A persistent scareware dialog.

I have a client who had a scareware event with a threatening dialog that offered a number to call to "help him". I disinfected, as I normally do, with Adwcleaner, Malwarebytes, and Hitmanpro64, which usually does a nice job eradicating the beasts. Another has appeared that seems familiar, and so I'm concerned that I might have missed something. The dialog, which my client sent me, and I didn't myself experience, is attached.

My question is how can I find the source of that dialog, or others of that ilk, and know that I've removed it, or not, using the above system or another.

Your insights are appreciated.
IMG_2917.mov
Mark Litin, Owner, Asked:
 
Andrew Leniart, Senior Editor, Commented:
The source of the dialogue will almost certainly be one or more of the following:

  • An infected web site that has been visited
  • A rogue popup that has been clicked
  • A link in an email that has been opened
  • An email's file attachment that has been clicked/opened/run
  • An infected USB stick could have been inserted to the machine

The warning is garbage - tell your client to ignore it until the following steps have been done.

To rectify...

1. Reboot into Safe Mode (or Safe Mode with Networking if you have to do this remotely)
2. Press Windows+R
3. Type %temp% and hit enter
4. Delete everything in the Temp folder that opens
5. Rescan the entire drive with an updated copy of Malwarebytes using "Custom Scan" (not threat scan) and ensure "Root Kits" has been selected to also be scanned for. This will take some time
6. Perform a Deep Scan of the entire drive using an updated copy of whatever AV your client is using, also select Root Kits if his AV has that capability. Again, will take some time
7. Open the client's browsers while still in safe mode and clear all history and cookies
8. Restart into Normal Windows Mode and see if the problem recurs again.

If it does, I'd be looking at your client's surfing habits. I've found they often won't readily admit to sites they like to occasionally frequent ;-)

Hope that's helpful.

Regards, Andrew
0
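
An added example, not part of Andrew's answer or the original thread: PowerShell for steps 3 and 4 that records which executable and script files are sitting in %temp% (hash, signature status, timestamps) before the folder is emptied, so there is a record to check against if the dialog returns. The report path and the extension list are assumptions chosen for illustration.

```powershell
# Added example: inventory %TEMP% before emptying it (steps 3 and 4 above).
# Assumptions: the report location and the extension list are illustrative choices.
$tempDir    = $env:TEMP
$report     = Join-Path $env:USERPROFILE 'temp-inventory.csv'
$suspectExt = '.exe', '.dll', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.lnk'

# Collect files whose extension means they can run or launch something.
# -contains is case-insensitive, so .EXE and .exe both match.
$items = Get-ChildItem -LiteralPath $tempDir -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension }

# Record hash, signature status and timestamps for each one.
$rows = @(foreach ($f in $items) {
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        SizeBytes = $f.Length
        SHA256    = $hash.Hash
        Signature = $sig.Status
    }
})

# Oldest first, so entries can be lined up against when the dialog first appeared.
$rows | Sort-Object Created | Export-Csv -LiteralPath $report -NoTypeInformation
"{0} executable/script files recorded in {1}" -f $rows.Count, $report

# Step 4: empty the folder. Files held open by running processes are skipped.
Get-ChildItem -LiteralPath $tempDir -Force |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
```

Run it while logged in as the affected user, because %temp% is a per-user folder.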
 
Mark Litin, Owner, Author Commented:
Thanks, Andrew
0
 
Andrew Leniart, Senior Editor, Commented:
My pleasure Mark and you're very welcome. Please don't hesitate to post back if the above doesn't solve the problem for you.
0
 
Dr. Klahn, Principal Software Engineer, Commented:
Have you tried Spybot - Search and Destroy (free edition, don't pay for it), both scanning and running the Immunizer?  It finds things that virus scanners and Malwarebytes do not.

Spybot S
1
 
Mark Litin, Owner, Author Commented:
No.  But I used SuperAntiSpyware.
0
Question has a verified solution.
