Author Topic: New virus,or new Windows "feature"  (Read 3820 times)

0 Members and 1 Guest are viewing this topic.

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
New virus,or new Windows "feature"
« on: March 25, 2017, 10:30:40 am »
I can't be the only one that has recently been hit with a locked Firefox screen and the message my browser had been hacked,all my credit card and financial information was at risk,and that I needed to call a number to contact Microsoft to clear it up.

Since I didn't just fall off the turnip truck,I immediately hit con-alt-delete to close the browser,and started running Zone Alarm Pro. Or trying to. Couldn't update ZA until I used the ZA "PC Tune Up" feature. That eliminated 14 files of unknown size,but didn't identify them as viruses.

I then wen to control panel and removed Mozilla from my system,ran a virus check again,and then rebooted. IE booted up right away with zero problems,other than I never use it and had no saved bookmarks there. Used IE to download Mozilla again,checked the download for viruses and found it to be virus-free,so I downloaded and installed it.

The "SKY IS FALLING,RUN FOR  YOUR LIFE!" web page immediately popped up again,but this time I was able to close it,and when I did,the web pages I had open in Mozilla when the panic alert first showed up were restored,and so were all my bookmarks.

This all started when I clicked on a photo link on a old car board I have been visiting ever since I got my first computer. That page was back up again also,and the first thing I did was make sure I closed that one without clicking on that photo link to Facebook again.

Was this a virus attached to that facebook link,or an attempt by MS to force Windows users to use their browser?
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Oceander

  • Guest
Re: New virus,or new Windows "feature"
« Reply #1 on: March 26, 2017, 10:16:21 am »
Whatever else MS might do, they wouldn't do something like that. 

Offline Blizzardnh

  • Hero Member
  • *****
  • Posts: 451
  • Gender: Male
Re: New virus,or new Windows "feature"
« Reply #2 on: March 26, 2017, 10:25:35 am »
I can't be the only one that has recently been hit with a locked Firefox screen and the message my browser had been hacked,all my credit card and financial information was at risk,and that I needed to call a number to contact Microsoft to clear it up.

Since I didn't just fall off the turnip truck,I immediately hit con-alt-delete to close the browser,and started running Zone Alarm Pro. Or trying to. Couldn't update ZA until I used the ZA "PC Tune Up" feature. That eliminated 14 files of unknown size,but didn't identify them as viruses.

I then wen to control panel and removed Mozilla from my system,ran a virus check again,and then rebooted. IE booted up right away with zero problems,other than I never use it and had no saved bookmarks there. Used IE to download Mozilla again,checked the download for viruses and found it to be virus-free,so I downloaded and installed it.

The "SKY IS FALLING,RUN FOR  YOUR LIFE!" web page immediately popped up again,but this time I was able to close it,and when I did,the web pages I had open in Mozilla when the panic alert first showed up were restored,and so were all my bookmarks.

This all started when I clicked on a photo link on a old car board I have been visiting ever since I got my first computer. That page was back up again also,and the first thing I did was make sure I closed that one without clicking on that photo link to Facebook again.

Was this a virus attached to that facebook link,or an attempt by MS to force Windows users to use their browser?
My mother called last weekend with exact same problem , and she's always on F B . I told her to just unplug the the computer and try again , and it was fine , I think she uses chrome.

Offline EC

  • Shanghaied Editor
  • Hero Member
  • *****
  • Posts: 10,869
  • Gender: Male
  • Cats rule. Dogs drool.
Re: New virus,or new Windows "feature"
« Reply #3 on: March 26, 2017, 10:26:05 am »
If it disabled ZA updating, it's a worm. Looks like you got hit by the new ransomware thing going around. Bet you any money the number was not Microsofts. If you still have a note of the number, send it along to your local bunco squad.
The universe doesn't hate you. Unless your name is Tsutomu Yamaguchi

Avatar courtesy of Oceander

I've got a website now: Smoke and Ink

Offline endicom

  • Hero Member
  • *****
  • Posts: 5,620
Re: New virus,or new Windows "feature"
« Reply #4 on: March 26, 2017, 10:38:31 am »
If it disabled ZA updating, it's a worm. Looks like you got hit by the new ransomware thing going around. Bet you any money the number was not Microsofts. If you still have a note of the number, send it along to your local bunco squad.


