A Windows XP help forum. PCbanter


MALWARE!



 
 
  #1  
Old June 23rd 16, 06:15 PM posted to alt.comp.os.windows-10
Alek
external usenet poster
 
Posts: 619
Default MALWARE!

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.
  #2  
Old June 23rd 16, 06:47 PM posted to alt.comp.os.windows-10
Good Guy[_2_]
external usenet poster
 
Posts: 3,354
Default MALWARE!

On 23/06/2016 18:15, Alek wrote:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


Now this family member, was she using an Administrator account or an
account with elevated privileges when this happened? If the answer is
NO then I don't think any major damage has been done. All it requires
is to create another Standard USER and copy the old documents from the
old account to the new account and then delete the old account
completely. After doing that, rescan the machine just in case nothing
else is still lurking in the machine.

If, however, the family member was using an Administrator account then
clearly some other treatment is required for the infected virus!!!



--

Windows 10
https://app.box.com/representation/file_version_74032471857/image_2048/1.png?shared_name=jx7x8bblrf906i7ktrvu4kn89t48b43b

  #3  
Old June 23rd 16, 07:18 PM posted to alt.comp.os.windows-10
Alek
external usenet poster
 
Posts: 619
Default MALWARE!

Wolf K wrote on 6/23/2016 1:40 PM:
On 2016-06-23 13:15, Alek wrote:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


Ouch!

Yes, there are lots of bootable rescue disks out there. I recommend
Linux-based rescue tools, booting off a Linux disk/flash drive reduces
the risk of reinfection. Search on "linux-based windows rescue
antimalware disks". Here's one:

http://www.gfi.com/blog/top-5-free-r...admin-toolkit/

As soon as you are certain that the data files are OK, copy them onto an
external drive. 1TB drives are well under $100 Canadian these days, well
worth the money IMO. Data is really priceless. Systems and software can
always be rebuilt, data once destroyed is gone forever. Once you've
rescued the data, you may have to decide whether disinfection or rebuild
is the best way to go.

HTH

PS: Use external drives for backing up data, and imaging the whole
system. I recommend one for each machine in the house. Also, since data
is most precious, create a 2nd partition on the HD, move all data
(documents, pictures, etc) to it, and set all your software to use it as
the working partition (for data storage). This reduces the odds that a
system infection will damage the data.


Thanks, Wolf. I have backups of all of her files.

I rebooted and the process appeared to be normal. ??? I logged in to her
account with no apparent problem. I ran MBAM and it found nothing!!! I'm
now running a full scan with BitDefender.
  #4  
Old June 23rd 16, 07:28 PM posted to alt.comp.os.windows-10
Dave Doe
external usenet poster
 
Posts: 481
Default MALWARE!

In article , , Alek
says...

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


I doubt you got infected at all. You (the other family member) were
probably one or two steps away from that. Had the link been clicked on
and the no doubt malicious download been run, the PC would *then* be
infected. The message itself is just phishing for that to happen.

And on the shutdown, it was just your (unlucky?) day that Windows
Updates really *did* need to be installed.

Run through: AdwCleaner, JRT.exe and Malwarebytes to be sure. You could
also run an offline virus check from MS's
http://safety.live.com (Those
first three tools take minutes - the msert v.scan may take a few hours!
)

--
Duncan.
  #5  
Old June 23rd 16, 07:30 PM posted to alt.comp.os.windows-10
Dave Doe
external usenet poster
 
Posts: 481
Default MALWARE!

In article ,
, Dave Doe says...

In article ,
, Alek
says...

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


I doubt you got infected at all. You (the other family member) were
probably one or two steps away from that. Had the link been clicked on
and the no doubt malicious download been run, the PC would *then* be
infected. The message itself is just phishing for that to happen.

And on the shutdown, it was just your (unlucky?) day that Windows
Updates really *did* need to be installed.

Run through: AdwCleaner, JRT.exe and Malwarebytes to be sure. You could


Google 'em and just get 'em from bleepingcomputer website - it's easier.
Malwarebytes, get from malwarebytes.org - *don't* install the trial
(uncheck that option on one of the final install screens).

--
Duncan.
  #6  
Old June 23rd 16, 07:35 PM posted to alt.comp.os.windows-10
Paul
external usenet poster
 
Posts: 18,275
Default MALWARE!

Alek wrote:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


Since you're shut down now, on your next startup you could
boot this. This is an offline AV scanner, that uses signatures
but cannot use heuristics (behavioral analysis, watch how
code is "hooking" things it should not hook).

http://support.kaspersky.com/8092

If you were still running, you could try MBAM. This
includes both signature and behavior. There are several
versions, but you want the "one-shot scanner", not the
"real-time protection Pro" and not the "30-day trial of Pro".
You're not after the addition of yet another AV, just
want to use the scanner portion, in the same way as the
8092 is a one-shot scanner and not a complete AV product
as such.

https://en.wikipedia.org/wiki/Malwarebytes

For adware (which this might well be, and not a virus),
you can use Adwcleaner.

http://www.bleepingcomputer.com/download/adwcleaner/

At one time, ransomware was pretty slow to act, and
encrypted files one at a time. If it was ransomware,
then a fast shutdown could reduce the set of endangered
files. But ransomware has also been known to encrypt the
$MFT, which makes files inaccessible in a matter of
seconds. So they're working on their "response time",
to make them just as dangerous as any other kind
of infection. If ransomware hits, you don't want
your backup drive to be online at the same time.

