaturallySpeaking (DNS) voice dictation software. Once, starting up DNS, it took forever for it to load. (Sometimes it is slow to load; I suspect that’s when Norton is running background tasks. But this was an exceptional case; it was taking so long I exited DNS using Windows Task Manager before it fully started up.)

7. Sometime webpages seem to load a bit slower than usual … maybe. I’m actually unsure about this. Maybe I’m just primed right now to pay attention to how long webpages take to load.

8. Once, starting my computer up, Windows spontaneously decided to give me the option to run a Windows Memory Diagnostic test. (I went with the option, and the test came back clean.) Since this concerns hardware, it’s hard to imagine it’s related to any of the above, but I thought I would still mention it. (I think this has happened twice before The Event, several years ago.)

No one of these things alone (including The Event itself) would have me very worried, but it’s the whole collection that makes me wonder if something undesirable has occurred/is occurring.

Any thoughts about what might be going on? Maybe this is all coincidence and nothing to worry about? A Norton installation that has now gotten buggy? Malware that Norton is not detecting? (I came across one Norton Community post, by delphinium, which makes the claim, “Some malware interferes with internet access and can prevent security programs from operating properly.”)

Suggestions for what to do? I’d appreciate any help.

Thanks!

RubeCube

Replies

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Hi Rube.Cube:

If the event logged in your Norton security history states that no further action is required then you shouldn't be overly concerned.  You might have visited a website that was doing something suspicious (e.g., trying to redirect your browser to a third-party site, running JavaScript for a bitcoin miner, etc.) but it sounds like Norton was able to block the intrusion. If you want to post details about the attempted intrusion then double-click the entry in your security history to view the details, click the Copy to Clipboard link, and then paste the details in your next post.

Two further comments about your observations:

Norton Power Eraser

Norton Power Eraser (NPE)  is a very aggressive scanner that is designed to be used as a rescue tool in emergency situations when your operating system becomes unstable or you believe you have deeply embedded malware that cannot be detected by a standard antivirus / anti-malware scan - see the warning on the NPE home page at https://us.norton.com/support/tools/npe.html, which states "Because Norton Power Eraser is an aggressive virus removal tool, it may mark a legitimate program for removal. However, you can always undo the results of a scan."  Most users in this forum recommend Malwarebytes Free (for Win 7 and higher go to https://www.malwarebytes.com/mwb-download/; for Win XP/Vista go to https://downloads.malwarebytes.com/file/mb3_legacy) for running second-opinion scans to look for threats that might have been missed by a Norton Full System Scan.  See hints in BevStra's thread MyWay Search for hints on installing and scanning with Malwarebyes Free.

There are several examples in this forum where the NPE flagged legitimate programs for removal, including important Windows system files and registry entries.  For example, see Calvin5's thread iqvw64e.sys Identified as a Threat that describes how many users with Dell computers reported that NPE removed the Intel Network Adapter Diagnostic Driver iqvw64e.sys and corrupted their Dell Support Assistant.  As SendOfJive noted <here> in Calvin5's thread:

"One thing to keep in mind is that NPE does not positively detect known malware - that is the job of your regular Norton Security product.  NPE instead looks for files that might warrant investigation if you suspect that you are infected and regular scans come up clean.  NPE will flag many legitimate files, so never assume that what NPE finds is truly malicious."

Unauthorized Access Blocked Messages by Norton Product Tamper Protection

These Unauthorized Access Blocked messages are generally harmless and can be safely ignored.

Norton Product Tamper Protection (NPTP) logs one of these Unauthorized Access Blocked messages every time a Norton file or registry entry (the "target") is touched by a non-Norton executable (the "actor") that tries to read/write/edit/delete the Norton file or registry entry.  Legitimate Windows system files like svchost.exe, defragntfs.exe, etc., will cause NPTP to log one of these Unauthorized Access Blocked messages, and I also see these so-called "blocks" for trusted programs like Process Explorer, Malwarebytes, etc. logged at Security | History | Show | Norton Product Tamper Protection.

I have a NPTP Unauthorized Access Blocked message logged for a similar Norton "target" registry entry as you (note that I have a 32-bit / x86 operating system) every time I boot up my computer .  In this example the "actor" is my Windows Services Host Process svchost.exe.

------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos0

Re: Collection of odd Norton behavior. Help please!

Hi Imacri.

Thanks for your detailed response!

Re. the Intrusion Prevention event, I would have otherwise thought exactly what you say, i.e., nothing for me to worry about. It's the fact that all this odd behavior, esp. odd NPE behavior, came so soon after that Intrusion Prevention event that left me wondering if something else got through undetected (even if something was indeed successfully blocked).

