Re: Hijack: .3utilities.com?

>>>> XPPro SP3 all up to date. Avast free all up to date.
>>>>
>>>> Whilst browsing innocent looking kitchen furnishing sites, my browser
>>>> suddenly came up with a window that looked like Windows Security Centre,
>>>> with an inset window looking like my AV. This inset window showed a list
>>>> of supposed trojans and other malware, and was accompanied by a popup
>>>> insisting that my system was desperately vulnerable and I should click a
>>>> link to scan it now.
>>>>
>>>> I, instead, opted for pulling the plug and running ccleaner, clearing
>>>> history and running spybot and malware bytes. No malware found yet.
>>>>
>>>> The hijack went to hxxp://x05y08.3utilities.com (Sorry: I can't see how
>>>> to write this so it doesn't make a hyperlink: perhaps someone can tell me
>>>> how to do that too.) The '0's may be 'o's or a combination.
>>>>
>>>> Searches on this link and its various '0' combinations came up with no
>>>> other mentions of this hijack. The 3utilities domain does get a few
>>>> unreliable notes.
>>>>
>>>> Anyone know any more about this? Were WSC and Avast actually responding
>>>> to this site as they should, or was the site imitating them to fool me
>>>> into believing the popup and clicking their 'scan your pc now' button?
>>>>
>>>> Cheers,
>>>>
>>>> S
>>>
>>> 3utilities.com resolves to this IP: 204.16.252.112
>>> x05y08.3utilities.com yields a 403 Forbidden message and resolves to this
>>> IP: 85.234.191.94
>>> 85.234.191.94 is located in Riga, Latvia, and is on a list of bad sites:
>>>
>>> You were wise to pull the power plug. In situations such as this, one can
>>> open Task Manager and End the Internet Explorer process (iexplore.exe)
>>> instead of pulling the power plug.
>>>
>>> What most likely happened was that either an Iframe or a malware embedded
>>> ad (malvertizement) triggered the phony AV scan.
>>> Avast's popup window when encountering embedded malware on a site is quite
>>> unique and should be difficult to mimic. Key word being *should*. The
>>> phony Windows Security Center warning is not quite as easy to discern
>>> from the one you see that actually stems from Windows XP.
>>>
>>> The malware it claimed was resident on your computer was not present and
>>> yes, the rogue AV was trying to fool you to click the scan button so it
>>> could download malware to your system. Then, to "clean up" the malware
>>> that was not present and the ensuing malware that would be downloaded,
>>> they would tell you that you had to buy their "product".
>>>
>>> The worst part about this rogue AV "software" is that folks get conned by
>>> it, actually purchase it, and then do not dispute the charges -
>>> Rogue Antivirus Victims Seldom Fight Back
>>>
>>> As to munging a possibly malware laden link, just change the http to
>>> hxxp, like this - hxxp://x05y08.3utilities.com
>>>
>>>
>>> MowGreen
>>
>> Thanks Mow, a very good response.
>>
>> I thought I already had a hosts file with all these black listed sites on.
>> Perhaps I lost it when I uninstalled Spybot during a recent hard drive
>> change. Would the SpyBot Resident protection - now reinstalled - have
>> picked this up? If not, how do I incorporate all the blacklisted sites, or
>> get a regularly updated hosts list (I used to have something called Hosts
>> Secure, but it seems to have disappeared now I come to think of it?). I've
>> added *3utilities.com* to my Add Block Plus filters in Firefox: is there a
>> similar add on for IE8?
>>
>> A lot of new questions: sorry! And, finally: should I be posting this as a
>> warning somewhere else?
>>
>> Thanks very much for the prompt reply.
>>
>> S
>>
>
> There's no need to block 3utilities.com. There's nothing in any database
> that indicates that it's a "bad site".
> What you want to do is to at least receive a prompt when an IFrame is
> involved. Open Internet Options in Control Panel. Click the Security tab.
> Click on Internet.
> Click the Custom level button.
> Scroll down to the Miscellaneous heading.
> Scroll down to Launching programs and files in an IFRAME
> Set it to at least " Prompt (recommended) "
> You can choose to set it to Disable as that will never allow an IFrame to
> open.
>
> As for Spybot, its Resident protection has been known to interfere when a
> newer Version of the Windows Update Agent is installed.
>
> You can post to their forum for any of your questions about using it -
>
> MowGreen

Thanks Mow, I do have IFrame set to prompt, but the only 'prompt' I received was the one to have my computer 'scanned'. (?) I was using Firefox at the time though, so perhaps this works differently to IE.

I'll remember to turn off Resident protection before installing the next lot of genuine Windows updates - of which the blog on your hosts-file.net link tells there are some big ones on the way.

I was more interested in getting another hosts file. Is the one that can be downloaded from hosts-file.net recommended, and is this or another you could recommend automatically updateable?

Thank you, S

(posted by Spamlet)

Thought this should be posted here after the recent thread on AV, as this is a scam anyone thinking of installing one needs to be aware of. It certainly could have caught me out if I had not known both my AV definitions and Windows Updates were recently updated.

Take care.

S
(posted by Spamlet)


YW, Spamlet.

Blocking Unwanted Parasites with a Hosts File

The above hosts file will work in FF and IE.

The issue with Spybot's Resident protection involves the updating of the Windows Update Agent, not "normal" Windows updates. The ActiveX components of the WUA may fail to register properly. That would be either muweb.dll and/or wuwebv.dll, depending upon whether the system is opted into Microsoft Update or Windows Update. The former is for MU, the latter for WU.

I've been using SeaMonkey, another Mozilla-based browser, but see no setting for IFrames.

MowGreen ================ *-343-* FDNY Never Forgotten ================

banthecheck.com "Security updates should *never* have *non-security content* prechecked

(posted by MowGreen)
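The hosts-file approach MowGreen recommends above, and Spamlet's earlier question about how to fold a list of blacklisted sites into one, both turn on how a hosts file is actually matched. The following is an added example, not code from this thread or from hosts-file.net. It assumes the usual blocklist layout (one line per name, sunk to 0.0.0.0 or 127.0.0.1) and uses a constructed sample file; the hostnames adserver.example and the page's own x05y08.3utilities.com appear only to show that a hosts file matches names exactly, so an entry for a parent domain does not cover its subdomains, and a merge routine has to deduplicate and validate names rather than blindly append them.

```python
"""Hosts-file helpers: parse, look up, and merge a blocklist.

Added example (not code from the thread or from hosts-file.net). Assumes the
common blocklist format where each line maps a hostname to 0.0.0.0 or
127.0.0.1. Hosts files have no wildcards: a parent-domain entry does not
cover its subdomains, and the first mapping for a name wins.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample hosts file: a Windows-style header comment, the
# mandatory localhost line, and two blocklist entries.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file (constructed for the example).
127.0.0.1       localhost
0.0.0.0         adserver.example        # constructed blocklist entry
0.0.0.0         3utilities.com
"""

# Addresses that blocklists use to sink a name.
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1"}

# Conservative hostname syntax: labels of 1-63 chars, total length <= 253.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$")


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: ip} for every mapping in a hosts file.

    Comments (# ...) and blank lines are skipped. One line may map several
    names to one address ("127.0.0.1 localhost loopback").
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; the resolver ignores these too
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address; skip rather than guess
        for name in fields[1:]:
            # First mapping wins, as the resolver stops at the first match.
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_blocked(hostname: str, mapping: dict[str, str]) -> bool:
    """True if the hosts file sinks exactly this name to a block address.

    "localhost" legitimately maps to 127.0.0.1 and is never "blocked".
    There is no suffix matching: listing 3utilities.com does nothing for
    x05y08.3utilities.com.
    """
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False
    return mapping.get(name) in BLOCK_SINKS


def merge_blocklist(text: str, names: list[str], sink: str = "0.0.0.0") -> str:
    """Append block entries for names not already mapped.

    Names that are already present (in the file or earlier in the list) are
    skipped, and syntactically invalid names are rejected so a bad list
    cannot corrupt the file.
    """
    existing = parse_hosts(text)
    out = text if text.endswith("\n") else text + "\n"
    added: list[str] = []
    for name in names:
        n = name.lower().strip().rstrip(".")
        if n in existing or n in added or not _HOSTNAME_RE.match(n):
            continue
        added.append(n)
        out += f"{sink}\t{n}\n"
    return out


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in ("adserver.example", "3utilities.com", "x05y08.3utilities.com"):
        print(f"{h:24} blocked={is_blocked(h, hosts)}")
    merged = merge_blocklist(SAMPLE_HOSTS, ["x05y08.3utilities.com", "3utilities.com", "bad host"])
    print(merged)
```

Two points worth taking from the code rather than from the thread: the subdomain in the original post would still resolve normally after adding only the parent domain to a hosts file, and each downloaded blocklist should be merged through a validator like `merge_blocklist` so that duplicated or malformed lines do not pile up. Spamlet's later remark that the hosts file slowed things down is the usual cost of a very large file; keeping it deduplicated helps a little with that.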


Very helpful. Thanks very much for all your help. I don't see anything about IFrames in Firefox either, but it does have quite a long list of sites where popups and images are blocked.

S
(posted by Spamlet)

The NoScript add on can be installed to forbid IFRAMES for Untrusted Sites in Mozilla based browsers. Forbid IFRAMES is Enabled by Default when NoScript is installed. The setting is on the Embeddings page of Options.

MowGreen ================ *-343-* FDNY Never Forgotten ================

banthecheck.com "Security updates should *never* have *non-security content* prechecked

(posted by MowGreen)

Well thank you once again: this is going beyond the call of duty! That looks like quite a sophisticated add on: I'll give it a try - though I notice its own website appears to be encouraging a click and scan...

Cheers, S

(posted by Spamlet)

NoScript is one of the most widely used and trusted add-ons for Firefox. I've used it for years... along with AdBlock Plus and Flashblock all of which make browsing safer and faster by cutting out most of the crap.

(posted by David in Normandy)

YW, S. NoScript is Trustworthy. Pay no mind to the scan. Someone has to pay for NoScript's development.

After you've used NS for awhile you'll learn which domains can be allowed to run scripts and which ones to block *permanently*. I rarely mark sites as Trusted as even Trusted sites can contain malvertizing or malware linked IFrames.

MowGreen ================ *-343-* FDNY Never Forgotten ================

banthecheck.com "Security updates should *never* have *non-security content* prechecked

(posted by MowGreen)

Thanks Mow, it will take a while to get used to all the options, but for now it seems enough to use the temporary options, as in most searches one only needs to glance at a site to see if it is likely to offer what one is seeking.

As for the host file, I think this has slowed things down a little but so far not enough to be inconvenient. With your help I feel that things should be safer now.

Cheers, S

(posted by Spamlet)
