A day eaten by worms, and I recommend malwarebytes.org. How to close a malware popup offer.

View 841 Saturday, September 06, 2014

Edits and additions through Monday, September 8, 2014

“Transparency and the rule of law will be the touchstones of this presidency.”

President Barack Obama, January 31, 2009


Today was the day I was going to catch up, but at 2 PM I was still in my pajamas and hadn’t had lunch yet. I generally dress upstairs in my bathroom, so I have breakfast in my pajamas, so that wasn’t unusual; but about 10, when I was ready to go up to shower and dress, Roberta came to tell me of a tale of woe. Saturday she generally tries to Skype with one or another grandchild, and before she talked to one of them she had wanted to look up something about the education system, and she couldn’t do it. Her Internet browser exploded in advertisements, and she couldn’t even find Google. Clearly something had got into her system that ought not be there.

I went in to have a look. It was a mess all right. Something had changed the home page of both Internet Explorer and Firefox to Trovi, as well as the search engine. There were other problems. Control Panel showed me a number of programs I’d never heard of were installed. I removed several of them – Roberta couldn’t remember using them – but when it came to trovi and sizlysearch, the Microsoft operating system couldn’t remove them. Instead I was taken to a web browser page with one of those “are you human?” things to fill out which would take me to the Trove Uninstaller. God knows what that would do to her system, so I declined the offer. Task Manager showed me that several trovi and sizlesearch processes were running. I could close them, but seconds later they came back again.

Same with Internet Explorer and Firefox: I went in to remove all addins and extensions, but neither sizylsearch nor trovi could be disabled; the disable button was greyed out. There were a couple of other undisableable addins.

Since the search engines weren’t reliable as a means of finding out how to get rid of hijacked search engines, I asked my advisor team for advice, and also went up to my own systems to see what I could find. Online searches with uncontaminated systems told me that Trovi and Sizylsearch were notorious: not exactly malware, but certainly adware, and annoying. They also intentionally made it difficult to eliminate them, which moves them to malware status in my judgment.

Meanwhile, I had turned on Microsoft Security Essentials deep scan on Roberta’s machine. When I went back to her system the screen was dark. Nothing I could do with keyboard or mouse would get me a signal from it. Curiouser and curiouser. I pushed the hardware on/off button. A message about restoring windows appeared. That seemed a bit odd, but Windows came up all right, along with a Microsoft Security Essentials report that it had found WORM: Win32/GAMARUE and removed it. Looking that up advises me to scan any hard drive that her system has ever been connected with. That’s fairly easy since her machine isn’t part of the Chaos Manor networking system, and she doesn’t access other sites here. I also restarted Microsoft Security Essentials and told it to do a full deep scan. This took a while, but eventually it ran to completion having found no other malware.

Except there was: that is, if you count swizlesearch and trovi as malware. They were both still active, raining ads in new windows and generally being aggressive, enough so that her system was in essence unusable on the Internet. Also something about extreme weather was periodically giving us voice messages along with sponsoring commercials.

By now I had a consensus among both advisors and from my on line search: what I needed was malwarebytes.org and their scanner. I could not get Internet Explorer to go where I wanted it to. I couldn’t get internet Explorer even to open a new tab with a right click. Trovi really owned that program. I turned to Firefox. At least I could get a new tab, but I noted that Google was no longer available as a search engine.  I had to trick Firefox into going there by directly typing the full https://malwarebytes.org address into the address window – no search needed – and even then it popped up three more windows – not tabs, but new windows –  each offering technical expertise about malwarebytes.org but none of them having that address. They were pretenders hoping I’d go to them for help rather than malwarebytes.org.  I patiently closed each of those windows and the next ones that popped up,and some after that,  and by then the original window had got itself to the malwarebytes.org site. That site offers a free and a paid scan download. I chose free. That came down fast, and I ran the installation program. It updated itself, and began the scan; in seconds it had detected 19 threats. I looked at them (clicked details) and lo! sizlsearch had four entries, and Trovi had three. There were others including extreme weather reporting – it was that one which kept giving us sound messages along with sponsors – and some other stuff that I’d never seen before.I kept checking the scan progress, and it was finding a few every few minutes. Eventually it found 49, and announced the scan complete. I let the malwarebytes scanner quarantine them all, reset Roberta’s machine, said a few words of potent white magic, and when her system came up I opened Internet Explorer.

I was greeted by the Google home page, which is what Roberta uses. Trovi had hijacked that, but now Trovi was nowhere to be seen. Task manager showed that no trovi or sizyle processes were running, and now, several hours later, they are still gone. Of course we’re changing passwords just in case.

And I downloaded the malwarebytes.org scanner to this machine and ran it: it found one ancient file it wanted to quarantine, but nothing else. I’ll buy the professional edition and set it to scan all the other machines up here at intervals, since it catches stuff that Windows Security Essentials doesn’t believe is malware.. And it’s 4:30 in the afternoon.


A Republic if you can keep it.


So I still haven’t caught up. I have to pay bills, and there’s other stuff that didn’t get done while I was still in my pajamas at 2 PM. But I’ve dressed, showered, had my lunch, and I’ve put this in the day book, from where it will be easy enough to consult for writing into the column, and now it’s time to post this and pay the bills. I have some other stuff to write about, including the difference between a democracy, which the Framers of 1787 detested – “There never was a democracy that didn’t commit suicide…” – and a republic, which is what Franklin said they had created. “A republic. If you can keep it.”

