Ask Leo! by Leo A. Notenboom

Why won't this "Your Computer Is Infected" warning go away?

Summary: If you're getting messages that your computer is infected, it might be. But you MUST be skeptical and extremely careful about the steps you take next.

My desktop background has disappeared and been replaced with some kind of warning, and I'm getting some kind of message that my computer is infected. I recall some kind of earlier message from Microsoft about "anti-virus" which I told it to go ahead and do, and now I can't get rid of these. What do I do?

The above question is actually a distillation of a friend's phone call, followed by what I discovered after a fair amount of research once he brought his computer to my home.

Yes, my friend's computer was infected by one of the latest nasty viruses to make the rounds.

Let's see what we can learn from the experience.

The first clue is a subtle one: "some kind of message from Microsoft". Unfortunately, I don't have an image of that message, but it's where I believe the problem went from bad to worse. He probably followed the instructions presented by that message.

Here's the deal: anyone can pop up a message that can be made to look like it came from Microsoft. Just like phishing attempts can make emails look like they came from your bank, it's actually very easy to create a pop-up message on your machine that looks very official and very important ... and totally bogus.

There are typically two types of these messages:

  • Browser Popups - these messages are nothing more than web pages, or single images loaded from a web page, made to look like some kind of error or warning message. Most of the time they're easy to identify because a) they pop up as you're browsing, and b) the "title bar" across the top of the window includes the phrase "Internet Explorer". For example, even when visiting Google.com, the title bar still includes the browser name:

    IE's Title Bar when visiting Google.com

    If you get a popup message that includes the browser name in the title bar, chances are you're simply looking at a web page designed to look like an error message, nothing more, nothing less. (Note that the address bar - with http://www.google.com in it in the image above - need not be present.)

  • Application Popups - these are more difficult to identify on sight, because they're generated from applications actually running on your machine. Applications can easily create popup messages or windows that look like anything they want them to. The worse news here is that if you're getting a bogus message from an application already on your machine - well, it's already on your machine; you're infected.

There's another way to identify bogus messages on your machine. It's frighteningly easy to spot, and just as frighteningly easy for malware creators to fix, should they ever get a clue.

Most malware messages suffer from very bad English, in both spelling and grammar.

Here's (most of) a desktop warning that was present on my friend's machine when I first saw it:

Malware-created desktop warning

As almost any English speaker can see, the grammar is absolutely horrific in this case. It's clearly not written by an English speaker, and is thus highly suspect. No legitimate company should ever produce a message that awful.

Similarly, the popup warning that was appearing at the same time:

Malware-created popup status message

Again, horrible English, and totally bogus. OK, not totally bogus, in the sense that it's actually accurate: its very presence is the infection.

The problem is that clicking on these messages may cause more malware to be downloaded, or may take you to sites that offer to sell you a solution and either do, or perhaps don't, but collect your credit card information anyway.

So, what's the take-away from all this?

Be skeptical. Always.

If you get an error message you've never seen before and don't understand, don't blindly follow its instructions. Check it out first. Try to get a sense of where it came from. Try searching Google for the exact message text and see what others might be saying about it. Ask someone. Learn the difference between a well-disguised web page and a real error message. Get familiar with your own anti-malware software so that you'll recognize it when you see it.

But be skeptical.

Particularly if the message is in broken English.

I'll address the specific steps and software I used to (hopefully) clean up this machine in a future article.

Article C3618 - January 12, 2009

23 Comments

I too got the "Windows 2008 antivirus" spyware, luckily for me I was very familiar with Microsoft's software & knew what I had. So I uninstalled & deleted it. Since I got the free Avast Antivirus software I have been able to stop all attacks, I also got another freeby called SpywareBlaster which I've been using for a few years now. Thanks Leo for all the good information & all the people who contribute! TW

Posted by: Tony Williams at January 14, 2009 5:34 PM

This type of virus is "real time" which means it's occurring while you're viewing it. It's very unlikely that it's been hanging around on your HD waiting for the right moment to pop up (although I've seen some that do). If you've taken Leo's advice and been doing regular backups of your PC then getting rid of the virus is simple and painless. Disconnect from the internet, open your backup program and do a complete system restore. I keep a complete backup of my entire system on an external HD. It takes about thirty minutes to replace 30 GB. It beats spending an evening trying to remove a virus that might leave leftovers. I recommend Acronis True Image.

