Thread: Possible attack, I don't know what to do.

  1. #1
    Join Date
    Jul 2005
    Posts
    43

    Possible attack, I don't know what to do.

    I'm using ZAISS 9.3.014.000. Vista 32 SP2 Ultimate in Spanish, updated regularly through Windows updates.

    After clicking a link to a website that I trust 100% (website removed), two small IE8 windows appeared, the smaller hidden by the larger. Both appear in the taskbar with the IE icon and the title "System scanner - Windows Internet Explorer" (Vista shows the title and a small picture of the window as normal).

    The larger and visible one doesn't look like an IE window, rather it looks like a Windows message. Its title is "Mensaje de página web" (this is Spanish, it means "Web page message"), the canvas has a yellow "!" triangle, the text "Warning! Your computer is at risk of malware attacks. We recommend you to check your system inmediately. Press OK to start the process now..." (this text goes in English), and a button "Aceptar" (Spanish this time, it means "OK"). It also has a "x" button to close it, no minimize or maximize ones.

    Dragging the described window aside, you can see the smaller window. This one looks like a real IE8 one but very small, and it's not resizable or movable. In the title bar you can read "System scanner - Wi..." at the left of the buttons to minimize, maximize and close. It has the left side of the upper IE8 bars but it's too small to have a canvas.

    Is this an attack or a legitimate Windows prompt? Is it wise to close the larger window (the one with the "Aceptar" (OK) button) with the "x" button in the upper right corner and perform a virus scan with ZAISS?
    Last edited by Greb49er; April 20th, 2011 at 06:17 AM. Reason: removed website

  2. #2
    naivemelody Guest

    Re: Scareware, fake av attack, I don't know what to do.

    As soon as you see the first "fake scanning" image - you...

    Generally, you should not click any link/button in the pop-ups/"Warning..."/"Alert..." boxes, not even the (red) "X"/Close button to normally shut it off (sometimes that X button = their false link to download more malware, which is not what you want).

    And of course don't buy the rogue scareware; you can remove the real infection, which 'is the rogue/scareware itself' and its scare tactics (fake pop-ups and fake infections).

    Recommended: immediately...to close these browsers/ pop-up's externally...

    - if you have a stand-alone ForceField or ZoneAlarm Extreme Suite (not to be confused with the ForceField toolbar of the rest of the ZA line of firewalls {ZA Free/ ZA Pro/ ZA Anti-Virus/ ZA Suite})...

    >with 'Browser Security' click/ open
    -> Settings
    -> Advanced
    -> Virtualization
    -> simply click "Clear Virtual Data"
    -> OK - this will clear all open "virtual" browser pages, boxes, pop-ups providing extra security.

    When you are using ZoneAlarm Extreme Suite or a stand-alone ForceField the first fake pop-up scan/ scareware will be eliminated and not affect your 'real' pc after you 'clear virtual data'/ close out that browser(s).

    or

    - press hold/ keys > 'Alt' and 'F4' keys (F4 = single key usually at the top of keyboard) or 'Ctrl' and 'F4' keys

    or

    - enter Windows 'task manager' to shut off all "Applications"/ web pages running,

    or
    - press keys > 'Ctrl' and 'Alt' and 'Delete' < together at the same time
    __________________________________________________ __________

    Click here for more info. -> http://forums.zonelabs.com/showthrea...472#post285472
    ---> see post # 2, 3 , 4

    ~ always follow rules in post #4
    ~ to clean your pc - follow rules in link of post #2 - click here -> http://forums.zonealarm.com/showthread.php?t=70448
    ~ I would recommend... install Malwarebytes - free version/ or paid
    ~ and always follow rules in post #4

    __________________________________________________ ________

    ~ additional reading - WashingtonPost.com article - What To Do When Scareware Strikes - click here > http://voices.washingtonpost.com/sec..._anti-vir.html <

    ~ further reading - long detailed analysis of scareware - Anatomy of a malware scam - click here -> http://www.theregister.co.uk/2008/08...omy_of_a_hack/

    __________________________________________________ _

    The site you visited was hacked with malware; do not go there again until they clean it up (even once 'trusted' sites can be hacked). Some of my tools say it's clean, but one tool 'red flags' it with malware. Click here -> http://sitecheck.sucuri.net/scanner/...ragereview.com

    Update: 4-20-11 ~ 11:15pm - it appears 'SR.com' has cleaned up its site. Rescans show clean. Nevertheless, user -factor - will have to clean up his pc.
    __________________________________________________ ________

    Attention: Gurus/ FM - please edit out the website name from op's post - as others may get too curious and follow to a bad site. (stor...age.view.com)

    __________________________________________________ ______
    NaiveMelody NYC - 4-19-11 - Hold On Tight - ELO
    Last edited by naivemelody; April 20th, 2011 at 07:18 PM.

  3. #3
    dietcokefiend Guest

    Re: Possible attack, I don't know what to do.

    **** is about all I can say right now. Sometime yesterday our site (SR.com) got nailed with that code. We are still investigating how it got in and are in the process of cleaning everything out. First thought was through Google Ads, then with those disabled it was still coming through, until we saw it embedded at the bottom of the page source in IE.

    So far from what we can tell it will only load while using IE (including IE9). Firefox, Chrome, Safari, etc. are all playing it cool. Assuming none of the redirect or download file prompts are clicked there is no virus or malware detected on a local machine if you can kill the IE processes.

    I will update the progress of our site admins as the code is gone through and cleaned out.
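
Added example, not part of the original post or the site's own code: a site-owner check in the spirit of the finding above, parsing a saved copy of a served page and flagging script/iframe tags that load from hosts off an allowlist or that sit after the closing body tag. The allowlist, host names and sample page are constructed assumptions, and "bottom of the page source" is taken here to mean after `</body>`.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site expects to load active content from (assumed allowlist).
ALLOWED_HOSTS = {"www.example-site.test", "ads.example-adnetwork.test"}
ACTIVE_TAGS = {"script", "iframe"}

class InjectionAudit(HTMLParser):
    """Collect active-content tags that are off-allowlist or sit after </body>."""
    def __init__(self):
        super().__init__()
        self.body_closed = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname  # None for inline or relative src
        reasons = []
        if host and host not in ALLOWED_HOSTS:
            reasons.append("host not on allowlist")
        if self.body_closed:
            reasons.append("after </body>")
        if reasons:
            line, _ = self.getpos()
            self.findings.append((line, tag, src or "(inline)", reasons))

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True

def audit(html):
    parser = InjectionAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a normal page with one tag appended after the body.
SAMPLE = """<html><head>
<script src="https://www.example-site.test/js/site.js"></script>
</head><body>
<script src="https://ads.example-adnetwork.test/show.js"></script>
</body></html>
<iframe src="http://unknown-host.test/scan"></iframe>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because the injection in this thread only showed up in IE, audit the copy of the page as the affected browser receives it, not only the copy other browsers get.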

  4. #4
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,465

    Re: Possible attack, I don't know what to do.

    Quote Originally Posted by dietcokefiend View Post
    **** is about all I can say right now. Sometime yesterday our site (SR.com) got nailed with that code. We are still investigating how it got in and are in the process of cleaning everything out. First thought was through Google Ads, then with those disabled it was still coming through, until we saw it embedded at the bottom of the page source in IE.

    So far from what we can tell it will only load while using IE (including IE9). Firefox, Chrome, Safari, etc. are all playing it cool. Assuming none of the redirect or download file prompts are clicked there is no virus or malware detected on a local machine if you can kill the IE processes.

    I will update the progress of our site admins as the code is gone through and cleaned out.
    Welcome to the Zone Alarm User Forum..

    This Forum exists to allow Volunteer experienced Zone Alarm Users to help the Few Users who encounter a problem with ZoneAlarm and need to be guided in the right direction..



    1.) Follow ALL the steps as detailed here:
    Malware Clean-up Guidance

    2.) After cleaning it up please review this post:

    xyz was not detected. What I should do?

    3.) IE9 is not supported at this time in ZA version 9.x or below..

    ZoneAlarm security toolbar and ForceField version 9.x and below are not compatible with Firefox 4 and IE 9


    We are currently in BETA Testing with a new version 10 which will be compatible with IE9 and Firefox 4 once it's been released to the public.


    Sorry, no ETA when that will be released.


    Best regards,

    Forum Moderator
    Last edited by GeorgeV; April 24th, 2011 at 06:42 AM. Reason: typo
    GeorgeV
    ZoneAlarm® Extreme Security

  5. #5
    Join Date
    Jul 2005
    Posts
    43

    Re: Possible attack, I don't know what to do.

    Well I killed IE8 with the task manager and launched a full virus scan that reported no infections.

    To dietcokefiend: if it helps, I followed the ocz_vertex_2_25nm_review_oczssd22vtxe60g link. I was able to read text for maybe seconds and see the pics. I'm nearly sure that I didn't click anything but maybe I passed the mouse over whatever. The page window disappeared when it all happened, but two other IE8 windows stuck.

  6. #6
    dietcokefiend Guest

    Re: Possible attack, I don't know what to do.

    Well, it took about a day or so after the attack, and maybe 5 hours after it was found, to fix the malware injection and patch the breach. From talking with our IT guy it was an exploit coming through our forum's avatar upload feature. Everything is back in order (thankfully) and as long as nothing was downloaded by the prompts pushing those nasty executables, no harm should have been done to visitors' computers.
