Getting a Phony Virus Warning as I Write This

[WWGD]

Hi,
I'm getting a warning message that is spoofing my Windows Defender and McCaffee. In my Internet settings, I have blocked popups, yet the message below

 

[berkeman]

You got that at PF? @Greg Bernhardt

 

[berkeman]

And I see you've been eating potato chips while typing again. Clean your keyboard man!

 

[jedishrfu]

I think there are still ways for malware to avoid popup blockers. One trick was to wait a few seconds or more before initiating the popup not sure if that was ever really fixed.

https://howtoremove.guide/mcafee-virus-popup-scam/

maybe a search on "fake virus popups" will net some solution that will work for you.

 

[WWGD]

Thanks all.Well, I got my pc in safe mode, trying to delete .tmp files, but system is slow. Typing this from my phone. I guess I'll do the search for fake pop-up viruses from my phone.

 

[WWGD]

And I see you've been eating potato chips while typing again. Clean your keyboard man!

It's an 8 year-old PC, screen partially cracked.

 

[WWGD]

Any chance Wireshark could help here? I'm using my phone as a hotspot, connection is secure, rather than the unprotected WiFi from the coffee shop.

 

[WWGD]

You got that at PF? @Greg Bernhardt

Not sure. No clue, actually. I cleared .tmp files, deleted recent history and so far, so good.
I ran Windows Defender and it gave me a clear, no viruses detected. Somehow someone spoofed
defender, and McCaffee , which I don't have.

 

[WWGD]

Guess that was too soon, too optimistic. Pop ups are back.

 

[Tom.G]

If you are on Windows, try the Restore Point approach. By default, Windows makes periodic back-up copies of the system. Using the 'rstrui.exe' program you can go back in time to when the computer was functioning correctly. On my (quite old) system, rstrui.exe is in <windows>/system32/restore. It can take a while to execute but does show a progress bar, just let it run. I had to use it about a week ago and it took roughly an hour on a system with a terabyte or so of disk storage.

This Not Usually Needed, but can be handy to know::
Another recovery approach is to use System File Checker, SFC. You need the original installation disk (or a laptop may have the data hidden on the hard drive). SFC is a command line program that you run in a DOS window. It compares the critical system files to the original files in the distribution and replaces any that are needed.

Also, if you have a firewall installed, it may have a virus scan feature. They don't catch everything, and sometimes they flag programs that you normally use as being suspicious or infected. Fortunately, some of the virus checkers have an 'undo' feature so you can recover from an overly aggressive cleaning.

Please keep us updated.

Cheers,
Tom

 

[Vanadium 50]

By default, Windows makes periodic back-up copies of the system.

FYI, not Windows 11. It needs to be enabled.

 

[anorlunda]

Somehow someone spoofed
defender, and McCaffee , which I don't have.

How do you know it spoofed McCaffee if you don't have McCaffee?

 

[WWGD]

How do you know it spoofed McCaffee if you don't have McCaffee?

I'm assuming it was malware, and it presented to be a message from McCaffee. It claimed to have detected a virus in my system. How can it detect it without being installed?

 

[anorlunda]

I'm assuming it was malware, and it presented to be a message from McCaffee. It claimed to have detected a virus in my system. How can it detect it without being installed?

Edit: It is trying to trick you into thinking that it came from a trusted source McCaffee. It is definitely malware. It is impossible to know at this point if a virus is permanently installed on your machine, or it remains from a web page you visited.

That sounds exactly like a phishing scam. Don't click on any buttons. Reboot before doing anything else.

 

[WWGD]

Actually, @anorlunda , it may just be adware from

Edit: It is trying to trick you into thinking that it came from a trusted source McCaffee. It is definitely malware. It is impossible to know at this point if a virus is permanently installed on your machine, or it remains from a web page you visited.

That sounds exactly like a phishing scam. Don't click on any buttons. Reboot before doing anything else.

Thanks.I'll follow Tom G.'s advice above, and/or use a restore point.

 

[Oldman too]

Are you familiar with and able to download/run in admin mode
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
?

 

[WWGD]

Are you familiar with and able to download/run in admin mode
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
?

Thanks, Oldman, just tried something. It seems to have helped. Will look into the link.

 

[WWGD]

And I see you've been eating potato chips while typing again. Clean your keyboard man!

Actually, maybe you can help solve this mystery. I use my PC indoors, then store it in a case when not using it, leave it in the case in my backpack. Yet it gathers dust. I have no clue where the dust is coming from. Really.

 

[berkeman]

Actually, maybe you can help solve this mystery. I use my PC indoors, then store it in a case when not using it, leave it in the case in my backpack. Yet it gathers dust. I have no clue where the dust is coming from. Really.

Is that cat hair at the base of the screen, just above the hinge? Do you have a cat?

 

[WWGD]

Is that cat hair at the base of the screen, just above the hinge? Do you have a cat?

No, no animals. Other than myself ;).

