[Solved] Grandma is being held hostage (possible browser hijack?)

z-vap
Level 1
Posts: 3
Joined: Sat Jan 28, 2023 11:36 am

[Solved] Grandma is being held hostage (possible browser hijack?)

Post by z-vap »

15 years back or so my grandma had a Mac given to her from her business. When she retired they gave it to her. About 5 years or so, it was getting to where nothing would run anymore (Firefox mostly). I picked up a cheap used PC from Amazon and set her up with Linux Mint, and I tricked it out to look similar to her mac.

Yesterday I received a call from her that there was some strange error on her screen and it was not allowing her to boot. She said there was a large white window with a Windows Defender SmartScreen message on it. Thought to myself 'Huh?' Her neighbor took these pics and sent them to me (even with a smartphone, they can't seem to get a clear pic :lol: ).

Image

Then while on the phone with me, her Login box appeared and she was able to login. But then she was presented with another screen, and she still could not do anything. See attached.

Image

You can still see the taskbar at the top with the green 'M' on the left. Clearly she had visited some page, clicked on something, or received an email that she opened, which started this whole thing.

I used to be able to remotely connect using NoMachine or Teamviewer, but her ISP forced her to IPv6 a month ago, and she has no IPv4 address, while mine is the exact opposite. I am assuming that is the reason I cannot remote to her PC anymore, so I may be forced to go over there to troubleshoot.

Does anyone know how I can troubleshoot this issue? I'd hate to format her HDD and start her all over.
Last edited by LockBot on Fri Jul 28, 2023 10:00 pm, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Midnight True
Level 7
Posts: 1549
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Grandma is being held hostage (possible browser hijack?)

Post by Midnight True »

z-vap wrote: Sat Jan 28, 2023 11:51 am You can still see the taskbar at the top with the green 'M' on the left.
Hi and welcome to the forum.

If I may ask, why is the Firefox icon not highlighted? It should be highlighted if it is active and in focus.
z-vap wrote: Sat Jan 28, 2023 11:51 am Does anyone know how I can troubleshoot this issue? I'd hate to format her HDD and start her all over.
If you did NOT allow auto-login with your user password, then I think the issue is only with the browser ... please try this in the terminal:

Code:

whoami

Your original username should be the one that appears ... if not, then your system has most likely been hacked and you need to reinstall and check your router or home network for any backdoors.

But if your username does appear ... it's most likely an issue with your browser. I recommend deleting the existing data in your browser ... in Firefox: Settings ---> Privacy and Security ---> Cookies and Site Data ---> Clear Data.
Moreover, please check whether any unknown add-ons got installed without your knowledge and then remove them.

If your grandma uses a YouTube or Gmail account, I recommend checking here https://haveibeenpwned.com/ whether it was compromised ... if yes, then I highly suggest changing the password and enabling 2-factor authentication.

Lastly, please send the output of this command

Code:

inxi -Fxxxmprz

so that more knowledgeable members of the forum will have more information about your system.
kato181
Level 9
Posts: 2577
Joined: Fri Mar 24, 2017 12:33 am
Location: Frederickton NSW

Re: Grandma is being held hostage (possible browser hijack?)

Post by kato181 »

I have never heard of an ISP forcing their customers onto IPv6 when IPv4 is the standard. Why it's showing Windows Defender is weird if only LM is installed. It may be because your grandma has inadvertently clicked OneDrive; I always uninstall anything from Microsoft.

With TeamViewer, I would steer away from that now as they no longer support the free version, and the reset password option does not work. I use RustDesk; it works on all O/S and it is similar to TeamViewer, but 100x faster. You can get it here:
http://rustdesk.com/

You may need to clear the browser history and the cache. If that still fails, then if you created a Timeshift snapshot I would suggest restoring Timeshift to a previous working system. If you didn't do a snapshot, then save all her data and important files and then do a fresh install.

If you can boot into a live session USB, please post the results of the following command:

Code:

inxi -Fxz
bin
Level 4
Posts: 231
Joined: Wed Nov 22, 2006 12:12 pm
Location: Wiltshire UK

Re: Grandma is being held hostage (possible browser hijack?)

Post by bin »

A while back there was a trend for malware loader links that when clicked would open what purported to be a normal screen showing a page - usually a virus warning or malware alert or something of that nature. Some of them were very realistic and were frameless browser windows. The idea was that when the OK or whatever button was clicked the payload would be installed and much fun followed.

If this machine only has LM installed then I'd suggest that is what may be occurring here. If she is using Firefox, does she by any chance have a Firefox Account? If so, then with the login for that and access to her email, you would be able to test on a local live system or VM by logging in to her Firefox and seeing if there's anything nasty in the history.

If it is one of those then it begs the question whether any payload has been delivered.
Pjotr
Level 24
Posts: 20132
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: Grandma is being held hostage (possible browser hijack?)

Post by Pjotr »

Try this:
https://easylinuxtipsproject.blogspot.c ... html#ID7.1
(item 7.1)

When successful, nuke the infected backup:

Code:

rm -v -R ~/.mozillabackup
Those Windows Defender popups are priceless, by the way. :lol:
z-vap
Level 1
Posts: 3
Joined: Sat Jan 28, 2023 11:36 am

Re: Grandma is being held hostage (possible browser hijack?)

Post by z-vap »

kato181 wrote: Sun Jan 29, 2023 2:08 am I have never heard of an ISP forcing their customers onto IPv6 when IPv4 is the standard.
I heard Comcast was reportedly doing this to a lot of their customers; however, last night I decided to trek over there and she's showing IPv4 now as well as IPv6.

But I did discover the culprit. It was a fullscreen page that was easily taken care of by hitting ESC and then closing the tab. I scanned her with ClamAV and also cleared her Firefox profile.

Not sure how it was surviving a reboot, but it's possible she was not doing a full recycle.

Thanks for the advice, I will be listing these for any potential future issues she may encounter.
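The thread never settles why the scare page came back after a reboot. One common reason is that Firefox restores the previous session, including the tab that was open when the browser was closed. The script below is an added example (not from the thread, not Mozilla's code) that decodes a copy of the profile's sessionstore-backups/recovery.jsonlz4 and lists the URLs that would be reopened, so a helper can check for a scare page before launching the browser. It assumes the mozlz4 layout (magic b"mozLz40\0", a 4-byte little-endian decompressed size, then one raw LZ4 block) and the windows -> tabs -> entries -> url JSON shape; the sample blob at the end is constructed.

```python
# Added example (not from the thread): list the tabs Firefox would reopen from sessionstore-backups/recovery.jsonlz4.
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"   # assumed header: magic, 4-byte LE size, raw LZ4 block

def _ext_len(src: bytes, i: int, length: int) -> tuple[int, int]:  # nibble 15 => add bytes until one is not 0xFF
    b = 255 if length == 15 else 0
    while b == 255:
        b = src[i]
        i += 1
        length += b
    return length, i

def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Pure-Python decoder for one raw LZ4 block (no frame header, no checksum)."""
    out, i = bytearray(), 0
    while i < len(src):
        token = src[i]
        lit_len, i = _ext_len(src, i + 1, token >> 4)
        out += src[i:i + lit_len]
        i += lit_len
        if i >= len(src):                  # the final sequence carries no match
            break
        offset = struct.unpack_from("<H", src, i)[0]
        match_len, i = _ext_len(src, i + 2, token & 0x0F)
        if not 0 < offset <= len(out):
            raise ValueError("corrupt LZ4 block: bad match offset")
        for _ in range(match_len + 4):     # byte-wise copy so overlapping matches work
            out.append(out[-offset])
    if len(out) != expected_size:
        raise ValueError(f"got {len(out)} bytes, header promised {expected_size}")
    return bytes(out)

def mozlz4_decode(blob: bytes) -> bytes:
    if blob[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    return lz4_block_decompress(blob[12:], struct.unpack_from("<I", blob, 8)[0])

def restored_tab_urls(blob: bytes) -> list[str]:
    """URL of the current history entry of every tab in every window."""
    urls = []
    for window in json.loads(mozlz4_decode(blob)).get("windows", []):
        for tab in window.get("tabs", []):
            entries = tab.get("entries", [])
            if entries:                    # "index" is 1-based
                urls.append(entries[tab.get("index", len(entries)) - 1]["url"])
    return urls

# Constructed sample: a short JSON document stored as one all-literal LZ4 sequence.
SAMPLE_JSON = b'{"windows":[{"tabs":[{"entries":[{"url":"https://scare.example/"}],"index":1}]}]}'
SAMPLE = MOZLZ4_MAGIC + struct.pack("<I", len(SAMPLE_JSON)) + b"\xf0" + bytes([len(SAMPLE_JSON) - 15]) + SAMPLE_JSON
```

Run it against a copy of the file (not the live one while Firefox is open) and, if a scare page is listed, delete or rename the session-store files before starting the browser.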
Midnight True
Level 7
Posts: 1549
Joined: Wed Jul 20, 2022 3:23 am
Location: Southern and Southwestern area of Mato

Re: Grandma is being held hostage (possible browser hijack?)

Post by Midnight True »

z-vap wrote: Sun Jan 29, 2023 10:04 am But I did discover the culprit. It was a Fullscreen page that was easily taken care of with me hitting ESC and then closing the tab.
I recommend adding these to Firefox:
- https://addons.mozilla.org/en-US/firefo ... ck-origin/ and setting it to medium mode https://github.com/gorhill/uBlock/wiki/ ... edium-mode would help regarding ads, thus minimizing the chance of grandma clicking on one of these
- https://addons.mozilla.org/en-US/firefo ... -redirect/ to prevent redirection of URLs
- (optional) https://addons.mozilla.org/en-US/firefo ... r-youtube/ for overall YouTube quality customization
z-vap
Level 1
Posts: 3
Joined: Sat Jan 28, 2023 11:36 am

Re: [Solved] Grandma is being held hostage (possible browser hijack?)

Post by z-vap »

Thank you :)