Strange virus popup.

Sorry for the lack of detail but this has come second hand from my wife via a phone call.

She tells me that she had a phone call from someone with a strong accent. They sounded robotic but she couldn’t tell if they were a computer generated voice or just someone with Keanu Reeves style delivery. The voice told her that her computer has a virus. She asked how he/she knew that and the voice hung up.

An hour or two later she gets pop up windows while browsing news stories about Kate Middleton, she can’t tell me exactly what website she went to. The pop ups told her she has a virus and displayed what she thought were her My Documents, Shared Documents, etc folders, while listing various numbers of viruses found under each folder.

I told her to close Google Chrome and run an antivirus scan with Microsoft Security Essentials (after some frustration trying to figure out what antivirus she has installed.) The scan came up clean.

My gut feeling is that she stumbled onto a website with some shitty pop up ads that display generic windows style folders and try to get you to click a link to buy some scummy antivirus software. I think the phone call was just a coincidence.

Anyone else have any other ideas?

She’s running Windows 7.

I agree with you.

I concur with you and BigT.

ETA: Those popups are even more hilarious when you get them on a Mac, but they show you a Windows XP Explorer window. I was, shall we say, not fooled.

If it’s a home computer you may want to try Malwarebytes in safe mode.
I think MS Security Essentials is pretty good though, I’ve been using it for a couple of years.

I posted about this in my newsletter that goes to my customers. Places have taken to cold calling lists of “known computer users” and basically trying to play a live version of “your computer is infected” and for just $49.95 we will fix it.

It is a scam, they do not know if your computer is infected. The only way they would know for sure would be if they were spreading the virus in question and it was calling home to them. That still would not get them a phone number to call you.

The phone call may have nothing to do with the later popup, which may not actually be a virus. If your wife was browsing by using Google search results this may have been an htaccess file hijack. I had this recently when I tried to go to moviespoiler via Google and was instantly redirected to a fake virus popup site. It turned out to be nothing to do with my computer, the server at moviespoiler had its htaccess file redirected. (It took them a few days to fix it).

There’s a way to test for this. If it’s an htaccess hijack you’ll be able to get to the site by entering it directly in your address bar, i.e. it’s only using the Google result which will get you redirected. In that case there’s no virus at your end, it’s the server at the other end which is affected. (Be careful though, if all your Google results end up in redirects then it’s likely that the virus is at your end).
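Added example, not part of any post in this thread: a check a site owner could run on their own .htaccess for the kind of redirect described above. It assumes the hijack is a mod_rewrite rule conditioned on a search-engine Referer header; the function name, the engine list and both sample files are constructed for illustration.

```python
import re

# Assumed list of search engines to look for in referrer conditions.
SEARCH_ENGINES = re.compile(r"google|bing|yahoo|duckduckgo", re.I)
ABSOLUTE_URL = re.compile(r"^https?://([^/\s:]+)", re.I)

# Constructed samples: a tampered file and an ordinary HTTPS-upgrade file.
SAMPLE_HIJACKED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://fake-scanner.example/scan [R=302,L]
"""
SAMPLE_CLEAN = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.site.example/$1 [R=301,L]
"""

def find_referer_redirects(htaccess_text, own_host):
    """Return (line_no, target_host) for each RewriteRule that sends
    visitors arriving from a search engine to a host other than own_host."""
    findings = []
    referer_cond_pending = False
    for line_no, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            # Conditions accumulate until the next RewriteRule uses them.
            # A pattern starting with "!" is negated, so it does not
            # select search-engine visitors and is ignored here.
            if ("http_referer" in parts[1].lower()
                    and not parts[2].startswith("!")
                    and SEARCH_ENGINES.search(parts[2])):
                referer_cond_pending = True
        elif directive == "rewriterule":
            if referer_cond_pending and len(parts) >= 3:
                target = ABSOLUTE_URL.match(parts[2])
                if target and target.group(1).lower() != own_host.lower():
                    findings.append((line_no, target.group(1).lower()))
            referer_cond_pending = False
    return findings

if __name__ == "__main__":
    print(find_referer_redirects(SAMPLE_HIJACKED, "www.site.example"))
    print(find_referer_redirects(SAMPLE_CLEAN, "www.site.example"))
```

A hit only means the rule deserves a look; a clean result does not rule out tampering elsewhere in the server configuration.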

I have encountered this web pop-up that looks like it is running a virus scan on your computer and coming up with all kinds of horrible infections that need to be cleaned right now just click this button – my computer is clean; it’s not really scanning my computer, it’s trying to get me to go to a web site. The worst instances of this won’t let me close the window. We have had warnings about this scam at work, and it’s popped up a few times on my home computer too. Insidious.

Yes, that’s the one. You need to kill the Firefox process to exit. Often when you restart FF it will reopen your old tabs and take you straight back to the malware site, but if you kill and restart again you’ll get the option to start with your home page.

The malware screen you see is identical to the one that the System Tool virus shows (probably the same people). The actual virus is much worse as it won’t let you run any executables. (MalwareBytes in Safe Mode will clean it out though).

MalwareBytes won’t find anything if you’re simply the victim of an htaccess hijack, as there’s nothing to find. It’s the website that you tried to reach which has the problem. In this case the solution is to report the redirect to Google and get to the website you want by directly entering its address until they fix things. (The site itself will be perfectly safe, it’s only their Google result which has been altered).

I have seen this same popup and killed it with ALT-F4.