
Thread: What to do about what looks like an attack attempt

  1. #1
    Join Date
    Jul 2005
    Posts
    43

    What to do about what looks like an attack attempt

    So I was using Google to research the safety of deleting given temporary files (the search was 'is it safe to delete "av" tmp', single quotes not included, double quotes surrounding av included) and I clicked a link apparently to a page on the Kaspersky website (that was in a page of Google results as said, I completely trust Kaspersky and Google in case it isn't clear; PS: the page is NOT Kaspersky's, see below). Instead of anything from Kaspersky, I was redirected to http:// url4short dot info slash 12e30542 (never ever try this as a link!!!).

    For a split second I saw what looks like a trustworthy page with info, although it doesn't seem to be what I expected (it deals with LANs, routers, Ethernet, ...). Then the page turned dark, as if a dark glass window pane had been put over it, although it's possible to read the page and I can also use IE8 -> View -> Source code. Over this "pane", an opaque window with a custom look and a strange offer with 2 options about games or similar appeared, saying it's necessary to accept one to unblock the page. There's also a yellow bar in the upper part of the canvas saying (in Spanish, the language here) 'This web site wants to run the following add-on: "Microsoft (R) Dynamic HTML Editing Control" of "Microsoft Corporation". If you trust the web site and the add-on and want to allow its execution, click here...' (the name of the likely fake control and "Microsoft Corporation" are in English).

    I think I clicked on IE8's left arrow to return to the previous page. For sure, I've tried to kill IE8 with the task manager (if I did the former thing, after it). After one of the two actions a prompt with a Windows look and the following contents appeared:

    -----------------------
    Title bar: Windows Internet Explorer
    -----------------------
    Canvas: a yellow triangle with a "!" inside at the left, 3 phrases (in Spanish, English and Spanish respectively) and 2 buttons (both in Spanish):

    Are you sure you want to go out this page?

    Hey Wait! Please spare a minute to complete one of these offers to gain access to this site's content. Are you sure you want lo leave?

    Click OK to continue or Cancel to stay in current page.

    OK Cancel
    -----------------------

    Windows is saying it cannot kill IE8 and Task Manager is listing both IE8 and the task to kill it as active applications. Now I've clicked on "Kill task" again and I've succeeded.

    I open IE8 again and repeat the Google search. This is the paragraph of the possibly malicious link, copy-pasted from the Google page:

    Removal of *.tmp files - Kaspersky Fan Club Forumforum dot kasperskyclub dot com › ... › Help and AdviceEn caché - Similares - Traducir esta página
    Has publicado que a ti también te gusta esto. Deshacer
    28/04/2009 – Removal of *.tmp files Whether safe to delete? ... Some 533 files and 8,360.54 MB with extension av*.tmp in folder : ... Kindly suggest whether it is safe to delete these files, also what are these files which are created itself.

    "Traducir esta página" means "Translate this page". It's usual in Google search results.

    There are things in this copy-paste that aren't visible in the original Google page:

    - "En caché" (cached) and "Similares" (similar). Maybe 2-3 years ago and before, I could see and use these links in my Google searches, at least the cached one that could be quite useful, but not since then.

    - "Has publicado que a ti también te gusta esto. Deshacer" (You have posted that you like this too. Undo). I cannot recall anything like this!


    I've followed another link without problems just now. Reading carefully, the link doesn't go to the Kaspersky website but to another with a similar name...

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,291

    Re: Report about what looks like an attack attempt

    Please follow the suggestions as indicated here:
    Malware Clean-up Guidance
    If one step does not apply to you go to the next. This way you will ensure you are free from malware.

    To improve your configuration and setup please see here below (if it applies to you):
    xyz was not detected. What I should do?

    Thanks,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays
