"System infected" pop-ups

Discussion in 'ESET NOD32 Antivirus' started by Badgerman, Feb 19, 2010.

Thread Status:
Not open for further replies.
  1. Badgerman

    Badgerman Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    9
    Over the past two weeks I have had pop-ups come up and tell me I'm infected. Then a very official Windows Explorer type box comes up with bogus directory info. It's not from Nod32. The first time I was surfing some Facebook member's pics with my cookies on. Today, my second time, I was simply surfing junk from a link on MSN. My cookies were off. The first time I couldn't close IE; I had to stop the process in Task Manager. It closed normally today. I ensured I had the latest signature and scanned. Everything was clean. A novice user will be taken in by these instantly.
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I believe that what you are seeing are fake, javascript-crafted windows in IE that are designed to look convincing. Clicking anywhere on them (even the red 'X' or the Cancel button!) will initiate the download of nasties, but if you killed it with the task manager, then you should be A-OK.

    To be clear: The source of the popups was a webpage you were browsing. Probably a hijacked banner-ad using flash, or else an iFrame injected into the trusted page to redirect you to the fake 'scan window'.

    This is why it's always nice to block flash and javascript.
     
  4. Badgerman

    Badgerman Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    9
    Nod32 scans without finding any bugs. I don't see anything loading with Autoruns, CCleaner's startup list or in the Task Manager. This is a good reason to use IE 64 as long as Flash doesn't work, or to flip over to VirtualBox and run a Linux flavor. I don't think some super stealth rootkit would do this. Would it?
     
  5. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You might want to run this ESET Rogue Antivirus cleaner.
     
  7. Badgerman

    Badgerman Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    9
    Thanks for the help. I ran ESET Rogue Antivirus and it came back in seconds reporting my system was clean.

    I installed Malwarebytes and to my dismay it found 3 items. I don't think they amount to anything, but how did they get past my Nod32?

    Malwarebytes' Anti-Malware 1.44
    Database version: 3766
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    2/20/2010 8:07:47 AM
    mbam-log-2010-02-20 (08-07-41).txt

    Scan type: Full Scan (C:\|D:\|F:\|H:\|)
    Objects scanned: 297001
    Time elapsed: 23 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay (Hijack.Tray) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files (x86)\super_pi_mod.exe (Malware.Packer.Krunchy) -> No action taken.
     
  8. Badgerman

    Badgerman Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    9
    I have been doing some reading and it appears that Hijack.DisplayProperties may be a system file. I just scanned my wife's and it's there also.

    Hijack.Tray - I am still reading on but I don't believe I got infected. It may have been in the OS.

    super_pi_mod.exe - has reports all over of causing false positives. I did use that program.

    I knew Nod32 wouldn't let me down!
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Plus registry settings in HKCU/HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies can be modified by malware as well as by administrators.
     
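    Marcos' point above (the same Policies values can be set by malware or by an administrator) is why the Malwarebytes report in post #7 needs a triage step rather than a blanket "fix". The following is an added example, not code from the thread or from Malwarebytes/ESET: it parses the report format shown in post #7 (a trimmed copy is embedded as sample input) and separates registry policy values, which need an admin/GPO check before removal, from the other findings.

```python
import re

# Trimmed copy of the Malwarebytes' Anti-Malware 1.44 log from post #7,
# kept here as sample input so the parser can be run offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Scan type: Full Scan (C:\|D:\|F:\|H:\|)

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay (Hijack.Tray) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Program Files (x86)\super_pi_mod.exe (Malware.Packer.Krunchy) -> No action taken.
"""

# A section header is "<name> Infected:" with nothing after the colon; the
# summary counts ("Files Infected: 1") therefore never match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<detection>) -> [Bad: (x) Good: (y) ->] <action>."  The lazy
# object group backtracks past parentheses inside paths such as "(x86)".
ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?(?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return {section: [finding dicts]} for every section with real entries."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings.setdefault(section, []).append(item.groupdict())
    return findings

def triage(findings):
    """Split findings into Policies registry values (admin/GPO may have set
    them legitimately, so verify before removing) and everything else."""
    policy, other = [], []
    for items in findings.values():
        for f in items:
            (policy if "\\Policies\\" in f["obj"] else other).append(f)
    return policy, other
```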
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    super_pi_mod.exe "seems" to be a false positive by Malwarebytes. If this is the case, your system would presumably be clean.

     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    With the pop-ups there, the system can never be clean.

    Please try Hitman Pro, Superantispyware free and another AV scan.
     
  12. Badgerman

    Badgerman Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    9
    The pop-ups only came up twice during an Internet session. They were no different from the ones coming up with other messages like "Do you want to log off" or "Win a laptop" etc. The bad guys are just using these pop-ups to get people to click the link. I have friends that have clicked, paid and got infected. I knew it wasn't a Nod32 warning, and Windows doesn't warn me through Explorer. New users can be drawn into this scam very easily. I'm sure my system is clean. I do surf Facebook now with one of my Linux distros.

    Thanks to everyone with the help and tips with this issue.
     
  13. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    This isn't strictly true.

    Injected iFrames and poisoned advertisements can launch javascript redirects in your browser. The javascript itself can't infect you, but it can trick you into infecting yourself or can exploit unpatched vulnerabilities to infect. The popup itself is not always an indication of infection.

    For example, if you whitelist javascript on a per-site basis (HIGHLY recommended for everyone!!!) then hijacked ads and iFrame injections will launch a popup - but it will be a blank, white frame, since javascript will be blocked.

    Now, if pop-ups start appearing when you're not browsing the web at all? That's another story altogether, and I'd agree.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, I mean non-browser pop ups.
     