
  • Friday, June 24, 2005

    Removing rogue pop-ups


    Question : Every time I'm on the Internet I get pop-up wallpaper messages from "http://www.advnt>O1-sfondi Desktop-Micro...". With that, the connection to the Internet is disconnected. How can I remove this pop-up?

    Answer : Rogue pop-ups are a typical symptom of a virus, Trojan or adware infection. Here's a basic guide to what happens, how it happens, and how it can be stopped.

    There are generally two types of malware on a Windows PC: those that run as separate programs, and those that "attach" to the browser and operate from inside it. The first category is the standalone malware program. These programs usually start when the operating system starts and keep running throughout the computing session. They manage this by abusing the various ways Windows lets a program register itself to start automatically.

    For instance, a file can be placed in the Startup directory: any program placed there is executed when the user logs on. Just as commonly, the program is registered under one of the "Run" keys in the Windows registry, which Windows reads at every start-up. A Trojan can quite conceivably do either. The result is that the program starts whenever Windows starts, and stays resident for the whole session.

    A resident program can also hook the keyboard and watch the data the PC sends and receives. This means, of course, that a malicious program can capture sensitive data such as passwords and personal information as they are typed.

    At this point, some people might be thinking, "But we only use sites that support SSL (secure sockets layer), so our data is safe." That assumption deserves a closer look. To address it, we'll have to look at what SSL does, and how it attempts to make data transfer safer.

    SSL is a protocol that encrypts data in transit between the browser and the Web server. It works this way: a user visits a site that supports the SSL protocol. Such pages are distinguished from "normal" Web pages by an address that starts with "https://" instead of "http://". Any time one sees "https://" in the browser's address bar, one can be reasonably certain that the particular Web page is being served over SSL.

    As an example, try typing "http://mail.yahoo.com" ( without the quotes ) in the browser's address bar. This will display Yahoo's "normal" sign-in page. However, if "https://mail.yahoo.com" is typed in, the secured sign-in page will load. Both pages look the same; the only difference is that with the SSL (https://) page, the data a user types in is encrypted before it leaves the PC. This keeps it hidden from anyone sitting on the network path between the PC and Yahoo who may have an interest in obtaining it.

    Let's look a little more closely at where that protection begins: the user types in the data, the browser encrypts it and then sends it off to its ultimate destination. The encryption only happens after the data has been typed in and handed to the browser. Suppose a program on the PC is able to intercept the keystrokes before the browser receives them. What will happen then? Data sent to the "secure site" will be no more secure than data sent to any "normal" site.

    The point we're trying to make here is that SSL only secures data transmission over the Internet. If the data is intercepted on the PC before it can be encrypted, it is still compromised. So using an SSL site is not a guarantee that anything anyone types in is secure; it only protects the data while it travels over the network.

    If a Trojan that intercepts keystrokes is running on a PC, it is entirely possible for the data to be captured before it's encrypted. As such, it's a misconception to say that if one uses an SSL-capable site, the data one enters will be completely secure. It is true that, once it is encrypted, data entered into a page that uses SSL is safer than data entered into a "normal" Web page, but as the old saying goes, there's many a slip 'twixt cup and lip.

    The second category is the "browser helper object", or BHO. A BHO is a DLL that Internet Explorer loads every time it starts; it runs inside the browser itself and can see, and change, every page the browser loads. BHOs are not placed on the Web site's server: they are installed on the PC and registered under a known key in the Windows registry, which is how Internet Explorer finds them. Legitimate toolbars and download managers use BHOs, and so does a great deal of adware. A rogue BHO usually arrives bundled with something a Web page offers to install; in Internet Explorer that offer appears as a yellow band near the top of the browser window, and clicking through it is all it takes.

    As for actually removing it, we'll have to look at what's installed on that PC and then we can offer some advice on what needs to be removed. If you could send us a log from the HijackThis program, which lists exactly these start-up entries and browser add-ons, we would be in a better position to advise.

    Based on what we have right now, the best advice we can offer is to run a malware scanner. This might clear it up. If it doesn't, however, we'll need to have that log before we can proceed any further with this.
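    The two things the answer asks the reader to look at, the start-up locations (Startup folder and registry Run keys) and the registered browser helper objects, can be enumerated with a few lines of PowerShell. The script below is an added example, not the column's own advice or a substitute for a HijackThis log; it is read-only, so nothing is removed, and it assumes it is run from an elevated PowerShell prompt on Windows so that the machine-wide registry keys and the common Startup folder are readable. For each entry it resolves the program on disk and checks whether that file carries a valid Authenticode signature, because an unsigned executable or DLL sitting in a temp or user-profile folder is the kind of entry worth investigating first.

```powershell
# Added example (not part of the original column): list the autostart
# entries and browser helper objects the column describes, read-only.
# Assumes an elevated PowerShell session on Windows.

# Extract the executable path from a Run-key command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
# Unquoted paths containing spaces are cut at the first space; that is a
# known limitation of this simple helper, not of the registry.
function Get-ExecutablePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1).Split('"')[0] }
    return $c.Split(' ')[0]
}

# Report one entry, with the Authenticode status of the file it points at.
function New-AutostartRecord([string]$Location, [string]$Name, [string]$Command) {
    $exe = Get-ExecutablePath $Command
    $status = 'FileMissing'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, ...
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Signature = $status }
}

function Get-Autostarts {
    # 1. Registry Run / RunOnce keys. HKLM entries start for every user,
    #    HKCU entries for the current user only.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell provider metadata, not a value
            New-AutostartRecord -Location $key -Name $p.Name -Command ([string]$p.Value)
        }
    }

    # 2. Startup folders (per-user and all-users). Shortcuts are resolved so
    #    the real target is shown instead of the .lnk file.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
            New-AutostartRecord -Location $folder -Name $_.Name -Command $target
        }
    }

    # 3. Browser Helper Objects. Each subkey is a CLSID; the DLL Internet
    #    Explorer loads is the default value of HKCR\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        Get-ChildItem -Path $bhoKey | ForEach-Object {
            $clsid = $_.PSChildName
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            New-AutostartRecord -Location 'BHO' -Name "$clsid $name" -Command ([string]$dll)
        }
    }
}

# Show everything, unsigned and missing files first, since those are the
# entries most likely to be the rogue one.
Get-Autostarts | Sort-Object { $_.Signature -eq 'Valid' }, Location | Format-Table -AutoSize
```

A "Valid" signature from a vendor you recognise is a reasonable sign that an entry is legitimate; "NotSigned" or "FileMissing" next to a random-looking name in a temp or user-profile directory is what to look at first, and those are also the lines to quote when sending a log for advice. The script only reads; removal still means stopping the program and deleting the registry value, file or BHO registration once you are sure what it is.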