Do you think it's just a coincidence that this odd behavior began soon after the Intrusion Prevention event?

I understand what you say about NPE. But I've at least never had an issue with it marking/removing legitimate files, so I use it every once in awhile to be on the extra-safe side. In any case, whether or not I should be using NPE in this way, as mentioned, it's the fact that this odd NPE behavior (and other odd behavior) began soon after the Intrusion Prevention event that has me wondering.

I don't see the "Copy to Clipboard" link looking at the details of that Intrusion Prevention event in my Norton history logs. But it does indeed say the following:

"Status: Blocked"

"Recommended Action: No Action Required".

In case this helps, it also says the following:

"IPS Alert Name: Malicious Site: Malicious Domain Request 22"

"Traffic Description: TCP, https"

"Network traffic matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE".

I might give Malwarebytes a shot later tonight or tomorrow, when I have more time. If I come up with anything interesting, I'll let you know.

Thanks again,
Rube.Cube

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Rube.Cube:

...I don't see the "Copy to Clipboard" link looking at the details of that Intrusion Prevention event in my Norton history logs....

Hi Rube.Cube:

Sorry, I recently performed a clean re-install of Norton and wiped my security history, but my post in VWood's thread Norton Keeps Deleting .EXE Files has an image of the Copy to Clipboard link I'm referring to. The example I used in that thread was for a false positive detection for a well-known diagnostic utility called Farbar Recovery Scan Tool (FRST.exe) that Norton detected as WS.Reputation.1 and removed from my system.  You might want to read through that post since it has useful instructions on how to upload executable files [or their SHA-256 hash (digital fingerprint) if Norton has removed / quarantined the file] to VirusTotal.com for further analysis to see if other antivirus scan engines like Bitdefender, McAfee, Kaspersky, etc. also detect the file as suspicious / malicious.  It's possible the log for your Intrusion Protection detection doesn't have one of these Copy to Clipboard links, so don't worry if you can't find it.

..."Status: Blocked"

   "Recommended Action: No Action Required".

In case this helps, it also says the following:
   "IPS Alert Name: Malicious Site: Malicious Domain Request 22"

The Symantec Security Center description for Malicious Site: Malicious Domain Request 22 states in part "You have been prevented from accessing a known malicious IP address. It is recommended that you do NOT visit this site...Symantec's Network Threat Protection solution has prevented any potential infection attempts from occurring.".  Your detection log says the connection was blocked so it's very unlikely you were infected, but if the domain name and/or IP address wasn't logged in your security history we won't be be able to tell what site you were visiting that caused this alert in the first place.

...I understand what you say about NPE. But I've at least never had an issue with it marking/removing legitimate files, so I use it every once in awhile to be on the extra-safe side. In any case, whether or not I should be using NPE in this way, as mentioned, it's the fact that this odd NPE behavior (and other odd behavior) began soon after the Intrusion Prevention event that has me wondering...

Just use extreme caution when running the NPE, and never allow it to remove a "potential" risk unless you're 100% certain it's a legitimate threat and can be safely removed by the NPE without damaging your operating system.  See see Larry_A's thread Ran NPE And Now Computer Won't Boot to Windows for one example of a worst case scenario where the NPE did serious damage to the Windows system files.

We need to know detailed information about the files and/or registry entries NPE flagged as a "potential" risk before we can determine if you have any cause for concern.  See the NPE support article View Norton Power Eraser Scan Logs for instructions on how to view scans logs of previous NPE repair sessions.
------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos0

Re: Collection of odd Norton behavior. Help please!

Thanks, Imacri, for the further helpful info and thoughts!

Yeah, I don't have the "Copy to Clipboard" option. Maybe because I'm using Norton for Windows 7?

I'm not sure what file you're talking about that I could consider uploading to VirusTotal.com. Do you mean the file mentioned in what I copied and pasted from the Norton log, namely, \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE? I'm not sure how to find that file using that location description. But I can find C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE. Is that the file you have in mind?

So I finally got Malwarebytes installed. The Threat Scan identified 6 threats/PUPs, 3 registry keys, and 3 registry values; I had all 6 quarantined/removed. All 6 had "Microsoft", "Internet Explorer", and "Searchscopes" in their names/location descriptions. I'm guessing all 6 pre-dated this recent Intrusion Prevention event (perhaps even came installed on my computer when I bought it), but of course I don't know that for sure. I also then ran a Custom Scan on my hard drive, and it came back clean.

After quarantining/removing those 6 items, I ran NPE and it worked just fine on the first attempt, which is a bit interesting.

Thoughts on this Malwarebytes stuff?

