
If you're getting messages that your computer is infected, it might be. But you MUST be skeptical and extremely careful about the steps you take next.

My desktop background has disappeared and been replaced with some kind of warning, and I'm getting some kind of message that my computer is infected. I recall some kind of earlier message from Microsoft about "anti-virus" which I told it to go ahead and do, and now I can't get rid of these. What do I do?

The above question is actually a distillation of a friend's phone call, followed by what I discovered after a fair amount of research once he brought his computer to my home.

Yes, my friend's computer was infected by one of the latest nasty viruses to make the rounds.

Let's see what we can learn from the experience.

The first clue is a subtle one: "some kind of message from Microsoft". Unfortunately, I don't have an image of that message, but it's where I believe the problem went from bad to worse. He probably followed the instructions presented by that message.

Here's the deal: anyone can pop up a message that can be made to look like it came from Microsoft. Just like phishing attempts can make emails look like they came from your bank, it's actually very easy to create a pop-up message on your machine that looks very official and very important ... and totally bogus.

"... anyone can pop up a message that can be made to look like it came from Microsoft."

There are typically two types of these messages:

  • Browser Popups - these messages are nothing more than web pages, or single images loaded from a web page, made to look like some kind of error or warning message. Most of the time they're easy to identify because a) they pop up as you're browsing, and b) the "title bar" across the top of the window includes the phrase "Internet Explorer". For example, even when visiting Google.com, the title bar still includes the browser name:

    IE's Title Bar when visiting Google.com

    If you get a popup message that includes the browser name in the title bar, chances are you're simply looking at a web page designed to look like an error message, nothing more, nothing less. (Note that the address bar - with http://www.google.com in it in the image above - need not be present.)

  • Application Popups - these are more difficult to identify on sight, because they're generated from applications actually running on your machine. Applications can easily create popup messages or windows that look like anything they want them to. The worse news here is that if you're getting a bogus message from an application already on your machine - well, it's already on your machine; you're infected.
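As an added example (not code from the Ask Leo! article), here is a PowerShell check that makes the browser-versus-application distinction above concrete: it lists every process that owns a visible window, the window title (which, for a browser popup, carries the browser's name), the executable behind it and whether that executable is signed. It assumes Windows PowerShell on a machine where `Get-AuthenticodeSignature` is available; the "worth checking first" filter at the end is a heuristic of mine, not a verdict.

```powershell
# Added example, not code from the Ask Leo! article: list every process that
# owns a visible top-level window, together with the window's title and the
# executable behind it. A "warning" owned by the browser process is just a web
# page (its title also carries the browser's name); one owned by an unfamiliar
# executable, especially under %TEMP% or the user profile, is a program already
# running on the machine - the "application popup" case.

$windows = Get-Process |
    Where-Object { $_.MainWindowTitle } |
    ForEach-Object {
        # Path can be unavailable for protected or higher-privilege processes.
        $exe = $null
        try { $exe = $_.Path } catch { }

        # Authenticode status: genuine Windows and vendor dialogs come from
        # signed binaries; NotSigned or HashMismatch deserves a closer look.
        $sig = 'unknown'
        if ($exe) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }

        [pscustomobject]@{
            Id        = $_.Id
            Process   = $_.ProcessName
            Signature = $sig
            Path      = $exe
            Title     = $_.MainWindowTitle
        }
    }

# Everything with a window, so the popup can be matched to its owner.
$windows | Sort-Object Process | Format-Table -AutoSize -Wrap

# Heuristic (my own, not the article's): windows worth checking first are
# those whose executable is unsigned or could not be read, or which run from
# a user-writable temp/profile location.
$windows | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Path -like "$($env:TEMP)*" -or
    $_.Path -like "$($env:APPDATA)*" -or
    $_.Path -like "$($env:LOCALAPPDATA)*"
} | Format-Table -AutoSize -Wrap
```

Run it while the suspicious message is on screen. If the "warning" window's row shows the browser executable, it is a web page; if it shows a process you do not recognize, the machine already has something running on it, which is the article's second case.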

There's another tell-tale sign of a bogus message, and it's frighteningly easy to spot, and yet just as easy for malware creators to fix should they ever get a clue.

Most malware messages suffer from very bad English, in both spelling and grammar.

Here's (most of) a desktop warning that was present on my friend's machine when I first saw it:

Malware-created desktop warning

As almost any English speaker can see, the grammar is absolutely horrific in this case. It's clearly not written by an English speaker, and is thus highly suspect. No legitimate company should ever produce a message that awful.

Similarly, the popup warning that was appearing at the same time:

Malware-created popup status message

Again, horrible English, and totally bogus. OK, not totally bogus, in the sense that it's actually accurate: its very presence is the infection.

The problem is that clicking on these messages may cause more malware to be downloaded, or may take you to sites that offer to sell you a solution and either do, or perhaps don't, but collect your credit card information anyway.

So, what's the take-away from all this?

Be skeptical. Always.

If you get an error message you've never seen before and don't understand, don't blindly follow its instructions. Check it out first. Try to get a sense of where it came from. Try searching for the exact message text - Google and see what others might be saying. Ask someone. Learn the difference between a well-disguised web page and a real error message. Get familiar with your own anti-malware software so that you'll recognize it when you see it.

But be skeptical.

Particularly if the message is in broken English.
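Knowing which anti-malware software is actually installed is the first step in recognizing it when it speaks. As an added example (not from the article), this PowerShell snippet asks Windows Security Center which anti-virus products are registered and where their executables live, so a warning claiming to be from "your anti-virus" can be compared against the real thing. It assumes a client edition of Windows Vista or later, where the `root\SecurityCenter2` WMI namespace exists (Windows XP used `root\SecurityCenter`, and server editions have neither).

```powershell
# Added example, not code from the article: list the anti-virus products that
# are registered with Windows Security Center, with the signed executable each
# one registered, so you know what a legitimate warning on this machine should
# look like and which program it should come from.
# Assumes a client edition of Windows Vista or later (root\SecurityCenter2).

$products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct

if (-not $products) {
    Write-Warning 'No anti-virus product is registered with Security Center.'
}

foreach ($p in $products) {
    # The registered executable is what should be showing you warnings; a
    # popup from anything else is not your anti-virus, whatever it claims.
    $exe = $p.pathToSignedProductExe
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else {
        'path not found'
    }

    [pscustomobject]@{
        Product    = $p.displayName
        Executable = $exe
        Signature  = $sig
    }
}
```

If the list is empty, or the only entry is a name you have never heard of, that by itself is worth investigating before trusting any on-screen "scan" result.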

I'll address the specific steps and software I used to (hopefully) clean up this machine in a future article.

Article C3618 - January 12, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.


23 Comments
Rahul mehta
January 12, 2009 2:08 PM

My strategy is - I know which anti-malware software I have installed and I follow warnings from that software only. No other pop-up/warning will make me follow its instructions no matter where it came from or in which important company's name it is given. At best, a warning may prompt me to run a scan with my known installed software.

This is very good advice. Many people are not aware of what's installed on their machine (it's preinstalled, for example), so they may not recognize legitimate messages from legitimate software. It's worth taking the time to understand and familiarize yourself with what you have.
- Leo
13-Jan-2009

Fred Love
January 12, 2009 8:19 PM

The best is when I get a web pop-up that tells me that Microsoft recommends I use some piece of bogus Windows software to scan my Linux machine.

Bob King
January 13, 2009 8:44 AM

I had a terrible incident relative to "infections" a few months ago. Thought it had to do with a couple of sites I had visited ....and maybe it did. Nevertheless, called a few "techies" and they all wanted me to bring in my laptop so they could repair ....duh! I'm 75 and don't have a lot of dough ....so, ruled out those options. Someone (can't recall who) told me about a "Spybot" thing. I'm surely not 100% digitalized, at least not yet, but decided to find that site and see if the suggestions were simple enough for this old dog to understand and could be helpful. I was amazed at the simplicity. Removed all the crap that was showing and computer is working well. I did learn a lesson, at least I think I did. I promise never again to visit the "Transvestite Teenage Nuns in Drag" website. Just kidding.

Gary Lyon
January 13, 2009 9:12 AM

I just want to say that all malware software will not remove this virus. I have had to download 3 different apps to remove the popup trojan. Although PCTools found the problem, after a reboot the problem returned. Spybot's web site redirected me to Stopzilla which is NOT free. Symantec missed this completely. Finally Spybot removed the popups... so far.
Have you actually tested any apps to see their effectiveness?

Jake Smith
January 13, 2009 9:15 AM

While many infection pop-ups may contain bad grammar, some are very well written and look quite real. In fact Leo made a slight grammar error in his comments. I quote:

Try searching for the exact message text Google and see what others might be saying.

And quite likely I have made a grammar error or two in this comment. Poor grammar is often a sign but should not be the only criterion. The comment by Rahul mehta is a very good strategy to follow.

You are of course quite correct, but the examples that I used have such horrific grammar that it should be obvious that they're bogus.
- Leo
14-Jan-2009

Fran Lumb
January 13, 2009 10:25 AM

I have used Malwarebytes to remove this virus. The alias for this can be Windows Anti Virus 2008, 2009. Malwarebytes is free and can be found at malwarebytes.org

Thom Harvey
January 13, 2009 10:27 AM

I was attacked yesterday and downloaded the file because of the Microsoft Shield. I had enough sense to save it and then did some looking around. I found out I had done the right thing in saving it and deleted it. I then ran Defender from Vista and am clean. My point is that it was a Microsoft shield. Watch out!

I think you might be missing a key point of the article. There is no such thing as a "Microsoft Shield", and hence it's likely not Microsoft at all, but some malware author trying to trick you by faking a "Microsoft something".
- Leo
14-Jan-2009

Glen Lakes
January 13, 2009 11:26 AM

I understand that a recent issue of the Microsoft Malicious Program Removal Tool was specifically intended to remove these viruses.

Dave Galpin
January 13, 2009 12:29 PM

I have had lots of experience with the so called warning "your computer may be infected, please run windows antivirus 2008" popup, mostly after the fact, when a friend or family member screams for help. Recently I got the 2009 version after doing a google search on arthritis, I run AVG antivirus and both it and windows said this was a safe site in the results column. As soon as I opened a link for said search I got the dreaded popup. Here's what I did, first and foremost ... DO NOT touch anything on the screen!!! Even trying to close it by hitting the "X" button can launch this beast. I immediately shut off my internet or disable it (right click and select disable). Then "ctrl+alt+del" and end process of the culprit as well as explorer. Then I re-enabled my connection and install malware (which I had on a mem stick) and ran it. It removed the minute traces left behind and I have been clean since. I had heard you can get this virus from a legitimate site that had somehow become infected but this was the first time it has happened to me personally. MALWARE BYTES is my recommendation for this particular virus (both 2008 & 2009 version of it) works well, easy to use.

Robert Schrubbe
January 13, 2009 7:42 PM

I have my pop-up blocker turned on in Internet Options. I hardly get any. Sounds like I did the right thing. It's under the Privacy tab.

Martin Edmunds
January 14, 2009 1:15 AM

Definitely don't click ANYTHING ON THE SCREEN. Shut down and run Spybot and Lavasoft or SuperAntiSpyware in safe mode with no internet connection, as some of these trojans reinvent their registry details. OK

Terry Hollett
January 14, 2009 5:52 AM

Sometimes you have to click on the little warning bubble, with internet disabled of course, to see where it tries to take you so you will know what infection you are dealing with. Especially if you need the instructions to delete the infection manually because all of your security products fail.

Paul Seifert
January 14, 2009 4:38 PM

Yes, be very careful if any of those warnings come up, and I have found the following to be an excellent way to get rid of them:
1. restart in "safe mode w/ networking"
2. open Internet and go to www.malwarebytes.org
3. D/L malwarebytes program and install AND update it.
4. disconnect from the network if you are on a cable/dsl connection.
5. TURN OFF system restore.
6. run full scan with malwarebytes program.
7. remove everything it finds.
8. restart in normal mode and run the malwarebytes again. DO NOT CONNECT TO INTERNET YET!
9. When scan is complete and nothing more is to be removed, then shut down, reconnect network, start the system.
This will get rid of all the malware on the system.

I guess some people have nothing better to do than mess up other people's systems...

Tony Williams
January 14, 2009 5:34 PM

I too got the "Windows 2008 antivirus" spyware, luckily for me I was very familiar with Microsoft's software & knew what I had. So I uninstalled & deleted it. Since I got the free Avast Antivirus software I have been able to stop all attacks, I also got another freeby called SpywareBlaster which I've been using for a few years now. Thanks Leo for all the good information & all the people who contribute! TW

Mike Parsley
January 14, 2009 5:59 PM

This type of virus is "real time" which means it's occurring while you're viewing it. It's very unlikely that it's been hanging around on your HD waiting for the right moment to pop up (although I've seen some that do). If you've taken Leo's advice and been doing regular backups of your PC then getting rid of the virus is simple and painless. Disconnect from the internet, open your backup program and do a complete system restore. I keep a complete backup of my entire system on an external HD. It takes about thirty minutes to replace 30 GB. It beats spending an evening trying to remove a virus that might leave leftovers. I recommend Acronis True Image.

Velocity Wave
January 15, 2009 12:07 AM

I got this virus, more than once, while surfing sites that featured... (shall we say: "ladies of the night").

Many people on this forum said that Malwarebytes worked well to remove it from their systems. But it didn't work so well for me. I still had traces and vague remnants even after running malwarebytes. (I feared those remnants could resuscitate the virus.)

Fortunately, however, I have a clone of my harddrive (in a perfect state). So I wiped out my harddrive, and then recloned it, using Acronis True Copy.

It was a drastic method, but it's the only method I could use to wipe out this "beast". It's a particularly nasty virus, I must say.

Velocity Wave
January 15, 2009 12:17 AM

PS:
In fact this particular virus is so nasty, and so recurring on the Internet that I now only use Ubuntu when I am surfing to the more shady and dangerous web-sites.

I installed Ubuntu onto a flash-drive. When I want to surf to dangerous sites, I simply boot the flash drive and use it.

To be honest I much prefer windows to ubuntu, but Ubuntu is a great operating-system to use if you like to surf dangerous websites from time to time.

For simple instructions on installing Ubuntu onto a flash drive google: "ubuntu pen drive".

Interestingly, Ubuntu can also join a Windows workgroup, so if you download any files while doing your dangerous surfing, you can transfer them over your workgroup network to a windows machine, and then scan them on the windows machine.

By the way: I really have to say that in all my years of surfing the Internet, I've never seen a virus like this one. It really just bowls over Windows -- and windows seems defenseless against it. That's why the only real option I have found so far is to use Ubuntu (booted off a flash drive) when I am knowingly taking risks on the Internet.

fastfreddie1959
January 15, 2009 8:00 PM

This is my solution to the XP-Antivirus 2008-2009 Trojans. And it has popped up on my screen more than 20 times in the course of a month. Not once has it gotten into my computer. Comodo-firewall/antivirus/comodo-antimalware.

And have removed these 2 trojans from other people's computers using malwarebytes.org. And Leo, I look forward to your emails every week as I learn a lot from your infinite and wise experiences. You are top notch in my book. 2 thumbs up to you my friend.

Duane
January 18, 2009 12:40 PM

I guess I've been lucky. I haven't seen a single pop-up in many years.

The previous replies lead me to ask this perhaps naive question: how does one disconnect from/shut off/disable one's internet connection? I've never seen, as suggested above, a right-click option anywhere.

My connection is via cable. I suppose if I ever did want/need to disconnect from the internet I'd simply unplug my cable modem. Am I missing something?

Physically unplugging is typically the most practical, but you can also right-click on the network connection icon in Control Panel -> Networks and click on "Disable".
- Leo
19-Jan-2009
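Several commenters (Paul Seifert's step 4, Dave Galpin's "right click and select disable") and Leo's reply above all describe taking the machine off the network before doing anything else. As an added example, not code from the article or from Leo, here is the PowerShell equivalent of that right-click "Disable", with the re-enable step for afterwards. It assumes an elevated prompt and the NetAdapter module (Windows 8 / Server 2012 or later); on the XP-era systems the commenters were using, the Control Panel route or pulling the cable is the option.

```powershell
# Added example, not code from the article or from Leo's reply: the PowerShell
# equivalent of right-clicking the connection and choosing "Disable".
# Assumes an elevated prompt and the NetAdapter module (Windows 8 / Server 2012
# or later); on older systems use the Control Panel route Leo describes, or
# pull the cable.

# Remember which physical adapters were actually connected.
$wasUp = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
$wasUp | Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize

if ($wasUp) {
    # Take the machine off the network before touching anything on screen.
    Disable-NetAdapter -Name $wasUp.Name -Confirm:$false

    # Confirm: nothing physical should report 'Up' any more.
    Get-NetAdapter -Physical | Select-Object Name, Status | Format-Table -AutoSize
}

# ... run the offline scan here ...

# Bring exactly those adapters back when the cleanup is finished.
if ($wasUp) {
    Enable-NetAdapter -Name $wasUp.Name -Confirm:$false
}
```

Recording the adapter names first means only the connections that were up get re-enabled later, rather than every adapter the machine has, including ones that were deliberately disabled before.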
Roberta
January 19, 2009 8:19 AM

Thanks Leo, now how do I get rid of it now that it is on my computer?

Every case is different, but you can read what I did in: How did you clean up your friend's infected machine?
- Leo
20-Jan-2009

Jonathan Miran
January 20, 2009 4:05 PM

If all of you haven't run into combofix, available at bleepingcomputer.com, it is a very good program for dealing with this particular virus. It is especially useful when you have problems getting anything at all to run. It can be run in safe mode.

Guin
February 4, 2009 8:32 AM

Malwarebytes worked to get rid of "MS Anti-Virus" on my son's computer. AVG had detected it but was unable to clean all the files. I ran Malwarebytes twice (with a disabled internet connection) and it caught everything lurking in the system files. Very effective.

Rhiannon
June 10, 2009 9:28 AM

Okay I have the exact Warning background and pop up you pictured in this article. Been this way for months as nothing seems to get rid of it. I have tried several times to download malwarebytes as suggested to get rid of it but every time it errors with a bunch of error and invalid point windows itself then just disappears without working. What can I do?

Ultimately you may be faced with a complete reinstall of Windows and all applications. Another alternative is to take the hard drive to another machine that's not infected and run malwarebytes on it there.
- Leo
11-Jun-2009
