15 years back or so my grandma had a Mac given to her from her business. When she retired they gave it to her. About 5 years ago or so, it was getting to where nothing would run anymore (Firefox mostly). I picked up a cheap used PC from Amazon and set her up with Linux Mint, and I tricked it out to look similar to her Mac.
Yesterday I received a call from her that there was some strange error on her screen and it was not allowing her to boot. She said there was a large white window with a Windows Defender SmartScreen message on it. Thought to myself 'Huh?' Her neighbor took these pics and sent them to me (even with a smartphone, they can't seem to get a clear pic).
Then while on the phone with me, her login box appeared and she was able to log in. But then she was presented with another screen, and she still could not do anything. See attached.
You can still see the taskbar at the top with the green 'M' on the left. Clearly she had visited some page, clicked on something, or received an email that she opened, which started this whole thing.
I used to be able to remotely connect using NoMachine or TeamViewer, but her ISP forced her to IPv6 a month ago, and she has no IPv4 address, while mine is the exact opposite. I am assuming that is the reason I cannot remote to her PC anymore, so I may be forced to go over there to troubleshoot.
Does anyone know how I can troubleshoot this issue? I'd hate to format her HDD and start her all over.
[Solved] Grandma is being held hostage (possible browser hijack?)
Last edited by LockBot on Fri Jul 28, 2023 10:00 pm, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
- Midnight True
- Level 7
- Posts: 1549
- Joined: Wed Jul 20, 2022 3:23 am
- Location: Southern and Southwestern area of Mato
Re: Grandma is being held hostage (possible browser hijack?)
Hi and welcome to the forum.
If I may ask, why is the Firefox icon not highlighted? It should be highlighted if it is active and in focus.
If you did NOT allow auto login of your user password, then I think the issue is only with the browser ... please try in the terminal
Code:
whoami
But if your username does appear ... it's most likely an issue with your browser. I recommend deleting the existing data in your browser ... in Firefox Settings ---> Privacy and Security ---> Cookies and Site Data ---> Clear Data
Moreover, please check if there are any unknown add-ons that got installed without your knowledge and then remove them.
If your grandma uses a YouTube or Gmail account, I recommend checking it here https://haveibeenpwned.com/ to see if it was compromised ... if yes, then I highly suggest changing the password and enabling 2-Factor Authentication.
Lastly, please send the output of this command
Code:
inxi -Fxxxmprz
Re: Grandma is being held hostage (possible browser hijack?)
I have never heard of an ISP forcing their customers onto IPv6 when IPv4 is the standard. If you can boot into a live session USB, please post the results of the following command:
Code:
inxi -Fxz
Why it's showing Windows Defender is weird if only LM is installed. It may be because your grandma has inadvertently clicked OneDrive; I always uninstall anything from Microsoft. With TeamViewer, I would steer away from that now as they no longer support the free version, and the reset password option does not work. I use RustDesk; it works on all O/S and it is similar to TeamViewer, but 100x faster. You can get it here:
http://rustdesk.com/
You may need to clear the browser history and the cache. If that still fails, then if you created a Timeshift snapshot I would suggest restoring Timeshift to a previous working system. If you didn't do a snapshot, then save all her data and important files and then do a fresh install.
Re: Grandma is being held hostage (possible browser hijack?)
A while back there was a trend for malware loader links that when clicked would open what purported to be a normal screen showing a page - usually a virus warning or malware alert or something of that nature. Some of them were very realistic and were frameless browser windows. The idea was that when the OK or whatever button was clicked the payload would be installed and much fun followed.
If this machine only has LM installed then I'd suggest that is what may be occurring here. If she is using Firefox, does she by any chance have a Firefox Account? If so, then with the login for that and access to her email you would be able to test on a local live system or VM by logging in to her Firefox and seeing if there's anything nasty in the history.
If it is one of those then it begs the question whether any payload has been delivered.
- Pjotr
- Level 24
- Posts: 20132
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
Re: Grandma is being held hostage (possible browser hijack?)
Try this:
https://easylinuxtipsproject.blogspot.c ... html#ID7.1
(item 7.1)
When successful, nuke the infected backup:
Code:
rm -v -R ~/.mozillabackup
Those Windows Defender popups are priceless, by the way.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: Grandma is being held hostage (possible browser hijack?)
I heard Comcast was reportedly doing this to a lot of their customers; however, last night I decided to trek over there and she's showing IPv4 now as well as IPv6.
But I did discover the culprit. It was a fullscreen page that was easily taken care of with me hitting ESC and then closing the tab. I scanned her with ClamAV and also cleared her Firefox profile.
Not sure how it was surviving a reboot, but it's possible she was not doing a full recycle.
Thanks for the advice, I will be listing these for any potential future issues she may encounter.
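An added example, not part of any post in this thread: one way to check a Firefox profile for settings that reopen a page at every start and for add-ons that need review, as suggested earlier in the thread. It assumes the usual `prefs.js` and `extensions.json` files in the profile directory; the sample data is constructed, and session restore is only one possible explanation for a page reappearing after a reboot.

```python
import json
import re

# prefs.js stores one preference per line: user_pref("browser.startup.page", 3);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
STARTUP_PREFS = ("browser.startup.page", "browser.startup.homepage")

def read_startup_prefs(prefs_text):
    """Return the startup-related prefs present in prefs.js text."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in STARTUP_PREFS:
            found[m.group(1)] = json.loads(m.group(2))
    return found

def user_addons(extensions_text):
    """List extensions installed into the profile, not shipped with Firefox."""
    result = []
    for addon in json.loads(extensions_text).get("addons", []):
        if addon.get("type") == "extension" and addon.get("location") == "app-profile":
            name = (addon.get("defaultLocale") or {}).get("name", "?")
            result.append((addon.get("id"), name, bool(addon.get("active"))))
    return result

def triage(prefs_text, extensions_text):
    findings = []
    prefs = read_startup_prefs(prefs_text)
    if prefs.get("browser.startup.page") == 3:  # 3 = restore previous session
        findings.append("session restore is on: the last tabs reopen at every start")
    if "browser.startup.homepage" in prefs:  # absent means the default home page
        findings.append(f"custom homepage: {prefs['browser.startup.homepage']}")
    for addon_id, name, active in user_addons(extensions_text):
        findings.append(f"review add-on: {name} ({addon_id}) active={active}")
    return findings

# Constructed sample data, not taken from the machine in this thread.
SAMPLE_PREFS = """user_pref("browser.search.region", "US");
user_pref("browser.startup.homepage", "https://alert.example.invalid/warning");
user_pref("browser.startup.page", 3);
"""
SAMPLE_EXTENSIONS = json.dumps({"addons": [
    {"id": "helper@example.invalid", "type": "extension", "location": "app-profile",
     "active": True, "defaultLocale": {"name": "PC Helper"}},
    {"id": "formautofill@mozilla.org", "type": "extension",
     "location": "app-system-defaults", "active": True}]})

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_PREFS, SAMPLE_EXTENSIONS)))
```

To run it on a real profile, pass the text of `prefs.js` and `extensions.json` from the profile directory under `~/.mozilla/firefox` to `triage()`.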
- Midnight True
- Level 7
- Posts: 1549
- Joined: Wed Jul 20, 2022 3:23 am
- Location: Southern and Southwestern area of Mato
Re: Grandma is being held hostage (possible browser hijack?)
I recommend adding these on Firefox:
- https://addons.mozilla.org/en-US/firefo ... ck-origin/ and setting it to medium mode (https://github.com/gorhill/uBlock/wiki/ ... edium-mode) would help regarding ads, thus minimizing the chance of grandma clicking on one of these
- https://addons.mozilla.org/en-US/firefo ... -redirect/ to prevent redirection of URLs
- (optional) https://addons.mozilla.org/en-US/firefo ... r-youtube/ for YouTube overall quality customization