
An unfortunately common attack vector for malware is via malicious or hacked websites. I'll look at the signs, and the steps you need to take.

I went to a website and the moment I got there, my computer started to tell me that I had a virus. I knew I did not, except for this advertising; I have antivirus and antispyware and it still got in. I found it and put the program in the All Users application data. After I removed it and restored to an earlier date, it was gone. I went back to the same site and nothing happened. So, my question is: how did it install the program on my computer, and why did it not do it the second time I went back to the same site?

First, I want to let you know that you were lucky; this approach to malicious infection is incredibly devious and, sadly, often successful.

I also want to say that if you restored from a backup to get rid of it, that's excellent. Unfortunately, other manual approaches to getting rid of malware - including system restore - are not guaranteed to always remove all traces.

Let's review what probably happened.

It's A Trap!

It's pretty easy to make something that looks like a very legitimate Windows alert or error message that tells you "OMG! YOU'RE INFECTED! CLICK OK TO FIX IT!".

[Image: fake alert dialog reading "OMG You're Infected! Not."]

(I've used a very simple example - actual malware often replicates very complex and official looking alert dialogs and message boxes.)

Of course, if you click on OK rather than dismissing the warning, the fake message box is crafted to take that as a request to download and install malware. In fact, a fake message box can be crafted so that anything that you might do to close it, including clicking the "x" at the upper right or typing ALT+F4 to exit, actually instructs your browser to download and install malware.

Various approaches, including limited user accounts or Windows User Account Control, can help thwart the attempt or minimize the damage, but on systems where security is lax, this is one way that malware purveyors get onto your machine.

A very common type of malware that does this is often referred to as "hostage-ware", because once installed, it demands payment to download software that will supposedly remove the malware.

Don't. Not only will you have given your credit card information to one of the bad guys, but often, the "fix" simply doesn't.

Avoiding The Trap

Naturally, the common advice is to avoid websites where you know that this might happen.

Unfortunately, as we'll see in a moment, that's easier said than done. Even websites that you can trust can be hacked and this is a common result.

No, as dramatic as it might seem, the only secure way to move on when this type of unexpected and malicious warning pops up is to kill or "End Task" the browser:

[Image: Task Manager, End Task on the browser]

By that, I mean right-click on the clock, click on Task Manager, and, in the applications list, right-click on your browser and click on End Task. Repeat for any additional instances of the browser that you find in this list.

This forceful exit causes your browser to stop running immediately and, as a result, doesn't give the malicious software an opportunity to do anything more beyond displaying that message.

Disappearing Traps?

I won't ask why you went back. My first bit of advice would, of course, be don't go back. At least, not until you get some assurances from someone or somewhere else that the site has been fixed or that a typo took you to the wrong site.

As I mentioned above, this technique for distributing malware is one of the approaches that hackers take when they hack into an otherwise legitimate website.

Naturally, you want to be able to trust trustworthy sites. By and large, you can. But every so often, a good site might find itself in the position of inadvertently offering up malware. You can bet that they'll run to fix it as fast as they can when they find out, but in the meantime, visitors could get infected.

So, perhaps, by the time you came back, that's exactly what had happened. The site had been repaired.

The typo scenario is also a common one. It's not unusual to typo a domain name when entering it into your address bar. Hackers know this and often set up fake sites on these typo-domains that spread malware, act as phishing sites, or more.

It's an argument for using services like OpenDNS, which can be configured to block many of these sites, or other tools which auto-correct common typos.

So, it's also possible that your "return" wasn't a return at all, but rather a visit to the real site where perhaps a typo-site caused your original problem.

One thing that I'm fairly certain of: hackers aren't likely to say "Oh, we already infected this machine once, let's leave it alone this time." :-)

Article C4788 - April 9, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


16 Comments
Me
April 12, 2011 8:16 AM

In Firefox, it might try to restore tabs on restart. If that happens just kill the process again.

Ian Skinner
April 12, 2011 8:17 AM

Another possibility for the sometimes on sometimes off attack would be advertising based malicious code.

I.E. The first visit displayed a compromised advertisement, but the subsequent one did not.

RJ
April 12, 2011 9:36 AM

I hate these viruses. Sometimes Ctrl+Delete doesn't even work; there are some malware that will lock the task manager. Leo, if my task manager gets locked by malware, how can I stop it from download

JP
April 12, 2011 9:46 AM

What about finishing the clean-up with a Malwarebytes sweep to destroy the attacking virus?

Steuart B
April 12, 2011 11:25 AM

I've seen many variations of this type of attack that disable access to task manager, replace msconfig with a false copy, infect your restore points, disable access to safe mode, and block access to MalwareBytes and its website. It slid right past Norton and McAfee as recently as a few weeks ago. Bit Defender blocked part of it only after the infection took root. Given time this thing will shut down every user capability except paying for the hostage-ware. I suggest disconnecting the cable if you're hardwired, or killing the wi-fi connection rather than trying to rely on task manager. The faster you can kill your Internet link when the false warning pops up the better the chance of quick recovery.

