Severe Infection and laptop frozen

[_JimmyB]

My laptop has received the following error..:  

This system has been frozen pending remediation of malicious software.  Please contact <phone number> with any questions regarding this.

I’ve wiped the hard disk clean and reinstalled windows 10 fresh w/o network.  Booted into safe mode and installed malwarebytes and IObit Malware Fighter 7 PRO.  Scanned with both and found no threats.  Ran windows defender which was clean.

Then when I went back into normal (non-safe mode) I received the exact same error..!

Frustrated..!

James Bennett

[David H. Lipman]

 

Similar to these ?

I have created a ¹series of videos generated from these kinds of fraud sites for the purposes of recognition and education.  They are all  videos from real web sites.  ALL are FRAUDS.

All these have one thing in common and they have nothing to do with any software on your PC.   They are all nefarious web sites meant to defraud you of money. The objective is to, falsely, goad you to make the phone call and pay for some service contract for an incident that never happened or buy some software.  In the case of Tech Support scammers, they may continue to charge your Credit Card for other services, remote into your computer and do real damage and/or exfiltrate your personal data and they may use the information they obtain from you to commit additional frauds.
MalwareScam.wmv
MalwareScam-1.wmv
MalwareScam-2.wmv
MalwareScam-3.wmv
MalwareScam-4.wmv
MalwareScam-5.wmv
MalwareScam-6.wmv

I have also created a PDF ScreenShow of a myriad of FakeAlert screens - FakeAlert-Screens.pdf  /  Flash Version

They are all a kind of malicious advertisement ( aka; malvertisement ).

Using Task Manager and Killing the;  Edge, IExplorer, Chrome, Firefox, etc, processes is very effective once you are affected by these FakeAlerts.  Right now, to block it means Malwarebytes needs to know the URL to block.   If you can provide the URL it can be added to the list for Malwarebytes sites to block.

Submissions of suspect and malicious URLs can be performed in; Newest IP or URL Threats after reading;  READ ME: Purpose of this forum

Malwarebytes has created new Browser Add-Ons called Malwarebytes Browser Guard for Chrome and Firefox to mitigate FakeAlerts and other frauds.

Browser Add-On references:   Malwarebytes Browser Guard
Malwarebytes Browser Guard Extension for Chrome
Malwarebytes Browser Guard Extension for Firefox

 

Reference:                                                    
US FBI PSA - Tech Support Fraud
US FTC Consumer Information -  Tech Support Scams
US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
Malwarebytes' Blog - Search on - "tech support scams"
Malwarebytes' Blog - "Tech support scams: help and resource page"

---

1.  Also located at "My Online Security" - Some videos of typical tech support scams

 

Edited October 5, 2019 by David H. Lipman

[_JimmyB]

Thanks David for responding sir.

So it does appear to be “Malvertisement” that appears as it is in the form of http format and only shows up once I connect to the internet.  There is no way, to my understanding, to get to “Task Manager” when the Malvertisement appears.  I’m completely frozen..!

Even when I reboot and enter into safe mode that message appears and I’m completely frozen..! 
 

I can walk through my steps again to wipe clean and reinstall and go into safe mode.  But what do I do then..???

I’d appreciate any assistance from you or anyone that reads this forum thread.

James Bennett

[David H. Lipman]

Yes.  I have seen literally a few thousand and I have found malvertising URLs that will guarantee or almost guarantee a malvertisemt every time you "hit" that URL. 

These Microsoft HTML.FakeAlerts are specially crafted to "abuse" the browser and draw an ever increasing amount of resources.  That dogs down the computer to what appears to be quite detrimental.  Sometimes you have no choice but the hit the reset button.  Other times you just have to have patience for your "Ctrl-Alt-Del" Hot Key sequence to get its change so you can kill the browser process.  This abuse of Browser coding is done to lend credulity to their scam.