There is no good guaranteed solution for ransomware.
While backups are obviously an answer, you have to
avoid getting the ransomware on the backup drive.

Since the bad guys also have the above tools on their
desktop, they're always one step ahead of these products.

*******

For the trivial stuff, sometimes cleaning the browser
cache folder, disconnecting the network cable, start
the browser and work on it (run it in Safe Mode, use
the browser Reset Procedure), might work. Chrome has
its own copy of Flash (PPAPI), so your exposure to
Flash exploits is marginally better than a regular
browser with user-managed Flash updates. But sometimes
they're a little slow asserting the "vulnerable" flag
on the plugin, and preventing the user from using Flash.

Chrome is a favorite target for the bad guys. On the
one hand, it's popular and has a large percentage
of market share. On the other hand, Chrome is hardened.
But as you can imagine, never hard enough. Even with
process isolation, stuff gets through. And then Chrome
gets a black eye. I've just decided to avoid Chrome,
for no particularly rational reason, and it's
possibly because of all the attack reports. Even
though it might be the best design.

Good luck (you'll need it),

Paul
  #7  
Old June 23rd 16, 08:33 PM posted to alt.comp.os.windows-10
Keith Nuttle
external usenet poster
 
Posts: 1,844
Default MALWARE!

On 6/23/2016 1:15 PM, Alek wrote:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.

While this occurred with Chrome, I have seen a similar webpage with
Firefox. This one wants you to download an emergency Firefox patch to
"prevent" problems.

It is my understanding that the page for Firefox came from a website
recently registered by a guy from Plano, Texas. While I have seen this
before, apparently the guy is working hard to infect computers.
  #8  
Old June 23rd 16, 09:11 PM posted to alt.comp.os.windows-10
Alek
external usenet poster
 
Posts: 619
Default MALWARE!

Alek wrote on 6/23/2016 2:18 PM:
Wolf K wrote on 6/23/2016 1:40 PM:
On 2016-06-23 13:15, Alek wrote:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


Ouch!

Yes, there are lots of bootable rescue disks out there. I recommend
Linux-based rescue tools, booting off a Linux disk/flash drive reduces
the risk of reinfection. Search on "linux-based windows rescue
antimalware disks". Here's one:

http://www.gfi.com/blog/top-5-free-r...admin-toolkit/

As soon as you are certain that the data files are OK, copy them onto an
external drive. 1TB drives are well under $100 Canadian these days, well
worth the money IMO. Data is really priceless. Systems and software can
always be rebuilt, data once destroyed is gone forever. Once you've
rescued the data, you may have to decide whether disinfection or rebuild
is the best way to go.

HTH

PS: Use external drives for backing up data, and imaging the whole
system. I recommend one for each machine in the house. Also, since data
is most precious, create a 2nd partition on the HD, move all data
(documents, pictures, etc) to it, and set all your software to use it as
the working partition (for data storage). This reduces the odds that a
system infection will damage the data.


Thanks, Wolf. I have backups of all of her files.

I rebooted and the process appeared to be normal. ??? I logged in to her
account with no apparent problem. I ran MBAM and it found nothing!!! I'm
now running a full scan with BitDefender.


Bitdefender full scan found nothing. Guess we were lucky!! Now to make
an image of drive C:.

Thanks to all for the suggestions.


  #9  
Old June 23rd 16, 11:55 PM posted to alt.comp.os.windows-10
Alek
external usenet poster
 
Posts: 619
Default MALWARE!

Dave Doe wrote on 6/23/2016 2:30 PM:
In article ,
, Dave Doe says...

In article ,
, Alek
says...

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


I doubt you got infected at all. You (the other family member) were
probably one or two steps away from that. Had the link been clicked on
and the no doubt malicious download been run, the PC would *then* be
infected. The message itself is just phishing for that to happen.

And on the shutdown, it was just your (unlucky?) day that Windows
Updates really *did* need to be installed.

Run through: AdwCleaner, JRT.exe and Malwarebytes to be sure. You could


Google 'em and just get 'em from bleepingcomputer website - it's easier.
Malwarebytes, get from malwarebytes.org - *don't* install the trial
(uncheck that option on one of the final install screens).


Already have MBAM Pro installed.
  #10  
Old June 24th 16, 02:54 AM posted to alt.comp.os.windows-10
Nomen Nescio
external usenet poster
 
Posts: 825
Default MALWARE!