Posted by: Mike Parsley at January 14, 2009 5:59 PM

I got this virus, more than once, while surfing sites that featured... (shall we say: "ladies of the night").

Many people on this forum said that Malwarebytes worked well to remove it from their systems. But it didn't work so well for me. I still had traces and vague remnants even after running malwarebytes. (I feared those remnants could resuscitate the virus.)

Fortunately, however, I have a clone of my hard drive (in a perfect state). So I wiped out my hard drive, and then recloned it, using Acronis True Copy.

It was a drastic method, but it's the only method I could use to wipe out this "beast". It's a particularly nasty virus, I must say.

Posted by: Velocity Wave at January 15, 2009 12:07 AM

PS:
In fact this particular virus is so nasty, and so recurring on the Internet that I now only use Ubuntu when I am surfing to the more shady and dangerous websites.

I installed Ubuntu onto a flash drive. When I want to surf to dangerous sites, I simply boot the flash drive and use it.

To be honest I much prefer Windows to Ubuntu, but Ubuntu is a great operating system to use if you like to surf dangerous websites from time to time.

For simple instructions on installing Ubuntu onto a flash drive google: "ubuntu pen drive".

Interestingly, Ubuntu can also join a Windows workgroup, so if you download any files while doing your dangerous surfing, you can transfer them over your workgroup network to a Windows machine, and then scan them on the Windows machine.

By the way: I really have to say that in all my years of surfing the Internet, I've never seen a virus like this one. It really just bowls over Windows -- and Windows seems defenseless against it. That's why the only real option I have found so far is to use Ubuntu (booted off a flash drive) when I am knowingly taking risks on the Internet.

Posted by: Velocity Wave at January 15, 2009 12:17 AM

This is my solution to the XP-Antivirus 2008-2009 Trojans. And it has popped up on my screen more than 20 times in the course of a month. Not once has it gotten into my computer. Comodo-firewall/antivirus/comodo-antimalware.

And have removed these 2 trojans from other people's computers using malwarebytes.org. And Leo, I look forward to your emails every week as I learn a lot from your infinite and wise experiences. You are top notch in my book. 2 thumbs up to you my friend.

Posted by: fastfreddie1959 at January 15, 2009 8:00 PM

I guess I've been lucky. I haven't seen a single pop-up in many years.

The previous replies lead me to ask this perhaps naive question: how does one disconnect from/shut off/disable one's internet connection? I've never seen, as suggested above, a right-click option anywhere.

My connection is via cable. I suppose if I ever did want/need to disconnect from the internet I'd simply unplug my cable modem. Am I missing something?

Physically unplugging is typically the most practical, but you can also right-click on the network connection icon in Control Panel -> Networks and click on "Disable".
- Leo
19-Jan-2009
Posted by: Duane at January 18, 2009 12:40 PM

Thanks Leo, now how do I get rid of it now that it is on my computer.

Every case is different, but you can read what I did in: How did you clean up your friend's infected machine?
- Leo
20-Jan-2009

Posted by: Roberta at January 19, 2009 8:19 AM

If all of you haven't run into combofix, available at bleepingcomputer.com, it is a very good program for dealing with this particular virus. It is especially useful when you have problems getting anything at all to run. It can be run in safe mode.

Posted by: Jonathan Miran at January 20, 2009 4:05 PM

Malwarebytes worked to get rid of "MS Anti-Virus" on my son's computer. AVG had detected it but was unable to clean all the files. I ran Malwarebytes twice (with a disabled internet connection) and it caught everything lurking in the system files. Very effective.

Posted by: Guin at February 4, 2009 8:32 AM

Okay I have the exact Warning background and pop up you pictured in this article. Been this way for months as nothing seems to get rid of it. I have tried several times to download malwarebytes as suggested to get rid of it but every time it errors with a bunch of error and invalid point windows itself then just disappears without working. What can I do?

Ultimately you may be faced with a complete reinstall of Windows and all applications. Another alternative is to take the hard drive to another machine that's not infected and run malwarebytes on it there.
- Leo
11-Jun-2009

Posted by: Rhiannon at June 10, 2009 9:28 AM
