Weird windows security pop-up

Discussion in 'other anti-virus software' started by nine9s, Oct 26, 2015.

  1. nine9s (Registered Member, USA)
    I went to a search result while searching for subwoofer information, so it was a site I have never visited. Got some pop-up stating my computer is infected and to call Microsoft at an 877 number. It even had a voice recording stating it. I was using Google Chrome. I could not kill the browser via the X and I was not going to click on the pop-up (it was not a normal pop-up anyway, and pop-ups are usually blocked on my browser).

    I know the message was fake, but I am worried that perhaps it put a virus or something on my computer. I did not read it long, but I think it was warning that my files were locked and I needed to call Microsoft to unlock them or something. I only caught a glimpse of it because as soon as I saw I could not shut down my browser by the X on it, I used Task Manager to kill it, so I am not absolutely sure how it read.

    I use Emsisoft, and I have Malwarebytes Anti-Exploit protecting the browser.

    I ran a complete Antimalware (free) scan and it found nothing wrong. I will reboot and run Hitman Pro, and Emsisoft scans, as well as Microsoft Safety Scanner and Avira PC Cleaner free scanner.

    I have never had something like this happen, so I am paranoid.

    If none of them find anything wrong, should I be safe? Should I re-image my computer (latest image is fairly old, so would need 9+ months of updates.)
     
    Last edited: Oct 26, 2015
  2. nine9s (Registered Member, USA)
    The link was http: // www . emacoustics.co.uk/product/i-12-compound-isobaric-ulf-subwoofer and VirusTotal shows it to be a clean site (0/65), so I guess it was some drive-by. I have ad-block etc. on my computer, so not sure what happened.
     
  3. itman (Registered Member, U.S.A.)
    Sounds similar to something that happened to me a week ago. The site showed clean by Zulu and Sucuri. The site attempted to download an exploit/Trojan payload and Eset's web scanner caught the download before it ever hit my PC.

    If none of your security software shows any logs of the blocking activity or quarantine activity, I would be concerned. Check your MBAE logs for any activity.

    Also, the fact that your browser showed malware activity (the pop-up and message, plus the inability to kill the browser) leads me to believe you might be infected. You might want to run Eset's Online Scanner to see if it finds anything.
     
  4. JRViejo (Global Moderator, U.S.A.)
  5. amarildojr (Registered Member, Brasil)
    It's hard to tell if a computer was compromised, only analysts with keen eyes and checksums of important files can tell.

    In any case, you learned a valuable lesson: run your browser in a sandbox.
     
  6. nine9s (Registered Member, USA)
    I reimaged my computer. First I formatted my data drive. Then I went to Windows installation DVD disk, where I deleted all partitions and resized them and formatted again on both my data drive and primary drive. So both drives repartitioned and formatted multiple times. I then reinstalled an old image on my main drive, and restored files on my data drive from another source.

    Should I be safe after that?
     
    Last edited: Oct 26, 2015
  7. Krusty (Registered Member, Australia)
    A little overkill perhaps.
     
  8. nine9s (Registered Member, USA)
    I wanted to be safe, and re-image my system, but I am wondering if it was a problem. Before I re-imaged my computer, scans from Malwarebytes (nothing), Hitman Pro (nothing but some tracking cookies), Avira PC Cleaner (nothing) and Emsisoft (nothing). The website was a .uk website, which is something I do not frequent. Could it have just been part of the web page, versus an add-on or anything on my computer? It was not really a pop-up, as I have a pop-up blocker; it seemed more a part of the page, versus a third-party pop-up, but it did have an "OK" button to push, which I did not - I assume that is why I could not close the browser. But using Task Manager to end it worked quickly (usually killing stuff in Task Manager has a delay, but the browser closed instantly when I did it).
     
  9. Daveski17 (Registered Member, Lloegyr)
    It might be worth running the website address through VirusTotal just to see. Some UK newspapers and other sites sometimes have weird adverts that look like pop-ups and seem to freeze the browser so you can't just click it closed. If I ever come across these I find Ctrl-W usually gets me out of it. If anything like it happens to me I usually scan with my AV and antimalware programs (or even online scanners) afterwards as well. I've never detected malware.
     
  10. nine9s (Registered Member, USA)
    Thanks. I ran a VirusTotal scan on the link (I reproduced the link from the search results but I did not go to the site again). Results were clean, but I think I went to a link within that site (not really sure, because it happened so fast and I quickly killed the browser).
     
  11. nine9s (Registered Member, USA)
    My Emsisoft subscription ends soon, so I am hesitant to renew thinking it might have failed on this (but if it were part of the website and not really a virus etc., I guess it did not.)
     
  12. Rolo42 (Registered Member, USA)
    In the future, do a scrub once (like write all zeroes from a bootable CD like Parted Magic or your drive's OEM diagnostics) and repartition/reformat once. Only repartitioning/reformatting is not completely effective in eradicating malicious logic.

    As far as what happened, it looks like it was just a window with an alarming message (odd that it got through) with no other malware behind it--but I would be paranoid anyway and wipe/reinstall.

    As far as the browser being hard to kill, it happens with normal browsing occasionally; Windows is a wimp with task management.
     
  13. itman (Registered Member, U.S.A.)
    As far as the malware that tried to nail me that I mentioned previously, a VirusTotal URL scan of the malicious redirect link came back 100% clean. Why? Because the malware is resident on the web site's server.

    Beware of Wordpress sites using Striker themes!

    Two possible reasons:
    1) Bad/infected "free" theme with encrypted PHP code in the footer
    2) Scrupulous plugins that inject trojans/malware on the client side

    Solution: Fix your site by replacing "free" themes with "premium" from reputable sites, as well as the plugins too.

    http://www.blackhatworld.com/blackh...ascript-kryptik-rw-trojan-wordpress-site.html
     
  14. Rolo42 (Registered Member, USA)
    I don't understand. Can you elaborate?
     
  15. itman (Registered Member, U.S.A.)
    This is the site that tried to nail me: http: //winhow.org/wp-content/themes/striker/winhow.php?efs=1&ujmbg=Dcom+Errors+Ie+11+On+Windows+7+Reviews . Notice the .php suffix?

    Per Google:

    PHP is a general-purpose scripting language that is especially suited to server-side web development, in which case PHP generally runs on a web server. Any PHP code in a requested file is executed by the PHP runtime, usually to create dynamic web page content or dynamic images used on websites or elsewhere.

    The malicious .php script was encrypted and was a redirect to a site that attempted to download a Trojan/exploit combo. Eset's network adapter web filter caught the malicious download by signature detection, i.e. JS/Kryptik.AWN Trojan, before it ever got to my HDD.

    Also, just like the OP, I never clicked on anything on that web site. The redirect happened almost simultaneously with the display of the web page in my browser.

     
    Last edited: Oct 27, 2015
  16. Rolo42 (Registered Member, USA)
    I've developed in PHP. PHP has always run server-side and its output is delivered in-line with HTML; there's nothing intrinsically malicious or "encrypted" about that--the client never sees PHP scripts, only their output. This is inconsequential since the result is all that matters: either the content was benign or malicious, regardless of the mechanism that delivered it.

    Without any evidence to highlight anything in particular, here are some possibilities:
    • The site was hacked
    • The theme/plugin was a trojan ("buy premium" may be a workaround but I wouldn't skip freeware entirely--one just has to exercise sound judgement/due diligence but that is also true for premium software) Edit: The Striker theme has premium versions, so there goes your theory ;)
    • The site's ads were malicious rather than the site itself (which may explain why one pass--your visit--had an issue but another pass--the URL scanner--didn't have an issue)
    • The client (your PC) is compromised and that site happened to be viewed at the time (sounds unlikely but I mention it for completeness)
    If I had a sheep dip right now, I would visit that URL and look around.
     
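If you do look at such a page from an isolated VM, as Rolo42 suggests, the things the OP describes (a warning that cannot be dismissed, a voice recording, an 877 number) are visible in the saved page source. The block below is an added example, not code from this thread and not the content of either site named in it: the two HTML samples are constructed, one resembling a tech-support-scam "browlock" page and one a benign product page, and the indicator list is an assumption about what such pages commonly contain, not a signature taken from the real page.

```python
"""Scan saved page source for 'browlock' tech-support-scam indicators.

Added example; the sample pages below are constructed and are NOT the
content of any site mentioned in the thread.
"""
import re

# Constructed sample resembling what the OP describes: a fake infection
# warning, an 877 number, autoplaying audio, and a page that resists closing.
SCAM_PAGE = """<html><head><title>Windows Security Alert</title>
<script>
window.onbeforeunload = function () { return "Do not close this window!"; };
setInterval(function () { alert("Your files are locked. Call Microsoft Support."); }, 500);
</script></head>
<body>
<h1>Your computer has been infected</h1>
<p>Call Microsoft at <a href="tel:+18775550123">1-877-555-0123</a> now.</p>
<audio autoplay loop src="warning.mp3"></audio>
</body></html>"""

# Constructed benign control page.
BENIGN_PAGE = """<html><head><title>I-12 subwoofer</title></head>
<body><h1>Product specifications</h1><p>Two 12-inch drivers in isobaric loading.</p>
<audio controls src="demo.mp3"></audio></body></html>"""

# Each indicator is a regex over the raw HTML/JS. Result order follows this list.
INDICATORS = [
    # beforeunload hook: the browser asks for confirmation before the tab closes
    ("beforeunload_handler",
     re.compile(r"onbeforeunload|addEventListener\(\s*['\"]beforeunload", re.I)),
    # alert()/confirm() fired from a timer: a new modal reappears as soon as one is dismissed
    ("alert_loop",
     re.compile(r"set(?:Interval|Timeout)\s*\(.{0,200}?\b(?:alert|confirm|prompt)\s*\(", re.I | re.S)),
    # autoplaying audio is the 'voice recording'
    ("autoplay_audio",
     re.compile(r"<audio\b[^>]*\bautoplay\b", re.I)),
    # US toll-free numbers (800/833/844/855/866/877/888)
    ("toll_free_number",
     re.compile(r"\b1?[-.\s]?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("tel_link",
     re.compile(r"href\s*=\s*['\"]tel:", re.I)),
    ("scareware_text",
     re.compile(r"(?:computer|pc)\s+(?:has been|is)\s+infected|files?\s+(?:are|have been)\s+locked", re.I)),
]


def scan_page(html: str) -> list:
    """Return the names of the indicators present in the page source."""
    return [name for name, pattern in INDICATORS if pattern.search(html)]


def is_browlock(html: str) -> bool:
    """Heuristic verdict: a close-blocking trick combined with scam content."""
    hits = set(scan_page(html))
    blocks_close = bool(hits & {"beforeunload_handler", "alert_loop"})
    scam_content = bool(hits & {"toll_free_number", "tel_link", "scareware_text"})
    return blocks_close and scam_content


if __name__ == "__main__":
    for label, page in (("scam", SCAM_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page), "browlock" if is_browlock(page) else "ok")
```

Run it over source saved from the VM, never by loading the live URL on a machine you care about. The indicators are static text checks, so a page that builds the same behaviour from obfuscated JavaScript will score lower; the point is to confirm that what the OP saw is page content (script plus audio plus a phone number) rather than something that needs to be on the visitor's disk.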
  17. itman (Registered Member, U.S.A.)
    I vote for this since free Striker themes are known to harbor malware.

    Don't believe an ad could nail you unless you clicked on it.
     
  18. Rolo42 (Registered Member, USA)
    What supports this theory? Why would Striker free be any different than Striker Pro (premium)?

    Two ways: exploits and pre-caching
     
  19. Daveski17 (Registered Member, Lloegyr)
    Yeah, it sounds kinda scary that could just happen like that. When something deliberately stops the browser easily closing it is worrying.
     
  20. itman (Registered Member, U.S.A.)
  21. Rolo42 (Registered Member, USA)
    I can't see where an article about pirated Joomla extensions has anything to do with a legitimately freemium WordPress theme.
     
  22. itman (Registered Member, U.S.A.)
    Malicious Code and Encrypted Footer Links

    Free themes are notorious for being a conduit for malicious code, encrypted spammy links and link injections for malware or whatever else.

    https://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/
     
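What "encrypted footer code" in a theme usually looks like is a chain such as eval(gzinflate(base64_decode('...'))) sitting in footer.php: it hides the payload from anyone who opens the file, and, as Rolo42 notes, the visitor only ever sees its rendered output. Peeling the layers is how you find out what it does. The block below is an added example, not code from this thread, from WordPress or from the Striker theme: the footer.php sample is constructed, and the decoder handles only the wrapper functions listed in DECODERS (an assumption about the common obfuscators, not an exhaustive list).

```python
"""Peel eval(base64_decode(...)) / eval(gzinflate(...)) wrappers out of a
theme file and report what the hidden code does.

Added example with a constructed footer.php; not from any real theme.
"""
import base64
import codecs
import re
import zlib

# --- constructed sample -----------------------------------------------------
# The payload a visitor never sees as PHP, only as rendered HTML: a hidden
# link block of the kind that gets injected into footers as "sponsor links".
HIDDEN_PAYLOAD = (
    'echo \'<div style="display:none">'
    '<a href="http://example.invalid/">cheap pills</a></div>\';'
)


def _wrap_base64(code: str) -> str:
    return "eval(base64_decode('%s'));" % base64.b64encode(code.encode()).decode()


def _wrap_gzinflate(code: str) -> str:
    # PHP gzinflate() expects raw DEFLATE (no zlib header), hence wbits=-15.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(code.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Two layers deep, which is typical: the outer wrapper hides an inner wrapper.
FOOTER_PHP = (
    "<?php /* theme footer */ ?>\n"
    "<footer><?php wp_footer(); ?></footer>\n"
    "<?php " + _wrap_gzinflate(_wrap_base64(HIDDEN_PAYLOAD)) + " ?>\n"
)

# --- decoder -----------------------------------------------------------------
# Python equivalents of the PHP functions the wrapper chain calls.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval(f1(f2(...('literal')...)))  -- group 1 holds the decoders, outermost first
WRAPPER = re.compile(
    r"\b(?:eval|assert)\s*\(\s*"
    r"((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2",
    re.S,
)


def unwrap(source: str, max_depth: int = 10) -> list:
    """Return [(decoder_chain, decoded_text), ...], one entry per layer."""
    layers = []
    for _ in range(max_depth):
        m = WRAPPER.search(source)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1))
        data = m.group(3).encode()
        try:
            for fn in reversed(chain):          # apply the innermost decoder first
                data = DECODERS[fn](data)
        except (ValueError, zlib.error):
            break                               # literal is not decodable; stop here
        source = data.decode("utf-8", "replace")
        layers.append((chain, source))
    return layers


# What to flag once the cleartext is out.
SUSPICIOUS = {
    "hidden_element": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
    "remote_fetch": re.compile(r"curl_exec|file_get_contents\s*\(\s*['\"]https?://", re.I),
    "remote_script": re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]https?://", re.I),
    "request_controlled_exec": re.compile(
        r"(?:eval|assert|system|passthru)\s*\(.*\$_(?:GET|POST|REQUEST|COOKIE)", re.I | re.S),
}


def audit(source: str) -> dict:
    """Decode every layer and tag what the innermost code does."""
    layers = unwrap(source)
    final = layers[-1][1] if layers else source
    return {
        "layers": [chain for chain, _ in layers],
        "final": final,
        "flags": [name for name, rx in SUSPICIOUS.items() if rx.search(final)],
    }


if __name__ == "__main__":
    report = audit(FOOTER_PHP)
    print(report["layers"])
    print(report["flags"])
    print(report["final"])
```

The same scan run over every .php file in wp-content/themes and wp-content/plugins is the "properly scanned his web site code" step itman refers to later in the thread; a hit on request_controlled_exec (code executing whatever arrives in $_GET or $_POST) is a backdoor rather than a spam link and means the whole install should be treated as compromised.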
  23. Sprocket (Registered Member)
    I had a similar thing happen the other day (warning popup, couldn't close it, had to go into Task Manager to kill the browser process, etc.) I scanned, found nothing, but restored from a known-good image anyway. (I use Clonezilla running from a USB drive - very flexible, though its user interface can be confusing at first.) My browser is Firefox Portable, running from a different partition, so I deleted the browser's entire folder and replaced it from a known-good backup. Then I did an off-line scan of everything using Avira's rescue disk. No threats detected.

    FWIW, the popup I had blew right past popup blocking in Firefox, Adblock Plus in the browser, URL filtering I run in my router, and URL filtering from Symantec's DNS servers. My antivirus didn't make a peep, neither did Malwarebytes Anti-Exploit. I don't recall what web site I was on - ironically, it came up in a google search for how to do URL filtering in a Cisco IOS router. (Someday when I have the time, I may spin up a Linux VM and see if I can find that site, just to learn more about it.)

    I think Krusty13's probably right - your repartitioning and multiple reformats might have been overkill, but I can't criticize anyone for being extra cautious.
     
  24. Rolo42 (Registered Member, USA)
    This goes for any freeware but there's no mention of the Striker theme (which has a premium version--I doubt the authors would include malware with the free version), which is what I asked about based on your original conclusion. Also note that the link you posted isn't an article about free themes and malware; it's a sales pitch to buy/subscribe to their premium theme platform.

    Reputation is one guard against malware and with 36K+ downloads on Wordpress.org alone and a support forum for that theme (and conspicuous absence of a mention of malware), this isn't your problem. If you're not convinced, you could inquire here: https://wordpress.org/support/theme/striker or take it up with the author: http://www.templateexpress.com/striker-theme/

    These do nothing for sector, track 0, et al. viruses. DISKPART CLEAN is handy: http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html
     
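Rolo42's point about track 0 has a concrete shape: the partition table occupies only the last 66 bytes of the first sector, a partitioning tool rewrites just that table, and a format writes inside a partition, so whatever sits in the first 446 bytes of the disk survives both. Reading the first sector back and parsing it is how you see that, and how you verify a wipe afterwards. The block below is an added example, not from the thread: the 512-byte sector is constructed (the "boot code" is a few stand-in bytes resembling a typical MBR prologue, not a real boot loader), and the repartition is simulated by rewriting only the table, which is what a partitioning tool does to that sector.

```python
"""Parse a classic MBR and show why repartition/format leave sector 0's
boot code alone while a zero-fill does not.

Added example with a constructed sector image; not from the thread.
"""
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445: boot code and disk signature area
TABLE_OFF = 446             # four 16-byte partition entries
SIG_OFF = 510               # 0x55 0xAA


def _entry(boot: int, ptype: int, lba: int, sectors: int) -> bytes:
    """One 16-byte partition entry; CHS fields are unused by modern tools."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    assert len(bootcode) <= BOOTCODE_LEN and len(entries) <= 4
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code state, partition entries and signature validity."""
    assert len(sector) == SECTOR
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootcode_nonzero": any(sector[:BOOTCODE_LEN]),
        "partitions": parts,
        "signature_ok": sector[SIG_OFF:] == b"\x55\xAA",
    }


def repartition(sector: bytes, entries: list) -> bytes:
    """What a partitioning tool writes to sector 0: the table, nothing else."""
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return sector[:TABLE_OFF] + table + sector[SIG_OFF:]


def zero_fill(sector: bytes) -> bytes:
    """What a full zero-write (DISKPART CLEAN ALL, dd from /dev/zero) does."""
    return b"\0" * len(sector)


def is_wiped(sector: bytes) -> bool:
    """True only if every byte of the sector is zero."""
    return not any(sector)


# Constructed disk: a stand-in boot-code prologue (real boot code is ~440 bytes)
# and one bootable NTFS (type 0x07) partition starting at LBA 2048.
FAKE_BOOTCODE = bytes.fromhex("33c08ed0bc007c")   # xor ax,ax / mov ss,ax / mov sp,7C00h
ORIGINAL = build_mbr(FAKE_BOOTCODE, [_entry(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("original    ", parse_mbr(ORIGINAL))
    print("repartitioned", parse_mbr(repartition(ORIGINAL, [_entry(0x00, 0x07, 4096, 102400)])))
    print("zero-filled ", parse_mbr(zero_fill(ORIGINAL)), "wiped:", is_wiped(zero_fill(ORIGINAL)))
```

To check a real disk, feed parse_mbr the first 512 bytes read from the device (\\.\PhysicalDrive0 from an elevated prompt on Windows, /dev/sda on Linux) from boot media, since the running OS's own disk is in use; after a zero-write every sector, not just this one, should read back as zeros, and the signature check failing is the expected result. GPT disks keep a protective MBR in sector 0 plus GPT headers at sector 1 and at the end of the disk, so the same idea applies to more than one sector.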
  25. itman (Registered Member, U.S.A.)
    There is nothing wrong with using free web site plug-ins and themes as long as they have been downloaded from the manufacturer's web site. This is the same recommendation that applies to all web downloads.

    The point I am trying to make is:

    1. There is no way to tell if the web site developer did so, i.e. downloaded from the manufacturer's web site.
    2. That the web site developer properly scanned his web site code for malware prior to implementing it.
    3. That URL scanners have limited effectiveness in detecting web site malware.
     
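itman's third point, and the "one pass had an issue, another didn't" pattern Rolo42 describes earlier, has a mechanical explanation: a compromised page or a malicious ad can decide per request, from headers such as User-Agent and Referer, whether to serve the clean page or the redirect, and a URL scanner that fetches with its own crawler profile gets the clean page. One check a practitioner can run from an isolated VM is to fetch the same URL under several header profiles and compare what comes back. The block below is an added example, not from the thread: the server is a constructed stand-in that mimics such conditional behaviour, the header profiles are assumptions about what a scanner versus a real visitor sends, and nothing here asserts that either site named in this thread behaves this way.

```python
"""Detect request-dependent (cloaked) responses by fetching one URL under
several header profiles and comparing the results.

Added example. `cloaked_site` and `honest_site` are constructed stand-ins
for web servers, not any real site.
"""
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]          # status, headers, body
Fetcher = Callable[[str, Dict[str, str]], Response]

# Header profiles (assumed values): what a URL scanner sends, what a visitor
# typing the address sends, and what a visitor arriving from a search sends.
PROFILES = {
    "scanner": {
        "User-Agent": "Mozilla/5.0 (compatible; urlscanner/1.0; +http://scanner.invalid/bot)",
    },
    "direct_visit": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/46.0 Safari/537.36",
    },
    "from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/46.0 Safari/537.36",
        "Referer": "https://www.google.com/search?q=subwoofer",
    },
}


def cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in: clean page for crawlers and direct visits,
    a redirect to the landing page only for search-engine arrivals."""
    ua = headers.get("User-Agent", "").lower()
    ref = headers.get("Referer", "").lower()
    looks_like_crawler = any(tag in ua for tag in ("bot", "crawler", "scanner", "curl", "python"))
    came_from_search = any(eng in ref for eng in ("google.", "bing.", "yahoo."))
    if came_from_search and not looks_like_crawler:
        return 302, {"Location": "http://landing.invalid/alert.html"}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body>Product page</body></html>"


def honest_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in that serves everyone the same thing."""
    return 200, {"Content-Type": "text/html"}, "<html><body>Product page</body></html>"


def fingerprint(resp: Response) -> Tuple[int, str, int]:
    """Compare status, redirect target and body length rather than the whole
    body; dynamic pages differ in trivial ways between two fetches."""
    status, headers, body = resp
    return status, headers.get("Location", ""), len(body)


def probe(fetch: Fetcher, url: str) -> dict:
    """Fetch `url` once per profile and report whether the responses diverge."""
    results = {name: fingerprint(fetch(url, dict(hdrs))) for name, hdrs in PROFILES.items()}
    distinct = set(results.values())
    return {
        "results": results,
        "cloaked": len(distinct) > 1,
        "redirects_for": sorted(n for n, (status, _, _) in results.items() if 300 <= status < 400),
    }


if __name__ == "__main__":
    print(probe(cloaked_site, "http://site.invalid/product/"))
    print(probe(honest_site, "http://site.invalid/product/"))
```

Against a real site, replace the stand-in with a fetcher built on urllib that does not follow redirects (the redirect target is the evidence) and run it only from the sheep-dip VM. A divergence means "look closer", not "malicious": ad slots legitimately rotate per request, which is why fingerprint compares body length rather than exact content and why the redirect list matters more than the boolean.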