What to do about what looks like an attack attempt
So I was using Google to research the safety of deleting given temporary files (the search was 'is it safe to delete "av" tmp', single quotes not included, double quotes surrounding av included) and I clicked a link apparently to a page on the Kaspersky website (that was in a page of Google results as said, I completely trust Kaspersky and Google in case it isn't clear; PS: the page is NOT Kaspersky's, see below). Instead of anything from Kaspersky, I was redirected to http:// url4short dot info slash 12e30542 (never ever try this as a link!!!).
For a split second I saw what looks like a trustworthy page with info, although it doesn't seem to be what I expected (it deals with LANs, routers, Ethernet, ...). Then the page turned dark, as if a dark glass window pane had been put over it, although it's possible to read the page and I can also use IE8 -> View -> Source code. Over this "pane", an opaque window with a custom look and a strange offer with 2 options about games or similar appeared, saying it's necessary to accept one to unblock the page. There's also a yellow bar in the upper part of the canvas saying (in Spanish, the language here) 'This web site wants to run the following add-on: "Microsoft (R) Dynamic HTML Editing Control" of "Microsoft Corporation". If you trust the web site and the add-on and want to allow its execution, click here...' (the name of the likely fake control and "Microsoft Corporation" are in English).
I think I clicked on IE8's left arrow to return to the previous page. For sure, I've tried to kill IE8 with the task manager (if I did the former thing, after it). After one of the two actions a prompt with a Windows look and the following contents appeared:
Title bar: Windows Internet Explorer
Canvas: a yellow triangle with a "!" inside at the left, 3 phrases (in Spanish, English and Spanish respectively) and 2 buttons (both in Spanish):
Are you sure you want to go out this page?
Hey Wait! Please spare a minute to complete one of these offers to gain access to this site's content. Are you sure you want lo leave?
Click OK to continue or Cancel to stay in current page.
Windows is saying it cannot kill IE8 and Task Manager is listing both IE8 and the task to kill it as active applications. Now I've clicked on "Kill task" again and I've succeeded.
I open IE8 again and repeat the Google search. This is the paragraph of the possibly malicious link, copy-pasted from the Google page:
Removal of *.tmp files - Kaspersky Fan Club Forum
forum dot kasperskyclub dot com › ... › Help and Advice
En caché - Similares - Traducir esta página
Has publicado que a ti también te gusta esto. Deshacer
28/04/2009 – Removal of *.tmp files Whether safe to delete? ... Some 533 files and 8,360.54 MB with extension av*.tmp in folder : ... Kindly suggest whether it is safe to delete these files, also what are these files which are created itself.
"Traducir esta página" means "Translate this page". It's usual in Google search results.
There are things in this copy-paste that aren't visible in the original Google page:
- "En caché" (cached) and "Similares" (similar). Maybe 2-3 years ago and before I could see and use these links in my Google searches, at least the cached one that could be quite useful, but not since then.
- "Has publicado que a ti también te gusta esto. Deshacer" (You have posted that you like this too. Undo). I cannot recall anything like this!
I've followed another link without problems just now. Reading carefully, the link doesn't go to the Kaspersky website but to another with a similar name...
Re: Report about what looks like an attack attempt
Please follow the suggestions as indicated here:
Malware Clean-up Guidance
If one step does not apply to you go to the next. This way you will ensure you are free from malware.
To improve your configuration and setup please see here below (if it applies to you):
xyz was not detected. What I should do?