Getting a Phony Virus Warning as I Write This

  • Thread starter Thread starter WWGD
  • Start date Start date
  • Tags Tags
    Virus
AI Thread Summary
A user is experiencing persistent pop-up warnings that spoof Windows Defender and McAfee, indicating potential malware infection. Despite blocking pop-ups and running antivirus scans, the user continues to receive these alerts, suggesting the presence of adware or phishing attempts. Recommendations include utilizing Windows' Restore Point feature to revert to a previous system state, and employing tools like Process Explorer to identify suspicious processes. The user has attempted to clear temporary files and adjust browser settings, which have reduced the frequency of pop-ups but not eliminated them entirely. There is a discussion about the effectiveness of various antivirus programs and the possibility of zero-day vulnerabilities in Microsoft Edge. The user is advised to remain cautious and consider using a VPN for secure browsing, especially when on public Wi-Fi.
WWGD
Science Advisor
Homework Helper
Messages
7,679
Reaction score
12,446
Hi,
I'm getting a warning message that is spoofing my Windows Defender and McCaffee. In my Internet settings, I have blocked popups, yet the message below
Resized_20220718_174602(1).jpeg
 
Computer science news on Phys.org
And I see you've been eating potato chips while typing again. Clean your keyboard man!
 
  • Haha
  • Like
Likes Delta2, Melbourne Guy, Oldman too and 1 other person
I think there are still ways for malware to avoid popup blockers. One trick was to wait a few seconds or more before initiating the popup not sure if that was ever really fixed.

https://howtoremove.guide/mcafee-virus-popup-scam/

maybe a search on "fake virus popups" will net some solution that will work for you.
 
  • Like
Likes WWGD
Thanks all.Well, I got my pc in safe mode, trying to delete .tmp files, but system is slow. Typing this from my phone. I guess I'll do the search for fake pop-up viruses from my phone.
 
berkeman said:
And I see you've been eating potato chips while typing again. Clean your keyboard man!
It's an 8 year-old PC, screen partially cracked.
 
Any chance Wireshark could help here? I'm using my phone as a hotspot, connection is secure, rather than the unprotected WiFi from the coffee shop.
 
berkeman said:
You got that at PF? @Greg Bernhardt
Not sure. No clue, actually. I cleared .tmp files, deleted recent history and so far, so good.
I ran Windows Defender and it gave me a clear, no viruses detected. Somehow someone spoofed
defender, and McCaffee , which I don't have.
 
Guess that was too soon, too optimistic. Pop ups are back.
 
  • #10
If you are on Windows, try the Restore Point approach. By default, Windows makes periodic back-up copies of the system. Using the 'rstrui.exe' program you can go back in time to when the computer was functioning correctly. On my (quite old) system, rstrui.exe is in <windows>/system32/restore. It can take a while to execute but does show a progress bar, just let it run. I had to use it about a week ago and it took roughly an hour on a system with a terabyte or so of disk storage.

This Not Usually Needed, but can be handy to know::
Another recovery approach is to use System File Checker, SFC. You need the original installation disk (or a laptop may have the data hidden on the hard drive). SFC is a command line program that you run in a DOS window. It compares the critical system files to the original files in the distribution and replaces any that are needed.

Also, if you have a firewall installed, it may have a virus scan feature. They don't catch everything, and sometimes they flag programs that you normally use as being suspicious or infected. Fortunately, some of the virus checkers have an 'undo' feature so you can recover from an overly aggressive cleaning.

Please keep us updated.

Cheers,
Tom
 
  • Like
Likes WWGD
  • #11
Tom.G said:
By default, Windows makes periodic back-up copies of the system.
FYI, not Windows 11. It needs to be enabled.
 
  • #12
WWGD said:
Somehow someone spoofed
defender, and McCaffee , which I don't have.
How do you know it spoofed McCaffee if you don't have McCaffee?
 
  • Like
Likes WWGD
  • #13
anorlunda said:
How do you know it spoofed McCaffee if you don't have McCaffee?
I'm assuming it was malware, and it presented to be a message from McCaffee. It claimed to have detected a virus in my system. How can it detect it without being installed?
 
