• Status: Solved

Internet hack trouble with fake MSE graphic.

Hello.

Here is a graphic that shows up on my screen...
Full screen grab of hack into my computer.
This has shown up 2-3 times in the last 10 days while I'm browsing websites with IE 11.  You can see in the full screen grab above, the purported URL from which this is coming.  I'll be browsing a web site and suddenly when I select something, I lose the screen I was on and this takes over my browser window.

There is another dialogue box that comes up on top of this screen that is from the OS somehow.  It is small, and looks very much like what you see when using the MSG.exe command over a network.  It says something like the webpage has discovered a problem and you need to clean your computer immediately.  I think I clicked the dialogue box away if I remember correctly, then have to quit IE, if I remember correctly.

Details.
I am running Surface RT so I cannot turn off Windows Update which means my Windows Defender that is provided with RTs is up to date on virus/malware issues as far as Microsoft knows.  You cannot get MSE for RTs, but Windows Defender GUI looks just like MSE.  I ran a full scan using Defender just to say I did.  It reported no problems and my system is protected.  My ARM processor is Nvidia Tegra 3 Quad core 1.3 GHz, in Surface RT with Windows 8.1 RT.  Regedit for ...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\AllowRemoteRPC is set to 0, and "Allow remote assistance connections" is off in the system control panel.  The Surface RT is on WiFi to Apple Airport (maybe 7 years old) which is Ethernet connected to Motorola SB series cable modem (maybe 7 years old) to Comcast.  Under Security control panel, Firewall and everything is on and ok except for "Network Access Protection Agent" which was not running.  Looking into it, I found it off and set to manual.  I changed it to automatic and started it.  It is on now.


1.  Is it really that easy to send something to a protected system?
2.  Is there a checklist of things to do to close down security issues to prevent this?
3.  Was my off status of the NAP agent how they got to me, or unrelated?
4.  Is there any useful intelligence I can gather if they do it again?
5.  Shouldn't Windows Defender tell me my NAP agent is off?

Any answers or advice would be awesome.  Thank you.

Chris
Christopher Jay Wolff
3 Solutions
 
Sajid Shaik M (Sr. System Admin) Commented:
It seems to be malware ... a browser hijacker ... which is generating fake alerts ... of Microsoft Security Essentials.

Here, check the instructions for removal of the fake alerter:

https://forums.malwarebytes.org/index.php?showtopic=62507

You can download Malwarebytes from the following link:

www.malwarebytes.org
 
marsilies Commented:
"Network Access Protection Agent" is a feature primarily for corporate environments; it reports from a client PC back to a server to make sure its settings are correct. It's set by default to manual start, so it's not the cause of your problems: See these links for more on NAP:
http://answers.microsoft.com/en-us/windows/forum/windows_8-networking/do-i-need-the-network-access-protection-agent/057037ec-4953-45d7-9465-0539cfacba05
http://searchconsumerization.techtarget.com/definition/network-access-protection-NAP

Does the web page hijack occur in the Metro version of IE? From the screenshot it looks like you're using the desktop version.

Is it just one website that's affected? It could be the website that's been hacked to serve up these false alerts.


@Shaik M. Sajid: Malwarebytes won't run on Windows RT
 
serialband Commented:
I don't believe you can install Malwarebytes on Windows RT, since it's ARM based.  You may have to refresh your browser or delete all your browser settings to clear it.  That also means that most normal Windows viruses will not work on your system.  Browser hijacking is still a possibility, so you should type in your browser links and avoid clicking on spam.

http://forums.wpcentral.com/microsoft-surface-windows-rt/217496-virus-surface-rt.html


You can enable tracker protection as an alternative to adblock plus (which you can't install).  http://www.edandersen.com/2012/10/28/adblock-alternative-on-windows-rts-ie10/

You can install easy list to your Tracker Protection List.
http://blog.hougaard.com/easy-way-to-add-adblock-to-ie-11-incl-windows-rt-version/

 
Christopher Jay Wolff (Wiggle My Legs, Owner), Author, Commented:
Thank you very much everyone for your quick and helpful responses!!  Am checking email on coffee break right now, will be able to look at this late tonight EST and more tomorrow.  I had not heard of web page hijacking before.  And thanks for resubmitting Shaik M. Sajid.

It is the desktop version of IE 11.

So far this exact same thing happened on two different days while on two totally different sites.  First time, I was on msn.com and clicked on a news item to read, and at the bottom of the news article they have those spammy looking links to click on for $9 car insurance and such.  One of those let this happen.  Last night it was my resume site, beyond.com/Christopherjaywolff and I cannot remember what I was clicking on.  I think it was my resume update info.  However, about 5 minutes prior I had clicked on a banner ad above my resume for some site that wants to help people publish books called AuthorHouse.  They had typos in their ad so I figured when I write my memoirs I might not have them edit it.  Maybe they'll improve by then though.

The thing is there never seems to be any damage done.  Everything seems to work fine with no data loss after I reboot and/or reset Surface power.  No problems detected.  So it seems like a really annoying thing that is just annoying.  Don't want to be gullible though.

More tonight or tomorrow..
 
serialband Commented:
It sounds like both times you clicked on, or just loaded, spam links.  You should just block them from loading.  They sometimes insert code that the main sites don't know about unless someone complains.  Browser hijacking is common now that Microsoft has somewhat locked down their systems and made it more difficult to get access.  It's an easier avenue to exploit because some people are quite easily swayed by flashy ads.
 
Merete Commented:
I think you got spammed: "spammy looking links to click on for $9 car insurance and such.  One of those let this happen."
Check your start-up group/ programs for any new installed software.
Look in uninstall a program also.
Reset Internet Explorer to default settings. This will delete everything including your passwords.
Try Eset online scanner; this is an excellent tool and I get very good results.
http://www.eset.com/au/home/products/online-scanner/

Flash Cookie Cleaner is also a good tool to keep in your itinerary.
http://www.flashcookiecleaner.com/

Can you run hijackthis on your system?
Post back the results
Install hijackthis to a folder then extract it inside that folder/run it and do a system scan and save a log.
Post the log back here.
http://sourceforge.net/projects/hjt/

I'd also suggest resetting your router to factory defaults; please ensure you know all the settings to put back. Viruses can also interfere with the router, preventing your system from being cleaned.
I have a spare new one that I use for this purpose.
 
serialband Commented:
I don't believe he can install any of those on a Surface RT with an ARM processor.
 
Merete Commented:
Thanks serialband, I had wondered.

I believed hijackthis is not actually installing, as it is a self-extracting executable.
I just extract it to the same folder as the zip in my downloads.
Can't say about Eset; it downloads the latest virus database so it can be run offline.
If it is Surface pro, does it support them?
The point is
No security software can protect when the user clicks on a potential malware and to run a scan as they are active.
Installs hack tools lol?
The fact he gets this warning indicates those pages have privacy threats and other bad stuff on them and he is getting flagged. So his security is just telling him it found some potential.
If I may
Here is the user guide
Surface 2 User Guide
With Windows RT 8.1 Software
http://download.microsoft.com/download/B/D/4/BD44C612-D08E-4586-9345-ACA8AB978BC8/en-us_Surface_2_User_Guide.pdf
scroll to page 90 and see
How can I help protect my Surface from viruses?
Windows RT includes up-to-date virus and malware protection called Windows Defender. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender is always on and can't be turned off.
To manually scan Surface by using Windows Defender, see How do I find and remove a virus? on Windows.com.
http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus

Notes:
If you're using Windows 8.1, you can run a scanner or antimalware app provided by another company if you prefer.
To keep your PC running smoothly, you should only install and run one antimalware app at a time.
If you're using Windows RT 8.1, Windows Defender is always on and can't be turned off.
Hope that helps.
Regards Merete
 
serialband Commented:
It's an ARM processor.  You can't run binaries designed for x86 or x64.  Unless they've specifically compiled for ARM, the installer or binary executable won't run.

Tracker protection is available on Surface RT and installing/enabling easylist is likely the only choice available to reduce attacks for the moment.
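As an added illustration of the Tracking Protection List suggestion in serialband's posts (not part of the thread or of the linked articles): a short Python sketch that converts plain Adblock Plus style host rules, the syntax EasyList uses, into the TPL text format that IE loads. The sample rules and `.example` domains are constructed; only the `msFilterList` header and the `: Expires=`, `-d` and `+d` directives are emitted, and every rule that cannot be expressed that way is reported as skipped.

```python
import re

# Constructed sample in Adblock Plus filter syntax (the syntax EasyList uses).
SAMPLE_RULES = """\
! Title: constructed sample list
||ads.example^
||popups.example^$third-party
@@||cdn.example^
##.ad-banner
/banner/ads/*
||scripts.example^$script
||tracker.example/pixel.gif
"""

_DOMAIN = r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?"
# (@@)||host[/path][^][$options]  -- only plain host rules are convertible.
_HOST_RULE = re.compile(
    rf"^(@@)?\|\|({_DOMAIN})(/[^\s^$*|]*)?\^?(?:\$(.*))?$", re.IGNORECASE
)


def to_tpl(adblock_text, expires_days=1):
    """Return (tpl_text, skipped_rules) for the convertible host rules."""
    out = ["msFilterList", f": Expires={expires_days}"]
    skipped = []
    for raw in adblock_text.splitlines():
        rule = raw.strip()
        if not rule or rule[0] in "![":  # blank, comment, or list header
            continue
        m = _HOST_RULE.match(rule)
        # Skip what this converter does not map to a TPL line: element
        # hiding, wildcards, and options other than third-party.
        if not m or (m.group(4) not in (None, "third-party")):
            skipped.append(rule)
            continue
        allow, domain, path, _ = m.groups()
        entry = f"{'+d' if allow else '-d'} {domain.lower()}"
        if path and path != "/":
            entry += f" {path}"  # TPL: domain followed by a URL substring
        out.append(entry)
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    tpl, skipped = to_tpl(SAMPLE_RULES)
    print(tpl)
    print("skipped:", skipped)
```

Reviewing the skipped list matters as much as the output: a list that silently drops most of its rules gives less coverage than its size suggests.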
 
Christopher Jay Wolff (Wiggle My Legs, Owner), Author, Commented:
Yes, Marsilies and Serialband are correct, although it will take time for me to prove out EasyList and master the use of Event Viewer for apps and system issues.  I found Malwarebytes interesting because of their leading position in the industry and sent an email request to port their product to ARM.  Maybe enough votes like that will get them to do it some day.  Great stuff people!!  I hope the point spread is alright.  Thank you all.
Question has a verified solution.