Given that Malwarebytes seems not to have come up with anything interesting, are you inclined to see my recent odd NPE behavior soon after the Intrusion Prevention event as just coincidence? Or maybe those 6 items had something to do with it, given my most recent use of NPE worked just fine...?

Any other precautionary suggestions?

Other anti-malware software?

Given my recent odd NPE behavior, do you think it would make sense for me to uninstall and then re-install Norton? I'm thinking that might be wise. If I were to do that, would my computer be safe during the process?

BTW, unless I'm misunderstanding you, the last paragraph in your most recent comment in this thread does not apply to me. I've been getting some odd behavior when running NPE recently, but once I get it to run, it comes back with "No Risks Found". (If I remember correctly, the very first time I ran NPE over a year ago, it identified two files as potential threats. I didn't know what those files were, and I now don't remember their names, but I had them quarantined/removed and my computer continued to run fine. A few months later it identified a Word doc of mine as a potential threat, so I just ignored that. Those are the only times it has identified anything as a potential threat.)

Thanks again,

Rube.Cube

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Rube.Cube:

...So I finally got Malwarebytes installed. The Threat Scan identified 6 threats/PUPs, 3 registry keys, and 3 registry values; I had all 6 quarantined/removed. All 6 had "Microsoft", "Internet Explorer", and "Searchscopes" in their names/location descriptions. I'm guessing all 6 pre-dated this recent Intrusion Prevention event (perhaps even came installed on my computer when I bought it), but of course I don't know that for sure. I also then ran a Custom Scan on my hard drive, and it came back clean....

Hi Rube.Cube:

Sorry, I was just suggesting that you read the comments about VirusTotal in VWood's thread Norton Keeps Deleting .EXE Files for future reference.  If the details of the Intrusion Protection log for your Malicious Site: Malicious Domain Request 22 detection don't include the URL (http://...) of the web site that Norton blocked then you won't be able to submit the URL at https://www.virustotal.com/gui/home/url for further analysis, so in this case VirusTotal won't be of any help to you.

If you have any concerns that you still have remnants of malware or a lower-risk PUP (e.g., a potentially unwanted program like a browser hijacker) affecting your system performance then I'd suggest posting in Malwarebytes' Windows Malware Removal Help & Support board.  One of their trained malware removal specialists will be assigned to your case and check your system to ensure it's not infected.  See AdvancedSetup's post I'm Infected - What Do I Do Now? for instructions on how to include your Malwarebytes Threat Scan log and Farbar Recovery Scan Tool (FRST) diagnostic logs in your first post in that malware removal board.

If you are still experiencing issues after Malwarebytes has confirmed your system is clean, be sure that you have run a few manual LiveUpdates and then check at Help | About to ensure your Norton Internet Security (NIS) is fully patched to v22.17.1.50 (released 29-Apr-2019).  Some of the glitchy behaviour you've been seeing lately might have started after this update was applied to your computer, and it might be worth trying a re-install of NIS. The Norton Remove and Reinstall (NRnR) tool at https://www.norton.com/nrnr will refresh your Norton installation - just make sure you run consecutive LiveUpdates after NIS is re-installed to make sure you're fully patched.  If you prefer, I can also post instructions for a clean re-install of NIS that is more thorough than the NRnR tool and will wipe Norton off your system before the program is re-installed.
------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos0

Re: Collection of odd Norton behavior. Help please!

Thanks, Imacri, for the even further thoughts!

Gotcha re. VirusTotal.

Thanks for the info on malware removal specialists. I'll hold off for now but keep the possibility in mind.

What exactly is a browser hijacker? Might both Norton and Malwarebytes miss certain browser hijackers? Would re-installing Firefox (the browser I use) be a way of ensuring my browser is free of browser hijackers?

I checked and my version of Norton is indeed v22.17.1.50. And, as a matter of fact, two of the kinds of odd NPE behavior I mentioned in my original post began around April 29 (one began on April 29, the other on April 30). So I'm now quite inclined to think that all of this is a combination of (i) significant coincidence in the timing of several independent issues, and (ii) given these issues, my simply paying more attention to how long certain computer processes (like a Norton full scan) take.

However, I did run NPE again and on my first attempt it stalled on "Checking for new version". So my installation of Norton does remain glitchy. If you're willing, I'd appreciate you posting the instructions you mentioned on a maximally clean re-install of Norton (a full wipe + completely new installation).

If I do a clean re-install of Norton, will my computer be safe in the interim?

Cheers,
Rube.Cube

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Rube.Cube:

....Thanks for the info on malware removal specialists. I'll hold off for now but keep the possibility in mind.

