The pop-up window that ruined my PC!

by Lee Koo (ADMIN) CNET staff/forum admin / November 20, 2009 6:22 AM PST
Question:

Last summer, a screen popped up on my computer saying that my computer had all sorts of harmful files on it and said that it would scan and remove them. I clicked on "OK" and the software started running and it ruined my computer, blocking my Trend Micro PCillin Internet Security antivirus and preventing any upgrades. I had to get my computer guru to completely wipe out my hard drive and reinstall my applications and what files she could save. She then installed Malwarebytes Anti-Malware program to make sure the bad application was wiped out.

She told me to not shut down if this ever happened again, but to run Malwarebytes Anti-Malware and then Trend Micro before shutting down.

On Friday the 13th, a similar thing happened. The bad application said its name was "SWP2009" and offered itself for purchase. I could not delete or minimize it, but was able to shift its screen to where I was able to get to my Malwarebytes Anti-Malware icon. Malwarebytes Anti-Malware responded and started running. I did a complete scan and Anti-Malware found six rogue files. It deleted them and rebooted my computer. Everything seemed OK, but I ran Trend Micro to be sure. Trend found 13 items, which it deleted. All this took some 4 hours.

Has anyone else encountered similar rogue software? What else can be done? I thought my anti-malware and antivirus applications would stop this, but they didn't. Apparently it was connected to some Web site I opened. I'm running Windows XP Home.

--Submitted by Royce B.

Here are some featured member answers to get you started, but
please read all the advice and suggestions that our
members have contributed to this question.

Antivirus 2009 and its successors... --Submitted by Acaykath
http://forums.cnet.com/5208-6132_102-0.html?messageID=3179759#3179759

Beat those rogue anti-virus pop-ups, BEFORE they do any damage --Submitted by si
http://forums.cnet.com/5208-6132_102-0.html?messageID=3179777#3179777

Some basic safety tips will help --Submitted by gordios777-websites
http://forums.cnet.com/5208-6132_102-0.html?messageID=3181851#3181851

Has anyone else encountered similar rogue software? --Submitted by Watzman
http://forums.cnet.com/5208-6132_102-0.html?messageID=3179771#3179771

Malware masquerade --Submitted by davismccarn
http://forums.cnet.com/5208-6132_102-0.html?messageID=3179713#3179713

Don't believe pop-ups that you don't really know --Submitted by cdcjeff
http://forums.cnet.com/5208-6132_102-0.html?messageID=3179700#3179700

Thanks to all who contributed!

If you have any additional advice for Royce, please click on the reply link and submit it. Please be as detailed as possible when submitting your answer. Thank you!

I had that too
by charlie7290 / November 20, 2009 9:06 AM PST

I was running Norton 360V3 and it clocked it straight away and binned it.
So try Norton 360 (it's worth the money)
with Spybot

PC INFECTIONS - POP UPS FROM NEFARIOUS SITES
by GEO2003 / November 20, 2009 9:37 AM PST
In reply to: I had that too

Yes, it happened to family members' laptops running XP Home about two years ago. Back then I was using AVG but it never gave any notification of what was happening, it just allowed the download to complete.

Since then I have switched to AVAST Home 4.8 and it is an excellent antivirus with 7 shields. One of them is dedicated to WEB TRAFFIC, checking every packet.

So even if you get redirected or mistype a URL address and end up on an infected site, AVAST stops it before it even reaches your drive.

Another option in AVAST is to run a complete and thorough scan outside Windows so that no file is locked by Windows.

And this is my suggestion: if you have that option with your current antivirus, I would suggest you run it outside Windows to make sure you get rid of any possible leftovers.

Or you can download AVAST HOME FREE EDITION and run the complete scan with the rootkit module turned on.

Using a different Antivirus for a second check is better because not all infections are picked up by one antivirus alone.

So using another one may cover what the first one missed.

I also recommend PC TOOLS THREAT FIRE ONLY.

Hope that helps, at least in making sure that all infections are gone.

Regards,
Geo

PC INFECTIONS - POP UPS
by GEO2003 / November 20, 2009 10:10 AM PST

By the way, keep in mind that hackers are programming all 3 buttons on the pop-ups - Install - Cancel - and the RED X to do the same thing.
Run the program.

Therefore in Windows XP, the safest way to get rid of these pop-ups is to Ctrl-Alt-Del and, as Windows exits to the log on screen, choose Start Task Manager and close the pop-ups.
In Vista and Windows 7, the security is improved and the pop-ups can be closed safely within the Windows environment.

If you are not using Internet Explorer 7 or 8 I would suggest you upgrade, as these pop-ups run in their own memory space. IE 7 is better at protecting from these pop-ups but you have to turn on a setting that MS left open for users of Windows XP.

IE 7 - Right click on the IE icon, select Run as Administrator - go to Tools - select Internet Options - click the Advanced tab.
Scroll all the way down and find the entry - ENABLE MEMORY PROTECTION TO MITIGATE ATTACKS - put a check in the box - click Apply or OK and close the browser.

I know, MS screwed up on this one for Windows XP users, but they automatically turn it on for XP users in Internet Explorer 8.

So I would also suggest that you move on to IE 8 if you like IE.

Regards,
Geo

Maybe not
by Dango517 / January 8, 2010 5:44 PM PST

"In Vista and Windows 7, the security is improved and the pop-ups can be closed safely within the Windows environment."

I've run Vista and now 7, nope.

Another way to avoid these is to log off. My wife has problems with tech stuff, so this is simple and most can log off. If you can't remove these from the taskbar then log off.

As said before, do not press buttons on a "mystery" applet. If it showed up, seemingly out of nowhere, then it's more than likely trouble.

Rogue Variants are bad news for PC users:

http://en.wikipedia.org/wiki/Rogue_software

In many instances these can contain a host of malware and appear to be modular so the bad guys can plug various forms of meanness into your system very quickly, perhaps quicker than your security program company can create a definition to identify it. Meaning one version might have a virus, the next spyware, and the next both.

Report these and as a first line of defence use something like this:

http://www.siteadvisor.com/

Run outside windows?
by reffu42 / November 20, 2009 11:27 AM PST

You can't run a program outside Windows unless Windows is running from a virtual environment. When it says run outside Windows it most likely means that it boots up right after the Windows core components to prevent access by rogue programs loading up before anything else. To run a program outside the operating system it's running on is like trying to run a toaster with the plug 5 feet from the wall.

THE TERM RUN OUTSIDE OF WINDOWS
by GEO2003 / November 21, 2009 2:01 AM PST
In reply to: Run outside windows?

You are correct in that the term I used is somewhat debatable, or maybe not completely clear for everyone, depending on their experience.

But regardless, any antivirus that has the capability to run a scan outside of Windows "ON THE NEXT REBOOT" can do so prior to the EXECUTION OR LOADING of ANY MAIN WINDOWS COMPONENTS / DRIVERS / OR SYSTEM FILES.

Hence the ability to check all those files or folders that Windows would otherwise lock, where part of or some infections could be hiding.

Thank you,
Geo

reboot scan?
by fabianhow / December 4, 2009 10:21 AM PST

do you mean a boot-time scan? with any (good) security software, configuring a boot-time scan is possible. try entering the settings of your security software and look for an option along the lines of "scan before windows starts", "boot time scan" etc. if your security software doesn't have that option, dump it and look for another that has one. or alternatively, try safe mode and run your scan from there. the program shouldn't start there (but it's very easy to do so), it's worth a try.

cheers

If You Accidentally Find Yourself At A Rogue Website...
by KHAIMANG / December 7, 2009 11:02 AM PST
In reply to: reboot scan?

If you accidentally find yourself at a rogue website, DO NOT click on the "X" or "OK", etc. Instead, do the Ctrl+Alt+Delete maneuver and use the Task Manager to end your browser's process. If you try and exit the page in any other way, well... your goose will be cooked.

Not necessarily
by Jeffin90620 / December 7, 2009 11:21 AM PST

I have killed the popup using the "X" gadget with no ill effects, although now that I know the possibilities, I will use <Ctrl><Alt><Del>.

Pops-up window
by Vickeych / January 9, 2010 2:12 PM PST

I will wholly stand for your opinion.

yes u can
by zedolon / October 12, 2010 11:45 PM PDT
In reply to: Run outside windows?

I can set a boot disc to run a Disc Operating System that I wrote myself or add one of the many other ones out in the data bank, boot it and access the drive and all the files without ever loading the poorly written Windows OS... and have full control of all the memory and every single instruction executed. Then boot Windows in a ((window)) without Windows or any of the antivirus software out there even knowing. And if I can do it, so can others... I don't think only I can. However... I may have misunderstood the topic and interjected garble on your page space..... LOL Zedolon

Norton 360 - bad choice
by wayneepalmer / November 20, 2009 10:03 AM PST
In reply to: I had that too

360 is a system hog. It is unwieldy, sucks up cycles, takes forever to perform tasks and generally bites as a program. It causes as many problems as it solves.

360 is the Vista of Norton.

Go with Norton Internet Security 2009. It has about all the same features, it's much easier to use, and is way less of an all-around pain in the butt. It has been highly recommended in a number of reviews as about the best paid-for anti-virus for the average user.

The number of attacks out there just keeps growing.
by TreknologyNet / December 4, 2009 11:08 AM PST
In reply to: I had that too

Back in its day, when I was put onto Spybot, it used to take about 20 mins to scan the computer--now it takes something like FIVE HOURS, and despite having all the security lockdowns in place, it still finds at least one fault on a daily basis. I'm at the point now where I'm prepared to do a complete reinstallation, because AVG9 keeps crashing!

GO MAC
by laguna_b / December 4, 2009 12:56 PM PST

I went Mac last Spring and I don't have to worry about all these things anymore....think of the hours saved!

GO mac
by dave69s / December 5, 2009 1:38 AM PST
In reply to: GO MAC

Now The Steve will get your liver next

liver?
by jolysmoke / December 5, 2009 7:32 AM PST
In reply to: GO mac

A tasteless remark. But the Russian mafia and People's Liberation Army are more likely to get yours if you stick to a PC, seeing the ease with which they seem to walk in and out of your PCs and copy anything they want, use your built-in cameras and microphones in Orwellian 1984 style to watch you and listen to what you have to say, and gather your identities and credit-cards to sell to some low-life highest bidder in the underworld. Then the buyer can arrange operations on your health insurance, holidays on your credit card. Why not your liver in the long run? And if you have any commercial technological inventions, rest assured that they have long gone east (and west!).
Btw, all this is in no way fantasy but has been in the news over the past few years for those who can read. Just who do you think sends you the Trojans that knock you down like ninepins? And why do they do it? Google the Russian Business Network and you will see that precisely they are responsible for all those fake AntiVirus you are all talking about on this thread.

So you thought it was the Russians!
by GeorgeGee69 / February 16, 2010 8:02 PM PST
In reply to: liver?

A really childish rant, but you are entitled to it. Do you know that EVERY UK connection to the WWW has to go through 7 BT monitoring computers (definitely NOT Macs lol)? BT is a private company. Add to this all the CCTV (with facial recognition cameras) around our towns, cities and roads (hence the illegality of full tinted windscreens); our mobile phones are all chipped and GPS enabled to within 3m; every call and txt and picture must be "stored" by your ISP (private company) for 7 years. Do I need to mention the details obtained through your credit card, medical records? All of this information is stored by private companies and freely available at a price or free to your government! Your paranoid fears of the "Russian" mafia wanting your details only encourage more intrusive investigation by our governments to collect and collate information for their own ends! You only have to look at the several hundred new laws enacted in the pretense of "for our own protection" to realise it's a worldwide lie! You not only have to be able to read, you also have to understand what is being written to see through the facade of protection on offer, and 1984 is long gone my friend. Look at current topics weeding their way into society: euthanasia, arrests without reasons, books replaced by web mis-information, child birth restrictions; the list goes on and is updated quickly as it is integrated into our society. You fear the Russian Mafia? Look into your own back-yard because it is your children who will be suffering in the new age of the American Empire through your naivety and lack of social understanding at this time. So you continue with your insular Mac existence and keep your self deception festering in your pious ignorance!

So you thought it was the British Government!
by jolysmoke / April 28, 2010 5:56 PM PDT

For those with fewer paranoid delusions about Her Majesty's Government being the creator of rogue antivirus programs, I submit just one of many reports in my archives showing AV firms pointing the finger at the Russian 'partnerka' and specifically mentioning rogue AV as one of their distribution products. It may be an eye-opener for some. For others it will just be further proof that the world press generally and the respectable AV producers in particular are all in the pay of HMG. (Actually not the Government I live under and pay taxes to, despite the brilliant detective work of Mr Gee!). Incidentally it also gives information on the attempt to plant Trojans on Macs by the Russian mafia by using a fake video codec, so don't suggest I am blissfully unaware of the fact that the Russians are tempted by Macs. It's just that they were not all that successful and the drying up of new Mac Trojans suggests they have concluded that themselves. Read my many other contributions on this very thread too.

http://www.sophos.com/security/technical-papers/samosseiko-vb2009-paper.pdf


For those interested in how important identity theft now is in the motivation behind malware distribution, I pass on the following links to read up on:

http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9811

http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9601

Perhaps HMG will now release Robert Mugabe's thugs upon the general population of GB and USA as a vengeance for such revelations, Mr McGee....?

(NT) Shortsightedness of the Mac Brigade
by GeorgeGee69 / January 12, 2010 5:55 AM PST
In reply to: GO MAC

RE: GO MAC
by KHAIMANG / February 16, 2010 12:59 AM PST
In reply to: GO MAC

re: the pop-up window that ruined my PC
by Marcia Lynn Hunt / November 20, 2009 9:09 AM PST

I had a similar problem. For weeks a window kept appearing that looked like a Microsoft message telling me that I had horrible viruses and to let it scan my computer. I ignored it as my computer was running fine and my antivirus program hadn't reported issues. One day the window popped up and got on my nerves. Without thinking I clicked yes when it asked to scan my computer. I immediately regretted the choice as I hadn't researched the window/message via the internet as I normally do to see if it was legitimate. Of course it was a malware program that stopped me from accessing any program on my hard drive and prevented me from getting onto the internet. I rebooted again and noticed a safe mode choice. I selected it. Got to the control panel where I selected a restore point from a month before when the message didn't appear and rebooted. I was proud of myself as this solved the problem very simply. I have never been plagued by it again. I don't know if this would have helped in your case but it might. I was thrilled not to have to reformat the hard drive.

Are you using Internet Explorer?
by bjnovack / November 20, 2009 9:16 AM PST

If so, then simply changing to a more secure browser may cure the problem for good. Even better would be to install Mozilla Firefox with the NoScript add-on to block scripting except when you want it to run.

IE, especially if you never shut ActiveX down, is very insecure.

Firewall your computer
by mangesh_mk / November 20, 2009 9:16 AM PST

Hi,

First, get yourself a better anti-virus software. Something that updates itself every few hours. This ensures that the virus definitions database on your PC is updated and you can hope to be better protected. Second, install a firewall. A firewall will prevent any software from interacting with your PC without you being aware of it. This is the kind of pop-up window you will love. Just be sure that it is your firewall pop-up before you click on the OK button. Lastly, a lot of pop-ups with malicious code have the 'OK' as well as the 'CANCEL' button programmed to do the same thing. Infect your computer. Even the 'X' (Close) button at the top corner is programmed to do exactly the same. The best option here is to use ALT+F4 to close the window instead of clicking it closed. Again, the page is programmed in such a way that the moment you close the window, another pops up. If repeatedly pressing ALT+F4 doesn't work, the best thing to do is simply hard boot / restart your PC. That's the safest. All the best

malware masquerading as antivirus / infection alerts
by josephdez / November 20, 2009 9:24 AM PST

Many of the programs that offer to scan your PC (or even force you to scan your PC) are in fact installing rogue viruses or trojans, i.e. Malware Doctor. I am submitting these responses by others who know better than I do....
Best Answer - Chosen by Voters
These fake anti-virus/anti-spyware programs are becoming a very common problem! Here are steps to get rid of this rogue infection once and for all.

SHORT VERSION:
1 Use another computer to download Malwarebytes from www.malwarebytes.org
2 Rename the downloaded file to something like HELP.exe
3 Transfer the renamed file to a thumb drive or CD.
4 Boot the infected computer to SAFEMODE
5 Install the renamed file from the flash drive or CD.
6 Run the program.

LONG VERSION:
Info on this type of infection from bleepingcomputer.com:

This is a new rogue anti-spyware program. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.

This program has only one purpose and that is to trick you into thinking you are infected so that you purchase it. Please ignore any warnings that this program may display and instead use the free program below to remove this program and any associated malware.

You MAY be able to download, install and run Malwarebytes anti-malware program from www.malwarebytes.org, or you may need to use a clean computer to download the program from www.malwarebytes.org and copy it to a flash drive or CD. Then transfer the install file to the infected computer and install and run.

Occasionally you will not be able to run this program without being in SAFE MODE. To get there, reboot your computer and tap the F8 key, repeatedly until a menu comes up. You want to choose SAFE MODE WITH NETWORKING.

If you still are unable to run this program, you may need to RENAME the downloaded file to something like HELP.EXE before you transfer it to the infected computer or you may be able to RUN the program directly from the flash drive.

Don't Believe Pop-ups That You Don't Really Know
by cdcjeff / November 20, 2009 9:25 AM PST

This is the new favorite destructive "virus" for bad guys trying to extort money from PC users... you go to a website you have never visited and unbeknownst to you it installs a stealth program behind the scenes. Then it starts sending pop-ups that are designed to look legitimate, telling you that you have a virus or spyware or malware, and to click the button to download a piece of software to help clean the problem. At the same time it changes your system to prevent all the normal methods to find and delete the program causing the fake pop-up warnings.
The best way to solve this problem is to use the System Restore feature of Windows XP (not sure about Vista and Windows 7 yet). To get to System Restore, go to Start > Programs > Accessories > System Tools. Then follow the screens to select a date before the "virus" was introduced to your system. System Restore must be turned on prior to this problem occurring. You can do so from the System Restore tab of the System program in the Control Panel.

Forgot...
by cdcjeff / November 20, 2009 9:32 AM PST

You might need to boot to safe mode before running system restore since some of these pop-up malware viri will disable your control panel or otherwise make it impossible to get anything done.

Malware
by pegpluscol / November 20, 2009 11:37 PM PST
In reply to: Forgot...

They say there's a sucker born every second. May I go a little further to imply that they are even 'born again'. I was looking for a registry cleaner after being harassed by one I paid for. So I went online to find one that may harass me to a lesser extent. Lo and behold, I find a FREE registry cleaner. My common sense (emphasis on common) told me that 'you get nothing for free and very little for a sixpence' (very old saying from the days of sterling and yore). So I opted for it. This thing went mad. It filled my screen with scrolling lists of errors in registry. After a loooong while, when I was just about to cancel, up comes another BIG warning in RED. 'There are 756 serious errors in your registry. Press (something or other) to list these.' Up comes a whole lot of mumbo jumbo that would even stymie lord Gates. I smelt a rat and immediately erased the damned thing because the previous day my ex-registry cleaner told me that all is now well. Be warned.

XP restore is an option
by Jiri_AVG AVG Staff / November 22, 2009 4:23 PM PST

.. but I've already seen a few malware that resist (they mark themselves as restorable). So my suggestion would be:

- unplug PC from network/Internet; if your PC is networked with other computers, make sure to isolate the one infected (check others to be 100% sure)
- try the System Restore function (as many described here)
- if the problem doesn't fade away (icons in system tray, desktop and pop-ups persist), check your PC with some online scanner and maybe also the malwarebytes application, that might help

this kind of malware is usually a trojan horse, so be careful when going online from that computer, since some additional threats may be downloaded into your computer.

All in all, every malware is highly specific (sometimes just with minor functional changes), hence it is very difficult to provide one exact path that would work (apart from reinstalling the computer, of course).

If all the advice didn't help, try sending us a screenshot to check what kind of popup gets displayed; maybe a list of running processes would also be handy.

Jiri

Look for strange names
by lordryoko / December 4, 2009 10:22 AM PST

The task manager is your friend, use it. When the window pops up, it's because a file has already been planted in your system and is running. When the window pops up, as has been said before, don't click anything on that window, instead bring up the task manager (Ctrl+Alt+Del or right click on the task bar) and look for a file that looks strange. It sounds silly but most of these have file names with numbers or all capital letters or just pretty weird. Click on the file and then click 'End Process', it will give you a warning and you click end process. From time to time it's good to look and see what files are running on your computer. Don't mess around too much with it though, although most problems that you will do can be restored by a simple reboot. By the way processes not to end will be explorer (although this can be useful sometimes), svchost, rundll32, winlogon, services and winint. There may be some others depending on what you are running but those are the main ones. Good programs that I have used are Ultimate Troubleshooter and Tuneup Utilities. They both can tell you what is running, along with a description of its purpose and what file will be run at bootup (of windows not bios). This can also help you get rid of unwanted files. Spybot is free and good too. Hope this helped.
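
The process check described in the post above, sketched as an added example (it is not part of the original post and was not written by its author). It goes a little beyond the post by also checking which folder a process runs from; the expected folders, the folder markers and the process snapshot are assumptions constructed for illustration.

```python
import ntpath
import re

# Processes the post says not to end, mapped to the folder each normally
# runs from. The folder check is an addition to the post's advice: malware
# often borrows a system process name but runs from somewhere else.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Folder markers treated as user-writable drop locations (assumption).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def triage(process):
    """Return the reasons a (name, path) pair deserves a closer look."""
    name, path = process
    base = name.lower()
    folder = ntpath.dirname(path).lower()
    stem = ntpath.splitext(name)[0]
    reasons = []
    if base in EXPECTED_DIR:
        # A core process name is only trusted in its usual folder.
        if folder != EXPECTED_DIR[base]:
            reasons.append("system name running from unexpected folder")
        return reasons
    # The post's heuristics: numbers or all capital letters in the name.
    if re.search(r"\d", stem):
        reasons.append("digits in name")
    if len(stem) >= 4 and stem.isupper():
        reasons.append("all-capital name")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("runs from user-writable folder")
    return reasons


def review(snapshot):
    """Map each flagged process path to its reasons; clean entries are omitted."""
    flagged = {}
    for process in snapshot:
        reasons = triage(process)
        if reasons:
            flagged[process[1]] = reasons
    return flagged


# Constructed process snapshot (names and paths invented for this example).
SNAPSHOT = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
    ("AV7731.exe", r"C:\Program Files\AV7731\AV7731.exe"),
    ("updater.exe", r"C:\Documents and Settings\user\Local Settings\Temp\updater.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for path, reasons in review(SNAPSHOT).items():
        print(path, "->", ", ".join(reasons))
```

A flag here is a lead to investigate, not a verdict: plenty of legitimate programs have digits in their names or run from a user profile.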

Disconnect your online...forget system restore
by fantasyva / November 23, 2009 1:57 AM PST

System restore always seems to be the first thing compromised after a hack attack. The BEST thing to do at the start of any attack is to isolate your computer and take it offline. Turn off your modem, pull your DSL, do whatever you have to do to get offline. Then you can take your time to do whatever you need to do to remove any harmful programming.
By the way, I know this is an open thread, but do you Mac posters get paid by Apple? Really, it's annoying for someone to post that they have a PC problem that they need advice on and have to scroll through inappropriate content relating to Macs. Maybe y'all could start a separate thread.
Also btw I disagree that malware and viruses are random acts. I believe a lot of them are generated by software companies selling antispyware and it wouldn't be far fetched to think that some of it might be generated by anyone competing with the pc platform.
It isn't wise for anyone to be too dependent on computers. I have heard of no prosecution that allows for users like us to be compensated when programs crash our computers. We need to look at why not, and whatever happened to consumer protection in the US anyway?
