
Author Topic: Friends Windows 10 Laptop Edge got hit with a call this number hijacker  (Read 5115 times)


DaveLembke

So my one friend contacted me that they got hit by a pop-up telling them to call a phone number and it was Microsoft. I told them to hold on and let me remote into them with TeamViewer, since we use this as a means to show each other remotely what we are doing with character builds for video games etc. So I was able to run taskmgr and kill Edge. And then start Edge back up and it brings you back to this hijacker. I then killed it again in Task Manager. I then brought up Command Prompt and ran an instruction to call Edge to run but to "www.google.com"; this way I can bypass the hijacker that was taking the focus of Edge and not allowing any browser use. I was able to get to Google this way and then download and install Firefox, and told it NOT to get any info from Edge. I then from Firefox was able to download and install Malwarebytes. Ran Malwarebytes and it found 16 problems with 2 detections for the hijacker. Told Malwarebytes to go and fix the problems.

Malwarebytes then wanted to reboot. No problem, so I rebooted her system remotely.

Her system came back up and I remoted back into it. Ran another scan and everything shows clean. However, Edge, the minute you go to launch it, flashes quick and disappears, so Edge is dead.

Launched Firefox and Firefox runs with no troubles.

She said she prefers Firefox anyways and will just use that, BUT I don't like how Edge is dead and was wondering if there is a way to fix this for her remotely?

When she got her new laptop I remoted in and created the system recovery media for her, so worst case scenario I walk her through a full system recovery using the USB stick that I created for her when she boots off that. However, she doesn't want to do a full system restore if she doesn't have to because she has data on it and it's customized, so I figured I'd check into a way to fix Edge. So not sure if there is a repair tool for Edge or if it's more involved. I was thinking I got lucky in installing Firefox before Malwarebytes tombstoned Edge by removal of the hijacker.  ;D

SuperDave

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #1 on: October 31, 2016, 12:32:21 PM »
I'm not sure if this will work on Win 10 but did you try turning Edge off and on in Control Panel?
Windows 8 and Windows 10 dual boot with two SSD's

DaveLembke

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #2 on: November 04, 2016, 08:28:04 AM »
Didn't try that, I will give that a shot. Thanks for your suggestion to fix Edge.

soybean



Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #3 on: November 04, 2016, 08:57:52 AM »
Quote
I'm not sure if this will work on Win 10 but did you try turning Edge off and on in Control Panel?
You're referring to the settings for default programs, right?

SuperDave

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #4 on: November 04, 2016, 09:57:15 AM »
Go to Control Panel, Add/Remove programs and you should be able to turn it off and then back on on the left-hand side. Reboot after you turn it off and then turn it back on after the reboot.

soybean



Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #5 on: November 04, 2016, 09:06:24 PM »
Quote
Go to Control Panel, Add/Remove programs and you should be able to turn it off and then back on on the left-hand side.
Windows 10 does not have Add/Remove program; it has Programs and Features (and so does Windows 7). And, Windows 10 does not have an option to "turn off" Edge. As stated in my previous post, the default browser can be changed from Edge to another browser. A reference: http://www.thewindowsclub.com/change-default-browser-program-windows-10


SuperDave

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #7 on: November 05, 2016, 11:45:50 AM »
Quote
And, Windows 10 does not have an option to "turn off " Edge.
It does on my laptop.

BC_Programmer


Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #8 on: November 05, 2016, 12:48:27 PM »
Quote
It does on my laptop.

Where are you seeing the option? I thought it existed and was going to rebut Soybean myself but could not find an option on any of my Win10 systems to allow Edge to be turned off so decided I was mistaken.



Speaking of the topic, my Mom was hit by a Microsoft scammer I think a month or two ago. I pop over and learn that she had gotten a message that her system was infected and to call a 1-800 number. But afterwards she thought it was a scam but thought they might have done something to it. I took a look and they had installed a Remote Access Trojan in the form of an unsecured TeamViewer (which I suppose is right now every copy of TeamViewer because of the exploit?). If I understand correctly they got her to install it, remotely controlled her system, set it up for unsecured access later, then opened command prompt and did some dir /s and netstat commands and typed in stuff like "These are all virus" as a description. When they started pushing her to pay them she suspected that they were scammers and hung up, and then they started "doing things" on the laptop and didn't know how to stop the laptop from being controlled so she forced it off (she was proud of herself for remembering when I told her she could hold the power button for 5 seconds to force it off), and she hadn't turned it on in the few hours since.

I think they were about to install some more nefarious malware but were stopped by the forced power off, and subsequently by my removal of TeamViewer entirely.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #9 on: November 06, 2016, 08:01:37 AM »
Quote
I took a look and they had installed a Remote Access Trojan in the form of an unsecured TeamViewer (Which I suppose is right now every copy of TeamViewer because of the exploit?)

 :o WOOOOOOOWWW

Now I am gonna dig into this with her right away. Wasn't aware of this security issue, as to connect to a person's system they need the ID of the computer to connect to and then key, which is an alphanumeric, sometimes just numeric. On my systems I only have TeamViewer running as a standalone; it's not installed, so I have to tell it to start and run once and personal use etc. Maybe at her end she installed it vs run once.

Thank you for sharing this info BC. Now eager to get onto her system tonight to check into this.

She didn't see anyone remoted into her system, but your mom's situation sounds EXACTLY like my friend's. I think the safe thing to do at this point will be to walk her through over the phone to use the system recovery media that I helped her create and make this system fresh. Then make sure that she is instructed to only have TeamViewer set up to run once each time she uses that with me; this way the ability to connect only happens when she wants me to help her vs a service that runs idle waiting for anyone to connect.

Quote
The passwords they are talking about are not per-session pins but account passwords for accounts in the service i.e. on their site. Those can't be randomized per session.

Her and I only use the random pins which require a phone call to each other to tell the other what the pin is to connect, but still going to make sure she is set up to have it only run once vs installed and service idle which will make her more secure.

Read up on this here: http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
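
The difference raised in the post above, between TeamViewer started on demand and TeamViewer installed as a service that sits idle waiting for connections, can be checked on the machine itself. The PowerShell below is an added example, not part of any forum post; the `*TeamViewer*` name pattern is an assumption about how the tool's service, autorun entry and process are named.

```powershell
# Added example: is a remote-access tool set up to run unattended?
# $Pattern is an assumption; adjust it to the tool being checked.
# Run from an elevated prompt so process paths and owners are visible.
$Pattern = '*TeamViewer*'

# 1. Installed Windows services. StartMode "Auto" means the tool is
#    reachable after every boot, not only when the user launches it.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern } |
    Select-Object Name, DisplayName, StartMode, State, PathName

# 2. Per-machine and per-user autorun entries that start it at logon.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider bookkeeping properties.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like $Pattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 3. Matching processes running now, and the TCP connections they own.
$procs = Get-Process | Where-Object { $_.ProcessName -like $Pattern }
$conns = if ($procs) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $procs.Id -contains $_.OwningProcess } |
        Select-Object State, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

"Services:";    $services | Format-List
"Autoruns:";    $autoruns | Format-Table -AutoSize
"Processes:";   $procs | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
"Connections:"; $conns | Format-Table -AutoSize
```

An empty result in all four sections is what a run-once setup looks like while the tool is closed; a service with `StartMode` of `Auto` is the idle, always-listening setup.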


soybean



Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #10 on: November 06, 2016, 11:01:49 AM »
I recently (only 4 days ago) encountered the scammer situation where a box popped up on my screen with boxes for phone # and name, as I recall, accompanied by a voice telling me something bad had occurred, or was about to occur, in my computer and that I should allow them to call me so that they could help me resolve this. My description might be inaccurate since I was in a bit of panic mode and forced a shutdown to prevent a continuation of the attack.

I have TeamViewer installed - have had it installed on this computer for many months - but do not believe TeamViewer was in any way a factor in this attempted malicious attack. If the scammers were going to ask me to install or open TeamViewer, we had not reached that point yet. I suspect the attack was launched by me visiting a malicious website with popups that appear to be ads and I made the mistake of clicking on a popup that launched the attack. And, I suspect I arrived at the malicious website by clicking a junk ad on Facebook. But, I had many tabs open in my browser when the attack hit and my suspicion might be incorrect.

DaveLembke

Re: Friends Windows 10 Laptop Edge got hit with a call this number hijacker
« Reply #11 on: November 06, 2016, 12:39:36 PM »
More info after phone call to her this afternoon. So she said she was playing number games at this website and then a pop-up happened with a 1-800 number and it also had audio as soybean stated. When this happened she panicked and contacted me right away to remote into her system, which I did and killed the hijacker in its tracks with what I said in the first post here.

Website she plays number games is this one: http://wellgames.com/free_online/digitz/
She also had Facebook open at the same time but nothing else going on. And in the middle of playing Digitz she got this pop-up that took over the Edge browser. She claimed she didn't install anything new, didn't agree to any other pop-up boxes. To her it popped up out of nowhere, and then she contacted me to assist because her computer was only 2 weeks old and just got hit by this.