The http client (FF 3.6.x) was reported not to close the History panel when
the "close" control was clicked. This just happened after visiting an
attack website that reports to the user that they have a security problem
and does not let the user "navigate away" from the page by pressing "OK" or
"Cancel" dialog window. Other peculiar things were noted for the FF
client. This made me suspect a compromised installation of FF.
Is it known if pressing "OK" on these windows authorizes FF to install
malicious code or to exploit a vulnerability?
Security on this computer is offered by Kaspersky Internet Security 2010,
which according to PC Pitstop report (see URL below) is best on viruses but
worst on spyware. The Lavasoft Ad-Aware is present but not in a monitoring
mode.
<URL:http://techtalk.pcpitstop.com/2010/05/13/the-state-of-pc-security/>
Only if the weird behaviour shows up again next time FF is started.
O'wise, it's just a JS script doing its thing.
> Is it known if pressing "OK" on these windows authorizes FF to install
> malicious code or to exploit a vulnerability? [...]
Don't know, but I wouldn't take any chances. The sites themselves just
download a JavaScript applet that prevents the browser from behaving as
it should. Keep in mind that a browser just does as it's told. If it's
told to "Ignore close window command", that's what it will do.
I suggest clean-up and preventive action. The following will take a
couple of hours or more of your time, so drop hints that your relative
owes you food and entertainment. ;-)
- get Revo or Your Uninstall;
- unplug modem cable;
- restart in safe mode (press F8 and select);
- complete uninstall of FF using Revo or Your Uninstall;
- run all anti-malware software, one at a time. You may want to reboot
into safe mode between scans. (Your relative does have more than one
anti-malware installed, right? If not, download some on _your_ computer,
copy them to a flash-drive, and install from it while in safe mode. Make
sure you get an anti-rootkit program);
- reboot into normal mode;
- reinstall FF (relative will have to rebuild their bookmarks - oh the
humanity! ;-0);
- get NoScript add-on, and teach your relative how to use it. Won't
provide 100% protection, but will reduce odds of malicious infection a
little.
- set his computer for automatic updates, which will ensure that some of
MS's anti-rootkit (etc) runs from time to time.
- teach him about making backups of important data. I know it's probably
a lost cause, but you can say you did your bit.
HTH
wolf k.
This has nothing to do with FF. Your relative's computer is infected
with a virulent virus! The only course of action is to reformat his hard
drive and reinstall Windows and other software.
I have a friend who visits such sites frequently and he runs the paid
version of Malwarebytes' Anti-Malware. His computer has never had such an
infection. Not a scientific conclusion -- just sayin'. :-)
--
Pete Holsberg
Columbus, NJ
ARTIFICIAL INTELLIGENCE IS NO MATCH FOR NATURAL STUPIDITY.
Go offline (File>Work Offline), Esc to clear the popup, then close the
window.
That certainly has been true in the past anyway, particularly with double-click,
but that particular problem I suspect is more likely to have been linked to from
Google search results.
A gif file comes up, you click on it, the link starts a JavaScript showing
you fictitious virus checking and results, and is after your email address, or credit
card number. Suggestions were made for removal, I would add that
one turns off JavaScript until the problem is actually resolved. You may have
to start up in Firefox Safe Mode to turn off JavaScript.
Protection from such sites is to install a hosts file, and the "Adblock Plus" extension,
keeping in mind that the bad guys will always be at least one up on a lot of
people until they get filtered out again with added filters.
You can get a hint of what to block by a name in the pop-up or the url
of the pop-up. I force pop-ups to always show the url bar.
Don't know if these hosts file entries have anything to do with such a problem
but I added them and they are not in the hosts file online.
127.0.0.1 www.avsystemcare.com #rogue antispyware
127.0.0.1 wwwz.websearch.verizon.net #force not found instead of search
127.0.0.1 wwwwz.websearch.verizon.net #force not found instead of search
127.0.0.1 gemoney.co.uk #shows up as visited per about:history
127.0.0.1 www.gemoney.co.uk #shows up as visited per about:history
127.0.0.1 www1.my-system-defender.net #trojan initials match msdn 2010-01-22
127.0.0.1 www1.ondeep-cleanatpc.net #trojan initials match msdn
127.0.0.1 cloudninecatering.net #trojan initials match msdn
127.0.0.1 regnow.com #trojan initials match msdn (implicated)
My sketchy notes from 2009-11-17 for something that might be similar:
remove regcure.exe
removed PC Mighty Max 2009
Move any window purporting to install software to the far edge as far off screen as possible
since you can't close it.
Bring up Task Manager, delete 28414019.exe immediately (don't know
of any valid programs that are all numbers)
Dir 28414019.exe /s
found to exist in
C:\Program data\ and c:\users\all users\28414019\
install & run Spybot Search and Destroy
see removal instructions at spyware.com
http://www.2-spyware.com/remove-security-tool.html
Spyware Doctor is a waste of time: after running it, you are told
what is wrong, but you are told that you have a crippled version
and need to buy Spyware Doctor. Maybe you can search spyware.com
for how to remove anything found.
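As an added example (not code from any of the posters above), here is a small Python checker for the hosts-file approach described in the last post: it parses entries, reports which names are sinkholed, flags duplicates, and also flags any name mapped to a routable address, since a tampered hosts file is itself a common sign of the kind of infection discussed. The sample hosts content is constructed from the entries quoted above plus one made-up redirect entry (update.example.net / 203.0.113.7).

```python
import ipaddress
from collections import Counter
# Constructed sample hosts-file text: the entries quoted in the thread plus
# one hypothetical routable mapping (hostname and address made up) to show
# what a hijacked entry looks like next to a blocking one.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.avsystemcare.com #rogue antispyware
127.0.0.1 gemoney.co.uk #shows up as visited per about:history
127.0.0.1 WWW.gemoney.co.uk
0.0.0.0 regnow.com #trojan initials match msdn (implicated)
127.0.0.1 www.avsystemcare.com   # duplicate entry, on purpose
203.0.113.7 update.example.net   # hypothetical redirect, not a block
"""

# Addresses that make a name unreachable; anything else is a real redirect.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (address, lowercased hostname, comment) tuples, one per hostname."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than guess
        for host in fields[1:]:
            entries.append((addr, host.lower(), comment.strip()))
    return entries

def blocked_hosts(entries):
    """Names sent to a sinkhole address, i.e. blocked the way the post describes."""
    return {h for a, h, _ in entries if a in SINKHOLE and h not in LOCAL_NAMES}

def suspicious_redirects(entries):
    """Names mapped to a routable address: the hosts file is itself a hijack target."""
    return {h: str(a) for a, h, _ in entries if a not in SINKHOLE}

def duplicates(entries):
    counts = Counter(h for _, h, _ in entries)
    return sorted(h for h, n in counts.items() if n > 1)

def is_blocked(entries, hostname):
    return hostname.lower() in blocked_hosts(entries)
```

On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts; read it with open(...).read() and pass the text to parse_hosts.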