Solved

Internet hack trouble with fake MSE graphic.

Posted on 2014-04-22
11
1,244 Views
Last Modified: 2014-04-24
Hello.

Here is a graphic that shows up on my screen...
[Screenshot: Full screen grab of hack into my computer.]
This has shown up 2-3 times in the last 10 days while I'm browsing websites with IE 11.  You can see in the full screen grab above, the purported URL from which this is coming.  I'll be browsing a web site and suddenly when I select something, I lose the screen I was on and this takes over my browser window.

There is another dialogue box that comes up on top of this screen that is from the OS somehow.  It is small, and looks very much like what you see when using the MSG.exe command over a network.  It says something like the webpage has discovered a problem and you need to clean your computer immediately.  I think I clicked the dialogue box away if I remember correctly, then have to quit IE, if I remember correctly.

Details.
I am running Surface RT so I cannot turn off Windows Update, which means my Windows Defender that is provided with RTs is up to date on virus/malware issues as far as Microsoft knows.  You cannot get MSE for RTs, but the Windows Defender GUI looks just like MSE.  I ran a full scan using Defender just to say I did.  It reported no problems and my system is protected.  My ARM processor is an Nvidia Tegra 3 quad core 1.3 GHz, in Surface RT with Windows 8.1 RT.  Regedit for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\AllowRemoteRPC is set to 0, and "Allow remote assistance connections" is off in the system control panel.  The Surface RT is on WiFi to an Apple Airport (maybe 7 years old) which is Ethernet connected to a Motorola SB series cable modem (maybe 7 years old) to Comcast.  Under the Security control panel, Firewall and everything is on and OK except for "Network Access Protection Agent" which was not running.  Looking into it, I found it off and set to manual.  I changed it to automatic and started it.  It is on now.


1.  Is it really that easy to send something to a protected system?
2.  Is there a checklist of things to do to close down security issues to prevent this?
3.  Was my off status of the NAP agent how they got to me, or unrelated?
4.  Is there any useful intelligence I can gather if they do it again?
5.  Shouldn't Windows Defender tell me my NAP agent is off?

Any answers or advice would be awesome.  Thank you.

Chris
0
Question by:Christopher Jay Wolff
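The configuration checks listed in the question (AllowRemoteRPC, Remote Assistance, the NAP agent, Defender and the firewall), gathered into one read-only PowerShell audit script. This is an added example, not code from the original post. It assumes Windows 8.x / RT with the built-in Windows PowerShell; the service names napagent, WinDefend and MpsSvc, the Remote Assistance value fAllowToGetHelp, and the Get-NetFirewallProfile cmdlet are the standard Windows names, and the Terminal Server key is written with the space it has in the registry.

```powershell
# Added example: audit the settings discussed in the question on a Windows 8.x / RT box.
# Run from an elevated Windows PowerShell prompt. Read-only: it changes nothing.

$findings = @()

# 1. Remote RPC for Terminal Services (the question expects 0 = disabled).
#    The real key path is "Terminal Server" (with a space).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$allowRemoteRpc = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).AllowRemoteRPC
$findings += [pscustomobject]@{
    Check    = 'AllowRemoteRPC'
    Value    = $allowRemoteRpc
    Expected = 0
    OK       = ($allowRemoteRpc -eq 0)
}

# 2. Remote Assistance ("Allow remote assistance connections" in the System control panel).
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$raEnabled = (Get-ItemProperty -Path $raKey -ErrorAction SilentlyContinue).fAllowToGetHelp
$findings += [pscustomobject]@{
    Check    = 'RemoteAssistance (fAllowToGetHelp)'
    Value    = $raEnabled
    Expected = 0
    OK       = ($raEnabled -eq 0)
}

# 3. Services. WinDefend and MpsSvc (Windows Firewall) should be running.
#    napagent (Network Access Protection Agent) is Manual by default and only matters
#    on a domain with a NAP server, so it is reported for information but never flagged.
$services = @(
    @{ Name = 'WinDefend'; Required = $true  }
    @{ Name = 'MpsSvc';    Required = $true  }
    @{ Name = 'napagent';  Required = $false }
)
foreach ($s in $services) {
    $svc   = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $expected = if ($s.Required) { 'Running' } else { 'any (informational)' }
    $findings += [pscustomobject]@{
        Check    = "Service $($s.Name)"
        Value    = $state
        Expected = $expected
        OK       = ((-not $s.Required) -or ($state -eq 'Running'))
    }
}

# 4. Firewall profiles: Domain, Private and Public should all be enabled.
$profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $findings += [pscustomobject]@{
        Check    = "Firewall profile $($p.Name)"
        Value    = $p.Enabled
        Expected = 'True'
        OK       = ($p.Enabled -eq 'True')
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more checks are not in the expected state.'
}
```

The script deliberately treats the NAP agent as informational: as the thread goes on to point out, it is Manual by default and has nothing to do with a page hijack, so a "not running" result there is not a finding.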
11 Comments
 
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 20 total points
ID: 40018117
It seems a malware ... browser hijacker ... which is generating fake alerts ... of Microsoft Security Essentials.

Here, check the instructions for removal of the fake alerter:

https://forums.malwarebytes.org/index.php?showtopic=62507

You can download Malwarebytes from the following link:

www.malwarebytes.org
0
 
LVL 19

Assisted Solution

by:marsilies
marsilies earned 230 total points
ID: 40018405
"Network Access Protection Agent" is a feature primarily for corporate environments; it reports from a client PC back to a server to make sure its settings are correct. It's set by default to manual start, so it's not the cause of your problems. See these links for more on NAP:
http://answers.microsoft.com/en-us/windows/forum/windows_8-networking/do-i-need-the-network-access-protection-agent/057037ec-4953-45d7-9465-0539cfacba05
http://searchconsumerization.techtarget.com/definition/network-access-protection-NAP

Does the web page hijack occur in the Metro version of IE? From the screenshot it looks like you're using the desktop version.

Is it just one website that's affected? It could be the website that's been hacked to serve up these false alerts.


@Shaik M. Sajid: Malwarebytes won't run on Windows RT
0
 
LVL 27

Accepted Solution

by:serialband
serialband earned 250 total points
ID: 40018408
I don't believe you can install malwarebytes on Windows RT, since it's ARM based.  You may have to refresh your browser or delete all your browser settings to clear it.  That also means that most normal Windows viruses will not work on your system.  Browser hijacking is still a possibility, so you should type in your browser links and avoid clicking on spam.

http://forums.wpcentral.com/microsoft-surface-windows-rt/217496-virus-surface-rt.html


You can enable tracker protection as an alternative to adblock plus (which you can't install).  http://www.edandersen.com/2012/10/28/adblock-alternative-on-windows-rts-ie10/

You can install easy list to your Tracker Protection List.
http://blog.hougaard.com/easy-way-to-add-adblock-to-ie-11-incl-windows-rt-version/
0
 
LVL 9

Author Comment

by:Christopher Jay Wolff
ID: 40018526
Thank you very much everyone for your quick and helpful responses!!  Am checking email on coffee break right now, will be able to look at this late tonight EST and more tomorrow.  I had not heard of web page hijacking before.  And thanks for resubmitting Shaik M. Sajid.

It is the desktop version of IE 11.

So far this exact same thing happened on two different days while on two totally different sites.  First time, I was on msn.com and clicked on a news item to read, and at the bottom of the news article they have those spammy looking links to click on for $9 car insurance and such.  One of those let this happen.  Last night it was my resume site, beyond.com/Christopherjaywolff, and I cannot remember what I was clicking on.  I think it was my resume update info.  However, about 5 minutes prior I had clicked on a banner ad above my resume for some site that wants to help people publish books called AuthorHouse.  They had typos in their ad so I figured when I write my memoirs I might not have them edit it.  Maybe they'll improve by then though.

The thing is there never seems to be any damage done.  Everything seems to work fine with no data loss after I reboot and/or reset Surface power.  No problems detected.  So it seems like a really annoying thing that is just annoying.  Don't want to be gullible though.

More tonight or tomorrow..
0
 
LVL 27

Expert Comment

by:serialband
ID: 40018732
It sounds like both times you clicked on, or just loaded, spam links.  You should just block them from loading.  They sometimes insert code that the main sites don't know about unless someone complains.  Browser hijacking is common now that Microsoft has somewhat locked down their systems and made it more difficult to get access.  It's an easier avenue to exploit because some people are quite easily swayed by flashy ads.
0
 
LVL 69

Expert Comment

by:Merete
ID: 40019294
I think you got spammed: "spammy looking links to click on for $9 car insurance and such.  One of those let this happen."
Check your start-up group/ programs for any new installed software.
Look in uninstall a program also.
Reset Internet Explorer to default settings. This will delete everything including your passwords.
Try Eset online scanner this is an excellent tool and I get very good results.
http://www.eset.com/au/home/products/online-scanner/

Flash Cookie Cleaner is also a good tool to keep in your itinerary.
http://www.flashcookiecleaner.com/

Can you run hijackthis on your system?
Post back the results
Install hijackthis to a folder then extract it inside that folder/run it and do a system scan and save a log.
Post the log back here.
http://sourceforge.net/projects/hjt/

I'd also suggest resetting your router to factory defaults; please ensure you know all the settings to put back. Viruses can also interfere with the router, preventing your system from being cleaned.
I have a spare new one that I use for this purpose.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40019328
I don't believe he can install any of those on a Surface RT with an ARM processor.
0
 
LVL 69

Expert Comment

by:Merete
ID: 40019363
Thanks serialband I had wondered.

I believe HijackThis is not actually installing, as it is a self-extracting executable.
I just extract it to the same folder as the zip in my downloads.
Can't say about ESET; it downloads the latest virus database so it can be run offline.
If it is Surface pro, does it support them?
The point is, no security software can protect when the user clicks on potential malware, and you have to run a scan while they are active.
Installs hack tools lol?
The fact he gets this warning indicates those pages have privacy threats and other bad stuff on them and he is getting flagged. So his security is just telling him it found some potential.
If I may
Here is the user guide
Surface 2 User Guide
With Windows RT 8.1 Software
http://download.microsoft.com/download/B/D/4/BD44C612-D08E-4586-9345-ACA8AB978BC8/en-us_Surface_2_User_Guide.pdf
scroll to page 90 and see
How can I help protect my Surface from viruses?
Windows RT includes up-to-date virus and malware protection called Windows Defender. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender is always on and can't be turned off.
To manually scan Surface by using Windows Defender, see How do I find and remove a virus? on Windows.com.
http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus

Notes:
If you're using Windows 8.1, you can run a scanner or antimalware app provided by another company if you prefer.
To keep your PC running smoothly, you should only install and run one antimalware app at a time.
If you're using Windows RT 8.1, Windows Defender is always on and can't be turned off.
Hope that helps.
Regards Merete
0
 
LVL 27

Expert Comment

by:serialband
ID: 40020109
It's an ARM processor.  You can't run binaries designed for x86 or x64.  Unless they've specifically compiled for ARM, the installer or binary executable won't run.

Tracker protection is available on Surface RT and installing/enabling easylist is likely the only choice available to reduce attacks for the moment.
0
 
LVL 9

Author Closing Comment

by:Christopher Jay Wolff
ID: 40020238
Yes, Marsilies and Serialband are correct, although it will take time for me to prove out EasyList and master the use of Event Viewer for apps and system issues.  I found Malwarebytes interesting because of their leading position in the industry and sent an email request to port their product to arm.  Maybe enough votes like that will get them to do it some day.  Great stuff people!!  I hope the point spread is alright.  Thank you all.
0
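The author's question 4 (what intelligence can be gathered if it happens again) and the closing comment's mention of Event Viewer both point at the same thing: a timeline of what Windows logged around the moment the fake alert appeared. The PowerShell script below is an added example, not code from the original thread. It assumes Windows 8.x / RT with Windows PowerShell 3 or later; the log name Microsoft-Windows-Windows Defender/Operational, Defender event IDs 1116 (threat detected) and 1117 (action taken), and Service Control Manager event 7036 (service state change) are the standard Windows identifiers, and the time window is a constructed default.

```powershell
# Added example: collect what Windows logged around the time a hijack page was seen.
# Run from an elevated Windows PowerShell prompt shortly after the event.
param(
    [datetime]$When = (Get-Date),   # time the fake alert appeared (assumption: now)
    [int]$WindowMinutes = 15        # look this many minutes either side of $When
)
$start = $When.AddMinutes(-$WindowMinutes)
$end   = $When.AddMinutes($WindowMinutes)

# 1. Windows Defender detections: 1116 = threat detected, 1117 = action taken.
#    On RT, Defender is the only scanner, so this is the first place a real hit would show.
$defender = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# 2. Critical/error/warning entries from System and Application (browser crashes, etc.).
$general = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# 3. Service state changes (7036) from the Service Control Manager, so any service
#    that started or stopped in the window (NAP agent included) is visible.
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue

# Merge, order by time and keep only the first line of each message for readability.
$timeline = @($defender) + @($general) + @($scm) |
    Where-Object { $_ } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }

$timeline | Format-Table -AutoSize -Wrap

# Keep the timeline next to the screenshot: a CSV is easier to post and compare than a picture.
$timeline | Export-Csv -Path "$env:USERPROFILE\Desktop\hijack-timeline.csv" -NoTypeInformation
```

An empty Defender section with nothing unusual in System or Application is itself useful intelligence: it supports the thread's conclusion that this is a web page hijack happening inside the browser tab rather than anything that touched the OS.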