 

[WWGD]

As a quick followup: I took some steps, which were largely, but not fully successful, and I saw some strange outcomes. The frequency of unwanted pop-ups decreased by a good amount; from once every 3-4 minutes, to once every 25 minutes or so. But then ( the ' strange ' part) ,I started getting legitimate pop-ups from sites like Norton, McAffee, urging me to buy their protection.
Somehow the malware was missed by Malware Bytes and Windows Antivirus, both of which gave my pc a clean bill of health. Not sure what to make of it.
Thanks to all for your suggestions, input.

 

[Tom.G]

A way to possibly track down the culprit would be to use/install procexp.exe (PROCESS EXPLORER.EXE.) That is an old-time Windows program (that may not still be available) that shows the Win task list, the CPU time percentage that each program is using, the command line that invoked it, etc.

Procexp.exe was written by SystemInternals about a decade ago and included in their SysInternals Suite, but the company was bought by Microsoft several years ago. A poor relation is PVIEWER.EXE, in the Microsoft Support Package for your operating system (do they still supply those?)

Another program that might be useful is SYSMON which was distributed by Microsoft and also with UBCD4Win, but as I recall it is a lot harder to use.

Be sure look in the Startup directory which holds the programs that get loaded when Windows starts: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup". (there is a directory for each account on the machine, All Users, Administrator, etc). You may find the culprit listed there. There is a utility for editing the startup process but I can't find it at the moment; try a search for" Startup" and have fun, Carefully!

Cheers,
Tom

 

[Mark44]

Procexp.exe was written by SystemInternals about a decade ago and included in their SysInternals Suite, but the company was bought by Microsoft several years ago.

The whole SysInternals suite, written by Mark Russinovich, is available for free download here - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
The above web page seems to be updated regularly. It includes Process Explorer (mentioned above) and many other utilities. I've used several of these utilities, including one that force-deletes files that some other entities hold handles to, which would prevent deletion by ordinary means.

 

[WWGD]

The whole SysInternals suite, written by Mark Russinovich, is available for free download here - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
The above web page seems to be updated regularly. It includes Process Explorer (mentioned above) and many other utilities. I've used several of these utilities, including one that force-deletes files that some other entities hold handles to, which would prevent deletion by ordinary means.

Thanks again:
This is the latest I've tried. I gathered the popup was using Microsoft Edge. I had disallowed all popups on the Internet Options menu. But I guess kind of tricky that sets of Options/Permissions may overlap and contradict each other ( like, say, county-level, city-level, state-level, etc ). So I checked Edge Content Permissions, which somehow had given permissions ( I think this was the default )
I went to :

edge://settings/content/notifications:

And blocked all access to the webpage listed in the pop-up: advtnow.com that Edge had given by (default)
all sorts of access:

 

[WWGD]

Now, please all join me in a prayer to the God Computus, so that this is permanently fixed. It's been a full hour ( Edit: 4 hours) without popups so far, compared to once every 5-10 minutes or so. This was proposed by someone else.

 

[Melbourne Guy]

Any chance Wireshark could help here? I'm using my phone as a hotspot, connection is secure, rather than the unprotected WiFi from the coffee shop.

Ouch! @WWGD, there are a few VPNs that offer a reasonable monthly allowance at no cost, and you can sign up with a throwaway email address (ie, create a Proton Mail or Gmail or whatever just for the VPN) for added personal security. I've used Tunnel Bear and Windscribe before, not looked at their free tiers recently, but if you're using public WiFi it is worth finding and installing one.

 

[WWGD]

Ouch! @WWGD, there are a few VPNs that offer a reasonable monthly allowance at no cost, and you can sign up with a throwaway email address (ie, create a Proton Mail or Gmail or whatever just for the VPN) for added personal security. I've used Tunnel Bear and Windscribe before, not looked at their free tiers recently, but if you're using public WiFi it is worth finding and installing one.

Thanks, Melbourne, I've been using my phone as a hotspot. it's secure.

Just curious: Is it possible to have an inbound rule in Windows' Firewall that blocks a website? It seems it can restrict access to ports, to TCP/UDP packets, to processes/software, but not to website addresses that I can tell.

 

[Tom.G]

Just curious: Is it possible to have an inbound rule in Windows' Firewall that blocks a website? It seems it can restrict access to ports, to TCP/UDP packets, to processes/software, but not to website addresses that I can tell.

See post #8 above (https://www.physicsforums.com/posts/6644953/)

 

[Jarvis323]

Now, please all join me in a prayer to the God Computus, so that this is permanently fixed. It's been a full hour ( Edit: 4 hours) without popups so far, compared to once every 5-10 minutes or so. This was proposed by someone else.

All you did was disable popups. The malware that was creating them in the first place is likely still functioning and spying on you. Do you have any extensions installed?

 

[WWGD]

All you did was disable popups. The malware that was creating them in the first place is likely still functioning and spying on you. Do you have any extensions installed?

I think I've removed all from Edge. Will double check, though. Edit: If there's something still there , its likely a 0-day, since I've received a clean bill of health from 3 AV programs.