Scammed-need to clear computer of contamination!


Re: Scammed-need to clear computer of contamination!

"I will uninstall MB but should I reboot before install of the beta version?"

Yes, some uninstalls require a re-boot.
I need to see the log for MBAR when you are able to get it to me.

Re: Scammed-need to clear computer of contamination!

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.01.12

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17031
Diana :: MAGICSTAR [administrator]

5/1/2014 3:15:50 PM
mbar-log-2014-05-01 (15-15-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 252248
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Re: Scammed-need to clear computer of contamination!

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17031

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 8497946624, free: 6443999232

Downloaded database version: v2014.05.01.12
Downloaded database version: v2014.03.27.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7D9FBC7E

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1868343819
GPT Header CurrentLba = 1 BackupLba 1953525167
GPT Header FirstUsableLba 34 LastUsableLba 1953525134
GPT Header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1868343819
Backup GPT header CurrentLba = 1953525167 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134
Backup GPT header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
Backup GPT header Contains 128 partition entries starting at LBA 1953525135
Backup GPT header Partition entry size = 128

Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID b2128ffa-6eac-4191-8691-bd1a38e572ff
FirstLBA 2048 Last LBA 2050047
Attributes 1
Partition Name Basic data partition

Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID c6f6e5e7-4e50-4ea1-a3e0-ead7876e61bb
FirstLBA 2050048 Last LBA 2582527
Attributes 1
Partition Name EFI system partition

GPT Partition 1 is bootable
Partition 2 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
Partition ID c44120d1-bd51-4091-a063-87e14789a43c
FirstLBA 2582528 Last LBA 4630527
Attributes 1
Partition Name Basic data partition

Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID b7eb7258-98d-46e9-b56b-2c50359d380
FirstLBA 4630528 Last LBA 4892671
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID b54680f9-d2cd-4e9f-b30-7b235e9b3136
FirstLBA 4892672 Last LBA 1874599935
Attributes 0
Partition Name Basic data partition

Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID f0c68125-3e1a-40e6-9dc9-c1748d1c7887
FirstLBA 1874599936 Last LBA 1927028735
Attributes 0
Partition Name Basic data partition

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 20d2e21b-d373-4c4b-a580-bcb7be45fc2d
FirstLBA 1927028736 Last LBA 1953523711
Attributes 1
Partition Name Basic data partition

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

Re: Scammed-need to clear computer of contamination!

It said I had no malware and did not offer a cleanup button! So I ended it, and here are the reports.

Re: Scammed-need to clear computer of contamination!

I'd like to scan your machine with ESET OnlineScan.

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
  • Leave the check mark next to Remove found threats.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Scammed-need to clear computer of contamination!

After 3 hours+ and only being at 47%, I left the computer running at a friend's house. This morning, the power seemed to be off and needed to be restarted but amazingly found on the desktop everything the way I had left it and still at 47% but still scanning files. After 21+ hours it finally went from 78% to done!! It said that there were no threats (amazing) and gave me no option for the button "List of Found Threats" or "Export to text file"...only an option to Finish. So I found the log thanks to your posting where I could find it in the ESET program files.  Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-02 06:31:03
# local_time=2014-05-02 02:31:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25360149 0 0
# compatibility_mode=5893 16776574 100 94 1030033 23015156 0 0
# scanned=5742
# found=0
# cleaned=0
# scan_time=127
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-03 05:01:02
# local_time=2014-05-03 01:01:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25441148 0 0
# compatibility_mode=5893 16776574 100 94 1111032 23096155 0 0
# scanned=208165
# found=0
# cleaned=0
# scan_time=80885

Re: Scammed-need to clear computer of contamination!

How's the computer now? Any other issues?

Re: Scammed-need to clear computer of contamination!

I didn't remove any of the ESET scan downloads....and have closed out those screens.......?

Re: Scammed-need to clear computer of contamination!

"by Superdave on Sat 03 May 2014, 2:10 pm
How's the computer now? Any other issues?"