What exactly is a browser hijacker? Might both Norton and Malwarebytes miss certain browser hijackers? Would re-installing Firefox (the browser I use) be a way of ensuring my browser is free of browser hijackers?...

Hi Rube.Cube:

If full system scans with Norton and Malwarebytes do not detect any further threats but you suspect you still have a hidden infection then have a trained malware removal specialist do a thorough check of your system as suggested. <above>.  If your system is infected they should be able to diagnose the cause and provide a targeted solution.  Reinstalling Firefox as described <here> would likely have little effect if your browser was infected because your configuration settings and add-ons are stored separately in your hidden Firefox profile folder and would be restored as soon as Firefox was reinstalled.

See the Wikipedia article Browser Hijacking, which states:

"Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue."

As a general rule, antivirus programs like Norton specialize in protecting you against high-risk malware like virus, trojans, worms, etc. that can damage your operating system, while anti-malware scanners like Malwarebytes are better at detecting lower-risk PUPs (potentially unwanted programs) like adware, browser hijackers, unwanted toolbars, etc.

You can install a reputable ad blocker like Adblock Plus or uBlock Origin in your browser that will help block adware and domains that are known to spread malware.  Browser toolbars and other PUPs are often bundled with installers for free utilities and software programs like CCleaner, Adobe Flash, etc. and can be installed without your knowledge. See How-To Geek's PUPs Explained: What is a “Potentially Unwanted Program”? and Emsisoft's Top 10 Ways PUPs Sneak Onto Your Computer And How To Avoid Them for tips on how to prevent these types of PUPs from being installed on your system.

I'll post instructions for a clean reinstall of NIS in a separate reply.
------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Rube.Cube:
...If you're willing, I'd appreciate you posting the instructions you mentioned on a maximally clean re-install of Norton (a full wipe + completely new installation).

If I do a clean re-install of Norton, will my computer be safe in the interim?

Hi Rube.Cube:

Here are the instructions for performing a clean reinstall of the latest available Norton Internet Security (NIS) on a Win 7 or higher PC.  Post back before starting if you have any other Norton products installed like Norton Utilities, Norton Ghost, etc. that could be removed / damaged by this method and I'll provide revised instructions. You shouldn't be overly concerned about being infected during the short time that Norton is uninstalled as long as you aren't browsing the internet, but I've modified the instructions slightly so you can perform the reinstall using the full offline (standalone) installer while disconnected from the internet.

  1.  Download the Norton Remove and Reinstall tool (NRnR.exe) from https://www.norton.com/nrnr and save to your desktop.  
  2. Download the latest offline installer for Norton Internet Security (NIS) at https://www.norton.com/latestnis and save to your desktop (see note below for installers for other Norton products).
  3.  Disconnect from the internet.
  4. Uninstall Norton from the Control Panel and choose the option to "Please remove all user data" as shown in the image below. [Warning: This option will remove additional static data files (e.g., .txt, .dat, .log, etc.) like your security history logs and personalized configuration settings].
  5. Double-click the Norton Remove and Reinstall tool and run in advanced "Remove Only" mode (Advanced Options | Remove Only | Remove) to wipe most of the orphaned files and registry entries left behind during the Control Panel uninstall.  [Warning: The advanced "Remove Only" mode of the NRnR tool can remove or damage other Norton products like Norton Utilities, Norton Family, Norton Ghost,etc.]. After you click Restart Now and your system re-boots you should see a pop-up with on-screen instructions on how to re-install Norton by downloading the small online "stub" installer from your Norton Account. Ignore those instructions and close the pop-up.
  6. Double-click the full offline installer on your desktop to reinstall Norton.
  7. Reconnect to the internet.
  8. Run multiple LiveUpdates until no further updates are available and re-boot.  Continue this cycle of LiveUpdates and re-boots until Help | General Information | About shows that you are fully patched to the latest Norton version.

If your main Norton interface does not show the correct number of days remaining on your subscription go to Help | Account Information | Subscription Status to sync to your Norton account.

If the download link at https://www.norton.com/latestnis does not offer the correct Norton Internet Security (NIS) installer for your language/region (e.g., NIS-EDS-Def-22-17-1-50-EN.exe for English-US) or you are installing on a Win XP or Vista computer that requires a legacy v22.15.2.22 installer then post back before proceeding to STEP # 3.  Here are links to the latest available offline installers for Norton Security products that other users can substitute in STEP # 2:
    Norton Security Standard or Deluxe: https://www.norton.com/latestns      (no Norton Backup)
    Norton Security Premium:                   https://www.norton.com/latestnsbu  (with Norton Backup)
------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos0

Re: Collection of odd Norton behavior. Help please!