@sneakypete

Report it to Facebook. That might not only spare some other innocent clickers your fate but also alert who can do something about the malefactors.

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
Re: New virus,or new Windows "feature"
« Reply #5 on: March 26, 2017, 10:49:23 am »
If it disabled ZA updating, it's a worm. Looks like you got hit by the new ransomware thing going around. Bet you any money the number was not Microsofts. If you still have a note of the number, send it along to your local bunco squad.

@endicom @EC

All I remember about the number is it was a 866 number. I wasn't about to dial it for any reason,so my prime concern was to get rid of that page and all histories of it.

BTW,I made virtually the same post on the antique car board,and nobody else there that clicked on that link had any problems. It took them directly to the link instead of a random FB page like the one it took me to.

Is it possible the "spoofers" have created FB pages that "time out" and disappear to keep the software guys with pockets deep enough to track them down from finding them?

BTW,in case it wasn't obvious,I use the most recent version of Firefox.
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Offline EC

  • Shanghaied Editor
  • Hero Member
  • *****
  • Posts: 10,869
  • Gender: Male
  • Cats rule. Dogs drool.
Re: New virus,or new Windows "feature"
« Reply #6 on: March 26, 2017, 10:59:14 am »
I'm afraid the limits of my understanding of malware are how to get rid of it (or how to find out how to get rid of it).  :shrug: @roamer_1 might have a few ideas - he sorts out computer systems for a living.

I'd not be surprised though, or a dodgy link that only goes through once every X clicks. That sort of thing seems to be used on malware embedded in ads, from what I've read. Stops the ad being spotted and pulled fast.
The universe doesn't hate you. Unless your name is Tsutomu Yamaguchi

Avatar courtesy of Oceander

I've got a website now: Smoke and Ink

Offline roamer_1

  • Hero Member
  • *****
  • Posts: 36,498
Re: New virus,or new Windows "feature"
« Reply #7 on: March 26, 2017, 11:04:05 am »
Was this a virus attached to that facebook link,or an attempt by MS to force Windows users to use their browser?

@sneakypete

Nah. You got hit with a drive-by.

Go get EmsiSoft's EEK https://www.emsisoft.com/en/software/eek/
Install it (it will install to the root of C: unless you tell it otherwise).
Run it, let it update and do a full scan - It isn't that I don't trust ZA, I don't trust ANY... Not even king Kaspersky. Get a second opinion.

EEK is a great clean-up scanner. Unlike most of them it is perpetually useful, because both the program and the defs are able to be updated. If you are done with it, make sure it is closed, del any shortcuts to it, and del it's folder in C:\, and it s all gone.

If you'd like, I can do a post teaching how to move Firefox's data to a folder local to your user. That way, when you do backup, your FF profile will be backed up too. Makes it a whole lot easier to restore, since mostly, FF gets infected at the user level, and if the main prog gets infected, it has the means onboard to go back to factory, which will fix everything except user level stuff.



« Last Edit: March 26, 2017, 11:13:38 am by roamer_1 »

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
Re: New virus,or new Windows "feature"
« Reply #8 on: March 26, 2017, 11:25:53 am »
@sneakypete

Nah. You got hit with a drive-by.

Quote
Go get EmsiSoft's EEK https://www.emsisoft.com/en/software/eek/
Install it (it will install to the root of C: unless you tell it otherwise).
Run it, let it update and do a full scan - It isn't that I don't trust ZA, I don't trust ANY... Not even king Kaspersky. Get a second opinion.