While I was dressing I thought about the concept of “fair play” and “fair game”.  In the old honor system, some people were outside it: they were not treated as honorable opponents, they were “treated as wolves are.” This was the sentence passed by the Roman Senate on the surviving members of the Catalinarian rebellion.  To be regarded and treated as wolves are.  I suppose we are too civilized for this, and we are bound to treat our barbarian enemies as if they were entitled to be treated as we do other men, but it makes you think.  Especially when they behead journalists and stone young girls for not marrying whom they are supposed to marry. Now of course I was thinking about the creators of trovi and sizylesearch and how we ought to think of them: they use Internet freedom to get as close to the malware line as they possibly can – there is some evidence that at least one of those started with the best of intentions – but end up costing thousands of people hours of time, adding up to more hours than there are in a long life; all wasted on countering their efforts.  That’s sort of the equivalent of murder. But I haven’t time to think all this through.  Another time.


But first I have to catch up. Beginning with paying the bills.

For those interested in travel and what we carried in the year 2000, see http://www.jerrypournelle.com/reports/jerryp/adventure2000.html


Rick Hellewell, my security advisor, says


It looks like Sizlsearch is installed as part of a ‘you must install video software to view that movie’ kind of thing. Which should never be done. Prompts such as that are never to be trusted. If you think you need a video player, go to the source (Adobe Flash Player, I suppose) manually, never via a link or a message while browsing.

And, although Malwarebytes has a good reputation (as does Tom’s Hardware site), not sure that having two antivirus programs is a good idea.

But no anti-virus program will protect against a user installing an ‘add-on video player’, which is almost always a vector for installing malware.

I’d also recommend, after a power-off restart, a re-run of any malware scanner programs, just to make sure that things are safe.


Regarding two scanners, I can see they might interfere with each other, as each looks at the other’s data base.  An interesting experiment, and I do silly things so you don’t have to…

But note what Rick is saying. If you try to open a movie of the grandchildren, and up pops an offer to give you free software to view that movie with, don’t do it.  Leave the offer on screen and get someone who knows about this stuff to look at it. And be careful how you close that screen.  I generally close the whole browser rather than click anywhere in a potential malware screen, because just because it looks like a “close this window” place to click, you don’t know what it’s actually connected to.  Or at least I don’t. 

As to the programs needed to view that video, chances are you already have programs that will open that movie, and you only need to know how to do that,  But do not let accept the offer of free movie viewing software from some friendly but unknown site, and do not give unknowns permission to install stuff on your computer. And do not trust it simply because a once reliable publication says you can.  I’ve told you that twice before.  What I tell you three times is true.

And I am reminded that I should tell you that malwarebytes is not a primary anti-virus and worm defense.  Microsoft Security Essentials remains essential.  But MSE does not remove some of the annoyingware that can make you crazy. Malwarebytes.org will do that. Use them both.


The California Sixth Grade Reader http://www.amazon.com/dp/B00LZ7PB7E/ref=as_li_tf_til?tag=chaosmanor-20&camp=14573&creative=327641 contains the stories and introductions from the original official California 6th Grade Reader in 1916. Similar readers, most of them containing the same stories as the California reader, were in use in well over half the other states. I had a Sixth Grade reader with most – nearly all – the same poems and stories in a country school, two grades to a room, in Capleville, Tennessee in 1943. These are the stories that Americans all had read, and formed part of the common American culture.  I have added a few introductions and a foreword directed to those who will be reading this book, and with a lot of help from readers and my advisors we have published it as an electronic Book. It is available on Amazon and readable in the free Kindle Apps for most tablets, PC’s, and smart phones like iPhone.  My six year old grand daughter likes some of the stories, particularly the one about Beethoven and the Moonlight Sonata.  


On closing malware popups:

Rick Hellewell, our security guy, says

A "normal" popup window will have the usual "x" in the upper right corner of the window, so you use that to close the errant window.

A popup window can be created without the ‘x’, or can disable the ‘x’ normal function. Or they can put a ‘fake’ ‘x’ button that actually does something else. So you may have to use another method.

If the popup window has the ‘focus’ (is the ‘active’ window), then you can try Alt+F4 to close it. Or you can look at the taskbar (usually the bottom of the screen) where you might find the indicator of multiple browser instances. You can then find the ‘bad’ instance, and right-click that instance to close it.

If that doesn’t work (sometimes new popups can be spawned), then you might need to go into the Task Manager (right-click the Task Bar, then select Start Task Manager; in Windows 8 I believe you can hit the Window button, then just type in Task Manager to start it). From there, you might see multiple instances of your browser program, and you can force stop it.

If still persistent, a last resort is a full shutdown/restart might be needed. And, after that, perhaps a malware scan might be in order.

This page has pictures and instructions on the process: http://www.wikihow.com/Close-an-Internet-Pop-Up .


Eric adds:

When in doubt I go to task manager and kill the browser entirely. "Nuke it from orbit. It’s the only way to be sure."


When in doubt use task manager.


And thanks for the sales spike in the California Sixth Grade Reader http://www.amazon.com/dp/B00LZ7PB7E/ref=as_li_tf_til?tag=chaosmanor-20&camp=14573&creative=327641



Freedom is not free. Free men are not equal. Equal men are not free.




Bookmark the permalink.

Comments are closed.