Vocal Voices

[Aggers]

Tonight I had a notice on my laptop, asking whether I would allow a download,
the verified publisher being Microsoft Windows. I clicked 'No', but it wouldn't go
away. I could not get rid of the notice, and I couldn't even shut down the website
I was on, or shut down the laptop in the normal way. The notice kept re-appearing.
It said the programme name was 'WMI Commandline utility'.
Eventually I had to shut off my laptop by holding down the Start button.

What should I have done ? Do you think it was genuine ?
I might tell you, I was bloody annoyed.

[Suff]

Erm, no, I don't think it was genuine. The WMI command line utility is an attack vector into the PC and you can do a huge amount of damage or illicit work on the machine with it. Simply put the Windows Management Interface (WMI), is one of the most powerful tools on your machine for making changes to windows.

Any software trying to leverage WMI with elevated rights (the warning you got), is doing absolutely no good at all and NO and I do mean _NO_ ordinary website should leverage that utility. When it said that the program was from Microsoft, it was exactly correct, WMI is signed with a Microsoft Certificate. However the program that called it was almost certainly not!

[Workingman]

It sounds odd, and if the pop-up was unable to be closed, very suspicious.

Do you know the site you were on when this happened? If so please post the address, but leave out the www..

[Suff]

Thinking about it you might want to do an offline virus scan and an adware scan.

Recently I had to explain to our French friend why her PC was taking 30 seconds to open her Orange web mail portal. Yet it only took 5 seconds in Chrome.

When I showed her that the virus scanner, integrated into IE, was blocking the adverts in the banner at the top of the mail, yet Chrome was letting it in, she was surprised. She believed what everyone was saying. Chrome was perfect.....

Best to make sure you have a virus suite which can verify the pages before you open them and make sure it is switched on. It seriously slows down the speed of page loading so some less highly performing suites make it an option...

[Aggers]

Frank - At the time I was on my usual E-mail website, gmx.

I have Avast antivirus installed.

I am always very wary, and if anything suspicious pops up I leave the website by using Alt+ F4 ,
rather than clicking on anything. On this occasion that didn't work either.

[Workingman]

John, I have checked gmx and it is clean.

So, what happened? Have you clicked on a link in an email from someone you thought was legit? This is often the way in. You get an email from someone you 'think' that you know, but the link they give is to ... who knows.

My second thought is: have you downaloaded software? This is another way in. If you download software from a third party site you can often get other software bundled with the one you want and if you are not careful a lot of this can be malware.

As a stopgap go, get and run Malwarebytes and SuperAnti Spyware as well as AdwCleaner. They are all free and catch most malware.

But firstly do a full scan with Avast! and see what it turns up.

[Suff]

I'm wondering. Does GMX have a preview pane? I don't use preview panes but it is possible for a malicious mail to launch javascript code from the preview pane, on webmail just by moving over it. Something it can't do in a traditional mail client.

Just a thought.

[Workingman]

No, Suff, it has View Page Source, View Frame Source and Inspect Element.

You are always on the Internet unless a desktop client is used, so nothing is downloaded.

If a malicious mail invoked a javascript code Aggers should be safe, but a malware check is still worthwhile.

[Suff]

It is always worthwhile to do a malware check, that's true.

[Aggers]

Frank - I never even open an email from anyone I don't know, and I haven't downloaded anything for months.

I've run security checks and full scans with GMX and with Windows Defender but no malware was found.

Anyway, things seem to be working OK now.

Thanks for your help lads.