EEK is a great clean-up scanner. Unlike most of them it is perpetually useful, because both the program and the defs are able to be updated. If you are done with it, make sure it is closed, del any shortcuts to it, and del it's folder in C:\, and it s all gone.

Thank you. I will be doing that this morning.

Quote
If you'd like, I can do a post teaching how to move Firefox's data to a folder local to your user. That way, when you do backup, your FF profile will be backed up too. Makes it a whole lot easier to restore, since mostly, FF gets infected at the user level, and if the main prog gets infected, it has the means onboard to go back to factory, which will fix everything except user level stuff.

That would be a public service that rates it's own dedicated thread. I can't be the only one here this ignorant on this subject.

Please ping me to that thread if you decide to start it.
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Offline roamer_1

  • Hero Member
  • *****
  • Posts: 36,498
Re: New virus,or new Windows "feature"
« Reply #9 on: March 26, 2017, 11:46:12 am »
Thank you. I will be doing that this morning.

@sneakypete

Happy to help.
If EEK says you are clean, and it is still giving you trouble, it is a homepage hijack, or a hidden attribute attack within FF...

If that is true, then you probably know how to change the homepage by yourself... change it to something else, anything else, and close/restart FF. If it comes up clean, you beat it... if no joy, go get Malwarebytes

//END

IF Malwarebytes THEN:

Here: https://www.malwarebytes.com/
or here: http://filehippo.com/download_malwarebytes_3/

Pay attention on install You want the FREE VERSION, and *not* the free trial, which it will try to get you to do. It's all stupid human tricks... sneaky dialog toward the end. Don't 'next' your way through... watch it going in.

Malwarebytes is probably the premiere ad-ware specialist. it handles most things that might hijack or add-on the browser.
Keep it around and run it now and then. Like EEK, it is not going to run in the back ground, and is not taking anything from your machine without manually running it.

To uninstall, follow normal Windows uninstall procedures.

If STILL no joy, Ping me back, and we'll have to work on saving bookmarks, getting a new profile going, and restoring FF to factory.

Quote
That would be a public service that rates it's own dedicated thread. I can't be the only one here this ignorant on this subject.

Please ping me to that thread if you decide to start it.

Be happy to... It will probably be a couple days, unless your current dilemma demands it now. Hopefully you are well before that and we can fix you up slow and easy.

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
Re: New virus,or new Windows "feature"
« Reply #10 on: March 26, 2017, 12:43:32 pm »
Ok,I downloaded and installed the free version of EEK,and ran a scan. It found 1 piece of malware and registered it as two pieces for some reason. It also reported it as being "no risk"

Here is exactly what it reported "Application.InstallDrive(A)  no risk".

My options were to delete it or quarantine it,but there was no "ignore" button. Correct me if I am wrong,but if I quarantine it or delete it,my drive A will be useless.

How can it be malware,and no risk?


BTW,I see no icon on my desktop to click on to run checks. Did I screw up somehow on the installation? Never heard of a security software program without an icon.

Quote
Be happy to... It will probably be a couple days, unless your current dilemma demands it now. Hopefully you are well before that and we can fix you up slow and easy.

Nope,I'm good. I had everything restored before I made the original post. I was  just seeing if there was something I could do to prevent this from happening in the future.

PLEASE ping me when you start the new thread.
« Last Edit: March 26, 2017, 12:49:17 pm by sneakypete »
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Offline roamer_1

  • Hero Member
  • *****
  • Posts: 36,498
Re: New virus,or new Windows "feature"
« Reply #11 on: March 26, 2017, 01:34:20 pm »
Ok,I downloaded and installed the free version of EEK,and ran a scan. It found 1 piece of malware and registered it as two pieces for some reason. It also reported it as being "no risk"

Here is exactly what it reported "Application.InstallDrive(A)  no risk".

My options were to delete it or quarantine it,but there was no "ignore" button. Correct me if I am wrong,but if I quarantine it or delete it,my drive A will be useless.


