An unfortunately common attack vector for malware is via malicious or hacked websites. I'll look at the signs, and the steps you need to take.
I went to a website and the moment I got there, my computer started to tell me that I had a virus. I know I did not, except for this advertising; I have antivirus and antispyware and it still got in. I found it and put the program in the all users application data. After I removed it and restored to an earlier date, it was gone. I went back to the same site and nothing happened. So, my question is how did it install the program on my computer and why did it not do it the second time I went back to the same site?
First, I want to let you know that you were lucky; this approach to malicious infection is incredibly devious and, sadly, often successful.
I also want to say that if you restored from a backup to get rid of it, that's excellent. Unfortunately, other manual approaches to getting rid of malware - including system restore - are not guaranteed to always remove all traces.
Let's review what probably happened.
It's pretty easy to make something that looks like a very legitimate Windows alert or error message that tells you "OMG! YOU'RE INFECTED! CLICK OK TO FIX IT!".
(I've used a very simple example - actual malware often replicates very complex and official-looking alert dialogs and message boxes.)
Of course, if you click on OK rather than dismissing the warning, the fake message box is crafted to take that as a request to download and install malware. In fact, a fake message box can be crafted so that anything that you might do to close it, including clicking the "x" at the upper right or typing ALT+F4 to exit, actually instructs your browser to download and install malware.
Various approaches, including limited user accounts, or Windows User Account Control, can help thwart the attempt or minimize the damage, but on systems where security is lax, this is one way that malware purveyors get on to your machine.
A very common type of malware that does this is often referred to as "hostage-ware", because once installed, it demands payment to download software that will supposedly remove the malware.
Don't. Not only will you have given your credit card information to one of the bad guys, but often, the "fix" simply doesn't.
Naturally, the common advice is to avoid websites where you know that this might happen.
Unfortunately, as we'll see in a moment, that's easier said than done. Even websites that you can trust can be hacked and this is a common result.
No, as dramatic as it might seem, the only secure way to move on when this type of unexpected and malicious warning pops up is to kill or "End Task" the browser:
By that, I mean right-click on the clock, click on Task Manager, and, in the applications list, right-click on your browser and click on End Task. Repeat for any additional instances of the browser that you find in this list.
This forceful exit causes your browser to stop running immediately and, as a result, doesn't give the malicious software an opportunity to do anything more beyond displaying that message.
I won't ask why you went back. My first bit of advice would, of course, be don't go back. At least, not until you get some assurances from someone or somewhere else that the site has been fixed or that a typo took you to the wrong site.
As I mentioned above, this technique for distributing malware is one of the approaches that hackers take when they hack into an otherwise legitimate website.
Naturally, you want to be able to trust trustworthy sites. By and large, you can. But every so often, a good site might find itself in this position of inadvertently offering up malware. You can bet that they'll run to fix it as fast as they can when they find out, but in the meantime, visitors could get infected.
So, perhaps, by the time you came back, that's exactly what had happened. The site had been repaired.
The typo scenario is also a common one. It's not unusual to mistype a domain name when entering it into your address bar. Hackers know this and often set up fake sites on these typo-domains that spread malware, act as phishing sites, or worse.
It's an argument for using services like OpenDNS, which can be configured to block many of these sites, or other tools which auto-correct common typos.
So, it's also possible that your "return" wasn't a return at all, but rather a visit to the real site where perhaps a typo-site caused your original problem.
One thing that I'm fairly certain of: hackers aren't likely to say "Oh, we already infected this machine once, let's leave it alone this time".