Personal Antivirus


Last night, my hubby was on Facebook doing something and suddenly got an "official looking" dialog box that said our computer was infected and to immediately run "Personal Antivirus"... We run McAfee for our antivirus and I just purchased Malwarebytes about 6 wks ago. McAfee is run almost every day - I haven't run Malwarebytes as often. Anyway, I had never heard of this Personal Antivirus program, so I didn't want to run it. Besides, it was trying to tell me I had over 100 trojans on my hard drive (even listed several by name). I knew this was impossible since that many trojans couldn't have slipped through in less than 24 hours!... I kept trying to close the box and it kept wanting me to run the program. I finally used Task Manager and closed it out. I closed all my programs and immediately ran Malwarebytes. It came back 'clean'. I then ran McAfee and it came back 'clean'.

My question is, did I act quickly and correctly and prevent this from getting installed on my computer, or could Malwarebytes and/or McAfee have missed it? How can I make sure? The computer has been acting 'normal' today.

Thanks in advance for your help...

Cindy L

cll_918@att.net

Cindy,

Did it look like a pop up window or was it actually on your computer?

Did it look like one of these: http://www.malwarebytes.org/forums/index.php?showforum=39

http://www.malwarebytes.org/forums/index.php?showtopic=16755 (winbluesoft, for example)

Do you know exactly what he did prior to getting that message?

That's pretty scary... I use Facebook and I've never had that happen, but I did get a website redirection to antimalwarescanner . com several months back now.... blech. Makes me not want to use Facebook ever sometimes... :/

Edit: Other than that, I am almost certain that it is a rogue/fake application.

Other than that, if you aren't sure, please do the following:

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.
Hi Cindy L,

Yes, you did do the right thing by terminating the browser page via Task Manager!

What you had encountered is commonly known as a fake scanner page. It is an exploit embedded into a webpage in order to generate the imagery of a scanner at work finding masses of malware to remove, but this is purely to act as a goad to install the malware software.

When someone trips upon a fake scanner exploit they will need to agree to install the malicious software in order for it to install on their computers. This is in the form of a file download consent alert box.

If you accept and install this file then the malicious software will install unless blocked by resident security measures, and folks would have an infected PC on their hands.

If folks don't fall for this trick and navigate away from the exploit by killing the browser session (via Task Manager) then their computer has not been compromised :lol:

@ Fatdcuk

Sorry to jump into your response here, but I thought maybe you could answer my question.

I had a similar experience in February. I got redirected to antimalwarescanner . com twice, once in Feb and again in March, first on Myspace, then on Facebook. I closed out via the browser, but then I found out that closing via the Task Manager is the best option, which I think I did the second time. I closed out via the browser the first time.

One of the times, this thing came up looking as though it was scanning in the My Computer folder/area of my computer (green scan bar with blocks) but I can't remember if it was actually on my computer or if it was a fake scan in a browser window.

Do you think that I may have gotten compromised? The first product I tried was SpywareDoctor :/, and then I found out about Malwarebytes the second time :lol: My AVG and MBAM and Spybot have been clean for months (MBAM found adware.mywebsearch the first time and heuristics.malware another time maybe two months later, but other than that and a PUP and tracking cookies on AVG I have been clean) - so I assume I am probably in the clear, but I was wondering if you might know.

Also, are these fake scanner pages common? Do otherwise legitimate websites generally find them and remove them, do you know?

Hi ya,

It sounds very much like you had the typical fake scanner page, and no, you were not compromised unless you installed the software as suggested at the end of the scan.

Here's the litmus test for the layman: when ya reboot, does the fake scanner appear again on rebooting?

If the answer is yes then something has installed on your PC and it is now compromised.

If no then you avoided installing it :)

In your case it sounds like you are not compromised but have encountered the fake scanner pages via different vectors, some as compromised sites and others c/o links spammed at the social network sites.

As far as removing malicious code from a compromised site, it all boils down to the webmaster or site admin.

As in life, some folks are quicker to act than others, some can't be found in a rush to be notified, etc., so even legitimate sites that have been hacked can sometimes host the exploits for far too long :(

@ Fatdcuk

I don't think that I installed anything. The only thing I did wrong, I think, was mistakenly close out via the browser window instead of using Ctrl+Alt+Del.

This was back in February and March, so I honestly don't remember if the fake scanner appeared again on rebooting. Do you mean as the computer was booting up or after the desktop had loaded up?

As far as removing malicious code from a compromised site, it all boils down to the webmaster or site admin.

As in life, some folks are quicker to act than others, some can't be found in a rush to be notified, etc., so

Yeah, that makes sense.

even legitimate sites that have been hacked can sometimes host the exploits for far too long :(

Ugh :/

Thanks for answering me! I really appreciate it.
