2 Replies Latest reply: Jan 21, 2010 10:02 PM by gmomens

    Fake and different Antivirus popups and software scans run every 2-3 days

      Every 2 to 3 days starting on January 01, 2010 I have been getting fake virus scans and different pop up warnings while on the Internet.

      The first time the fake virus scan came up I clicked the remove button and then McAfee immediately came up and said that the site is known for viruses, so nothing got downloaded from the virus site to my computer. Each time the fake pop-ups or scan comes up, it tries to fool me into downloading a virus from a different virus site.


      Some of the history files that I copied down are as follows, and they are reported on the McAfee web site as virus sites when I Googled them:







      I cannot find any program on the computer and no program is listed on (run > msconfig > startup tab). I updated and ran full McAfee scans several times but McAfee could not find anything. I looked all over and I cannot find any new program installed on my computer.


      How do I get rid of these pop-ups and fake scans that occur every 2 to 3 days???

      The updated McAfee virus software does not detect a virus and everything is reported green and good.

        • 1. Re: Fake and different Antivirus popups and software scans run every 2-3 days



          We're constantly adding detection and repair to our update files for these types of malware. Can you firstly try updating with today's DAT file and then run a full scan of the machine, then if nothing is found please report back and we can make some further recommendations.



          • 2. Re: Fake and different Antivirus popups and software scans run every 2-3 days


            Thank you for your response.

            This virus is on my new Sony Laptop with Windows 7 that I got on Christmas.

            I updated McAfee and ran a full virus scan again and it did not find anything wrong.

            I looked in the startup programs (run > msconfig > startup) and there was no weird program running. I also disabled McAfee and ran McAfee from the McAfee online site at http://us.mcafee.com/root/runapplication.asp?appid=73

            Yesterday the computer went to upmostly.com by itself and tried to load an infected PDF file. The way I found out is because I got an error message from Internet Explorer stating that it could not open the PDF file in Internet Explorer. I looked at the history and then did a Google search and found that it was trying to display the rogue virus checker again. This is what I found on malwarebytes.org:



            rogue delivered via PDF exploit

            I haven't had time to pull this one apart, but here's something from wireshark.

            upmostly.com /upkvusa/index.php
            upmostly.com /upkvusa/js/common.js
            upmostly.com /upkvusa/cone.php
            upmostly.com /upkvusa/newload.php?ids=MDAC
            upmostly.com /upkvusa/newload.php?ids=MDAC
            upmostly.com /upkvusa/pdfadmnplay.php
            upmostly.com /upkvusa/files/sicksheep.pdf
            upmostly.com /upkvusa/konec.php

            Time goes by, then, without user interaction, we get

            windows-antivirus.net /check
            windows-antivirus.net /loads2.php?r=57.3

            I suspect the initial link is spammed. I saw it in conjunction with Yahoo email traffic. I was able to infect a VM by visiting that initial link, but it takes a while.


            Getting a different named/numbered exe at every download from below which MBAM hits.

            Runs as a random named exe at each install. Waited for a while for the rogue to come up but only showed up after a reboot and it was my favourite in being http://www.malwarebytes.org/forums/index.php?s=33ec04e5e0b535c0592a0240548e19a6&showtopic=36875&pid=185957&st=0&#entry185957.

            How do I remove this virus if I do not even know what kind of virus it is or where it is on the computer? It is like the computer is possessed. Please help me get this virus off my computer. Thank you!




            Message was edited by: gmomens on 1/21/10 10:02:16 PM CST