Scam-Microsoft Security Alert

I have a client who continues to get a popup on her desktop:
A red screen with white text and a Windows logo, from "Windows Technical Support", with a security alert saying that there are issues with the computer, to call Microsoft at a phone number, and not to shut down the computer. Her computer freezes and she has to do a hard shutdown to use her computer again. She has not allowed anyone on her computer as she is aware that this is a scam.

She has the newest Windows 10 and this is a laptop.

She has Malwarebytes Pro along with Windows Defender. Malwarebytes has quarantined the PUP spigot.generic google chrome on three different occasions, but it has not reappeared since major scans in early December. I ran the full gamut at the end of January after she got the Security alert popup once again.

The scans I have run...some multiple times:
Malwarebytes, SUPERAntiSpyware, Rkill, AdwCleaner, JRT, RogueKiller, HitmanPro, ESET, Emsisoft, Dr.Web CureIt! and Sophos, and finally CCleaner.

She received the popup again today simply working in an Excel Spreadsheet.

My thought is to do a Refresh...if not that a Clean install. What do you suggest?
Thanks,
Mags
Mags (Owner) asked:
John (Business Consultant, Owner) commented:
Once this starts, back up and fresh install is normally the best approach.

Download, install and run Process Explorer from Microsoft Sysinternals.

Look down the left side under Explorer for strange alphanumeric processes. Kill these but do not restart.

Run Malwarebytes again. Does it now find more? Let it finish, clean up and restart.

That may get rid of the problem. If not, back up and reinstall.
0
Alan (Consultant) commented:
Hi,

I would always recommend a complete wipe and reinstall.

Backup all her data, and I would suggest an image of the machine (just in case), then reformat, re-install Windows and apps, then bring back any data.

Even if you have run malware scans and they show nothing, I would still wipe and start from scratch.


Alan.
0

Mags (Owner, Author) commented:
Okay John, if I understand you correctly, first:
Download, install and run Process Explorer from Microsoft Sysinternals.

Look down the left side under Explorer for strange alphanumeric processes. Kill these but do not restart.

Run Malwarebytes again.

If that doesn't work can a Refresh work? I hate to have to reinstall all of her apps and re-activate them then reinstall files and folders from her back up with a Fresh install.

Trying to save time and her $.

Thanks
0
John (Business Consultant, Owner) commented:
Windows 10 Repair may keep latent viruses if MBAM does not get them all.

Windows Reset keeps data but deletes most applications. This could work but is almost as much work as a fresh install. That for sure will remove all the viruses.
0
Mags (Owner, Author) commented:
Her most recent scans with MBAM have not detected anything.

Sounds like a Fresh install is our best option. Should I do that from her Recovery Disk which was created when she purchased her computer?
0
John (Business Consultant, Owner) commented:
Yes. Back up first and use the Recovery Disk.
0
Alan (Consultant) commented:
Hi Mags,

If you want to save her money, and give the most assurance of having a clean machine, then wipe and start again.

Once you have done that, image it as is with a clean setup, and if it ever happens again, restore the image, run updates, and you are away with almost no time (at keyboard) required, and little (or no depending on your contract) cost to the client.


Alan.
0
Mags (Owner, Author) commented:
Okay John and Alan - I would probably do this remotely with her assistance. She has a cloud backup...I will do a backup to an external drive...faster reinstall.

Good idea, Alan - I've used Acronis to do full images before; I may need an additional external drive or possibly cloud? Suggestions?
Thanks! I'll be talking with her tomorrow morning.
0
Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
The newest attack vectors include fileless. As Malwarebytes will admit, no one can catch everything. So she may never find anything on her disk. And fresh installations may not help. Of course, they might though.

See if the user can retrace steps on what was being done at the time these incidents occurred. Was a particular device used on the machine? Was a particular procedure performed? A particular URL visited? A particular ad clicked on? (BTW adblockers are good)

For more, see here below.
https://blog.malwarebytes.com/cybercrime/2016/03/fileless-infections-an-overview/

https://blog.malwarebytes.com/security-world/2018/02/safer-internet-day-2018/
1
Alan (Consultant) commented:
Hi Mags,

I normally ask the client to buy an external HDD (if we are talking one or a few machines), and store the clean images on there.

You can backup also to a cloud storage, but given these are only backups with no data in them, not such a big deal.

I personally like to use a live Linux DVD and dd (disk dump) the drive to the HDD as an image file as it has always been 100% reliable for me over at least twenty years, but if you are more comfortable with something like Acronis, and you have the license(s) then that is fine too - whatever works for you.

Good luck!

Alan.
0
Mags (Owner, Author) commented:
Just a thought for my information...Since this is a scam alert what if she simply continues to shut down and restart her computer when it pops up? It happens about every 2-3 weeks. Consequences?
0
John (Business Consultant, Owner) commented:
Try looking at Process Explorer (and also look at Autoruns) for stuff that is starting up that needs to be deleted.
1
Mags (Owner, Author) commented:
Will do, thanks John.
0
nobus commented:
Check also her mail for unwanted or spam messages, especially those with an attachment.
If this is recent, a system restore can help also.
0
Mags (Owner, Author) commented:
Will do Nobus on her email...this has unfortunately been going on for months...no restore point to go back to. She has been very careful with her email and surfing. But as we all know...no guarantees!
0
Mags (Owner, Author) commented:
Getting ready to run Autoruns now.
0
Mags (Owner, Author) commented:
John...nothing strange in Explorer in Autoruns. I will look at everything. Shall I send over a log?
0
John (Business Consultant, Owner) commented:
First run Process Explorer and look again under the Explorer line for strange processes. If nothing is there, the logs won't help much.

But try full AV scans and then, if nothing is found, see if / how frequently the pop-ups are coming.
0
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) commented:
Check the applications she has installed. Google their names and see if virus or malware is associated with them. Quite possibly something she has installed.
Check all browser extensions in all browsers she has installed. Consider creating a new profile for each browser and using that instead of the present profile.
0
Mags (Owner, Author) commented:
Okay thanks John. I ran my usual AV scans back in December, then when it popped up again at the end of January I ran extensive AV scans. The alert then popped back up yesterday...so two weeks between popups.

Checking out Startup. FMAPP Application is showing but with no Publisher...it is a Lenovo ThinkPad. Concerns? Should I disable it from Startup?
0
Mags (Owner, Author) commented:
dbrunton, I just saw a post to reset all browsers...I'll see if she has a Google profile.
0
John (Business Consultant, Owner) commented:
See if you can disable this. Run Autoruns in admin mode. Find it and delete it.
0
Mags (Owner, Author) commented:
dbrunton, I already checked installed programs and checked again...nothing unusual.
0
Mags (Owner, Author) commented:
John, I'm not seeing FMAPP Application in Autoruns.
0
John (Business Consultant, Owner) commented:
See if you can delete it from the Startup folder and see if it is running in Process Explorer. Then finally remember that if it is well hidden and embedded that (as we said before) back up and reinstall Windows.
0
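The Autoruns and Startup-folder checks John describes above (the Explorer/Startup entries and the "no Publisher" question about FMAPP) can be scripted so the whole picture is in one table. The following PowerShell is an added example, my own code rather than anything from the thread or from Sysinternals: it walks the standard Run/RunOnce keys, both Startup folders and the scheduled tasks, resolves what each entry actually launches, and reports the Authenticode status and signer of that file. A blank Publisher in Autoruns corresponds to a file that is unsigned or missing here. The registry paths and folders are the standard Windows ones; the function names are assumptions of mine. Run it from an elevated PowerShell so the HKLM keys and all-users locations are readable.

```powershell
# Added example, not from the thread: enumerate common Windows autostart locations
# (Run/RunOnce keys, Startup folders, scheduled tasks) and flag entries whose
# executable carries no valid Authenticode signature. Function names are my own.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Provider metadata that Get-ItemProperty adds alongside the real registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

# Describe one autostart entry: where it lives, signature status, signer and
# SHA-256 of the file (the hash is what you would look up on VirusTotal).
function Get-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $CommandLine))
    $sig = $null
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
    }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Command   = $CommandLine
        Signature = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = if ($sig) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
    }
}

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            Get-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    foreach ($folder in $startupFolders) {
        foreach ($item in (Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue)) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {   # resolve shortcuts to what they really launch
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
            }
            Get-AutostartEntry -Source $folder -Name $item.Name -CommandLine $target
        }
    }
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {   # COM-handler actions have no Execute; skip them
                Get-AutostartEntry -Source "Task:$($task.TaskPath)" -Name $task.TaskName -CommandLine $action.Execute
            }
        }
    }
)

# Anything not 'Valid' deserves a look: unsigned, tampered with, or the file is gone.
$entries | Sort-Object Signature | Format-Table Source, Name, Signature, Publisher -AutoSize
$entries | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -NoTypeInformation -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\autostart-review.csv')
```

Entries reported as NotSigned or FileMissing under a user's Run key, Startup folder or a task with an odd path are the ones to investigate first; unsigned alone is not proof of anything, since plenty of OEM helper programs ship unsigned, so compare the path with the program's install folder and check the SHA-256 before deleting. A file that is gone but still referenced in a Run key is a common leftover after a cleaner has removed the payload and is harmless to remove.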
Mags (Owner, Author) commented:
Okay, Done all I can think of and your suggestions. I will have her let me know if it pops up again. If so, it looks like a fresh OS install.

One last thing, as asked above.
Since this is a scam alert what if she simply continues to shut down and restart her computer when it pops up? It happens about every 2-3 weeks. Consequences?
0
John (Business Consultant, Owner) commented:
If the alert is completely ignored, then it is just sitting in there as a virus. Completely ignoring it means no consequences for the user in question.
0
Mags (Owner, Author) commented:
So if I understand correctly, John...with this kind of a popup, if she does not react to it, call the number, or allow someone on her computer, her computer should not become compromised.
0
John (Business Consultant, Owner) commented:
It would be no further compromised but you need to get rid of the pop up.  And if all attempts fail, reinstall.
0
Mags (Owner, Author) commented:
Okay...thanks everyone - so much great help! I'll let you know if it pops up or if what was done finally resolves it...crossing my fingers!
Thanks,
Mags
0
John (Business Consultant, Owner) commented:
You are very welcome and I was happy to help.
0
Alan (Consultant) commented:
Hi Mags,

In terms of whether there is harm in leaving it, the issue is that you can never really know what it is doing, or could do.

Some malware can be reprogrammed / repurposed over time (especially if it is periodically connecting to remote resources) to move from the scam that this one is trying to pull to become, for example, a member of a botnet that is part of a DDoS attack, or one that attempts to exfiltrate credit card numbers from the machine it is on.

I would never ever leave a machine with malware on it.


Alan.
0
nobus commented:
Me neither - if a couple of scans do not remove it all, I fresh install.
0
Mags (Owner, Author) commented:
Let me know if this is where I post something when I have additional information for my question.

Okay, it appears it is a browser redirect not a popup on her computer. She just got the message again today...see below

Google Chrome Redirect Scam message
The things I know to do in Google Chrome are
Reset
Clear browsing data - all time
run CCleaner

I could also do a complete uninstall and reinstall of Google Chrome in the control panel or should I run Google's uninstaller? Are there settings in App Data or anywhere else (the registry?) other than Program folders that need to be removed?

Anything else? Malware scans have been run.
Thanks,
Mags
0
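Since the problem has turned out to be a Chrome redirect, dbrunton's earlier advice to check every browser extension and the question above about what Chrome keeps under AppData both come down to the same place on disk. The script below is an added example, my own PowerShell rather than anything from the thread or from Google: it reads each Chrome profile's Extensions folder under %LOCALAPPDATA%\Google\Chrome\User Data (the standard location on Windows), resolves the localized extension name from manifest.json, and lists the permissions that allow an extension to intercept or redirect browsing. Which permissions count as "risky" is my own choice for a redirect complaint; the function name is an assumption of mine.

```powershell
# Added example, not from the thread: inventory Chrome extensions per profile and
# show which of them hold permissions that can redirect or rewrite browsing.
# Paths are Chrome's standard Windows locations; the function name is my own.

$chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

# manifest "name" may be a placeholder like __MSG_appName__ that is looked up
# in _locales\<locale>\messages.json; resolve it the way Chrome would.
function Resolve-ExtensionName {
    param([string]$Name, [string]$ExtDir, [string]$DefaultLocale)
    if ($Name -notmatch '^__MSG_(.+)__$') { return $Name }
    $key = $Matches[1]
    foreach ($loc in @($DefaultLocale, 'en', 'en_US')) {
        if (-not $loc) { continue }
        $msgFile = Join-Path $ExtDir "_locales\$loc\messages.json"
        if (-not (Test-Path -LiteralPath $msgFile)) { continue }
        $msgs  = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json
        $entry = $msgs.PSObject.Properties[$key]
        if ($entry) { return $entry.Value.message }
    }
    return $Name
}

# Permissions that let an extension see, rewrite or redirect every page the user visits.
$riskyPermissions = @('webRequest', 'webRequestBlocking', 'declarativeNetRequest',
                      'tabs', 'proxy', '<all_urls>')

# Every directory that contains an Extensions folder is a profile (Default, Profile 1, ...).
$profiles = Get-ChildItem -LiteralPath $chromeUserData -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Extensions') }

$report = foreach ($profile in $profiles) {
    $extRoot = Join-Path $profile.FullName 'Extensions'
    foreach ($extIdDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
        foreach ($verDir in Get-ChildItem -LiteralPath $extIdDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
            try { $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json }
            catch { Write-Warning "Unreadable manifest: $manifestPath"; continue }
            # MV2 keeps host patterns in "permissions", MV3 moves them to "host_permissions".
            $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }
            [pscustomobject]@{
                Profile  = $profile.Name
                Id       = $extIdDir.Name
                Version  = $verDir.Name
                Name     = Resolve-ExtensionName $m.name $verDir.FullName $m.default_locale
                Risky    = ($perms | Where-Object { $riskyPermissions -contains $_ }) -join ','
                Manifest = $manifestPath
            }
        }
    }
}
$report | Sort-Object Profile, Name | Format-Table Profile, Id, Name, Version, Risky -AutoSize
```

The Extensions folder also holds disabled extensions and leftovers from old versions, so compare the list with chrome://extensions before removing anything; a well-known extension with webRequest is normal (ad blockers need it), while an unfamiliar name with the same permissions is the first thing to disable. Extensions live per profile, which is why dbrunton's suggestion of a fresh browser profile sidesteps them, and why resetting Chrome's settings without touching the profile's Extensions folder may leave the cause in place.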
Alan (Consultant) commented:
Hi Mags,

I would suggest starting a new question, referencing this one - more people will see it.

Having said that, does she get the same issue with Edge / Internet Explorer (going to the same site)?

Alan.
0
Mags (Owner, Author) commented:
Will do, Alan...thanks for letting me know the best protocol.

She only uses Chrome and it happens at different times...not just going to one site but I will look at the history.
Mags
0
Alan (Consultant) commented:
If it is happening with IE / Edge too, then it is not a Chrome specific issue.

Alan.
0
Windows 10