A persistent scareware dialog.

I have a client who had a scareware event with a threatening dialog that offered a number to call to "help him". I disinfected, as I normally do, with Adwcleaner, Malwarebytes, and Hitmanpro64, which usually does a nice job eradicating the beasts. Another has appeared that seems familiar, and so I'm concerned that I might have missed something. The dialog, which my client sent me, and I didn't myself experience, is attached.

My question is how can I find the source of that dialog, or others of that ilk, and know that I've removed it, or not, using the above system or another.

Your insights are appreciated.
IMG_2917.mov
Mark Litin, Owner, Asked:

Andrew Leniart, Freelance Journalist & IT Consultant, Commented:
The source of the dialogue will almost certainly be one or more of the following:

  • An infected web site that has been visited
  • A rogue popup that has been clicked
  • A link in an email that has been opened
  • An email's file attachment that has been clicked/opened/run
  • An infected USB stick could have been inserted to the machine

The warning is garbage - tell your client to ignore it until the following steps have been done.

To rectify...

1. Reboot into Safe Mode (or Safe Mode with Networking if you have to do this remotely)
2. Press Windows+R
3. Type %temp% and hit enter
4. Delete everything in the Temp folder that opens
5. Rescan the entire drive with an updated copy of Malwarebytes using "Custom Scan" (not threat scan) and ensure "Root Kits" has been selected to also be scanned for. This will take some time
6. Perform a Deep Scan of the entire drive using an updated copy of whatever AV your client is using, also select Root Kits if his AV has that capability. Again, will take some time
7. Open the client's browsers while still in safe mode and clear all history and cookies
8. Restart into Normal Windows Mode and see if the problem recurs again.

If it does, I'd be looking at your client's surfing habits. I've found they often won't readily admit to sites they like to occasionally frequent ;-)

Hope that's helpful.

Regards, Andrew
0
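
Steps 3 and 4 of the answer above empty the Temp folder without recording what was in it. The following PowerShell script is an added example, not part of the answer or of any tool named in this thread: it inventories the folder first and hashes files that can run code, so there is a record to review after cleanup. The report path, the `-Delete` switch and the extension list are assumptions chosen for illustration.

```powershell
# Added example: inventory the per-user Temp folder before emptying it (steps 3-4).
# Assumptions: report location, the -Delete switch, and the extension list below.
param(
    [string]$ReportPath = (Join-Path $env:USERPROFILE 'temp-inventory.csv'),
    [switch]$Delete   # without -Delete the script only reports and removes nothing
)

# File types that Windows can execute or hand to a script host or browser.
$suspectExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js',
              '.hta', '.lnk', '.msi', '.html', '.htm'

$tempRoot = [IO.Path]::GetFullPath($env:TEMP)

# -Force includes hidden and system files; unreadable folders are skipped.
$files = @(Get-ChildItem -LiteralPath $tempRoot -Recurse -File -Force -ErrorAction SilentlyContinue)

$inventory = foreach ($f in $files) {
    $hash = $null
    if ($suspectExt -contains $f.Extension) {
        # A file held open by a running process cannot be hashed; record that instead.
        try   { $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { $hash = 'LOCKED' }
    }
    [pscustomobject]@{
        Path      = $f.FullName
        Extension = $f.Extension
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        SHA256    = $hash
    }
}

if ($inventory) {
    # Newest files first: items created around the time the dialog appeared are the ones to review.
    $inventory | Sort-Object Created -Descending |
        Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    $hits = @($inventory | Where-Object { $_.SHA256 })
    Write-Host "$($files.Count) files inventoried, $($hits.Count) executable/script files. Report: $ReportPath"
    $hits | Sort-Object Created -Descending | Format-Table Created, SHA256, Path -AutoSize
} else {
    Write-Host "Temp folder is empty: $tempRoot"
}

if ($Delete) {
    # Step 4: remove everything; files still in use are left behind without stopping the run.
    Get-ChildItem -LiteralPath $tempRoot -Force |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it once without `-Delete` to produce the report, then again with `-Delete` to empty the folder.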

Mark Litin, Owner, Author Commented:
Thanks, Andrew
0
Andrew Leniart, Freelance Journalist & IT Consultant, Commented:
My pleasure Mark and you're very welcome. Please don't hesitate to post back if the above doesn't solve the problem for you.
0
Dr. Klahn, Principal Software Engineer, Commented:
Have you tried Spybot - Search and Destroy (free edition, don't pay for it), both scanning and running the Immunizer? It finds things that virus scanners and Malwarebytes do not.

Spybot S
1
Mark Litin, Owner, Author Commented:
No. But I used SuperAntiSpyware.
0