What is Scareware?

Category: Security

"I've heard of software, shareware, freeware and malware. And I think I know what all those things are. But what exactly is scareware?"




Don't Fall Victim to Scareware

What is scareware? You're surfing the Net and all of a sudden a screen pops up warning you there is a problem on your computer. You're not sure if it's real or not, so what do you do? Be careful, it could be scareware. I define scareware like this:

SCAREWARE: Software that is created for the purpose of tricking people into downloading or purchasing it, when in reality it's either unnecessary, marginally useful, or outright dangerous. Scareware programs often run a fake or cursory scan, then present the user with a list of hazards that must be corrected. Fixing these "problems" then requires the user to pay a fee for a "full" or "registered" version of the software.

If you see a popup like the ones on this page, or messages like "CRITICAL ERROR! - REGISTRY CORRUPTED" or "WARNING - PRIVACY VIOLATIONS FOUND" ...then your scareware spider-sense should be kicking in. Scareware popups often warn about problems with the Windows registry, tracking cookies, spyware or viruses. The names sound innocent enough... Scan & Repair, MalwareCore, AntiVirus 2008, AntiVirus 2009, AntiVirus Plus, 2010WinDefender, XPDefender and WinSpywareProtect. Sometimes the message will have flashing elements, and that should be the first indication that something is wrong. You may be instructed to visit a web site to download a registry cleaner, or to click on something in the message that will diagnose or correct your supposed "errors" for free.

Some people are tricked into downloading free diagnostic tools that run a scan (or pretend to) and then present you with warnings about spyware or evil cookies that were detected. Typically, you must "register" the software to activate or download the code that will fix your problems. You may be charged $39, $49, or another amount, but you may also be giving your credit card and/or bank information to identity thieves.

Some scareware programs are marginally useful, and will actually diagnose and fix certain problems. But there are plenty of free and reliable tools that do these things. In other cases, the scareware is actually infecting your computer and requiring that you buy their product to get rid of it. The scareware problem has become so widespread that Microsoft and Washington State's Attorney General have filed lawsuits against some of the perpetrators.

BOTTOM LINE: Do not click, do not pass go, do not fall for the scam. If you have ANY doubts, ask a computer savvy friend or your tech support person at work. If you have no friends and no job, just close the popup using the little X in the upper right hand corner.

What About the REAL Error Messages?

Of course, you may occasionally see a warning or error message appear on your screen that's legitimate. Windows may ask for permission to install some new software, or warn you that some other program is trying to modify your system settings. If you are in fact installing new software, you can be pretty sure that it's safe to proceed.

Windows may also alert you that some critical patches are available to download or install. When this message appears in a balloon attached to the taskbar at the bottom of the screen, you can trust it. This is the Windows Update mechanism, and you should use it to keep your Windows system software updated.

Your anti-virus or anti-spyware program may find something, and ask you if it should be deleted or quarantined. If you recognize the warning as definitely coming from a security tool you have installed, then it should be safe to heed the warning. Again, when in doubt, just close the message without clicking on anything inside the popup window.

And of course, take pro-active measures to protect yourself. Use a firewall to lock out intruders. See my articles Do I Need a Firewall? and Free Firewall Protection for more info on firewalls. Install high-quality anti-virus and anti-spyware protection. My article Should I Buy Anti-Spyware or Anti-Virus Software? will point you to some excellent FREE tools to protect against viruses, spyware and other cybernasties.

Have you been affected by scareware? Do you have any tips, words of warning, or questions? Post a comment below...



Posted by Bob Rankin on June 4, 2009 06:57 PM



Most recent comments on "What is Scareware?"


Posted by:

Keith Paterson
04 Jun 2009

I recently had to cure a scareware problem that would not let me into Windows or Safe Mode. It was Privacy Center. I stopped it with Task Manager then used New task to invoke Restore from c:\windows\system32\restore\rstrui.exe. This should work for most people because they would be unable to use their PC while Privacy Center is on board, so one doesn't have to go back too far. However, I still found it in Add/Remove called PC and even after removing found a 3 meg folder in Programs. There were a couple of references to PC in the register but none of the many programs mentioned by others on the net. Very persistent.


