My daughter got an offer at a song lyrics website that had a pop-up, and as
always she clicked ‘cancel’ to get rid of it, then it came back that she had
accepted the offer because clicking ‘cancel’ was to accept the offer! Now we
are having problems with the computer, especially application hangs. Did we
download spyware or adware inadvertently? So how can we remedy the situation?
Just an FYI, I cannot believe what tactics some of these websites will go to to
gain access to your PC. Shame on them!
Shame on them, indeed.
Yes, I think it’s very likely that your daughter – trying to do the right
thing – inadvertently allowed spyware onto your machine.
And yes, sometimes a cancel button isn’t a cancel button at all.
While it’s possible to tell the difference, it’s not always easy.
Quick, without spending a lot of time studying them, if one of these just popped up at you would you be able to tell which is real and which is fake?
At first blush they’re very, very similar. In fact, if you saw either one without the other to compare to, you might never even question it.
But question it you should, because that’s exactly what spyware authors are counting on.
The first is an actual Windows XP confirmation dialog.
The second is an example of a fake. It’s not a confirmation dialog at all, but a web page that has been carefully crafted to look like a confirmation dialog.
Now here’s where it gets more devious. Since it’s a web page, the author of that page can pretty much have it do anything no matter where you click. It may look like there are “Yes” and “No” buttons, but in fact the page could be authored in such a way that both mean yes, or that even clicking anywhere on that popup at all could mean yes.
So you’re surfing along, you get this popup where the obvious answer is “No”, you click “No” and the popup treats it as if you’d clicked “Yes”, or does something that’s completely unrelated – like direct you to porn, or initiate a download of spyware.
It’s the latter scenario that is the most troubling, and in fact the reason that spyware vendors do this at all.
Let’s say that the popup didn’t ask about deleting “All Your Work”, but rather said something like “A virus has been detected, would you like to remove it?”
By posing as a Windows confirmation dialog, the spyware attempts to gain your trust. You think it’s Windows asking you something, you click on the button and then it asks you something again – like “are you sure you want this download?”. And because you think it’s Windows asking, and because it had asked a reasonable question to begin with, you say yes again.
And you’ve just allowed spyware to be installed.
Shame on them, indeed.
There are many more scenarios that might not be as obvious, but this is one of the most basic: popups that attempt to fool you into thinking that they’re not popups at all, but important messages from your system.
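The mechanism described above is simple to check for once you look at the markup rather than the picture: a real confirmation dialog returns the choice you made, while a page styled as a dialog can wire every visible choice (and even the dialog's whole surface) to the same action. The following checker is an added example, not code from the original article; it inspects constructed sample markup (the hostnames and paths are placeholders) and reports the two tell-tale signs the text describes: all "choices" leading to the same target, and a click anywhere on the dialog triggering something.

```javascript
// Added example (not part of the original article). Inspects the markup of a
// "dialog"-looking web element and reports whether its visible choices really
// lead to different outcomes. All HTML below is constructed for this example.

// Constructed sample 1: a site's own confirmation box where Yes and No differ.
const GENUINE_CHOICES_HTML = `
<div class="dialog">
  <div class="title">Confirm</div>
  <p>Delete this playlist?</p>
  <a href="/playlist/delete">Yes</a>
  <a href="/playlist/cancel">No</a>
</div>`;

// Constructed sample 2: a page imitating a system alert; both buttons, and the
// dialog surface itself, point at the same download (placeholder hostname).
const FAKE_DIALOG_HTML = `
<div class="dialog" onclick="location.href='http://example.invalid/setup.exe'">
  <div class="title">Windows</div>
  <p>A virus has been detected, would you like to remove it?</p>
  <button onclick="location.href='http://example.invalid/setup.exe'">Yes</button>
  <button onclick="location.href='http://example.invalid/setup.exe'">No</button>
</div>`;

// Extract every clickable element with its visible label and its target
// (href for links, onclick for buttons). Regex-based on purpose: it only
// needs to handle the simple markup used in these samples.
function extractChoices(html) {
  const choices = [];
  const patterns = [
    /<a\s+[^>]*href="([^"]*)"[^>]*>([^<]*)<\/a>/gi,
    /<button\s+[^>]*onclick="([^"]*)"[^>]*>([^<]*)<\/button>/gi,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) {
      choices.push({ label: m[2].trim(), target: m[1].trim() });
    }
  }
  return choices;
}

// A click handler on the container itself means "anywhere" counts as a choice.
function containerHandler(html) {
  const m = /<div\s+[^>]*class="dialog"[^>]*onclick="([^"]*)"/i.exec(html);
  return m ? m[1].trim() : null;
}

// Combine the two signals into a verdict with human-readable reasons.
function assessDialog(html) {
  const choices = extractChoices(html);
  const targets = new Set(choices.map((c) => c.target));
  const surface = containerHandler(html);
  const reasons = [];
  if (choices.length >= 2 && targets.size === 1) {
    const labels = choices.map((c) => c.label).join('/');
    reasons.push(`all ${choices.length} choices (${labels}) lead to the same target`);
  }
  if (surface !== null) {
    reasons.push('clicking anywhere on the dialog triggers an action');
  }
  return { suspicious: reasons.length > 0, reasons, choices };
}

// Stand-alone usage: print the verdict for both samples.
for (const [name, html] of [['genuine', GENUINE_CHOICES_HTML], ['fake', FAKE_DIALOG_HTML]]) {
  const verdict = assessDialog(html);
  console.log(name, verdict.suspicious ? 'SUSPICIOUS' : 'ok', verdict.reasons);
}
```

The point of the check is not the regexes but the question they ask: does "No" actually do something different from "Yes"? A genuine dialog, whether the operating system's or a site's own, always answers yes to that; the fakes the article describes answer no.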
What can you do to avoid this?
It boils down to a three-pronged approach. And even though it shouldn’t really be necessary, two of those prongs amount to learning what to watch out for.
Technology: A good anti-spyware package with its real time protection enabled is a good start. So is making sure that you have a popup blocker enabled (fortunately they’re now built into most web browsers).
Visual Characteristics: Look at those two dialogs above again and you’ll see that the title bars – the blue areas at the top of each – are different in several ways. The most telling, perhaps, is that in the fake dialog you can see my browser – Mozilla Firefox – attempting to identify itself. Beyond that, genuine system alerts typically do not have icons, and almost never have the Maximize button (the center of the three buttons on the far right of the title bar). There may be more characteristics you’ll also come to see as “suspicious” over time as you start to notice more of these attempts at fakery.
Behavioral Characteristics: Perhaps the most important, and the most reliable, is to develop a sense for when popups like this are unexpected, and therefore suspicious. After you’ve surfed the web and used your computer for a while, certain behaviours will start to stand out. Visiting a new web page, for example, by itself shouldn’t result in a “virus detected” warning – since that’s not when virus detection happens. When you download something, yes, that’s when your anti-virus tool’s real time protection would kick in, but merely visiting a new page should not trigger this type of notification. Again, over time you’ll get a sense for what’s reasonable, and when.
I also realize that you started this by saying “my daughter” … and that of course makes these last two items so much more difficult. Without knowing her age or expertise, it might not even be reasonable to expect her to learn these types of nuances (and they are admittedly nuances).
Which leads to the final point.
What do you do once you’ve got spyware?
Sadly the news isn’t much better than it is for viruses.
Try your up-to-date anti-spyware and other anti-malware tools to see if they can remove the infection.
Try a System Restore to a point prior to the infection.
Look for manual removal instructions out on the web specific to the infection you have.
Failing any of that, there are only two approaches that are absolutely guaranteed to remove the spyware:
Restore from a full-image backup taken prior to the infection.
Backup, reformat and reinstall.
Fortunately, in many cases there are tools out there that can remove most common spyware, though it may require a little searching.