Ask Leo! by Leo A. Notenboom

Can clicking "Cancel" still mean "Accept" when I get a popup?


Summary: Spyware uses almost every trick in the book to get onto your machine. Making a web page pop-up that *looks* like it has a Cancel button is just one.

My daughter got an offer at a song lyrics website that had a pop-up, and as always she clicked 'cancel' to get rid of it, then it came back that she had accepted the offer because clicking 'cancel' was to accept the offer! Now we are having problems with the computer, especially application hangs. Did we download spyware or adware inadvertently? So how can we remedy the situation? Just an FYI, I cannot believe what tactics some of these websites will go to to gain access to your PC. Shame on them!

Shame on them, indeed.

Yes, I think it's very likely that your daughter - trying to do the right thing - inadvertently allowed spyware onto your machine.

And yes, sometimes a cancel button isn't a cancel button at all.

While it's possible to tell the difference, it's not always easy.

Quick, without spending a lot of time studying them, if one of these just popped up at you would you be able to tell which is real and which is fake?

At first blush they're very, very similar. In fact, if you saw either one without the other to compare to, you might never even question it.

But question it you should, because that's exactly what spyware authors are counting on.

The first is an actual Windows XP confirmation dialog.

The second is an example of a fake. It's not a confirmation dialog at all, but a web page that has been carefully crafted to look like a confirmation dialog.

Now here's where it gets more devious. Since it's a web page, the author of that page can pretty much have it do anything no matter where you click. It may look like there are "Yes" and "No" buttons, but in fact the page could be authored in such a way that both mean yes, or that even clicking anywhere on that popup at all could mean yes.

So you're surfing along, you get this popup where the obvious answer is "No", you click "No" and the popup treats it as if you'd clicked "Yes", or does something that's completely unrelated - like direct you to porn, or initiate a download of spyware.
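The two tricks just described, a "No" that does what "Yes" does and a click anywhere counting as acceptance, are visible in a page's markup. The following is an added example, not part of the original article: a small static check in JavaScript, where `auditPopup`, the label lists and both sample dialogs (including the `/offer/accept` placeholder path) are assumptions made for illustration.

```javascript
// Added example: static check of popup markup for the two tricks above.
const ACCEPT = /^(yes|ok|accept|install)$/i;      // assumed label list
const DECLINE = /^(no|cancel|close|decline)$/i;   // assumed label list

// Read one double-quoted attribute value out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*"([^"]*)"`, "i").exec(attrs);
  return m ? m[1].trim() : null;
}

function auditPopup(html) {
  const findings = [];
  const controls = [];
  const tagRe = /<(a|button|input|div|body)\b([^>]*)>([^<]*)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const action = attr(m[2], "onclick") || attr(m[2], "href");
    if (tag === "div" || tag === "body") {
      // A click handler on the container fires wherever the user clicks.
      if (attr(m[2], "onclick")) findings.push(`click-anywhere handler on <${tag}>`);
      continue;
    }
    const label = (attr(m[2], "value") || m[3]).trim();
    if (action) controls.push({ label, action });
  }
  // Any "decline" control wired to the same action as an "accept" control.
  const accepts = new Set(controls.filter(c => ACCEPT.test(c.label)).map(c => c.action));
  for (const c of controls) {
    if (DECLINE.test(c.label) && accepts.has(c.action)) {
      findings.push(`"${c.label}" triggers the same action as an accept button`);
    }
  }
  return findings;
}

// Constructed sample markup; /offer/accept is a placeholder path.
const FAKE_DIALOG = `
<div class="dialog" onclick="location.href='/offer/accept'">
  <a href="/offer/accept">Yes</a>
  <a href="/offer/accept">No</a>
</div>`;
// Constructed benign counterpart: the two buttons do different things.
const HONEST_DIALOG = `
<div class="dialog">
  <button onclick="startInstall()">Yes</button>
  <button onclick="window.close()">No</button>
</div>`;
console.log(auditPopup(FAKE_DIALOG), auditPopup(HONEST_DIALOG));
```

The check only reads handlers written into the markup; handlers attached from script are not seen, so a clean result does not prove a popup is honest.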

It's the latter scenario that is the most troubling, and in fact the reason that spyware vendors do this at all.

Let's say that the popup didn't ask about deleting "All Your Work", but rather said something like "A virus has been detected, would you like to remove it?"

By posing as a Windows confirmation dialog, the spyware attempts to gain your trust. You think it's Windows asking you something, you click on the button and then it asks you something again - like "are you sure you want this download?". And because you think it's Windows asking, and because it had asked a reasonable question to begin with, you say yes again.

And you've just allowed spyware to be installed.

Shame on them, indeed.

There are many more scenarios that might not be as obvious, but this is one of the most basic: popups that attempt to fool you into thinking that they're not popups at all, but important messages from your system.

What can you do to avoid this?

It boils down to a three-pronged approach. And even though it shouldn't really be necessary, two of those prongs boil down to learning what to watch out for.

  • Technology: A good anti-spyware package with its real time protection enabled is a good start. So is making sure that you have a popup blocker enabled (fortunately they're now built into most web browsers).

  • Visual Characteristics: Look at those two dialogs above again and you'll see that the title bars - the blue areas at the top of each - are different in several ways. The most telling, perhaps, is that in the fake dialog you can see my browser - Mozilla Firefox - attempting to identify itself. More accurately, system alerts typically do not have icons, and almost never have the Maximize button (the center of the three buttons on the far right of the title bar). There may be more characteristics you'll also come to see as "suspicious" over time as you start to notice more of these attempts at fakery.

  • Behavioral Characteristics: Perhaps the most important, and the most reliable, is to develop a sense for when popups like this are unexpected, and therefore suspicious. After you surf the web for a bit and use your computer for a bit, certain behaviours will start to stand out. Visiting a new web page, for example, by itself shouldn't result in a "virus detected" warning - since that's not when virus detection happens. When you download something, yes, that's when your anti-virus tool's real-time protection would kick in, but just visiting a new page should not trigger this type of notification. Again, over time you'll get a sense for what's reasonable, and when.

I also realize that you started this by saying "my daughter" ... and that of course makes these last two items so much more difficult. Without knowing her age or expertise, it might not even be reasonable to expect her to learn these types of nuances (and they are admittedly nuances).

That's when you rely most heavily on your anti-spyware software, good local network security, and of course a good backup regimen to help recover when the inevitable happens.

Which leads to the final point.

What do you do once you've got spyware?

Sadly the news isn't much better than it is for viruses.

  • Try your up-to-date anti-spyware and other anti-malware tools to see if they can remove the infection.

  • Try a System Restore to a point prior to the infection.

  • Look for manual removal instructions out on the web specific to the infection you have.

Failing any of that there are only two approaches that are absolutely guaranteed to remove the spyware:

  • Restore from a full-image backup taken prior to the infection.

  • Back up, reformat and reinstall.

Fortunately in many cases, there are tools out there that can remove most common spyware, though it may require a little searching.

Article C3936 - November 27, 2009


Recent Comments
15 Comments

Hi, the only really safe way to close these popups without harm is to close the window through the ALT + F4 key sequence. There is no guessing as to where or how to click; the window is cancelled, period.

Posted by: Marcel at December 1, 2009 10:34 AM

I was recently "attacked" by a very genuine looking Cyber Security offer on my work computer. I tried to reject it but it still got onto my system somehow. Any further attempt to use Internet Explorer to access a regular work related site, met with a notice saying "This site has been reported to Microsoft as suspicious ......recommend its use be discontinued". Spybot Search & Destroy was used to find and remove it.

Posted by: Tony at December 1, 2009 6:36 PM

I see several ways to deal with suspect sites in the above comments. Which one is best/safest?

Posted by: metta hansen at December 1, 2009 7:06 PM

Common sense works well - before clicking or allowing pop-ups. But pop-ups should not even come up most of the time. Try playing with security/pop-up settings in Firefox (or whichever browser).

If I get a pop-up I click the red cross (Explorer window) or Alt+F4; either way it's gone.

Posted by: josh at December 2, 2009 6:00 AM

I find the best way to get rid of these popups is to open task manager, find the popup and kill them that way. No restart of the computer needed (as suggested by Dave)

Posted by: Nathan at May 17, 2010 11:45 AM