The important thing to remember FakeAlerts ( as seen in my ScreenShow and/or videos ) emanate from the Internet.  As such it is not about what software is on your PC but about what web sites you visit and one's browsing habits.  For example there are certain porn sites that have a greater propensity to exhibit a FakeAlert.  If you are on Windows, a Microsoft FakeAlert.  If you are on an Apple iPhone or MAC, you will see an Apple FakeAlert.  Then there are sites that don't care who they do business with when it comes to advertisement revenue.  Or when one marketing company outsources to another.  Then the malvertisement may be rotated in or randomly displayed.  As I have explained in other discussions I have seen fake Mozilla Firefox malvertisements emanating from the Weather Channel web site.

There was a case where members visited AllMusic.com and on rare occasions they got a Microsoft FakeAlert.  The reports were few and reproducing it was difficult but finally I was able to coax a Microsoft FakeAlert from a visitation. It was all discussed in This Thread.  Reference: Post #20

Therefore, think about your Browsing habits.  If its reproducible, we can get it blocked.  Using Malwarebytes Browser Guard can help mitigate the receipt and actions of a FakeAlert.

 

Edited October 5, 2019 by David H. Lipman

[_JimmyB]

David...   Every time I press CTRL- Alt and delete all at the same time to access task manager the task manager screen shows up for a second and then goes away quickly. I can see that Internet Explorer is running.

How do we get the screen to stay present so that I can stop process on IE..?

James

[David H. Lipman]

I don't know.  I have not seen that.  Maybe if you click on the running icon in the task bar you can bring the Task Manager Window to the forefront.  The thing about Killing  IEXPLORE.EXE process in the Task manager is that there will be several and with some, new IEXPLORE.EXE processes will be created. One has to be persistent to kill all of them.

I suggest using Mozilla FireFox combined with Malwarebytes Browser Guard instead of IE if this is a recurring issue and you have not identified the web site that initiates the FakeAlert to avoid it.

 

 

[_JimmyB]

David...

The only thing I can do is right click on the html page that appears.  A page does show up and stay present.  There are a list of things that I can choose.  They are..: Select all; All Accelerators; Create shortcut; Add to favorites; View source; Inspect Element; Encoding; Print; Print preview; Refresh and Properties.  When I select Properties I see the following URL Address:  file:///C:/ProgramData/wcttempoff.html

How do I delete that file..?

James

[David H. Lipman]

What is the Phone number you left out in Post #1 ?

You can't just use the mouse and choose the file ( Highlight the file ) and hit the Delete key ?

I am bringing on another person:  PING @AdvancedSetup

[_JimmyB]

 

1-833-342-9237 is the phone number.  See attached pic.

As stated, I am “completely” frozen.  No mouse unless I Ctrl-alt-del then it will work.

I do not understand what you mean by “You can't just use the mouse and choose the file ( Highlight the file ) and hit the Delete key ?”.  When, how, where..???

James Bennett 

[David H. Lipman]

The presence of a HTML file may indicate that this is not a HTML.FakeAlert but actually may be a Win32.FakeAlert.  Web sites don't drop HTML files in %ProgramData% .   That is why I have brought in another person so he can do a Log Analysis process with you.

 

[_JimmyB]

After some research on the name of the html file I found the following..:

Pop-up says: "This machine is not in compliance with Under Armour security standards. Please contact the Global Service Desk at +1 ***-***-**** to enable your machine"
I've managed to trace the file to: c:/program data/wcttempoff.html.

For those who face the same issue, but can't achieve the same result in negotiations on laptop unlocking, there is a way-around that blocking pop-up. Once the fresh OS is installed, make sure not to connect to the internet. 
After system is booted, go ahead to the Windows/system32   and/or windows/syswow64. 
find files rpcnet.exe, rpcnet.dll, rpcnetp.exe, rpcnetp.dll. delete them. after that, with a notepad, create 4 empty documents, name them as those files that were deleted, apply read only, move them to the folder files were deleted from (I've also changed all the rights to "deny" for all users). 
After this, feel free to connect to web, install drivers, and updates. Pop-up won't bother You.

I’m going to try this above now...

James

[AdvancedSetup]

Please try to run scans on the system. If it won't allow the scans to run please try to start in Safe Mode and run them. If it sill won't then let me know.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan Now.
• When finished, please click Clean & Repair.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[_JimmyB]

Ron...