Thanks, Imacri, for further info, answers to questions and detailed instructions!

Sorry, I guess I should have just Googled to learn what a browser hijacker is.

I do already use uBlock Origin. (Perhaps you're starting to realize that my knowledge of computer security stuff is hit-or-miss.)

My only Norton product is NIS, so I don't need revised instructions, but thanks for the offer.

I haven't yet done the un-install + clean re-install, but probably will soon when I get a bit more time on my hands.

A few more questions, if you're willing. (I could also just Google for answers, but you seem really knowledgeable so I thought I'd see what you say.)

It is common for Norton to be running/doing tasks in the background (esp. when you haven't been using your computer for a bit), right? So that software might run slower until Norton is done with these tasks?

My current computer is over seven years old, and I've thus started having thoughts about getting a new one. So:

If there is malware on my current computer, do I have to worry that it will also end up on my new computer? I assume I do only if the malware has infected those files I transfer to my new computer. Is that assumption correct?

The files I would transfer are: some old MS Works files, Word Doc files, PowerPoint files, PDFs, and photos (mostly JPEGs, but also a few PNGs). Maybe some video files in the future, if I end up trying out the video function of my new camera. And maybe a file that saves my Firefox bookmarks, if I figure out how that works (I'm not sure what kind of file that would be). Is it at all common for malware to infect any of those kinds of files?

Cheers,

Rube.Cube

Kudos2 Stats

Re: Collection of odd Norton behavior. Help please!

Hi Rube.Cube:

Your questions are getting a bit off-topic but I'll see if I can provide some context.

... It is common for Norton to be running/doing tasks in the background (esp. when you haven't been using your computer for a bit), right? So that software might run slower until Norton is done with these tasks?

 As a general rule, the background tasks listed at Settings | Administrative Settings | Background Tasks | Configure like Automatic LiveUpdates, Quick Scans, etc. will only run when your system is idle (not in use) so they don't consume system resources or interfere when other programs are running on your computer - see the support article Monitor Norton Background Tasks.  If you bring your system out of idle by using an input device like a keyboard, mouse or touchpad any unfinished Norton background tasks will temporarily pause (the Status of the task will change from "Running" to "Canceled") and will try to run to completion the next time your system goes back into idle mode.

.... If there is malware on my current computer, do I have to worry that it will also end up on my new computer? I assume I do only if the malware has infected those files I transfer to my new computer. Is that assumption correct? ...

No, that's not entirely correct. If your main hard drive is infected with a self-propagating virus or worm it's even possible that you could infect your backup media [e.g., an external backup drive or thumb drive (USB stick) that you plug in to your "old" infected computer] and then infect your "new" computer by simply plugging in that infected backup drive without actually transferring any files between computers or taking any further action.  See the Norton blog entry What is a Computer Worm, and How Does it Work?.

The files I would transfer are: some old MS Works files, Word Doc files, PowerPoint files, PDFs, and photos (mostly JPEGs, but also a few PNGs)....Is it at all common for malware to infect any of those kinds of files?

It's more common for executable and compressed files (e.g., .exe, .zip, etc.) like software installers to contain malware but yes, all those file types you've mentioned can be infected with malicious code like macros and Javascript that can execute when you open the file - especially if you use older, unsupported PDF readers and/or MS Office suites (e.g., MS Office 2003 or 2007) or if you open .pdf, .doc(x), .ppt(x) or other files that were sent to you via an e-mail or downloaded from the internet. See the Microsoft support article Macro Malware for one method of hiding malware inside MS Office documents, as well as the SOPHOS Security article How PDFs Can Infect Your Computer, and the PCWorld article Watch Out for Photos Containing Malware.  These infected files are usually delivered as e-mail attachments or downloaded from infected websites - if you're asking about documents or images files you created yourself then the risk of infection is obviously much lower.

... And maybe a file that saves my Firefox bookmarks, if I figure out how that works (I'm not sure what kind of file that would be)....

For future reference, use the backup/restore feature described in the Mozilla support article Restore Bookmarks From Backup or Move Them to Another Computer to transfer bookmarks (saved as a .json file) to another Firefox browser.  Note that a restore will wipe the current bookmarks in the target browser and replace them with the backup set of bookmarks.

See Export Firefox Bookmarks to an HTML File to Back Up or Transfer Bookmarks if you are exporting from Firefox and importing into a different browser like Internet Explorer, etc.
------------
32-bit Vista Home Premium SP2 * FF ESR v52.9.0 * NS Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1

Kudos0

Re: Collection of odd Norton behavior. Help please!

Thanks, Imacri, for further info and helpful links! You've been super-helpful, much appreciated!

Take care,
Rube.Cube