pop up suggesting I run a scan?

Windows Security
  #1
Old 27-02-2010
james
pop up suggesting I run a scan?

I was using IE on a web site "wordtwist.org", playing a game, when all of a
sudden the browser disappeared (closed?), replaced by a dialog saying
there was some suspicious activity on my PC and I needed a scan, etc. I did
not touch that dialog.

I disconnected from the internet, then I killed the IE process with task
manager. Everything seemed ok after that.

My question is where did this pop-up come from? Is it from wordtwist.org? It
doesn't seem like a malicious site and I have been using it for weeks
without any problem until today. And if it is from wordtwist.org, how is it
able to close my browser window?

Is there a way to prevent this type of pop-up?
  #2
Old 28-02-2010
MEB
Re: pop up suggesting I run a scan?

Presuming that did not come from your installed AV/anti-malware or some
other protection:

You *may* have run across [as you apparently indicate] one of the
standard methods for malware deployment - fake dialogs/displays to get
you to INSTALL/ALLOW the malicious activity. Forcing a close of a
browser is a relatively simple task, though the below seems to indicate
you may have experienced a "lost focus" and close "window" "hidden"
instance.

What was the EXACT displayed message shown?

That does not necessarily mean you have successfully avoided the
potential hack/malware. The hack and/or its injection stub/exploit may
still exist in your system.

You must enable JAVA, cookies, and allow the Google api to run.
Check through the entire listed sites linked.

http://www.google.com/safebrowsing/d....wordtwist.org

* Does finding that there are no apparent issues reflect that any given
site is clean?

NO/not necessarily.
It means that the methods used to check the site/page were able to
check the ALLOWED or *seemingly* OFFERED activities/aspects within the
site/page.
Malicious activity has included the ability to avoid most detection
using methods such as by hiding the activity using: SSI; probe/site/IP
checking tools/methods and identification of that activity; reliance on
other methods such as pre-fetch and cross-site activities; JAVA and
Flash exploits; timed and/or extended interaction injection; Service
Pack and/or update probing; specific OS and browser related exploits;
and other continually modified methods now being deployed to avoid
detection and produce successful injection/hack.
Check through any of the most prevalent found malware and botnet [in
particular] related activities and you will stumble across the
particular methodologies for deployment PRESENTLY known. The key word is
"presently" [hence why it is capped] as these malicious activities are
constantly being modified.

* What might have caused your issue?

Your issue may involve contacts with other pages PRIOR to that site
{e.g., sites which used JAVA and/or Flash, or opened PDFs, or other
similar}, cached materials from other sites, tabs to other sites opened
in the browser, and/or malicious activity from some method as has been
previously indicated or inferred.

* What should you do?

Scan your computer with your present AV/anti-malware tools AND download
and use another for cross-check. The usual recommendation is to (preferably
using another computer) download a Live/bootable image with single or
multiple AV/anti-malware checking programs, burn it, and use that to
check the problem/target computer. And/OR scan from another computer
in your local network [though that may already be part of the problem or
may potentially infect those other computers], and/OR use one of the
online scanner services.

IF an infection or malware is found, please post back with that exact
information, including: specific malware identified; file(s) found and
location; AV/anti-malware which is available and which was used to
detect and cross check, as many may not be fully detected or be removed
without further review.

* How to avoid or mitigate some of this potential activity?

Check your present settings for DEP and other related settings within your
system and increase whatever protections are available.
For examples see:

Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/uk/athome/s...ng_safety.mspx

How to reduce the risk of online fraud
http://www.microsoft.com/protect/fra...ng/reduce.aspx

A detailed description of the Data Execution Prevention (DEP) feature in
Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and
Windows Server 2003
http://support.microsoft.com/kb/875352

Change Data Execution Prevention settings
http://windows.microsoft.com/en-US/w...ntion-settings

Data Execution Prevention: frequently asked questions
http://windows.microsoft.com/en-US/w...sked-questions

How to Configure Memory Protection in Windows XP SP2
http://technet.microsoft.com/en-us/l.../cc700810.aspx

Change Internet Explorer Security settings
http://windows.microsoft.com/en-US/w...urity-settings

Internet Explorer security zones registry entries for advanced users
http://support.microsoft.com/kb/182569

How to strengthen the security settings for the Local Machine zone in
Internet Explorer
http://support.microsoft.com/kb/833633

Security Tools
http://technet.microsoft.com/en-us/s.../cc297183.aspx

Microsoft Baseline Security Analyzer
http://technet.microsoft.com/en-us/s.../cc184924.aspx

-- * further

Adjust your Internet usage habits to avoid some of the simpler methods
of attacks, such as:

Never use tabbed browser abilities when going to interactive sites and
services and never use instances of browsers where you may have
contacted other sites previously, i.e., use fresh instances. Make sure
you limit stored pages, and remove/delete temporary files from previous
instances of Internet activity.

Make sure you keep updated on/in ALL of your installed applications
INCLUDING your browser, AV/anti-malware, and OS.

Make sure that ActiveX controls and killbits are properly installed/set
correctly.

Make sure to set JAVA and Flash restrictions. Check periodically as
there are methods to reset these via malware.

Limit or remove search bars, and other like browser "enhancements" to
avoid whatever exploitable aspects they might have or bring.

Install, if possible, browser plug-ins which limit and deny JAVA,
Flash, and other scripting activities pending your approval.

Set your browser zone settings to HIGH and further restrict JAVA,
Flash, iframe, redirects, and other activities using your system and
browser management tools.

Avoid, if possible, having an instant message, video, or other similar
applications/instances open when using other interactive services. Make
sure you have done everything possible to restrict activity within those
as well.

Since the above general recommendations aren't likely to be used as
they are not the way most people interact on the Internet today, at
least use SOME of the suggestions and make an effort to set some of the
restrictions. And NEVER use an administrator's account when contacting
the Internet.

NOTE: These should really only be your STARTING points to online
protection and local system security.
  #3
Old 28-02-2010
FromTheRafters
Re: pop up suggesting I run a scan?

If it is the one that I am thinking of, it might be coming through an
advertisement on the legitimate site. Often, it is not repeatable (when
you revisit, maybe a different ad is being served?). Sometimes you can
use taskman to maximize the "alert" and see the address bar, which gives
you a numerical IP for further investigation. Clicking anywhere on the
displayed 'window' sends you to the site.

In my case the target was one of the fake AV scan scam sites. I'm
guessing it is scripting.
  #4
Old 28-02-2010
David Kaye
Re: pop up suggesting I run a scan?

Does anybody know if there's a tool out there that can list the processes
which are displaying icons in the taskbar? Most often there is a taskbar icon
for some malware and there appears to be no way to isolate it down to which
process is causing the program to run. This would be extremely helpful to
have.

Also, some tool that would display which process has called the Windows system
notification bubble would also be really good to have. So far I've been
unable to find any handy tools that do either of these.

Back to the "scan" website: Sometimes Google indexes malware sites along with
legit sites. I think I may have mentioned there a site that had a Shaun White
photo on it. Within about 2 seconds of going to the webpage and seeing the
photo, it was replaced by another page allegedly "scanning" my hard drive for
non-existent malware. My experience has been to click the "go away" button in
the upper right of the window IMMEDIATELY to get rid of it without infection.
If there is no go-away button, then press Alt-F4 to close the window via the
keyboard, and then close the browser.
  #5
Old 28-02-2010
james
Re: pop up suggesting I run a scan?

I ran into the same pop up again, on a separate PC running a different OS
(vista) while visiting a different web site (gizmag.com). This time I found
the warning dialog covering a small IE8 window with the title "My Computer
Online Scan" and the URL in this IE8 is 217.23.5.233/index.html. It is
hosted in the neverland. I brought this up in a different newsgroup but for
the curious, here is the exact text in the dialog:

window title: Message From webpage
Warning!
Your computer contains various signs of viruses and malware
programs presence.
Your system requires immediate anti viruses check!
System Security will perform a quick and free scanning of your PC
for viruses and malicious programs.
OK Cancel

Perhaps it's a DoubleClick ad that is targeting me based on my internet
searches. That's why I ran into it twice on two different PCs.

I wish there were a way to block IP addresses by country, since I browse USA web
sites most of the time. Unfortunately, a country may have hundreds or
thousands of non-contiguous blocks of IPs assigned. Whoever is assigning IP
addresses is doing a poor job.
  #6
Old 28-02-2010
Olof Lagerkvist
Re: pop up suggesting I run a scan?

I think I see what you are looking for, but, in my experience this would
not give any useful information. In most cases I have seen the taskbar
icons are created by DLL code injected into the explorer.exe process
which means that the owner of the taskbar icons is explorer.exe itself.

Same problem here.

This kind of malware often uses many processes with different
"system-like" names, but for all user-visible things many DLLs with
random names attached to, for example, explorer.exe or iexplore.exe.
  #7
Old 28-02-2010
Geoff
Re: pop up suggesting I run a scan?

The site is in the Netherlands.

This is becoming typical behavior for malware sites now. They hide the
IE windows so you can't report it as a phishing site and they start
the process of depositing the malware payloads.

They use an IP address because normal domain blocking or hosts file
redirection to loopback doesn't work.

Add 217.23.5.233/index.html to your Restricted sites list in Internet
Properties, Security tab. This will prevent IE from running content
from that IP address. Allowing it to continue produces a series of
fake malware reports.

One practice I find very stupid on Microsoft's part is that the IE8
Security Screen submission form doesn't allow users to report a site
like this. You have to VISIT the site to report it as malicious,
therefore you are exposed to the threat just to report it. Idiotic.
This is why the malware sites close the IE windows and reduce you to
the popup.

Block that IP address, kill all IE instances, update your A-V and
conduct a deep scan to establish relative cleanliness. Then head for
the showers. I know I will after dealing with this creepy thing.
  #8
Old 01-03-2010
David Kaye
However, in nearly every case, explorer.exe itself wasn't altered, but
something took control of it, and when I've found that process I was able to
get rid of the problem.

Now, one useful tool I've used is PrcView, which allows me to look at every
DLL called within every process (though one process at a time). All I need to
do is sort by date (by latest then by earliest) to find the culprit -- in most
cases. I find that the processes most likely to be bugged are explorer,
winlogon, and lsass. But the problem is that I can't find the culprit at all.

Does anybody have a script for adding malicious sites to the Restricted Sites
list?

I don't know of one off-hand but do you really want to trust the
content of your restricted sites list to another anonymous program?

That's why I asked for a script. I want to look it over first.
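A PowerShell script along the lines of the PrcView workflow David describes, added here as an example (it is not code from the thread, from PrcView, or from any project): it enumerates the DLLs loaded into explorer, winlogon and lsass, orders them by file creation date and shows Authenticode status so a recently dropped or unsigned module stands out. It assumes an elevated PowerShell whose bitness matches the target processes; the function name Get-LoadedModuleReport is chosen here.

```powershell
# Added example, not from the thread: list the DLLs loaded into the processes
# David names as the usual targets, newest file first, with Authenticode status,
# so a recently dropped or unsigned module stands out for triage.
# Assumptions: run as Administrator in a PowerShell whose bitness matches the
# target processes (a 32-bit shell cannot enumerate 64-bit process modules).

function Get-LoadedModuleReport {
    param([string[]]$ProcessName = @('explorer', 'winlogon', 'lsass'))

    foreach ($name in $ProcessName) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            # Protected processes (lsass, winlogon) refuse the handle without admin rights.
            try { $modules = $proc.Modules } catch { Write-Warning "$name ($($proc.Id)): $_"; continue }

            foreach ($m in $modules) {
                $file = Get-Item -LiteralPath $m.FileName -ErrorAction SilentlyContinue
                $sig  = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue

                [pscustomobject]@{
                    Process   = "$name ($($proc.Id))"
                    Module    = $m.ModuleName
                    Created   = if ($file) { $file.CreationTime } else { $null }
                    # On older Windows, catalog-signed system files report NotSigned here,
                    # so treat this column as a triage hint rather than a verdict.
                    SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    InWinDir  = $m.FileName -like "$env:WINDIR\*"
                    Path      = $m.FileName
                }
            }
        }
    }
}

# David's "sort by date" trick: the most recently created module files come first.
Get-LoadedModuleReport |
    Sort-Object -Property Created -Descending |
    Format-Table -AutoSize Process, Module, Created, SigStatus, InWinDir, Path
```

Modules that are both recent and unsigned, or that load from outside the Windows directory with a random-looking name, are the ones worth checking against a second scanner before removal.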
  #9
Old 02-03-2010
MEB
If I may:

I'm not sure of what you hope to achieve with such a script, as
anything you might find and attempt to place may change at any time.
This would appear to not address or ignore the methodology being
employed within these types of attacks. Any given entry found and placed
may not be viable within a matter of hours at the whim of the
controllers, or as pre-defined, or due to a take-over of a legitimate
site, or other common deployment methods.

Moreover, it would appear what you desire would require something more
in-line with advanced intrusion detection services/applications used *in
conjunction with* other methods.

http://www.google.com/search?&q=adva...ws&btnG=Search

I had hoped something like this wouldn't be released [though the
potentials were discussed in several places], it has as of today.
Consider this as an additional Warning, of which you should be aware.

Internet Exploiter 2 – bypassing DEP

"I am releasing this because I feel it helps explain why ASLR+DEP are
not a mitigation to put a lot of faith in, especially on x86 platforms.
32-bits does not provide sufficient address space to randomize memory to
the point where guessing addresses becomes impractical, considering heap
spraying can allow an attacker to allocate memory across a considerable
chunk of the address space and in a highly predictable location."

Make sure you understand the ramifications, and make sure to look for
ways to help mitigate the issues involved. Be forewarned that this exploit
vector will likely be used far more than before...
  #10
Old 02-03-2010
Geoff
I agree, they love to obfuscate their addresses and domains and they
have demonstrated agility at retargeting their links as needed.

This is part of the problem with direct IP addresses as you (David)
found with your popup. If the IP is globally black-holed they simply
compromise another host and redirect their traffic to it.

FWIW, IE8 stores the security ranges in the registry:
HKEY_USERS\S-1-5-21-**********-*********-**********-****\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges

If you want an automated method of preventing access to known bad
sites then you should consider SpyBot S&D, it's still reactive and you
have to do updates manually but it can help against known active
malware sites. Believe it knows how to manipulate these keys.

No need to manually update SpyBot S&D. Just create a .JOB in the Task Scheduler using the
following command line...

"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoupdate /autoclose
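The Restricted Sites script David asked for, as an added example (not code from the thread or from SpyBot S&D): it writes zone-4 entries into the ZoneMap\Ranges and ZoneMap\Domains keys Geoff points to, under HKCU for the current user, and lists what is in zone 4 so the entries can be reviewed before they are trusted. The value layout (a ':Range' string plus a '*' DWORD per RangeN key, and a '*' DWORD per domain key) is assumed from KB182569; the function names are chosen here, and only single IP addresses are handled.

```powershell
# Added example, not from the thread: write an IP address or host name into
# IE's Restricted sites zone (zone 4) via the ZoneMap keys Geoff mentions, and
# list what is in zone 4 so the entries can be reviewed.
# Assumed value layout (KB182569): ':Range' string + '*' DWORD per RangeN key,
# '*' DWORD per Domains\<domain>\<sub> key. Single IPs only, current user only.
$ZoneMap        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneRestricted = 4

function Add-RestrictedHost {
    param([Parameter(Mandatory)][string]$HostName)   # e.g. 'www.badsite.invalid' (placeholder)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Need at least domain.tld: $HostName" }
    # IE keys the registrable domain first, then any sub-domain labels as a child key.
    $key = Join-Path $ZoneMap ('Domains\' + ($labels[-2..-1] -join '.'))
    if ($labels.Count -gt 2) { $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.') }
    $null = New-Item -Path $key -Force
    $null = New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $ZoneRestricted -Force
    $key
}

function Add-RestrictedIP {
    param([Parameter(Mandatory)][string]$IPAddress)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed)) { throw "Not an IP: $IPAddress" }
    $ranges = Join-Path $ZoneMap 'Ranges'
    $null = New-Item -Path $ranges -Force
    # Reuse an existing RangeN entry for this address instead of adding a duplicate.
    foreach ($r in Get-ChildItem -Path $ranges) {
        if ((Get-ItemProperty -Path $r.PSPath).':Range' -eq $IPAddress) { return $r.PSPath }
    }
    $n = 1
    while (Test-Path -Path (Join-Path $ranges "Range$n")) { $n++ }
    $key = Join-Path $ranges "Range$n"
    $null = New-Item -Path $key -Force
    $null = New-ItemProperty -Path $key -Name ':Range' -PropertyType String -Value $IPAddress -Force
    $null = New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $ZoneRestricted -Force
    $key
}

function Get-RestrictedEntries {
    foreach ($r in Get-ChildItem -Path (Join-Path $ZoneMap 'Ranges') -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $r.PSPath
        if ($p.'*' -eq $ZoneRestricted) { [pscustomobject]@{ Kind = 'IP'; Entry = $p.':Range'; Key = $r.Name } }
    }
    foreach ($d in Get-ChildItem -Path (Join-Path $ZoneMap 'Domains') -Recurse -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $d.PSPath
        if ($p.'*' -ne $ZoneRestricted -and $p.http -ne $ZoneRestricted) { continue }
        $bits  = $d.Name.Substring($d.Name.IndexOf('\Domains\') + 9).Split('\')   # 'domain.tld[\sub]'
        $entry = if ($bits.Count -gt 1) { "$($bits[1]).$($bits[0])" } else { $bits[0] }
        [pscustomobject]@{ Kind = 'Domain'; Entry = $entry; Key = $d.Name }
    }
}

# The address james reported in this thread, then the review listing.
$null = Add-RestrictedIP -IPAddress '217.23.5.233'
Get-RestrictedEntries | Format-Table -AutoSize
```

Because the entries live under HKCU, the script must run once per user profile, and, as MEB notes, a list like this goes stale quickly, so it complements rather than replaces an updated scanner.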
  #11
Old 02-03-2010
MEB
Re: pop up suggesting I run a scan?

I would agree as long as there isn't a reliance on *just* these types
of protections, as what this uses are as well known as the
AV/anti-malware's protection schemes/methods, and definitions.

And SpyBot S&D relies upon user input for a large part of its
assignments, which may be dated or changed by the time of update to
include those ranges or IPs to be blocked. Not saying it's not effective,
just the simple reality involved with its usage.
So per usual, the old layered/multi protections still remain viable
while/when attempting to control the activities along with those found
in the system and browser, and other Web interfaces.
  #12
Old 03-03-2010
David Kaye
Re: pop up suggesting I run a scan?

That wasn't the question. Avast along with an early copy of ZoneAlarm are
quite nice in and of themselves. I was just hoping for something I could give
my customers (like the MVP hosts file) and be done with 90% of the problems.
  #13
Old 10-03-2010
Hot-text
Re: pop up suggesting I run a scan?

First we need to know:
Are you on Windows 9x, 2000, XP, Vista, or the new Windows 7?
Is your Internet Explorer 5, 6, 7, or 8?

No one here can help you if you can't give us this info first!