  • #14
WWGD said:
I'm assuming it was malware, and it presented to be a message from McCaffee. It claimed to have detected a virus in my system. How can it detect it without being installed?
Edit: It is trying to trick you into thinking that it came from a trusted source McCaffee. It is definitely malware. It is impossible to know at this point if a virus is permanently installed on your machine, or it remains from a web page you visited.

That sounds exactly like a phishing scam. Don't click on any buttons. Reboot before doing anything else.
 
  • Like
Likes Oldman too and WWGD
  • #15
Actually, @anorlunda , it may just be adware from
anorlunda said:
Edit: It is trying to trick you into thinking that it came from a trusted source McCaffee. It is definitely malware. It is impossible to know at this point if a virus is permanently installed on your machine, or it remains from a web page you visited.

That sounds exactly like a phishing scam. Don't click on any buttons. Reboot before doing anything else.
Thanks.I'll follow Tom G.'s advice above, and/or use a restore point.
 
  • #18
berkeman said:
And I see you've been eating potato chips while typing again. Clean your keyboard man!
Actually, maybe you can help solve this mystery. I use my PC indoors, then store it in a case when not using it, leave it in the case in my backpack. Yet it gathers dust. I have no clue where the dust is coming from. Really.
 
  • #19
WWGD said:
Actually, maybe you can help solve this mystery. I use my PC indoors, then store it in a case when not using it, leave it in the case in my backpack. Yet it gathers dust. I have no clue where the dust is coming from. Really.
Is that cat hair at the base of the screen, just above the hinge? Do you have a cat? :wink:
 
  • Love
Likes Delta2
  • #20
berkeman said:
Is that cat hair at the base of the screen, just above the hinge? Do you have a cat? :wink:
No, no animals. Other than myself ;).
 
  • Haha
Likes Tom.G
  • #21
As a quick followup: I took some steps, which were largely, but not fully successful, and I saw some strange outcomes. The frequency of unwanted pop-ups decreased by a good amount; from once every 3-4 minutes, to once every 25 minutes or so. But then ( the ' strange ' part) ,I started getting legitimate pop-ups from sites like Norton, McAffee, urging me to buy their protection.
Somehow the malware was missed by Malware Bytes and Windows Antivirus, both of which gave my pc a clean bill of health. Not sure what to make of it.
Thanks to all for your suggestions, input.
 
  • #22
A way to possibly track down the culprit would be to use/install procexp.exe (PROCESS EXPLORER.EXE.) That is an old-time Windows program (that may not still be available) that shows the Win task list, the CPU time percentage that each program is using, the command line that invoked it, etc.

Procexp.exe was written by SystemInternals about a decade ago and included in their SysInternals Suite, but the company was bought by Microsoft several years ago. A poor relation is PVIEWER.EXE, in the Microsoft Support Package for your operating system (do they still supply those?)

Another program that might be useful is SYSMON which was distributed by Microsoft and also with UBCD4Win, but as I recall it is a lot harder to use.

Be sure look in the Startup directory which holds the programs that get loaded when Windows starts: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup". (there is a directory for each account on the machine, All Users, Administrator, etc). You may find the culprit listed there. There is a utility for editing the startup process but I can't find it at the moment; try a search for" Startup" and have fun, Carefully!

Cheers,
Tom
 
  • Like
Likes Oldman too and WWGD
  • #23
Tom.G said:
Procexp.exe was written by SystemInternals about a decade ago and included in their SysInternals Suite, but the company was bought by Microsoft several years ago.
The whole SysInternals suite, written by Mark Russinovich, is available for free download here - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
The above web page seems to be updated regularly. It includes Process Explorer (mentioned above) and many other utilities. I've used several of these utilities, including one that force-deletes files that some other entities hold handles to, which would prevent deletion by ordinary means.
 
