Watch out for fake ‘Windows Defender’ scare


    #2563952

    PUBLIC DEFENDER By Brian Livingston My readers are reporting a new wave of fraudulent “security warnings” that freeze the screen, threaten to auto-del
    [See the full post at: Watch out for fake ‘Windows Defender’ scare]

    12 users thanked author for this post.
    • #2563969

      People should pass a hardware, OS, software.. test in order to receive a license to buy/use a PC.

      1 user thanked author for this post.
    • #2563996

      I have this and found a few more ways to get past it:

      • press ESC to restore the browser tabs and controls. Then you can close the browser window, or the offending tab.
      • Hold ALT and press F4 for every one of the pop up windows. Each press will close the “frontmost” window. Press in quick succession to close all pop ups and, ultimately, the browser. (This works as long as your system defaults to traditional function key operations; on some systems you may have to employ the key that shifts to the alternate function key activation.)
      2 users thanked author for this post.
    • #2564013

      If you have daily backups set up for your computer, you can simply restore your system from a backup that was made before you got the infection.  You can be back in business in just a few minutes.  This seems like the way to go to me, or am I missing something?

    • #2564055

      Brian, This article is right on target and right on time.  I get computers from clients regularly to fumigate them.  The computers, not the clients.

      I’ve usually used Ctrl-Alt-Delete and Task Manager to kill the browser used for these deceptively dangerous messages.  And a manual remove of the threat is often enough.


      3 users thanked author for this post.
    • #2564059

      Out of curiosity, I Googled inurl:dothrakiz.com, and Google reported nothing. If that is a real web site, they really have got it well hidden.

    • #2564077

      Timely, useful, and very much on target.  Thanks.

      I’m in full agreement with @Ben Meyers about using TM to kill the offending browser instance, and would suggest that starting the browser in safe mode is the way to go for clearing cache/history. Suggested revision to your text: “Clear your cache and cookies, reset your browser, or uninstall/reinstall it. Start your browser in safe mode after your AV scan”.

      DVH

      1 user thanked author for this post.
      • #2564231

        Would CCleaner or Glary Utilities clear these caches?

        -- rc primak

        • #2564252

          Don’t know about Glary Utilities but, if you have the proper options checked, CCleaner will.

          [Screenshot: CCleaner browser options]

          FYI, it only includes options for S/W it detects as installed on your system, so there won’t be any options for “portable” versions.

          1 user thanked author for this post.
    • #2564135

      I got this pop-up on my iPad, where I have ONLY the Safari browser working. First off, it says “Access to this PC”?? How could the warning be coming from Windows Defender, when the device isn’t even a Windows device???

      The screen was frozen, so it wasn’t even possible to press any buttons or links. I restarted the iPad.

      Was there any malware that got installed?? If so, how would I know?

      • #2564226

        ‘Defender’ is a hoax; you got that message from a visited site via Safari.

        1 user thanked author for this post.
        • #2564280

          ‘Defender’ is a hoax; you got that message from a visited site via Safari.

          I know that. All I am saying is that the hoax message, hoax that it was, didn’t even make sense, because the hoax message was about a PC and the device the message was on was iOS.

          • #2564286

            Hoaxes are not designed to make sense. Hoaxes are designed to provoke an immediate reaction.  The hoax message is to fix this computer invasion now, now, now by clicking on this button that will solve all your problems.

            On permanent hiatus {with backup and coffee}
            offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
            offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
            online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      • #2564232

        This is Windows-specific malware, AFAIK. I use Linux and have never seen anything like this. But Mac and iPad may be targets, as well as Android and Apple phones. Since this comes in through the web browser, I would not put it past the malicious parties to target Linux browsers as well. I just highly doubt they would successfully infect a device running Linux.  But assume NOTHING when it comes to malware!

        Linux cleanup is similar to Windows cleanup, if anything might happen. Except, I am much more willing to run a clean install of my Linux distros than my Windows OSes. I find it much easier to get back up and running under Linux, provided the correct precautions are taken before anything malicious happens. Software reinstallation for example, can be much more centralized in Linux — one-stop shopping if you save the markings from your software manager. Linux has Bleachbit for cleaning the kinds of things which can mess up web browsers.

        -- rc primak

    • #2564281

      You can use Ctrl-W on Firefox to close the active tab. I have no way of testing it when it’s in the malware locked condition. Otherwise, remember the tab position, use Alt-Ctrl-Del to kill Firefox, restart, and immediately close that tab.


    • #2564437

      I remember years ago using a program called Sandboxie, that would stop this kind of malware from getting its claws into your PC. You just had to close the browser and would start fresh again when reopening your browser. Looks like this program is still around, but I have not used it for quite some time.

      • #2564630

        Depending on where the popover message screens come from, sandboxing the browser would not necessarily prevent the computer from being unable to function. And making the screen go away would still require killing all processes which are operating within the infected sandbox.  You would still have to clean up all of this, and to do that, you need to be able to get rid of the full-screen popover message.

        -- rc primak

    • #2564591

      Users of macOS are receiving similar messages. I am not responding to the ones I receive.

      1 user thanked author for this post.
    • #2564644

      I don’t understand.  People must be clicking on bad links and visiting some website to pick up this infection.  In nearly 30 years of using Windows I have never been infected.  The article didn’t explain how machines are getting infected.  I’d wager that 90% are from visiting pörn sites.

      I’ve used Comodo firewall and AV for many years.  I also use an old version of FF as my primary browser where scripts are auto blocked until I allow them to run using NoScript.

    • #2564774

      This is good stuff, although I’m going to differ on nuance of a couple of the suggested steps:

      • Write down as many browser tabs as you can remember.

      You may also be able to get some of that info with the Windows Snipping tool or Snip and Sketch, although if you have more tabs open than are visible on the screen, you won’t get everything.

      • If you had to shut down, restart Windows but don’t open your browser.

      At least, don’t open your primary browser.  Although it’s OK to prefer to do everything in Chrome, Firefox or anything else, there’s nothing that requires you to do that, and there are times when you need to interact through a different browser. This is one of those times.  Whatever alternate you have, make sure that you’ve reviewed it and tuned settings to your preferences, as if you were using that as your normal browser.  That way, when you’re using the alternate in an emergency, you know that it’s configured for your preferences. There’s nothing wrong with using something like Edge for a one-off thing, but it is worth making sure you’ve reviewed all of Edge’s preferences (especially security and privacy).

      With Firefox, there is an option to use multiple profiles (where you set it to allow which profile you want on startup).  In this situation, launch Firefox and choose the alternate profile.  As with an alternate browser, you need to have the alternate profile configured and tuned to personal taste (although perhaps not as extensively).

      • Run Windows Defender or your preferred antivirus program.
      • Clear your cache and cookies, reset your browser, or uninstall/reinstall it.

      Good steps to do, but I would use the reverse order, of clearing data first.  If this exploit is blocking your ability to get to config settings, then you won’t be able to clear content from inside the browser.  CCleaner works well for this (although you should not choose the registry cleaning options), as does BleachBit (which does not offer cleaning).

      If the problem persists after clearing cache and cookies, then move on to AV scanning.

      I also recommend against uninstall/reinstall of browser, at least for Firefox.  With Firefox, the only reason to do that is if you have concrete reason to believe that program binaries or the Windows registry has been compromised.  Since the time of Windows Vista, that’s unusual, and performance issues are almost always specific to data in the user profile.  If you have a second profile, that’s a fast confirmation that problems are profile-specific.

      Also, it’s worth noting that if you uninstall Firefox, there is an option to choose whether or not to delete user data (that is, your profile(s)).  If you delete your profiles, then you lose all your personal data (especially config preferences, bookmarks, history, stored passwords, etc.)  If the problem is in your profile and you don’t delete the profile, then the problem will persist, and a reinstall accomplishes nothing.

      With Chromium-based browsers, there is a single profile where user data is stored, although I don’t know the geography well enough to suggest where to find data.  But the same principle applies that if you kill content in the profile, then you also remove your personal data, as well.
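      An added example, not from the thread or from Mozilla, for the “write down your tabs” step: Firefox keeps the open-tab list in the profile’s sessionstore-backups/recovery.jsonlz4, so once the locked browser has been killed the tab URLs can be read back from disk instead of from memory. The file is mozlz4 (8-byte magic, 4-byte little-endian size, one LZ4 block); the script below carries a minimal pure-Python LZ4 block decoder and a hand-built sample file (constructed test data) so it runs offline, and it reads only the windows/tabs/entries/index subset of the real session JSON.

```python
import json
MOZLZ4_MAGIC = b"mozLz40\0"  # header: 8-byte magic, 4-byte little-endian size, then one LZ4 block

def _extend(src, i, n):  # LZ4 length extension: add bytes until one is not 255
    while src[i] == 255:
        n, i = n + 255, i + 1
    return n + src[i], i + 1

def lz4_block_decompress(src: bytes, out_size: int) -> bytes:
    """Minimal LZ4 block decoder; a sequence is token, literals, 2-byte offset, match."""
    out, i = bytearray(), 0
    while i < len(src):
        token, i = src[i], i + 1
        lit_len, i = _extend(src, i, 15) if token >> 4 == 15 else (token >> 4, i)
        out += src[i:i + lit_len]
        i += lit_len
        if i >= len(src):  # the final sequence carries literals only
            break
        offset, i = int.from_bytes(src[i:i + 2], "little"), i + 2
        match_len, i = _extend(src, i, 19) if token & 0x0F == 15 else ((token & 0x0F) + 4, i)
        start = len(out) - offset
        if offset == 0 or start < 0:
            raise ValueError("corrupt LZ4 block: bad match offset")
        for k in range(match_len):  # byte-wise copy so overlapping (repeating) matches work
            out.append(out[start + k])
    if len(out) != out_size:
        raise ValueError("corrupt LZ4 block: size mismatch")
    return bytes(out)

def read_mozlz4(data: bytes) -> bytes:
    if data[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    return lz4_block_decompress(data[12:], int.from_bytes(data[8:12], "little"))

def recover_tabs(data: bytes) -> list:
    """URL of the entry currently shown in each tab of each window ("index" is 1-based)."""
    session = json.loads(read_mozlz4(data))
    return [tab["entries"][tab.get("index", len(tab["entries"])) - 1]["url"]
            for win in session.get("windows", []) for tab in win.get("tabs", []) if tab.get("entries")]

def constructed_sample() -> bytes:
    """Hand-encoded mozlz4 of a two-tab session: constructed test data, not a real file."""
    head = b'{"windows":[{"tabs":[{"entries":[{"url":"https://one.example/"}]},'
    tail = b'two.example/"}]}]}]}'
    # seq 1: 66 literals + 28-byte match of '{"entries":[{"url":"https://' from 45 bytes back
    block = bytes([0xFF, 66 - 15]) + head + (45).to_bytes(2, "little") + bytes([28 - 19])
    block += bytes([0xF0, 20 - 15]) + tail  # seq 2: the last 20 literals, no match
    return MOZLZ4_MAGIC + (66 + 28 + 20).to_bytes(4, "little") + block
```

      Against a real profile, call recover_tabs on the bytes of a copy of recovery.jsonlz4 taken while Firefox is closed, so the file is not half-written.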
