Saturday, November 6, 2010

Be Cautious of Windows Security Alerts

I've shared a lot of information in the past about the dreaded Windows Antivirus program.  It's a malware program that has been infecting many of my clients' computers over the last couple of years.  While its behavior stays the same, the rogue program keeps changing names and getting better at evading removal.

We know that it gets onto people's computers while they're surfing the internet.  All they have to do is click a link to an infected page and suddenly they find themselves confronted with several pop-up windows telling them their computer is infected.

The problem is that it's impossible to narrow down which web site is infected, because .... well, countless web pages are infected.  Today, I was doing research for my genealogy web site and was searching for genealogical societies in Pennsylvania when I stumbled across an infected site.  I thought I would share exactly what happens next so that you can take the proper steps to remove the rogue program before it infects the rest of the computer.

So as I mentioned earlier, I was searching Google for "genealogical societies in Pennsylvania" when I stumbled across the search result below.

Now if I had been paying better attention, I never would have clicked on the link, because several things stood out as red flags just looking at it.  But I was in my 4th hour of research by that point, hungry, and bleary-eyed, so I just clicked away!  Big mistake!

Looking at the image above, two things stand out (circled in red) that I should have paid closer attention to before clicking the link.  The first one is the yellow exclamation point (top right).  This was Norton warning me that this site is not safe.  The second red flag is the actual link of the site (also circled).  I'm searching for genealogical societies and the link starts out: italiaclubprive.com.  A domain that has nothing to do with what I searched for should have been a huge flag if I had been paying better attention.

Nonetheless, I missed the red flags and clicked the link.  Next I was confronted with the following warning message.

Having seen the Windows Antivirus more times than I can count, I recognized this warning message immediately and tried to cancel it.  As expected, that caused several more pop-up messages warning me my computer was infected and that I should click OK to fix the problem.  Every time I canceled the prompts, I was hit with more and was stuck in an endless loop of warning messages.

After several cancellations, I eventually got to the Windows Security Alert window shown below (confirming my hunch that this was indeed the dreaded Windows Antivirus).

At this point, there was only one way to get out of the endless loop of warning messages: I had to close my internet browser.  But of course, with the pop-ups blocking the browser's own close button, the only way to do this was to open the Windows Task Manager, find my browser in the list of processes, highlight it, and click END PROCESS.

If you're not familiar with the Windows Task Manager, press Ctrl+Alt+Del on your keyboard (holding all 3 keys down together) to call it up.  On Windows XP that opens Task Manager directly; on Windows Vista and 7 it shows a menu, and you click Start Task Manager.  Ctrl+Shift+Esc opens Task Manager directly on any version.  Then click the PROCESSES tab and find your browser in the list (firefox.exe, iexplore.exe, chrome.exe, etc.).  Single left-click it to highlight it, then click the END PROCESS button.  If done correctly, your internet browser should close.  Don't click anything inside the fake alerts themselves, not even Cancel or the close box: those buttons are part of the web page, not Windows, so any click can just trigger the next prompt.
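For those comfortable with a command line, the same steps can be done from PowerShell without touching the fake dialogs at all.  This is an added example, not something from the original post or from Malwarebytes or Norton: it force-closes the browser processes and then lists the usual auto-start registry keys and any recently written executables in the temp folder, which is where a drive-by download typically lands.  The browser process names are assumptions; adjust them to the browsers you actually use.  The registry and temp-folder checks are generic places rogue programs install themselves, not something the post identified for this particular rogue.

```powershell
# Added example (not from the original post). Close the browser without clicking
# anything in the fake alert pages, then look in the common auto-start locations
# and the temp folder for anything the rogue may have dropped before running a scan.

# Assumption: these are the browsers in use on the machine.
$browsers = 'firefox', 'iexplore', 'chrome'

# Stop each browser process; -ErrorAction SilentlyContinue skips browsers that are not running.
foreach ($name in $browsers) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Auto-start keys that rogue security programs commonly add themselves to (generic check).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Output "== $key"
        # Drop the PS* bookkeeping properties so only the actual Run entries are shown.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# Executables written to the user's temp folder in the last day; a drive-by download
# usually lands here before it is installed.
Write-Output "== Recent executables in $env:TEMP"
Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Select-Object FullName, LastWriteTime, Length
```

Run it from an elevated PowerShell prompt so the HKLM key can be read.  Anything unfamiliar that shows up in the Run keys or the temp folder is worth noting before the Malwarebytes scan, so you can confirm afterward that the scan actually removed it.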

After my browser was closed, I wanted to make sure the rogue program was off my computer.  So I opened my favorite malware program (Malwarebytes Anti-Malware), updated it and then ran the quick scan.  Sure enough it found 3 infections listed as "Rogue.Security Toolbar".  I clicked the appropriate prompts to let Malwarebytes remove the program and then rebooted the computer when prompted.  Then I ran Malwarebytes again just to verify the rogue program was gone from my computer (and it was).

You might be wondering why Norton didn't remove it.  Well, the quick answer is that I didn't ask Norton to.  I let Malwarebytes remove it instead since I knew it could handle it from previous experience.  If you recall, Norton did try to warn me when I was looking at the search listing in Google, and I ignored it.

This particular rogue program isn't a true virus in the way other viruses work.  It's scareware: it is very malicious and tries to extort money from you by scaring you into believing your computer is so infected with Trojans that you must let this rogue program remove them now (for a fee, of course).

Malwarebytes Anti-Malware specializes in these types of programs, so I trust and use it to remove them.  Nonetheless, the problem is solved and hopefully you'll be better equipped to handle the attack yourself if you're ever confronted with it.
