We have all either experienced first hand or read here in the forums about those alarming windows that pop up while you are browsing that try to frighten you into downloading a program to cure the viruses and spyware it claims to have discovered on your computer. Responding correctly to this unnerving threat can keep you from getting infected. Brian Krebs has posted an article today on his Washington Post Security Fix blog about What To Do When Scareware Strikes. I’m sure many here will find it helpful and informative.
Anyone know him well enough to get Norton Forums added?
If you still need help, consult a forum: Computer help forums such as BleepingComputer.com and DSLReports' Security Cleanup forum can be a lifesaver (BleepingComputer often has step-by-step instructions for removing specific scareware threats, such as this one designed to help victims of PolicePro, the rogue anti-virus product du jour).
Scareware is not as bad as Ransomware
Quads
Quads wrote: Scareware is not as bad as Ransomware
Quads
I also agree with Quads here; "Scareware" just shows Threats that are on your computer, but dealing money, i.e. Ransomware, for example, will be more frightening to the User.
True but these guys are sending people to other forums.
I believe SendOfJive wants people to be advised to come here.
Many of the rogue antivirus infections we see here are the results of people not knowing better and clicking in the malicious pop-up. I’m just hoping that people will read Mr. Krebs' advice and not get infected in the first place.
SendOfJive wrote:
Many of the rogue antivirus infections we see here are the results of people not knowing better and clicking in the malicious pop-up. I'm just hoping that people will read Mr. Krebs' advice and not get infected in the first place.
That's one reason to have N.I.S. 2007 and Newer, which includes Phishing Protection. Just remember, though, that Norton may not Detect all the Fake Web Sites, but will Detect quite a lot of them.
And just remember that Norton AntiVirus 2009/2010 does not have a Firewall, so this is possible where customers are Infected because they are unaware that Norton AntiVirus 2009/2010 does not have a Firewall.
At the Time of Writing, Norton 2010 Products were Not Released.
The article says to close IE with task manager. Would Ctrl F4 work as well or is task manager safer?
Floating_Red,
To quote from the article:
Respectfully, anti-phishing and firewalls will not protect you from this type of threat. This is one case where an informed user offers the best defense.
Typically, they are the result of scripts stitched into legitimate, hacked Web sites, or into banner ads that scam artists stealthily submit to some online ad networks.
Alt + F4? This is Safer than trying to get the T.M. to Open as, during that time, the Threat, Mis-Leading Application, could have caused more damage; plus, most Threats now prevent T.M. from Opening, so it's good to get into the habit of using Alt and F4 - plus, it could stop Infection.
SendOfJive wrote: Floating_Red,
To quote from the article:
Respectfully, anti-phishing and firewalls will not protect you from this type of threat.
Typically, they are the result of scripts stitched into legitimate, hacked Web sites, or into banner ads that scam artists stealthily submit to some online ad networks.
But Intrusion Prevention and Auto-Protect will, and Scanning, i.e. Manual Scanning...
Car825:
I have found that the best way to stop something is to pull the connection to the internet first. I also use Control F4 because it snaps everything closed. If you have three tabs open and use Alt F4 it asks you if you want to close all tabs. Clicking on anything is ill-advised.
Remain off the internet until you have dumped your browser cache, and temp files, and run enough scans to convince yourself that you are bug free. Then you can hook back up to the net, and update the antivirus scanners, and do it again. It takes the better part of six hours on my machine.
With ransomware, you don't want to kill it until you find out what it has done, or you may not be able to reverse it.
Floating_Red wrote: Alt + F4? This is Safer than trying to get the T.M. to Open as, during that time, the Threat, Mis-Leading Application, could have caused more damage; plus, most Threats now prevent T.M. from Opening, so it's good to get into the habit of using Alt and F4 - plus, it could stop Infection.
Do you have to rush to close the window or should you take your time and make sure it is done right? In other words, is there a time component to this? Can the popup do any damage while you are deciding what to do if you don't click anything?
Hi,
You want to Close the pop-up as quickly as possible, but you also want to make sure you know what you are doing, so you don't make the situation worse; however, should this pop-up just be on your Browser, it won't actually be installed on your computer, whereas, if it is on your computer, you will want to get a Full System Scan Completed with your Norton Product, and/or Malwarebytes' Anti-Malware. The longer you leave any Threat on your computer, the more damage it can do. And even although you have a pop-up, the Threat could be causing damage while you are sitting there watching the pop-up or "Product" work, e.g. Nortel Antivirus. Just because the pop-up appears, does not mean the Product will stop. Usually, though, when you see the "Product" Launch, that will be the Final Stage of the Threat's activity; the next one will probably be asking you to "Buy" a "Subscription", which, of course, you should not "Buy"...
There have been a number of posts here recently from people asking for help in removing rootkits and scareware. How confident should I be that NIS09 will stop these threats?
Right click anywhere in blue system tray, left click on task manager in popup window, click on end task in task manager.
Great article sendofjive! Very informative.
car825,
Keep in mind that no security program is perfect and all of the people in these forums who have been infected with a threat NIS cannot detect/remove together represent (my guesstimate) less than .001% of all Norton users worldwide (especially if you count both personal and corporate computers running Symantec/Norton products).
NIS09 is a very good security program and will do its best to keep your computer from becoming infected. As I believe Floating_Red pointed out before, a lot of times if the scareware is occurring inside your browser you are not yet infected; at first it is just a show. This actually happened to me about a week or two ago. A site I navigated to had a malicious banner ad that essentially played a video designed to make me believe my computer was being infected and at the end of the sequence get me to download a fake AV program.
That is why it is called scareware. It is meant to scare you into infecting your own computer by mistake. The hacker pulling the strings wants you to do all of the work for him/her.
I think Symantec's slogan for Norton 2010 Products should be:
Next-Generation Security Product - Today!
A while back (after I downloaded Internet Explorer 8), I created a one-click "Kill Internet Explorer" script that does the same thing as closing the process in Task Manager, except that all you need to do is click on the icon for the script. The reason I created it was to close Internet Explorer when it locked up, but it can also be used to QUICKLY close IE in an emergency such as this (where malware is attempting to infect your computer). The script is written in the AutoIt language and it only contains one line. Just download AutoIt (free program) and compile the script and call it "Kill Internet Explorer.exe". Then put it in your Quick Launch area. Here is the script:
ProcessClose("iexplore.exe")
Coincidentally, yesterday after reading the posts in this topic, while viewing a page at the NY Times site I got my first pop-up scareware; tried Ctrl F4 and Alt F4, nothing happened except the My Computer window appeared with a scan bar running. I immediately physically disconnected from the internet and ran a full system scan with NIS 2009 16.7.2.11; the only item found was a tracking cookie. Figured I was good to go and didn’t do anything else.
Today I again was viewing pages at the NY Times and got another pop-up scareware, again no joy with either Ctrl F4 or Alt F4, disconnected cable and ran a quick scan with SUPERAntiSpyware, un-updated. The results surprised me, see attached screen shots.
SUPERAntiSpyware required a restart to complete and on restart the screen came where I had to use the last known good configuration. After restart connected to internet, updated SUPERAntiSpyware, ran full scan and came up clean.
Restarting Firefox shows “My computer online scan” in the history for today but not for yesterday.
The NY Times main page had seemed for the last few weeks to be running oddly but now it appears to be working fine.
I'd like to thank the forum posters as I probably would not have physically disconnected if I had not read that recommendation in these posts.
Windows XP SP3, all updates
NIS 2009 16.7.2.11
Firefox 3.5.3