Windows 10: Someone's FISHING on my computer

Discussion in 'AntiVirus, Firewalls and System Security' started by WinTenUser, Apr 20, 2017.

  1. Someone's FISHING on my computer


    Just got done reinstalling the OS and programs on my mother's computer. Spent weeks...
    The first day I have it at their home a screen iexplore.exe started and displayed the following screen:

    [IMG]


    Neither Internet Explorer nor Edge is my default browser, but rather Firefox.

    Obviously I did not call the number, but opened task mgr and terminated iexplore.exe. It did not appear again while I was there, and neither Windows Defender nor Superantispyware detected anything, at least while IE was not open to this page.
    A few days after I was home, my mother called. She had the same window open again. I accessed her computer via TeamViewer and terminated IE again. This time I installed Malwarebytes Antimalware and began a scan.
    During the scan I encountered slow data transmission from TeamViewer and was eventually disconnected due to a message about the router connection being off (her computer). This happened a few times, so I never got a scan result.

    I may have her run the scan while I am not connected via TeamViewer.

    I also want to run SAS & MWBAM in safe mode but need to set up her computer to boot into safe mode.

    Also: Ran HijackThis and created a log, which did not appear to show anything bad.

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 7:00:30 PM, on 4/20/2017
    Platform: Unknown Windows (WinNT 6.02.1008)
    MSIE: Internet Explorer v11.0 (11.00.14393.0953)

    FIREFOX: 52.0.1 (x86 en-US)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\TiltWheelMouse.exe
    C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
    C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
    C:\Program Files (x86)\Portable\Watch 4 Idle(P)\W4I.exe
    C:\Program Files (x86)\Second Nature\Snsicon.exe
    C:\Users\Sheila\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\Second Copy 9\SecCopy.exe"
    O4 - HKCU\..\Run: [W4I] C:\Program Files (x86)\Portable\Watch 4 Idle(P)\W4I.exe -a
    O4 - Startup: USBNavFix.lnk = C:\Windows\regedit.exe
    O4 - Global Startup: Snsicon.lnk = C:\Program Files (x86)\Second Nature\Snsicon.exe
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
    O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Second Copy VSS Service x64 (ScVssService64) - Centered Systems - C:\Program Files\Second Copy 9\ScVssService64.exe
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Stardock Start10 (Start10) - Stardock Software, Inc - C:\Program Files (x86)\Stardock\Start10\Start10Srv.exe
    O23 - Service: TeamViewer 12 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
    O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\Windows\system32\TieringEngineService.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: Shadow Defender Service ({0CBD4F48-3751-475D-BE88-4F271385B672}) - SHADOWDEFENDER.COM - C:\Program Files\Shadow Defender\Service.exe

    --
    End of file - 5999 bytes



    Will run again while IE is posting the FAKE virus alert.

    Any suggestion for me that I have not thought of? First time with this intermittent FAKE virus alert thing!

    Thanks All

    Brian

    P.S. If there is a better site that deals with this sort of issue, I'd be grateful for the suggestion! Not that I don't trust you guys/gals

    :)
     
    WinTenUser, Apr 20, 2017
    #1
  2. BulldogXX Win User

    after disabling cortana i find it is still running in the back ground is there any way to prevent this from happening?

    Long ago someone much much wiser than I chose to teach a man to fish instead of just giving him a fish. Would that have insulted you?
     
    BulldogXX, Apr 20, 2017
    #2
  3. chase444 Win User
    "HELP PLEASE" GPS Marine Signals for my 61001 Nokia Navigater?

    "SOMEONE HELP PLEASE"

    I have a Nokia 61001 Navigater Mobile.

    Is it possible? To enter GPS Sites for fishing into my

    Nokia 61001?

    Someone did say it is possible who already owns one. Unfortunately, I lost his telephone number.

    Any help would be most appreciated,

    Regards,

    .
     
    chase444, Apr 20, 2017
    #3
  4. Someone's FISHING on my computer

    Additional Note: On this visit to my mom's I also replaced a TimeWarner Modem with a new Modem/Router from the Co. that bought them out? Sooo, I do not know if the router issues in the above explanation are linked to the new device or the FISHING scam.

    ALSO: Just ran CCleaner to remove all browser cookies
    Setting up system to boot in Safe Mode
    will run Superantispyware & Windows Defender in safe mode

    3:59PM
    Incidentally: Malwarebytes finished in "Normal Mode" on 2 Drives/3 partitions with no detections. Running MS Windows Defender on same, and will report. Then on to Superantispyware in Safe Mode.
    MWBAM seems to have been the culprit when it comes to slowing the system over TeamViewer as MS Windows Defender runs great. Can do other tasks simultaneously.

    When I open IE myself, it opens to MS's default webpage. Thinking of removing IE from system as I have both Firefox and Edge.
     
    WinTenUser, Apr 20, 2017
    #4
  5. merkxr Win User
    I had a similar issue with Edge browser. I came across the following and it worked like a charm. Hopefully this may be of help to you.
    To be able to process the loop when hijacking your home page or tabs, malware constantly communicates to its server. This also allows the hijacker to execute whatever script is used for the loop. Thus, you must cease the communication between Microsoft Edge and the remote malware server.
    1. Unplug your Ethernet or LAN connector if you are on a wired network.
    2. Turn off your Wi-Fi modem or disconnect your wireless access if your PC is connected on a wireless network.
    3. Close Edge browser. If this is not possible, repeatedly hit Esc on the keyboard or click OK/Cancel button on the hijacker window.
    4. Activate Airplane mode.

    • Click your Network/Internet Settings icon on the taskbar (bottom right of your screen).
    • Settings window will open. Choose Network and Internet.
    • Look at the left column and click on Airplane mode.
    • Turn on Airplane mode using the control on the right panel.
    5. Launch Edge Browser and close the offending tab.
    6. Restart Windows 10 (do not open Microsoft Edge browser).
    7. Go to your Favorites folder. Typically it is on this location: C:\Users\[Username]\Favorites\
    8. Under the favorite folder, double-click on any URL and it will open-up with Microsoft Edge, assuming it is your default browser.
    9. As the browser hijacker is still present on Microsoft Edge browser, you will still see it as an added tab. DO NOT CLICK on the hijacker tab.
    10. Click X on the offending tab to close it.
    11. Click “More actions” at the top right corner of the browser.
    12. Select Settings from the drop-down list.
    13. Under Settings, please go to Clear browsing data.
    14. Click on Choose what to clear button.
    15. Please select necessary data and click on Clear to apply changes.
     
    merkxr, Apr 20, 2017
    #5
  6. Seems like your fix really applies to closing the Edge Browser and removing cookies. Essentially I have done this already, manually. And since the issue seems intermittent, it makes it difficult to say if what I did thus far was helpful.

    Scanning with multiple progs in Normal & Safe Mode seems to be the best path forward for now. When these methods are done with no issues, I will have to just wait for the next occurrence, if one happens. If no virus/malware was found and the issue continues I will look into the most recent installs of programs I added..... unless someone had a smarter idea!!

    Oddly, this "virus alert" opened IE by itself. I wasn't even searching the internet and had never used IE since its install (was using Edge).

    Thanks merkxr
     
    WinTenUser, Apr 20, 2017
    #6
  7. simrick Win User
    Hi.
    I have some suggested scans for you to run. I am on my way out the door and will post back later.
     
    simrick, Apr 21, 2017
    #7
  8. Someone's FISHING on my computer

    MS Windows Defender did not find anything...
    Ran Superantispyware in safemode:
    Found 29 tracking cookies...

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 04/21/2017 at 05:25 PM

    Application Version : 6.0.1240
    Database Version : 13571

    Scan type : Complete Scan
    Total Scan Time : 00:06:16

    Operating System Information
    Windows 10 Home 64-bit (Build 10.00.14393)
    UAC Off - Administrator

    Memory items scanned : 460
    Memory threats detected : 0
    Registry items scanned : 59802
    Registry threats detected : 0
    File items scanned : 19452
    File threats detected : 29

    Adware.Tracking Cookie
    ============
    End of Log
    ============

    I also have Windows Sysinternals Suite of programs on the computer and can use any of them...not too versed on their use though.
     
    WinTenUser, Apr 21, 2017
    #8
  9. simrick Win User
    Okay I am back. Will put something together for you now.
     
    simrick, Apr 21, 2017
    #9
  10. simrick Win User
    Okay. No one really uses HJT anymore, so I'm not even going to try and parse that log.

    Please download and run the following scans, in the order listed, and post the logs. Everything here is free or offers a free version.

    Create a Restore Point.

    RKILL
    RKill Download
    (download now @ bleeping computer)

    ADWCleaner
    Downloads - AdwCleaner - ToolsLib
    (reboots)

    RKILL again

    JRT
    Malwarebytes | Junkware Removal Tool

    Ccleaner
    Run on ALL the browsers: select Internet Cache, Internet History, Cookies, Download History, Session, Recently Typed URLs, Saved Form Information, Index.dat files, etc...everything except passwords (if she saves them in her browsers, which she shouldn't, as it's not safe).
    Include System:Temporary files and Multimedia: Adobe Flash Player, Silverlight

    Now go into installed programs in Ccleaner, remove any toolbars, coupon printers, system tweakers, and any other junk programs you may find.

    Now go into Ccleaner>Tools>Startup and look in each tab for suspicious startup entries and disable them.
    Then go into Browser Plugins and disable anything suspicious looking.
    Then into the registry cleaner, check everything EXCEPT Help Files, run the cleaner, clear it all out, saving the changes first. Run it again to make sure there's nothing left to clean.

    Reset all browsers (all of them, not just the ones that are being used).
    Reset Chrome settings to default - Chrome Help

    Refresh Firefox - reset add-ons and settings | Firefox Help

    How to Reset Your Web Browser To Its Default Settings

    Reset Microsoft Edge to Default in Windows 10 - Windows 10 Browsers Email Tutorials


    Open an admin Command Prompt (or admin PowerShell):
    Code: ipconfig /flushdns
    Enter

    Change the DNS servers on her NICs to Open DNS
    See post #23 here:
    Protect Your Privacy - Page 3 - Solved - Windows 10 Forums


    Create another restore point - call it "clean"

    Back into Ccleaner>Tools>System Restore
    Delete all restore points except the last two you just made.

    If all is well, after a couple days, remove the first restore point you created before the cleaning process.
     
    simrick, Apr 21, 2017
    #10
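
The startup check in post #10 (CCleaner > Tools > Startup) and the O4 lines of the HijackThis log in post #1 look at the same autostart locations. The script below is an added example, not part of any post in this thread: a read-only PowerShell inventory of those locations that flags anything launching Internet Explorer. The search string `iexplore`, the helper name `New-Entry` and the inclusion of scheduled tasks are assumptions made for this example.

```powershell
# Added example (not from the thread). Read-only: lists autostart entries,
# changes nothing. Run from an elevated PowerShell prompt to see all tasks.
$needle = 'iexplore'   # assumption: the unwanted window is iexplore.exe

# Hypothetical helper: one uniform record per autostart entry.
function New-Entry($Source, $Name, $Command) {
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = [string]$Command
        Flagged = ([string]$Command -like "*$needle*")
    }
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell        # used to resolve .lnk targets

$entries = @(
    # 1. Run keys (HijackThis "O4 - HKCU\..\Run" and the HKLM equivalents)
    foreach ($path in $runKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            New-Entry $path $name ($key.GetValue($name))
        }
    }

    # 2. Startup folders (HijackThis "O4 - Startup" / "O4 - Global Startup")
    foreach ($folder in $startupFolders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $lnk    = $shell.CreateShortcut($_.FullName)
                $target = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
            New-Entry $folder $_.Name $target
        }
    }

    # 3. Scheduled tasks that start a program (not covered by the O4 lines)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
                New-Entry ('Task ' + $task.TaskPath) $task.TaskName $cmd
            }
        }
    }
)

# Show flagged entries first; hide the built-in \Microsoft\ tasks unless flagged.
$entries |
    Where-Object { $_.Flagged -or $_.Source -notlike 'Task \Microsoft\*' } |
    Sort-Object -Property Flagged -Descending |
    Format-Table -AutoSize -Wrap
```

An empty `Flagged` column does not rule out a browser-side cause such as a saved session or notification, which is what the browser resets in post #10 address.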
  11. simrick Win User
    Open Control Panel, go to Flash and make sure it is up-to-date; do the same with Java.

    Check in Ccleaner>Installed programs and make sure older versions are not still installed (yes, sometimes they don't get uninstalled, and these vulnerabilities are exploited online).

    For a final all-clear, run ESET Online Scanner.
    Free Virus Scan | Online Virus Scan from ESET ESET
    Select "Scan Now"
     
    simrick, Apr 21, 2017
    #11
  12. Wow, lots of stuff. I will do my best. I actually did a bunch of this, but will repeat.

    Can you explain the "Change the DNS servers on her NICs to Open DNS" (its purpose)?

    Thanks for the details!

    Brian
     
    WinTenUser, Apr 21, 2017
    #12
  13. simrick Win User

    Yes, please, and be sure to post the logs for me.
    Changing the DNS servers to Open DNS will force her NIC to use them for all internet requests (and not her ISP's DNS servers). OpenDNS actively blocks all known bad sites. You don't need to add the Marc's Updater part unless you create an account with OpenDNS to modify the blocking settings.
     
    simrick, Apr 21, 2017
    #13
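
The DNS change described in posts #10 and #13, as an added PowerShell example that is not part of any post in this thread. It saves the current resolver settings before pointing each connected physical adapter at the OpenDNS public resolvers (208.67.222.222 and 208.67.220.220) and then flushes the cache; the backup file name is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$openDns = '208.67.222.222', '208.67.220.220'   # OpenDNS public resolvers (IPv4)
$backup  = Join-Path $env:USERPROFILE 'dns-before-opendns.csv'   # hypothetical file name

# Only adapters that are physically present and currently connected.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

# 1. Record the current IPv4 resolvers so the change can be reviewed or undone.
$adapters | ForEach-Object {
    Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
} | Select-Object InterfaceAlias, InterfaceIndex,
        @{ Name = 'ServerAddresses'; Expression = { $_.ServerAddresses -join ';' } } |
    Export-Csv -Path $backup -NoTypeInformation

# 2. Point each adapter at OpenDNS instead of the resolvers handed out by DHCP.
foreach ($adapter in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -ServerAddresses $openDns
}

# 3. Drop cached answers from the old resolvers (same effect as ipconfig /flushdns).
Clear-DnsClientCache

# 4. Verify: the adapters should now list the OpenDNS addresses, and a lookup
#    sent directly to the first resolver should succeed.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceIndex -in $adapters.InterfaceIndex } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Resolve-DnsName -Name 'example.com' -Type A -Server $openDns[0]

# IPv6 resolvers supplied by the router are left untouched; inspect them with
#   Get-DnsClientServerAddress -AddressFamily IPv6
# To return an adapter to its DHCP-supplied resolvers:
#   Set-DnsClientServerAddress -InterfaceIndex <index> -ResetServerAddresses
```

The setting is per adapter, so a Wi-Fi or Ethernet adapter that is disconnected when the script runs keeps its old resolvers until the script is run again with that adapter connected.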
  14. That makes sense. She doesn't visit many sites, but it's a good safeguard.
    Will get on this tomorrow!

    Thanks

    Will post logs

    Brian
     
    WinTenUser, Apr 21, 2017
    #14
  15. simrick Win User
    If you want to post the list of installed programs (using Ccleaner) feel free and I'll have a look at that as well.


    [IMG]



    Cheers Brian. *Thumbs
     
    simrick, Apr 21, 2017
    #15