@sneakypete

You still have a floppy drive???
No, I think all it will do is prevent installations from the floppy... It will still be fine for data transfer. It's a registry hack, so it is fixable. Quarantine, if you want to, and reverse the quarantine if it is problematic.

Quote
How can it be malware,and no risk?[/size]

There are many things that are safety tweaks, that the creator or manufacturer call industry spec, but technically leave a risk vector, or programs that technically are not able to be classified as malware because their installation method gives notice... These programs are called PUPS in the industry. Risk is subjective at that level, because technically, the user approved the action ('wants' it)... It is a distinction in nomenclature.

But none of the above, to include the floppy thing are addressing your current problem - For all intents and purposes , it came up 'clean'. So you don't have a system wide problem - no viral payload was installed. That's what I was worried for.

Quote
BTW,I see no icon on my desktop to click on to run checks. Did I screw up somehow on the installation? Never heard of a security software program without an icon.[/size]

No, I'd say not... They changed their install a while ago to make it more convenient for end users, they probably changed it back the way it was. I really don't know, because once it is installed, it is portable... So I keep a live copy in my machines, and copy it out to my service thumb from there (I don't use the brandy new installation much). In fact,  the copy on my service thumb updates with the rest of everything on it if the thumb finds itself to be plugged in at home (in my server).

Long story short, I dunno directly, but probably not your fault... Keep it in there and run it now and then to keep ZA honest, and be happy. Worst case, next time you'll have a back up AV ready to go if you have trouble.

Quote
Nope,I'm good. I had everything restored before I made the original post. I was  just seeing if there was something I could do to prevent this from happening in the future.

Excellent. Tho I made you jump through hoops for nothing, sounds like. Better safe than sorry.  :shrug:
One last thing: Restart the machine and run FF... If it doesn't come back on the fresh boot, it's fer sure.
Your quick thinking and action has served you well.

 888high58888

Quote
PLEASE ping me when you start the new thread.[/size]

10-4
« Last Edit: March 26, 2017, 01:38:55 pm by roamer_1 »

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
Re: New virus,or new Windows "feature"
« Reply #12 on: March 26, 2017, 05:59:02 pm »
@sneakypete

@roamer_1

Quote
You still have a floppy drive???
No, I think all it will do is prevent installations from the floppy... It will still be fine for data transfer. It's a registry hack, so it is fixable. Quarantine, if you want to, and reverse the quarantine if it is problematic.

No,but I was thinking that MIGHT be a place to hook a removable drive. I actually still have a removable 3-1/2 inch drive from a old Dell laptop.

I still have some games like Doom and Descent on 3-1/2 inch discs,too.


Quote
There are many things that are safety tweaks, that the creator or manufacturer call industry spec, but technically leave a risk vector, or programs that technically are not able to be classified as malware because their installation method gives notice... These programs are called PUPS in the industry. Risk is subjective at that level, because technically, the user approved the action ('wants' it)... It is a distinction in nomenclature.

I also have SpyBot,and when I run it I always get a message that a PUP program wasn't immunized,and asking me if I want to quarantine it. Now  I  have a faint suspicion about what a PUPS program is. What would happen if I delete it? Or should I just quarantine it just in case I need it to be active again later?

THANKS!


Quote
Excellent. Tho I made you jump through hoops for nothing, sounds like.

Nope. I learned something. That's never a waste of time.

Now all I have to do is remember it.


Quote
Better safe than sorry.  :shrug:

Yup! Saves a lot of time,too.

Quote
If it doesn't come back on the fresh boot, it's fer sure.

Already done it. In fact,I did that before I made my post here. Wanted to try to make sure my system was "clean" before posting anywhere.
 
