
Microsoft Spoof Infection



I was advised in another forum to post this incident here.

I am using Malwarebytes Anti-malware Premium. There were no alerts from Anti-malware or the antivirus.

Here is my report from the other forum.

My setup:
 

Windows 10 Home 1607 x64 - Firefox ESR 45.4.0 - OpenDNS with Security options On - Avast free - Malwarebytes anti-malware premium - Malwarebytes anti-exploit

While browsing Facebook, I clicked on a link about the passing of Jane Fonda, which triggered a couple of center page popups and an audio which alerted that Windows had detected an infection that could be sending out personal information.  I don't remember all of the specifics.

The audio instructs to call Microsoft at the number provided to be walked through the fix or repair or whatever.
It goes on to say that if the message is closed before making the call, Microsoft will be forced to "disable your computer".

I did not listen to the whole message.

All attempts to close or cancel the dialog box fail.  The browser tab could not be closed.  I closed the browser.

When I checked the browser history, after reboot, there was a very long list of entries beginning with the following, all named Microsoft Official Support:

http://microsoft.com-00005.info/?num=305-902-4549
http://microsoft.com-00005.info/?num=
http://microsoft.com-00005.info/msie1.php
http://microsoft.com-00005.info/0
http://microsoft.com-00005.info/01
http://microsoft.com-00005.info/012
http://microsoft.com-00005.info/0123
http://microsoft.com-00005.info/01234
http://microsoft.com-00005.info/012345
http://microsoft.com-00005.info/0123456
http://microsoft.com-00005.info/01234567
http://microsoft.com-00005.info/012345678
http://microsoft.com-00005.info/0123456789
http://microsoft.com-00005.info/012345678910
http://microsoft.com-00005.info/01234567891011
http://microsoft.com-00005.info/0123456789101112
http://microsoft.com-00005.info/012345678910111213
http://microsoft.com-00005.info/01234567891011121314
http://microsoft.com-00005.info/0123456789101112131415

 

It continued on like this for a little more than one minute.  There were several HUNDRED of these in the browser history, with each one incremented in the same manner from the previous address.

After a restart, I ran a full scan with Malwarebytes anti-malware, Avast and Adwcleaner.
AdwCleaner tagged a single line in Firefox prefs.js related to a SpeedDial link to a ghacks.net article:
http://www.ghacks.net/2012/02/02/why-i-switched-to-the-duck-duck-go-search-engine/
This is a legitimate link.  Everything else was clean.

 

Edited by celee
disabled active URLs and turned it into code

Hello and Welcome!  Thanks for reporting those, most likely it's one of the many scams that are out there trying to get you to call the number so they can connect to your computer and take your money.

Similar to these?

MalwareScam.wmv

MalwareScam-1.wmv

MalwareScam-2.wmv

MalwareScam-3.wmv

MalwareScam-4.wmv

MalwareScam-5.wmv

MalwareScam-6.wmv


You're welcome, more than likely you are fine and there is nothing to worry about, but if you want to make sure, then you can seek help from one of the experts to help you scan your computer to make sure there is nothing lurking in the background. If you would like to have an expert check your computer please see below.

So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.

It explains the options for free, expert help -->>AND<<-- the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue.

Thank you


The site shown is created by iYogi and they are behind many of these sites which are detected as an HTML.FakeAlert.

Often with iYogi sites you need a specific URL, or a specific URL and a referral from another site, to see the fraud content, such as the one I created a video from, demonstrated in MalwareScam-5.wmv.

If you browse the sub-forum Newest IP or URL Threats, you will find my topics labeled "HTML.FakeAlert" enumerating such fraud sites to be included in Malwarebytes' software to block access to them.

Edited by David H. Lipman
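
For anyone triaging a browser history after a pop-up like the one reported at the top of this thread, the following is an added example (not code from any poster here or from Malwarebytes). It flags the two traits visible in that history: a host that embeds a brand's full domain while belonging to a different domain, and a run of paths that each extend the previous one. The brand list, the threshold of 5 and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("microsoft.com",)  # assumption: brand domains you want to protect

# Constructed sample: spoof URLs copied from the report above, plus the
# legitimate ghacks.net link and one constructed genuine Microsoft URL.
HISTORY = [
    "http://www.ghacks.net/2012/02/02/why-i-switched-to-the-duck-duck-go-search-engine/",
    "https://support.microsoft.com/en-us",
    "http://microsoft.com-00005.info/?num=",
    "http://microsoft.com-00005.info/msie1.php",
] + ["http://microsoft.com-00005.info/" + "01234"[:n] for n in range(1, 6)]

def brand_spoof(host):
    """Return the brand whose domain is embedded in host, or None if host is
    unrelated or genuinely sits under the brand's own domain."""
    host = (host or "").lower().rstrip(".")
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            return None  # real brand host, e.g. support.microsoft.com
    for brand in BRANDS:
        # brand text used as a prefix or inner label: microsoft.com-00005.info
        if re.search(r"(^|[.-])" + re.escape(brand) + r"[.-]", host):
            return brand
    return None

def longest_growing_run(paths):
    """Longest run of consecutive paths where each one is the previous path
    with characters appended (the /0, /01, /012 ... history flood)."""
    best, run, prev = 0, 0, None
    for path in paths:
        grows = prev is not None and len(prev) > 1 and len(path) > len(prev) \
            and path.startswith(prev)
        run = run + 1 if grows else 1
        best, prev = max(best, run), path
    return best

def triage(urls, flood_min=5):
    """Return {host: (spoofed_brand, longest_run)} for hosts worth reporting."""
    by_host = {}
    for url in urls:
        parts = urlsplit(url)
        by_host.setdefault(parts.hostname, []).append(parts.path)
    report = {}
    for host, paths in by_host.items():
        brand, run = brand_spoof(host), longest_growing_run(paths)
        if brand or run >= flood_min:
            report[host] = (brand, run)
    return report

if __name__ == "__main__":
    print(triage(HISTORY))
```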