Earlier this evening while surfing with Firefox I got a 'Warning Your System Is Infected So With Virus Doctor Will Scan It' spyware scam popup.
I knew better than to click 'OK'. That would start it. I knew better than to click the 'Close (X)' button, because that would start it.
I closed Firefox, but that didn't remove the popup. Finally, I took a chance on doing an Alt-4 close, and it started.
At this point, I'm not sure what I typed, or clicked, but a menu came up, 'Do you want to navigate away from this page?' and I did. I hope it worked. (If I hadn't been in panic mode, I might have thought of doing a Control-Alt-Delete/Windows Manager and ending the process there; but I was and I didn't.)
Nonetheless, here's a prediction:
One day, sooner or later, the spyware spam criminals will create a popup which will begin or continue working even after disconnecting (or even running Windows Manager); the only thing which will stop it, seemingly, will be to manually shut down the computer . . . because using Start, Turn Off Computer will also cause it to work -- but when the system is rebooted . . . the scam popup will reappear. The only way ever to get rid of it will be to remove the hard disc, have it physically destroyed, buy a brand-new pc, and start over from scratch. Forget about backing up files. If you try it, that'll run the scam too.
An alternative to buying a new pc would be destroying the Internet, but for most people, that would be too difficult.
It would be a good idea to run a Malwarebytes or Superantispyware scan to get rid of anything this might have left.
If you don't know these, get the Free versions which don't run in the background but only on command, install them, update them and run them as a full scan -- although that can take time so there is probably no harm in running a quick scan first?
Wayne,
Not just a good idea to run Malwarebytes, but essential. The probability is when you said YES to navigating away from this page, you installed some kind of malware. As you said, Control Alt Delete would have been the better way to exit.*
* Or run Process Explorer and use it to stop running processes.
http://www.download.com/Process-Explorer/3000-2094_4-10223605.html
I did do a quick scan soon afterward with Malwarebytes, which reported no problems. Of course, I haven't updated it in two or three days so I need to do that and re-run the scan just in case.
I've never heard of Process Explorer; I'll look into it.
>> Earlier this evening while surfing with Firefox I got a 'Warning Your System Is Infected So With Virus Doctor Will Scan It' spyware scam popup. I knew better than to click 'OK'. That would start it. <<
Alas, I didn't make a record of my surfing then, so I can't say what the sequence was. I do know I wasn't looking for porn at the time. . .
However, I have AVG as the resident anti-virus program, and Avira (which is not resident); plus AdAware, A-squared, Avira, Malwarebytes and Spybot for other things. The trial for Trojan Remover expired, but fast scan still runs shortly after boot: it keeps reporting a hidden file named 'xxyyvTJA' that can't be found because it may have already been renamed; unfortunately, I can't find any information that I took care of it before TR expired. However, I searched for that file via Google, and the only hit I could find was to an anti-malware program--which I can't recall the name of offhand--which claimed that it was among the malware which All Other Programs But Itself could find. Further inquiries indicated that (1) The 'free' ver$ion wa$ for $can$ only; repair$ required the premium model. (2) Some commenters suspected it tended to show 'false positives' and (my words) omg-user-you-have-all-these-bad-files-on-your-pc-that-only-OUR-software-can-remove results.
Needless to say, I realize these comments went far astray from your inquiry. Ah! almost forgot: I've run Malwarebytes twice in the last two days--the last earlier this morning and with the most recent update--and it found no malicious files. I just hope it would find the mysterious xxyyvTJA under whatever name it has if it was a problem.
This is a followup to the previous reply to Peter Creasy:
I Googled 'xxyyvtja' again, and discovered only four references: two were non-English, and the others linked to 'Prevx,' which is the program I couldn't recall the name of. Below is a partial copy of its information; I'll leave it to anyone who wishes to seek out the web site:
Your PC is infected. The file called XXYYVTJA.DLL is considered unsafe and there may be other infections on your PC. [I hadn't run a scan, btw]
You should urgently check your PC and remove any malicious software including XXYYVTJA.DLL as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.
Now, here's the scary and disturbing part.
THERE IS NO, REPEAT, NO OTHER REFERENCE TO 'XXYYVTJA' ANY WHERE ELSE ON THE WEB.
Compare that, if you will, to thousands, nay, tens and hundreds of thousands of cites you can find to just about any malware, virus, trojan, worm, what-have-you via search engines, along with advice about how to get rid of them; hell, think of how much advice there is in this forum about what software is most usable for this virus or trojan etc. and that one. But all anti-malware programs are helpless against 'xxyyvtja.' Spybot Can't Find It; Avira Can't Find It, Norton Can't Find It; Kaspersky Can't Find It; Malwarebytes Can't Find It; Microsoft Can't Find It. Only 'Prevx' can find it (along with thousands of other malicious files that only it can find.)
Should I be somewhat concerned?
>> ... short of space
Oh, ok! It's been taken care of: I moved several files to CDs and DVDs, then got SAS, installed and ran it. Needless to say, it found a lot of tracking cookies--all such programs find a lot of tracking cookies--but it also found nine items in the registry. Of course, there's no way of knowing whether they've been there, undetected by, for example, Malwarebytes; or if they had just been picked up and SAS happened to catch them. Come to think of it, to my knowledge, no anti-malware program specifies in its reports when a suspicious file was acquired so one might get an idea regarding the circumstances (unless that's a feature of commercial versions only), so I suppose these programs must be treated like hand-washing: done at every opportunity and after handling any Internet.
There seems little doubt that Malwarebytes and Superantispyware are usefully complementary. Over in the Norton Forums someone had their desktop and internet access taken over by malware:
<< ... phony anti-spyware program "Privacy Components". It has displaced the Windows desktop with its own page. I can access my programs only by going through Windows Task Manager (on Windows Home Premium). >>
Superantispyware did not pick it up for removal but Malwarebytes did and returned the PC to as it was before -- I'd been afraid that it might remove the malware but leave a mess behind it.
So far as I know the main difference between Free and Paid is that the Paid runs continuously in the background which is not really desirable when you have other AV and Security software running. But I've not delved into that -- others here should know more.
Firefox 3 here along with Kaspersky AV have caught quite a lot of these FWIW. The user would have to make quite an effort to become infected.
If indeed your problem was cookies, then perhaps a cookie manager like Cookie Monster would be of some help.