What can I do about "Fake App Attack: Fake AV Website 20"?

Hello - I've had NIS for many years, but this is the first time I've joined the community to post a question.

 

(Note:  I am not technically advanced when it comes to computers, so please excuse my lack of knowledge!)

 

For the last 7 days or so, I have been frequently getting a notice from NIS (the little warning window at the bottom right of the screen) saying that an intrusion has been blocked.  It is "Fake App Attack:  Fake AV Website 20".  At the same time, a pop-up window comes up in the middle of the page, and says "Microsoft Antivirus has found critical process activity on your PC  You need to clean your computer to prevent the system breakage."  This locks up my Internet Explorer and I have to use Task Manager to "end task" and get out of I.E. entirely.  (I have never pressed the "ok" button or even the "x" button on the pop-up window itself, of course.)

 

I've looked into this for 2 days now, and there have not been too many mentions on the internet of the "20" version of this -- I've seen a couple of other versions of the "Fake App Attack" being talked about a lot lately on malware discussion forums, especially one with the number "3" at the end - I don't know if they are related or not.

 

This is what I have been experiencing:  http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24300

 

Here's one mention of it on these boards, from a year and a half ago:  http://community.norton.com/t5/Norton-Internet-Security-Norton/Fake-App-Attack-Fake-Av-Website-20/td-p/710495

 

This is a mention on the Microsoft forum from a year and a half ago:  http://answers.microsoft.com/en-us/windows/forum/windows_other-security/fake-av-attack/0d331b1b-450f-4a76-a6d9-e63b627796c2

 

The pop-up box that I see is the same as the *second* box pictured in this thread (I do not see the first box that is pictured):  http://www.bleepingcomputer.com/forums/t/523050/infected-with-microsoft-essentials-alert/.

 

I have been getting this intrusion notice + pop-up + locking-up of IE several times a day for the past week, when looking at several different websites, all are mainstream, ordinary sites, mainly of major British newspapers (a variety of them).  I never click on ads, and I try not even to hover my cursor over any ads - the intrusion comes when my cursor is in a neutral place on the webpage.  It might wait 5-10 minutes after I visit a webpage before it occurs.  There does not seem to be a pattern in terms of the particular ads that are on the pages (not that I look much at internet ads).

 

A relative of mine who lives close by to me often visits the same websites that I do, and she also has NIS on her computer, but she has never seen this "Fake App Attack:  Fake AV Website 20" at all, even when she looks at the very same websites where I am experiencing the intrusions, the very same newspaper article webpages, etc.  I have checked her computer and looked at her NIS security history, and she doesn't have anything but "info" level notices, while I have all these "high risk" notices of these Fake App Attack intrusions!

 

Mine is a relatively new computer and I keep it pretty free of stuff - no Java, only one browser downloaded (IE 10, which is used always in InPrivate Browsing mode, medium-high security, with Active X filtering on, with only the NIS add-ons, no toolbars except for the required one that comes with Norton Internet Security, etc.)  Aside from having NIS protection, I run CCleaner about 5 times a day and run Malwarebytes once weekly.

 

After a week of the Fake App Attack:  Fake AV Website 20 intrusion attempts, I began to worry that it was something that had actually gotten inside my system, or was targeting my specific computer, so I immediately ran:

Malwarebytes full scan (found nothing)

Norton Internet Security full scan (which runs once a week anyway - found nothing)

Norton Power Eraser (found nothing)

CCleaner, plus I looked all over CCleaner at my installed programs, startup items etc. (found nothing)

Microsoft Safety Scanner downloaded from the internet (found nothing)

 

Then I looked around online and found some other malware checkers that were recommended by what seemed to be reputable sites.  I downloaded and ran the full scan on two of them:

SuperAntiSpyware full scan (found nothing)

AdwCleaner - found 4 things in the registry that I looked up online before doing anything to, but they seemed okay to delete -- unfortunately they didn't seem to be associated with malware anyway, and deleting them did not stop this intrusion/pop-up from appearing - it continues to appear.

