
Bogus Virus Warning - How Did I get to the Webpage?

Discussion in 'Internet Explorer' started by Roger, Feb 19, 2010.

  1. Roger

    Roger Flightless Bird

    This morning I think I had one copy of IE8 running and was on my
    my.yahoo.com home page when I got a popup "Message from webpage" that said:

    "Warning! Your computer contains various signs of viruses and malware
    programs presence. Your system requires immediate anti viruses check!
    System Security will perform a quick and free scanning of your PC for
    viruses and malicious programs." "OK" "Cancel"

    I hit cancel, but was redirected to 94.102.55.9 anyway and a very
    convincing virus checker appeared to be running.

    I am running Windows 7 and MS System Security Essentials says no
    problems found.

    My question is - is there any way to be certain where the popup message
    or the link to 94.102.55.9 originated? Does the IE history contain
    something like a referrer link that I can access?

    Once the popup message appeared, I was unable to do a view source or run
    any of the IE debuggers on the parent page. Is there any way to
    investigate the source of the popup when it is on my screen?

    Roger
     
  2. Leonard Grey

    Leonard Grey Flightless Bird

    Even if you could find out who served the pop-up, it probably won't be
    there in a few hours.

    If you regularly see that phony warning on the same web page (or
    domain), /stop visiting that web page or domain/ and inform the
    webmaster that their page has been hacked. You can also inform Microsoft
    (or Mozilla as the case may be) to consider that page or domain for
    their phishing filters.

    Do /not/ attempt to learn anything about that bogus pop-up; there's
    nothing you can do about it and your attempts may end up installing
    malware on your computer.

    When you see one of those things, the safest way to dismiss it is via
    Task Manager > End Task.
    ---
    Leonard Grey
    Errare humanum est

    Roger wrote:
    > This morning I think I had one copy of IE8 running and was on my
    > my.yahoo.com home page when I got a popup "Message from webpage" that said:
    >
    > "Warning! Your computer contains various signs of viruses and malware
    > programs presence. Your system requires immediate anti viruses check!
    > System Security will perform a quick and free scanning of your PC for
    > viruses and malicious programs." "OK" "Cancel"
    >
    > I hit cancel, but was redirected to 94.102.55.9 anyway and a very
    > convincing virus checker appeared to be running.
    >
    > I am running Windows 7 and MS System Security Essentials says no
    > problems found.
    >
    > My question is - is there anyway to be certain where the popup message
    > or the link to 94.102.55.9 originated? Does the IE history contain
    > something like a referrer link that I can access?
    >
    > Once the popup message appeared, I was unable to do a view source or run
    > any of the IE debuggers on the parent page. Is there any way to
    > investigate the source of the popup when it is on my screen?
    >
    > Roger
     
  3. VanguardLH

    VanguardLH Flightless Bird

    Roger wrote:

    > This morning I think I had one copy of IE8 running and was on my
    > my.yahoo.com home page


    Which means you have no control over the content in that web page or the 3rd
    party content that shows up in Yahoo's page, and we wouldn't know what was
    there anyway since you're asking about a customized version of Yahoo's web
    page.

    > when I got a popup "Message from webpage"


    Since Yahoo doesn't regulate the 3rd party content then some other site
    could have used a script to load another web page (to run the script that
    presents what you saw). That would make it appear that Yahoo doesn't
    restrict what HTML can be used to display 3rd party content that they
    channel through their web pages.

    > that said:
    >
    > "Warning! Your computer contains various signs of viruses and malware
    > programs presence. Your system requires immediate anti viruses check!
    > System Security will perform a quick and free scanning of your PC for
    > viruses and malicious programs." "OK" "Cancel"
    >
    > I hit cancel, but was redirected to 94.102.55.9 anyway and a very
    > convincing virus checker appeared to be running.


    The OK button is another script that opens the new web page.

    > I am running Windows 7 and MS System Security Essentials says no
    > problems found.


    And there is no problem. A picture of a gun shooting your computer doesn't
    actually damage your real computer. A web page showing a bogus scanner is
    just text, graphics, animation, and scripts as would occur for any other web
    site. It's just a presentation. Not until YOU decide to download their
    software would you get infected with malware or rogueware.

    > My question is - is there anyway to be certain where the popup message
    > or the link to 94.102.55.9 originated?


    It originated from something being rendered from your customized version of
    Yahoo's web page. Contact Yahoo about their ineffectiveness in restricting
    their 3rd party content from running scripts.

    > Does the IE history contain
    > something like a referrer link that I can access?


    It will show the Yahoo page and the page you got moved to. It won't show
    where the 3rd party content originated in the Yahoo page. If it did,
    imagine how useless the history list would become. You would visit one site
    but your history would get populated with every domain for all 3rd party
    content, and because there are ads then they rotate between different
    domains and further increase the list of source domains. History shows what
    you visited, not where are all the sources for each page you load.

    > Once the popup message appeared, I was unable to do a view source or run
    > any of the IE debuggers on the parent page. Is there any way to
    > investigate the source of the popup when it is on my screen?


    Fiddler2 might work but you probably need to have it running before the
    popup appeared. You're going down a dead path, anyway. You think that
    malicious site still exists? Most malware proliferating sites disappear in
    1 to 4 hours. http://94.102.55.9 doesn't respond now.

    There is no reverse DNS lookup on 94.102.55.9. That IP is allocated to
    NL-ECATEL, Netherlands, who then temporarily assigns it to one of their
    users (which could be a freebie trial account and no way to trace the actual
    customer or an infected user host). You could bitch to Ecatel
    (use@ecatel.net) but they won't care about a single complaint from a user,
    especially one that isn't their own customer. You said you left IE running
    and then many hours later incurred the bogus AV scan so it was already too
    late to report to the IP owner, to Google, to Websense, to Microsoft via the
    SmartScreen report, or anywhere else that lets users report malicious sites.
    You were way too late to report the site.
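
An added example, not part of the thread: the browser history records only the page visited and the page landed on, so tracing where the redirect came from needs a proxy capture that was already running, as the reply above says. The sketch below walks such a capture backwards using both the Referer header and 3xx Location headers; the record layout and the example.* hosts are constructed assumptions, not Fiddler's export format or hosts from the real incident.

```python
from urllib.parse import urlsplit

# Constructed capture in request order; example.* hosts are placeholders.
CAPTURE = [
    {"url": "http://my.yahoo.com/", "referer": None, "status": 200, "location": None},
    {"url": "http://adserver.example.com/pick", "referer": "http://my.yahoo.com/",
     "status": 302, "location": "http://ads.example.net/slot?id=7"},
    {"url": "http://ads.example.net/slot?id=7", "referer": "http://my.yahoo.com/",
     "status": 200, "location": None},
    {"url": "http://cdn.example.org/banner.js", "referer": "http://ads.example.net/slot?id=7",
     "status": 200, "location": None},
    {"url": "http://94.102.55.9/", "referer": "http://ads.example.net/slot?id=7",
     "status": 200, "location": None},
]

def _latest(capture, before, pred):
    """Index of the most recent entry before `before` that matches pred, else None."""
    for i in range(before - 1, -1, -1):
        if pred(capture[i]):
            return i
    return None

def trace_origin(capture, target_host):
    """Return [(url, link), ...] from the first request to target_host back to
    the page that started the chain. `link` says how that URL led to the
    previous item in the list ("referer" or "redirect")."""
    i = next((n for n, e in enumerate(capture)
              if urlsplit(e["url"]).hostname == target_host), None)
    chain, link = [], "target"
    while i is not None:
        entry = capture[i]
        url, ref = entry["url"], entry["referer"]
        chain.append((url, link))
        # A redirected request keeps the original Referer, so a 3xx hop is
        # only visible through the Location header: check that first.
        parent = _latest(capture, i,
                         lambda e: 300 <= e["status"] < 400 and e["location"] == url)
        link = "redirect"
        if parent is None and ref:
            parent = _latest(capture, i, lambda e: e["url"] == ref)
            link = "referer"
            if parent is None:
                # Capture started too late: the chain ends at an unseen URL.
                chain.append((ref, "referer, not in capture"))
        i = parent
    return chain
```

Run against a capture that began after the third-party frame had already loaded (here `CAPTURE[3:]`), the chain stops after one hop at a URL the proxy never saw.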
     
  4. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    @Roger:

    And if a Norton or McAfee free trial came preinstalled on the Win7 computer
    when you bought it, MSE may not have installed properly and therefore may
    not be working properly.

    Leonard Grey wrote:
    > Even if you could find out who served the pop-up, it probably won't be
    > there in a few hours.
    >
    > If you regularly see that phony warning on the same web page (or
    > domain), /stop visiting that web page or domain/ and inform the
    > webmaster that their page has been hacked. You can also inform Microsoft
    > (or Mozilla as the case may be) to consider that page or domain for
    > their phishing filters.
    >
    > Do /not/ attempt to learn anything about that bogus pop-up; there's
    > nothing you can do about it and your attempts may end up installing
    > malware on your computer.
    >
    > When you see one of those things, the safest way to dismiss it is via
    > Task Manager > End Task.
    > ---
    > Leonard Grey
    > Errare humanum est
    >
    > Roger wrote:
    >> This morning I think I had one copy of IE8 running and was on my
    >> my.yahoo.com home page when I got a popup "Message from webpage" that
    >> said:
    >>
    >> "Warning! Your computer contains various signs of viruses and malware
    >> programs presence. Your system requires immediate anti viruses check!
    >> System Security will perform a quick and free scanning of your PC for
    >> viruses and malicious programs." "OK" "Cancel"
    >>
    >> I hit cancel, but was redirected to 94.102.55.9 anyway and a very
    >> convincing virus checker appeared to be running.
    >>
    >> I am running Windows 7 and MS System Security Essentials says no
    >> problems found.
    >>
    >> My question is - is there anyway to be certain where the popup message
    >> or the link to 94.102.55.9 originated? Does the IE history contain
    >> something like a referrer link that I can access?
    >>
    >> Once the popup message appeared, I was unable to do a view source or run
    >> any of the IE debuggers on the parent page. Is there any way to
    >> investigate the source of the popup when it is on my screen?
    >>
    >> Roger
     
  5. G. R. Woodring

    G. R. Woodring Flightless Bird

    The site below explains how to use Process Explorer and MalwareBytes'
    Anti-Malware to remove the infection, which is frequently recommended in this
    newsgroup. You might not yet actually be infected but you should assume you are
    until you have completed the tests described.

    <http://www.bleepingcomputer.com/virus-removal/remove-system-security>

    Clicking _any part_ of a malware pop-up is like saying "Please come in." to a
    vampire! :-(

    --
    G. R. Woodring


    Date: 2/19/2010 11:06 AM, Author: Roger Wrote:
    > This morning I think I had one copy of IE8 running and was on my
    > my.yahoo.com home page when I got a popup "Message from webpage" that said:
    >
    > "Warning! Your computer contains various signs of viruses and malware
    > programs presence. Your system requires immediate anti viruses check!
    > System Security will perform a quick and free scanning of your PC for
    > viruses and malicious programs." "OK" "Cancel"
    >
    > I hit cancel, but was redirected to 94.102.55.9 anyway and a very
    > convincing virus checker appeared to be running.
    >
    > I am running Windows 7 and MS System Security Essentials says no
    > problems found.
    >
    > My question is - is there anyway to be certain where the popup message
    > or the link to 94.102.55.9 originated? Does the IE history contain
    > something like a referrer link that I can access?
    >
    > Once the popup message appeared, I was unable to do a view source or run
    > any of the IE debuggers on the parent page. Is there any way to
    > investigate the source of the popup when it is on my screen?
    >
    > Roger
     