Posted by:

ABD
04 Jun 2009

Talk about scareware! I answered an ad in a reputable newsletter for Registry Cleaner Pro. Free scan and fix at least some of the problems it finds, free. They found nearly 500 problems, but said they could fix none without my buying the product. Well, over half were only tracking cookies, and there were some other categories I recognized as no big deal.
But I could not get their page off my screen. No close button. No other button that worked to move on out, tho I'm sure their buy now button worked. My Start button had been deactivated, so I couldn't shut down properly. Mousetrapped. Buy or Die.

Cut the power. Booted up again, and there they were again, my friends from registry cleaner pro and their unwashable window. Cut the power again, same result. Now getting desperate. Only other button I hadn't tried was "Scan," which I had activated at the beginning to, well, scan.
It started scanning all over again. Wouldn't stop until it was done, 15+ minutes later. But this time when I refused the offer again, it closed the window and put me into desktop. Wow! Rebooted, and, agony!, their page again! Did the scan trick again and half an hour later back to desktop.
Went into Find and started deleting their files. Some wouldn't delete. Went into Control Panel, Uninstall and there it was. Deleted with prejudice. Never gave them OK to install to begin with and I'll be taking Zone Alarm to visit the woodshed. Emailed RCPro about the problem with their software. They replied, telling me how to get it off the startup menu with msconfig (which doesn't work with W2000 and it wasn't just the start program I wanted it off) and told me I needed to improve my uninstall skills so I would not be using their paid-only customers board to send them incoherent emails that took me hours to compose.
My question: I know what scareware is, but is this what's called, 'insultware'?


Posted by:

jack mccurdy
05 Jun 2009

You just gave people instructions on how to get infected. You NEVER click the X. That X will start the malware installation. You can not click any part of the pop up. I can't believe you told them to do that. It may work on some of them. But not on the worse ones. You either use task manager, if you can find it on there. But the safest and most reliable way is to reboot your computer. That is a pain in the rear, but it is virtually fool proof. If you can get rid of it by closing your browser. Then that is ok too. And if it won't work. Then that is a bad sign. That malware maker can make that X do anything they want it to. Now why would they make it get rid of their rogue program? Should people really find out the hard way, if their pop up is safe to click the X on? I think not. I build and repair a lot of computers. So I know what I'm talking about. My custom built computer stays clean as a whistle.

EDITOR'S NOTE: No, the little red "X" in the upper right hand part of the window will NOT activate anything. It's not part of the "content" of the window -- it's a window control on a browser window, and cannot be usurped. The only thing it will do is close the window. Now granted, sometimes there is a fake "X" *inside* the window, and clicking that can be trouble.


Posted by:

Christine
05 Jun 2009

I'm one of those "computer savvy" friends that people call when they fall prey to these scare tactics. I cannot even count how many times I have told friends NOT to click on any of these "security warnings," or how many times I have had to fix their problems after they have clicked on these so-called announcements. It is a shame that every day people cannot get on line to check their e-mail or do some research or just for a little relaxation with games without being bombarded with such low-handed tactics. Obviously these perpetrators have a mind worth using, why not use it in a legitimate way to make money instead of scaring people into spending their money?


Posted by:

Brian
05 Jun 2009

This area is a pet peeve of mine. Even legitimate programs, with a primary remedy function being the registry, cause me to raise an eyebrow. For instance, run program "A," and it will show 4 errors of type "a" and 100 of type "b." It suggests that if you upgrade to the paid version that you can fix 200 other errors. If you "fix" the initial errors and run the program again, you'll see yet more errors. If you run another competing program, you'll see yet more errors. There is no way to know whether it is doing anything; with the exception of emptying the Trash, everything is a leap of faith. You're dependent on the advice of "professional" - and hopefully unpaid (by the software maker) - reviewers.


