Has anyone run into a browser highjack to axalisaiti.com?


  • Please log in to reply
5 replies to this topic

#1 Naught McNoone
Posted 04 April 2016 - 11:35 AM

I recently got a call from a friend about a Windows 7 computer that had "locked up" and could not close IE.

Upon arriving, the owner had already done a hardware re-boot, so I did not get to read the screen.

He said that when he tried to open a new tab, instead of going to Google, it went to another webpage, and a warning popped up on the screen saying that he had a computer virus, and to call tech support immediately. It conveniently provided the phone number for him to call. He could not close the browser, clear the message, or use his desktop.

Of course, he called me, instead.

Upon re-opening IE, it asked me to restore the previous session, to which I said no. After checking his browser history, the last page opened was "axalisaiti.com".

I used a Xubuntu boot stick and Firefox to visit the site, and here is the actual message that pops up:

 

SECURITY ALERT. 
 
SUSPICIOUS ACTIVITY OF INTRUSIONS DETECTED, WHICH IS TRYING TO REDIRECT YOU TO A VIRUS ATTACK SITE. 
 
THIS MAY HAPPEN DUE TO NOT HAVING OBSOLETE VIRUS PROTECTED SHIELD. 
 
TO COMPLETE DIAGNOSE AND FIX, PLEASE CALL WINDOWS SUPPORT HELPLINE AT 1-855-486-0354 IMMEDIATELY. 
KINDLY ENSURE YOU DO NOT RESTART YOUR COMPUTER TO PREVENT DATA LOSS. 
 
HAVING SUCH KIND OF WARNINGS REPEATEDLY MAY COMPROMISE YOUR CREDIT-DEBIT CARD OR ONLINE BANKING INFORMATIONS. 
 
GET ALL FIXED RIGHT NOW BY CALLING CERTIFIED TECHNICIAN AT 1-855-486-0354. 
 
WE AIM TO HAVE YOU SAFE INTERNET BROWSING
 

 

I immediately did an update on his AV program, and did a full system scan.

Nothing came up.

Also, CryptoPrevent is installed on the system.

IE appears to be working normally now, and I deleted the link from the browser history.

So, my question is, has anyone run into this particular highjack before?

If so, was it anything more than a re-direct?

Or did something else get installed on the PC, without our knowing it?

Cheers!

Naught McNoone

Addendum: Whois data on the web site -

Domain Name: AXALISAITI.COM 
Registry Domain ID: 2017599187_DOMAIN_COM-VRSN 
Registrar WHOIS Server: whois.enom.com 
Registrar URL: www.enom.com 
Updated Date: 2016-03-31T03:32:07.00Z 
Creation Date: 2016-03-31T10:32:00.00Z 
Registrar Registration Expiration Date: 2017-03-31T10:32:00.00Z 
Registrar: ENOM, INC. 
Registrar IANA ID: 48 
Reseller: NAMECHEAP.COM 
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited 
Registry Registrant ID: 
Registrant Name: WHOISGUARD PROTECTED 
Registrant Organization: WHOISGUARD, INC. 
Registrant Street: P.O. BOX 0823-03411 
Registrant City: PANAMA 
Registrant State/Province: PANAMA 
Registrant Postal Code: 00000 
Registrant Country: PA 
Registrant Phone: +507.8365503 
Registrant Phone Ext: 
Registrant Fax: +51.17057182 
Registrant Fax Ext: 
Registrant Email: [masked]@WHOISGUARD.COM 
Registry Admin ID: 
Admin Name: WHOISGUARD PROTECTED 
Admin Organization: WHOISGUARD, INC. 
Admin Street: P.O. BOX 0823-03411 
Admin City: PANAMA 
Admin State/Province: PANAMA 
Admin Postal Code: 00000 
Admin Country: PA 
Admin Phone: +507.8365503 
Admin Phone Ext: 
Admin Fax: +51.17057182 
Admin Fax Ext: 
Admin Email: [masked]@WHOISGUARD.COM 
Registry Tech ID: 
Tech Name: WHOISGUARD PROTECTED 
Tech Organization: WHOISGUARD, INC. 
Tech Street: P.O. BOX 0823-03411 
Tech City: PANAMA 
Tech State/Province: PANAMA 
Tech Postal Code: 00000 
Tech Country: PA 
Tech Phone: +507.8365503 
Tech Phone Ext: 
Tech Fax: +51.17057182 
Tech Fax Ext: 
Tech Email: [masked]@WHOISGUARD.COM 
Name Server: NS1.WEBHOST.GE 
Name Server: NS2.WEBHOST.GE 
DNSSEC: unSigned 
Registrar Abuse Contact Email: [masked]@enom.com 
Registrar Abuse Contact Phone: +1.4252982646 
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ 
Last update of WHOIS database: 2016-03-31T03:32:07.00Z 
 
Information Updated: Mon, 4 Apr 2016 12:10:56 UTC
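As an added triage example (not code from the thread or from anyone posting in it): a small Python helper that parses a WHOIS record like the one above and lists the profile such a domain typically shows, created only days before the page was seen, registered for a single year, and hidden behind a privacy proxy. The observation date comes from the post date; the 30-day and one-year thresholds are my own assumptions.

```python
"""Triage helper: parse a WHOIS text record and list the signs that a
domain behind a browser 'security alert' page is a throwaway."""
from datetime import datetime, timezone

# Subset of the WHOIS record posted above (fields copied as they appear).
WHOIS_TEXT = """\
Domain Name: AXALISAITI.COM
Registrar: ENOM, INC.
Creation Date: 2016-03-31T10:32:00.00Z
Registrar Registration Expiration Date: 2017-03-31T10:32:00.00Z
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Name Server: NS1.WEBHOST.GE
Name Server: NS2.WEBHOST.GE
DNSSEC: unSigned
"""
# Day the scam page was seen, per the original post (04 April 2016).
OBSERVED = datetime(2016, 4, 4, tzinfo=timezone.utc)

def parse_whois(text):
    """Map 'Key: Value' lines to {key: [values]}; repeated keys such as
    Name Server accumulate, empty values and footer lines are skipped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def whois_date(record, field):
    """Registrar timestamps look like 2016-03-31T10:32:00.00Z."""
    raw = record[field][0]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage(record, observed=OBSERVED):
    """Return the indicators found; none is proof on its own, but a
    days-old, privacy-proxied, one-year domain is the typical profile.
    Thresholds (30 days, one year) are assumptions, not a standard."""
    created = whois_date(record, "Creation Date")
    expires = whois_date(record, "Registrar Registration Expiration Date")
    findings = []
    age = (observed - created).days
    if age < 30:
        findings.append(f"registered {age} days before it was seen")
    if (expires - created).days <= 366:
        findings.append("registered for a single year")
    owner = " ".join(record.get("Registrant Organization", [])).upper()
    if "WHOISGUARD" in owner or "PRIVACY" in owner or "PROXY" in owner:
        findings.append(f"registrant hidden behind {owner}")
    return findings
```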


#2 hamluis
Posted 04 April 2016 - 12:42 PM

FWIW: When such occurs on my system, I just shut down the system, reboot, then run TFC to eliminate any excess-baggage temporary Internet files.

I would think that trying to catalog malware and unwanted downloads...by website...would be an arduous task. IMO, malware today often has little to do with what particular website was visited...but has more to do with what defenses are present on the system.

Louis



#3 Naught McNoone
Posted 04 April 2016 - 01:11 PM

. . . run TFC . . .

Louis,

Thank you for your comment.

Other than clearing the browser cache, there is not much more I do at this point.

I am not a Windows user. I have been using Linux for the past 10 years or so.

When I used Xubuntu and Firefox to access the site, none of the scripts that locked up Windows worked, and I was able to close the tab, and exit Firefox without any issue.

That being said, what does TFC stand for?

I am trying to find what it was that triggered the redirect, so I can put preventative measures in place.

Cheers!

Naught



#4 quietman7
Posted 04 April 2016 - 03:51 PM

TFC (Temp File Cleaner) is a cleaning utility created by Old Timer which will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts, including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. TFC is a stand-alone tool...meaning it does not require installation.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more.

TFC - Temp File Cleaner by OldTimer

After using TFC, you should reboot the computer to ensure a complete clean of any in-use temp files. TFC will STOP Explorer and ALL other running apps BEFORE performing its routines and it is normal for the computer to be slow to boot after running TFC cleaner.

Note: The first version of TFC was released in 05/28/09. TFC was last updated by OldTimer 6/23/12...that was version 3.1.9.0 which supported Windows XP/Vista/Windows 7. TFC has become outdated to some extent as the Windows operating system has continued to be updated with critical security patches. As time has passed, there have been more reports of various issues with running TFC to include unexpected freezing, hanging, unresponsiveness, etc. especially on newer operating systems so I would not recommend using it on Windows 8 or above. If you have problems using it, then consider an alternative like CCleaner.

BTW, you may want to read Beware of Phony Tech Support Scams

#5 Norseman143
Posted 04 April 2016 - 03:59 PM

Better known as "Microsoft scammers".

I have watched several videos on YouTube, from people who like to mess with the scammers, and it was interesting and sometimes funny.

Most of them are from India and all seem to have very American sounding names and have a very hard time pronouncing "W".

It sounds like Doub Blew Doub Blew Doub Blew......it's funny.

Anyway, Firefox has some anti-malware written into it that helps block a lot of those kinds of scamware, so that's probably why you didn't see it.

People should ask themselves, why would the real Microsoft put nagware on someone's PC in the first place?



#6 quietman7
Posted 04 April 2016 - 04:06 PM

As I note in the previous link... the warning alert may claim to be affiliated with Microsoft or Windows Support. Microsoft does not contact users via web page messages, phone or email and instruct them to call tech support to fix their computer.