 

Of the other malware checkers that I noticed were recommended on these various apparently-reputable sites (like bleepingcomputer and geekstogo), I downloaded one or two more of the exe's so I could have them on hand, but I did *not* use them to clean my computer, because of the strong warnings on the malware-removal volunteer sites about not getting too deep into this stuff unless guided by an expert.

 

I found the excellent list of malware removal volunteers here:  http://community.norton.com/t5/Tech-Outpost/Malware-Removal-Forum-Recommendations/td-p/1059145 and I have perused all their forums in the last 2 days and tried to find specific mention of "Fake AV Website 20", which, on the whole, I could not find - although most of those sites do record recent clusters of "Fake App Attacks" that have different numbers at the end, normally "3" and not "20".

 

Before signing up at one of those sites and asking for a significant time commitment from one of their wonderful volunteers, I just thought I'd ask people here at Norton if what is happening with my computer seems to be something only external and simply due to my running into malicious ads by chance on those otherwise mainstream and upstanding websites, or if this thing is partially or fully *internal* in my own computer now, and therefore is something I must get rid of.

 

Questions:

-- Does it sound like my computer has a malware infection?

-- What would be the best course of action for me to take now?

-- While I'm getting these regular intrusion attempts (and whatever else is going on which perhaps NIS is not telling me about because it doesn't have the ability to "see" it), should I not use my computer to log into internet banking, credit card accounts, even email accounts?

-- Because I have *already* logged into some internet banking and email accounts in the last 7 days (after these intrusions started popping up, but before I realized that the intrusion attempts were not one-off and random events), do I need to log into those sites from another computer and change my passwords immediately?

 

If it would help for me to include a screenshot of either the pop-up as I experience it or the Norton Security History log or detail pages of these intrusion attempts, let me know.

 

My laptop:  Windows 7, 64 bit, IE 10.

  

Thank you in advance, good wishes to all

-Lynn22

Lynn22,

 

Are you by any chance running Microsoft Security Essentials in addition to NIS?  If so, that may be what's causing the issue.  I'd suggest removing Microsoft Security Essentials from the Programs and Features menu if indeed you have it.  As a matter of course, running two real-time security programs is not a good idea.  And from my experience, Microsoft Security Essentials doesn't play nice with other security suites.  That may be the simple fix, as it sounds like you're getting legitimate warnings or advisories from two separate sources.  Doesn't sound like malware infection to me in any case.

 

Regards,

Kelly


Kelly wrote:

Lynn22,

 

  Doesn't sound like malware infection to me in any case.

 

Regards,

Kelly


http://qmalwareremoval.freeforums.net/board/2/malware-removal-protected

I'm not sure how to quote a message, but Kelly asked, "Are you by any chance running Microsoft Security Essentials in addition to NIS"

 

Answer:

 

No, I am not.  I have never had Microsoft Security Essentials on my computer. 

 

The pop-up is not really from Microsoft Security Essentials, that name in the pop-up window is just a ruse.  It is not a legitimate warning, but it wants unsuspecting people to think so!

 

On my computer, I only run NIS and the on-demand-only free version of Malwarebytes.

 

I did run a different program from Microsoft -- the Microsoft Safety Scanner -- one time only, after I downloaded it yesterday, as a recommended tool to see if it could find something that none of the other scanners had found.

 

 


Krusty13 wrote:

Possibly a PUP  -  Potentially Unwanted Program, but there could be other problems brought in by that PUP.

 

Your best option is to sign up for help from one of the free malware removal sites.  Please do not try to remove this on your own as it can make things much more complicated.

 

You probably should not use this system until a removalist can assist and has pronounced your system as clean.


Dave


 

Ah-hah, I found out how to quote other people's comments.  :-)

 

 

Dear Dave/Krusty,

 

Thank you for your very quick response.

 

I had added a fourth question to my original post, after you read it and replied to it, and I'm wondering what your thoughts would be about that question? 

"-- Because I have *already* logged into some internet banking and email accounts in the last 7 days (after these intrusions started popping up, but before I realized that the intrusion attempts were not one-off and random events), do I need to log into those sites from another computer and change my passwords immediately?"

 

Thank you,

Lynn22

Lynn,

 

While I cannot say that is something you should immediately attend to, I'm not qualified in this area, it can't hurt and will give you some peace of mind.