Snert
April 12, 2011 11:36 AM

I've had this happen - Blammo!
"E-Scan has detected spyware on your computer. Scanning for threats." Immediately several showed up where I was positive there couldn't be any.
I had to shut down my machine to stop it; dynamite it, so to speak, using the "OFF" switch in the rear; nothing else worked.
I ran a full scan using ALL my Good Guys stuff with negative results.

Joyce
April 12, 2011 12:05 PM

This type of malware infects all the computers in my home on a daily basis. Most of the time, I can get to the task manager and end the task immediately before the malware installs itself. Other times, I cannot. In fact, first my desktop was sent to be repaired because restore to previous date, starting in safe mode, etc. would not work and I couldn't get on the internet or run any of the 3 spyware/virus programs I have on my computer. Next, my laptop ended up the same way. I would like to find someone who can answer the question, "How do I stop this from happening?"

On a daily basis? Wow. I would notice which websites you visit that make this happen and then stop visiting them. Period.
Leo
12-Apr-2011

Brad
April 12, 2011 12:39 PM

Joyce:
'This type of malware infects all the computers in my home on a daily basis.

I'd suggest, then, that the original instance of infection has YET to be cleared from at least one (or all) of your home machines.

Note Steuart B.'s comment. Some of these 'hostage-ware' instances run VERY deep, and MAY require a reload... from scratch.

IF, in fact, all of your machines HAVE been successfully 'cleaned' and you indeed are RE-infected '..on a daily basis', the way you stop it from happening is by NOT continuing to go to the website that is causing the problem in the first place.

Nick Lesage
April 12, 2011 2:39 PM

In my retirement job of helping (mostly) older folk with computers I fix this problem several times a month. My routine is to remove the HDD and install it as a slave on a spare PC, and to run MBAM. Then, after reinstalling the HDD I ensure that security settings are OK, using a system restore if need be. Total charged time is 1 hour.

Juan
April 12, 2011 2:59 PM

A lot of those pesky malicious software are indeed from crooks bent on getting your personal info (bank account #) and so on, but a lot of them are tweakers wanting to get a hold of some fast cash to support their drug habit. I know cause I've known of at least 3 of them, and they have admitted this to me.

Dennis Bauer
April 12, 2011 3:55 PM

Hi Leo, you won't remember, but I sent an email at the end of last year, 2010, about this same thing happening, exactly the same thing. You told me it was a program on my computer that was the problem. This is happening more and more lately; at the moment the website youtubedownload altervista.org is doing it. I click on it and MBAM stops the infection. I contacted a friend in this same town and they clicked on it and the same thing happened. Everyone assumes you're going to porn sites and won't help, and it's not the case. There will be more and more of this, I think, because there are a lot of smart IT people out of work; I don't think it's just druggies and crooks. I don't think the antivirus/spyware people can keep up with it; it's doing the net a lot of harm. Thank you Leo, I look forward to your emails every week.
Best Wishes

Joyce
April 13, 2011 8:12 AM

I have disinfected all computers, and it continues to happen, not just daily, but often several times a day. It's not just one site doing it. I can be researching something in google and it will happen before even going to the site to read the article. I have a repairman coming out next week with a new modem and router (both of which date back to our first getting DSL). I am hoping he can resolve the problems.

I'll simply ask this: how do you KNOW that a computer has been truly disinfected? Answer: unless you reformatted and reinstalled Windows and all applications from scratch, you do not. Once infected, there are no guarantees that tools of any sort can completely clean the machine.

Leo
14-Apr-2011
Joyce
April 27, 2011 7:00 AM

I replied earlier about being infected daily. You recommended not going to those sites. My repairman said my computer was badly infected, that there were residuals left on the computer after running all the antimalware and virus programs I could think of to get rid of what was infecting my machine. He said it can happen to anyone at any time visiting all sorts of sites, like looking up recipes, which I do a lot! My husband looks up Christian sites. So the answer not to visit certain sites doesn't work. Since he has disinfected my machine (and he did NOT reformat my hard drive) I have not had a virus. I did have him install a new secured modem/wireless network at the same time.

Dave duChene
April 27, 2011 7:55 AM

Good article. Sent it to my entire list of contacts. I have to deal with this problem several times a month. This information will help.
Dave

Constantine
July 29, 2011 11:19 PM

I do not know if this will help, but in Firefox there is an excellent add-on that is called NoScript.
What it does is prevent the execution of any script from a page you visit unless they are authorised. That means no ads, no flash player etc. unless explicitly authorised.

So far, for me, it has been a great help with reducing warnings of the kind mentioned in the article. It is however, like any line of defense, just one line of defense. Antivirus, antimalware etc. are all part of the picture.

jpChris
August 5, 2011 1:16 PM

I doubt anyone is reading this far back, but, what I do when I get "one of those . . ." is to unplug my modem and then kill the process in Task Manager. That way nothing can be downloaded.
