J-selva

System Security Pop-up on doomworld

When I tried to click on one of the topics in this section, one of those scareware rogue anti-virus pop-ups appeared. This scared the crap out of me (not the false message, but the fact that I got this pop-up). Fortunately, I managed to stop it before anything critical happened.

I considered two possibilities:
1) The computer itself has this first part of the infection
2) Perhaps some ads on Doomworld or maybe a vulnerability.

I first tested out 1 by browsing the internet through lots of pages. Nothing happened and it seemed safe. Then I tried 2 by clicking into lots of threads and looking around these forums. Again nothing happened. Now I'm wondering how that pop-up appeared. Did anyone else ever encounter this on the forums?

It happened only once so far, just a few moments ago.

Similarly, on a different site (but a different computer), the same pop-up appeared when I left the computer idle. Like here, it happened only once.

If popups are appearing when your computer is idle, you probably have spyware installed. Run AdAware and check if you've picked anything up.

Are you seriously throwing a fit over a pop-up? Welcome to the Internet, dude, 'nuff said.

It's not just any pop-up that you can close simply by clicking on the x or hitting alt-F4. Do you know much about rogue antivirus pop-ups? If not, they try to look like a genuine system error message and no matter what you click on (yes/no/the x in the corner), it'll open the fake AV site and do much more. Due to the severity of such pop-ups, I am "throwing a fit", like you say, since it appeared on Doomworld forums.

@Fraggle: I tested my own computer to see if anything is wrong and there seems to be nothing (from which it appeared on cpczone). Currently at work, it appeared on doomworld. Like I said, it only happened once, and when:
-On Doomworld, I clicked on a thread
-cpczone, when I left the computer and came back in a little while

What browser are you using? Does it come up only when a browser is active? Is it framed in a browser window that also appears on the taskbar? Can you give focus to the pop-up window? If yes, under what process does it appear to be running? Is it a browser window (nothing to worry about, usually) or a stand-alone process running off iexplore.exe or with a funny name (in which case I'd worry more)?

Some notes here:

  • At least Firefox now doesn't allow "frameless popups" anymore, and all of them have a normal [X] control, respond to ALT+F4 and always have a visible URL bar, so it's not possible to disguise them as genuine system messages anymore. They could still trap the act of closing their window with launching a new one (that can be done with JavaScript).
  • If I recall, older IE versions didn't have the above precautions, so a fake window title and controls could fool most people into starting a ton of nasty things (well...unless you saw Windows controls on SunOS ;-)
  • Even if built-in pop-up suppression is getting better and better, those making money out of popups always come with subtler ways to generate them, even on the latest Firefox. The only way to avoid spontaneous popups would be to disable all active content -which is unrealistic.
  • In the worst possible case you'll have some sort of actual executable spyware installed, although these are often easy to detect -less to remove- but not impossible or format-inducing.

Both cases, it happened with IE8. I'm not exactly sure by when the browser is active, but the browser window was open and displayed the webpage. In the task manager, it appears as another iexplorer.exe and it doesn't appear in the taskbar at the bottom, itself. Maybe an image might be able to explain more than me: http://en.wikipedia.org/wiki/File:Winfixer-message.png It looks like that, except it advertises System Security (and has the XP-style outline).

Also noteworthy is that upon clicking on the thread (DNA Adolf Hitler one), the url box showed that I was redirected to something like madsecuritycenter or madsystemcenter.

What got to me is that in both cases, it was for System Security; separate sites and separate computers.

You should change browsers, I think, as IE is the only browser that ever gave me a virus when I didn't download it myself. I find that IE lets more pop-ups work and works slower than the other browsers I use (Firefox and Opera).

But then again I also had problems with Firefox getting a virus or something where it said the browser was already running when I opened it.

I only had any fake antivirus messages when I got a virus (or whatever it's called) that spawned the message from the taskbar, not a browser (think I got it from a download).

I haven't used IE for a long time, but the window title (which is real?) clearly says that it belongs to IE (an old version too, since it doesn't state that this is a JavaScript dialog. Mozilla does this though), while the rest of the buttons are actually fakes, and clicking anywhere on it will probably start a drive-by download (IE-exclusive vulnerability).

If the popups only appear with IE open, then it's "just" a case of toolbar/plugins hijacking, with all that it brings. If it pops up when it wants... even with no IE window open... then it's a lot more serious, for it means that you have active spyware.

Malinku said:

I only had any fake antivirus messages when I got a virus (or whatever it's called) that spawned the message from the taskbar, not a browser (think I got it from a download).


There's even a whole joke app that simulates a bad virus infection, complete with fake rebooting, automatic formatting etc.

Anyway, talk is cheap: go through the usual drill of

  • Installing an antivirus software that works (Avast is effective and free).
  • Download and burn Avast boot CD that will operate without activating the malware, and thus have a higher chance of removing it than when it's actually active.
  • Installing and running Ad-aware and Spybot-SD.
  • Move to a browser that doesn't suck, and start making a habit of disabling autorun functionality on your drives, holding down shift when inserting USB drives and turn "hide system files" off, so that you can actually see infections coming from USB drives. And open drive letters with RIGHT click and Explore, never by double clicking.

Better have some geeky friend of yours take care of the above and of further steps, because any malware worth its salt is not so easy to remove once installed. However Avast's boot-up scanner may take care of a lot of cases with relative ease.

Oh, right, I must have got it from here and not from animutation then. I had to format my computer a few days back (it needed doing anyway) because it was infected with "supascan2009" or some such crap. I've now got an AVG toolbar installed that's blocked popups well enough so far. I'll have to get an ad-busting HOSTS file again at some point too.

Maes said:

And open drive letters with RIGHT click and Explore, never by double clicking.

A very good habit to get into, but I've noticed that if you disable AutoRun completely in Windows (from TweakUI or something similar), double-clicking will always Explore the drive instead of triggering AutoRun.

Though there are still some rather irritating brands of USB drive, like the Cruzer, which have one partition specifically for their retarded "built in" software.
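An added illustration, not part of any post in this thread: a small Python triage of a USB drive's autorun.inf together with the Windows NoDriveTypeAutoRun policy value, the setting behind the AutoRun advice discussed above. The function names and the sample file are constructed for this example.

```python
# NoDriveTypeAutoRun policy bits: a set bit turns AutoRun off for that drive type.
DRIVE_TYPE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
                   "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}

def autorun_enabled(policy_value, drive_type):
    """True if AutoRun is still allowed for drive_type under this policy value."""
    return not policy_value & DRIVE_TYPE_BITS[drive_type]

def autorun_commands(inf_text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other sections, padding junk
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= / shellexecute= run on AutoRun; shell\<verb>\command defines a
        # context-menu verb for the drive (Open, Explore, ...) that starts a program.
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def triage(inf_text, policy_value, drive_type="removable"):
    """Summarise what a drive's autorun.inf asks for and whether policy allows it."""
    commands = autorun_commands(inf_text)
    return {"autorun_enabled": autorun_enabled(policy_value, drive_type),
            "commands": commands,
            "launches_program": bool(commands)}

# Constructed sample, not taken from a real drive.
SAMPLE_INF = r"""
[AutoRun]
; padding line
icon=folder.ico
open=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
"""

if __name__ == "__main__":
    for policy in (0x91, 0xFF):   # 0x91: removable bit clear, 0xFF: off for all types
        print(hex(policy), triage(SAMPLE_INF, policy))
```

An autorun.inf that defines its own `shell\...\command` entries is worth inspecting before using any context-menu verb on that drive.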
