Helping people with computers... one answer at a time.
If you're getting messages that your computer is infected, it might be. But you MUST be skeptical and extremely careful about the steps you take next.
My desktop background has disappeared and been replaced with some kind of warning, and I'm getting some kind of message that my computer is infected. I recall some kind of earlier message from Microsoft about "anti-virus" which I told it to go ahead and do, and now I can't get rid of these. What do I do?
•
The above question is actually a distillation of a friend's phone call, followed by what I discovered after a fair amount of research once he brought his computer to my home.
Yes, my friend's computer was infected by one of the latest nasty viruses to make the rounds.
Let's see what we can learn from the experience.
•
The first clue is a subtle one: "some kind of message from Microsoft". Unfortunately, I don't have an image of that message, but it's where I believe the problem went from bad to worse. He probably followed the instructions presented by that message.
Here's the deal: anyone can pop up a message that can be made to look like it came from Microsoft. Just like phishing attempts can make emails look like they came from your bank, it's actually very easy to create a pop-up message on your machine that looks very official and very important ... and totally bogus.
There are typically two types of these messages:
Browser Popups - these messages are nothing more than web pages, or single images loaded from a web page, made to look like some kind of error or warning message. Most of the time they're easy to identify because a) they pop up as you're browsing, and b) the "title bar" across the top of the window includes the name of your browser - "Internet Explorer" in this case. For example, even when visiting Google.com, the title bar still includes the browser name:

If you get a popup message that includes the browser name in the title bar, chances are you're simply looking at a web page designed to look like an error message, nothing more, nothing less. (Note that the address bar - with http://www.google.com in it in the image above - need not be present.) Remember, too, that the "OK", "Cancel" and close buttons drawn on such a page are just part of the page: clicking any of them is clicking a link, so close the browser window itself instead.
Application Popups - these are more difficult to identify on sight, because they're generated by applications actually running on your machine, and an application can draw a popup or window that looks like anything it wants. The worse news here is that if you're getting a bogus message from an application already on your machine - well, it's already on your machine; you're infected.
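The practical way to tell the two kinds apart is to ask Windows which process owns the window. The following PowerShell script is an added example, not code from the original article: it lists every process that owns a visible window, where its executable lives, and whether that executable carries a valid Authenticode signature. A "security alert" whose window belongs to iexplore.exe (or another browser) is just a web page; one owned by an unsigned binary living under %TEMP% or %APPDATA% is the infection itself. It assumes PowerShell 3 or later (for [pscustomobject]) and, for the most complete results, an elevated prompt; the list of "suspect" directories is my own heuristic, not anything the article specifies.

```powershell
# Added example (not from the original article): which process is behind that popup?
# Assumes PowerShell 3+ and, ideally, an elevated prompt (some Path lookups need it).

# Directories where a legitimate program rarely lives but scareware often does.
# This list is an assumption for illustration, not an authoritative rule.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLower() }

Get-Process |
    Where-Object { $_.MainWindowTitle -ne '' } |      # only processes that own a window
    ForEach-Object {
        $proc = $_
        $path = $null
        try { $path = $proc.Path } catch { }           # access denied for some system processes

        $status = 'NoPath'
        $signer = 'n/a'
        if ($path) {
            # Valid / NotSigned / HashMismatch / ... - a tampered or unsigned image stands out
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $inUserDir = $false
        if ($path) {
            $lower     = $path.ToLower()
            $inUserDir = @($suspectDirs | Where-Object { $lower.StartsWith($_) }).Count -gt 0
        }

        [pscustomobject]@{
            Pid         = $proc.Id
            Process     = $proc.ProcessName            # the real owner, whatever the title claims
            WindowTitle = $proc.MainWindowTitle
            Path        = $path
            Signature   = $status
            Signer      = $signer
            Suspect     = ($status -ne 'Valid') -or $inUserDir
        }
    } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

Read the output with the article's own caution: a window titled "Windows Security Alert" that belongs to iexplore.exe is a web page, and closing the browser (from Task Manager if need be, rather than by clicking anything on the page) is enough. A window owned by an unsigned executable in a temp or profile directory is the kind of "application popup" described above. An unsigned binary is not proof of malware, since plenty of legitimate software shipped unsigned, but it is exactly the thing to look up before you click.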
There's another giveaway for identifying bogus messages on your machine, and it's frighteningly easy to spot, and yet frighteningly easy for malware creators to fix should they ever get a clue.
Most malware messages suffer from very bad English, in both spelling and grammar.
Here's (most of) a desktop warning that was present on my friend's machine when I first saw it:

As almost any English speaker can see, the grammar is absolutely horrific in this case. It's clearly not written by an English speaker, and is thus highly suspect. No legitimate company should ever produce a message that awful. (The reverse doesn't hold, though: flawless English is no guarantee that a message is legitimate.)
Similarly, the popup warning that was appearing at the same time:

Again, horrible English, and totally bogus. OK, not totally bogus, in the sense that it's actually accurate: its very presence is the infection.
The problem is that clicking on these messages may cause more malware to be downloaded, or may take you to sites that offer to sell you a solution and either do, or perhaps don't, but collect your credit card information anyway.
So, what's the take-away from all this?
Be skeptical. Always.
If you get an error message you've never seen before and don't understand, don't blindly follow its instructions. Check it out first. Try to get a sense of where it came from. Try searching for the exact message text to see what others might be saying about it. Ask someone. Learn the difference between a well-disguised web page and a real error message. Get familiar with your own anti-malware software so that you'll recognize it when you see it.
But be skeptical.
Particularly if the message is in broken English.
I'll address the specific steps and software I used to (hopefully) clean up this machine in a future article.
Article C3618 - January 12, 2009
January 18, 2009 12:40 PM
I guess I've been lucky. I haven't seen a single pop-up in many years.
The previous replies lead me to ask this perhaps naive question: how does one disconnect from/shut off/disable one's internet connection? I've never seen, as suggested above, a right-click option anywhere.
My connection is via cable. I suppose if I ever did want/need to disconnect from the internet I'd simply unplug my cable modem. Am I missing something?
January 19, 2009 8:19 AM
Thanks Leo, now how do I get rid of it now that it is on my computer?
January 20, 2009 4:05 PM
If all of you haven't run into combofix, available at bleepingcomputer.com, it is a very good program for dealing with this particular virus. It is especially useful when you have problems getting anything at all to run. It can be run in safe mode.
February 4, 2009 8:32 AM
Malwarebytes worked to get rid of "MS Anti-Virus" on my son's computer. AVG had detected it but was unable to clean all the files. I ran Malwarebytes twice (with a disabled internet connection) and it caught everything lurking in the system files. Very effective.
June 10, 2009 9:28 AM
Okay, I have the exact Warning background and pop up you pictured in this article. Been this way for months as nothing seems to get rid of it. I have tried several times to download Malwarebytes as suggested to get rid of it, but every time it errors with a bunch of error and invalid point windows, then just disappears without working. What can I do?
11-Jun-2009