Internet hack trouble with fake MSE graphic.

Posted on 2014-04-22
Last Modified: 2014-04-24

Here is a graphic that shows up on my screen...
Full screen grab of hack into my computer.
This has shown up 2-3 times in the last 10 days while I'm browsing websites with IE 11.  You can see in the full screen grab above, the purported URL from which this is coming.  I'll be browsing a web site and suddenly when I select something, I lose the screen I was on and this takes over my browser window.

There is another dialogue box that comes up on top of this screen that is from the OS somehow.  It is small, and looks very much like what you see when using the MSG.exe command over a network.  It says something like the webpage has discovered a problem and you need to clean your computer immediately.  I think I clicked the dialogue box away if I remember correctly, then have to quit IE, if I remember correctly.

I am running Surface RT so I cannot turn off Windows Update which means my Windows Defender that is provided with RTs is up to date on virus/malware issues as far as Microsoft knows.  You cannot get MSE for RTs, but Windows Defender GUI looks just like MSE.  I ran a full scan using Defender just to say I did.  It reported no problems and my system is protected.  My ARM processor is Nvidia Tegra 3 Quad core 1.3 GHz, in Surface RT with Windows 8.1 RT.  Regedit for ...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\AllowRemoteRPC is set to 0, and "Allow remote assistance connections" is off in the system control panel.  The Surface RT is on WiFi to Apple Airport (maybe 7 years old) which is Ethernet connected to Motorola SB series cable modem (maybe 7 years old) to Comcast.  Under Security control panel, Firewall and everything is on and ok except for "Network Access Protection Agent" which was not running.  Looking into it, I found it off and set to manual.  I changed it to automatic and started it.  It is on now.

1.  Is it really that easy to send something to a protected system?
2.  Is there a checklist of things to do to close down security issues to prevent this?
3.  Was my off status of the NAP agent how they got to me, or unrelated?
4.  Is there any useful intelligence I can gather if they do it again?
5.  Shouldn't Windows Defender tell me my NAP agent is off?

Any answers or advice would be awesome.  Thank you.

Question by:Christopher Jay Wolff
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 20 total points
ID: 40018117
It seems to be malware... a browser hijacker... which is generating fake alerts... of Microsoft Security Essentials.

Here, check the instructions for removal of the fake alerter.

You can download Malwarebytes from the following link...
LVL 20

Assisted Solution

marsilies earned 230 total points
ID: 40018405
"Network Access Protection Agent" is a feature primarily for corporate environments; it reports from a client PC back to a server to make sure its settings are correct. It's set by default to manual start, so it's not the cause of your problems: See these links for more on NAP:

Does the web page hijack occur in the Metro version of IE? From the screenshot it looks like you're using the desktop version.

Is it just one website that's affected? It could be the website that's been hacked to serve up these false alerts.

@Shaik M. Sajid: Malwarebytes won't run on Windows RT
LVL 29

Accepted Solution

serialband earned 250 total points
ID: 40018408
I don't believe you can install Malwarebytes on Windows RT, since it's ARM based.  You may have to refresh your browser or delete all your browser settings to clear it.  That also means that most normal Windows viruses will not work on your system.  Browser hijacking is still a possibility, so you should type in your browser links and avoid clicking on spam.

You can enable tracker protection as an alternative to adblock plus (which you can't install).

You can install EasyList to your Tracker Protection List.

Author Comment

by:Christopher Jay Wolff
ID: 40018526
Thank you very much everyone for your quick and helpful responses!!  Am checking email on coffee break right now, will be able to look at this late tonight EST and more tomorrow.  I had not heard of web page hijacking before.  And thanks for resubmitting Shaik M. Sajid.

It is the desktop version of IE 11.

So far this exact same thing happened on two different days while on two totally different sites.  First time, I was on and clicked on a news item to read, and at the bottom of the news article they have those spammy looking links to click on for $9 car insurance and such.  One of those let this happen.  Last night it was my resume site, and I cannot remember what I was clicking on.  I think it was my resume update info.  However, about 5 minutes prior I had clicked on a banner ad above my resume for some site that wants to help people publish books called AuthorHouse.  They had typos in their ad so I figured when I write my memoirs I might not have them edit it.  Maybe they'll improve by then though.

The thing is there never seems to be any damage done.  Everything seems to work fine with no data loss after I reboot and/or reset Surface power.  No problems detected.  So it seems like a really annoying thing that is just annoying.  Don't want to be gullible though.

More tonight or tomorrow..
LVL 29

Expert Comment

ID: 40018732
It sounds like both times you clicked on, or just loaded, spam links.  You should just block them from loading.  They sometimes insert code that the main sites don't know about unless someone complains.  Browser hijacking is common now that Microsoft has somewhat locked down their systems and made it more difficult to get access.  It's an easier avenue to exploit because some people are quite easily swayed by flashy ads.
LVL 70

Expert Comment

ID: 40019294
I think you got spammed: "spammy looking links to click on for $9 car insurance and such.  One of those let this happen."
Check your start-up group/ programs for any new installed software.
Look in uninstall a program also.
Reset Internet Explorer to default settings. This will delete everything including your passwords.
Try Eset online scanner this is an excellent tool and I get very good results.

Flash Cookie Cleaner is also a good tool to keep in your itinerary.

Can you run hijackthis on your system?
Post back the results
Install hijackthis to a folder then extract it inside that folder/run it and do a system scan and save a log.
Post the log back here.

I'd also suggest resetting your router to factory defaults. Please ensure you know all the settings to put back; viruses can also interfere with the router, preventing your system from being cleaned.
I have a spare new one that I use for this purpose.
LVL 29

Expert Comment

ID: 40019328
I don't believe he can install any of those on a Surface RT with an ARM processor.
LVL 70

Expert Comment

ID: 40019363
Thanks serialband, I had wondered.

I believed HijackThis is not actually installing, as it is a self-extracting executable.
I just extract it to the same folder as the zip in my downloads.
Can't say about Eset; it downloads the latest virus database so it can be run offline.
If it is Surface pro, does it support them?
The point is
No security software can protect when the user clicks on a potential malware and to run a scan as they are active.
Installs hack tools lol?
The fact he gets this warning indicates those pages have privacy threats and other bad stuff on them and he is getting flagged. So his security is just telling him it found some potential.
If I may
Here is the user guide
Surface 2 User Guide
With Windows RT 8.1 Software
scroll to page 90 and see
How can I help protect my Surface from viruses?
Windows RT includes up-to-date virus and malware protection called Windows Defender. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender is always on and can't be turned off.
To manually scan Surface by using Windows Defender, see How do I find and remove a virus? on

If you're using Windows 8.1, you can run a scanner or antimalware app provided by another company if you prefer.
To keep your PC running smoothly, you should only install and run one antimalware app at a time.
If you're using Windows RT 8.1, Windows Defender is always on and can't be turned off.
Hope that helps.
Regards Merete
LVL 29

Expert Comment

ID: 40020109
It's an ARM processor.  You can't run binaries designed for x86 or x64.  Unless they've specifically compiled for ARM, the installer or binary executable won't run.

Tracker protection is available on Surface RT and installing/enabling easylist is likely the only choice available to reduce attacks for the moment.
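
The architecture point made in the comment above can be checked on any downloaded tool before trying to run it. The following is an added example, not part of the original thread: it reads the Machine field from a PE header and reports whether the file was built for 32-bit ARM, the CPU type in the Surface RT. The function names and the stub bytes are constructed for illustration.

```python
import struct

# COFF Machine values from the PE file header.
MACHINES = {
    0x014C: "x86",
    0x8664: "x64",
    0x01C4: "ARM 32-bit (Thumb-2)",  # IMAGE_FILE_MACHINE_ARMNT, used by Windows RT
    0xAA64: "ARM64",
}
ARMNT = 0x01C4


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image; raise ValueError if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def built_for_arm32(data: bytes) -> bool:
    """True only when the image targets 32-bit ARM; non-PE data is False."""
    try:
        return pe_machine(data) == ARMNT
    except ValueError:
        return False


def describe(data: bytes) -> str:
    """Human-readable name for the image's target architecture."""
    machine = pe_machine(data)
    return MACHINES.get(machine, f"unknown (0x{machine:04X})")


def make_stub(machine: int) -> bytes:
    """Constructed sample: the smallest header this parser accepts."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    for m in (0x014C, 0x8664, 0x01C4):
        stub = make_stub(m)
        print(describe(stub), "-> ARM build:", built_for_arm32(stub))
```

A match means only that the file was compiled for the right CPU; to check a real download, pass the first few kilobytes of the file to `describe()`.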

Author Closing Comment

by:Christopher Jay Wolff
ID: 40020238
Yes, Marsilies and Serialband are correct, although it will take time for me to prove out EasyList and master the use of Event Viewer for apps and system issues.  I found Malwarebytes interesting because of their leading position in the industry and sent an email request to port their product to ARM.  Maybe enough votes like that will get them to do it some day.  Great stuff people!!  I hope the point spread is alright.  Thank you all.
