
Fake Virus Scanner Websites


7 replies to this topic

#1 Katrex

Katrex

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 06 September 2009 - 05:52 AM

Hello everyone.

This section of the forum seemed most appropriate, but the one for discussion on protection seems to be equally good.. feel free to move if it is in the wrong spot.

I hope I can explain this clearly... The websites I'm talking about are the ones that you get directed to (either by a mis-click or ads on some websites redirecting you), and it pops up that little blue box with the [x] in the top right corner and has "Ok" and "Cancel," with the content of the message usually being something like "Your computer is INFECTED. Download x now to scan your computer and ensure it is clean!" And after getting rid of that, it goes to a page where it shows like a fake scanner thing scanning your system and finding all these viruses and usually has like "Click here to download this to fix these!"

They're usually named something like:

h t t p://antivirus-fast-scan02 DOT COM/1/?sess=bunch of random characters (one I just ran into while browsing threads on a forum)
h t t p://onlinepro-antivirus-scanner DOT COM/1/?sess=bunch of random characters

Anyways.

Every time I run into one of these things, I end up panicking. I click the little [X] to close the box, then I immediately close Firefox. I update the various protection programs I use, and proceed to scan with them (as well as with Kaspersky's online scanner.) I can't recall a time where it didn't come up clean, but - still. This usually means I simply cannot use my computer for several hours (give or take me passing out... ) and is kinda frustrating when I need to use the computer for something.

As you can probably guess.. I just ran into one. I'm looking for some answers, but am a bit too on edge to really want to try and find something about them through Google so I figured this would be the best (and safest) site with which to get some answers.

Questions
Am I worrying too much about these kind of sites?

Are they anything to really panic about as long as I get them off my browser quickly and do not click anything saying "click here to download"?

Should I continue to do a full virus scan (with everything) after encountering one? Do I need to? Recommended anyway?

Should I CTRL+ALT+DEL and kill the Firefox.exe process instead of clicking the [x] and then closing Firefox? It's one of those boxes that you need to get rid of before you can do anything else in the browser.

I swear I had more questions, but I can think of no others. If you have any other information you can provide, it'd be appreciated.

System: Windows Vista Home Premium 64-Bit; Service Pack 2.
Browser: Firefox 3.5.2


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:11:26 PM

Posted 06 September 2009 - 09:33 AM

Am I worrying too much about these kind of sites?
No, it is a cause for concern

Are they anything to really panic about as long as I get them off my browser quickly and do not click anything saying "click here to download"?
I would scan right away

Should I continue to do a full virus scan (with everything) after encountering one? Do I need to? Recommended anyway?
Yes, besides your AV, Superantispyware and Malwarebytes would help

Should I CTRL+ALT+DEL and kill the Firefox.exe process instead of clicking the [x] and then closing Firefox? It's one of those boxes that you need to get rid of before you can do anything else in the browser.
That works. Some firewalls have a panic mode that shuts down all traffic

Edited by garmanma, 06 September 2009 - 09:34 AM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Bambo

Bambo

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denmark
  • Local time:05:26 AM

Posted 06 September 2009 - 01:56 PM

They don't do anything unless you execute the offered download. One of the reasons you can't run a file so easily in Firefox, not without an extension fixing the "problem".

What worries me is you say this happens more than once. How so? I know there are sites listing these but have never seen one just popping up, out of nowhere. Where they come from of course - Tinyurls from twitters, chats and such but still. Maybe you need to change browser pattern? or complain to a chat, irc channel or whatever? I think most places with some control and lesson learned wisdom remove any link posted without permission. Even autokick user. If in a hopeless environment change it. Since on Firefox you could install extension or userscript revealing actual address of a tinyurl type link. I don't use it but took 30 secs to find this http://www.longurlplease.com/ find more at add-on site. 73 services and counting. A Greasemonkey script or 2 do the same.

