Guest pat Posted January 3, 2009

Hi, I was just browsing and suddenly got a popup saying they were Microsoft (and looking like Microsoft) telling me that I had multiple viruses and worms. The address was "websecurityexamine.com". It was hard to get rid of - I just kept clicking the "x". Several times it popped up with the "run, open" dialog box.

I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.

This isn't real, is it? I've never had anything pop up like this...

Thanks for your help.

--
pat
Guest Shenan Stanley Posted January 3, 2009

pat wrote:
> Hi, I was just browsing and suddenly got a popup saying they were
> Microsoft (and looking like Microsoft) telling me that I had
> multiple viruses and worms. The address was
> "websecurityexamine.com" It was hard to get rid of-I just kept
> clicking the "x" Several times it popped up with the "run, open"
> dialog box.
>
> I'm using ZoneAlarm which I can't wait to get rid of, but it is in
> place.
>
> This isn't real, is it? I've never had anything pop up like this...

If it popped up and you did not run it manually and/or install it... Chances are it is a drive-by attack where if you choose to try it - you've installed it and its half-dozen friends who send your information to places unknown - or worse.

My suggestion: Download, install, run, update and perform a full scan (separately) with the following two applications (freeware versions are the ones to use for this):

SuperAntiSpyware
http://www.superantispyware.com/

MalwareBytes
http://www.malwarebytes.com/

Remove whatever they find. You can uninstall them after you have done this - if desired.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Guest Kerry Brown Posted January 3, 2009

"pat" <pat@discussions.microsoft.com> wrote in message news:DE13618B-0D99-44A9-8287-4A6F6DFCC254@microsoft.com...
> Hi, I was just browsing and suddenly got a popup saying they were
> Microsoft
> (and looking like Microsoft) telling me that I had multiple viruses and
> worms. The address was "websecurityexamine.com" It was hard to get rid
> of-I just kept clicking the "x" Several times it popped up with the "run,
> open" dialog box.
>
> I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.
>
> This isn't real, is it? I've never had anything pop up like this...
>
> Thanks for your help.

There is a good chance you are infected if you clicked anywhere on the popup windows. If you get a popup like this it is best never to click anywhere on the window. To close them you should right click on the Task Bar item and pick close. The popup window can be programmed so that when you click on the X (or anywhere on the window for that matter) you are actually clicking on a link that tries to download or run something.

Follow Shenan Stanley's advice. One or both of those programs should be able to at least identify if you are infected and in most cases remove the infection.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
Guest VanguardLH Posted January 3, 2009

pat wrote:
> Hi, I was just browsing and suddenly got a popup saying they were Microsoft
> (and looking like Microsoft) telling me that I had multiple viruses and
> worms. The address was "websecurityexamine.com" It was hard to get rid
> of-I just kept clicking the "x" Several times it popped up with the "run,
> open" dialog box.
>
> I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.
>
> This isn't real, is it? I've never had anything pop up like this...
>
> Thanks for your help.

Yes, it is real MALWARE. Don't bother trying to close the popup window. It is scripted to repeat opening that window if you click on any object in that window other than Run, Download, or whatever they use to get the malware on your host. Just go into Task Manager's Processes tab and kill all instances of your web browser.

Alternatively, you can create a shortcut to add to a toolbar in the Windows taskbar that kills all instances of your web browser with just one click. The shortcut runs:

%windir%\system32\taskkill.exe /im iexplore.exe /f

taskkill.exe is available on NT-based versions of Windows. You never mentioned WHICH version of Windows that you use. The above kills off all instances of Internet Explorer. You didn't mention WHICH web browser you use. If something else, specify its executable (that you see in Task Manager) instead of iexplore.exe.
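The taskkill shortcut above, generalised to any browser process name and rebuilt in PowerShell, as an added example that is not part of VanguardLH's post. It assumes Windows PowerShell 5.1 or later on a Windows host; the function names, the `-ProcessName` parameter and the shortcut path in the usage lines are my own choices, not something the thread specifies.

```powershell
# Added example (not from the thread): PowerShell equivalent of the
# "taskkill /im <browser>.exe /f" shortcut, for any browser executable.
# Assumes Windows PowerShell 5.1+ on Windows; names below are assumptions.

function Stop-BrowserInstances {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Process name as shown in Task Manager, without ".exe"
        # (iexplore for Internet Explorer; firefox, chrome, msedge for others)
        [Parameter(Mandatory = $true)]
        [string[]]$ProcessName
    )

    foreach ($name in $ProcessName) {
        # Get-Process returns nothing (and no error) when no instance is running
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            Write-Verbose "No running instance of $name.exe"
            continue
        }
        foreach ($p in $procs) {
            if ($PSCmdlet.ShouldProcess("$name.exe (PID $($p.Id))", 'Stop-Process -Force')) {
                # -Force is the equivalent of taskkill /f: the browser gets no
                # chance to run close handlers, so the page's script cannot
                # re-open the window or show another "run/open" prompt.
                Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
            }
        }
        Write-Verbose ("Stopped {0} instance(s) of {1}.exe" -f $procs.Count, $name)
    }
}

function New-BrowserKillShortcut {
    param(
        # Where to write the .lnk, e.g. "$env:USERPROFILE\Desktop\Kill IE.lnk"
        [Parameter(Mandatory = $true)]
        [string]$ShortcutPath,
        # Image name exactly as Task Manager shows it
        [string]$ImageName = 'iexplore.exe'
    )

    # Same command line as the shortcut in the post, created through the
    # WScript.Shell COM object so no dialog has to be clicked through.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath  = "$env:windir\system32\taskkill.exe"
    $lnk.Arguments   = "/im $ImageName /f"
    $lnk.Description = "Force-close every $ImageName window"
    $lnk.Save()
    return $ShortcutPath
}

# Usage (run -WhatIf first to see what would be stopped):
# Stop-BrowserInstances -ProcessName iexplore, firefox -WhatIf
# Stop-BrowserInstances -ProcessName iexplore -Verbose
# New-BrowserKillShortcut -ShortcutPath "$env:USERPROFILE\Desktop\Kill IE.lnk"
```

The `.lnk` produced by `New-BrowserKillShortcut` can be dragged onto a taskbar toolbar exactly like the hand-made shortcut in the post. Killing the process rather than clicking the window matters because, as Kerry Brown notes above, the close button on a scripted popup can itself be the link that starts the download.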
Guest PA Bear [MS MVP] Posted January 3, 2009

No it is not real. If this kinda thing happens again, close IE via Task Manager, do NOT click on anything!

Unfortunately for you, the machine's already infected.

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run additional checks for hijackware, including posting your hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2....emoving_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjunction with some other utilities). HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware/spyware with assistance from an expert. Post your log to http://spywarehammer.com/simplemachinesfor....php?board=10.0, http://forums.spybot.info/forumdisplay.php?f=22, http://aumha.net/viewforum.php?f=30, or another appropriate forum for review by an expert in such matters, not here.

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

pat wrote:
> Hi, I was just browsing and suddenly got a popup saying they were
> Microsoft
> (and looking like Microsoft) telling me that I had multiple viruses and
> worms. The address was "websecurityexamine.com" It was hard to get rid
> of-I just kept clicking the "x" Several times it popped up with the "run,
> open" dialog box.
>
> I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.
>
> This isn't real, is it? I've never had anything pop up like this...
>
> Thanks for your help.
Guest Richard Urban Posted January 3, 2009

Dump McAfee.

Install a good antivirus program, such as Avast FREE. This will update itself many times per day so that it stays current.
http://www.avast.com/eng/download-avast-home.html

Then Install ThreatFire (also FREE). This is a real time scanner that works along with your antivirus program to increase system protection. Also run the manual built in scanner weekly, after getting the latest updates. Why pay when you don't have to?
http://www.threatfire.com/

Then download | Install | Run | Update and scan with "MalwareBytes Anti Malware" (also FREE). Do run this program on a weekly basis after updating the program manually.
http://www.malwarebytes.org/mbam.php

Then download | Install | Run | Update and scan with "Super AntiSpyware" (also FREE). Do run this program on a weekly basis after updating the program manually.
http://www.superantispyware.com/

Then download | Install | and run CCleaner (also FREE). You can also use this on a schedule that YOU feel is appropriate to clean out crap files from your computer <it used to be called Crap Cleaner but they changed it to CCleaner to be politically correct after it really took off>.
http://www.ccleaner.com/download

Download and install WinPatrol (also FREE) to help protect your computer.
http://www.winpatrol.com/download.html

--
Richard Urban
Microsoft MVP Windows Desktop Experience

"pat" <pat@discussions.microsoft.com> wrote in message news:DE13618B-0D99-44A9-8287-4A6F6DFCC254@microsoft.com...
> Hi, I was just browsing and suddenly got a popup saying they were
> Microsoft
> (and looking like Microsoft) telling me that I had multiple viruses and
> worms. The address was "websecurityexamine.com" It was hard to get rid
> of-I just kept clicking the "x" Several times it popped up with the "run,
> open" dialog box.
>
> I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.
>
> This isn't real, is it? I've never had anything pop up like this...
>
> Thanks for your help.
> --
> pat
Guest Kayman Posted January 4, 2009

On Sat, 3 Jan 2009 07:41:18 -0800, pat wrote:
> Hi, I was just browsing and suddenly got a popup saying they were Microsoft
> (and looking like Microsoft) telling me that I had multiple viruses and
> worms. The address was "websecurityexamine.com" It was hard to get rid
> of-I just kept clicking the "x" Several times it popped up with the "run,
> open" dialog box.

After you've cleaned your os successfully (pertinent advice provided by resident experts) do this:

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Hundreds Click on 'Click Here to Get Infected' Ad
http://www.eweek.com/article2/0,1895,2132447,00.asp

> I'm using ZoneAlarm which I can't wait to get rid of, but it is in place.

It can be very challenging removing this software application. Oftentimes using the method in Add or Remove Programs will not do the job comprehensively enough. Good alternatives to uninstall ZA:

Uninstall/Remove ZA from your OS and DON'T re-install!
http://zonealarm.donhoover.net/uninstall.html
--or--
Revo Uninstaller
http://www.revouninstaller.com/

For the average home user, the Windows Firewall in XP and Vista does a fantastic job at its core mission and is really all you need if you have a 'real-time' anti-virus program, [another firewall on your router or] other edge protection like SeconfigXP (WinXP users only) and practise Safe-Hex. The windows firewall deals with inbound protection and therefore does not give you a false sense of security. Best of all, it doesn't implement lots of nonsense like pretending that outbound traffic needs to be monitored.

Configure WindowsXP by using:
Seconfig XP 1.1
http://seconfig.sytes.net/

Good luck :)
Guest VanguardLH Posted January 4, 2009

Richard Urban wrote:
> Install a good antivirus program, such as Avast FREE. ...
>
> Then Install ThreatFire (also FREE). ...

Threatfire will interfere with many other security products, including the Avast that you mention. Read their forums. Anyone using Avast with its Web Shield enabled will have problems with Threatfire. Besides the problems mentioned in the Threatfire forums, another result is that your host may become extremely unresponsive (it can take several minutes before explorer.exe gets unlocked so the desktop UI is usable again, and then it locks again later, and again, and again). By itself, Threatfire is okay but layering is still suggested to improve malware protection and Threatfire just doesn't work very well with other security products. You don't need to believe me. Just go visit the Threatfire and Avast forums (and do a search on the other product).
Guest Richard Urban Posted January 4, 2009

I have been running Avast and ThreatFire for about three months now. Both Avast and ThreatFire got their acts together (collaboration?) and there are currently no problems. You need the latest version of each.

--
Richard Urban
Microsoft MVP Windows Desktop Experience

"VanguardLH" <V@nguard.LH> wrote in message news:gjp8a6$je9$1@news.motzarella.org...
> Richard Urban wrote:
>
>> Install a good antivirus program, such as Avast FREE. ...
>>
>> Then Install ThreatFire (also FREE). ...
>
> Threatfire will interfere with many other security products, including
> the Avast that you mention. Read their forums. Anyone using Avast with
> its Web Shield enabled will have problems with Threatfire. Besides the
> problems mentioned in the Threatfire forums, another result is that your
> host may become extremely unresponsive (it can take several minutes
> before explorer.exe gets unlocked so the desktop UI is usable again, and
> then it lock again later, and again, and again). By itself, Threatfire
> is okay but layering is still suggested to improve malware protection
> and Threatfire just doesn't work very well with other security products.
> You don't need to believe me. Just go visit the Threatfire and Avast
> forums (and do a search on the other product).
Guest VanguardLH Posted January 4, 2009

Richard Urban wrote:
> I have been running Avast and ThreatFire for about three months now.
> Both Avast and ThreatFire got their acts together (collaboration?)
> and there are currently no problems. You need the latest version of
> each.

I do have the latest version of each. It wasn't Threatfire that solved the problem. The conflict mostly (but not always) goes away after applying a December update for Avast (which is a program update, not just a signature update). Alas, it helps on some hosts but not all of them. So far, the only reliable cure is to disable the Web Shield in Avast. However, I'd rather keep the Web Shield and uninstall Threatfire. This is a known conflict where Threatfire would get stuck in "initializing" when it tried to load. The other problem is a slowdown of the host ranging from overall impact of responsiveness to sporadic severe delays that make the host look like it is hung, then works okay for awhile, and repeat.

PC Tools bought Cyberhawk and renamed it to Threatfire. It is very light on resources. Uses very little memory and doesn't significantly impact the responsiveness of the host (when it works right). If it doesn't get stuck not loading on Windows startup and doesn't make your host appear to get hung for many minutes at random intervals or cause a general slowdown of your host then it is usable.

Don't just install and think your system is just fine with Threatfire. Install Threatfire and then monitor how your host behaves thereafter along with running all your installed applications to make sure they don't get impacted.

Got any independent testing agency to show the effectiveness of Threatfire at detecting malware? So far, I haven't found anyone that has actually measured how well Threatfire protects your host. I saw one mention that 18 of 20 pests were detected but there was an indication that the pests were selected to be those most likely to inflict users and 20 is a tiny sample size. PC Tools makes a lot of claims. I'm more interested in measured results.

Because Threatfire does not rely on signatures, it will NOT prevent malware from getting onto your host (i.e., it will install). It uses heuristics to monitor the behavior of programs (i.e., what they do) and when a set of triggers exceeds some threshold in Threatfire then it alerts on those actions - but the malware MUST install to actually see those behaviors, and it must perform enough suspicious behavior to get caught. The reviews indicate a good level of pest detection by Threatfire but falls for spotty removal of those pests.
Guest Richard Urban Posted January 4, 2009

I was fooling around when ThreatFire was still at version 3.5.

I uninstalled all my other safety programs, including Avast. I then went to one of the wrestling web sites that lays down a lot of crapware on a person's computer (forget which one now). Anyway, ThreatFire began firing windows at me. After about 25-30 warnings I killed IE7. I then reinstalled all my safety programs and ran complete scans on partition C:. I was still clean and had no problems for 2 weeks - when I reverted to an earlier image because of another condition.

Not scientific, but I was impressed.

During normal operation I get a warning every once-in-a-while that slips through Avast, or something that Avast doesn't check for.

--
Richard Urban
Microsoft MVP Windows Desktop Experience

"VanguardLH" <V@nguard.LH> wrote in message news:gjq8uf$vii$1@news.motzarella.org...
> Richard Urban wrote:
>
>> I have been running Avast and ThreatFire for about three months now.
>> Both Avast and ThreatFire got their acts together (collaboration?)
>> and there are currently no problems. You need the latest version of
>> each.
>
> I do have the latest version of each. It wasn't Threatfire that solved
> the problem. The conflict mostly (but not always) goes away after
> applying a December update for Avast (which is a program update, not
> just a signature update). Alas, it helps on some hosts but not all of
> them. So far, the only reliable cure is to disable the Web Shield in
> Avast. However, I'd rather keep the Web Shield and uninstall
> Threatfire. This is a known conflict where Threatfire would get stuck
> in "initializing" when it tried to load. The other problem is a
> slowdown of the host ranging from overall impact of responsiveness to
> sporadic severe delays that make the host look like it is hung, then
> works okay for awhile, and repeat.
>
> PC Tools bought Cyberhawk and renamed it to Threatfire. It is very
> light on resources. Uses very little memory and doesn't significantly
> impact the responsiveness of the host (when it works right). If it
> doesn't get stuck not loading on Windows startup and doesn't make your
> host appear to get hung for many minutes at random intervals or cause a
> general slowdown of your host then it is usable.
>
> Don't just install and think your system is just fine with Threatfire.
> Install Threatfire and then monitor how your host behaves thereafter
> along with running all your installed applications to make sure they
> don't get impacted.
>
> Got any independent testing agency to show the effectiveness of
> Threatfire at detecting malware? So far, I haven't found anyone that
> has actually measured how well Threatfire protects your host. I saw one
> mention that 18 of 20 pests were detected but there was an indication
> that the pests were selected to be those most likely to inflict users
> and 20 is a tiny sample size. PC Tools makes a lot of claims. I'm more
> interested in measured results.
>
> Because Threatfire does not rely on signatures, it will NOT prevent
> malware from getting onto your host (i.e., it will install). It uses
> heuristics to monitor the behavior of programs (i.e., what they do) and
> when a set of triggers exceeds some threshold in Threatfire then it
> alert on those actions - but the malware MUST install to actually see
> those behaviors, and it must perform enough suspicious behavior to get
> caught. The reviews indicate a good level of pest detection by
> Threatfire but falls for spotty removal of those pests.
Guest Stefan Kanthak Posted January 4, 2009

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote:

Your wrong email address creates backscatter to other people!

> Dump McAfee.

[ Lots of crap to install ]

No, there is ABSOLUTELY no need to install or even use any of those Anti-XXX applications. They will DEFINITELY not prevent like infections in the future!

In general all these Anti-XXX work AFTER the fact, they don't cure the cause, they just treat the symptoms (even not all of these). Especially with Trojans or Downloaders they won't (and can't) restore the system to the state before the compromise. And some of them create(d) security holes themselves: remember Witty!

The goal, however, is to PREVENT malicious code from being run in the first place, which however needs a "little" education of the user in SAFER hex!

0. Flatten the infected system and perform a clean reinstall (i.e. clear all partitions and recreate them) from scratch from the (if possible UPDATED) original media onto an NTFS formatted partition. Updated means to slipstream the current service pack and the current hotfixes into the media.
C.f. <http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>
and <http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx>

1. DON'T create user accounts during setup as they will become administrative accounts. Create "restricted" or "standard" user account(s) after setup and use ONLY these accounts for everyday work.

2. Remove all optional components which installed automatically but you don't need.

3. Turn off all unused services: you won't need File and Printer Sharing when you don't have a LAN, and almost never DCOM or RPC. See <http://ntsvcfg.de/ntsvcfg_eng.html> for more.

4. Turn off possibly dangerous functions like AutoRun and AutoPlay!

5. Turn on Software Restriction Policies a.k.a. SAFER (unfortunately XP Home needs the registry to be edited directly) and set the default level to "Not allowed" except for the "Administrators" (and remove .LNK from the list of executables): this allows execution only in %SystemRoot% and below as well as %ProgramFiles% and below. Thus your standard user(s) can only run applications installed into paths where they don't have write access, and vice versa. Additionally consider <http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx>

6. Use a safe
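A way to verify that a machine's Software Restriction Policies actually match step 5 above, as an added PowerShell example that is not part of Stefan Kanthak's post. It reads the SAFER settings from their documented location under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer (the key XP Home users have to edit directly, as the post notes) and reports every deviation from "default level Not allowed, administrators exempt, DLLs covered, .LNK not an executable type, Unrestricted rules only for %SystemRoot% and %ProgramFiles%". The function names and the pattern used to recognise those two system locations are my own assumptions, and the check covers only the local policy, not one pushed by a domain GPO.

```powershell
# Added example (not from the thread): audit local SRP / SAFER settings
# against the configuration described in step 5. Assumes Windows
# PowerShell 5.1+ run elevated; reads the documented SAFER registry layout.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values used by SAFER (decimal)
$levelNames = @{
    0      = 'Disallowed (Not allowed)'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SaferPathRules {
    # Returns the path rules stored under one security level
    # (each rule is a GUID-named subkey whose ItemData holds the path)
    param([Parameter(Mandatory = $true)][int]$Level)
    $ruleKey = Join-Path $saferRoot "$Level\Paths"
    if (-not (Test-Path $ruleKey)) { return @() }
    Get-ChildItem $ruleKey | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Level = $levelNames[$Level]
            Path  = $rule.ItemData
            Guid  = $_.PSChildName
        }
    }
}

function Test-SaferConfiguration {
    # Returns a list of findings; an empty list means the policy matches
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $saferRoot)) {
        $findings.Add('Software Restriction Policies are not configured at all.')
        return $findings
    }
    $cfg = Get-ItemProperty $saferRoot

    # 1. Default level must be Disallowed (0): run nothing unless a rule allows it
    if ($null -eq $cfg.DefaultLevel) {
        $findings.Add('DefaultLevel is not set.')
    } elseif ($cfg.DefaultLevel -ne 0) {
        $findings.Add(("DefaultLevel is '{0}'; expected Disallowed." -f $levelNames[[int]$cfg.DefaultLevel]))
    }

    # 2. PolicyScope 1 = all users except local administrators
    if ($cfg.PolicyScope -ne 1) {
        $findings.Add('PolicyScope applies to administrators as well (expected: all users except local administrators).')
    }

    # 3. TransparentEnabled 2 = enforce for all software files including DLLs
    if ($cfg.TransparentEnabled -ne 2) {
        $findings.Add('TransparentEnabled does not cover libraries/DLLs (expected 2).')
    }

    # 4. .LNK must be removed from ExecutableTypes, otherwise every shortcut
    #    living outside the allowed paths (desktop, Start menu) stops working
    if ($cfg.ExecutableTypes -contains 'LNK') {
        $findings.Add('LNK is still listed in ExecutableTypes.')
    }

    # 5. Every Unrestricted path rule should point at %SystemRoot% or
    #    %ProgramFiles%; any other allowed path widens what a standard user
    #    may run, and is a problem if that user can write there.
    $systemPattern = 'SystemRoot|ProgramFiles|Program Files|windir'   # assumption
    foreach ($rule in (Get-SaferPathRules -Level 262144)) {
        if ($rule.Path -notmatch $systemPattern) {
            $findings.Add("Unrestricted path rule outside the system locations: $($rule.Path)")
        }
    }
    return $findings
}

# Usage
$result = Test-SaferConfiguration
if ($result.Count -eq 0) {
    'SRP configuration matches the recommended SAFER settings.'
} else {
    'Findings:'
    $result | ForEach-Object { " - $_" }
}
```

Run it after applying the policy and again after any software installation: installers that add their own "Unrestricted" path rules for a user-writable directory quietly undo the "no execution where the user can write" property the post relies on, and item 5 of the report is what catches that.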
Guest VanguardLH Posted January 5, 2009

Richard Urban wrote:
> I was fooling around when ThreatFire was still at version 3.5.
>
> I uninstalled all my other safety programs, including Avast. I then went to
> one of the wrestling web sites that lays down a lot of crapware on a persons
> computer (forget which one now). Anyway, ThreatFire began firing windows at
> me. After about 25-30 warnings I killed IE7. I then reinstalled all my
> safety programs and ran complete scans on partition C:. I was still clean
> and had no problems for 2 weeks - when I reverted to an earlier image
> because of another condition.
>
> Not scientific, but I was impressed.
>
> During normal operation I get a warning every once-in-a-while that slips
> through Avast, or something that Avast doesn't check for.

Actually I'd like to use Threatfire but can't (because of the aforementioned problems). Alas. Maybe someday they'll have a magic version (i.e., one that suddenly relieves many of the reported problems) and I can try it again.
Guest Rabbit Posted January 5, 2009

BoClean from www.comodo.com works very much in the same way. I used that for about 1 1/2 years before ThreatFire.

"VanguardLH" <V@nguard.LH> wrote in message news:gjrjpl$iqk$1@news.motzarella.org...
> Richard Urban wrote:
>
>> I was fooling around when ThreatFire was still at version 3.5.
>>
>> I uninstalled all my other safety programs, including Avast. I then went
>> to
>> one of the wrestling web sites that lays down a lot of crapware on a
>> persons
>> computer (forget which one now). Anyway, ThreatFire began firing windows
>> at
>> me. After about 25-30 warnings I killed IE7. I then reinstalled all my
>> safety programs and ran complete scans on partition C:. I was still
>> clean
>> and had no problems for 2 weeks - when I reverted to an earlier image
>> because of another condition.
>>
>> Not scientific, but I was impressed.
>>
>> During normal operation I get a warning every once-in-a-while that slips
>> through Avast, or something that Avast doesn't check for.
>
> Actually I'd like to use Threatfire but can't (because of the
> aforementioned problems). Alas. Maybe someday they'll have a magic
> version (i.e., one that suddenly relieves many of the reported problems)
> and I can try it again.
Guest VanguardLH Posted January 5, 2009

Rabbit wrote:
> VanguardLH wrote ...
>>
>> Richard Urban wrote:
>>
>>> I was fooling around when ThreatFire was still at version 3.5.
>>>
>>> I uninstalled all my other safety programs, including Avast. I then went
>>> to
>>> one of the wrestling web sites that lays down a lot of crapware on a
>>> persons
>>> computer (forget which one now). Anyway, ThreatFire began firing windows
>>> at
>>> me. After about 25-30 warnings I killed IE7. I then reinstalled all my
>>> safety programs and ran complete scans on partition C:. I was still
>>> clean
>>> and had no problems for 2 weeks - when I reverted to an earlier image
>>> because of another condition.
>>>
>>> Not scientific, but I was impressed.
>>>
>>> During normal operation I get a warning every once-in-a-while that slips
>>> through Avast, or something that Avast doesn't check for.
>>
>> Actually I'd like to use Threatfire but can't (because of the
>> aforementioned problems). Alas. Maybe someday they'll have a magic
>> version (i.e., one that suddenly relieves many of the reported problems)
>> and I can try it again.
>
> BoClean from www.comodo.com works very much in the same way. I used that for
> about 1 1/2 years before ThreatFire.

BOClean (Back Orifice Clean) was purchased by Comodo. It has not received any development work on it for a long time. It still can get signature updates but the heuristics are antiquated. Rather than scan files, it scans memory for trojans (and the only type of pest which it detects). The author has stated that the product is antiquated and that was in a discussion somewhere around 1-1/2 years ago. It has devolved into a signature-based detection tool and only for a limited number of specific-type of pests.

If you feel compelled to increase the layering of your security suite, you could add BOClean but it offers almost nothing in advantage over other more recent and currently supported anti-malware products. BOClean is a long-stagnant and largely ineffective security product - unless it's the only security product you use but expect it to miss a LOT of malware. Its purpose is limited and its coverage is also limited so it will necessarily miss a lot of malware.

BOClean is ancientware. Its time has long passed. There hasn't been any ongoing development to add or improve on the heuristics so now it's primarily a signature-based detection tool but which only scans memory images (as a means of eliminating polymorphism used to disguise the same content within files but disappears when the image is loaded into memory). Database updates for signatures are few and extremely infrequent. If all you wanted was signature-based detection, there are better products than BOClean and that cover more than just trojan malware.

Comodo's intent (but never realized) was to incorporate the memory scan algorithms for trojan detection from BOClean into their AntiVirus product. Never happened or separate development in their antivirus product to scan memory obviated the need to port any code over from BOClean. Alas, Comodo's antivirus product has been deliberately kept in beta status for around 3 years to prevent it from being compared against other antivirus products (which often also incorporate malware detection). When reported that they only detected 38% of the pest sample, their counter was that the product was still in beta status, and it remained in beta status. They never did get their AV product out of beta status. Instead, they shoved it into their Internet Suite along with their excellent firewall+HIPS product. If Comodo ever did incorporate BOClean into their AV product as they claimed, they kept it a secret. More likely there wasn't anything salvageable from BOClean to bother including in currently developed security products.

Comodo's firewall+HIPS is excellent. Comodo's antivirus sucks. Comodo let BOClean languish. BOClean? No thanks.