Someone's FISHING on my computer


  1. Posts : 78
    Windows 10 Pro

    Someone's FISHING on my computer

    Just got done reinstalling the OS and programs on my mother's computer. Spent weeks...
    The first day I had it at their home, iexplore.exe started and displayed the following screen:
    Someone's FISHING on my computer-critical-alert.jpg

    Neither Internet Explorer nor Edge is my default browser; Firefox is.

    Obviously I did not call the number, but opened Task Manager and terminated iexplore.exe. It did not appear again while I was there, and neither Windows Defender nor SUPERAntiSpyware detected anything, at least while IE was not open to this page.
    A few days after I was home, my mother called. She had the same window open again. I accessed her computer via TeamViewer and terminated IE again. This time I installed Malwarebytes Anti-Malware and began a scan.
    During the scan I encountered slow data transmission from TeamViewer and eventually was disconnected due to a message about the router connection (on her computer) being off. This happened a few times, so I never got a scan result.

    I may have her run the scan while I am not connected via TeamViewer.

    I also want to run SAS & MWBAM in safe mode but need to setup her computer to boot into safe mode.

    Also: Ran HijackThis and created a log, which did not appear to show anything bad.

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 7:00:30 PM, on 4/20/2017
    Platform: Unknown Windows (WinNT 6.02.1008)
    MSIE: Internet Explorer v11.0 (11.00.14393.0953)

    FIREFOX: 52.0.1 (x86 en-US)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
    C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
    C:\Program Files (x86)\Portable\Watch 4 Idle(P)\W4I.exe
    C:\Program Files (x86)\Second Nature\Snsicon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\ - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = - Hotmail, Outlook, Skype, Bing, Latest News, Photos Videos
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\Second Copy 9\SecCopy.exe"
    O4 - HKCU\..\Run: [W4I] C:\Program Files (x86)\Portable\Watch 4 Idle(P)\W4I.exe -a
    O4 - Startup: USBNavFix.lnk = C:\Windows\regedit.exe
    O4 - Global Startup: Snsicon.lnk = C:\Program Files (x86)\Second Nature\Snsicon.exe
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
    O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
    O23 - Service: SAS Core Service (!SASCORE) - - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Second Copy VSS Service x64 (ScVssService64) - Centered Systems - C:\Program Files\Second Copy 9\ScVssService64.exe
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Stardock Start10 (Start10) - Stardock Software, Inc - C:\Program Files (x86)\Stardock\Start10\Start10Srv.exe
    O23 - Service: TeamViewer 12 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
    O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\Windows\system32\TieringEngineService.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: Shadow Defender Service ({0CBD4F48-3751-475D-BE88-4F271385B672}) - SHADOWDEFENDER.COM - C:\Program Files\Shadow Defender\Service.exe

    End of file - 5999 bytes

    I will run it again while IE is posting the FAKE virus alert.

    Any suggestion for me that I have not thought of? First time with this intermittent FAKE virus alert thing!

    Thanks All


    P.S. If there is a better site that deals with this sort of issue, I'd be grateful for the suggestion! Not that I don't trust you guys/gals

  2. Posts : 78
    Windows 10 Pro
    Thread Starter

    Additional Note: On this visit to my mom's I also replaced a TimeWarner Modem with a new Modem/Router from the Co. that bought them out? Sooo, I do not know if the router issues in the above explanation are linked to the new device or the FISHING scam.

    ALSO: Just ran CCleaner to remove all browser cookies
    Setting up system to boot in Safe Mode
    will run Superantispyware & Windows Defender in safe mode

    Incidentally: Malwarebytes finished in "Normal Mode" on 2 drives/3 partitions with no detections. Running MS Windows Defender on the same, and will report. Then on to SUPERAntiSpyware in Safe Mode.
    MWBAM seems to have been the culprit when it comes to slowing the system over TeamViewer, as MS Windows Defender runs great. I can do other tasks simultaneously.

    When I open IE myself, it opens to MS's default webpage. Thinking of removing IE from system as I have both Firefox and Edge.
    Last edited by WinTenUser; 21 Apr 2017 at 15:00.

  3. Posts : 27
    Windows 10 Pro V 1803 Build 17134.556

    I had a similar issue with Edge browser. I came across the following and it worked like a charm. Hopefully this may be of help to you.
    To be able to process the loop when hijacking your home page or tabs, malware constantly communicates with its server. This also allows the hijacker to execute whatever script is used for the loop. Thus, you must cease the communication between Microsoft Edge and the remote malware server.
    1. Unplug your Ethernet or LAN connector if you are on a wired network.
    2. Turn off your Wi-Fi modem, or disconnect your wireless access if your PC is connected to a wireless network.
    3. Close the Edge browser. If this is not possible, repeatedly hit Esc on the keyboard or click the OK/Cancel button on the hijacker window.
    4. Activate Airplane mode.

    • Click your Network/Internet Settings icon on the taskbar (bottom right of your screen).
    • Settings window will open. Choose Network and Internet.
    • Look at the left column and click on Airplane mode.
    • Turn on Airplane mode using the control on the right panel.

    5. Launch Edge Browser and close the offending tab.
    6. Restart Windows 10 (do not open Microsoft Edge browser).
    7. Go to your Favorites folder. Typically it is on this location: C:\Users\[Username]\Favorites\
    8. Under the favorite folder, double-click on any URL and it will open-up with Microsoft Edge, assuming it is your default browser.
    9. As the browser hijacker is still present on Microsoft Edge browser, you will still see it as an added tab. DO NOT CLICK on the hijacker tab.
    10. Click X on the offending tab to close it.
    11. Click “More actions” at the top right corner of the browser.
    12. Select Settings from the drop-down list.
    13. Under Settings, please go to Clear browsing data.
    14. Click on Choose what to clear button.
    15. Please select necessary data and click on Clear to apply changes.

  4. Posts : 78
    Windows 10 Pro
    Thread Starter

    merkxr said:
    I had a similar issue with Edge browser. I came across the following and it worked like a charm. Hopefully this may be of help to you...
    Seems like your fix really applies to closing the Edge Browser and removing cookies. Essentially I have done this already, manually. And since the issue seems intermittent, it makes it difficult to say if what I did thus far was helpful.

    Scanning with multiple progs in Normal & Safe Mode seems to be the best path forward for now. When these methods are done with no issues, I will have to just wait for the next occurrence, if one happens. If no virus/malware was found and the issue continues I will look into the most recent installs of programs I added..... unless someone had a smarter idea!!

    Oddly, this "virus alert" opened IE by itself. I wasn't even searching the internet and had never used IE since its install (I was using Edge).

    Thanks merkxr

  5. Posts : 16,278

    I have some suggested scans for you to run. I am on my way out the door and will post back later.

  6. Posts : 78
    Windows 10 Pro
    Thread Starter

    MS Windows Defender did not find anything...
    Ran Superantispyware in safemode:
    Found 29 tracking cookies...

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 04/21/2017 at 05:25 PM

    Application Version : 6.0.1240
    Database Version : 13571

    Scan type : Complete Scan
    Total Scan Time : 00:06:16

    Operating System Information
    Windows 10 Home 64-bit (Build 10.00.14393)
    UAC Off - Administrator

    Memory items scanned : 460
    Memory threats detected : 0
    Registry items scanned : 59802
    Registry threats detected : 0
    File items scanned : 19452
    File threats detected : 29

    Adware.Tracking Cookie
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\K4NII77T.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\K4NII77T.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\KXYLUKF3.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\KXYLUKF3.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\8ET1BYNT.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\8ET1BYNT.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\9X6BEKW1.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\9X6BEKW1.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\IMYN03IP.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\IMYN03IP.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\3N2FW68B.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\3N2FW68B.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\CMYKD5X4.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\CMYKD5X4.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\FZ83WGYK.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\FZ83WGYK.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XLMRZTHR.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XLMRZTHR.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XXV5DH25.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XXV5DH25.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\3CDPDJM1.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\3CDPDJM1.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\YABD4JB7.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\YABD4JB7.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\33P8FZDO.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\33P8FZDO.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\O9IDHMOQ.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\O9IDHMOQ.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\L1IBJXRC.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\L1IBJXRC.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\VE9YCY0A.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\VE9YCY0A.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\JGUXRZGP.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\JGUXRZGP.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\8UZGDS8L.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\8UZGDS8L.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XK2WV39Y.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\XK2WV39Y.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\O02EC9MO.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\O02EC9MO.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\437PB8WO.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\437PB8WO.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\DGP19X1L.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\DGP19X1L.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\IA42V3AT.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\IA42V3AT.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\KC39SIQX.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\KC39SIQX.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\G6BTJBMG.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\G6BTJBMG.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\QXBCMVFS.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\QXBCMVFS.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\J05C2389.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\J05C2389.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\LBCB7PW3.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\LBCB7PW3.cookie [ / ]
    C:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\91Y14GG2.cookieC:\Users\Sheila\AppData\Local\Microsoft\Windows\INetCookies\Low\91Y14GG2.cookie [ / ]

    End of Log

    I also have the Windows Sysinternals suite of programs on the computer and can use any of them... not too versed in their use though.

  7. Posts : 16,278

    Okay I am back. Will put something together for you now.

  8. Posts : 16,278

    Okay. No one really uses HJT anymore, so I'm not even going to try and parse that log.

    Please download and run the following scans, in the order listed, and post the logs. Everything here is free or offers a free version.

    Create a Restore Point.

    RKill Download
    (download now @ bleeping computer)

    Downloads - AdwCleaner - ToolsLib

    RKILL again

    Malwarebytes | Junkware Removal Tool

    Run on ALL the browsers: select Internet Cache, Internet History, Cookies, Download History, Session, Recently Typed URLs, Saved Form Information, Index.dat files, etc. ... everything except passwords (if she saves them in her browsers, which she shouldn't, as it's not safe).
    Include System: Temporary Files, and Multimedia: Adobe Flash Player, Silverlight.

    Now go into installed programs in Ccleaner, remove any toolbars, coupon printers, system tweakers, and any other junk programs you may find.

    Now go into Ccleaner>Tools>Startup and look in each tab for suspicious startup entries and disable them.
    Then go into Browser Plugins and disable anything suspicious looking.
    Then into the registry cleaner, check everything EXCEPT Help Files, run the cleaner, clear it all out, saving the changes first. Run it again to make sure there's nothing left to clean.

    Reset all browsers (all of them, not just the ones that are being used).
    Reset Chrome settings to default - Chrome Help

    Refresh Firefox - reset add-ons and settings | Firefox Help

    How to Reset Your Web Browser To Its Default Settings

    Reset Microsoft Edge to Default in Windows 10 - Windows 10 Browsers Email Tutorials

    Open an admin Command Prompt (or admin PowerShell):
    ipconfig /flushdns

    Change the DNS servers on her NICs to Open DNS
    See post #23 here:
    Protect Your Privacy - Page 3 - Solved - Windows 10 Forums

    Create another restore point - call it "clean"

    Back into Ccleaner>Tools>System Restore
    Delete all restore points except the last two you just made.

    If all is well, after a couple days, remove the first restore point you created before the cleaning process.

  9. Posts : 16,278

    Open Control Panel, go to Flash and make sure it is up-to-date; do the same with Java.

    Check in Ccleaner>Installed programs and make sure older versions are not still installed (yes, sometimes they don't get uninstalled, and these vulnerabilities are exploited online).

    For a final all-clear, run ESET Online Scanner.
    Free Virus Scan | Online Virus Scan from ESET ESET
    Select "Scan Now"
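    The checklist in posts 8 and 9 is a manual sequence (restore point, flush DNS, switch the NICs to OpenDNS, review startup entries, check for stale Flash/Java installs). The script below is an added example written for this thread, not code from simrick or from any of the tools mentioned; it turns that sequence into a single elevated PowerShell run that is read-only by default and only changes the machine when `-Apply` is passed. It goes a little beyond the posts by also listing scheduled tasks whose action launches a browser or script host, which is the same review the O4 lines of the HijackThis log give for Run keys and Startup folders, since an intermittent popup is worth checking for in that location too. The function names, the report path and the `$LauncherPattern` regex are assumptions made for this example; the two OpenDNS resolver addresses are OpenDNS's published ones.

    ```powershell
    <#
      Added example for this thread (not from any poster or tool). Run from an
      elevated PowerShell on Windows 8/10 or later. Without -Apply it only writes
      a review report; with -Apply it creates a restore point, flushes the DNS
      cache and points every active physical adapter at OpenDNS.
      Assumptions: function names, $ReportPath and $LauncherPattern are my own.
    #>
    [CmdletBinding()]
    param(
        [switch]$Apply,
        [string]$ReportPath = "$env:USERPROFILE\Desktop\autostart-review.txt"
    )

    # OpenDNS public resolvers as published by OpenDNS.
    $OpenDnsServers = @('208.67.222.222', '208.67.220.220')
    # Executables worth a second look when they appear in an autostart; this only flags entries for review.
    $LauncherPattern = 'iexplore|msedge|chrome|firefox|cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regedit'

    function Get-RunKeyEntries {
        # Same locations HijackThis reports as "O4 - HKCU\..\Run" etc., plus the 32-bit view on 64-bit Windows.
        $keys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        )
        foreach ($key in $keys) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }

    function Get-StartupFolderEntries {
        # Same as the "O4 - Startup" / "O4 - Global Startup" lines; each .lnk is resolved to its real target.
        $shell = New-Object -ComObject WScript.Shell
        foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
            Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = "$($lnk.TargetPath) $($lnk.Arguments)".Trim() }
            }
        }
    }

    function Get-TaskLauncherEntries {
        # Scheduled tasks whose action runs a browser or script host: a common home for a popup that returns on its own.
        Get-ScheduledTask | ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute -and ("$($a.Execute) $($a.Arguments)") -match $LauncherPattern) {
                    [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = "$($task.TaskName) [$($task.State)]"; Command = "$($a.Execute) $($a.Arguments)".Trim() }
                }
            }
        }
    }

    function Get-PluginVersions {
        # Post 9: list Flash/Java installs so duplicate, older versions left behind by upgrades stand out.
        $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Adobe Flash|Java' } |
            Select-Object DisplayName, DisplayVersion, Publisher |
            Sort-Object DisplayName, DisplayVersion
    }

    # --- Read-only review report ---
    $report = @()
    $report += '== Run keys ==';                                   $report += Get-RunKeyEntries | Format-Table -AutoSize | Out-String
    $report += '== Startup folders ==';                            $report += Get-StartupFolderEntries | Format-Table -AutoSize | Out-String
    $report += "== Scheduled tasks matching '$LauncherPattern' =="; $report += Get-TaskLauncherEntries | Format-Table -AutoSize | Out-String
    $report += '== Flash / Java installs ==';                      $report += Get-PluginVersions | Format-Table -AutoSize | Out-String
    $report | Set-Content -Path $ReportPath
    Write-Host "Review written to $ReportPath; nothing has been changed."

    # --- Changes, only when -Apply is given ---
    if ($Apply) {
        # Windows allows one restore point per 24 h by default; a second call in that window is silently skipped.
        Checkpoint-Computer -Description 'Before malware cleanup' -RestorePointType MODIFY_SETTINGS
        Clear-DnsClientCache        # same effect as "ipconfig /flushdns"
        Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
            Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $OpenDnsServers
            Write-Host "DNS on '$($_.Name)' set to $($OpenDnsServers -join ', ')"
        }
    }
    ```

    Save it as, say, `Review-Autostart.ps1`, run it once without switches and read the report before deciding what to disable (entries such as a Startup-folder shortcut pointing at a system executable are the kind of thing to look at, not to delete blindly), then run `.\Review-Autostart.ps1 -Apply` for the restore point, DNS flush and resolver change. `Get-ScheduledTask`, `Clear-DnsClientCache` and `Set-DnsClientServerAddress` come with Windows 8/Server 2012 and later; `Checkpoint-Computer` needs System Protection enabled on the system drive.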

  10. Posts : 78
    Windows 10 Pro
    Thread Starter

    simrick said:
    Okay. No one really uses HJT anymore, so I'm not even going to try and parse that log.

    Please download and run the following scans...etc
    Wow, lots of stuff. I will do my best. I actually did a bunch of this, but will repeat.

    Can you explain the "Change the DNS servers on her NICs to Open DNS" step (its purpose)?

    Thanks for the details!



Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.