Thanks for the plan.

I went ahead and wiped the disk clean again and reinstalled Win10.

Created a second account called James-Local as I need it to be able to run things in Safe Mode.

I booted into Safe Mode with Networking.

Here I installed Marwarebytes 3 premium trial - pulled updates - ran scan...  I noticed you wanted me to select "threat scan" then click "start scan" but there isn't a "threat scan" option to select.  please advise...

Anyway, I am attaching my exported scan .txt file.

 

James

Malwarebytes_exp_scan_summary.txt

[_JimmyB]

Ron...

I also downloaded and installed ran updates on IObit Malware Fighter 7.2 Pro...  -  Scan was clean

Ran Windows Defender with updates -  Scan was clean

 

James

[_JimmyB]

Ron...

Moving onto Step 2 now.

 

James

[_JimmyB]

Ron...

Here's the IObit Malware Fighter 7.2 Pro scan report..:

IObit Malware Fighter

OS: Windows 10
Version: 7.2.0.5748
Engine Version:7.0.0.247
Database Version: 1905
BDVersion: 7.82530(10/08/2019 03:42:29 GMT)
Scan Mode: Manual
Scan Type: Smart Scan
Time Elapsed: 00:05:32
Objects Scanned: 110630
Threats Detected: 0
Save Time: 10/8/2019 6:31:16 AM
Scan Status: Completed

|Name|Type|Description|ID|Hash|

[_JimmyB]

Ron...

Ok I went and downloaded/installed AdwCleaner onto my laptop and ran a scan.  There were 27 items found of which I processed "Quarantine".  Restarted the laptop as requested...

James

[_JimmyB]

Ron...

I ran AdwCleaner again after the restart and am showing clean.  Pls see report..:

# -------------------------------
# Malwarebytes AdwCleaner 7.4.1.0
# -------------------------------
# Build:    09-05-2019
# Database: 2019-10-03.2 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    10-08-2019
# Duration: 00:00:12
# OS:       Windows 10 Pro
# Scanned:  35164
# Detected: 0

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

AdwCleaner_Debug.log - [40557 octets] - [08/10/2019 06:36:09]
AdwCleaner[S00].txt - [4185 octets] - [08/10/2019 06:37:02]
AdwCleaner[C00].txt - [3881 octets] - [08/10/2019 06:37:58]
AdwCleaner[S01].txt - [1510 octets] - [08/10/2019 06:45:36]
AdwCleaner[C01].txt - [1698 octets] - [08/10/2019 06:46:03]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########

[_JimmyB]

Moving onto Step 3...

Will get back to you later this evening as I need to head into work now.

James

[_JimmyB]

Ron...

This morning when I jumped back onto my laptop I noticed that Malwarebytes ran a scan and found several threats so I ran a quarantine of them and exported the log of which is attached.  Please kindly review and suggest or comment.

I'm going to restart the laptop and move into step 3 now...

James

Malwarebytes_scan_w_quarantine_10092019.txt

[_JimmyB]

Ron...

Ok, I've just completed step 3.  Please find the 2 files created during the scan...

James

Addition.txt FRST.txt

[_JimmyB]

Ron...

Okay I noticed that the scan tool wanted it run from the admin acct so I re-ran.  Pls find the attachments created.

James

Addition.txt FRST.txt

[AdvancedSetup]

Sorry for the delay @_JimmyB

Why are you booting the computer to Safe Mode? Why not run it in Normal Mode?

 

[_JimmyB]

Because every single time that I go into “Normal” mode and connect to the internet the message appears locking my entire computer...

Thus the reason that I opened this trouble issue within the blog.  I’ve never experienced such a lock-down virus/malware ever.  Usually I just wipe clean and install the OS and I’m back up and running.  This time no..!  So after 8 attempts with some movement with each try I’ve gotten here.

James

[_JimmyB]

So my question is...  should ai now boot to “Normal” mode without connecting to the internet and run the same scans..?  Or..?

James