
SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Sorry if this is answered already elsewhere.

Using IE9

SiteAdvisor version 3.6.3.549, last update 04/10/2013, which is part of my McAfee suite from BT, which includes Security Center 11.6, VirusScan 15.6 (last update today), firewall, etc.

My son (10 years old) was on the TMNT wiki and clicked on (he said he hovered over) an image, which changed the page to a blank page with a different address (I can post the link if requested, but it opens a dodgy page).

There was also a pop-up:

[Screenshot: pop up.png]

My son pressed OK on it; then there was this page with the SiteAdvisor window on top (I took the screen clipping after I had pressed block). This is also where he called me over:

[Screenshot: pop up 2.png]

The SiteAdvisor window said something like "annoying (I can't remember if it said annoying or dangerous) download detected: download anyway or block download" (there was also a few lines about what was found and the address).

I pressed block and closed the window via task manager (there is nothing in the download folder).

So my questions are: is my PC safe? Is there anything else I should do? I have Malwarebytes and SuperAntiSpyware on my PC (both the free on-demand versions). If I decide to run them, could they have been corrupted by this? Should I reinstall them and my McAfee suite?

There is no record of this in the McAfee Security Center logs; is this normal?

Many thanks


Accepted Solution
Hayton
Level 17

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

It's the download that does the damage, and in this case the download was blocked and failed to execute.

Analysis:

"security_cleaner.exe" is confirmed as malware; see the VirusTotal report.

It was blocked by SiteAdvisor because McAfee detects it as "Ransom-FEB!880B836588FD".

Microsoft are aware of this, not least because the malware spoofs an MSE warning:

http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/i-have-been-notif...

http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/securitycleanerexe-is-not-comm...

The screenshot shows that this is coming from "tophersheybearso.com". I thought at first that domain name was fake - Google turns up no records for it at all. In fact, the domain was registered today - 16 hours ago according to urlvoid (http://www.urlvoid.com/scan/tophersheybearso.com).

So it is likely that it was registered with the sole intent of spreading malware.

The IP address is 162.218.179.107, and both the domain name and the IP address should be reported as malicious. For details see

http://whois.domaintools.com/162.218.179.107

http://whois.domaintools.com/tophersheybearso.com

http://reverseip.domaintools.com/search/?q=162.218.179.107

http://www.domaintools.com/research/dns/?query=162.218.179.107

There is a connection to this Turkish domain - http://whois.domaintools.com/turkrdns.com - according to the 'Resolve Host' entry on the first of those domaintools links. See also the IPVoid report for that address - http://www.ipvoid.com/scan/162.218.179.107/

And if the urlquery report is anything to go by, that domain has now reached the end of its useful life and been abandoned: "File not found" according to the site screenshot.

http://urlquery.net/report.php?id=7777864

Message was edited by: Hayton on 17/11/13 20:52:47 GMT

Message was edited by: Hayton - add IPVoid information on 17/11/13 20:58:05 GMT
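The accepted answer reaches its verdict by combining a known-bad indicator (the McAfee detection of security_cleaner.exe, the domain and its IP) with a registration-age signal (the domain was registered 16 hours earlier). The Python below is an added example, not part of the original thread and not McAfee or SiteAdvisor code: it applies those same two checks to a few constructed proxy log lines and a constructed WHOIS-style record, so a defender can see how the "newly registered domain" heuristic and an indicator match combine into an alert. The log line format, the `SAMPLE_WHOIS` text, the 30-day threshold, the 403-means-blocked convention and all function names are assumptions; the domain, IP address and file name are the ones the answer names.

```python
"""Newly-registered-domain (NRD) and indicator triage over proxy log lines.

Added example for this thread; not McAfee/SiteAdvisor code. The WHOIS text,
log format and age threshold are constructed assumptions; the domain, IP
address and file name are the ones named in the accepted answer.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators named in the accepted answer.
IOC_DOMAINS = {"tophersheybearso.com"}
IOC_IPS = {"162.218.179.107"}

# Constructed WHOIS-style record (assumption: not real registry output). The
# creation time is modelled on the answer's "registered 16 hours ago".
SAMPLE_WHOIS = (
    "Domain Name: TOPHERSHEYBEARSO.COM\n"
    "Registrar: PLACEHOLDER-REGISTRAR\n"
    "Creation Date: 2013-11-17T02:00:00Z\n"
    "Registry Expiry Date: 2014-11-17T02:00:00Z\n"
    "Name Server: NS1.TURKRDNS.COM\n"
)

# Constructed proxy log lines: "<utc timestamp> <client ip> <url> <http status>".
SAMPLE_LOG = [
    "2013-11-17T17:58:01Z 192.168.1.23 http://wiki.example/TMNT 200",
    "2013-11-17T17:58:09Z 192.168.1.23 http://tophersheybearso.com/scan/index.html 200",
    "2013-11-17T17:58:12Z 192.168.1.23 http://162.218.179.107/security_cleaner.exe 403",
    "2013-11-17T17:59:30Z 192.168.1.40 http://www.example.org/ 200",
]

# Time at which the triage runs (constructed: 16 hours after registration).
EXAMPLE_NOW = datetime(2013, 11, 17, 18, 0, tzinfo=timezone.utc)

_CREATED_RE = re.compile(
    r"^Creation Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z",
    re.MULTILINE | re.IGNORECASE,
)


def parse_creation_date(whois_text):
    """Return the registration time as an aware UTC datetime, or None if absent."""
    m = _CREATED_RE.search(whois_text)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def domain_age_hours(whois_text, now):
    """Hours since registration, or None when the record has no creation date."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).total_seconds() / 3600.0


def classify_domain(whois_text, now, nrd_days=30):
    """Label a domain by age; nrd_days is an assumed threshold, not a McAfee setting."""
    age = domain_age_hours(whois_text, now)
    if age is None:
        return "unknown"
    return "newly-registered" if age < nrd_days * 24 else "established"


def find_ioc_hits(log_lines):
    """Return the log entries whose URL host is a known-bad domain or IP."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, url, status = fields
        host = (urlsplit(url).hostname or "").lower()
        if host in IOC_DOMAINS or host in IOC_IPS:
            hits.append({"time": ts, "client": client, "host": host, "status": int(status)})
    return hits


def triage(log_lines, whois_by_domain, now):
    """Combine indicator matches with the domain-age heuristic into alert strings."""
    alerts = []
    for hit in find_ioc_hits(log_lines):
        verdict = "known-bad"
        record = whois_by_domain.get(hit["host"])
        if record is not None:
            verdict += "," + classify_domain(record, now)
        # Assumption for this example: a 403 from the proxy means the fetch was blocked.
        outcome = "blocked" if hit["status"] == 403 else "allowed"
        alerts.append(f"{hit['time']} {hit['client']} -> {hit['host']} [{verdict}] {outcome}")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, {"tophersheybearso.com": SAMPLE_WHOIS}, EXAMPLE_NOW):
        print(alert)
```

Run as a script it prints one alert per matching line: the page fetch from the newly registered domain was allowed, and the executable fetch from the IP was blocked. In practice the WHOIS record would come from a lookup rather than a string, and an "allowed" hit against a known-bad host is the line to chase (which client, what was fetched), whereas a "blocked" hit is confirmation that the control worked.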
spc3rd
Level 10

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Greetings Unhappy-Bunny,

Your post needs more attention than I can provide, but from looking at the screenshots you provided, I suspect you may have malware issues. In the second screenshot, the MSE alert has a misspelled word in the top portion. The next questionable item is what is shown at the bottom of the screenshot, where it is asking if you want to run a particular type of security program, and the list of "supposed infections" that is displayed in the screen. This type of behavior is often seen with fake anti-malware programs.

There are others here who can provide more explicit directions on how best to proceed with your issue.

Message was edited by: spc3rd on 11/17/13 7:16:58 AM EST

Message was edited by: spc3rd on 11/17/13 7:17:37 AM EST

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Thank you for replying. I know that that is a fake security pop-up and have found many mentions of it on Google. I will give a bit more info: the first image (which I recreated by going into his history) says "message from web page", and we don't even have Microsoft Security Essentials. I presume that if he had called me then I would be safe, but he pressed OK; then the SiteAdvisor pop-up (not pictured) appeared a split second before the second image (that's when he called me over). I pressed block (on the SiteAdvisor pop-up), so has that stopped anything getting on the machine? Or does the fact that he pressed OK and/or the second image appearing mean that something has got on?

Or does the fact that these pop-ups appeared at all mean that I already have malware?

There was nothing in downloads on IE or the PC. I ran SuperAntiSpyware, which just found the usual tracking cookies, and ran Malwarebytes (through Chameleon in case of corruption); it didn't find anything.

Message was edited by: Unhappy-bunny on 17/11/13 12:40:51 GMT

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Also nothing in the McAfee logs.

exbrit
Level 21

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

The chances are you are OK, but clicking anything on these weird pop-ups can initiate a malware invasion, so to be absolutely sure I recommend you run a HijackThis session and post the log, as instructed lower down the last link in my signature below, on one of the forums that specialize in such things. Those specialist forums will advise you best.


Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Thanks. Can I ask some questions: could going back to a System Restore point help? And should SiteAdvisor events show in the main McAfee logs?

exbrit
Level 21

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

You could, but make sure you update afterwards and then temporarily turn off System Restore to delete the affected restore point. I don't think SA keeps logs, but Technical Support might know.


Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Thanks for the reply. I'm just running some scans at the moment; I've already run (in safe mode with networking) McAfee, Stinger and McAfee Rootkit Remover. I also reinstalled and ran (in safe mode) Malwarebytes. I have also run cleaner and SuperAntiSpyware; all have found nothing.

Do you think GetSusp may be worth a try? Thanks again.

Edit: also Windows Defender found nothing.

Message was edited by: Unhappy-bunny on 17/11/13 19:38:15 GMT

Re: SiteAdvisor pop-up advised that a download was annoying/dangerous, pressed block: is my PC safe?

Thank you, that's a relief, as I didn't know whether blocking it was enough or if it had already got on, so you have set my mind at ease.

I have also just finished running HitmanPro (recommended on the Microsoft forums) and ESET, which both found nothing.

I've had a chat with my son and he won't do that again (at least he called me when he did). He's usually very careful; he knows to only go on sites that have a green tick (as this one did). Should I report it to SiteAdvisor, or is it too late now? (Or is there no point, as pictures and ads can get "hijacked" on any site?)

Message was edited by: Unhappy-bunny on 17/11/13 21:04:04 GMT