My desktop background has disappeared and been replaced with some
kind of warning, and I'm getting some kind of message that my computer
is infected. I recall some kind of earlier message from Microsoft about
"anti-virus" which I told it to go ahead and do, and now I can't get
rid of these. What do I do?
The above question is actually a distillation of a friend's phone
call, followed by what I discovered after a fair amount of research once
he brought his computer to my home.
Yes, my friend's computer was infected by one of the latest nasty
viruses to make the rounds.
Let's see what we can learn from the experience.
The first clue is a subtle one: "some kind of message from Microsoft". Unfortunately, I don't have an image of that message, but it's where I believe the problem went from bad to worse. He probably followed the instructions presented by that message.
Here's the deal: anyone can pop up a message that can be made to look like it came from Microsoft. Just like phishing attempts can make emails look like they came from your bank, it's actually very easy to create a pop-up message on your machine that looks very official and very important ... and totally bogus.
There are typically two types of these messages:
- Browser Popups - these messages are nothing more than web pages, or single images loaded from a web page, made to look like some kind of error or warning message. Most of the time they're easy to identify because a) they pop up as you're browsing, and b) the "title bar" across the top of the window includes the phrase "Internet Explorer". For example, even when visiting Google.com, the title bar still includes the browser name:
If you get a popup message that includes the browser name in the title bar, chances are you're simply looking at a web page designed to look like an error message, nothing more, nothing less. (Note that the address bar - with http://www.google.com in it in the image above - need not be present.)
- Application Popups - these are more difficult to identify on sight, because they're generated from applications actually running on your machine. Applications can easily create popup messages or windows that look like anything they want them to. The worse news here is that if you're getting a bogus message from an application already on your machine - well, it's already on your machine; you're infected.
There's another aspect to identifying bogus messages on your machine, and it's frighteningly easy to spot, and yet just as easy for malware creators to fix should they ever get a clue.
Most malware messages suffer from very bad English, in both spelling and grammar.
Here's (most of) a desktop warning that was present on my friend's machine when I first saw it:
As almost any English speaker can see, the grammar is absolutely horrific in this case. It's clearly not written by an English speaker, and is thus highly suspect. No legitimate company should ever produce a message that awful.
Similarly, the popup warning that was appearing at the same time:
Again, horrible English, and totally bogus. OK, not totally bogus, in the sense that it's actually accurate: its very presence is the infection.
The problem is that clicking on these messages may cause more malware to be downloaded, or may take you to sites that offer to sell you a solution and either do, or perhaps don't, but collect your credit card information anyway.
So, what's the take-away from all this?
Be skeptical. Always.
If you get an error message you've never seen before and don't understand, don't blindly follow its instructions. Check it out first. Try to get a sense of where it came from. Try searching for the exact message text - Google and see what others might be saying. Ask someone. Learn the difference between a well-disguised web page and a real error message. Get familiar with your own anti-malware software so that you'll recognize it when you see it.
But be skeptical.
Particularly if the message is in broken English.
I'll address the specific steps and software I used to (hopefully) clean up this machine in a future article.
My strategy is – I know which anti-malware software I have installed and I follow warnings from that software only. No other pop-up/warning will make me follow its instructions no matter where it came from or in which important company’s name it is given. At the best a warning may prompt me to run a scan of my known installed software.
13-Jan-2009
The best is when I get a web pop up that tells me that Microsoft recommends I use some piece of bogus Windows software to scan my Linux machine.
I had a terrible incident relative to “infections” a few months ago. Thought it had to do with a couple of sites I had visited ….and maybe it did. Nevertheless, called a few “techies” and they all wanted me to bring in my laptop so they could repair ….duh! I’m 75 and don’t have a lot of dough ….so, ruled out those options. Someone (can’t recall who) told me about a “Spybot” thing. I’m surely not 100% digitalized, at least not yet, but decided to find that site and see if the suggestions were simple enough for this old dog to understand and could be helpful. I was amazed at the simplicity. Removed all the crap that was showing and computer is working well. I did learn a lesson, at least I think I did. I promise never again to visit the “Transvestite Teenage Nuns in Drag” website. Just kidding.
I just want to say that all malware software will not remove this virus. I have had to download 3 different apps to remove the popup trojan. Although PCTools found the problem, after a reboot the problem returned. Spybot’s web site redirected me to Stopzilla which is NOT free. Symantec missed this completely. Finally Spybot removed the popups... so far.
Have you actually tested any apps to see their effectiveness?
While many infection pop-ups may contain bad grammar, some are very well written and look quite real. In fact Leo made a slight grammar error in his comments. I quote:
Try searching for the exact message text Google and see what others might be saying.
And quite likely I have made a grammar error or two in this comment. Poor grammar is often a sign but should not be the only criterion. The comment by Rahul mehta is a very good strategy to follow.
14-Jan-2009
I have used Malwarebytes to remove this virus. The alias for this can be Windows Anti Virus 2008, 2009. Malwarebytes is free and can be found at malwarebytes.org
I was attacked yesterday and downloaded the file because of the Microsoft shield. I had enough sense to save it and then did some looking around. I found out I had done the right thing in saving it and deleted it. I then ran Defender from Vista and am clean. My point is that it was a Microsoft shield. Watch out!
14-Jan-2009
I understand that a recent issue of the Microsoft Malicious Program Removal Tool was specifically intended to remove these viruses.
