Browser Problem

Somehow, I got directed to a web site called windowssecurityhealthalert.com (DO NOT GO THERE), that opened a new instance of Firefox. It has a popup with this kind of crap in it:

WARNING!!! A security breach has been detected, your browser being hijacked and monitored. It is highly recommended to contact a Microsoft certified technician, Call toll free 1-844-798-3802 and get a scan done to resolve this serious issue.

WARNING!!! Your credentials aren’t safe, your PC is being monitored by malicious software by Trojan files installed on your PC, This is a serious security breach, This malware and Trojan agent can steal your credentials and use your PC and your TCP/IP address for criminal activity. STOP using your browser now and call a Microsoft technician at toll free 1-844-798-3802 and remove all traces of malware and Trojan files.

WARNING!!! Please stop using your browser until you get your PC scanned and removes all traces of malware, call toll free 1-844-798-3802 and get a computer scan done NOW !!!

Someone is monitoring your browser and can steal your credentials.

WARNING!!! A security breach has been detected, your browser being hijacked and monitored. It is highly recommended to contact a Microsoft certified technician, Call toll free 1-844-798-3802 and get a scan done to resolve this serious issue.

I’m running Linux.

Anyway, it won’t let me close it. Clicking on the upper-right X does nothing, and when I close the popup, it just repops. If it was Chrome I could kill the individual process for it, but Firefox only has a single process for tabs and instances. If I kill Firefox, it just comes back when I restart and restore. I cleared all cookies, but that didn’t help. Anyone know how to track down what’s allowing it to do this and kill it with extreme prejudice?

[Mid-afternoon update]

After a little research, I installed this add-on, which blocks trackers and javascript. Post installation, I was able to kill both the pop up and the instance.

19 thoughts on “Browser Problem”

  1. I’d suggest “kill -9 PID”. When Firefox starts up, it will say “closed unexpectedly. Restore?”

    Then you can pick which tabs you want to reactivate.

    Option 2 is to put an entry in /etc/hosts, pointing that naughty URL to, say, 127.0.0.1

      1. Probably won’t help. From what I can see it is not starting separate processes for each window invoked… Try bookmarking your tabs before you kill it and then try my suggestions.

  2. Can’t help too much right now, maybe later tonight. But I presume you are doing a restore for a reason? Like you want to keep your other TABs around? If you have bookmarked those tabs, then do not do a restore just start clean and visit each bookmark in its own tab.

    Otherwise…

    Let’s hope those tabs you want to keep aren’t using JavaScript and see if this works. Before telling it to do a restore see if you can go to Edit -> Preferences -> Content and uncheck Enable JavaScript.

    Hit OK, then try the restore.

    If you can’t get to Edit -> Preferences -> Content because the stupid Restore/Cancel option is blocking it do this instead:

    .) Exit out / kill firefox, YOU MUST do this first then cd into ~/.mozilla/firefox/
    .) Use the ‘ls’ command and look for a directory called xyzzy.default (the xyzzy part will be some hash gobbledygook of alphanumeric text, not literally “xyzzy”).
    .) cd into that directory
    .) Use your favorite editor to edit the file prefs.js. Ignore the text warning at the beginning; you are not running firefox at this point. Append the following line EXACTLY AS WRITTEN INCLUDING PUNCTUATION TO THE END of this file: user_pref("javascript.enabled", false);

    .) Save the file, exit the editor, cd to whatever directory you were in before or ~ and restart firefox, do the restore and see what happens.

    .) If this works, BOOKMARK YOUR TABS! You can turn javascript back on using the menu options mentioned earlier (or not). You might want to inspect the xyzzy.default file afterwards to make sure the entry you put there is now gone. Otherwise you will have to delete it using a manual edit of this file (with the browser not running!).

    Good Luck and be thankful you are on Linux and not trying to do this under Windows which might have graciously encrypted your disk for you…

    Dave
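
The prefs.js edit described in the comment above, as a shell sketch (an added example, not part of the original thread). The function names `disable_js` and `firefox_running` are made up for illustration, and the glob also matches `*.default-release` profile directories, which newer Firefox versions create.

```shell
#!/bin/sh
# Added example: turn JavaScript off in a Firefox profile by editing prefs.js
# while Firefox is NOT running, so a restored session cannot re-run the script.

PREF_LINE='user_pref("javascript.enabled", false);'

# True if a Firefox process is running (common process names).
firefox_running() {
    pgrep -x 'firefox|firefox-bin|firefox-esr' >/dev/null 2>&1
}

# disable_js [PROFILE_ROOT]
# Prints the number of profiles changed; returns non-zero on refusal/failure.
disable_js() {
    root="${1:-$HOME/.mozilla/firefox}"

    # Firefox rewrites prefs.js on exit, so an edit made while it runs is lost.
    if firefox_running; then
        echo "firefox is still running; exit or kill it first" >&2
        return 1
    fi

    changed=0
    for prefs in "$root"/*.default*/prefs.js; do
        [ -f "$prefs" ] || continue          # glob matched nothing

        # Keep a backup so the change can be undone by copying it back.
        cp -p "$prefs" "$prefs.bak" || return 1

        # Drop any existing javascript.enabled line (avoids duplicates),
        # then append the setting as the last line of the file.
        # grep exits 1 when it outputs nothing; only exit status >1 is an error.
        grep -v '"javascript\.enabled"' "$prefs.bak" > "$prefs" || [ $? -eq 1 ] || return 1
        printf '%s\n' "$PREF_LINE" >> "$prefs"
        changed=$((changed + 1))
    done

    if [ "$changed" -eq 0 ]; then
        echo "no *.default* profile with prefs.js under $root" >&2
        return 1
    fi
    echo "$changed"
}

# Usage: source this file, run disable_js, start Firefox, restore the session.
```

To undo the change, copy `prefs.js.bak` back over `prefs.js` with Firefox closed.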

  3. Rand, sounds to me like it’s running a script. IMHO, the best way to kill that window is to shut down Firefox via whatever the Linux kill process method is, stop your PC from accessing the internet, clear cache and cookies (not from within firefox), then restart firefox with the internet still off. (just disconnect from the internet, via killing power to your cable or DSL modem, or disconnecting a cable, whatever).

    If it still does it when firefox restarts without internet (and probably even if not), then it’s loaded something nasty. My guess would be this virus:
    http://www.2-spyware.com/remove-computer-health-alert-pop-up-virus.html

      1. It’s not a Windows virus. It’s a browser virus…
        Probably uses JavaScript. Curse it to hell….

        Dave

      2. Rand, I agree in the main, BUT, even with Linux, if you (or a script) install something infected (say, a toolbar or extension with a malicious redirect) it’s still going to be a problem in Linux, right?

        1. Not unless the virus is written for Linux. Very few are. It would have to know not only the OS, but which desktop I was using (like Gnome). There may be Linux viruses, but I’ve never encountered one. Pretty sure it’s confined to the browser. Even if there were one, my browser doesn’t have root privileges. No way for a script to install software.

  4. Sounds exactly like something that happened on my Apple Safari browser a few years ago. I don’t recall how I got out of it, sorry to say. But it was horrible while it lasted

  5. In Chrome, these popups come with a box you can select that prevents that page from raising any more popups. It’s intended just for this sort of malware.

  6. If computer viruses and malware were around in biblical times, I’m sure somewhere in the Old Testament God would promise us a special place in hell for the authors, and authorize all sorts of electrical body probes to use on the offenders.

    I had one just like this, and ended up on the phone with a nice Indian fellow from McAfee for 2 hours. Around $100 later, my computer was working. I’ll second the effectiveness of Malwarebytes mentioned earlier.

  7. Why isn’t the person on the other end of that phone number charged with fraud, trespass, extortion etc. whatever. If they are out of the US (good chance). Whoever is carrying that phone traffic on its way out of the US should be charged as an accessory (or whatever, INAL)