Krusty13 wrote:

Kelly wrote:

Lynn22,

 

  Doesn't sound like malware infection to me in any case.

 

Regards,

Kelly


http://qmalwareremoval.freeforums.net/board/2/malware-removal-protected



Dear Dave/Krusty13,

 

I am not sure if that link was for Kelly's information or to direct me further, but I already looked closely at that forum today, after I saw that user "Delphinium" from this forum recommended Quads most highly (http://community.norton.com/t5/Tech-Outpost/Malware-Removal-Forum-Recommendations/td-p/1059145), and the thing is that

1) Quads has been getting asked to help with a lot of these Fake App problems (the Fake App one with a 3 at the end), and has many help requests in his in-tray right now

2) he's been getting upset with some of these folks because they've already run some scans before asking for his help, and he has locked them out of his forum

 

I am afraid that I probably have already run some scans in the last 2 days that he would not approve of!

Which I did innocently yesterday after seeing the programs recommended on other forums --

 

So I was thinking of asking on Geekstogo or BleepingComputer for help with this.

Hi, lynn22. Any of the other sites delphinium has recommended will serve you well.

 

They are free, and have trained volunteers who will help you clean your system.


Krusty13/Dave!  Off-tangent a little, but if you reply on my thread again tonight, I noticed that it's possibly going to be your five-thousandth post!  :-)

 

Lynn,

 

That link was more for Kelly's benefit, just to show this problem is quite prevalent at the moment.

 

As F4E has said, either of those sites will be able to assist you but you will need to be patient.  There is a queue for assistance wherever you decide to go, but please stick with whomever you choose as all of these sites have rules about seeking help elsewhere.

 

Dave


Krusty13 wrote:

Lynn,

 

That link was more for Kelly's benefit, just to show this problem is quite prevalent at the moment.

 

As F4E has said, either of those sites will be able to assist you but you will need to be patient.  There is a queue for assistance wherever you decide to go, but please stick with whomever you choose as all of these sites have rules about seeking help elsewhere.

 

Dave


 

Dave/Krus,

 

Wheee!  5000  :-)    That's a great level of contribution to the community, congratulations Krusty13!

 

 

=====

I wasn't concerned about the time that I might have to wait to get assistance from Quads, I was more thinking I wouldn't want to add to his workload right now, because he mentioned in one recent thread that he's got a lot going on -- and also he had a short fuse with a couple of the folks who had run some programs before appealing to him for help, and I wouldn't want to add to his frustration level at the moment, because what he does is so useful, charitable, and valuable! 

If this is a low-level thing I can ask for help with from any of several organizations, maybe one day I'll have a really big issue that I might want to appeal to Quads specifically for help with, and so I'll save my request!  :-)

 

Yes, I would only ask for help from one of the places -- I've gotten a feeling for how they work in the last 2 days of lurking around them and trying to find clues to my Fake App Attack 20.

Don’t be tempted to try some of the fixes on your own. Sometimes malicious apps have ties to things that are necessary components of Windows. That can happen during a removal as well, but they will be able to get you up and running again.


delphinium wrote:
Sometimes malicious apps have ties to things that are necessary components of Windows.

Thank you for this pointer, which I did not know about. 

 

And for your great list of volunteer-staffed recovery sites!

An update-

 

I decided last night that before I appealed to a malware-removal forum, I should make a thorough external backup today in case something went wrong during the fix.  I still haven't done that yet because of some non-computer-related issues that came up today and knocked me way off schedule.

 

Last night I also thought about what I possibly could have downloaded that might have brought in a PUP (not that I understand PUPs too well, but I think I get the gist of what they are).

 

The last things I downloaded, besides the normal updates to CCleaner, Malwarebytes, Adobe, and Windows in January, were at the end of December when I tried out a VPN for a 3-day trial it offers, and I downloaded the VPN's program, which brought along with it an Open VPN program that was automatically installed in tandem.

The VPN trial went fine, but I hadn't decided yet whether to subscribe to it or not, so I left its program on my computer without using it after the end of the trial period (trial period ended in December). 

The VPN was one that I'd seen recommended on several sites, and is apparently one of the better and more-trustworthy ones -- but of course who can really know what to trust, and anything can be tampered with too, I suppose.