After you install and set up WOT http://www.mywot.com/ how easy is it to get to these sites? As your post also screams of trick about infection-sites is to make user click like crazy because scared! If scared and dumb, drunk or very new to internet chances of bingo are not so bad. Scanners have big problems, Kaspersky should never let you enter. They do get caught but then Malware makers just change files a bit and back to square one. Http scanners for "safe" browsing often useless. I found it fun to test downloads for a couple of weeks, soon got tired of submitting files to AV maker. Why not just block the damn domain and get it over with? Their way of thinking, resources must be targeted towards files/code examination, or they are just lazy - but why WOT :thumbsup: Problem is here to stay. Check out site and settings to understand how it works (especially browser plugin). There are similar free tools from AVG and McAfee SiteAdvisor. A few others I guess. I only mention to be polite.

WOT seems to be racing towards stardom but who says it is worth anything in 6 months time. If submitting and voting system breaks WOT becomes a mess fast. I have the feeling some (desperate) AV companies might be lurking with fat wallets - for now they have "partnership" with Panda. Keep an eye on this area if you install and approve. If you like to be kept on your toes and use Twitter, follow them there http://twitter.com/Web_of_Trust Seems like they are zzzz now but usually frequent tweets on disasters/risks/safe computing and such. Some look at us going! but not too much.

Btw, WOT blocks much more than just fake scanner sites. This summer there was a fake Adobe site suggesting Flash upgrade. I downloaded, sent it to VirusTotal. None of the 30 something AVs detected it - was blocked by WOT. Such stories are not hard to find. Speed of updating is difference. Also it takes care of the big area where scanners fail completely, for example crap products which you don't want to go near. Can be anything, there are obvious and not so obvious scams all over. If you see something in RED you most likely want to avoid, in Yellow you want to check things out one more time. Basically how it works but much is up to you - see plugin settings.

Edited by Bambo, 06 September 2009 - 02:21 PM.


#4 Katrex

Katrex
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 07 September 2009 - 09:02 AM

This is the sort of websites I've run into each time. In the event I wasn't clear. I didn't think of just getting a youtube video to show what I meant. xD

The little box he shows at the start (with "This page at http://.. " in the title) and Ok/Cancel is the one I was talking about clicking the little [X] for (in the video, the guy says he's going to click Ok, but then clicks cancel to see what happens). Then I close Firefox. I never see it finish (and pop up that "Infections found!" message) and NEVER download nor execute anything. I'm not totally dumb! Just very paranoid. ;p

I'm sure you all were able to figure it out anyway, but - just to be sure. ;]

@garmanma
Thanks for the topic move. I guess of the two places I saw, I picked the wrong one. That's a 50/50 for you!

At present, I scan with the following: AVG 8.5, Ad-Aware, Spybot S&D, Malwarebytes, SUPERAntiSpyware, Windows Defender (after I update, I always go offline to do these scans) and when I get back online after they're finished - I give Kaspersky's online scanner a go.

Thus far, everything has come up clean. :] Just about to give Kaspersky a check.

@Bambo:
I never execute anything. I just click the [x] to close the initial box-thing, then immediately exit Firefox. I was thinking maybe using CTRL+ALT+DEL to kill the Firefox.exe process may be better... but it'd also take longer, since Vista pops up a bunch of options when I hit that button combination, and I have to select task manager from that list (no idea how to make it default to task manager)

So far, this year.. I'd say it's happened less than 10 times. The three most recent times were near the end of July, the start of August, and just last night. I'm -fairly- certain there is nothing malicious in my computer, as after the first two I posted in the Am I Infected? forum, which sent me to the Hijack This! logs forum - only for the helper there to tell me I was clean, and there was no infection (I also located some information on the matter myself, see the links below.)

However, this is pretty much the only time where they happened so closely together. The first two are from this website I frequent (as do many others - www.gaiaonline.com) and were the result of an adserver putting in bad ads which redirected to these kinds of websites. They quickly resolved the issue, but not before causing me to worry (and sent me to the Am I infected? forum! xD). You can see two topics from that website here and here. The third (one last night) happened when I went to www.forums.diii.net. I was linked to it by some posters on the gamefaqs (www.gamefaqs.com) message boards, when inquiring about character ideas. After looking at a few topics, I opened up a few more in tabs and that is when I was hit with the redirect. I suspect it is much the same as Gaia - an adserver (since the site did have ads) forcing a redirect.

