
Tech support phishing scam


10 replies to this topic

#1 tns1


Posted 11 December 2017 - 06:42 PM

This is meant to be a reply to "My Avast scans freeze" by kschwi

 

I also have that same tech support phishing hijacker, but on 7pro. It seems to pop up once a week with no adverse behavior other than taking control of the browser window. Easy to dismiss with task manager. It showed up shortly after installing the latest firefox 57 and the latest noscript extension. The mainrdrct....fastly.net url is the same, but each time there may be differences such as the ip address shown in the popup. No affiliation (eg microsoft) is shown. Refreshing the browser usually works for hijackers but not this one. Likewise scans with msse, mbam, mbar, adwcleaner, eset find no problems. It is simple to block the domain in the hosts file, but I'd like to learn the cause.




#2 Orange Blossom


Posted 11 December 2017 - 07:15 PM

Hello tns1,

I have moved your topic from the log forum to the Am I Infected forum. The Log forum is for those receiving 1 on 1 assistance with infections that need more than the basic tools. Members are not able to reply to topics posted in that forum other than their own topic.

~ OB :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Unworn_Kilt


Posted 13 December 2017 - 01:25 AM

Hello and Welcome!

 

 

Apologies for the delay in getting to you. Your topic was showing as having a response which usually means it's been dealt with.

 

To start off, let's have a look and see what's going on using a simple tool first.

 

I should let you know that I'm just a normal member like you, not a Trained Malware Removal Expert. I have been working with computers since about 1976.

 

I'd like you to follow the instructions below please and post back the contents of any log in your Reply.......

 

 

 

 

First:......

 

Download a copy of a program called RKill (Courtesy of Grinler at Bleeping Computer) which is available at the links below:

(This program attempts to stop any running malware processes so other tools may function efficiently, plus a few other things.)

 

Save it to your Desktop so you can easily locate it.

 

(If one won't run, download the other. Malware sometimes recognises RKill.exe and tries to interfere with it.)

 

 

RKill.exe                              <<== Try this first.

 

RKill as iExplore.exe         <<== Try this one if option one doesn't work.

 

  • Right Click RKill and Select "Run As Administrator."
  • Soon after a Black Box will appear while RKill Runs. (This is normal. RKill may appear to hang. It's just working.)
  • When the RKill has finished it will Open a Report in Notepad.
  • RKill will also save a copy of its log to your Desktop called "RKill.log"
  • After RKill has run successfully Don't Restart your computer until the other tool(s) have run.
  • Please Copy and Paste the contents of the Report into your Next Reply.
  • If the RKill will not run in Normal Windows Mode, Restart in Safe Mode and Repeat the above Steps.

 

NOTES:

Please ignore any warnings about RKill containing viruses or Trojans etc. If necessary, shut down or temporarily disable your antivirus while RKill runs. Don't forget to re-enable your antivirus once RKill completes, unless I ask otherwise.

 

If RKill still won't run, please post back here and advise me (after trying both versions and Safe Mode). Please note any error messages or other useful information and include them in your reply.

 

 

 

 

 

Download and run the ESET Free Online Virus Scanner from:  HERE

(Please note that the Instructions may vary from time to time with version changes etc.)

  • Turn off your antivirus program. See here how to do this.
  • Accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth Technology
    • Click on the Change button and select only Operating Memory, Autostart Locations and drive(s) C:\D:\ etc., to be scanned
    • Click Start to begin the Scan.
  • The ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite a while.
  • When the scan completes, a list of found threats will open automatically (if any malicious files are found).
  • Push the SAVE to TEXT FILE button and save the file to your desktop using a unique name, such as ESETScan+Date.txt. Include the contents of this report in your next reply.
  • Push the CLEAN button.
  • Click Back, then Finish to exit ESET Online Scanner.

 

Let me know if you encounter any problems.

 

 

I'm in Australia, so the chances are there will be time zone differences.

I'll get back to you as quickly as I can.

 

If you don't hear back from me after 24 hours, please Personal Message me.

If you don't hear back after 48 hours, please Personal Message another Helper or Moderator.

 

Please remember we are Volunteers, so, please try to be a little patient.

We have other tasks and jobs that sometimes delay us here.

 

 

Cheers,

 

 

 

Kilt   :thumbup2: 


Edited by Unworn_Kilt, 13 December 2017 - 01:41 AM.

PLEASE NOTE

 

I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

 

Thanks!

 

 

** Walk Softly and Carry a Big Stick **

 

 

 


#4 Unworn_Kilt


Posted 13 December 2017 - 01:34 AM

We'll dig a little deeper after we get the ESET results back in.

 

I assume, given your above comments, that they should be a null result?



 

 

 


#5 tns1


Posted 13 December 2017 - 02:14 PM

Eset found one item that has been on the system for a few years. I doubt it has anything to do with the issue, but cleaned it anyway.

I use the MVPS hosts file (unmodified).

 

 

 

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/13/2017 07:27:30 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * Schedule Stopped. [PUP/GEN]

1 service stopped!

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost
  ::1 localhost #[IPv6]
  0.0.0.0 fr.a2dfp.net
  0.0.0.0 m.fr.a2dfp.net
  0.0.0.0 mfr.a2dfp.net
  0.0.0.0 ad.a8.net
  0.0.0.0 asy.a8ww.net
  0.0.0.0 static.a-ads.com
  0.0.0.0 abcstats.com
  0.0.0.0 a.abv.bg
  0.0.0.0 adserver.abv.bg
  0.0.0.0 adv.abv.bg
  0.0.0.0 bimg.abv.bg
  0.0.0.0 ca.abv.bg
  0.0.0.0 track.acclaimnetwork.com
  0.0.0.0 accuserveadsystem.com
  0.0.0.0 www.accuserveadsystem.com
  0.0.0.0 achmedia.com
  0.0.0.0 csh.actiondesk.com
  0.0.0.0 ads.activepower.net

  20 out of 13150 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 12/13/2017 07:28:24 AM
Execution time: 0 hours(s), 0 minute(s), and 53 seconds(s)
 

 

eset log:

C:\Users\T\Downloads\Downloads\Games\Systemshock\SYSTEMSHOCK-Portable-v1.2.2.7z    Win32/PrcView potentially unsafe application    
 



#6 Unworn_Kilt


Posted 14 December 2017 - 08:07 PM

My apologies for the delay.

 

I was caught up on a rather serious case & the notification system doesn't seem to be functioning correctly.

 

I'm back with you now.

 

Have you followed the steps here?

 

Web Bar Removal Guide

 

If you wish, ensure you save any logs created and paste them back in here.

 

Personally, I believe it is possible the MVPs Hosts file may be contributing to the problem.

I had to read up on it for a recent case & it could be masking a malicious URL in my opinion.

 

I suggest you search the MVPs Hosts file for the malicious URL and remove it if found.

 

 

Please let me know how you get on.

 

 

 

Kilt   :thumbup2: 



 

 

 


#7 tns1


Posted Yesterday, 01:16 AM

I have no visible toolbar addon, but I went through all the cleaning anyway. Other than removing tracking cookies:

rkill - nothing found

mbam - nothing found

adwcleaner - nothing found

hitmanpro - 1 suspicious file removed: vuescan2.exe, a 3rd party printer driver, had a bad Authenticode signature. It also complained about one hosts line: "0.0.0.0 bat.bing.com", but rather than just edit the one line it removed all entries. I restored the hosts file. I don't use Bing, and this site plants tracking cookies, so I left it blocked. The hosts file does not contain the suspect URL (or domain).

 

None of the cleaning convinces me the problem is fixed. The problem is fairly recent, and what was cleaned is old/inactive. 

 

One thing I should mention is that I have three antivirus products running at once on this PC: msse, mbam, superantispyware. I see no performance hit, but I have read that conflicts can exist.
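The hosts-file question that runs through this thread (blocking a domain with 0.0.0.0, RKill listing the entries, HitmanPro objecting to one line and then wiping the whole file, and checking whether the suspect domain is present at all) can be checked directly rather than by eye. The script below is an added example and is not code from the thread or from RKill, HitmanPro or the MVPS project. It parses hosts-file text in the format RKill printed above, searches for a domain and its subdomains, and flags entries that map a hostname to a routable address, which is the shape of a hosts-file hijack as opposed to a block entry. The sample hosts text, the 203.0.113.7 address and the login.example.com name are constructed.

```python
"""Audit a hosts file: parse entries, search for a domain, flag hijacks.

Added example, not code from the thread or from any tool named in it.
The sample hosts text below is constructed; it mirrors the format RKill
printed (0.0.0.0 block entries and a trailing '#[IPv6]' comment) and adds
one deliberately malformed line and one redirect so the checks have
something to report.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

# Names that legitimately sit on loopback; any other name on a loopback or
# 0.0.0.0 address is treated as a deliberate block ("blackhole") entry.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]
    comment: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into entries, skipping blank and comment lines.

    Everything after '#' is kept as the entry's comment, so a line such as
    '::1 localhost #[IPv6]' keeps its tag.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue  # blank or comment-only line
        names = [f.lower().rstrip(".") for f in fields[1:]]
        entries.append(HostsEntry(line_no, fields[0], names, comment.strip()))
    return entries


def classify(entry: HostsEntry) -> str:
    """Label an entry as local, blackhole, redirect or malformed."""
    try:
        addr = ipaddress.ip_address(entry.address)
    except ValueError:
        return "malformed"      # unparseable address; hand-check the line
    if addr.is_unspecified or addr.is_loopback:
        if entry.names and all(n in LOCAL_NAMES for n in entry.names):
            return "local"
        return "blackhole"      # ad/tracker block entry, MVPS style
    # A real hostname pointed at a routable address is what a hosts-file
    # hijack looks like: traffic for that name silently goes elsewhere.
    return "redirect"


def find_domain(entries: List[HostsEntry], domain: str) -> List[HostsEntry]:
    """Return entries naming `domain` or any subdomain of it."""
    domain = domain.lower().rstrip(".")
    return [e for e in entries
            if any(n == domain or n.endswith("." + domain) for n in e.names)]


def audit(text: str) -> Dict[str, object]:
    """Summarise a hosts file: per-class counts plus the lines worth review."""
    entries = parse_hosts(text)
    labels = {e.line_no: classify(e) for e in entries}
    return {
        "entries": len(entries),
        "counts": dict(Counter(labels.values())),
        "review": [e for e in entries
                   if labels[e.line_no] in ("redirect", "malformed")],
    }


# Constructed sample in the style of the RKill listing above.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1 localhost",
    "::1 localhost #[IPv6]",
    "0.0.0.0 fr.a2dfp.net",
    "0.0.0.0 bat.bing.com",
    "# blank and comment lines are ignored",
    "0.0.0.0 ads.activepower.net ads2.activepower.net",
    "203.0.113.7 login.example.com   # constructed redirect (TEST-NET-3)",
    "0.0.0.0.0 typo.example.com",
])

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(report["counts"])
    for e in report["review"]:
        print(f"line {e.line_no}: {classify(e)} -> {e.address} {' '.join(e.names)}")
    hits = find_domain(parse_hosts(SAMPLE_HOSTS), "fastly.net")
    print("fastly.net entries:", [e.line_no for e in hits])
```

To run it against the live file on the Windows 7 machine in this thread, read C:\Windows\System32\drivers\etc\hosts (the standard location) with errors="replace" and pass the text to audit(); a clean MVPS file should produce only "local" and "blackhole" counts, so anything under "review" is a line to look at before a tool like HitmanPro discards the whole file.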



#8 Unworn_Kilt


Posted Yesterday, 01:38 AM

G'day again,

 

 

 

Thanks for running through those steps. I'm glad we grabbed a few "unfriendlies."

 

 

I don't see a major problem with running the software you have installed.

A layered approach to security can be a good thing. I wouldn't run multiple anti-virus scanners in real time.

It's a good idea to run one antivirus program and one realtime anti-malware program. Maybe set SAS to demand scanning only.

There's a remote possibility that, with MBAM and SAS running together (only if "realtime protection" is activated on both), you could have a conflict; however, I don't think it too likely.

 

The item that ESET found was actually, according to research I did, a Trojan in the Win32\Sality family. I'm glad that's gone.

It would be a good idea to go over your passwords and change them. Also check bank statements for any unusual transactions.

Thankfully it's one of the lesser Trojans in this instance.

 

Regarding the Tech Support Scam, what other details are you able to give me? Did they contact you and access your PC remotely, or is it just the browser Pop-Up?

 

Are you able to give any details of what's on the Pop-Up please?

 

Watch the computer for a few days and see if the Pop-Up comes back. Let me know here or via PM if it does.

 

Please bear in mind that I'm in Australia, so our times may be out of synch a little.

 

There are other tools we can run if the problem persists; however, I think monitoring it for now should be okay.

 

 

 

Perhaps we'll run one more scan now:

 

 

 

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

 

From Here: Malwarebytes Anti-Rootkit

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"



NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

 

(My thanks to Broni, Bleeping Computer Advisor, for the use of the above, mostly pilfered, MBAR notes.)

 

 

Please post back your results when you are done.



 

 

 


#9 tns1


Posted Yesterday, 01:58 PM

The item that ESET found was actually, according to research I did, a Trojan in the Win32\Sality family. I'm glad that's gone.

 

This is surprising since that .7z was a GOG.com game purchase. They have always been very anti-DRM, anti-virus, anti-crapware. If I download it again, I'll give it a good scan.
 

 

Regarding the Tech Support Scam, what other details are you able to give me. Did they contact you and access you PC remotely, or, is it just the browser Pop-Up?

 

Similar to the post by kschwi: https://www.bleepingcomputer.com/forums/t/664833/my-avast-scans-freeze-at-41/#entry4395377

 

just a re-direct and pop-up from mainrdrct.global.ssl.fastly.net/in/advv12612612/
The browser history log also shows adverrd.global.ssl.fastly.net/?rsid=15A2EAF0DBE258

 

I have no permission to post images to this thread.

 

 

Thinking about possible conflicts between the three anti-virus programs, I selectively shut down/closed them so each could scan independently. mbam found nothing again, but sas found and cleaned the following:

SAS:
Trojan.Agent/Gen-Sasfis
    C:\USERS\T\APPDATA\LOCAL\TEMP\VSDEL.EXE
    C:\Windows\Prefetch\VSDEL.EXE-2EAABFFB.pf

Either there was a conflict between programs before or a new signature was added in the short time I ran these last. Only msse is running real-time.


Edited by tns1, Yesterday, 03:55 PM.


#10 Unworn_Kilt


Posted Today, 09:32 AM

G'day again Mate,

 

 

I'm going to have to give this some thought. I could throw you a bunch of tools to run, but I've come across the "Global" infectors previously. They're not pleasant generally. They occasionally use an as yet unresolved mechanism to survive a full flattening and system rebuild.

 

Do you mind if I ask a) what type of phone do you run (Android or iPhone?), and b) would you mind searching your contacts list for any contact containing the word "*global*"? Just straight "global" should do. Please advise me of your findings.

 

If I were you, I'd shut down all but one A/V solution, run with both A/M solutions. I'm glad SAS caught the Trojan.

 

I'd be having a very good look over those banking details. Also consider changing your credit card numbers and any banking details you've used online. When I get a second, I'll paste in a link for you regarding appropriate action guidelines. In the meantime, take care. I'll see what I can dig up.

 

 

 

Cheers,

 

 

 

Kilt  :thumbup2: 


Edited by Unworn_Kilt, Today, 09:52 AM.


 

 

 


#11 tns1


Posted Today, 08:49 PM

Do you mind if I ask a) what type of phone do you run (Android or iPhone?), and b) would you mind searching your contacts list for any contact containing the word "*global*"? Just straight "global" should do. Please advise me of your findings.

 

 

iPhone, Android and Windows phones, but no "global" in the contacts. I would need an explanation of the mechanism for a cross-platform infection before I would take that seriously. I also have a network-connected WebOS TV, Blu-ray player, and VOIP box that could be leveraged for exploits, but it would take some serious time, skill, and coincidence to make that happen. OTOH, I did update my router FW since there was a recent patch for the 'KRACK' exploit.





