From: Olof Lagerkvist on
David Kaye wrote:
> "FromTheRafters"<erratic @nomail.afraid.org> wrote:
>
>> Sometimes you can
>> use taskman to maximize the "alert" and see the address bar, which gives
>> you a numerical IP for further investigation. Clicking anywhere on the
>> displayed 'window' sends you to the site.
>
> Does anybody know if there's a tool out there that can list the processes
> which are displaying icons in the taskbar? Most often there is a taskbar icon
> for some malware and there appears to be no way to isolate it down to which
> process is causing the program to run. This would be extremely helpful to
> have.

I think I see what you are looking for, but, in my experience this would
not give any useful information. In most cases I have seen the taskbar
icons are created by DLL code injected into the explorer.exe process
which means that the owner of the taskbar icons is explorer.exe itself.

> Also, some tool that would display which process has called the Windows system
> notification bubble would also be really good to have. So far I've been
> unable to find any handy tools that do either of these.

Same problem here.

This kind of malware often uses many processes with different
"system-like" names, but for all user-visible things it uses many DLLs with
random names attached to, for example, explorer.exe or iexplore.exe.


--
Olof Lagerkvist
From: Geoff on
On Sat, 27 Feb 2010 22:47:55 -0800, "james" <nospam(a)nospam.com> wrote:

>>> Is there a way to prevent this type of pop-up?
>>
>> If it is the one that I am thinking of, it might be coming through an
>> advertisement on the legitimate site. Often, it is not repeatable (when
>> you revisit, maybe a different ad is being served?). Sometimes you can use
>> taskman to maximize the "alert" and see the address bar, which gives you a
>> numerical IP for further investigation. Clicking anywhere on the displayed
>> 'window' sends you to the site.
>>
>> In my case the target was one of the fake AV scan scam sites. I'm guessing
>> it is scripting.
>
>I ran into the same pop-up again, on a separate PC running a different OS
>(Vista) while visiting a different web site (gizmag.com). This time I found
>the warning dialog covering a small IE8 window with the title "My Computer
>Online Scan" and the URL in this IE8 is 217.23.5.233/index.html. It is
>hosted in the neverland. I brought this up in a different newsgroup but for
>the curious, here is the exact text in the dialog:
>
>window title: Message From webpage
>Warning!
>Your computer contains various signs of viruses and malware
>programs presence.
>Your system requires immediate anti viruses check!
>System Security will perform a quick and free scanning of your PC
>for viruses and malicious programs.
>OK Cancel
>
>Perhaps it's a DoubleClick ad that is targeting me based on my internet
>searches. That's why I ran into it twice on two different PCs.
>
>I wish there were a way to block IP addresses by country, since I browse USA web
>sites most of the time. Unfortunately, a country may have hundreds or
>thousands of non-contiguous blocks of IP addresses assigned. Whoever is assigning IP
>addresses is doing a poor job.

The site is in the Netherlands.

This is becoming typical behavior for malware sites now. They hide the
IE windows so you can't report it as a phishing site and they start
the process of depositing the malware payloads.

They use an IP address because normal domain blocking or hosts file
redirection to loopback doesn't work.

Add 217.23.5.233/index.html to your Restricted sites list in Internet
Properties, Security tab. This will prevent IE from running content
from that IP address. Allowing it to continue produces a series of
fake malware reports.

One practice I find very stupid on Microsoft's part is that the IE8
Security Screen submission form doesn't allow users to report a site
like this. You have to VISIT the site to report it as malicious,
therefore you are exposed to the threat just to report it. Idiotic.
This is why the malware sites close the IE windows and reduce you to
the popup.

Block that IP address, kill all IE instances, update your A-V and
conduct a deep scan to establish relative cleanliness. Then head for
the showers. I know I will after dealing with this creepy thing.
From: David Kaye on
Olof Lagerkvist <sorry(a)no.mail> wrote:

>I think I see what you are looking for, but, in my experience this would
>not give any useful information. In most cases I have seen the taskbar
>icons are created by DLL code injected into the explorer.exe process
>which means that the owner of the taskbar icons is explorer.exe itself.

However, in nearly every case, explorer.exe itself wasn't altered, but
something took control of it, and when I found that process I was able to
get rid of the problem.

Now, one useful tool I've used is PrcView, which allows me to look at every
DLL called within every process (though one process at a time). All I need to
do is sort by date (by latest then by earliest) to find the culprit -- in most
cases. I find that the processes most likely to be bugged are explorer,
winlogon, and lsass. But the problem is that I can't find the culprit at all.
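An added example (not from the thread) that reproduces the PrcView routine described above in PowerShell: it lists the DLLs loaded into explorer, winlogon and lsass, newest file first, and flags modules that are not validly signed or that load from outside the Windows directory. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread: a PowerShell take on the PrcView routine
# described above. Lists the DLLs loaded into the processes the post names as
# common injection targets, newest file first, and flags modules that are not
# validly signed or that load from outside %SystemRoot%. Run elevated, or the
# winlogon and lsass module lists cannot be read.
$targets = 'explorer', 'winlogon', 'lsass'
$windir  = $env:SystemRoot

$report = foreach ($proc in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
    try { $modules = $proc.Modules } catch {
        Write-Warning "Cannot list modules of $($proc.ProcessName) (PID $($proc.Id)); run elevated"
        $modules = @()
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        # On older Windows, Get-AuthenticodeSignature does not check catalog
        # signatures, so genuine OS files can show NotSigned; treat it as a hint.
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = "$($proc.ProcessName):$($proc.Id)"
            Module    = $m.ModuleName
            Written   = if ($file) { $file.LastWriteTime } else { $null }
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            # Outside %SystemRoot% or not validly signed is worth a closer look.
            Suspect   = ($path -notlike "$windir\*") -or (-not $sig) -or ($sig.Status -ne 'Valid')
            Path      = $path
        }
    }
}

# Same sort as the post: latest first, so a freshly dropped DLL floats to the top.
$report | Sort-Object Written -Descending |
    Format-Table Process, Module, Written, Signature, Suspect, Path -AutoSize

# Just the flagged modules, for a quick look.
$report | Where-Object Suspect | Sort-Object Written -Descending |
    Select-Object Process, Path, Written, Signature
```

A 64-bit PowerShell session sees only a partial module list for 32-bit processes, so run the matching bitness for the process you are checking.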


From: David Kaye on
Geoff <geoff(a)invalid.invalid> wrote:

>Add 217.23.5.233/index.html to your Restricted sites list in Internet
>Properties, Security tab. This will prevent IE from running content
>from that IP address. Allowing it to continue produces a series of
>fake malware reports.

Does anybody have a script for adding malicious sites to the Restricted Sites
list?

From: Geoff on
On Sun, 28 Feb 2010 19:50:12 GMT, sfdavidkaye2(a)yahoo.com (David Kaye)
wrote:

>Geoff <geoff(a)invalid.invalid> wrote:
>
>>Add 217.23.5.233/index.html to your Restricted sites list in Internet
>>Properties, Security tab. This will prevent IE from running content
>>from that IP address. Allowing it to continue produces a series of
>>fake malware reports.
>
>Does anybody have a script for adding malicious sites to the Restricted Sites
>list?

I don't know of one off-hand but do you really want to trust the
content of your restricted sites list to another anonymous program?
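An added example (not from the thread) of the script asked for above: it writes the same ZoneMap registry entries the Internet Properties dialog creates, mapping a host name or IP address to zone 4 (Restricted Sites) for the current user. It assumes PowerShell 3.0 or later and is short enough to read in full before running, which is the answer to Geoff's point about trusting an anonymous program.

```powershell
# Added example, not from the thread: put an IP address or host name into IE's
# Restricted Sites zone (zone 4) by writing the same ZoneMap registry entries
# that Internet Properties > Security > Restricted sites > Sites writes.
param(
    [Parameter(Mandatory = $true)][string]$Site   # e.g. 217.23.5.233 or a host name
)

$zoneMap        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$RestrictedZone = 4

if ($Site -match '^\d{1,3}(\.\d{1,3}){3}$') {
    # IP addresses live under ZoneMap\Ranges\RangeN with a ":Range" string value
    # naming the address and a "*" DWORD giving the zone for every scheme.
    $rangesKey = Join-Path $zoneMap 'Ranges'
    if (-not (Test-Path $rangesKey)) { New-Item -Path $rangesKey -Force | Out-Null }

    # Skip if this address is already mapped.
    $existing = Get-ChildItem $rangesKey | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name ':Range' -ErrorAction SilentlyContinue).':Range' -eq $Site
    }
    if ($existing) { Write-Output "$Site already present in $($existing.PSChildName)"; return }

    # Pick the next free RangeN name.
    $n = 1
    while (Test-Path (Join-Path $rangesKey "Range$n")) { $n++ }
    $key = New-Item -Path (Join-Path $rangesKey "Range$n") -Force
    New-ItemProperty -Path $key.PSPath -Name ':Range' -Value $Site -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key.PSPath -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
} else {
    # Host names live under ZoneMap\Domains\<host>; "*" covers every scheme.
    $key = New-Item -Path (Join-Path $zoneMap "Domains\$Site") -Force
    New-ItemProperty -Path $key.PSPath -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
}
Write-Output "$Site added to Restricted Sites (zone $RestrictedZone)"
```

The zone mapping is per host, so pass 217.23.5.233 rather than 217.23.5.233/index.html; the entry then shows up in the dialog's Restricted sites list and can be removed there.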