I have had lots of experience with the so called warning “your computer may be infected, please run windows antivirus 2008” popup, mostly after the fact, when a friend or family member screams for help. Recently I got the 2009 version after doing a google search on arthritis, I run AVG antivirus and both it and windows said this was a safe site in the results column. As soon as I opened a link for said search I got the dreaded popup. Here’s what I did, first and foremost … DO NOT touch anything on the screen!!! Even trying to close it by hitting the “X” button can launch this beast. I immediately shut off my internet or disable it (right click and select disable). Then “ctrl+alt+del” and end process of the culprit as well as explorer. Then I re-enabled my connection and installed malware (which I had on a mem stick) and ran it. It removed the minute traces left behind and I have been clean since. I had heard you can get this virus from a legitimate site that had somehow become infected but this was the first time it has happened to me personally. MALWARE BYTES is my recommendation for this particular virus (both 2008 & 2009 version of it) works well, easy to use.
I have my pop up blocker turned on in Internet Options. I hardly get any. Sounds like I did the right thing. It’s under the Privacy tab.
Definitely don’t click ANYTHING ON THE SCREEN. Shut down and run Spybot and Lavasoft or SuperAntiSpyware in safe mode with no internet connection, as some of these trojans reinvent their registry details. OK
Sometimes you have to click on the little warning bubble, with internet disabled of course, to see where it tries to take you so you will know what infection you are dealing with. Especially if you need the instructions to delete the infection manually because all of your security products fail.
Yes, be very careful if any of those warnings come up, and I have found the following to be an excellent way to get rid of them:
1. restart in “safe mode w/ networking”
2. open Internet and go to http://www.malwarebytes.org
3. D/L malwarebytes program and install AND update it.
4. disconnect from the network if you are on a cable/dsl connection.
5. TURN OFF system restore.
6. run full scan with malwarebytes program.
7. remove everything it finds.
8. restart in normal mode and run the malwarebytes again. DO NOT CONNECT TO INTERNET YET!
9. When scan is complete and nothing more is to be removed, then shut down, reconnect network, start the system.
This will get rid of all the malware on the system.
I guess some people have nothing better to do than mess up other people’s systems...
I too got the “Windows 2008 antivirus” spyware, luckily for me I was very familiar with Microsoft’s software & knew what I had. So I uninstalled & deleted it. Since I got the free Avast Antivirus software I have been able to stop all attacks, I also got another freeby called SpywareBlaster which I’ve been using for a few years now. Thanks Leo for all the good information & all the people who contribute! TW
This type of virus is “real time” which means it’s occurring while you’re viewing it. It’s very unlikely that it’s been hanging around on your HD waiting for the right moment to pop up (although I’ve seen some that do). If you’ve taken Leo’s advice and been doing regular backups of your PC then getting rid of the virus is simple and painless. Disconnect from the internet, open your backup program and do a complete system restore. I keep a complete backup of my entire system on an external HD. It takes about thirty minutes to replace 30 GB. It beats spending an evening trying to remove a virus that might leave leftovers. I recommend Acronis True Image.
I got this virus, more than once, while surfing sites that featured… (shall we say: “ladies of the night”).
Many people on this forum said that Malwarebytes worked well to remove it from their systems. But it didn’t work so well for me. I still had traces and vague remnants even after running malwarebytes. (I feared those remnants could resuscitate the virus.)
Fortunately, however, I have a clone of my hard drive (in a perfect state). So I wiped out my hard drive, and then recloned it, using Acronis True Copy.
It was a drastic method, but it’s the only method I could use to wipe out this “beast”. It’s a particularly nasty virus, I must say.
PS:
In fact this particular virus is so nasty, and so recurring on the Internet, that I now only use Ubuntu when I am surfing to the more shady and dangerous web-sites.
I installed Ubuntu onto a flash-drive. When I want to surf to dangerous sites, I simply boot the flash drive and use it.
To be honest I much prefer windows to ubuntu, but Ubuntu is a great operating-system to use if you like to surf dangerous websites from time to time.
For simple instructions on installing Ubuntu onto a flash drive google: “ubuntu pen drive”.
Interestingly, Ubuntu can also join a Windows workgroup, so if you download any files while doing your dangerous surfing, you can transfer them over your workgroup network to a windows machine, and then scan them on the windows machine.
By the way: I really have to say that in all my years of surfing the Internet, I’ve never seen a virus like this one. It really just bowls over Windows — and windows seems defenseless against it. That’s why the only real option I have found so far is to use Ubuntu (booted off a flash drive) when I am knowingly taking risks on the Internet.
This is my solution to the XP-Antivirus 2008-2009 Trojans. And it has popped up on my screen more than 20 times in the course of a month. Not once has it gotten into my computer. Comodo-firewall/antivirus/comodo-antimalware. And I have removed these 2 trojans from other people's computers using malwarebytes.org.
And Leo, I look forward to your emails every week as I learn a lot from your infinite and wise experiences. You are top notch in my book. 2 thumbs up to you my friend.
I guess I’ve been lucky. I haven’t seen a single pop-up in many years.
The previous replies lead me to ask this perhaps naive question: how does one disconnect from/shut off/disable one’s internet connection? I’ve never seen, as suggested above, a right-click option anywhere.
My connection is via cable. I suppose if I ever did want/need to disconnect from the internet I’d simply unplug my cable modem. Am I missing something?
19-Jan-2009
Thanks Leo, now how do I get rid of it now that it is on my computer.
20-Jan-2009
If all of you haven’t run into combofix, available at bleepingcomputer.com, it is a very good program for dealing with this particular virus. It is especially useful when you have problems getting anything at all to run. It can be run in safe mode.
Malwarebytes worked to get rid of “MS Anti-Virus” on my son’s computer. AVG had detected it but was unable to clean all the files. I ran Malwarebytes twice (with a disabled internet connection) and it caught everything lurking in the system files. Very effective.
Okay I have the exact Warning background and pop up you pictured in this article. Been this way for months as nothing seems to get rid of it. I have tried several times to download malwarebytes as suggested to get rid of it but every time it errors with a bunch of error and invalid point windows, then itself just disappears without working. What can I do?
11-Jun-2009