I'm often paranoid of websites, as I do certain interactions involving money with this Laptop (also the reason I wanted to check for infections, as I mentioned earlier ;]). I try to stay away from anything that even looks suspicious, but this forum had a number of posters and active topics, and it was being linked in several posts on gamefaqs by a number of different people.. so I figured it was okay. And after checking a few topics, I didn't see anything to cause alarm. ;/ Until the popup.

I'm not sure about WOT.. I think I may just go for the NoScript Add-on. Honestly, I'm not sure why I haven't redownloaded this yet... maybe because on my old PC (died Jan 09) it was a bit of a bother. But after these, I think I'm going to go grab it since my old PC was never redirected to these sites, so I suspect it will be all I need to prevent further encounters. I think I reasoned I found it more bothersome than helpful, but naturally.. I never noticed it was doing anything else, because it was doing its job and blocking the bad stuff.

Edited by Katrex, 07 September 2009 - 09:06 AM.


#5 Bambo

Bambo

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denmark
  • Local time:05:26 AM

Posted 07 September 2009 - 09:24 AM

You can only be sure if you have tried WOT. So test and throw it away if you don't like. Be sure to check options in plugin. Is the least intrusive way to clean up social sites I think. Only as good as blocklist of course. A good helper for free. And remember there are many other scams than these silly fake scanner sites. If you are an internet oldie you are not fooled but it is so easy to do stupid things. You have noticed all these IQ-ads all over right? Why are most of them considered red sites in WOT? I actually know people who have given them cell phone number and shock at what they charge - wicked world. Scanner sites are easy to see through once you know. Try go to orbasoft.com - no popup or anything. Investigate who is behind that product, what it was just few months ago (Registry booster/cleaner). This is just as bad as what you have seen, yet much more pleasant to the eye ;).

NoScript is also for you since you mentioned paranoia :thumbsup: I don't like it at all. If you feel "internet" is unsafe then go ahead. Taking off scripting takes out most of these sites.

Also go to add-on site for Firefox - check privacy/security section. NoScript is just a start :flowers: Adblock Plus? I think internet sites should be viewed as intended but I'm a new member of that club. Have blocked for years and years. Ads can definitely be direct links to infections or at least scams. Consider every Google AD suspicious, no matter where you see it. If I had kids on computer adblocking would be a top priority for sure. WOT helps allowing ads or something, but I would still take them out.

Edited by Bambo, 07 September 2009 - 09:53 AM.


#6 RedDawn

RedDawn

  • Members
  • 454 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:26 AM

Posted 07 September 2009 - 12:14 PM

I give Kaspersky's online scanner a go.

Thus far, everything has come up clean. :] Just about to give Kaspersky a check.


I would steer clear of Kaspersky's Online Scanner for the time being as an unspecified vulnerability has been reported, see HERE & HERE.

Two excellent alternatives are F-Secure's and ESET's Online Scanners, both of which offer removal if anything is found - unlike Kaspersky's.


:thumbsup:

#7 tug

tug

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 07 September 2009 - 01:19 PM

I have WoT set to block everything that's not green on all counts, NoScript to only allow those I trust and if you run Firefox I would check the box to warn you if a site is trying to redirect you. That's in options/advanced, and it should stop a page redirecting you unless you want it to, which you might want it to as some legit sites reload and redirect your pages a lot so you get a few warnings about it.

#8 Katrex

Katrex
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 10 September 2009 - 02:32 AM

Thanks to all for the information.

I think I'll use that Firefox option that tug pointed out, as well as NoScript for the time being. With my browsing habits, those two should be more than enough to prevent any further run-ins with these websites especially when they're the result of bad advertisements, or even a misclick or two (though this doesn't happen often for me.)

However, I'll keep WOT in mind for a future, possible download and the ability to look up sites on it is something I will be using for sure. I've also bookmarked those other two scanners.

@RedDawn:
Oh, dang... I didn't see your post until after I ended up running it. @.@ My computer seems fine though, so I guess I'm alright. I'll just be wary of that for the future, and keep an eye on it. The replacement sites are great though.

@tug:
Wow, I totally wasn't aware that Firefox had an option like that. You can be sure I've checked that now and will leave it checked.



