  • Locked thread
delfin
Dec 5, 2003

SNATTER'S ALIVE?!?!
Problem description: My dad's Dell desktop has been encountering an extremely annoying browser exploit that seems to affect only IE. Unfortunately, IE 11 is the only browser I can get him to use. I cannot replicate the issue in Chrome.

At irregular intervals, whatever he is browsing (which is msn.com or Facebook 90% of the time) in IE 11 gets hijacked to a page that claims Your Windows 10 Build Is Expired On (date), has obvious spelling errors like "Device Maneger" on it, trumpets a phone number to Kindly Call to fix the problem and locks up the browser session. The most recent one used the URL http://online-license-validation.info/vn1/windows/ie/01 . You can dispose of it easily by killing IE via Task Manager or even just clicking OK and then "Do not let this page create further pages" or however it's phrased, but it tends to recur frequently and it's driving me nuts that I can't eradicate or immunize against it.

The LAN Settings page looks normal, Automatically Detect Settings is checked, nothing to indicate that IE has been hijacked through some proxy server.

Attempted fixes: He has Malwarebytes Premium 3 running, and that doesn't catch it or block it. I have scanned with MWB, AdwCleaner, Junkware Removal Tool, HitmanPro and found nothing unusual. He has been pretty good in recent months about not stumbling into spyware. A HijackThis log is here: http://pastebin.com/AM6qRdzK

Recent changes: Not that I know of.

--

Operating system: Windows 10 64-bit

System specs: Dell desktop, Intel Core i3-4160 @ 3.6GHz, 4GB RAM, garden-variety volkscomputer

Location: US

I have Googled and read the FAQ: Yes. I've Googled, checked BleepingComputer, searched for the URL and the phone number it spams, and I'm not finding results. I can't believe he's the only one who's getting this.

Zogo
Jul 29, 2003

Do a scan using WDO:

https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Win10 has a pretty easy reset feature or is that not a possibility?

delfin
Dec 5, 2003

SNATTER'S ALIVE?!?!
I ran WD Offline this morning, it came up clean. Showing no results in Quarantined or Detected.

I'm hesitant to reset anything because (a) I'm not sure that MS has come up with a reset yet that won't actually disturb anything and (b) it may or may not help.

CaptainSarcastic
Jul 6, 2013
Did you dig into the LAN settings to verify that there is no proxy server set up? Did you check to see what DNS server is showing on the network connection itself?

delfin
Dec 5, 2003

SNATTER'S ALIVE?!?!

CaptainSarcastic posted:

Did you dig into the LAN settings to verify that there is no proxy server set up? Did you check to see what DNS server is showing on the network connection itself?

Resurrecting this because it just came back again. Yes, there is no proxy set up in IE or any of the other browsers. Automatically Detect Settings is checked but nothing else. The DNS server settings for TCP/IPv4 are also set for obtaining settings automatically, not a set IP.

I got a call from my dad saying "it's doing it again." Last time it was hijacking IE to online-license-validation.info/whatever. This time, it's the following:
Once again, I can use Task Manager to kill IE, then restart IE and it does not reoccur immediately. This is not drive-encryption ransomware or anything seriously nasty; this is a browser exploit, far as I can tell. I don't think from the browser history that he was visiting dog porn sites or anything particularly out there.

Looking again: DNS looks fine. Proxy server looks fine. IE add-ins look decent:
IE browser history shows these suspicious entries, nothing else out of place:
He is smart enough not to call the number and ask for assistance. But I just want to figure out a way to keep these from popping up if he insists on using IE.

EDIT: Looking in the Installed Programs list, nothing unusual there.

delfin fucked around with this message at 01:32 on Mar 24, 2017
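The checks CaptainSarcastic asked for and delfin carried out by hand (proxy, DNS, IE add-ins) can be gathered in one read-only pass. The script below is an added example, not code from the thread or from any of the tools it mentions; it assumes Windows 10 with the built-in PowerShell 5.1 and an elevated prompt so the HKLM keys and the hosts file are readable. It goes one step beyond the thread by also listing active hosts-file entries, since those redirect names just as a rogue DNS server would, and it resolves each Browser Helper Object to its DLL and Authenticode status so an unsigned add-in stands out. Nothing in it changes a setting.

```powershell
# Added example, not from the thread: read-only audit of the places a browser
# redirect is normally configured on Windows 10. Run elevated.

$findings = New-Object System.Collections.Generic.List[string]

# 1. WinINET proxy settings for the current user (what IE's LAN Settings dialog edits).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1) {
    $findings.Add("Manual proxy enabled: $($inet.ProxyServer)")
}
if ($inet.AutoConfigURL) {
    # A PAC URL lets a remote script decide where every request is sent.
    $findings.Add("Automatic configuration script set: $($inet.AutoConfigURL)")
}

# 2. DNS servers each adapter is actually using. Compare against the router or
#    ISP addresses you expect; an unfamiliar address deserves a closer look.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $findings.Add("DNS on '$($_.InterfaceAlias)': $($_.ServerAddresses -join ', ')")
    }

# 3. hosts file: a stock Windows hosts file holds only comment lines, so any
#    active address-to-name mapping is worth reading.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 4. Browser Helper Objects (IE add-ons loaded into every IE process),
#    resolved to the DLL that implements each one and its signature status.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $status = 'dll not found'
        if ($dll) {
            # Paths are often stored with %SystemRoot%-style variables.
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path $dll) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
        }
        $findings.Add("BHO $clsid -> $dll (signature: $status)")
    }
}

# Print everything collected; DNS lines always appear, the rest only when present.
$findings | ForEach-Object { Write-Output $_ }
```

Run it before and after a reset, or before and after the popup recurs, and diff the two outputs: a proxy, PAC URL, hosts line or BHO that appears between runs is the setting to chase. A clean result on every item, as in this thread, is itself useful information, since it points away from a persistent local configuration change and toward something served fresh from the network each time, such as the rotating malicious ads delfin later suspects.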

Zogo
Jul 29, 2003

I'm curious if a scan using http://www.bleepingcomputer.com/download/tdsskiller/ finds anything.

But you've used a lot of scanning programs and this one seems persistent.

It's been a few weeks so you might try the latest versions of those programs (if they've been updated). But it's getting to the point where I'd be considering a full format.

delfin
Dec 5, 2003

SNATTER'S ALIVE?!?!
Flatten and reinstall is my next reluctant move, yes.

What's remarkable to me is that if I go in and go to the same basic links he goes to in IE -- MSN, his Facebook feed, etc. -- I generally can't reproduce the exploit. I can sit there hammering at it for an hour or two and not get locked up. I go home, he gets on the computer on his own, I get a phone call saying "it's back."

Which suggests to me that he's browsing somewhere... troubling but it's not showing up on his history, or he is simply magnetic to this stuff. But if I flatten it and it comes back, that's at least a sign for him that the fault lies somewhere within that.

CaptainSarcastic
Jul 6, 2013
Nuke and pave is probably the safest idea at this point. You're also getting close to the point where it will be the most effective use of your time, as opposed to digging through every process running and trying other bootable rescue disks that may or may not identify the root cause of the exploit.

delfin
Dec 5, 2003

SNATTER'S ALIVE?!?!
Welp, I tried TDSSkiller, RKill, and another round of the other apps. Still no malware sightings.

So I used Reset This PC and Delete My Personal Files to apply a fresh coat of Windows 10.

Dad got on the computer once I was done, opened IE 11, and within five minutes had the same annoying talking exploit. It can be closed via Task Manager, it pays attention to Do Not Allow This Page To Create More Pages or however it's phrased, but it's recurring.

Then I read this: https://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/

which fits the pattern nicely, although thankfully he is getting Mostly Harmless stuff and not cryptolocker.

I encouraged him to try Microsoft Edge, describing it to him as "basically IE 12" to get him to try it, and we'll see if that helps at all.

Geemer
Nov 4, 2010
delfin posted:

Then I read this: https://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/

which fits the pattern nicely, although thankfully he is getting Mostly Harmless stuff and not cryptolocker.

In that earlier screenshot I see you've got that version of ABP for IE installed, try seeing if something's hosed with the filter lists/they are out of date. Unless they suddenly changed ad providers on those websites, malicious ads should still be getting blocked by it.

E: Have you tried disabling all those Classic IE things? I notice there's still one enabled.

Geemer fucked around with this message at 01:04 on Mar 26, 2017