Scammed-need to clear computer of contamination!

I am not sure where to place this issue.....but can you help me.
Yesterday, I was scammed into paying for my Windows to be "reactivated" in order to get rid of all the "hackers/viruses/malware" on my computer (which could only be done by him) or face having my new week-old computer blocked. Before I knew it, a "technician" was remotely manipulating my computer and downloading programs. My computer is still usable, runs as good as new but now has programs on it that I don't trust. This event took place on 4/26/2014 between 3-5pm EST. Here's what I now have found on my computer:

***ON THE DESKTOP, THE FOLLOWING SHORTCUTS:
-Anti Hacker
-ATF Cleaner
-Malwarebytes AntiMalware Pro
-WebShield
   (the 4 above all have what looks like the Microsoft shield logo on the icon but at closer look it is actually a blue and yellow shield in the same shape and reflection as the MS shield-and I also see another icon with this shield called Lenovo Veriface and I'm not sure if this icon was present before the event. I did see the technician pop by the Lenovo site-I watched him.....)
-Computer Performance
-CCleaner
-Google Chrome
-EventC (this does not have a shortcut symbol on it)

***"GLOBAL IT" FOLDER ON THE DESKTOP CONTAINS:
-Anti Hacker (.exe)
-ATF-Cleaner (.exe) by Attribune.org
-ccsetup406 by Piriform Ltd. (in Properties it says application.exe) Digital signature is OK. The certificate is valid from 6/24/2013-9/24/2015
-Computer Performance (in Properties it says application.exe) Description: Sysinternals Process Explorer. Digital signature is OK...but certificate is valid from 1/24/2013-4/24/2014
-desktop.ini file
-DisableUACforAdmin
-Evntvwr Cleanr
-favicon ICO File (.ico) (looks like a Microsoft Globe image and says Microsoft)
-Malwarebytes license Key text document
-mbam-setup-1.75.0.1300 Signature is OK but valid from 5/23/2011-6/4/2013
-WebShield, by Bleeping Computer LLC (in Properties>Digital Signatures>details it says the signature is not valid.)

***IN THE DOWNLOAD FOLDER:
-aa_v3 - application (.exe) Description Ammyy Admin. Signature is OK. Certificate valid 1/13/2014-1/14/2015
-aa_v3 text document (.log)
-ccsetup-application (.exe) signature OK . Certificate 6/24/2013-9/24/2015.
-mbam-setup-1.75.0.1300 - application (.exe) Signature is OK but valid from 5/23/2011-6/4/2013
-Support-LogMeInRescue (1)
-Support-LogMeInRescue(2)
-Support-LogMeInRescue - application (.exe) Signature OK. Certificate valid 9/24/2012-10/10/2015

***IN THE PROGRAM FILES, I ONLY SEE, (IN REGARDS TO THIS EVENT):
-CCleaner
***IN THE PROGRAM FILES (x86), I FIND THE FOLLOWING FOLDERS (IN REGARDS TO THIS EVENT):
-Google (with a Chrome folder inside)
-LogMeIn Rescue RC - 7d1e22b2-8121-4749-8fd7-c5ab2887aff5  (Interesting that the date modified of this folder says 4/27/2014 at 9:04am when I believe that this was installed on 4/26/2014....are they still making changes to my computer????)
-Malwarebytes' Anti-Malware

***IN THE "UNINSTALL A PROGRAM" AREA, IN REGARDS TO THIS EVENT, I ONLY FIND:

-Malwarebytes Anti-Malware version 1.75.0.1300
-Google Chrome
-CCleaner

So where are the rest of the programs that link to the desktop shortcuts?
I've blocked my Visa card, changed my yahoo & amazon passwords. I do not do banking online. What else do I need to do to get rid of this mess???

How can I be sure that they can not take remote control again or are popping in on my computer ??

I read about someone else that this happened to and they reinstalled Windows (I guess they were able to regain control of their computer that way)....do I need to do that? go back to factory specs???

I am currently using a 30 day trial of McAfee and have a licensed copy of Panda on hand for afterwards and also want to buy the pro version of Malwarebytes (which I see that you offer an affiliate link for). Otherwise, everything seems to be  working fine, but I don't trust any of what was done nor the software that was added!

Do I need to change my wifi password? Could these bad people remotely take over another computer on my wifi???  Is it safe for THAT computer to pay bills? Is it safe for me to use my computer on other wifi systems??

You helped me out a few years back, which I was very grateful for.  Can you help me now, please??? With as traumatic as this event was, I " won't be fooled again!"
PS: What is a P2P program which I need to "uninstall before asking for help?"??

-----------------------------------------------
Hope it was OK to start this as I found posted on your site....

# AdwCleaner v3.204 - Report created 28/04/2014 at 02:47:04
# Updated 26/04/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : Diana - MAGICSTAR
# Running from : C:\Users\Diana\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Diana\AppData\Local\Pokki
Folder Deleted : C:\Users\Public\Pokki

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
Key Deleted : HKCU\Software\Classes\pokki
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17037


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\kylr0zt8.default\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Users\Diana\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************


AdwCleaner[R0].txt - [1545 octets] - [28/04/2014 02:42:15]
AdwCleaner[S0].txt - [1445 octets] - [28/04/2014 02:47:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1505 octets] ##########

How should I go about re-downloading Malwarebytes when I already have it installed (although it is a suspicious copy?)??
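A defender's inventory pass over the kind of artifacts this post lists, added here as an example; it is not from the thread nor from any of the tools named in it. It assumes Windows 8.1 with PowerShell 4 and the Desktop, Downloads and "Global IT" folder locations the post describes; the watch-list of names is constructed from the remote-access tools and shortcut labels mentioned above.

```powershell
# Added example (not from the thread). Assumed: Windows 8.1 / PowerShell 4 and
# the folder locations named in the post. It surfaces artifacts only and
# removes nothing; removal stays with the helper's instructions.
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Desktop\Global IT",
    "$env:USERPROFILE\Downloads"
)
# Constructed watch-list from names in the post: the two remote-access tools
# (Ammyy Admin, LogMeIn Rescue) and the scammer's own shortcut/file labels.
$watch = 'Ammyy', 'LogMeIn', 'Anti Hacker', 'WebShield', 'DisableUAC', 'Evntvwr'
function Test-Watch([string]$text) {
    foreach ($w in $watch) { if ($text -match [regex]::Escape($w)) { return $true } }
    return $false
}
# 1. Resolve each desktop shortcut to its real target. This answers "where are
#    the programs the shortcuts link to?" from the .lnk files themselves.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem "$env:USERPROFILE\Desktop" -Filter *.lnk | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Shortcut = $_.Name
        Target   = $lnk.TargetPath
        Exists   = [bool]($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath))
        Watch    = Test-Watch "$($_.Name) $($lnk.TargetPath)"
    }
} | Format-Table -AutoSize
# 2. Authenticode status, signer validity window and hash of every executable
#    in the drop folders. An expired signing certificate still yields
#    Status = Valid when the file carries a trusted timestamp countersignature,
#    which is why the post sees "Signature is OK" next to 2013 expiry dates;
#    the signer's identity matters more than the date alone.
Get-ChildItem -Path $folders -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            NotAfter    = $sig.SignerCertificate.NotAfter
            Timestamped = [bool]$sig.TimeStamperCertificate
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Watch       = Test-Watch $_.Name
        }
    } | Format-Table -AutoSize
# 3. Persistence and live presence: Run keys, services and processes that
#    match the watch-list, so a remote-access tool left running is visible.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { "RUN  $key  $($_.Name) = $($_.Value)" }
}
Get-Service | Where-Object { Test-Watch "$($_.Name) $($_.DisplayName)" } |
    ForEach-Object { "SVC  $($_.Name)  $($_.Status)" }
Get-Process | Where-Object { Test-Watch $_.Name } |
    ForEach-Object { "PROC $($_.Name)  pid=$($_.Id)" }
```

Run it from an elevated PowerShell so the HKLM Run keys and all process names are readable; the SHA256 column gives values that can be checked against the vendor's published installer hashes.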

Re: Scammed-need to clear computer of contamination!

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
You can uninstall MBAM and download this one. Update it and run a scan.
Don't change any passwords until later.
********************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: Scammed-need to clear computer of contamination!

Hello Dave,
1. Please be patient with my responding as my current situation has me without an internet connection and dependent on other networks.
2.The "infected" computer CAN access the internet but is it safe to use someone else's WiFi?  (this would be the easiest way to download your apps) or should I use a storage device just to be on the safe side?
3. The links in your answer do not work. Although they are blue, in checking the html, I find they are not actively hot linked. So I could not download malwarebytes or the other link. 
Hope to hear from you soon with updated links so I can try again at my next WiFi visit... (using my mobile right now)...thanks again.

Re: Scammed-need to clear computer of contamination!

The links work well for me so it must be a problem with the computer. Download MBAM on another computer and transfer it to your computer.

Re: Scammed-need to clear computer of contamination!

I did manage to download Malwarebytes after I logged into GeekPolice onto a storage device. Since I didn't get an answer about using someone else's wifi, I assume that it was OK, held my breath and installed it on the "infected computer". It did seem to be a different version than the one that I uninstalled first (and loaded by the bad person). The format was different than what I was used to and it did not give me an option for quick or full scan....just scan... so that's what I chose. When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?
The results are as follows (How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/30/2014
Scan Time: 3:50:39 PM
Logfile: malwarebytes results 4_30_2014.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.30.10
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 255043
Time Elapsed: 18 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Re: Scammed-need to clear computer of contamination!

The format was different than what I was used to and it did not give me an option for quick or full scan....just scan... so that's what I chose.

That's the second time I've heard that. I'm going to download a new version and try it.
When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?

I'll see if I duplicate that.

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Re: Scammed-need to clear computer of contamination!

(How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):

You must have downloaded the Premium version. After we're finished, you can download the free version, if you wish, and keep it on your computer. I run mine once a week. The Rootkits are disabled because they have a separate scanner for rootkits.

Re: Scammed-need to clear computer of contamination!

I think that there might be something hinkey with the way MBAM loaded. First, I uninstalled the version that the hacker technician loaded (which was a PRO/premium version). I did NOT reboot...maybe I should have? When I went to install your version, it walked me thru the whole accept the terms, next...next...next ...finish and then I was suddenly back to the beginning of the whole procedure! Went thru it again and this time this premium version came up. I am familiar with M.B.'s free version. I intend to buy the premium version thru your site when we are done here but I have NEVER bought or ordered the premium version otherwise. I need to get to a wifi to download your latest link. Again, I will uninstall MB but should I reboot before install of the beta version?

Re: Scammed-need to clear computer of contamination!

Writing from my mobile. At a certain point the reply box does not allow me to review my message...sorry. I'm a little confused...in rereading your post...the very next thing that you want me to do, is to download MBAR and run that....&leave MBAR alone for the moment....correct?
Fyi: I have removed all personal data except for MBAM LOGS. Also when I changed my passwords, mentioned in my initial request, I used another computer.

Re: Scammed-need to clear computer of contamination!

That's leave MBAM alone (darn auto-correct)

Re: Scammed-need to clear computer of contamination!

I will uninstall MB but should I reboot before install of the beta version?

Yes, some uninstalls require a re-boot.
I need to see the log for MBAR when you are able to get it to me.

Re: Scammed-need to clear computer of contamination!

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.01.12

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17031
Diana :: MAGICSTAR [administrator]

5/1/2014 3:15:50 PM
mbar-log-2014-05-01 (15-15-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 252248
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Re: Scammed-need to clear computer of contamination!

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17031

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 8497946624, free: 6443999232

Downloaded database version: v2014.05.01.12
Downloaded database version: v2014.03.27.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7D9FBC7E

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1868343819
GPT Header CurrentLba = 1 BackupLba 1953525167
GPT Header FirstUsableLba 34 LastUsableLba 1953525134
GPT Header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1868343819
Backup GPT header CurrentLba = 1953525167 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134
Backup GPT header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
Backup GPT header Contains 128 partition entries starting at LBA 1953525135
Backup GPT header Partition entry size = 128

Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID b2128ffa-6eac-4191-8691-bd1a38e572ff
FirstLBA 2048 Last LBA 2050047
Attributes 1
Partition Name Basic data partition

Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID c6f6e5e7-4e50-4ea1-a3e0-ead7876e61bb
FirstLBA 2050048 Last LBA 2582527
Attributes 1
Partition Name EFI system partition

GPT Partition 1 is bootable
Partition 2 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
Partition ID c44120d1-bd51-4091-a063-87e14789a43c
FirstLBA 2582528 Last LBA 4630527
Attributes 1
Partition Name Basic data partition

Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID b7eb7258-98d-46e9-b56b-2c50359d380
FirstLBA 4630528 Last LBA 4892671
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID b54680f9-d2cd-4e9f-b30-7b235e9b3136
FirstLBA 4892672 Last LBA 1874599935
Attributes 0
Partition Name Basic data partition

Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID f0c68125-3e1a-40e6-9dc9-c1748d1c7887
FirstLBA 1874599936 Last LBA 1927028735
Attributes 0
Partition Name Basic data partition

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 20d2e21b-d373-4c4b-a580-bcb7be45fc2d
FirstLBA 1927028736 Last LBA 1953523711
Attributes 1
Partition Name Basic data partition

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

Re: Scammed-need to clear computer of contamination!

It said I had no malware and did not offer a cleanup button! So I ended and here are the reports.

Re: Scammed-need to clear computer of contamination!

I'd like to scan your machine with ESET OnlineScan.

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
