Number: (855) 229-3504
I got through and some girl answered who seemed like it was her first day. She just read the script and she kept pausing and saying stay on the line - took about 40 minutes before the payment was discussed.
I then got transferred to the billing department and he told me they were a 3rd party and not Microsoft - you can check out their website - www.pnfix.com
I said I wasn’t comfortable paying someone who wasn’t Microsoft so he offered to clean my PC first for free and then they would do the payment.
I said I was going to walk my dog and I just watched him for 30 minutes…
He installed GoToAssist and AnyDesk and started running a Defender virus scan…
then he loaded this address and put all the files on my desktop: www.tiny.cc/swc13
I ran them through virustotal and he installed keyloggers, trojans and backdoors
He installed a restore point right before - I guess he was going to try and hold me to ransom if I didn’t pay.
These are scumbags! - called me back on 833 425 7960 / 763 317 3092
833 number still getting picked up.
The junk is hosted on OneDrive. I reported the shared file to Microsoft, linking to VirusTotal’s scan results.
Since Windows Defender wasn’t detecting anything, I also submitted it to Microsoft Security Intelligence (also linking to VirusTotal’s scan results) non-anonymously, so I’ll receive updates on it as they happen.
Tinycc URLs can be previewed by appending an equal sign to the URL.
Furthermore, I reported the shortened URL to tinycc as abusive.
Still answering the 833 number, but that’s not the number on the popup, so you can’t say you’re calling the popup number… I said I was at the store and needed to know which cards to buy. This seemed to work. On with them now.
Still answering on 833 425 7960
Just took a look at some of the “utilities” in a sandbox. Four of them simply extract and run batch scripts.
Made with Advanced BAT to EXE Converter. It failed to actually deliver the payload, so it instead delivered the following line:
'C:\Users\WDAGUtilityAccount\AppData\Local\Temp\ytmp\tmp57162.bat' is not recognized as an internal or external command, operable program or batch file.
@echo off
set ztmp=C:\Users\WDAGUtilityAccount\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\WDAGUtilityAccount\AppData\Local\Temp\afolder
set bfcec=tmp6265.exe
set cmdline=
SHIFT /0
@echo off
Title Network Security Shield
cd..
Color F9
dir /s
Color 0A
cls
echo Network Firewall Security Ver.184.108.40.206 Activated
echo Auto Renewal Active
Pause
Exit
(The contents of the mentioned tmp6265.exe is simply “RCHELICOPTERFTW” in plain text.)
@shift /0
@echo off
echo Would you like to scan your Email id ?
pause
echo Scanning .............
cd..
dir/s
cls
color 2
echo Inbox Secured
echo Outbox Secured
echo Draft Secured
echo Archive Secured
echo Spam Blocked
echo Photos Secured
echo Documents Secured
pause
cls
echo Email Address Secured
pause
IP Address Protextion.exe:
@shift /0
@echo off
echo Checking your system infor, Please wating...
systeminfo | findstr /c:"Host Name"
systeminfo | findstr /c:"Domain"
systeminfo | findstr /c:"OS Name"
systeminfo | findstr /c:"OS Version"
systeminfo | findstr /c:"System Manufacturer"
systeminfo | findstr /c:"System Model"
systeminfo | findstr /c:"System type"
systeminfo | findstr /c:"Total Physical Memory"
echo\
echo IP Settings Are :
echo\
ipconfig | find "." | find /i /v "suffix"
echo\
echo Ip Address Secured
echo\
echo Press any Key to close this window.
pause>nul
Malware Security.exe is simply a renamed Malwarebytes AdwCleaner 8.0.1
As for Network Security.exe, no idea if it actually does anything, but it alternately lists off the contents of System32 with the line “Installing network security and drivers…” Apparently, it’s supposed to clear the screen before naming each file, considering each repeated line has 0-10 extra dots added sequentially at the end.
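A triage helper in the spirit of the sandbox notes above, added here as an example and not code from the thread: it scores a batch script body by separating reassuring echo text and screen theatrics (dir /s, cls, color) from commands that actually do anything, and flags host enumeration (systeminfo, ipconfig) that a "security scan" has no reason to run. The regexes, thresholds and the two de-flattened sample scripts are my own construction.

```python
"""Heuristic triage for batch scripts pulled out of BAT-to-EXE wrappers.

Added example: patterns and verdict thresholds are assumptions, not a
published signature. Both sample bodies are constructed from the thread.
"""
import re

# Constructed sample: the "Email" script, de-flattened and shortened.
FAKE_EMAIL = """@shift /0
@echo off
echo Would you like to scan your Email id ?
pause
echo Scanning .............
cd..
dir/s
cls
color 2
echo Inbox Secured
echo Spam Blocked
pause
echo Email Address Secured
"""

# Constructed sample: fake "protection" that only enumerates the host.
FAKE_IP = """@shift /0
@echo off
systeminfo | findstr /c:"Host Name"
ipconfig | find "." | find /i /v "suffix"
echo Ip Address Secured
pause>nul
"""

# Lines that paint a picture for the victim but change nothing.
THEATRICS = re.compile(r"^\s*(@?echo\s+off|@?shift|pause|cls|color|title|cd\.\.|dir\b)", re.I)
REASSURANCE = re.compile(r"^\s*echo\b.*\b(secured|activated|protected|blocked|renewal)\b", re.I)
# Host-enumeration commands seen in the thread's "IP Address" script.
RECON = re.compile(r"^\s*(systeminfo|ipconfig)\b", re.I)

def triage_batch(text):
    """Return counts and a verdict for one batch script body."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    reassurance = [l for l in lines if REASSURANCE.search(l)]
    recon = [l for l in lines if RECON.match(l)]
    # Anything that is not theatrics, echo text or recon might do real work.
    other = [l for l in lines
             if not (THEATRICS.match(l) or l.lower().startswith("echo") or RECON.match(l))]
    if recon:
        verdict = "fake-utility-with-recon"
    elif reassurance and not other:
        verdict = "fake-utility"
    else:
        verdict = "needs-manual-review"
    return {"verdict": verdict, "reassurance": len(reassurance),
            "recon": len(recon), "other": len(other)}

if __name__ == "__main__":
    for name, body in (("Email", FAKE_EMAIL), ("IP Address", FAKE_IP)):
        print(name, triage_batch(body))
```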
Still answering as “suppoat” on 833 425 7960, but have likely switched to a new popup number.
The 855-229-3504 number rings but no one answered when I called just now. The 833 number worked and they picked up.
I got through on the 833 line and they spoke to me for a couple minutes then hung up on me. I guess I’m not worthy.
I’m port-scanning PNFIX.com over Tor now. httpd reports itself as Apache. TCP stack behaves like Linux 2.6.x/3.x, so I’m not hopeful they’re running any ancient vulnerable services, but we’ll see.