I recently got a call from a friend about a Windows 7 computer that had "locked up" and could not close IE.
By the time I arrived, the owner had already done a hardware reboot, so I did not get to read the screen.
He said that when he tried to open a new tab, instead of going to Google it went to another web page, and a warning popped up on the screen saying that he had a computer virus and to call tech support immediately. It conveniently provided the phone number for him to call. He could not close the browser, clear the message, or use his desktop.
Of course, he called me, instead.
Upon reopening IE, it asked me to restore the previous session, to which I said no. After checking his browser history, the last page opened was "axalisaiti.com".
I used a Xubuntu boot stick and Firefox to visit the site, and here is the actual message that pops up:
SUSPICIOUS ACTIVITY OF INTRUSIONS DETECTED, WHICH IS TRYING TO REDIRECT YOU TO A VIRUS ATTACK SITE.
THIS MAY HAPPEN DUE TO NOT HAVING OBSOLETE VIRUS PROTECTED SHIELD.
TO COMPLETE DIAGNOSE AND FIX, PLEASE CALL WINDOWS SUPPORT HELPLINE AT 1-855-486-0354 IMMEDIATELY.
KINDLY ENSURE YOU DO NOT RESTART YOUR COMPUTER TO PREVENT DATA LOSS.
HAVING SUCH KIND OF WARNINGS REPEATEDLY MAY COMPROMISE YOUR CREDIT-DEBIT CARD OR ONLINE BANKING INFORMATIONS.
GET ALL FIXED RIGHT NOW BY CALLING CERTIFIED TECHNICIAN AT 1-855-486-0354.
WE AIM TO HAVE YOU SAFE INTERNET BROWSING
I immediately did an update on his AV program, and did a full system scan.
Nothing came up.
Also, CryptoPrevent is installed on the system.
IE appears to be working normally now, and I deleted the link from the browser history.
So, my question is, has anyone run into this particular hijack before?
If so, was it anything more than a redirect?
Or did something else get installed on the PC, without our knowing it?
Addendum: WHOIS data on the website:
Domain Name: AXALISAITI.COM
Registry Domain ID: 2017599187_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2016-03-31T03:32:07.00Z
Creation Date: 2016-03-31T10:32:00.00Z
Registrar Registration Expiration Date: 2017-03-31T10:32:00.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [masked]@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: [masked]@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [masked]@WHOISGUARD.COM
Name Server: NS1.WEBHOST.GE
Name Server: NS2.WEBHOST.GE
Registrar Abuse Contact Email: [masked]@enom.com
Registrar Abuse Contact Phone: +1.4252982646
Last update of WHOIS database: 2016-03-31T03:32:07.00Z
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us.
We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002
Information Updated: Mon, 4 Apr 2016 12:10:56 UTC
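Added example, not part of the original post: a small Python triage script that reads the WHOIS record pasted above and pulls out the indicators a defender would look at first when deciding whether a domain like this is worth blocking (how old the domain was when it was seen, how long it was registered for, and whether the registrant is hidden behind a privacy service). The sample input is the record from the post with the masked e-mail lines dropped; the observation time is taken from the record's own "Information Updated" line. The 30-day age threshold, the 1-year term check and the privacy-service keyword list are my assumptions, not anything stated in the post.

```python
from datetime import datetime, timezone

# WHOIS record for axalisaiti.com as pasted in the post above (trimmed to the
# fields used here); serves as the sample input for this example.
WHOIS_TEXT = """\
Domain Name: AXALISAITI.COM
Registrar: ENOM, INC.
Creation Date: 2016-03-31T10:32:00.00Z
Updated Date: 2016-03-31T03:32:07.00Z
Registrar Registration Expiration Date: 2017-03-31T10:32:00.00Z
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Country: PA
Name Server: NS1.WEBHOST.GE
Name Server: NS2.WEBHOST.GE
Information Updated: Mon, 4 Apr 2016 12:10:56 UTC
"""

# Assumed keyword list for spotting privacy/proxy registrations (my choice,
# not from the post).
PRIVACY_MARKERS = ("WHOISGUARD", "PRIVACY", "PROXY", "REDACTED")
NEW_DOMAIN_DAYS = 30   # assumed threshold: "registered less than a month ago"


def parse_whois(text):
    """Parse 'Key: value' lines into a dict.

    Empty values (e.g. 'Registrant Phone Ext:') are skipped; keys that repeat
    (Name Server) are collected into a list.
    """
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def parse_date(value):
    """Accept the two timestamp styles that appear in the record above."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ", "%a, %d %b %Y %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {value!r}")


def triage(text, observed=None):
    """Return the age/term/privacy indicators for the domain in a WHOIS record."""
    rec = parse_whois(text)
    created = parse_date(rec["Creation Date"])
    expires = parse_date(rec["Registrar Registration Expiration Date"])
    # Default observation time: the record's own 'Information Updated' stamp.
    observed = observed or parse_date(rec["Information Updated"])

    age_days = (observed - created).days          # how new the domain was when seen
    term_days = (expires - created).days          # length of the registration term
    registrant = " ".join(
        str(rec.get(k, "")) for k in ("Registrant Name", "Registrant Organization")
    ).upper()
    privacy = any(marker in registrant for marker in PRIVACY_MARKERS)

    flags = []
    if age_days < NEW_DOMAIN_DAYS:
        flags.append(f"domain registered only {age_days} days before it was seen")
    if term_days <= 366:
        flags.append("registered for the minimum one-year term only")
    if privacy:
        flags.append("registrant identity hidden behind a privacy service")

    return {
        "domain": rec["Domain Name"],
        "age_days": age_days,
        "term_days": term_days,
        "privacy_protected": privacy,
        "name_servers": rec.get("Name Server", []),
        "flags": flags,
    }


if __name__ == "__main__":
    result = triage(WHOIS_TEXT)
    print(f"{result['domain']}: age {result['age_days']} d, term {result['term_days']} d")
    for flag in result["flags"]:
        print(" -", flag)
```

None of these indicators proves anything on its own (plenty of legitimate sites use WhoisGuard), but a domain that was four days old, bought for one year, and pointing at a browser-locker page is the combination worth adding to a block list and a ticket.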