{"id":1816,"date":"2011-05-12T18:54:06","date_gmt":"2011-05-12T22:54:06","guid":{"rendered":"http:\/\/thundercloud.net\/infoave\/new\/?p=1816"},"modified":"2011-05-12T18:54:06","modified_gmt":"2011-05-12T22:54:06","slug":"when-a-rogue-security-program-gets-the-best-of-you-make-it-like-it-never-even-happened","status":"publish","type":"post","link":"https:\/\/www.thundercloud.net\/infoave\/new\/when-a-rogue-security-program-gets-the-best-of-you-make-it-like-it-never-even-happened\/","title":{"rendered":"When a rogue security program gets the best of you &#8211; make it like it never even happened"},"content":{"rendered":"<p>Here\u2019s a tip you won\u2019t remember until you need it. But this little  tip can pull you out of some serious problems. There are several new  rogue security programs on the Web, and they all follow the same M.O.<\/p>\n<p>First you see a warning that looks for all the world like a genuine  Windows warning. The crooks are making so much money now, they can  afford to hire top-notch graphic artists that can and do design very  Microsoft-looking graphics, like these:<img loading=\"lazy\" decoding=\"async\" title=\"ROGUE\" src=\"http:\/\/thundercloud.net\/infoave\/images\/2011\/rouge1.jpg\" alt=\"A rogue security program attackes\" width=\"262\" height=\"211\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"A rogue security program \" src=\"http:\/\/thundercloud.net\/infoave\/images\/2011\/rouge2.jpg\" alt=\"A rogue security program attacks\" width=\"240\" height=\"151\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"A rogue security program\" src=\"http:\/\/thundercloud.net\/infoave\/images\/2011\/rouge3.jpg\" alt=\"A rogue security program attack\" width=\"328\" height=\"246\" \/><\/p>\n<div><img loading=\"lazy\" decoding=\"async\" title=\"A rogue warning from a rogue \" src=\"http:\/\/thundercloud.net\/infoave\/images\/2011\/rouge4.jpg\" alt=\"A warning spawned by a rogue \" width=\"404\" height=\"129\" \/>A 
warning spawned by a rogue security program<\/p>\n<\/div>\n<p>All 4 of the pictures above are actual examples of rogue security  programs. They\u2019ll try to get you to purchase them in order to clean the  problems they find \u2013 but the problems they find aren\u2019t real. Purchasing  one of these rogues is, in essence, equivalent to buying spyware \u2013 and  you may be offering up your credit card number, phone number and\/or home  address to the crooks behind these scams. It\u2019s like a triple whammy.<\/p>\n<p>The four examples above are just a few of the many rogues which are  currently being distributed on the web. There are new ones appearing  every day, and most of the time the new ones are simply old ones with  new names and updated user interfaces. Some of these rogues spawn  full-page alerts (or popups) that always stay on top of all other  windows, no matter what you do. These kinds are particularly annoying  because you can\u2019t access your browser, Windows Explorer or any other  program because the rogue window is always on top. Some of these  full-page alerts and popups have no \u201cX\u201d in the top-right corner with which to  close them, some do but the \u201cx\u201d does not work, while some work but only  close the alert or popup window momentarily. The above photos were  taken from Microsoft Security Essentials after it detected a rogue  trying to install itself on my Windows 7 laptop.<\/p>\n<p>You can get these rogue popups simply by visiting a web site. We  wish we could give you a list of these sites but there isn\u2019t any way to  do that. The sites distributing these rogues may be legitimate sites  which have been duped into \u201cselling\u201d these rogues, they may be sites which  are owned by less-than-honest business people who are trying to make a  quick buck by partnering with the crooks who make these rogue security  products, or they may be sites created by the crooks themselves. 