Posted by:

ray cooper
05 Jun 2009

Ditto on the comments Bob. I actually had a problem from one of your links, Paretologic.
I still find it popping up in obscure places as I try to speed up my computer. Guess I will have to rely on my present stuff. I was even stopped by my 'Vipre' on a trusted site that was offering an update to revo uninstaller. I'll have to check back on that. Thanks....Ray


Posted by:

John S Grek
05 Jun 2009

Bob, you're almost guilty of the same thing! You need to stop having that ad appear out of nowhere to sign up for your newsletter, and then when you click it to close, it leaves a popup ad for Netflix or some such thing. Get rid of that stuff. I understand the need for advertising, but you're better than that.

EDITOR'S NOTE: John, you're comparing big apples to small oranges. First of all, the newsletter slide-in will only appear once every 14 days -- unless you're blocking cookies. Then you'll get it every time. And if you subscribe, you'll never see it again. Second, the Netflix ad has no connection to my popup. It just happens to appear in the same place on your screen (but not on mine). You'd see it regardless of whether the newsletter signup form appears or not. And its frequency is controlled by cookies as well. You're not blocking cookies, are you? That whole "cookies are evil" thing is so 1990s...


Posted by:

Mary
05 Jun 2009

In late Aug 2008, my computer became infected with Antivirus XP 2008. I was researching info about Vista and went to a legitimate website I've used many times before. All I did was open the website and I became infected. It was that fast. My wallpaper changed to a "warning", the Desktop Tab had been deleted from the Display dialog box, etc. I had good success removing the problem by following the instructions at bleepingcomputer.com (which used a free scan from malwarebytes.org). The scan from malwarebytes.org is also effective at detecting several other common rogue programs.

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

http://www.malwarebytes.org/

Bleepingcomputer has another tool called ComboFix which is similar to HijackThis, now owned by Trend Micro.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

ComboFix and HijackThis usually require the assistance of trained personnel to interpret the results and figure out which registry entries can be safely removed. Trend Micro has another stand alone tool called HouseCall that might also work. But once infected the only absolutely sure method to guarantee all of the rogue program is removed is a reformat and reinstall of the OS.


Posted by:

JimH
07 Jun 2009

Posted by: ABD 04 Jun 2009

To ABD: When I found that W2000 did not have MSCONFIG I went to another O/S and copied the file and pasted it into W2000. It works great as always.


Posted by:

Chris
23 Jun 2009

bleepingcomputer.com is handy. Antivirus2009 is malicious - kills AVG, AdAware, Spybot, etc, but replaces them with icons that look the same but do nothing. It hijacks IE and firefox and provides what looks like search results in all the major engines that are positive reviews of AV2009. I normally google the name at the top of the window I can't get rid of, from an uninfected machine, to find removal instructions...

And just a note - not trying to be contrary, as Bob is a pretty smart cookie - but some js-based popups do not have a windows style window frame with an 'x' in the upper right hand corner, and therefore a malware could (and has - I've seen them) draw a window that looks like a normal Windows frame with an 'x', but actually have it do other things. As a matter of fact, the newsletter slide-in window mentioned previously doesn't have a normal windows style frame and windows provided 'x', either...

EDITOR'S NOTE: You're correct that some DHTML popups and slide-ins can draw their own window frame and include a simulated red X. But even clicking that, the "damage" would be limited to what Javascript can do on the local machine. Which isn't much, beyond changing the elements on the current page. Unless the machine was already seriously compromised, I don't think that JS can launch a program or initiate an install without user interaction. If I am wrong, I'd love to know, and will happily eat a well-deserved slice of humble pie. :-)


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- What is Scareware? (Posted: June 4, 2009 06:57 PM)
Source: http://askbobrankin.com/what_is_scareware.html