Helping people with computers... one answer at a time.

Spyware uses almost every trick in the book to get onto your machine. Making a web page pop-up that *looks* like it has a Cancel button is just one.

My daughter got an offer at a song lyrics website that had a pop-up, and as always she clicked 'cancel' to get rid of it, then it came back that she had accepted the offer because clicking 'cancel' was to accept the offer! Now we are having problems with the computer, especially application hangs. Did we download spyware or adware inadvertently? So how can we remedy the situation? Just an FYI, I cannot believe what tactics some of these websites will go to to gain access to your PC. Shame on them!

Shame on them, indeed.

Yes, I think it's very likely that your daughter - trying to do the right thing - inadvertently allowed spyware onto your machine.

And yes, sometimes a cancel button isn't a cancel button at all.

While it's possible to tell the difference, it's not always easy.

Quick, without spending a lot of time studying them, if one of these just popped up at you would you be able to tell which is real and which is fake?

At first blush they're very, very similar. In fact, if you saw either one without the other to compare to, you might never even question it.

"It may look like there are "Yes" and "No" buttons, but in fact the page could be authored in such a way that both mean yes ..."

But question it you should, because that's exactly what spyware authors are counting on.

The first is an actual Windows XP confirmation dialog.

The second is an example of a fake. It's not a confirmation dialog at all, but a web page that has been carefully crafted to look like a confirmation dialog.

Now here's where it gets more devious. Since it's a web page, the author of that page can pretty much have it do anything no matter where you click. It may look like there are "Yes" and "No" buttons, but in fact the page could be authored in such a way that both mean yes, or that even clicking anywhere on that popup at all could mean yes.

So you're surfing along, you get this popup where the obvious answer is "No", you click "No" and the popup treats it as if you'd clicked "Yes", or does something that's completely unrelated - like direct you to porn, or initiate a download of spyware.

It's the later scenario that is the most troubling, and in fact the reason that spyware vendors do this at all.

Let's say that the popup didn't ask about deleting "All Your Work", but rather said something like "A virus has been detected, would you like to remove it?"

By posing as a Windows confirmation dialog, the spyware attempts to gain your trust. You think it's Windows asking you something, you click on the button and then it asks you something again - like "are you sure you want this download?". And because you think it's Windows asking, and because it had asked a reasonable question to begin with, you say yes again.

And you've just allowed spyware to be installed.

Shame on them, indeed.

There are many more scenarios that might not be as obvious, but this is one of the most basic: popups that attempt to fool you into thinking that they're not popups at all, but important messages from your system.

What can you do to avoid this?

It boils down to a three-pronged approach. And even though it shouldn't really be necessary, two of those prongs boil down to learning what to watch out for.

  • Technology: A good anti-spyware package with its real time protection enabled is a good start. So is making sure that you have a popup blocker enabled (fortunately they're now built into most web browsers).

  • Visual Characteristics: Look at those two dialogs above again and you'll see that the title bars - the blue areas at the top of each - are different in several ways. The most telling, perhaps, is that in the fake dialog you can see my browser - Mozilla Firefox - attempting to identify itself. More accurately system alerts typically do not have icons, and almost never have the Maximize button (the center of the three buttons on the far right of the title bar). There may be more characteristics you'll also come to see as "suspicious" over time as you start to notice more of these attempts at fakery.

  • Behavioral Characteristics: Perhaps the most important, and the most reliable, is to develop a sense for when popups like this are unexpected, and therefore suspicious. After you surf the web for a bit and use your computer for a bit certain behaviours will start to stand out. Visiting a new web page, for example, by itself shouldn't result in a "virus detected" warning - since that's not when virus detection happens. When you download something, yes, that's when your anti-virus tool's real time protection would kick in, but just visiting a new page should not trigger this type of notification. Again, over time you'll get a sense for what's reasonable, and when.

I also realize that you started this by saying "my daughter" ... and that of course makes these last two items so much more difficult. Without knowing her age or expertise, it might not even be reasonable to expect her to learn these types of nuances (and they are admittedly nuances).

That's when you rely most heavily on your anti-spyware software, good local network security, and of course a good backup regimen to help recover when the inevitable happens.

Which leads to the final point.

What do you do once you've got spyware?

Sadly the news isn't much better than it is for viruses.

  • Try your up-to-date anti-spyware and other anti-malware tools to see if they can remove the infection.

  • Try a System Restore to a point prior to the infection.

  • Look for manual removal instructions out on the web specific to the infection you have.

Failing any of that there are only two approaches that are absolutely guaranteed to remove the spyware:

  • Restore from a full-image backup taken prior to the infection.

  • Backup, reformat and reinstall.

Fortunately in many cases, there are tools out there that can remove most common spyware, though it may require a little searching.

Article C3936 - November 27, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

17 Comments
Steve
November 28, 2009 12:59 AM

To close the dialogue without clicking Accept or Cancel hold down the Alt Key and press F4.
Should work on most windows/popups.