My computer has run smoothly all along, but I was concerned about threats, changes of settings and all these programs that were installed and staring at me on my desktop (see my initial post):

1. Are you saying my computer is clear... no problems?
2. Other issues: when I boot up, I see a flash of the black run window and at the same time it shows an icon on the task bar, but both are gone in a flash. I don't remember seeing this prior to this hacking/technician event... maybe this doesn't have anything to do with it, or maybe someone can access my computer through this???? (He did change settings here and there and I took photos while he did it... and I don't know what those changes imply.)

3. Previously, I had a house button on the task bar and it was sort of like a START button... I had put off exploring it, but now it's not there... was it removed somewhere along all of this??
4. The regular icon for Mozilla/Firefox appears as a sheet with a turned-down corner... how do I get the regular fox-in-a-circle icon back???
5. What do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them... does that mean they have been OKed???



Re: Scammed-need to clear computer of contamination!

Did you still want me to run Security Check by screen317?

Re: Scammed-need to clear computer of contamination!

"Previously, I had a house button on the task bar and it was sort of like a START button....had put off exploring it but now it's not there.....was it removed somewhere along all of this??"

I'm not sure about that button. I've never seen it before. Is it something you installed yourself?

"The regular icon for Mozilla/Firefox appears as a sheet with a turned down corner....how do I get back the regular fox in a circle icon back???"

Your best bet would be to uninstall and re-install Firefox.

"what do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them...does that mean they have been OKed???"

You may keep AdwCleaner and MBAM and run them on a regular basis, if you have room for them.

"Did you still want me to run Security Check by screen317?"

I just wanted to see what you have for protection, but this next scanner will tell me.

Download ComboFix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder, you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application from interfering with ComboFix, we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Re: Scammed-need to clear computer of contamination!

"To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure."

I am unsure, and the "here" link comes up with an "error|PC Help Forum" (and I'm logged in). I need a new link, please.

Re: Scammed-need to clear computer of contamination!

Sorry. To prevent your anti-virus application from interfering with ComboFix, we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

Re: Scammed-need to clear computer of contamination!

1. Thanks for the new link; however, McAfee LiveSafe-Internet Security (the 30-day trial included with this new computer) is not listed. I tried the other McAfee options to see if they led me to possibly disabling it. Will turning off the Real-Time scanning be ENOUGH, or do I need to turn something else off as well, like the firewall? I checked to see if the Windows firewall was on, but it said that it was under the control of McAfee (which expires in 11 days, but I would like to delete the whole thing and install Panda in the next 5 days).

2. Do I need to also disable Malwarebytes, which opened upon bootup for the first time today and said that I was updated and protected? And what about all that other stuff that was put on my computer: Anti Hacker, AFT Cleaner, Webshield, Computer Performance, Event C, & CCleaner???? Do any of these need to be disabled? (I have not even opened them and don't know if they are actively running.)

3. I thought that I'd download ComboFix and be ready for your responses. While trying to do this, suddenly McAfee said that I had a Trojan:
Item: Wcj+TfdH.exe.part    Threat: Artemis!D0270A3C736B
and it was put in quarantine... no further actions were necessary. I tried to download 3 more times, with the other Artemis items being E4LK7Y0y.exe.part and, twice, ComboFix.exe.

4. So, I realized that I needed to turn off McAfee's Real-Time scanning just to download ComboFix. I did that without McAfee's interference, put the icon on the desktop & double clicked; I got the following message and have no idea where to look to change the "Modes":
"ComboFix is not meant to run in 'Compatibility Mode'. The program shall now exit".
FYI, I am now back home and hope to respond more quickly... thanks for your patience and guidance.

Re: Scammed-need to clear computer of contamination!

It appears that BleepingComputer is the designated site (?) for ComboFix, based on this following guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

So I assume they have the latest version. I believe that I chose the BC link that you offered to download from. It appears that ComboFix is still not compatible with 8.1... Do you want me to uninstall it, make sure it is downloaded from BC and try again? What do you want me to do next?