Puppy Linux Discussion Forum

[nubc]

I ran updated AVG 8.5 and latest Malwarebytes Anti-Malware, both report my computer is clean. I searched the C-drive for "alpha", nada. I visit maybe 15 sites on a typical day, Linux news, email, YouTube, etc, but Puppy Forums is the only place I get this popup for Alpha AV. Of course I can use FF 3.5.4 instead, or just use Puppy liveCD, or upgrade IE7 to IE8. I can do a workaround from my end, no problem. Sooner or later, the antivirus industry is gonna clean out Alpha AV, spic and span.
Question: Why does this occur only on Puppy Forums? I close the IE7 browser, up comes the popup. Okay, it's an IE7 exploit. So then something is exploiting IE7 and I only experience the exploit here.

[muggins]

Why on earth would anyone still be using IE?

[nubc]

IE users: 60% of all computers, newbies (potential converts to Linux), office workers, techs who service Windows
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

[SirDuncan]

@nubc:
Well, I haven't had any problems when visiting with my Win7RC install. Not that this really means anything since I surf in FF. My first piece of advice is to upgrade IE7 to IE8. They fixed a ton of security flaws between the two. Even if you don't use IE for surfing, merely having it on the computer can still allow some exploits, so get the most secure version of it. The second piece of advice is to get your Win install fully upgraded. Third piece of advice is to use a different browser. If you go with FF/SeaMonkey, install adblock plus and consider installing noscript (I think noscript works with SeaMonkey).

@all:
Multiple people have seen this happen while on the forums. This leads me to believe that it is a cross scripting attack coming from an ad on the site. Has anyone noticed what ad was being shown when the attack happened? Also, if this is being initiated by Adobe Flash (as Aitch says above), why has the popup not presented itself to people running Puppy? Or has it and no one has said anything? Flash is crossplatform, so even if it couldn't get the download initiated on its own, it shouldn't have any problem creating a popup.

This is certainly not the way we want to greet potential new users (or old users visiting from their game/legacy/etc. system). We need to confirm where it is coming from and take steps to get rid of it.

[nubc]

Housecall found and fixed 3 rootkits and 3 trojans. When I upgraded AVG to version 9, it complained that the following program should be removed before proceeding:
{B5AB638F-D76C-A8F2-F3CEAC50212}
A search did not find this key in registry. Possible malware: AproposMedia, URLSearchHook. Seeq
Furthermore, 27 Windows XP / IE7 updates became immediately available after the above changes.
Before I hear a chorus of "I told you so's", none of the above points conclusively to a source, nor does it explain why popups occur only on Puppy Forums. But I am inclined to think this laptop had some preconditions for the current problems.

[Aitch]

nubc

glad to see you have tracked down rootkits/trojans on your system

I recommend, if you are to continue using IE, installing WOT

http://www.mywot.com/en/download/ie

as it will warn of malware/bad sites - most times, accurately

see earlier and herein repeated sandboxIE message

For general info, and to put people's minds at rest, I just verified using XP SP2 & a deliberately vulnerable IE6, by trapping any likely malware in a sandbox [as suggested earlier - SandboxIE] - There was NO viral activity from the forum despite nubc's assertions

Keep it clean! Use Puppy/any other browser than IE!!

Good post, Chris, as usual

Aitch

[nubc]

The forum for the other site I mentioned is now getting reports of rogue antivirus hijack attempts. I am gonna let this issue ride for several days, then mark this thread SOLVED. Thanks for all feedback. (Fingers crossed)

[Patriot]

Hmmm .....

Occasionally, I would have to troubleshoot a system with an infected malware ... Most of the time, I had to do it manually .... The minor to medium malware infection can be cleared up in about an hour ... The bad a*ss ones could take up to 3-4 hours ...

One of the symptoms that you're having a bad a*ss malware is when you've attempted all sorts of software assisted disinfection methods and yet you still get "hijacked" ... This is what I call the hocrux effect ... A piece of malware with the ability to split itself/link/service and hide it into several windows objects using the dark arts ... The real smart bad a*ss will definitely do a hidden system service that's tough to remove ... An attempt to kill it will just make it spawn a new one in the background ...

Such a malware have a timer or counter mechanism that triggers an activity ... You could be at Disney's website and still get such an activity ... Many people failed to understand that software assisted malware cleaning is not 100% effective. A cocktail of malware cleaners does help but is still less than 100% effective ...

Hocrux hunting is also a difficult art to master itself ... Whenever I encounter a new malware, it could take me hours to find and destroy all the hocrux ... The only cure to such an infection for the layman is prevention ... Even a fresh re-install from zero does not guarantee a no-reinfection if it has spread to your broom flying pen drives or other external storages .... A suitable antivirus from a trusted source can definitely help (ie. I do recommend Comodo for those who really cannot afford yearly licenses).

Unfortunately, I haven't encounter this AlphaAV malware thus I am unable to say where to find its roots .....


Rgds

[James C]

I was using my XP box earlier this afternoon when I suffered one of the fake anti-virus hijack attempts.I rebooted so fast I didn't even notice the name, but after Malwarebytes, SuperAntispyware And Avira scans my computer luckily wasn't infected.

And I was using Firefox 3.5.5 by the way, so its not just the IE users who need to be careful.

[Pence]

Our Library blocked the link to Barry's Blog for awhile, but it's now working again.