Fake Windows Security alerts

2.8K views, 13 replies, 2 participants, last post by DR M
#1 ·
Hi. One of our HP laptops running Windows 10 and Avast Internet Security developed a malware infection today. With Word, several Chrome tabs, and a few other apps open, the system locked and displayed a fake Windows Security Alert screen, which was immediately overlaid by several other alert and warning screens. An additional popup at the top of the screen started an audio message saying we must call the displayed Microsoft Support number immediately to prevent the system from being locked and files damaged. A quick search on another PC indicated this is malware, as I suspected.

I could see parts of the overlaid alert windows and saw references to "trojan:SLocker" and another with "threat detected: xxbc." None of these alert windows was generated by Avast.

I powered off the PC, restarted, and ran the Avast scan. It reported a few issues detected and cleaned, but nothing major. Restarted the PC. Within five minutes the same fake security alerts reappeared.

I've posted the Farbar FRST.txt and Addition.txt below.

Thanks in advance for helping me with this!

Mark V.
 

Attachments

#2 ·
Hello.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after them:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

====================

1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste it anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{8CE60BD3-02D3-4BAF-A1E1-F9535DE7759C}] => (Allow) C:\Users\mvand\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{08B6BB50-08A2-44DE-9D55-2CABCC386645}] => (Allow) C:\Users\mvand\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{0A6F0A4A-8121-4CC3-85EF-C9C232893CE1}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{4B235A1E-A1D4-48D2-9296-E3042AED7BA4}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR Profile: C:\Users\mvand\AppData\Local\Google\Chrome\User Data\xDefault-OLD [2020-01-15] <==== ATTENTION
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop and run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

2. Eset Online Scan

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.


In your next reply please post:
  1. The fixlog.txt
  2. The eset.txt
 
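The FRST fix above targets three kinds of leftovers that are typical of a tech-support-scam infection: registry values that switch Windows Defender off, browser policy keys that lock Chrome and Firefox as if an administrator had configured them, and firewall rules that still allow programs which no longer exist on disk. The following read-only audit is an added example, not part of the thread and not an FRST feature, written so the fixlog can be cross-checked from an elevated PowerShell prompt on the same Windows 10 machine using only built-in cmdlets. It changes nothing; it only lists what is still present. The key and value names come from the FRST lines above; the assumption that nothing legitimate lives under the two Policies keys holds for an unmanaged home laptop, not for a domain-joined one.

```powershell
# Added example (not from the thread, not an FRST feature): read-only audit of the
# items the FRST fix targets. Run from an elevated PowerShell prompt after fixlog.txt
# reports success. Assumes an unmanaged (non-domain) Windows 10 machine.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender kill switches. FRST flagged DisableAntiSpyware / DisableAntiVirus under
#    HKLM\SOFTWARE\Microsoft\Windows Defender. Scareware sets these so the built-in AV
#    stays off; the Policies hive is checked too because a GPO-style copy has the same effect.
$defenderKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
foreach ($key in $defenderKeys) {
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("Defender switch still set: $key\$name = $value")
        }
    }
}

# 2. Browser policy keys. Chrome and Firefox honour HKLM\SOFTWARE\Policies\* as if an
#    administrator had configured them. On a home laptop these keys are normally absent
#    (assumption stated in the lead-in); FRST flagged both, so any value left here is listed.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google', 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $subkeys = @($key)
    Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $subkeys += $_.PSPath }
    foreach ($sub in $subkeys) {
        $props = Get-ItemProperty -Path $sub -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -notcontains $p.Name) {
                $findings.Add("Browser policy present: $sub -> $($p.Name) = $($p.Value)")
            }
        }
    }
}

# 3. Firewall rules whose program no longer exists (the "=> No File" entries in the fix).
#    Harmless on their own, but they are residue of uninstalled or dropped binaries. The
#    filter's InstanceID is the same GUID FRST prints in square brackets.
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $program = $_.Program
    if ([string]::IsNullOrEmpty($program) -or $program -in 'Any', 'System') { return }
    $expanded = [Environment]::ExpandEnvironmentVariables($program)
    if (-not (Test-Path -LiteralPath $expanded)) {
        $findings.Add("Firewall rule $($_.InstanceID) allows missing program: $expanded")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Audit clean: no Defender switches, browser policies or orphaned firewall rules found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Two caveats when reading the output. With a third-party product such as Avast installed, Defender is expected to report itself as off through its own mechanism; that is not the same as the two registry values above, which should be absent on a clean machine regardless of which AV is active. And a browser policy value is not proof of infection by itself: a management tool or a browser extension installer can write one, so read what each value sets (a forced search provider, a forced extension, a disabled update) before deciding whether the fix should remove it.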
#3 ·
Dr M:

The fixlog.txt is attached.

I downloaded ESET Online Scanner, and ran as administrator. It downloaded several module updates, then appeared to start scanning, but shut down without showing me any of the additional options listed above, including Save Scan. So I don't have an eset.txt to attach.

Let me know of any suggestions.

Thanks,

Mark V.
 

Attachments

#5 ·
No, but I've only been using the laptop to interact with you since I made my first post. That said, I've done a few searches related to my problem while writing my posts to you, and haven't seen any sign of the phishing post.

I redownloaded the ESET online scanner and noticed a couple of odd things.

1. The .exe file that downloads is esetonlinescanner.exe, not esetonlinescanner_enu.exe as in your instructions.

2. When I run the scan (as admin), it first downloads three module updates and the status bar slowly progresses from 0% to 100% for each one. While this is happening, a label at top left of screen says "Preparing to Scan." When the third download completes, the label continues to read "Preparing to Scan", but the colored portion of the status bar suddenly extends all the way to the right border of the ESET screen, and the status % jumps to 2000% and rapidly increases from there. About 90 seconds later, the status is over 7000% and then suddenly the program closes. I don't see any option to save the log, etc. and no .txt file is saved to my desktop.

Have you encountered this behavior before?

Thanks,

Mark
 
#6 ·
Hi, Mark.

I tried it today myself, and it seems that there is a problem with the scanner. It's not something related to your computer.

Let's take a different approach.

1. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

    If threats are found, make sure that no threats are selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.

2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.


In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[S0*].txt
 
#7 ·
Hi Dr. M. Sorry for the delay getting back. Requested reports are below. Thanks!

Malwarebytes report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/15/2024
Scan Time: 11:04 AM
Log File: 647bcc4c-fb39-11ee-b757-4023431ae6a2.json

-Software Information-
Version: 5.1.2.109
Components Version: 1.0.1214
Update Package Version: 1.0.83475
License: Trial

-System Information-
OS: Windows 10 (Build 19045.4291)
CPU: x64
File System: NTFS
User: LAPTOP-DV50J8MD\Pat Vanderslice

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 247495
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 4 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build: 03-04-2024
# Database: 2024-03-04.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 04-15-2024
# Duration: 00:00:10
# OS: Windows 10 (Build 19045.4291)
# Scanned: 32096
# Detected: 37


* [ Services ] *

No malicious services found.

* [ Folders ] *

No malicious folders found.

* [ Files ] *

No malicious files found.

* [ DLL ] *

No malicious DLLs found.

* [ WMI ] *

No malicious WMI found.

* [ Shortcuts ] *

No malicious shortcuts found.

* [ Tasks ] *

No malicious tasks found.

* [ Registry ] *

No malicious registry entries found.

* [ Chromium (and derivatives) ] *

No malicious Chromium entries found.

* [ Chromium URLs ] *

No malicious Chromium URLs found.

* [ Firefox (and derivatives) ] *

No malicious Firefox entries found.

* [ Firefox URLs ] *

No malicious Firefox URLs found.

* [ Hosts File Entries ] *

No malicious hosts file entries found.

* [ Preinstalled Software ] *

Preinstalled.HPAudioSwitch Folder C:\Program Files (x86)\HP\HPAUDIOSWITCH
Preinstalled.HPAudioSwitch Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89A4FF-B039-4DC8-826A-EFB0DF1DFC37}
Preinstalled.HPAudioSwitch Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch
Preinstalled.HPAudioSwitch Task C:\Windows\System32\Tasks\HPAUDIOSWITCH
Preinstalled.HPCleanFLC Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|HPSEU_Host_Launcher
Preinstalled.HPCleanFLC Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Preinstalled.HPCleanFLC Registry HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|HPSEU_Host_Launcher
Preinstalled.HPCleanFLC Registry HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Preinstalled.HPCleanFLC Registry HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|HPSEU_Host_Launcher
Preinstalled.HPCleanFLC Registry HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Preinstalled.HPRegistrationService Folder C:\ProgramData\HP\HP REGISTRATION SERVICE
Preinstalled.HPSupportAssistant Folder C:\HP\SUPPORT
Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\Users\mvand\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSureConnect Folder C:\Program Files\HPCOMMRECOVERY
Preinstalled.HPSureConnect Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
Preinstalled.HPTouchpointAnalyticsClient Folder C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
Preinstalled.HPTouchpointAnalyticsClient Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}
Preinstalled.SonyPlayMemoriesHome File C:\Users\Public\Desktop\PlayMemories Home Help.lnk
Preinstalled.SonyPlayMemoriesHome File C:\Users\Public\Desktop\PlayMemories Home.lnk
Preinstalled.SonyPlayMemoriesHome Folder C:\Program Files (x86)\SONY\PLAYMEMORIES HOME
Preinstalled.SonyPlayMemoriesHome Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|PMBVolumeWatcher
Preinstalled.SonyPlayMemoriesHome Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Run|PMBVolumeWatcher
Preinstalled.SonyPlayMemoriesHome Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{AEB04E0E-0A28-4014-A96A-282E43B7227B}
Preinstalled.WildTangentGamesBundle Folder C:\Program Files (x86)\WILDGAMES
Preinstalled.WildTangentGamesBundle Folder C:\Program Files (x86)\WILDTANGENT GAMES
Preinstalled.WildTangentGamesBundle Folder C:\Program Files (x86)\WILDTANGENT GAMES\SHORTCUTPROVIDER
Preinstalled.WildTangentGamesBundle Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WILDTANGENT GAMES
Preinstalled.WildTangentGamesBundle Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent wildgames Master Uninstall
Preinstalled.WildTangentGamesBundle Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{80831F60-19D7-43B3-A60C-5CAF8C478DF6}
Preinstalled.WildTangentGamesBundle Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{A39303AB-4898-4F12-BAA0-0B8630F86DB4}



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 
#8 ·
Hi, Mark. No problem about the delay.

The results are good. Nothing bad detected.

Please work with the computer for a couple of days and let me know if everything is fine. I'll be waiting to hear from you, so I can give you instructions to remove the tools we used and reset the restore points.
 
#9 ·
Dr. M:

That's good to hear! We'll use the laptop over the next few days and I will reply as requested with results.

In the meantime, if you can bear with one other question: What are you guys recommending for security and antivirus/antimalware these days? I have had great results with Avast for several years, but I've heard concerning things about it lately, and their constant "hey, we found a serious problem, but you have to pay us even more to resolve it" popups during/after scans are really annoying me. Any thoughts would be appreciated.

Thanks so much for your help with this problem!

Mark
 
#10 ·
Mark,

Security programs are definitely a personal decision. Also, it has to do with personal experience. In your case, you tried Avast and formed a personal opinion. Personally, I prefer the built-in Windows antivirus, Microsoft Defender. It's really good and I don't see a reason to look for a 3rd party antivirus. I also have the paid version of Malwarebytes. They work well together.
 
#11 ·
Hi, Mark.

I didn't hear from you the last 5 days.

If everything is fine with your computer...

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.

Note: If there is a warning about this tool, go on to download it, since it is a false positive. Choose More info and continue from there.
 
#13 ·
Dr. M,

I apologize for failing to get back to you sooner. Thank you for marking the thread solved. We've been using the laptop normally for the past week and have had no further sign of trouble.

Be assured I truly appreciate your great work and dedication to helping us get this mess cleaned up. Thanks also for the removal instructions--I'll do that as soon as I can get the laptop away from my wife. ;)

Mark