And even  if we could give you a list of sites \u2013 it would change and grow every  day \u2013 there\u2019s just no way to keep up with them.<\/p>\n<p>But you don\u2019t need to know the sites, all you need to know is this:  When a warning appears telling you that a virus or Trojan has been  detected on your computer \u2013 DO NOT PANIC. Take a deep breath. Look  carefully at the warning. Pay no attention to fancy Windows-like  graphics. Look to see if the name of your security program(s) appears  anywhere on that warning. If you use Avast \u2013 does it say Avast? If you  use Microsoft Security Essentials, does it say that? If you use  SUPERAntiSpyware \u2013 does it say SUPERAntiSpyware?  You get the picture.  If it\u2019s a rogue \u2013 it won\u2019t know what security software you have  installed, but the alert usually will have a legitimate-sounding name on  it \u2013 like Windows Internet Security 2011 or similar. You\u2019re going to  have to reach down and hold on \u2013 take a deep breath and use all your  willpower so you don\u2019t click the \u201cScan and clean my computer now\u201d  button. Remember, if you do click the scan and clean button on one of  these rogues, you\u2019ll be installing it. And if you do actually install  one of these rogues, you\u2019re going to have a lot more problems.<\/p>\n<p>If you make a mistake and become infected or click a link that causes  you to be infected, it\u2019s important that you don\u2019t panic. You can  recover from this type of attack, but you need to stay calm and not do  anything crazy like click \u201cPurchase \u2026.. now\u201d, or \u201cClean your computer  now\u201d, or \u201cActivate now\u201d.<\/p>\n<p>A number of these newer rogues are ingenious in their design. Their  popups cover your entire screen when you start your computer. And you\u2019ll  have no way to minimize or close them \u2013 they give you one easy choice.  
The choice you\u2019ll have is to buy the rogue security program by clicking  the button on the popup which says \u201cBuy now and clean your computer\u201d, or  similar. It can be very frustrating to users \u2013 many of whom don\u2019t know  how to get this popup off their screens. You can\u2019t use ALT+F4 to close  it. There is no X in the top right corner, there is no icon on your  taskbar to right-click and close \u2013 and sometimes you can\u2019t see your  taskbar at all anyway.<\/p>\n<p>If this happens to you \u2013 and it will happen to some of you  sooner or later \u2013 there is a very simple solution. But you have to  remember it and you have to remember not to panic. Here is the simple  solution:<\/p>\n<p>1. Shut your computer down. The only way you\u2019ll be able to shut down  is by turning off your computer using the power switch. You won\u2019t be  able to shut down normally because your start button will be covered by  the popup. (Some of the rogues cover everything but the taskbar and the  start button \u2013 but when you click anything on the taskbar, the rogue  popup reappears as soon as you click \u201cStart\u201d or anything else.)<\/p>\n<p>2. Turn the power button on and keep tapping the F8 key while Windows  is booting. This will open your Safe Mode options. Choose \u201cSafe Mode  with Command Prompt\u201d. This is the only option you should use in this  scenario. The reason? Because it doesn\u2019t start Windows Explorer \u2013 it  opens a Windows CMD window \u2013 the black and spooky \u201cDOS window\u201d. Have no  fear.<\/p>\n<p>3. When the command window opens \u2013 and this can take some time, so be patient \u2013 you\u2019ll see something like C:\\Windows\\System32&gt;<\/p>\n<p>When you see C:\\Windows\\System32&gt; type rstrui.exe and press the Enter key.<\/p>\n<p>Sit back, grab some coffee \u2013 or if you\u2019re really nervous, grab a  double shot of Irish whiskey \u2013 and wait. 
It may take 5 or 6 minutes  before you see anything change. But take heart, it will change. You\u2019ll  see the Windows System Restore dialog appear. And when it does, you\u2019re  almost home. Choose a restore point at least 48 hours prior to the time  you started having problems and initiate a System Restore. It will take a  few minutes and then your computer will reboot. When Windows boots,  your rogue security program will be gone, no more popups, no more  trouble \u2013 it will be like nothing ever happened.<\/p>\n<p>And the best thing is \u2013 you won\u2019t lose any emails, photos, music  files, or documents, etc. The only thing you\u2019ll lose is any program(s)  you\u2019ve installed since the restore point you chose.<\/p>\n<p>This tip can be used for many other problems too. Safe Mode with  Command Prompt does not even load the Windows shell \u2013 but it does load  the Windows system files. The key is RSTRUI.EXE which you can access  from Safe Mode with Command Prompt, and then go back in time like the  problem you had never even happened.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s a tip you won\u2019t remember until you need it. But this little tip can pull you out of some serious problems. There are several new rogue security programs on the Web, and they all follow the same M.O. First you see a warning that looks for all the world like a genuine Windows warning. 
The crooks are\u2026 <span class=\"read-more\"><a href=\"https:\/\/www.thundercloud.net\/infoave\/new\/when-a-rogue-security-program-gets-the-best-of-you-make-it-like-it-never-even-happened\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[1158,1125,1157,14],"_links":{"self":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/1816"}],"collection":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/comments?post=1816"}],"version-history":[{"count":2,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/1816\/revisions"}],"predecessor-version":[{"id":1818,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/1816\/revisions\/1818"}],"wp:attachment":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/media?parent=1816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/categories?post=1816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/tags?post=1816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}