Mark
November 28, 2009 7:08 AM

I used to click on the cancel button in the middle of the pop-up simply assuming that it meant what it said. Luckily in those cases it only opened another web-site offering a fak antivirus program or something similar. But if you click on the X in the upper right hand corner, that will really cancel the window as that X is put there by Windows (or what ever OS you are using, Mac puts it on the left)

Mark
November 28, 2009 8:32 AM

Shortly after my last comment here I got on of those pop-ups. I use the Web of Trust www.mywot.com plug-in which gives a user rating of web-sites.In the case of aa website having a poor rating, the web site opens witn a warning that it is a site reated insecure by MYWOT users. When that happens I simply clost that tab or window. I highly recommend it.

Luka
November 28, 2009 9:00 AM

Like Mark said, safest thing is to close the pop-up via X, not clicking buttons. Or have good pop-up blocker.

As far as virus warnings go I tend to ignore windows that simply pop up out of nowhere. I know which anti-virus program I use and how that program informs me when it detected something. Anything else it's likely fake. If by any chance it's a real warning then my anti-virus program will pick it up and deal with it anyway.

R. Moose
November 28, 2009 1:11 PM

Be careful of just clicking on the X... there are some popups that are overlays and/or chromeless windows that have it that even if you click the X it still will act like an 'accept' action. I find it better to just close the browser tab or window.

led
November 29, 2009 8:53 PM

I also wanted to add that the best thing to do in downloading is to visit trusted sites and avoid those we dont really know in that way we are avoiding programs that might infiltrate our system aside from having a spyware blockers  installed in your pc

Peter W
December 1, 2009 8:52 AM

I found it amusing / ironic that whilst reading this page I got Leo's 'op-up' asking me if I wanted the newsletter!! :-)

billzfantazy
December 1, 2009 9:02 AM

I wouldn't risk clicking the "X" safest bet is doing a ctrl alt del & closing from the task manager.

Eric
December 1, 2009 9:45 AM

use Ctrl+W or the "x" on the browser Tab and then you do not have to click anything within the open Tab

Dave Markley
December 1, 2009 9:48 AM

As I do pc repair for a living, I've often seen spyware and virus' attack this way. One of the worst is the '360 Virus', in which the pop-up looks almost exactly like a Nortan 360 Internet Security screen. Clicking on "no", or even the red "X" in the top right corner will download the 360 Virus, which can wipe out your pc in no time. What I do when I get such a pop-up is to just reboot the computer (without closing the browser). Do not click anywhere on the pop-up at all, as any part of it can be programmed to download a virus.

Marcel
December 1, 2009 10:34 AM

Hi, The only really safe way to close these Popup without harm is to close the window thru ALT + F4 keys sequence. there is no guessing as to where or how to click, the window is cancel period.

Tony
December 1, 2009 6:36 PM

I was recently "attacked" by a very genuine looking Cyber Security offer on my work computer. I tried to reject it but it still got onto my system somehow. Any further attempt to use Internet Explorer to access a regular work related site,met with a notice saying "This site has been reported to Microsoft as suspicious ......recommend its use be discontinued". Spybot Search & Destroy was used to find and remove it.

metta hansen
December 1, 2009 7:06 PM

I see several ways to deal with suspect sites in the above comments. Which one is best/safest?

josh
December 2, 2009 6:00 AM

common sense works well - before clicking or allowing pop-ups. but pop-ups should not even come up most of the time. try playing with security/pop-up settings in firefox (or whichever browser).

if i get a pop-up i click red cross (explorer window) or alt+F4 either way its gone.

Nathan
May 17, 2010 11:45 AM

I find the best way to get rid of these popups is to open task manager, find the popup and kill them that way. No restart of the computer needed (as suggested by Dave)

Richard
January 23, 2011 2:26 AM

Yes is the answer. The thing is, the popups are hand coded, as part of the javascript and it's very very easy to create a popup box where both the yes and no buttons do the same thing. However, the top right hand "x" can't be hand coded and is hard coded into java itself. Clicking on that will close the dialog box.

Richard Tanfield-Johnson
Web Designer @ IT-Green

Udi
December 23, 2011 4:40 AM

I just faced the problem with chrome (which I always thought had a built in pop-up blocker).
Anyways, there was no red button in the upper corner for me to close it down.
So I tried to close the tab with the cross (x) on the tab... Even that did not work...the pop-up did not allow me to close the tab... it was of an annoying company (mackeeper or something like that) telling me to clean my mac... Hell NO!!!

But I found a solution to get rid of that nonsense:

I dragged the tab away from all other tabs. So it openened as in a single new window.... and tadaa!!! there was the red button in the left upper corner.... Gone was the SPAM pop-up...
hope it works in other browsers as well...

cheers

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.