  • Like
  • Informative
Likes Wrichik Basu, Tom.G and WWGD
  • #24
Mark44 said:
The whole SysInternals suite, written by Mark Russinovich, is available for free download here - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
The above web page seems to be updated regularly. It includes Process Explorer (mentioned above) and many other utilities. I've used several of these utilities, including one that force-deletes files that some other entities hold handles to, which would prevent deletion by ordinary means.
Thanks again:
This is the latest I've tried. I gathered the popup was using Microsoft Edge. I had disallowed all popups on the Internet Options menu. But I guess kind of tricky that sets of Options/Permissions may overlap and contradict each other ( like, say, county-level, city-level, state-level, etc ). So I checked Edge Content Permissions, which somehow had given permissions ( I think this was the default )
I went to :

edge://settings/content/notifications:

And blocked all access to the webpage listed in the pop-up: advtnow.com that Edge had given by (default)
all sorts of access:

1658437767819.png
 
  • Informative
Likes Oldman too
  • #25
Now, please all join me in a prayer to the God Computus, so that this is permanently fixed. It's been a full hour ( Edit: 4 hours) without popups so far, compared to once every 5-10 minutes or so. This was proposed by someone else.
 
Last edited:
  • Like
Likes Delta2
  • #26
WWGD said:
Any chance Wireshark could help here? I'm using my phone as a hotspot, connection is secure, rather than the unprotected WiFi from the coffee shop.
Ouch! @WWGD, there are a few VPNs that offer a reasonable monthly allowance at no cost, and you can sign up with a throwaway email address (ie, create a Proton Mail or Gmail or whatever just for the VPN) for added personal security. I've used Tunnel Bear and Windscribe before, not looked at their free tiers recently, but if you're using public WiFi it is worth finding and installing one.
 
  • Like
Likes Oldman too and WWGD
  • #27
Melbourne Guy said:
Ouch! @WWGD, there are a few VPNs that offer a reasonable monthly allowance at no cost, and you can sign up with a throwaway email address (ie, create a Proton Mail or Gmail or whatever just for the VPN) for added personal security. I've used Tunnel Bear and Windscribe before, not looked at their free tiers recently, but if you're using public WiFi it is worth finding and installing one.
Thanks, Melbourne, I've been using my phone as a hotspot. it's secure.

Just curious: Is it possible to have an inbound rule in Windows' Firewall that blocks a website? It seems it can restrict access to ports, to TCP/UDP packets, to processes/software, but not to website addresses that I can tell.
 
Last edited:
  • Like
Likes Melbourne Guy
  • #28
WWGD said:
Just curious: Is it possible to have an inbound rule in Windows' Firewall that blocks a website? It seems it can restrict access to ports, to TCP/UDP packets, to processes/software, but not to website addresses that I can tell.
See post #8 above (https://www.physicsforums.com/posts/6644953/)
 
  • Like
Likes WWGD
  • #29
WWGD said:
Now, please all join me in a prayer to the God Computus, so that this is permanently fixed. It's been a full hour ( Edit: 4 hours) without popups so far, compared to once every 5-10 minutes or so. This was proposed by someone else.
All you did was disable popups. The malware that was creating them in the first place is likely still functioning and spying on you. Do you have any extensions installed?
 
  • Like
Likes WWGD and Oldman too
  • #30
Jarvis323 said:
All you did was disable popups. The malware that was creating them in the first place is likely still functioning and spying on you. Do you have any extensions installed?
I think I've removed all from Edge. Will double check, though. Edit: If there's something still there , its likely a 0-day, since I've received a clean bill of health from 3 AV programs.
 

Similar threads

Windows updates driving me crazy
2
Replies
51
Views
6K
How can I fix the constant popup window on my PC after a virus removal?
Replies
15
Views
3K
What is the NWJS virus and how can I protect my computer from it?
Replies
17
Views
5K
Is My New Windows 11 Laptop Infected with Malware?
Replies
12
Views
2K
Opera browser is trying to visit a harmful website everytime I open it
Replies
12
Views
3K
Watch out for some articles on Yahoo (virus?)
Replies
5
Views
2K
Viruses: A pain in the head and my laptop.
Replies
11
Views
2K
Reminders that scammers and hackers are clever
Replies
6
Views
2K
False Error Messages Win10 64-bit
Replies
19
Views
2K
Using Word for Equation Editing
Replies
15
Views
2K

Hot Threads

Recent Insights

Back
Top