3357 Views 6 Replies Latest reply: Nov 26, 2012 10:44 AM by unordinary
unordinary Newcomer 4 posts since
Nov 24, 2012

Nov 24, 2012 11:46 PM

WARNING: Newbie Alert  - Fake System Scan

I am having a rather challenging time navigating the McAfee community site looking for information. The ONLY information I have been able to find out about my computer's infection is from Google and associated finds outside of this site. But since I am a long-paying subscriber of McAfee products I would prefer to get my intel/advice about my infection from the folks who make the product I am using. Will one of you kindly provide some assistance?

 

Here's the skinny:

- It seems that I have some sort of hoax malware running on my laptop. I receive a pop-up message from "Microsoft Windows" that has a banner, "System Error. Hard disk failure detected."

- I have performed both high and low level diagnostics on the drive. Each passes with 100% positive results (e.g. all good).

- I have lost visibility of much of my desktop icons and the personalization of my desktop.

- The error message provides buttons from which to select: one for a scan/repair and one to decline. I have not selected either option or button (nor will I).

 

In searching places like Malwarebytes and other free A/V sites I have become generally convinced that my symptoms are the result of malware and NOT from any sort of system or hardware failure. These websites provide convincing steps on how to remove the malware -- both in the services and in the registry -- but I am not experienced at recovering from registry booboos and am afraid that my malware may be a variant of the ones described in those forums. IOW, I don't want to follow a recipe to remedy malwareX (e.g. random.exe) when I am actually infected with a slight variant of malwareX (e.g. random1.exe) and therefore potentially inflict harm on myself.

 

Additionally, I need to be able to discover which files/data stores have been hidden and then unhide or restore those files for normal use.

 

I am quite surprised that there was some decent information available in the public domain but none that I have found (so far) in hours of searching McAfee.com. Am I too much of a newbie to figure this out or is there no information about this exploit in the world of McAfee? Your assistance will be appreciated.

 

Finally, here are some specifics:

* I run Win7 home premium

* I have McAfee total protection 2012 installed, updated, and running on the laptop (it has always been set to auto update), but the malware appears to have disabled it or turned it off. The McAfee screen provides an "ATTENTION!" warning that the A/V is turned off but when I select "turn on" the window changes to a green/good status for one second then reverts back to a red danger color and is turned off again.

* In that one second window when the A/V is on I have clicked the full scan button. After an hour of scanning the entire drive McAfee reports no suspicious events or detections (then it is turned off again).

* I have not yet run the McAfee Scan Plus utility. I am pretty well convinced of what the problem is so having a free utility tell me there is a problem is not nearly as helpful as leading me toward a safe cure.

 

I confess to being a bit frustrated by the idea that I pay money to McAfee to protect my computers but I get infected anyway (these things do happen, I fully understand). And it is not McAfee that alerts me to the infection, it is my own detective work. And when I run a scan McAfee says, "all good." And when I contact McAfee they tell me, "Give me your credit card number and $90 and we'll remote into your computer to fix what we failed to prevent or even identify in the first place." And when I hassle the chat representative for a FAQ page or something to further my own investigation he relents from his $90 sales pitch and sends me an email with links to this community but all of my searching here has been fruitless.

 

I just don't understand, but I am definitely willing to learn. My subscription is due to be renewed in two months and I have to seriously wonder how much worse the less expensive vendors can be. Hopefully that makes sense, not as a rant but as a reasoned statement of logic from a paying customer.

 

-andrew

 

Message was edited by: Hayton - added description to the subject line -  on 25/11/12 05:46:04 GMT
  • Hayton Volunteer Moderator 4,599 posts since
    Sep 27, 2010
    2. Nov 25, 2012 11:35 PM (in response to unordinary)
    Re: WARNING: Newbie Alert - Fake System Scan

    I wouldn't bother with the McAfee Security Scan Plus in this case. All that little program does is check to see if you've got the basic McAfee programs installed, then do a scan for malware in-memory and in your browser history & cookies.

     

    What you've got is one of those Fake-Alert pests. They often come via a Trojan download, so something you've recently installed may not have been what it seemed. Alternatively, you've been the victim of a drive-by attack. The latest Microsoft Security Intelligence Report has a section on these attacks, with a link to this page about them from the Glossary.

     

    Without more detail I can't say which one of these Fake-Alerts you've got. They're all basically the same anyway, and usually aren't too difficult to remove if you know which one it is. This particular one has been appearing quite a lot lately according to the buzz on other forums but I don't yet have a name for it. It seems to disable anti-virus and anti-malware programs, so there may be more to it than just a scareware program.

     

    What you may also have of course is other malware, downloaded along with this Fake-Alert. If you have a rootkit it might be difficult to remove, and then you might need McAfee Tech Support to help you. The paid-for support is really for the difficult cases, and/or where the user doesn't feel confident (for example) about going in and changing or deleting registry settings.

     

    If you browse around the different sections here you'll find lots of discussion threads about Fake AV programs (which are related to the Fake System Scan one you describe) in the Top Threats section. I must say the Fake System Scan infections have been dying away lately as the criminal gangs switch to ransomware (the infamous Police Trojan).

     

    As a first step to fixing this infection, try the following -

     

    First, download and run RKill from BleepingComputer. This should kill off any malware processes currently running on your system. Then run Stinger, which detects most of the existing Fake AV variants. If that turns up nothing, run Malwarebytes (free version) which is our second-opinion-of-choice. If that doesn't find anything then go for broke and download the Microsoft Safety Scanner.

     

    Last, if you know any of your files have been hidden there's an 'unhide' utility available from BleepingComputer. (As of right now there's a problem that causes SiteAdvisor to block the download link. I'll try to find an alternative if the block isn't rescinded; I don't see why the block is in place).

     

    Message was edited by: Hayton on 25/11/12 05:47:31 GMT

     

    Message was edited by: Hayton on 26/11/12 05:35:56 GMT

    Volunteer Moderator  Leeds, UK
    No PM's please
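Hayton's last step above points at an 'unhide' utility for files the rogue has hidden. As an added illustration of what such a tool has to do, and not code from the thread, McAfee or BleepingComputer, this PowerShell script lists the items under the usual user data folders that carry the Hidden attribute (skipping what Windows hides on its own) and clears that attribute only when run with -Unhide; it assumes the rogue hid files by setting that attribute rather than moving them.

```powershell
# Added example, not from the thread, McAfee or BleepingComputer. Assumes the
# rogue hid the user's files by setting the Hidden file attribute (an
# assumption here, not something the thread states). Run it without -Unhide
# first and review the report before changing anything.
param(
    # Folders the rogue typically empties; the profile root is avoided so the
    # recursion does not wander into AppData and the legacy junction points.
    [string[]]$Roots = @(
        "$env:USERPROFILE\Desktop",
        "$env:USERPROFILE\Documents",
        "$env:USERPROFILE\Downloads",
        "$env:USERPROFILE\Pictures",
        "$env:USERPROFILE\Music",
        "$env:USERPROFILE\Videos",
        "$env:PUBLIC\Desktop"
    ),
    [switch]$Unhide   # without this switch nothing is changed
)
$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$reparse = [IO.FileAttributes]::ReparsePoint

$found = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is what makes Get-ChildItem return hidden items at all.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep items that are Hidden but neither System (desktop.ini,
            # thumbs.db) nor junctions, which Windows hides legitimately.
            (($_.Attributes -band $hidden)  -eq $hidden) -and
            (($_.Attributes -band $system)  -ne $system) -and
            (($_.Attributes -band $reparse) -ne $reparse)
        }
}

if (-not $found) { Write-Host 'No user-hidden items found.'; return }

# Report grouped by folder so a whole hidden Desktop stands out at a glance.
$found | Group-Object { Split-Path $_.FullName -Parent } |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }
if ($Unhide) {
    foreach ($item in $found) {
        # Flip only the Hidden bit; ReadOnly, Archive etc. stay as they were.
        $item.Attributes = $item.Attributes -bxor $hidden
        Write-Host "Unhid: $($item.FullName)"
    }
}
```

Run it once without the switch, confirm the report contains only your own files, then run it again with -Unhide.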
  • Hayton Volunteer Moderator 4,599 posts since
    Sep 27, 2010
    3. Nov 24, 2012 11:48 PM (in response to unordinary)
    Re: WARNING: Newbie Alert - Fake System Scan

    I've moved this from Main section's General Discussion to Top Threats since the malware infection is the primary subject matter.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,599 posts since
    Sep 27, 2010
    5. Nov 26, 2012 12:02 AM (in response to unordinary)
    Re: WARNING: Newbie Alert - Fake System Scan

    (Apologies for a strange typo in my reply to you. I have no idea what I meant to type in that first line. "selents"? I substituted "programs" instead.)

     

    Much as it pains me to say this, trying to find explanatory information on the McAfee site can sometimes be darn near impossible (being careful there not to fall foul of the profanity filter ... )

     

    The information is usually there somewhere, but tends to be located in areas that you have to hunt for, and isn't always home-user-friendly (McAfee is business-oriented when it comes to being helpful). It falls to us on these forums to try to provide pointers to where (or where else) to get the information. There is a search box at the top right where you can enter keywords, but that only searches for posts here in the user forums (or Community, if you wish). Even I resort to Google sometimes to find where in the McAfee maze something is located. Unfortunately we here don't have any say in how the website is designed or how it operates. We can perhaps get something on the Community site altered, but that's about it.

     

    One piece of news: what you have (or had) on your system is known to Microsoft as Win32/FakeSysdef -

    "A rogue security software family that claims to discover nonexistent hardware defects related to system memory, hard drives, and overall system performance, and charges a fee to fix the supposed problems".

     

    Since that name covers a whole family of these malware programs the best way to familiarise yourself with them is to browse through the Microsoft description and Encyclopedia entry (always my first port of call).

     

    See http://blogs.technet.com/b/mmpc/archive/2011/08/10/msrt-august-11-fakesysdef.aspx

    and http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/FakeSysdef

     

    McAfee knows it by the memorable name of "Generic.dx!unc!C90B8E4BF169", which is why you would have a hard time finding it in a search of the website.

     

    As for moving you to Top Threats .... we could do with a handy sitemap, I guess.


    Volunteer Moderator  Leeds, UK
    No PM's please
