Forum name: The Computer Forum
Topic subject: After Hack Procedure
Topic URL: http://www.pcqanda.com/dc/dcboard.php?az=show_topic&forum=2&topic_id=567208
567208, After Hack Procedure
Posted by wings515, Sat Mar-26-22 02:48 PM
Hello Again,
It has been a while since I have had a PC on the bench. A neighbor called last night and said he had been hacked. The screen showed a message from MS with an 866 number to call. He did, and the "agent" had him do some things in DOS, I assume, since he said the screen went black.

Some history, the wife went onto either a Facebook or YouTube site with a bunch of numbers to play some kind of game, he could not define exactly what it was.

I am getting this Win 10 tower tomorrow. I plan on booting in Safe Mode and running CCleaner, Malwarebytes and PrivaZer, three apps to 'clean' the disk that I am familiar with. I have also downloaded the latest Win 10 ISO from MS just in case I have to reload the OS.

First question, is the 866 number really MS? Second, your opinions on any other process I should run to make sure the hack is removed before a total reload of the OS.

Regards,
Dan Kahn
567209, RE: After Hack Procedure
Posted by lenjack, Sat Mar-26-22 04:44 PM
I'm not an expert, but I don't believe MS sends messages like this. In fact, I'm positive they don't.
567210, RE: After Hack Procedure
Posted by wings515, Sat Mar-26-22 04:46 PM
I was under that impression also but I just wanted to verify the 866 number was a scam. If the owner has the full number I think I'll do a search to see if anything pops up.
Thanks,
Dan
567211, RE: After Hack Procedure
Posted by Ttech, Sat Mar-26-22 10:01 PM
If it boots to a screen requiring a password, please take a picture and post it here, I may be able to help.
567214, RE: After Hack Procedure
Posted by wings515, Tue Mar-29-22 01:56 PM
I got the PC yesterday and it did turn ON but it took a long time to boot. This is an HP Pavilion 6. It has a second partition with a WIN10 OS. Luckily I did not have to reload the OS.
There was a DOS tab on the Start Menu. Opening it showed an ALARM with Trojan and a note for a bank.
The owner has already changed his password for all personal web sites.
Prior to this hack the owner, on my suggestion, purchased Webroot. That was running in the background along with MS Defender.

I updated and ran CCleaner. I also installed the free version of Malwarebytes. It found 10 PUPs. Also installed and ran PrivaZer, which found a lot of "stuff".
There were some drivers that needed updating and I took care of that.
I informed the owner that it might be a good idea to purchase Malwarebytes soon as a precaution. I will leave that up to him.
I am also suggesting he activate OneDrive as a backup.

I am confused that Defender and Webroot did not flag this virus.

Any suggestions that I might do before returning this PC to him?

Regards,
Dan Kahn
567216, RE: After Hack Procedure
Posted by Ttech, Tue Mar-29-22 11:07 PM
Quote:
I am confused that Defender and Webroot did not flag this virus.

What virus? Did your scans catch any viruses? Probably not, because this type of attack is known as a browser hijack. It exploits features built into the browsers.

2 things to do:

Disable notifications from all browsers. Start - Settings - System - Notifications & actions, scroll down and turn off notifications from all web browsers that are listed there.

Install the free Malwarebytes Browser Guard if it's available for the browsers in use.
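The notification toggles that the Settings > System > Notifications & actions page flips are per-user registry values, so the check can be scripted and re-run after the PC goes back. The script below is an added example, not something posted in the thread. It assumes (registry layout) that Windows 10 keeps one subkey per app under HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings, named by the app's AppUserModelId, with a DWORD Enabled that is 0 when notifications are off and absent when the user never touched the toggle (default on). It also assumes that the subkey name contains a recognisable browser name; that is true for some browsers but not all (Firefox, for one, registers under an opaque hash), so the Settings page is still the final check.

```powershell
# Added example: audit and switch off browser notification toggles (Win10).
# Assumption: per-app state lives under this key as <AppUserModelId>\Enabled (DWORD).
$settingsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings'

# Substrings expected in browser AppUserModelIds (assumption; regex, case-insensitive).
$browserPatterns = 'chrome', 'msedge', 'firefox', 'opera', 'brave', 'vivaldi'

function Get-BrowserNotificationState {
    param(
        [string]$Root = $settingsRoot,
        [string[]]$Patterns = $browserPatterns
    )
    if (-not (Test-Path $Root)) { return @() }

    Get-ChildItem -Path $Root | ForEach-Object {
        $key = $_
        $id  = $key.PSChildName
        $isBrowser = $Patterns | Where-Object { $id -match $_ }
        if ($isBrowser) {
            $enabled = (Get-ItemProperty -Path $key.PSPath -Name Enabled `
                        -ErrorAction SilentlyContinue).Enabled
            # A missing Enabled value means the toggle was never changed: default on.
            $state = if ($null -eq $enabled) { 1 } else { [int]$enabled }
            [pscustomobject]@{
                AppId   = $id
                Enabled = $state
                Path    = $key.PSPath
            }
        }
    }
}

function Disable-BrowserNotifications {
    param([switch]$ReportOnly)
    foreach ($entry in Get-BrowserNotificationState) {
        if ($entry.Enabled -eq 0) {
            "Already off: $($entry.AppId)"
        }
        elseif ($ReportOnly) {
            "Would disable: $($entry.AppId)"
        }
        else {
            # Writing Enabled=0 is what the Settings toggle does for an app entry.
            Set-ItemProperty -Path $entry.Path -Name Enabled -Value 0 -Type DWord
            "Disabled: $($entry.AppId)"
        }
    }
}

# Run as the affected user (the key is HKCU). Report first, then apply.
Get-BrowserNotificationState | Format-Table AppId, Enabled
Disable-BrowserNotifications -ReportOnly
Disable-BrowserNotifications
```

After running it, open Settings > System > Notifications & actions and confirm every browser listed there shows Off; any browser whose registry entry did not match a pattern has to be switched off there by hand. Note that this only silences Windows toast notifications; a site the browser was already granted permission to notify from is still recorded inside that browser's own site settings, and that permission should be revoked there (or the browser profile reset) as well.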
567215, RE: After Hack Procedure
Posted by therube, Tue Mar-29-22 04:09 PM
Not knowing just what was done by the user...
Not knowing just what was done by "MS"...


My thought would be to nuke everything & start over again.


Reinstall Windows.
Reinstall your programs.

And take it from there.
567219, RE: After Hack Procedure
Posted by wings515, Sat Apr-02-22 03:10 PM
Well, I did all the scans and installed Malwarebytes. All seemed good until we tried to log onto his email. Seems the mail server password was corrupted. Not a big deal, just called the ISP and had them reset the password.

I suggested that the owner purchase the full Malwarebytes for a Just In Case, since the scans did not find anything substantial.

Thanks for all the replies.
Regards,
Dan Kahn