Christopher Jay Wolff (United States of America) asked:
Internet hack trouble with fake MSE graphic.

Hello.

Here is a graphic that shows up on my screen...
[image: screenshot of the graphic]
This has shown up 2-3 times in the last 10 days while I'm browsing websites with IE 11.  You can see in the full screen grab above, the purported URL from which this is coming.  I'll be browsing a web site and suddenly when I select something, I lose the screen I was on and this takes over my browser window.

There is another dialogue box that comes up on top of this screen that is from the OS somehow.  It is small, and looks very much like what you see when using the MSG.exe command over a network.  It says something like the webpage has discovered a problem and you need to clean your computer immediately.  I think I clicked the dialogue box away, then had to quit IE, if I remember correctly.

Details.
I am running Surface RT so I cannot turn off Windows Update, which means my Windows Defender that is provided with RTs is up to date on virus/malware issues as far as Microsoft knows.  You cannot get MSE for RTs, but the Windows Defender GUI looks just like MSE.  I ran a full scan using Defender just to say I did.  It reported no problems and my system is protected.  My ARM processor is an Nvidia Tegra 3 quad core 1.3 GHz, in Surface RT with Windows 8.1 RT.  In Regedit, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\AllowRemoteRPC is set to 0, and "Allow remote assistance connections" is off in the system control panel.  The Surface RT is on WiFi to an Apple Airport (maybe 7 years old) which is Ethernet connected to a Motorola SB series cable modem (maybe 7 years old) to Comcast.  Under the Security control panel, Firewall and everything is on and OK except for "Network Access Protection Agent", which was not running.  Looking into it, I found it off and set to manual.  I changed it to automatic and started it.  It is on now.


1.  Is it really that easy to send something to a protected system?
2.  Is there a checklist of things to do to close down security issues to prevent this?
3.  Was my off status of the NAP agent how they got to me, or unrelated?
4.  Is there any useful intelligence I can gather if they do it again?
5.  Shouldn't Windows Defender tell me my NAP agent is off?

Any answers or advice would be awesome.  Thank you.

Chris
Christopher Jay Wolff (asker):
Thank you very much everyone for your quick and helpful responses!!  Am checking email on coffee break right now, will be able to look at this late tonight EST and more tomorrow.  I had not heard of web page hijacking before.  And thanks for resubmitting Shaik M. Sajid.

It is the desktop version of IE 11.

So far this exact same thing happened on two different days while on two totally different sites.  First time, I was on msn.com and clicked on a news item to read, and at the bottom of the news article they have those spammy looking links to click on for $9 car insurance and such.  One of those let this happen.  Last night it was my resume site, beyond.com/Christopherjaywolff, and I cannot remember what I was clicking on.  I think it was my resume update info.  However, about 5 minutes prior I had clicked on a banner ad above my resume for some site that wants to help people publish books called AuthorHouse.  They had typos in their ad so I figured when I write my memoirs I might not have them edit it.  Maybe they'll improve by then though.

The thing is there never seems to be any damage done.  Everything seems to work fine with no data loss after I reboot and/or reset Surface power.  No problems detected.  So it seems like a really annoying thing that is just annoying.  Don't want to be gullible though.

More tonight or tomorrow.
It sounds like both times you clicked on, or just loaded, spam links.  You should just block them from loading.  They sometimes insert code that the main sites don't know about unless someone complains.  Browser hijacking is common now that Microsoft has somewhat locked down their systems and made it more difficult to get access.  It's an easier avenue to exploit because some people are quite easily swayed by flashy ads.
I think you got spammed:
> spammy looking links to click on for $9 car insurance and such.  One of those let this happen.

Check your start-up group/programs for any newly installed software.
Look in Uninstall a Program also.
Reset Internet Explorer to default settings.  This will delete everything including your passwords.
Try the ESET online scanner; this is an excellent tool and I get very good results.
http://www.eset.com/au/home/products/online-scanner/

Flash Cookie Cleaner is also a good tool to keep in your itinerary.
http://www.flashcookiecleaner.com/

Can you run HijackThis on your system?
Post back the results.
Install HijackThis to a folder, then extract it inside that folder, run it, do a system scan and save a log.
Post the log back here.
http://sourceforge.net/projects/hjt/

I'd also suggest resetting your router to factory defaults; please ensure you know all the settings to put back.  Viruses can also interfere with the router, preventing your system from being cleaned.
I have a spare new one that I use for this purpose.
I don't believe he can install any of those on a Surface RT with an ARM processor.
Thanks serialband I had wondered.

I believe HijackThis is not actually installing, as it is a self-extracting executable.
I just extract it to the same folder as the zip in my downloads.
Can't say about ESET; it downloads the latest virus database so it can be run offline.
If it is Surface Pro, does it support them?
The point is:
No security software can protect when the user clicks on potential malware, and a scan has to be run while they are active.
Installs hack tools lol?
The fact he gets this warning indicates those pages have privacy threats and other bad stuff on them and he is getting flagged. So his security is just telling him it found some potential.
If I may
Here is the user guide
Surface 2 User Guide
With Windows RT 8.1 Software
http://download.microsoft.com/download/B/D/4/BD44C612-D08E-4586-9345-ACA8AB978BC8/en-us_Surface_2_User_Guide.pdf
scroll to page 90 and see
How can I help protect my Surface from viruses?
Windows RT includes up-to-date virus and malware protection called Windows Defender. This software helps identify and remove viruses, spyware, and other malicious software. Windows Defender is always on and can't be turned off.
To manually scan Surface by using Windows Defender, see How do I find and remove a virus? on Windows.com.
http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus

Notes:
If you're using Windows 8.1, you can run a scanner or antimalware app provided by another company if you prefer.
To keep your PC running smoothly, you should only install and run one antimalware app at a time.
If you're using Windows RT 8.1, Windows Defender is always on and can't be turned off.
Hope that helps.
Regards Merete
It's an ARM processor.  You can't run binaries designed for x86 or x64.  Unless they've specifically compiled for ARM, the installer or binary executable won't run.

Tracking Protection is available on Surface RT and installing/enabling EasyList is likely the only choice available to reduce attacks for the moment.
Yes, Marsilies and Serialband are correct, although it will take time for me to prove out EasyList and master the use of Event Viewer for apps and system issues.  I found Malwarebytes interesting because of their leading position in the industry and sent an email request to port their product to ARM.  Maybe enough votes like that will get them to do it some day.  Great stuff people!!  I hope the point spread is alright.  Thank you all.