Bogus Virus Warning - How Did I get to the Webpage?

Roger

This morning I think I had one copy of IE8 running and was on my
my.yahoo.com home page when I got a popup "Message from webpage" that said:

"Warning! Your computer contains various signs of viruses and malware
programs presence. Your system requires immediate anti viruses check!
System Security will perform a quick and free scanning of your PC for
viruses and malicious programs." "OK" "Cancel"

I hit cancel, but was redirected to 94.102.55.9 anyway and a very
convincing virus checker appeared to be running.

I am running Windows 7 and MS System Security Essentials says no
problems found.

My question is - is there any way to be certain where the popup message
or the link to 94.102.55.9 originated? Does the IE history contain
something like a referrer link that I can access?

Once the popup message appeared, I was unable to do a view source or run
any of the IE debuggers on the parent page. Is there any way to
investigate the source of the popup when it is on my screen?

Roger
Leonard Grey

Even if you could find out who served the pop-up, it probably won't be
there in a few hours.

If you regularly see that phony warning on the same web page (or
domain), /stop visiting that web page or domain/ and inform the
webmaster that their page has been hacked. You can also inform Microsoft
(or Mozilla as the case may be) to consider that page or domain for
their phishing filters.

Do /not/ attempt to learn anything about that bogus pop-up; there's
nothing you can do about it and your attempts may end up installing
malware on your computer.

When you see one of those things, the safest way to dismiss it is via
Task Manager > End Task.
---
Leonard Grey
Errare humanum est

Roger wrote:
> This morning I think I had one copy of IE8 running and was on my
> my.yahoo.com home page when I got a popup "Message from webpage" that said:
>
> "Warning! Your computer contains various signs of viruses and malware
> programs presence. Your system requires immediate anti viruses check!
> System Security will perform a quick and free scanning of your PC for
> viruses and malicious programs." "OK" "Cancel"
>
> I hit cancel, but was redirected to 94.102.55.9 anyway and a very
> convincing virus checker appeared to be running.
>
> I am running Windows 7 and MS System Security Essentials says no
> problems found.
>
> My question is - is there any way to be certain where the popup message
> or the link to 94.102.55.9 originated? Does the IE history contain
> something like a referrer link that I can access?
>
> Once the popup message appeared, I was unable to do a view source or run
> any of the IE debuggers on the parent page. Is there any way to
> investigate the source of the popup when it is on my screen?
>
> Roger
VanguardLH

Roger wrote:

> This morning I think I had one copy of IE8 running and was on my
> my.yahoo.com home page


Which means you have no control over the content in that web page or the 3rd
party content that shows up in Yahoo's page, and we wouldn't know what was
there anyway since you're asking about a customized version of Yahoo's web
page.

> when I got a popup "Message from webpage"


Since Yahoo doesn't regulate the 3rd party content then some other site
could have used a script to load another web page (to run the script that
presents what you saw). That would make it appear that Yahoo doesn't
restrict what HTML can be used to display 3rd party content that they
channel through their web pages.

> that said:
>
> "Warning! Your computer contains various signs of viruses and malware
> programs presence. Your system requires immediate anti viruses check!
> System Security will perform a quick and free scanning of your PC for
> viruses and malicious programs." "OK" "Cancel"
>
> I hit cancel, but was redirected to 94.102.55.9 anyway and a very
> convincing virus checker appeared to be running.


The OK button is another script that opens the new web page.

> I am running Windows 7 and MS System Security Essentials says no
> problems found.


And there is no problem. A picture of a gun shooting your computer doesn't
actually damage your real computer. A web page showing a bogus scanner is
just text, graphics, animation, and scripts as would occur for any other web
site. It's just a presentation. Not until YOU decide to download their
software would you get infected with malware or rogueware.

> My question is - is there anyway to be certain where the popup message
> or the link to 94.102.55.9 originated?


It originated from something being rendered from your customized version of
Yahoo's web page. Contact Yahoo about their ineffectiveness in restricting
their 3rd party content from running scripts.

> Does the IE history contain
> something like a referrer link that I can access?


It will show the Yahoo page and the page you got moved to. It won't show
where the 3rd party content originated in the Yahoo page. If it did,
imagine how useless the history list would become. You would visit one site
but your history would get populated with every domain for all 3rd party
content, and because there are ads then they rotate between different
domains and further increase the list of source domains. History shows what
you visited, not where all the sources for each page you load came from.

> Once the popup message appeared, I was unable to do a view source or run
> any of the IE debuggers on the parent page. Is there any way to
> investigate the source of the popup when it is on my screen?


Fiddler2 might work but you probably need to have it running before the
popup appeared. You're going down a dead path, anyway. You think that
malicious site still exists? Most malware proliferating sites disappear in
1 to 4 hours. http://94.102.55.9 doesn't respond now.

There is no reverse DNS lookup on 94.102.55.9. That IP is allocated to
NL-ECATEL, Netherlands, who then temporarily assigns it to one of their
users (which could be a freebie trial account and no way to trace the actual
customer or an infected user host). You could bitch to Ecatel
(use@ecatel.net) but they won't care about a single complaint from a user,
especially one that isn't their own customer. You said you left IE running
and then many hours later incurred the bogus AV scan so it was already too
late to report to the IP owner, to Google, to Websense, to Microsoft via the
SmartScreen report, or anywhere else that lets users report malicious sites.
You were way too late to report the site.
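As an added example (not code from this thread, and not part of Fiddler), the following Python sketch shows what VanguardLH's point about needing the proxy running *before* the popup actually buys a defender: with a capture already being recorded, you can walk the redirect and Referer chain back from 94.102.55.9 to the third-party script that launched it, and contrast that with the two entries browser history alone would keep. Only my.yahoo.com and 94.102.55.9 come from the thread; the capture records, the record layout, and every other host and path are constructed for illustration.

```python
"""Trace a scareware redirect back to its source from a proxy capture.

Added example, not code from this thread or from Fiddler. A capture taken by
a local proxy that was already running is modelled as a list of request
records. Only my.yahoo.com and 94.102.55.9 come from the thread; every other
host, path and record value below is constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed capture, in request order. Fields:
#   url       - requested URL
#   referer   - Referer header the browser sent (None for a typed/bookmarked page)
#   status    - HTTP status of the response
#   location  - Location header of a redirect response, else None
#   top_level - True when the request navigated the browser window itself
CAPTURE = [
    {"url": "http://my.yahoo.com/", "referer": None,
     "status": 200, "location": None, "top_level": True},
    {"url": "http://ads.example-adnetwork.net/serve.js",
     "referer": "http://my.yahoo.com/",
     "status": 200, "location": None, "top_level": False},
    {"url": "http://rotator.example-adnetwork.net/click?id=123",
     "referer": "http://ads.example-adnetwork.net/serve.js",
     "status": 302, "location": "http://94.102.55.9/scan.php", "top_level": True},
    {"url": "http://94.102.55.9/scan.php",
     "referer": "http://ads.example-adnetwork.net/serve.js",
     "status": 200, "location": None, "top_level": True},
    {"url": "http://94.102.55.9/scanner.gif",
     "referer": "http://94.102.55.9/scan.php",
     "status": 200, "location": None, "top_level": False},
]


def host_of(url):
    """Lowercase host part of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def predecessor(capture, i):
    """Index of the request that led to capture[i], or None.

    A redirect response whose Location is this URL wins over the Referer,
    because the Referer of a redirected request is inherited from the
    request that was redirected, not from the redirecting response.
    """
    rec = capture[i]
    for j in range(i - 1, -1, -1):
        if capture[j]["location"] == rec["url"]:
            return j
    if rec["referer"] is None:
        return None
    for j in range(i - 1, -1, -1):
        if capture[j]["url"] == rec["referer"]:
            return j
    return None


def trace_origin(capture, target_host):
    """URLs from the first-party page down to the first request for target_host."""
    start = next((i for i, r in enumerate(capture)
                  if host_of(r["url"]) == target_host), None)
    if start is None:
        return []
    chain, seen, i = [], set(), start
    while i is not None and i not in seen:   # 'seen' guards against loops
        seen.add(i)
        chain.append(capture[i]["url"])
        i = predecessor(capture, i)
    chain.reverse()
    return chain


def history_view(capture):
    """What browser history keeps: successful top-level navigations only."""
    return [r["url"] for r in capture
            if r["top_level"] and 200 <= r["status"] < 300]


def third_party_hosts(capture, first_party_host):
    """Every host other than the page you visited that served content."""
    return {host_of(r["url"]) for r in capture
            if host_of(r["url"]) != first_party_host}


def ip_literal_navigations(capture):
    """Top-level navigations to a bare IP address: a cheap red flag to alert on."""
    flagged = []
    for r in capture:
        if not r["top_level"]:
            continue
        try:
            ipaddress.ip_address(host_of(r["url"]))
        except ValueError:
            continue
        flagged.append(r["url"])
    return flagged


if __name__ == "__main__":
    print("history would show:", history_view(CAPTURE))
    print("capture traces to:", trace_origin(CAPTURE, "94.102.55.9"))
    print("third parties:", sorted(third_party_hosts(CAPTURE, "my.yahoo.com")))
    print("bare-IP navigations:", ip_literal_navigations(CAPTURE))
```

Run against the constructed capture, `history_view` returns only the Yahoo page and the page the browser was moved to, exactly as VanguardLH describes, while `trace_origin` recovers the full chain through the ad script and its rotator redirect. The chain is only as good as the Referer headers and Location responses the proxy saw, which is why nothing can be reconstructed after the fact from history alone.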
PA Bear [MS MVP]

@Roger:

And if a Norton or McAfee free trial came preinstalled on the Win7 computer
when you bought it, MSE may not have installed properly and therefore may
not be working properly.

Leonard Grey wrote:
> Even if you could find out who served the pop-up, it probably won't be
> there in a few hours.
>
> If you regularly see that phony warning on the same web page (or
> domain), /stop visiting that web page or domain/ and inform the
> webmaster that their page has been hacked. You can also inform Microsoft
> (or Mozilla as the case may be) to consider that page or domain for
> their phishing filters.
>
> Do /not/ attempt to learn anything about that bogus pop-up; there's
> nothing you can do about it and your attempts may end up installing
> malware on your computer.
>
> When you see one of those things, the safest way to dismiss it is via
> Task Manager > End Task.
> ---
> Leonard Grey
> Errare humanum est
>
> Roger wrote:
>> This morning I think I had one copy of IE8 running and was on my
>> my.yahoo.com home page when I got a popup "Message from webpage" that
>> said:
>>
>> "Warning! Your computer contains various signs of viruses and malware
>> programs presence. Your system requires immediate anti viruses check!
>> System Security will perform a quick and free scanning of your PC for
>> viruses and malicious programs." "OK" "Cancel"
>>
>> I hit cancel, but was redirected to 94.102.55.9 anyway and a very
>> convincing virus checker appeared to be running.
>>
>> I am running Windows 7 and MS System Security Essentials says no
>> problems found.
>>
>> My question is - is there any way to be certain where the popup message
>> or the link to 94.102.55.9 originated? Does the IE history contain
>> something like a referrer link that I can access?
>>
>> Once the popup message appeared, I was unable to do a view source or run
>> any of the IE debuggers on the parent page. Is there any way to
>> investigate the source of the popup when it is on my screen?
>>
>> Roger
G. R. Woodring

The site below explains how to use Process Explorer and MalwareBytes'
Anti-Malware to remove the infection, which is frequently recommended in this
newsgroup. You might not yet actually be infected but you should assume you are
until you have completed the tests described.

<http://www.bleepingcomputer.com/virus-removal/remove-system-security>

Clicking _any part_ of a malware pop-up is like saying "Please come in." to a
vampire! :-(

--
G. R. Woodring


Date: 2/19/2010 11:06 AM, Author: Roger Wrote:
> This morning I think I had one copy of IE8 running and was on my
> my.yahoo.com home page when I got a popup "Message from webpage" that said:
>
> "Warning! Your computer contains various signs of viruses and malware
> programs presence. Your system requires immediate anti viruses check!
> System Security will perform a quick and free scanning of your PC for
> viruses and malicious programs." "OK" "Cancel"
>
> I hit cancel, but was redirected to 94.102.55.9 anyway and a very
> convincing virus checker appeared to be running.
>
> I am running Windows 7 and MS System Security Essentials says no
> problems found.
>
> My question is - is there any way to be certain where the popup message
> or the link to 94.102.55.9 originated? Does the IE history contain
> something like a referrer link that I can access?
>
> Once the popup message appeared, I was unable to do a view source or run
> any of the IE debuggers on the parent page. Is there any way to
> investigate the source of the popup when it is on my screen?
>
> Roger