 

So last night I uninstalled the VPN's program, which magically took off the Open VPN program at the same time without my having to uninstall that separately, to see if that would change anything.

And I don't know if it's simply a coincidence, but in the last 24 hours I haven't received the intrusion of "Fake App Attack" at all.  Today I've spent substantial time on the sites that for the last week have regularly produced the Fake App Attack within 8 minutes of my being on them - but there have been no Norton warning slidey boxes, no pop-up windows, no freezing of my IE windows.

 

The VPN I tried out is based in Europe, and the intrusion attempts, according to my Norton history, came from IP addresses which apparently originate from an adjacent country in Europe.  This was one of the IP addresses:  http://urlquery.net/report.php?id=9357217 . 

 

I guess it's possible that this specific VPN program and/or the Open VPN program somehow were tied to the intrusion? 

Even if they were innocent themselves, could their programs have altered my Norton protection in some way that enabled something else to wriggle its way in several times a day, every day for the past week, even though I didn't have their programs open and I was just connecting to my local ISP in the normal way?

Does this mean if I want to subscribe to a VPN, I should avoid that particular one (which otherwise seemed fine, and has been mentioned in various places as one of the better ones)?

Are there review sites or security sites that recommend good VPNs that people here would suggest I have a look at, to find a trustworthy VPN?

 

If I don't get any intrusion notices for the next day or two, while I continue to visit the sites that the intrusion notices had been regularly popping up on, should I still ask a malware removal site to look at my computer?

 

I uninstalled the VPN program last night, before I read Delph's warning today that some malware gloms onto some good elements that should be in the computer, and these good things can get torn asunder when the malware is removed. 

Last night I also uninstalled the SuperAntiSpyware and AdwCleaner programs (which I had only installed the day before) - maybe I shouldn't have done either... oh dear.  :-0

Lynn,

 

You're trying to solve this on your own.  :smileyindifferent:

Lynn22 wrote:
I guess it’s possible that this specific VPN program and/or the Open VPN program somehow were tied to the intrusion? Even if they were innocent themselves, could their programs have altered my Norton protection in some way that enabled something else to wriggle its way in several times a day, every day for the past week, even though I didn’t have their programs open and I was just connecting to my local ISP in the normal way?

It wouldn’t necessarily be something wriggling in. Good possibility that something was already on your machine trying to wriggle out and phone home. Norton calls both situations intrusion attempts. Could even be the VPN software checking for trial period.


Krusty13 wrote:

Lynn,

 

You're trying to solve this on your own.  :smileyindifferent:



Aww, Krus, please don't be upset with me!    :-(     :-)

 

I honestly didn't think on Sunday night that uninstalling the VPN would do anything but be neutral or helpful.

 

A lifetime's practice of muddling through various tricky computer situations by relying only on one's own maintenance and troubleshooting efforts - out of necessity - isn't easily brought to a standstill when one's computer gets possible malware and one realizes for the first time that there is volunteer help available!

I'm not upset with you, Lynn.

 

Can I point out that I did say in my first reply to you, "Please do not try to remove this on your own as it can make things much more complicated"?

 

 


delphinium wrote:
It wouldn't necessarily be something wriggling in. Good possibility that something was already on your machine trying to wriggle out and phone home. Norton calls both situations intrusion attempts.
Could even be the VPN software checking for trial period.

Oh, I see... I didn't realize that Norton used "intrusion" for an attempted breach of the defences from either direction.  Good to know.

 

I am not sure the basis for the "Fake AV Website 20" intrusion and redirecting pop-up telling me to run a fake Microsoft scan was as innocent as a VPN software checking on its trial period!  :-) 

Some of the names of the sites that Norton said were behind the intrusions were pretty dodgy, like windowsprotects2014.nl, windowsdefenceproject2014.nl, zerosystemproject.nl (despite the .nl suffix, the IPs were registered in France).

 

--

I've been away from my computer all day, until now. Will do my thorough backup this evening and decide whether to approach geekstogo or bleepingcomputer for help.  

 

I'll keep this thread updated with my progress, in case it could help others in the future who might be being besieged by "Fake AV Website 20".