Posted

OS: Windows 11 Pro 64bit
Kaspersky: Kaspersky Standard (5 device license)

Problem Description

A PC used by a family member has picked up a malware infection.

Symptoms:

  • The user became concerned when the system suddenly started popping up notices saying "Virus infection detected". These notices claim to be from Windows Defender and/or "Windows WebAddvisor".
  • These notices are persistent. They pop up 3 at a time, and if you try to dismiss them using the "X" close button, another one pops up immediately. I take this to mean malware code is running locally on the machine (the notices persist even if no browser is open).
  • The "click here" link on the notices purports to take the user to the AVG Antivirus web site. The site that opens looks legitimate (it appears to actually be the AVG site), but I know scammers are incredibly good at faking legitimate sites these days.
  • The issue appears to be linked to a single user account at this point. The popups occur in one user account (the regular user of the machine), but not if I log in myself using my own user account.

Screenshot:

(screenshot attached)

Actions

  1. I ran a full system scan in KAV, but this found nothing.
  2. I have checked the list of running applications visually in Task Manager, and checked the normal Windows "auto start" locations in the file system and the registry, but I haven't seen anything that looks obviously bad. However, I know malware authors are incredibly good at hiding their traces, so I had limited hope that this would yield results.

My concern at this point is that I believe we have a malware infection and I don't know where it is or what it's doing. I am also concerned that KAV doesn't seem able to detect and fix it.

Superficially this appears to be just an irritating ad scam; however, I don't like the idea of unwanted code running on the machine, because who knows what it could be doing in the background.

 

Malware popup Screenshot 2025-09-15 133255.png

harlan4096
Posted

Welcome to Kaspersky Community.

Please provide version of K. product installed.

That looks like just a fake / false infection pop-up warning coming from a site, just a site notification in your browser, not a real infection.

The funny thing is that WebAdvisor is a real product, but from McAfee, not AVG.

If you are using MS Edge, check this:

https://support.microsoft.com/en-us/microsoft-edge/manage-website-notifications-in-microsoft-edge-0c555609-5bf2-479d-a59d-fb30a0b80b2b#:~:text=Select Settings > Cookies and site,select either Remove or Block

Similar steps can be done in all the browsers.

I would recommend installing an extension to avoid ads in browsers:

uBlock Origin -> Firefox
uBlock Origin Lite -> Chrome, MS Edge, Opera

Posted

Hi, thanks for coming back to me.

>> Please provide version of K. product installed.

Hmm. I've been using KAV for years, but every couple of years they change the UI, and now I find this very basic question isn't so easy to find the answer for. Annoying that this information does not seem to exist in the main application UI (surely this can't be true?). However, I found it under the right-click context menu of the systray icon:

Kaspersky Standard 21.227.7.466 (a)
Virus database is up to date

>> That looks like just a fake / false infection pop-up warning coming from a site, just a site notification in Your browser, not a real infection.

Yes, that does seem to be the case. They do quite a good job of mimicking OS notifications. I originally thought that the popups were independent of the browser; however, I was mistaken.

This user uses Google Chrome as their default browser. A couple of days ago they noticed that their Chrome home page had changed from their personal set of preferred links to a generic set of home links (YouTube, Netflix etc.). I have checked and they have no Chrome extensions installed, so it seems this home page has been hacked or overridden and this is where the popups are being triggered.

Kinda worrying that the Chrome config can be changed in this way without the user realising.

Any hints on cleaning up the start page would be welcome. Worst case I can remove and reinstall Chrome, but I'm rather concerned whether the same thing could happen again on a "drive-by" basis, i.e. if this can happen just because the user visits the wrong web site.

Posted

@colin_e

14 minutes ago, colin_e said:

Adware

Also, did you check with AdwCleaner?
Posted

Also, do a Chrome config reset, and check in your Windows -> Control Panel -> Programs and Features whether there is a suspicious app installed.

Posted (edited)

As far as I can tell, this malware works by overriding the meaning of the "New Tab" address in Chrome (chrome://newtab), replacing the real editable start page with a fake (non-editable) copy of the default start page.

I found a useful comment on Reddit: "Found a solution to the chrome://newtab yahoo/bing/etc search hijacker" (r/chrome).

Unfortunately it seems to spray bad links all over the user's profile (mostly directed via Yahoo), so a profile reset or a clean reinstall of Chrome may be the only options.

Edited by colin_e
fix typo
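As an added example (not part of this thread, and not a Kaspersky or Chrome tool), the script below checks a Chrome profile for the two things discussed above: harlan4096's point that the "virus detected" pop-ups are site notifications the browser has been given permission to show, and colin_e's observation that the hijack rewrote the start page, the new-tab page and the search links. It reads the profile's `Preferences` JSON (and `Secure Preferences`, where current Chrome keeps the search-engine and extension entries) and reports notification grants, start-up and home page overrides, a default search engine that is not on an expected list, and any extension that overrides chrome://newtab. The key paths are the ones Chrome writes; the embedded sample JSON, the `KNOWN_GOOD_SEARCH_HOSTS` list and every host name in them are constructed for the demo.

```python
"""Audit a Chrome profile for the hijack signs discussed in this thread.

Added example, not the thread's, Kaspersky's or Chrome's code.  Reads the
profile's 'Preferences' and 'Secure Preferences' JSON files (key paths as
Chrome writes them) and reports:
  - origins granted notification permission (the channel for fake AV pop-ups)
  - start-up URL / homepage overrides
  - a default search engine whose host is not on an expected list
  - extensions that override chrome://newtab
SAMPLE_PREFS and KNOWN_GOOD_SEARCH_HOSTS are constructed for the demo.
"""
import json
import sys
from pathlib import Path
from urllib.parse import urlparse

ALLOW = 1               # Chrome ContentSetting: 1 = ALLOW, 2 = BLOCK, 3 = ASK
OPEN_SPECIFIC_URLS = 4  # session.restore_on_startup: "open a specific set of pages"

# Assumption for the demo: engines this user would have chosen deliberately.
KNOWN_GOOD_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed sample in Chrome's Preferences layout; all hosts are made up.
SAMPLE_PREFS = {
    "homepage": "https://search.hijack-redirector.test/?hp=1",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": OPEN_SPECIFIC_URLS,
                "startup_urls": ["https://search.hijack-redirector.test/"]},
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://alerts-scan.example:443,*": {"setting": 1},   # the fake AV site
        "https://mail.google.com:443,*": {"setting": 1},       # a legitimate grant
        "https://news.example:443,*": {"setting": 2},          # blocked, not reported
    }}}},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "search.test",
        "url": "https://search.hijack-redirector.test/s?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1, "manifest": {
            "name": "Demo Tab", "version": "1.0",
            "chrome_url_overrides": {"newtab": "ntp.html"}}},
    }},
}


def deep_update(dst, src):
    """Merge src into dst recursively so the two preference files combine."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            deep_update(dst[key], value)
        else:
            dst[key] = value
    return dst


def load_profile(profile_dir):
    """Load and merge Preferences + Secure Preferences from a profile directory."""
    merged = {}
    for name in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / name
        if path.is_file():
            deep_update(merged, json.loads(path.read_text(encoding="utf-8")))
    return merged


def notification_grants(prefs):
    """Origins allowed to push notifications, e.g. 'https://host:443'."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    # Pattern keys look like 'https://host:443,*'; keep the primary pattern only.
    return sorted(pattern.split(",")[0] for pattern, entry in exceptions.items()
                  if entry.get("setting") == ALLOW)


def startup_overrides(prefs):
    """Homepage and start-up settings a hijacker typically rewrites."""
    session = prefs.get("session", {})
    return {"homepage": prefs.get("homepage"),
            "homepage_is_newtabpage": prefs.get("homepage_is_newtabpage"),
            "restore_on_startup": session.get("restore_on_startup"),
            "startup_urls": list(session.get("startup_urls", []))}


def search_provider(prefs):
    """Default search engine; 'unexpected' if its host is not on the allow-list."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url", "")
    host = urlparse(url).hostname or ""
    return {"name": data.get("short_name"), "url": url,
            "unexpected": bool(url) and host not in KNOWN_GOOD_SEARCH_HOSTS}


def newtab_overrides(prefs):
    """Extensions whose manifest replaces chrome://newtab: (id, name, page)."""
    found = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        page = manifest.get("chrome_url_overrides", {}).get("newtab")
        if page:
            found.append((ext_id, manifest.get("name"), page))
    return found


def findings(prefs):
    """Human-readable list of hijack indicators; empty for a clean profile."""
    report = [f"notification permission granted to {o}" for o in notification_grants(prefs)]
    so = startup_overrides(prefs)
    if so["restore_on_startup"] == OPEN_SPECIFIC_URLS and so["startup_urls"]:
        report.append("startup opens fixed URLs: " + ", ".join(so["startup_urls"]))
    if so["homepage"] and not so["homepage_is_newtabpage"]:
        report.append(f"homepage set to {so['homepage']}")
    sp = search_provider(prefs)
    if sp["unexpected"]:
        report.append(f"default search engine {sp['name']!r} -> {sp['url']}")
    for ext_id, name, page in newtab_overrides(prefs):
        report.append(f"extension {name!r} ({ext_id}) overrides chrome://newtab with {page}")
    return report


if __name__ == "__main__":
    prefs = load_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for line in findings(prefs) or ["no hijack indicators found"]:
        print(line)
```

Run it with the profile directory as the argument (on Windows the default profile is `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) while Chrome is closed; with no argument it runs against the embedded sample. A notification grant to a site the user does not recognise is what to revoke under chrome://settings/content/notifications; rewritten `startup_urls`, `homepage` or search URLs pointing at a redirector are the profile-level damage colin_e describes, which a settings reset (chrome://settings/reset) clears. The script only reads the files: Chrome protects tracked values in `Secure Preferences` with an HMAC and resets entries whose MAC does not match, so hand-editing that file is not a reliable fix.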