« Last Edit: March 26, 2017, 06:59:43 pm by sneakypete »
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Offline endicom

  • Hero Member
  • *****
  • Posts: 5,620
Re: New virus,or new Windows "feature"
« Reply #13 on: March 26, 2017, 06:04:26 pm »

I also have SpyBot,and when I run it I always get a message that a PUP program wasn't immunized,and asking me if I want to quarantine it. Now  I  have a faint suspicion about what a PUPS program is. What would happen if I delete it? Or should I just quarantine it just in case I need it to be active again later?

THANKS!


https://en.wikipedia.org/wiki/Potentially_unwanted_program

Offline Idiot

  • Hero Member
  • *****
  • Posts: 4,035
Re: New virus,or new Windows "feature"
« Reply #14 on: March 26, 2017, 10:17:32 pm »
I had this exact same problem.  I went to Google...typed in Facebook and a page SIMILAR to the Facebook one popped up....I clicked on it without thinking and this page saying exactly what was posted previously came up.  I immediately turned off the computer and rebooted and all was fine.  This had happened to me twice. 

I guess if I added Facebook to my favorite instead of going through Google, this would stop the problem.

Offline sneakypete

  • Hero Member
  • *****
  • Posts: 33,766
  • Twitter is for Twits
Re: New virus,or new Windows "feature"
« Reply #15 on: March 26, 2017, 11:41:23 pm »


I guess if I added Facebook to my favorite instead of going through Google, this would stop the problem.

@mrpotatohead

Yeah,I don't see me adding FB to my favorites anytime soon. Maybe LEAST favorites,though. I just don't get the format,and can never find anything. I only go there when someone emails me a FB link to something related to antique cars.
Anyone who isn't paranoid in 2021 just isn't thinking clearly!

Offline roamer_1

  • Hero Member
  • *****
  • Posts: 36,498
Re: New virus,or new Windows "feature"
« Reply #16 on: March 27, 2017, 12:41:27 am »
I also have SpyBot,and when I run it I always get a message that a PUP program wasn't immunized,and asking me if I want to quarantine it. Now  I  have a faint suspicion about what a PUPS program is. What would happen if I delete it? Or should I just quarantine it just in case I need it to be active again later?

@sneakypete
Normally they can be uninstalled cleanly using standard Windows procedures - Some of the things that makes something malware by definition are if it installs without authority, piggybacks a surreptitious program without authority, does not provide a means to uninstall, makes itself hard to uninstall, or leaves something behind to operate after uninstall.

If it tells you it's gonna do it and you say OK, if it tells you it is piggybacking another program and you say OK, and providing that it uninstalls cleanly if you want it to, then you are considered informed and accepting, and able to correct your decision if you change your mind. So while the program is doing what malware does, you've been informed, so it is not technically doing anything behind your back - Such is the description of a PUP. It does things which you shouldn't want it to do, but you said you wanted it to do them...

As a general rule PUPS provide a base for advertising within the program, or provide advertisers with tracking information per your usage, or per your usage of other common apps (browsers as the main instance)

PopCap Games are/were a pretty good example of a PUP. The games were given away freely, but unless you bought their upscale product, they provided advertising space within the game, and tracked users in order to sell tracking info to advertisers. But their installation plainly informed the user of their intention, and providing that the PopCap platform (not individual games) was uninstalled, there was a total removal of all tracking and etc.

To answer your question directly, you can research any identified pup to see why it is considered a pup... If all it is is a shady advertising platform for their partners, you might choose to keep the program... but if it is tracking, I would uninstall it, and find a replacement if that is possible. 

Personally, if something is considered a PUP, I won't put up with it. No software is beyond replacement.

YMMV
« Last Edit: March 27, 2017, 12:41:56 am by roamer_1 »

geronl

  • Guest
Re: New virus,or new Windows "feature"
« Reply #17 on: March 27, 2017, 12:54:21 am »
Was this a virus attached to that facebook link,or an attempt by MS to force Windows users to use their browser?

Microsoft isn't that smart.

The virus/trojan/ransomware thing is most likely independent of the site it popped up on.