
Pop up viruses




Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions


 


This is a web-based fraud. In this case it is probably meant to goad you into buying some anti-malware software by demonstrating a fake scan of a computer and fraudulently indicating "viruses" were found.

Example Video: Fake Scan of your PC

I have created a series¹ of videos generated from these kinds of fraud sites for the purposes of recognition and education. They are all videos from real web sites. ALL are FRAUDS.

All these have one thing in common: they have nothing to do with any software on your PC. They are all nefarious web sites meant to defraud you of money. The objective is to falsely goad you into making the phone call and paying for some service contract for an incident that never happened. From there they may continue to charge your credit card for other services, remote into your computer and do real damage and/or exfiltrate your personal data, and they may use the information they obtain from you to commit additional frauds.

MalwareScam.wmv
MalwareScam-1.wmv
MalwareScam-2.wmv
MalwareScam-3.wmv
MalwareScam-4.wmv
MalwareScam-5.wmv
MalwareScam-6.wmv

I have also created a PDF ScreenShow of a myriad of FakeAlert screens - FakeAlert-Screens.pdf  /  Flash Version


References:
US FBI PSA - Tech Support Fraud
US FTC Consumer Information -  Tech Support Scams
US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
Malwarebytes' Blog - Search on - "tech support scams"
Malwarebytes' Blog - "Tech support scams: help and resource page"



¹ Also located at "My Online Security": some videos of typical tech support scams

 


I'm sorry, but you don't fully grasp the concept.

These are web sites. The content emanates from the Internet; it is not generated by any software on your computer. As such, there is nothing that can be "removed" from your computer. All the sites from which I generated screen captures and videos were reached by visiting recorded malvertising URLs that directed my browser to the FakeAlerts.

At best, MBAM can block these sites if the site is on Malwarebytes' blocked-sites list. FakeAlerts are a sub-type of malicious advertisement or, in short, a malvertisement. A malvertising URL is a web site whose purpose is to redirect people to malicious sites, which include, but are not limited to, HTML.FakeAlerts, fake Java updates and fake Adobe Flash updates. If you get them fairly consistently, think about what web sites you are visiting when this happens. The web sites contain advertisements. Based upon whom the web site contracts with to advertise, a malvertisement may be intermixed with the regular advertisements or may be rotated in.

For example, a couple of years back I consistently received a fake Mozilla Firefox update notification when visiting the Weather Channel web site. It was not due to any software on my PC; it was due to whom the Weather Channel had been allowing to advertise on their web site.

 


Hi,

Thank you Dave for your detailed information.

danilka, I checked your logs and confirm that no malware was found.
The attached Fixlist will remove remnant items from the registry.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

fixlist.txt


Hi,

Please see below.

Start::
CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox

FirewallRules: [{80961498-5808-463C-A94D-DB14DD17671B}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe No File
FirewallRules: [{82D14D6E-EA4C-4F24-83DD-F29BC0A30A54}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartPhoto.exe No File
FirewallRules: [{3721F8E1-FBB5-4762-B6D7-9E70364D68AA}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartVideo.exe No File
FirewallRules: [{7EAB38F0-3213-4483-8058-A97FABB64A0A}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\TSMAgent.exe No File
FirewallRules: [{A22C3254-7602-4226-A040-09F9BBFA4AB4}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\CLML\CLMLSvc.exe No File

 

Reboot:

End::
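The fixlist above is in FRST's line-oriented fix format: directives such as CreateRestorePoint: and Reboot:, file paths to delete, SearchScopes registry entries and FirewallRules entries. As an added example (not part of this thread and not Farbar's own code), the following Python parses such a fixlist and summarises what the fix would touch, so a reader can sanity-check a fixlist before running it. The sample fixlist is constructed from a subset of the lines quoted above; the triage rules (an empty DefaultScope URL or a firewall rule whose target is marked "No File" counts as a stale remnant) are assumptions for illustration, not Farbar's classification and not a substitute for a helper's review.

```python
"""Parse a Farbar Recovery Scan Tool (FRST) fixlist and triage its entries.

Added example for this thread; not FRST's own code. The sample below is
constructed from fixlist entries quoted in the thread. The triage rules
(empty search-scope URL, firewall rule whose target is "No File") are
assumptions used for illustration, not Farbar's own classification.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the lines quoted above, not a complete fixlist.
SAMPLE_FIXLIST = r"""Start::
CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Mozilla Corporation) C:\Program Files\Mozilla Firefox\tobedeleted\moz99ed7835-9211-4dbc-a56c-fc097488ceed
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
FirewallRules: [{80961498-5808-463C-A94D-DB14DD17671B}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe No File

Reboot:
End::
"""


@dataclass
class Entry:
    kind: str            # "directive", "file", "searchscope", "firewallrule" or "unknown"
    raw: str
    name: str = ""       # directive name, scope name, rule GUID or file path
    url: str = ""        # search URL with the real scheme restored, if any
    stale: bool = False  # rule target is "No File", or the scope URL is empty


DIRECTIVE_RE = re.compile(r"^[A-Za-z]+:$")
FILE_RE = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\.*)$")
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> (?P<name>.+?) URL = ?(?P<url>.*)$")
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<guid>\{[^}]+\})\] => \((?P<action>\w+)\) (?P<path>.*?)(?P<nofile> No File)?$"
)


def refang(url: str) -> str:
    """FRST writes URLs as hxxp:// so they are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_fixlist(text: str) -> list[Entry]:
    """Return the entries between Start:: and End::, classified by line type."""
    entries: list[Entry] = []
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Start::":
            in_body = True
            continue
        if line == "End::":
            break
        if not in_body:
            continue
        if DIRECTIVE_RE.match(line):
            entries.append(Entry("directive", line, name=line[:-1]))
        elif (m := SEARCHSCOPE_RE.match(line)):
            url = refang(m.group("url").strip())
            entries.append(Entry("searchscope", line, name=m.group("name"), url=url, stale=(url == "")))
        elif (m := FIREWALL_RE.match(line)):
            entries.append(Entry("firewallrule", line, name=m.group("guid"), stale=bool(m.group("nofile"))))
        elif (m := FILE_RE.match(line)):
            entries.append(Entry("file", line, name=m.group("path")))
        else:
            entries.append(Entry("unknown", line))
    return entries


def triage(entries: list[Entry]) -> dict:
    """Summarise what the fix would touch so it can be reviewed before FRST runs it."""
    return {
        "directives": [e.name for e in entries if e.kind == "directive"],
        "files": [e.name for e in entries if e.kind == "file"],
        "stale_firewall_rules": [e.name for e in entries if e.kind == "firewallrule" and e.stale],
        "empty_search_scopes": [e.name for e in entries if e.kind == "searchscope" and e.stale],
        # Host of every non-empty search scope: anything that is not a well-known
        # search engine deserves a closer look (browser-hijack leftovers live here).
        "search_hosts": {e.name: urlparse(e.url).hostname for e in entries if e.kind == "searchscope" and e.url},
        "unknown": [e.raw for e in entries if e.kind == "unknown"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_fixlist(SAMPLE_FIXLIST)).items():
        print(f"{key}: {value}")
```

Lines the parser cannot classify land in "unknown" rather than being silently dropped, which is the behaviour you want when reviewing a fixlist someone else wrote: an unrecognised line is exactly the one to read by hand.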


As I previously wrote...

On 1/31/2019 at 7:18 PM, David H. Lipman said:

If you get them fairly consistently, think about what web sites you are visiting when this happens. The web sites contain advertisements. Based upon whom the web site contracts with to advertise, a malvertisement may be intermixed with the regular advertisements or may be rotated in.

For example, a couple of years back I consistently received a fake Mozilla Firefox update notification when visiting the Weather Channel web site. It was not due to any software on my PC; it was due to whom the Weather Channel had been allowing to advertise on their web site.

As an example, please reference this thread: Virus

In that thread, visitors of AllMusic.Com¹ would occasionally be foisted a FakeAlert. Visitors weren't getting these FakeAlerts too often, and I tried numerous times to coax a FakeAlert in my visitations. Eventually I got one, just as it had been reported. I contacted the owners of the site and he gave me permission to post his email reply in Post #20. As he noted, it was being generated "via one of our third-party advertisers", which is what I was trying to convey in Post #8.

In conclusion, the site or sites you are visiting when these FakeAlerts occur need to be noted. They either should be avoided or, if they are legitimate sites (not nefarious sites that don't care who advertises on their site and what content is being presented), they can be contacted and the problem mitigated.

Additionally, submitting the URLs of the FakeAlerts is beneficial to all. Since they are web sites, and there is nothing on the PC generating the alerts, the objective is to submit the URLs to Malwarebytes so that they can have their software block access to them and others will not see the fraudulent crap.

URLs can be submitted in Newest IP or URL Threats, after reading READ ME: Purpose of this forum.


¹ It should be noted that there have been no new reports concerning FakeAlerts when accessing AllMusic.Com since it was brought to their attention in April '18.

 

 


What site you visited is not readily evident in the attached graphic. I can see pubmatic.com and doubleverify.com. The graphic alludes to eBay, but that could have been an ad on any web site advertising for eBay.

What would be explicit would be the URL as shown in the below graphic.

[attached image: Image2.jpg, showing the URL in the browser address bar]

Presuming it happens on eBay, what are the exact URLs on eBay that you are viewing that lead to the eventual FakeAlert?
(If you feel the content of said eBay sales is too private for public consumption, feel free to send me the URLs via a PM.)
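A screenshot of the final FakeAlert page usually shows only ad-delivery hosts such as pubmatic.com and doubleverify.com, not the publisher page the visitor was actually reading, which is the URL worth reporting. As an added example (not from this thread), the following Python walks a captured navigation chain backwards from the FakeAlert landing page, skips the ad intermediaries, and returns the publisher URL together with a defanged copy of both URLs for posting. The chain, the intermediary list and the landing host are constructed for illustration; fakealert.invalid is a placeholder under the reserved .invalid domain, not a real site.

```python
"""Find the page to report from a captured chain of navigations.

Added example; not part of the original thread. The chain below is
constructed to mirror the hosts named in the thread (ebay.com, pubmatic.com,
doubleverify.com); the FakeAlert landing host is a made-up placeholder.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed, illustrative set of ad-delivery intermediaries. A real triage list
# would be far longer; the point is that these hops are not the publisher.
AD_INTERMEDIARIES = {"pubmatic.com", "doubleverify.com", "doubleclick.net", "adnxs.com"}

# Constructed chain, as one might reconstruct it from browser history or a HAR
# capture: publisher page, two ad hops, then the FakeAlert landing page.
SAMPLE_CHAIN = [
    "https://www.ebay.com/itm/123456789012",
    "https://ads.pubmatic.com/AdServer/js/showad.js",
    "https://cdn.doubleverify.com/dvtp_src.js",
    "https://fakealert.invalid/alert/",
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for the hosts here; use a
    public-suffix list for country-code domains such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def defang(url: str) -> str:
    """Write http/https as hxxp/hxxps (the convention FRST and the forum use)
    so the reported URL is not clickable."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def classify_chain(chain: list[str]) -> dict:
    """Walk backwards from the landing page over ad intermediaries; the first
    non-intermediary hop before them is the publisher page to report."""
    if not chain:
        raise ValueError("empty chain")
    landing = chain[-1]
    intermediaries: list[str] = []
    publisher = None  # stays None if the capture starts inside ad-tech
    for url in reversed(chain[:-1]):
        domain = registrable_domain(urlparse(url).hostname or "")
        if domain in AD_INTERMEDIARIES:
            intermediaries.append(url)
        else:
            publisher = url
            break
    return {
        "publisher": publisher,
        "intermediaries": list(reversed(intermediaries)),
        "landing": landing,
        "report": {
            "publisher": defang(publisher) if publisher else None,
            "landing": defang(landing),
        },
    }


if __name__ == "__main__":
    for key, value in classify_chain(SAMPLE_CHAIN).items():
        print(f"{key}: {value}")
```

If the capture begins inside the ad chain (the first recorded hop is already an intermediary), publisher comes back as None, which is the signal to go back to the browser history for the page that was open before the redirects started.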

 

 


I've been able to check the full screenshot of the doubleverify.com pop-up, and there's ebay.com shown in the address bar. I've seen some of those strange URLs you're talking about, but they don't always appear in the address bar. If I get these URLs, I'll provide them.

Thank you!
