6 Replies Latest reply: Nov 26, 2012 10:44 AM by unordinary

    WARNING: Newbie Alert  - Fake System Scan


      I am having a rather challenging time navigating the McAfee community site looking for information. The ONLY information I have been able to find out about my computer's infection is from Google and associated finds outside of this site. But since I am a long-paying subscriber of McAfee products I would prefer to get my intel/advice about my infection from the folks who make the product I am using. Will one of you kindly provide some assistance?


      Here's the skinny:

      - It seems that I have some sort of hoax malware running on my laptop. I receive a pop-up message from "Microsoft Windows" that has a banner, "System Error. Hard disk failure detected."

      - I have performed both high and low level diagnostics on the drive. Each passes with 100% positive results (e.g. all good).

      - I have lost visibility of much of my desktop icons and the personalization of my desktop.

      - The error message provides buttons from which to select: one for a scan/repair and one to decline. I have not selected either option or button (nor will I).


      In searching places like Malwarebytes and other free A/V sites I have become generally convinced that my symptoms are the result of malware and NOT from any sort of system or hardware failure. These websites provide convincing steps on how to remove the malware -- both in the services and in the registry -- but I am not experienced at recovering from registry booboos and am afraid that my malware may be a variant of the ones described in those forums. IOW, I don't want to follow a recipe to remedy malwareX (e.g. random.exe) when I am actually infected with a slight variant of malwareX (e.g. random1.exe) and therefore potentially inflict harm on myself.


      Additionally, I need to be able to discover which files/data stores have been hidden and then unhide or restore those files for normal use.


      I am quite surprised that there was some decent information available in the public domain but none that I have found (so far) in hours of searching McAfee.com. Am I too much of a newbie to figure this out or is there no information about this exploit in the world of McAfee? Your assistance will be appreciated.


      Finally, here are some specifics:

      * I run Win7 home premium

      * I have McAfee total protection 2012 installed, updated, and running on the laptop (it has always been set to auto update), but the malware appears to have disabled it or turned it off. The McAfee screen provides an "ATTENTION!" warning that the A/V is turned off but when I select "turn on" the window changes to a green/good status for one second then reverts back to a red danger color and is turned off again.

      * In that one second window when the A/V is on I have clicked the full scan button. After an hour of scanning the entire drive McAfee reports no suspicious events or detections (then it is turned off again).

      * I have not yet run the McAfee Scan Plus utility. I am pretty well convinced of what the problem is so having a free utility tell me there is a problem is not nearly as helpful as leading me toward a safe cure.


      I confess to being a bit frustrated by the idea that I pay money to McAfee to protect my computers but I get infected anyway (these things do happen, I fully understand). And it is not McAfee that alerts me to the infection, it is my own detective work. And when I run a scan McAfee says, "all good." And when I contact McAfee they tell me, "Give me your credit card number and $90 and we'll remote into your computer to fix what we failed to prevent or even identify in the first place." And when I hassle the chat representative for a FAQ page or something to further my own investigation he relents from his $90 sales pitch and sends me an email with links to this community but all of my searching here has been fruitless.


      I just don't understand, but I am definitely willing to learn. My subscription is due to be renewed in two months and I have to seriously wonder how much worse the less expensive vendors can be. Hopefully that makes sense, not as a rant but as a reasoned statement of logic from a paying customer.




      Message was edited by: Hayton - added description to the subject line -  on 25/11/12 05:46:04 GMT
        • 1. Re: WARNING: Newbie Alert  - Fake System Scan

          one small update...


          since my original post i have:

          - booted the laptop into safe mode with networking

          - installed the scan plus utility from a clean/scanned USB drive

          - tried to launch/execute the scan plus utility (while having wired Internet access)

          - received the following error and been thwarted in starting the scan: "error initializing Updater interface"


          Should I not run scan plus in safe mode?


          So much for the website's claims: "One click installation! Effortless installation and starts working instantly" and "No delays! Seamlessly auto updates and scans your computer in less than 2 minutes."






          Message was edited by: Hayton - added description to subject line -  on 25/11/12 05:47:07 GMT
          • 2. Re: WARNING: Newbie Alert  - Fake System Scan

            I wouldn't bother with the McAfee Security Scan Plus in this case. All that little program does is check to see if you've got the basic McAfee programs installed, then do a scan for malware in-memory and in your browser history & cookies.


            What you've got is one of those Fake-Alert pests. They often come via a Trojan download, so something you've recently installed may not have been what it seemed. Alternatively, you've been the victim of a drive-by attack. The latest Microsoft Security Intelligence Report has a section on these attacks, with a link to this page about them from the Glossary.


            Without more detail I can't say which one of these Fake-Alerts you've got. They're all basically the same anyway, and usually aren't too difficult to remove if you know which one it is. This particular one has been appearing quite a lot lately according to the buzz on other forums but I don't yet have a name for it. It seems to disable anti-virus and anti-malware programs, so there may be more to it than just a scareware program.


            What you may also have of course is other malware, downloaded along with this Fake-Alert. If you have a rootkit it might be difficult to remove, and then you might need McAfee Tech Support to help you. The paid-for support is really for the difficult cases, and/or where the user doesn't feel confident (for example) about going in and changing or deleting registry settings.


            If you browse around the different sections here you'll find lots of discussion threads about Fake AV programs (which are related to the Fake System Scan one you describe) in the Top Threats section. I must say the Fake System Scan infections have been dying away lately as the criminal gangs switch to ransomware (the infamous Police Trojan).


            As a first step to fixing this infection, try the following -


            First, download and run RKill from BleepingComputer. This should kill off any malware processes currently running on your system. Then run Stinger, which detects most of the existing Fake AV variants. If that turns up nothing, run Malwarebytes (free version) which is our second-opinion-of-choice. If that doesn't find anything then go for broke and download the Microsoft Safety Scanner.


            Last, if you know any of your files have been hidden there's an 'unhide' utility available from BleepingComputer. (As of right now there's a problem that causes SiteAdvisor to block the download link. I'll try to find an alternative if the block isn't rescinded; I don't see why the block is in place).


            Message was edited by: Hayton on 25/11/12 05:47:31 GMT


            Message was edited by: Hayton on 26/11/12 05:35:56 GMT
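
            An added example, not part of the original posts and not the BleepingComputer 'unhide' utility: a way to list which items under the user profile carry the Hidden attribute before anything is changed, written for the PowerShell 2.0 that ships with Windows 7. It assumes the files were hidden by having the Hidden file attribute set; the function names and the report path are hypothetical.

```powershell
# Added example: audit (and optionally clear) the Hidden attribute under a folder.
# Assumption: the files were hidden by setting the Hidden file attribute.

function Get-HiddenUserItem {
    param([string]$Root = $env:USERPROFILE)

    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System

    # -Force makes Get-ChildItem return hidden and system items as well.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep items that are Hidden but not System: Windows marks its own
            # protected items (desktop.ini, profile junctions) Hidden+System.
            (($_.Attributes -band $hidden) -eq $hidden) -and
            (($_.Attributes -band $system) -ne $system)
        }
}

function Clear-HiddenAttribute {
    param(
        [Parameter(ValueFromPipeline = $true)]$Item,
        [switch]$Apply   # without -Apply nothing is changed (report only)
    )
    begin { $hidden = [IO.FileAttributes]::Hidden }
    process {
        $isHidden = ($Item.Attributes -band $hidden) -eq $hidden
        if ($Apply -and $isHidden) {
            # The bit is known to be set, so -bxor clears only Hidden and
            # leaves every other attribute as it was.
            $Item.Attributes = $Item.Attributes -bxor $hidden
        }
        New-Object PSObject -Property @{
            Path      = $Item.FullName
            WasHidden = $isHidden
            Cleared   = ($Apply -and $isHidden)
        }
    }
}

# 1) Review first: write the list to a file and read it (path is an example).
Get-HiddenUserItem | Clear-HiddenAttribute |
    Export-Csv "$env:TEMP\hidden-items.csv" -NoTypeInformation

# 2) Only after the malware itself has been removed and the list reviewed:
# Get-HiddenUserItem | Clear-HiddenAttribute -Apply
```

            Some folders, such as AppData, are hidden by default on a clean Windows 7 profile, so review the report rather than clearing everything it lists.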
            • 3. Re: WARNING: Newbie Alert  - Fake System Scan

              I've moved this from Main section's General Discussion to Top Threats since the malware infection is the primary subject matter.

              • 4. Re: WARNING: Newbie Alert  - Fake System Scan

                Thank you, Hayton. Your answer was appropriately detailed and quite helpful. I very much appreciate it. It appears that the information you provided was the "correct answer," but I did not want to click that button just yet because I am still struggling with how to navigate and best use this website to solve my malware problem myself.


                I feel like you have just given me a fish as well as provided some tips on how to fish, but I am far from being a fisherman. I am concerned that I will be right back here pleading for help the next time I have an issue like this. [It's not a matter of pride. I just hate to be a bother to good people such as yourself when I may be able to address something myself by tapping into existing online resources.]


                Maybe my expectations are out of kilter here, but it seems to me that I should be able to enter some key text or search criteria on the mcafee site and find information that leads me to the latest discussion about my computer's symptoms (naturally this excludes 0 days and other very recent/new attacks). Are my expectations too lofty? I would like to think that a paid service provider like McAfee would be better able to help paying customers support themselves than would free sites like malwarebytes and bleepingcomputer.


                Something as simple as finding my own post, which you had moved to "top threats," was a 15 minute challenge even after I had an email from you directing me to look in the "top threats" category. I am a newbie to McAfee but not to the web and not a total newbie to the world of malcode. If I can't figure out how to find my own post after a hint and 15 minutes of searching then something is... amiss.


                I am totally open to the idea that it's just me -- that is a fair possibility. If so, can someone help me figure out how to be a better fisherman in this community/space? If not, is there a way to get word to the managing moderators to make the site more robustly searchable as well as user friendly? I wouldn't complain as loudly if I hadn't thought that McAfee let me down three times in this one exercise AND it was the good citizens of cyberspace who bailed me out {again, all this is in the context of being a McAfee paid subscriber}.


                Thanks again for your most helpful contribution. Please let me know if you would like the logs/info from my A/V slaying activity, either from rkill or stinger.





                • 5. Re: WARNING: Newbie Alert  - Fake System Scan

                  (Apologies for a strange typo in my reply to you. I have no idea what I meant to type in that first line. "selents"? I substituted "programs" instead.)


                  Much as it pains me to say this, trying to find explanatory information on the McAfee site can sometimes be darn near impossible (being careful there not to fall foul of the profanity filter ... )


                  The information is usually there somewhere, but tends to be located in areas that you have to hunt for, and isn't always home-user-friendly (McAfee is business-oriented when it comes to being helpful). It falls to us on these forums to try to provide pointers to where (or where else) to get the information. There is a search box at the top right where you can enter keywords, but that only searches for posts here in the user forums (or Community, if you wish). Even I resort to Google sometimes to find where in the McAfee maze something is located. Unfortunately we here don't have any say in how the website is designed or how it operates. We can perhaps get something on the Community site altered, but that's about it.


                  One piece of news : what you have (or had) on your system is known to Microsoft as Win32/FakeSysdef -

                  "A rogue security software family that claims to discover nonexistent hardware defects related to system memory, hard drives, and overall system performance, and charges a fee to fix the supposed problems".


                  Since that name covers a whole family of these malware programs the best way to familiarise yourself with them is to browse through the Microsoft description and Encyclopedia entry (always my first port of call).


                  See http://blogs.technet.com/b/mmpc/archive/2011/08/10/msrt-august-11-fakesysdef.aspx

                  and http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/FakeSysdef


                  McAfee knows it by the memorable name of "Generic.dx!unc!C90B8E4BF169", which is why you would have a hard time finding it in a search of the website.


                  As for moving you to Top Threats .... we could do with a handy sitemap, I guess.

                  • 6. Re: WARNING: Newbie Alert  - Fake System Scan

                    Thanks so much, Hayton! I appreciate all the time you took to answer each of my concerns/interests. You did a remarkably good job of conveying a lot of meaning with just a few words.


                    Obviously it is good to be rid of the fake system error malcode on my computer, but I am equally appreciative of the better understanding I have of what to expect and how to navigate the McAfee site.


                    Is there a webmaster link/contact to which you can forward the suggestion for a site map? It's not a priority, I just thought I would ask.


                    BTW, thanks for explaining 'selents.' I read that a couple times and wondered if that might be the British spelling of another English word.


                    Again, THANKS for the wonderful help!