Virus from Microsoft, popup - (855) 229-3504

Number: (855) 229-3504

popup link:

adompares.directory

1 Like

I got through and some girl answered who seemed like it was her first day. She just read the script and she kept pausing and saying stay on the line - took about 40 minutes before the payment was discussed.

I then got transferred to the billing department and he told me they were a 3rd party and not Microsoft - you can check out their website - www.pnfix.com

I said I wasn’t comfortable paying someone who wasn’t Microsoft, so he offered to clean my PC first for free and then they would do the payment.
I said I was going to walk my dog and I just watched him for 30 minutes…

He installed GoToAssist and AnyDesk and started running a Defender virus scan…
then he loaded this address and put all the files on my desktop: www.tiny.cc/swc13
I ran them through virustotal and he installed keyloggers, trojans and backdoors

He installed a restore point right before - I guess he was going to try and hold me to ransom if I didn’t pay.

These are scumbags! - called me back on 833 425 7960 / 763 317 3092

833 number still getting picked up.
Nasty cockroaches.

The junk is hosted on OneDrive. I reported the shared file to Microsoft, linking to VirusTotal’s scan results.
Since Windows Defender wasn’t detecting anything, I also submitted it to Microsoft Security Intelligence (also linking to VirusTotal’s scan results) non-anonymously, so I’ll receive updates on it as they happen.

tinycc URLs can be previewed by appending an equal sign to the URL.
Furthermore, I reported the shortened URL to tinycc as abusive.

1 Like

Still answering the 833 number, but that’s not the number on the popup, so you can’t say you’re calling the popup number… I said I was at the store and needed to know which cards to buy. This seemed to work. On with them now.

Still answering on 833 425 7960

Just took a look at some of the “utilities” in a sandbox. Four of them simply extract and run batch scripts.

ANTI HACKING.exe:
Made with Advanced BAT to EXE Converter. It failed to actually deliver the payload, so it instead delivered the following line:

'C:\Users\WDAGUtilityAccount\AppData\Local\Temp\ytmp\tmp57162.bat' is not recognized as an internal or external command, operable program or batch file.

Banking Security.exe:

@echo off
set ztmp=C:\Users\WDAGUtilityAccount\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\WDAGUtilityAccount\AppData\Local\Temp\afolder
set bfcec=tmp6265.exe
set cmdline=
SHIFT /0
@echo off
Title Network Security Shield
cd..
Color F9
dir /s
Color 0A
cls
echo Network Firewall Security Ver.6.3.4.2 Activated
echo Auto Renewal Active
Pause
Exit

(the contents of the mentioned tmp6265.exe is simply “RCHELICOPTERFTW” in plain-text)

Email Security.exe:

@shift /0
@echo off
echo Would you like to scan your Email id ?
pause
echo Scanning .............
cd..
dir/s
cls
color 2 
echo Inbox Secured 
echo Outbox Secured 
echo Draft Secured
echo Archive Secured
echo Spam Blocked
echo Photos Secured
echo Documents Secured
pause
cls
echo Email Address Secured 
pause

IP Address Protextion.exe:

@shift /0
@echo off 
echo Checking your system infor, Please wating...
systeminfo | findstr /c:"Host Name" 
systeminfo | findstr /c:"Domain" 
systeminfo | findstr /c:"OS Name" 
systeminfo | findstr /c:"OS Version" 
systeminfo | findstr /c:"System Manufacturer" 
systeminfo | findstr /c:"System Model" 
systeminfo | findstr /c:"System type" 
systeminfo | findstr /c:"Total Physical Memory" 
echo\
echo IP Settings Are :
echo\
ipconfig | find "." | find /i /v "suffix"
echo\
echo Ip Address Secured
echo\
echo Press any Key to close this window.
pause>nul

Malware Security.exe is simply a renamed Malwarebytes AdwCleaner 8.0.1.

As for Network Security.exe, no idea if it actually does anything, but it alternately lists off the contents of System32 with the line “Installing network security and drivers…”. Apparently it’s supposed to clear the screen before naming each file, considering each repeated line has 0-10 extra dots added sequentially at the end.
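A triage heuristic for batch "utilities" like the ones quoted above, added here as an example (my own code, not from the thread or the sandbox): it reads each line's leading command, counts host-enumeration commands, reassurance echoes ("Secured", "Activated") and purely cosmetic commands, and flags scripts that produce security theatre without doing any protective work. The command sets are my assumptions, not a vendor signature list, and the embedded samples are constructed abbreviations of the scripts above.

```python
import re

# Command classes are my own assumptions modelled on the scripts quoted above,
# not a vendor signature list.
RECON = {"systeminfo", "ipconfig", "whoami", "netstat", "tasklist", "hostname"}
COSMETIC = {"echo", "set", "shift", "exit", "cd", "cls", "color", "pause",
            "title", "dir", "timeout", "goto"}
REASSURE = re.compile(r"\b(secured|activated|protected|blocked|renewal active)\b", re.I)
CMD_RE = re.compile(r"[A-Za-z]+")  # leading command word: "dir/s" -> "dir", "echo\" -> "echo"


def analyze_batch(text):
    """Count indicator classes in a batch script and attach a verdict."""
    counts = {"recon": 0, "reassure": 0, "cosmetic": 0, "real_work": 0}
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")          # "@echo off" -> "echo off"
        m = CMD_RE.match(line)
        if not m or line.lower().startswith("rem "):
            continue                             # blank, label, "::" comment or REM
        cmd = m.group(0).lower()
        if cmd == "echo" and REASSURE.search(line):
            counts["reassure"] += 1              # "Inbox Secured", "... Activated"
        if cmd in RECON:
            counts["recon"] += 1                 # leading command of a pipeline
        elif cmd in COSMETIC:
            counts["cosmetic"] += 1
        else:
            counts["real_work"] += 1             # anything that could actually act
    if counts["recon"] and counts["reassure"]:
        counts["verdict"] = "scareware: host enumeration behind reassurance messages"
    elif counts["reassure"] >= 2 and not counts["real_work"]:
        counts["verdict"] = "scareware: cosmetic output only, no protective action"
    else:
        counts["verdict"] = "no scareware indicators"
    return counts


# Constructed, abbreviated versions of "Email Security.exe" and
# "IP Address Protextion.exe" from the sandbox notes above.
EMAIL_SAMPLE = "@shift /0\n@echo off\necho Scanning ...\ndir/s\ncls\ncolor 2\n" \
               "echo Inbox Secured\necho Outbox Secured\necho Spam Blocked\npause\n"
IP_SAMPLE = "@echo off\nsysteminfo | findstr /c:\"Host Name\"\n" \
            "ipconfig | find \".\" | find /i /v \"suffix\"\necho\\\n" \
            "echo Ip Address Secured\npause>nul\n"

if __name__ == "__main__":
    for name, sample in (("Email Security", EMAIL_SAMPLE), ("IP Address", IP_SAMPLE)):
        print(name, analyze_batch(sample))
```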

Still answering as “suppoat” on 833 425 7960, but have likely switched to a new popup number.

The 855-229-3504 number rings but no one answered when I called just now. The 833 number worked and they picked up.

I got through on the 833 line and they spoke to me for a couple minutes then hung up on me. I guess I’m not worthy.

I’m port-scanning PNFIX.com over Tor now. httpd reports itself as Apache. TCP stack behaves like Linux 2.6.x/3.x, so I’m not hopeful they’re running any ancient vulnerable services, but we’ll see.

2 Likes