Your post needs more attention than I can provide, but from looking at the screenshots you provided, I suspect you may have malware issues. In the 2nd screenshot, the MSE Alert has a misspelled word in the top portion. The next questionable item is what is shown at the bottom of the screenshot, where it is asking if you want to run a particular type of security program, and the list of "supposed infections" that is displayed in the screen. This type of behavior is often seen with fake anti-malware programs.
There are others here who can provide more explicit directions on how best to proceed with your issue.
Message was edited by: spc3rd on 11/17/13 7:16:58 AM EST
Thank you for replying. I know that that is a fake security pop-up and have found many mentions of it on Google. I will give a bit more info: the first image (which I recreated by going in his history) says "message from web page", and we don't even have Microsoft Security Essentials. I presume that if he had called me then I would be safe, but he pressed OK, then the SiteAdvisor pop-up (not pictured) appeared a split second before the second image (that's when he called me over). I pressed Block (on the SiteAdvisor pop-up), so has that stopped anything getting on the machine? Or does the fact that he pressed OK and/or the second image appearing mean that something has got on?
Or does the fact that these pop-ups appeared at all mean that I already have malware?
There was nothing in downloads on IE or PC. I ran SUPERAntiSpyware, which just found the usual tracking cookies, and ran Malwarebytes (through Chameleon in case of corruption); it didn't find anything.
Also nothing in the McAfee logs.
The chances are you are OK, but clicking anything on these weird popups can initiate malware invasion, so to be absolutely sure I recommend you run a HijackThis session and post the log as instructed lower down the last link in my signature below on one of the forums that specialize in such things. Those specialist forums will advise you best.
Thanks, can I ask some questions? Could going back to a system restore point help? And should SiteAdvisor events show in the main McAfee logs?
You could, but make sure you update afterwards and then temporarily turn off System Restore to delete the affected restore point. I don't think SA keeps logs but Technical Support might know.
Thanks for the reply. I'm just running some scans at the moment. I've already run (in safe mode with networking) McAfee, Stinger and McAfee Rootkit Remover. I also reinstalled and ran (in safe mode) Malwarebytes. I have also run cleaner and SUPERAntiSpyware; all have found nothing.
Do you think GetSusp may be worth a try? Thanks again.
Edit: also, Windows Defender found nothing.
It's the download that does the damage, and in this case the download was blocked and failed to execute.
"security_cleaner.exe" is confirmed as malware - see the VirusTotal report
It was blocked by SiteAdvisor because McAfee detects it as "Ransom-FEB!880B836588FD"
Microsoft are aware of this, not least because the malware spoofs a MSE warning -
The screenshot shows that this is coming from "tophersheybearso.com". I thought at first that domain name was fake - Google turns up no records for it at all. In fact, the domain was registered today - 16 hours ago according to urlvoid (http://www.urlvoid.com/scan/tophersheybearso.com).
So it is likely that it was registered with the sole intent of spreading malware.
The IP address is 18.104.22.168, and both the domain name and the IP address should be reported as malicious. For details see
There is a connection to this Turkish domain - http://whois.domaintools.com/turkrdns.com - according to the 'Resolve Host' entry on the first of those domaintools links. See also the IPVoid report for that address - http://www.ipvoid.com/scan/22.214.171.124/
And if the urlquery report is anything to go by that domain has now reached the end of its useful life and been abandoned - "File not found" according to the site screenshot.
Message was edited by: Hayton on 17/11/13 20:52:47 GMT
Thank you, that's a relief as I didn't know blocking it was enough or if it had already got on so you have set my mind at ease.
I have also just finished running HitmanPro (recommended on the Microsoft forums) and ESET, which both found nothing.
I've had a chat with my son and he won't do that again (at least he called me when he did). He's usually very careful; he knows to only go on sites that have a green tick (as this one did). Should I report it to SiteAdvisor or is it too late now? (Or is there no point, as pictures and ads can get "hijacked" on any site?)