#1
"System infected" pop-ups
Over the past two weeks I have had pop-ups come up and tell me I'm infected. Then a very official Windows Explorer type box comes up with bogus directory info. It's not from Nod32. The first time I was surfing some Face member's pics with my cookies on. Today my second time I was simply surfing junk from a link on MSN. My cookies were off. My first time I couldn't close IE, I had to stop the process in Task Manager. It closed normally today. I ensured I had the latest signature and scanned. Everything was clean. A novice user will be taken in by these instantly.
#2
If you are currently infected but do not necessarily know it.
__________________
siljaline MS MVP Alum . MVPS HOSTS . Rename Hosts . ESET for Business . 10 Immutable Laws of Security . System Lookup . ESET Threat Blog . MBAM
#3
I believe that what you are seeing are fake, javascript-crafted windows in IE that are designed to look convincing. Clicking anywhere on them (even the red 'X' or the Cancel button!) will initiate the download of nasties, but if you killed it with the task manager, then you should be A-OK.
To be clear: The source of the popups was a webpage you were browsing. Probably a hijacked banner-ad using flash, or else an iFrame injected into the trusted page to redirect you to the fake 'scan window'. This is why it's always nice to block flash and javascript.
#4
Nod32 scans without finding any bugs. I don't see anything loading with Autoruns, CCleaner's startup list or in the Task Manager. This is a good reason to use IE 64 as long as flash doesn't work, or flip over to VirtualBox and run a Linux flavor. I don't think some super stealth rootkit would do this. Would it?
#5
Well, a second-opinion scan with Hitman Pro (http://www.surfright.nl/en/hitmanpro) and/or MBAM (http://www.malwarebytes.org/mbam.php) would be good.
__________________
Last night I lay in my bed looking up at the stars in the sky and I thought; Where the heck is my ceiling?!
#7
Thanks for the help. I run ESET Rogue Antivirus and it came back in seconds reporting my system was clean.
I installed Malwarebytes and to my dismay it found 3 items. I don't think they amount to anything but how did they get past my Nod32.

Malwarebytes' Anti-Malware 1.44
Database version: 3766
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/20/2010 8:07:47 AM
mbam-log-2010-02-20 (08-07-41).txt

Scan type: Full Scan (C:\|D:\|F:\|H:\|)
Objects scanned: 297001
Time elapsed: 23 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay (Hijack.Tray) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\super_pi_mod.exe (Malware.Packer.Krunchy) -> No action taken.
#8
I have been doing some reading and it appears that Hijack.DisplayProperties may be a system file. I just scanned my wife's and it's there also.
Hijack.Tray - I am still reading on but I don't believe I got infected. It may have been in the OS. super_pi_mod.exe - has reports all over of causing false positives. I did use that program. I knew Nod32 wouldn't let me down!
#9
Plus registry settings in HKCU/HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies can be modified by malware as well as by administrators.
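A small triage helper for the Malwarebytes log layout pasted in post #7, written for this thread as an added example (it is not Malwarebytes' code and uses a constructed excerpt of the posted log): it parses each detection line and, following the point in post #9, separates values under Policies\... (which an admin or GPO may legitimately set, so intent has to be confirmed before reverting them) from flagged files that deserve a second-opinion scan.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt laid out exactly like the Malwarebytes 1.44 log in post #7.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay (Hijack.Tray) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\super_pi_mod.exe (Malware.Packer.Krunchy) -> No action taken.
"""

# One detection line: "<path> (<detection name>) -> [Bad: (x) Good: (y) ->] <action>."
# The lazy path group lets paths containing "(x86)" still parse correctly.
ITEM = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?(?P<action>.+?)\.?$"
)

@dataclass
class Detection:
    section: str
    path: str
    name: str
    action: str
    bad: Optional[str]
    good: Optional[str]

    @property
    def is_policy_value(self) -> bool:
        # Policies\... values are admin/GPO settings that malware also flips (post #9).
        return self.section.startswith("Registry") and "\\Policies\\" in self.path

def parse_mbam_log(text: str) -> list:
    """Walk the per-section detail part of the log and collect every detection."""
    found, section = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ITEM.match(line)
        if line and not line.startswith("(") and m:   # skip "(No malicious items detected)"
            found.append(Detection(section, m["path"], m["name"], m["action"], m["bad"], m["good"]))
    return found

def triage(text: str) -> dict:
    """Split detections into policy values to verify against intent and files to re-scan."""
    out = {"verify_policy": [], "rescan_file": []}
    for d in parse_mbam_log(text):
        out["verify_policy" if d.is_policy_value else "rescan_file"].append(d.path)
    return out
```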
#10
super_pi_mod.exe "seems" to be a false positive by Malwarebytes. If this is the case, your system would presumably be clean.
Quote:
__________________
siljaline MS MVP Alum . MVPS HOSTS . Rename Hosts . ESET for Business . 10 Immutable Laws of Security . System Lookup . ESET Threat Blog . MBAM
#11
With the pop-ups there, the system can never be clean.
Please try Hitman Pro, Superantispyware free and another AV scan.
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,
#12
The pop-ups only came up twice during an Internet session. They were no different from the ones coming up with other messages like "Do you want to log off" or "Win a laptop" etc. The bad guys are just using these pop-ups to get people to click the link. I have friends that have clicked, paid and got infected. I knew it wasn't a Nod32 warning and Windows doesn't warn me through the Explorer. New users can be drawn into this scam very easily. I'm sure my system is clean. I do surf Facebook now with one of my Linux distros.
Thanks to everyone for the help and tips with this issue.
#13
Quote:
This isn't strictly true. Injected iFrames and poisoned advertisements can launch javascript redirects in your browser. The javascript itself can't infect you, but it can trick you into infecting yourself or can exploit unpatched vulnerabilities to infect. The popup itself is not always an indication of infection. For example, if you whitelist javascript on a per-site basis (HIGHLY recommended for everyone!!!) then hijacked ads and iFrame injections will launch a popup - but it will be a blank, white frame, since javascript will be blocked. Now, if popups start appearing when you're not browsing the web at all? That's another story altogether, and I'd agree.
#14
Quote:
__________________
Ubuntu 13.04 AX64 Time Machine, Comodo FW & Defence Plus,