In article
Alek wrote:

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?


I think the email phishing link was unrelated to the update. I'd
bet this was a Windows update waiting for a reboot.

If in doubt pull the power cord. Don't just use the menu. Had you
done that, things would have gone black immediately.

Good to hear all is well.

Look at that email and learn to recognize fake from real.

  #11  
Old June 24th 16, 07:25 AM posted to alt.comp.os.windows-10
Alek
external usenet poster
 
Posts: 619
Default MALWARE!

Nomen Nescio wrote on 6/23/2016 9:54 PM:
In article
Alek wrote:

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?


I think the email phishing link was unrelated to the update. I'd
bet this was a Windows update waiting for a reboot.

If in doubt pull the power cord. Don't just use the menu. Had you
done that, things would have gone black immediately.

Good to hear all is well.

Look at that email and learn to recognize fake from real.


It wasn't me!!!

  #12  
Old June 24th 16, 10:47 PM posted to alt.comp.os.windows-10
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default MALWARE!

"Alek" wrote in message ...

A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run an
anti-malware. Is there a boot disc I could make on my computer that
would have the tools to rescue that machine?

Thanks.


I'll bet it said it was 268D3 and that it was infecting the network and
therefore if it wasn't fixed by calling the MS number 844-576-0461 the
computer would be 'screwed' permanently, or similar to protect the Network.
If you call it, it sounds like an East Indian guy answers and claims he is a
MS certified tech. Sure he is. I was helping a friend out.
For more info on it, just Google 268D3 .
I believe it is basically a PUP and to shut the window, you most likely need
to use the Task Manager. Using Ctrl+F4 did nothing.
--
Buffalo

  #13  
Old June 25th 16, 12:51 PM posted to alt.comp.os.windows-10
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default MALWARE!

On Fri, 24 Jun 2016 15:47:08 -0600
"Buffalo" wrote:

"Alek" wrote in message ...

A family member clicked on a link in an email supposedly from
Amazon.com and got a screen saying "a serious malfunction has
occurred in Windows 10 and Chrome, call this toll-free number
etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run
an anti-malware. Is there a boot disc I could make on my computer
that would have the tools to rescue that machine?

Thanks.


I'll bet it said it was 268D3 and that it was infecting the network
and therefore if it wasn't fixed by calling the MS number
844-576-0461 the computer would be 'screwed' permanently, or similar
to protect the Network. If you call it, it sounds like an East Indian
guy answers and claims he is a MS certified tech. Sure he is. I was
helping a friend out. For more info on it, just Google 268D3 .
I believe it is basically a PUP and to shut the window, you most
likely need to use the Task Manager. Using Ctrl+F4 did nothing.


Mind you I called the number to confirm, am I a moron?
  #14  
Old June 25th 16, 05:05 PM posted to alt.comp.os.windows-10
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default MALWARE!

"Buffalo" wrote in message ...

On Fri, 24 Jun 2016 15:47:08 -0600
"Buffalo" wrote:

"Alek" wrote in message ...

A family member clicked on a link in an email supposedly from
Amazon.com and got a screen saying "a serious malfunction has
occurred in Windows 10 and Chrome, call this toll-free number
etc....."

I unplugged the Ethernet cable and turned the power off. It showed a
screen "working on updates...don't turn your computer off" and then
eventually went to the power-off state.

What should I do next?

I see some sites recommend booting into Safe Mode and trying to run
an anti-malware. Is there a boot disc I could make on my computer
that would have the tools to rescue that machine?

Thanks.


I'll bet it said it was 268D3 and that it was infecting the network
and therefore if it wasn't fixed by calling the MS number
844-576-0461 the computer would be 'screwed' permanently, or similar
to protect the Network. If you call it, it sounds like an East Indian
guy answers and claims he is a MS certified tech. Sure he is. I was
helping a friend out. For more info on it, just Google 268D3 .
I believe it is basically a PUP and to shut the window, you most
likely need to use the Task Manager. Using Ctrl+F4 did nothing.


Mind you I called the number to confirm, am I a moron?


Yes, Burp&Fart, you ARE a MORON!!!
Learn to read and comprehend !!! At least to the 3rd grade level.
Sad!
--
Buffalo
  #15  
Old June 26th 16, 07:31 PM posted to alt.comp.os.windows-10
Big Bad Bob
external usenet poster
 
Posts: 793
Default MALWARE!

On 06/23/16 10:15, Alek so wittily quipped:
A family member clicked on a link in an email supposedly from Amazon.com
and got a screen saying "a serious malfunction has occurred in Windows
10 and Chrome, call this toll-free number etc....."


a) don't click on links in e-mail, especially not in a microsoft browser
b) don't use HTML mail, which often hides the *REAL* link by making it
look as a legit link to whatever site it claims to be

(don't use HTML in news readers, either, same reason)

 



