Hello - I've had NIS for many years, but this is the first time I've joined the community to post a question.
(Note: I am not technically advanced when it comes to computers, so please excuse my lack of knowledge!)
For the last 7 days or so, I have been frequently getting a notice from NIS (the little warning window at the bottom right of the screen) saying that an intrusion has been blocked. It is "Fake App Attack: Fake AV Website 20". At the same time, a pop-up window comes up in the middle of the page, and says "Microsoft Antivirus has found critical process activity on your PC You need to clean your computer to prevent the system breakage." This locks up my Internet Explorer and I have to use Task Manager to "end task" and get out of I.E. entirely. (I have never pressed the "ok" button or even the "x" button on the pop-up window itself, of course.)
I've looked into this for 2 days now, and there have not been too many mentions on the internet of the "20" version of this -- I've seen a couple of other versions of the "Fake App Attack" being talked about a lot lately on malware discussion forums, especially one with the number "3" at the end - I don't know if they are related or not.
This is what I have been experiencing: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24300
Here's one mention of it on these boards, from a year and a half ago: http://community.norton.com/t5/Norton-Internet-Security-Norton/Fake-App-Attack-Fake-Av-Website-20/td-p/710495
This is a mention on the Microsoft forum from a year and a half ago: http://answers.microsoft.com/en-us/windows/forum/windows_other-security/fake-av-attack/0d331b1b-450f-4a76-a6d9-e63b627796c2
The pop-up box that I see is the same as the *second* box pictured in this thread (I do not see the first box that is pictured): http://www.bleepingcomputer.com/forums/t/523050/infected-with-microsoft-essentials-alert/.
I have been getting this intrusion notice + pop-up + locking-up of IE several times a day for the past week, when looking at several different websites, all of them mainstream, ordinary sites, mainly of major British newspapers (a variety of them). I never click on ads, and I try not even to hover my cursor over any ads - the intrusion comes when my cursor is in a neutral place on the webpage. It might wait 5-10 minutes after I visit a webpage before it occurs. There does not seem to be a pattern in terms of the particular ads that are on the pages (not that I look much at internet ads).
A relative of mine who lives close by to me often visits the same websites that I do, and she also has NIS on her computer, but she has never seen this "Fake App Attack: Fake AV Website 20" at all, even when she looks at the very same websites where I am experiencing the intrusions, the very same newspaper article webpages, etc. I have checked her computer and looked at her NIS security history, and she doesn't have anything but "info" level notices, while I have all these "high risk" notices of these Fake App Attack intrusions!
Mine is a relatively new computer and I keep it pretty free of stuff - no Java, only one browser downloaded (IE 10, which is used always in InPrivate Browsing mode, medium-high security, with ActiveX filtering on, with only the NIS add-ons, no toolbars except for the required one that comes with Norton Internet Security, etc.). Aside from having NIS protection, I run CCleaner about 5 times a day and run Malwarebytes once weekly.
After a week of the Fake App Attack: Fake AV Website 20 intrusion attempts, I began to worry that it was something that had actually gotten inside my system, or was targeting my specific computer, so I immediately ran:
Malwarebytes full scan (found nothing)
Norton Internet Security full scan (which runs once a week anyway - found nothing)
Norton Power Eraser (found nothing)
CCleaner, plus I looked all over CCleaner at my installed programs, startup items etc. (found nothing)
Microsoft Safety Scanner downloaded from the internet (found nothing)
Then I looked around online and found some other malware checkers that were recommended by what seemed to be reputable sites. I downloaded and ran the full scan on two of them:
SuperAntiSpyware full scan (found nothing)
AdwCleaner - found 4 things in the registry that I looked up online before doing anything to, but they seemed okay to delete -- unfortunately they didn't seem to be associated with malware anyway, and deleting them did not stop this intrusion/pop-up from appearing - it continues to appear.
Of the other malware checkers that I noticed were recommended on these various apparently-reputable sites (like bleepingcomputer and geekstogo), I downloaded one or two more of the exe's so I could have them on hand, but I did *not* use them to clean my computer, because of the strong warnings on the malware-removal volunteer sites about not getting too deep into this stuff unless guided by an expert.
I found the excellent list of malware removal volunteers here: http://community.norton.com/t5/Tech-Outpost/Malware-Removal-Forum-Recommendations/td-p/1059145 and I have perused all their forums in the last 2 days and tried to find specific mention of "Fake AV Website 20", which, on the whole, I could not find - although most of those sites do record recent clusters of "Fake App Attacks" that have different numbers at the end, normally "3" and not "20".
Before signing up at one of those sites and asking for a significant time commitment from one of their wonderful volunteers, I just thought I'd ask people here at Norton if what is happening with my computer seems to be something only external and simply due to my running into malicious ads by chance on those otherwise mainstream and upstanding websites, or if this thing is partially or fully *internal* in my own computer now, and therefore is something I must get rid of.
Questions:
-- Does it sound like my computer has a malware infection?
-- What would be the best course of action for me to take now?
-- While I'm getting these regular intrusion attempts (and whatever else is going on which perhaps NIS is not telling me about because it doesn't have the ability to "see" it), should I not use my computer to log into internet banking, credit card accounts, even email accounts?
-- Because I have *already* logged into some internet banking and email accounts in the last 7 days (after these intrusions started popping up, but before I realized that the intrusion attempts were not one-off and random events), do I need to log into those sites from another computer and change my passwords immediately?
If it would help for me to include a screenshot of either the pop-up as I experience it or the Norton Security History log or detail pages of these intrusion attempts, let me know.
My laptop: Windows 7, 64 bit, IE 10.
Thank you in advance, good wishes to all
-Lynn22