Not sure this the right spot for this post. I guess reason I picked here is because of NOD 32. I am posting for your advice. Not sure I am still infected or not. I was just amazed none of my security software ware made a peep at all. yesterday while trying to down a torrent, I got a web page open and it also had sound. the page said I was infected with zues and if I closed the page my hard drive would be erased. I used task manager and closed it anyway. I was using IE with all security apps enabled except for ADGuard because my lic ran out yesterday and had not renewed it yet. I did not have Quietzone enabled and I did have foolishly my recovery USB inserted. I then downloaded NOD 32 trial and here is what it said it found and deleted. Eset Log C:\Users\Bruce\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MQW4OPHA\websolutions[1].htm - HTML/FakeAlert.DV trojan - cleaned by deleting [1] Doesn't any of my security programs check that location?
The file should not be functional as it likely contains only relative references to files. It most likely looks as follows:
Marcos. yep that is it!!!!! had sound too. Didn't they have to use an exploit to do that? anon , zeus but I left the page and do not notice anything yet. not sure if this was happening before since I have not used it since updating to win 10 but I can not get into safe mode for some reason.
It is just a Fake Alert HTML trojan, you are not infected. None of your security setup reacted because it isnt a real infection, but a traditional antivirus should had stopped the loading of this fake alert with its web scanner. Ps: In my opinion your security setup is "too much of a good thing", very redundant and lacks a good "traditional" antivirus like Eset (that would had stopped this fake alert for sure)
I think the clue is in the term 'fake'. Not all AVs will detect fake webpages in the same way not all AVs detect PUA/PUPs. Anti-exploit probably didn't trigger because you're patched up, that is, the programs most commonly used to exploit are up to date, plus there may well have been no exploit there anyway.
Because you abended IE, the crap was since in your browser cache. That is why Eset detected it. If you would have manually flushed your browser catch afterwards which you should do in these instances, the crap would have been deleted. Appears this was a phishing attack with the purpose of panicking the user into calling the phone number for service to clean the bogus malware.
I understand it was a fake but somehow it still managed to freeze the browser. what does a common user do when they see that sort of thing? If I would not have known how to use task manager, autoruns, process explorer and was a normal house hold user, I would either called the number or fearfully pushed the power button. I guess I could be wrong but still think my other software should have stopped the browser hijack too.
sorry itman posting at same time. it was a drive by not phishing. clicked to down load a torrent and bang. went back a second time for more and nothing.
I believe if you would have clicked on either of the buttons on the crapware web page is when you would have been nailed by the drive-by download. That is when the security solution should kicked in. However, there is malware now that runs entirely from the web page. Hence a need for a security solution with a strong web filter at the network level like Eset. And if the malware was delivered from a HTTPS web site, a need to unencrypt the traffic so it can be scanned by the web filter.
I am now wondering if I would have renewed adguard if that would have stopped it too. they have a pretty good web filter also. it ran out yesterday before I had a chance to renew. I think you are right about the clicking on either button but then I didn't. what if a home user would have? would it still have been a fake pay up site? also what is strange is when I went back for a second look I did not get hit again. same page same download. here is the site in case you want to sniff around. http://extratorrent.cc/
I believe your adguard (or any adblocker) would have stopped it. I too saw these fake buttons on torrent sites, when I have disabled uBO.
Based on this comment over at Reddit, perhaps you should renew your AdGuard subscription: Ref.: https://www.reddit.com/r/torrents/comments/2xlwzk/how_to_torrent_safely_without_getting_viruses_or/ I just browsed to that web site and received no alerts from Eset or Emsisoft. I did try to download anything. Do you have IE's SmartScreen Filtering enabled? Perhaps you disabled that when you installed AdGuard and forgot to re-enable it? SmartScreen filtering did block two services on that web site.
Just scanned that web site using Zulu. Web site is OK. Must have been something w/the download you were doing:
@ boredog Did you have Java Scripting enabled in IE ? The first part of the phone # seems to indicate it's the same gang as in here https://www.wilderssecurity.com/threads/video-codec-malware-back-again.387405
It possibly depends on which browser you use, how many users visited the site before, which referer you have, how long since the Google spider came around, ....., if the scam popup is delivered, or not. These are all popular techniques, to hide from being discovered quick.
Worth noting is Eset had a signature for this July 1: http://www.virusradar.com/en/HTML_FakeAlert.DV/description . If you had NOD32 or Smart Security installed in the first place, their web filter would have caught this bugger before it ever hit your HDD.
itman yes I had looked at that page a while ago but you noticed peak activity was 7/25/2016? yes it would have been nice to have eset installed before hand but as I mentioned I had adguard but had expired same day. now isn't that strange? I think adguard would have stopped it also with it's web filter. with all my other security software I didn't se how it could touch my hard drive at all but then again this seems to be a new variant.
That webpage produces random ADs, so I would say, you were a victim of malvertising. If it were a stable AD, it would get removed ASAP.
Only way to know for sure is to install AdGuard as a trial and repeat what you did when you received the fake malware alert.
itman I do have it still installed, just have not renewed it yet. I have gone back and tried to repeat it and nothing. even used comodos inspector and still nothing. http://app.webinspector.com/ not sure if site figured it out or if they bad guys pulled the plug since they were busted.
@boredog - also take a look at this article: https://malwaretips.com/blogs/remove-tech-support-scam-popups/ . Note that their first mitigation is what I recommended - run AdwCleaner.
