Just checking with the experts...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by arthurfp, Nov 18, 2014.

  1. arthurfp

    arthurfp Private E-2

    Good evening,

    I am in hopes that I do NOT have any malware, however I had a person take control of my computer today and show me screens that seemed to say that many of my Microsoft programs had stopped working. This person claimed that I had supposed trouble that was likely the result of two or more viruses and then he volunteered to sign me up for the appropriate tech support for only $149.99.

    Sheesh...needless to say I was skeptical! I told them "no, thank you," but I was left with an uncomfortable feeling and confusion about how they were able to produce the screen shots that seemingly showed computer problems.

    Immediately after I ended my conversation with this person, and got my computer back in my own control, I ran a full scan with Microsoft Security Essentials which found no threats. I followed that with all of the steps in the Major Geeks malware removal protocol and have attached the logs to this message.

    Again, I am hoping that all is well and that this guy was simply performing some sort of trick to get my money, but on the off chance that he did find something (or worse put something in my computer), I would appreciate one of the Major Geeks forum experts checking my logs for anything suspicious.

    Thank you very much!

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What person at what company? And how did you come to contact them? Or did they contact you?

    They lied.

    What software did they use to connect to your PC? Was it LogMeIn?


    Your logs showed that you had no protection software installed at the time you ran the READ & RUN ME!!! Why would you run your PC without protection? Consider yourself lucky that you have no major infections. And hopefully no important private info has been stolen while unprotected.

    Are you having any noticeable problems?

    We just have a little minor tweaking to do.



    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Windows\system32\tasks\829b1c00
    C:\Windows\system32\tasks\8424da00
    C:\Users\A&L\AppData\Local\LMIR0001.tmp.bat
    C:\Users\A&L\AppData\Local\LMIR0001.tmp_r.bat
    C:\Windows\SysNative\drivers\49013504.sys
    C:\Users\A&L\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "1118_10436671646824"=-
    [HKEY_USERS\S-1-5-21-2745138752-813156658-2326638059-1001\Software\Microsoft\Windows\CurrentVersion\runonce]
    "1118_10436671646824"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
  3. arthurfp

    arthurfp Private E-2

    Hello chaslang,

    I appreciate your attention to my situation; unfortunately, I have already run into a problem trying to follow your instructions. I will do my best to answer all of your questions and provide details of the problem I am facing, below:

    The man only identified himself as "Mike" and it was a very strange situation. It started because I had tried to find a customer service phone number for the Mozilla Thunderbird email product. I had been notified that it had crashed and had given permission for them to contact me by email, if needed. However, after Thunderbird restarted I was unable to use the program because of server errors. At first, I thought it was simply something that would resolve and that it was likely a result of the crash which was simply taking a little longer to get back on track.

    After waiting for quite a long time and not hearing anything back via email, I decided to follow up by telephone. When I could not find a contact number within Thunderbird, I did a Google search and found several responses but none that looked official. I tried two phone numbers (one 800# and one 855#); however, neither answered nor identified themselves as anything connected with Thunderbird, so I did NOT leave any message in either voice mailbox. I simply gave up and decided to wait out my server issue to see if it would resolve itself later in the day.

    Several hours later, the server issue remained but I received a strange phone call. It was from "Mike" and all he said when I picked up the phone was "you called me." I was totally taken off guard and had no idea who he was or what he was talking about because I had not left any message and he did not identify himself as being from any company; he just insisted that I called him, over and over.

    Finally, I remembered the two attempts to reach Thunderbird (which had slipped my mind while I was working on other projects) and then I asked "Mike" if he was calling from Thunderbird. He said "computer?" I confirmed that I meant the Thunderbird computer program and he said "computer, yes!" It was really weird; it seemed as if he couldn't speak English very well. I kept trying to verify if he was calling in response to my concerns over Thunderbird but I was stuck in a very circular conversation.

    When, at last, he stated unequivocally that he was from Thunderbird and that he was from tech support, I told him the two error messages that I had been getting on my screen. He did not seem to understand what I was saying when I was reading the error messages and codes to him, so he suggested it would be much easier if he could read them for himself. It was at that point that he asked me to allow him access to my computer by typing 123rescue into my browser address bar and directed me to a LogMeIn Rescue site where he provided a 6 digit code. All of a sudden, his ability to speak English seemed to improve.

    From that point on he walked me through the process of granting him access to my computer and then proceeded to bring up all sorts of screens faster than I could figure out where he was getting them from. That's when he showed me a long list of Microsoft programs that were supposedly not working. The rest of the story you already know! He gave me his direct line of (855) 704-4301 x302 so that I could call back, make my payment, and begin the tech support.

    I have no intention of beginning tech support with this mystery person/company, but I did call the general number to see what company would answer the phone. Since "Mike" had provided an extension, I had hoped there would be some type of receptionist or automated system which could give me information. No such luck; I found the same thing I experienced the first time: a computer generated voicemail that says, "We are sorry. No one is available to take your call" with no identification of what company was being reached. Clearly, I let my guard down and, in hindsight, I felt really stupid! I found something on my computer called Support-LogMeInRescue afterward and recycled it.

    As far as your comment about not having any protection, I am confused because I was running the Microsoft Security Essentials Real-time Protection. I have had it on throughout all of this trouble; I only turned it off after beginning to follow your instructions...still, I definitely do consider myself extremely lucky!

    In answer to your question about noticing any problems, I have not; but I have been limiting my computer use because of this situation.

    I was able to complete your instructions for running the OTM program and have attached the log.

    I tried to follow the next step (this is when I shut down the MS Security Essentials); however, the JRT program started and then just seemed to disappear. I did not have a completion log open on my desktop, but I did notice a strange icon that appears to be shown as a shadow. It is now located right below the JRT.exe icon. I do not know if this is the log, or not, so I tried to provide it for your inspection but I got an error message that says:
    desktop.ini:
    Invalid File

    Should I try to run the JRT program, again? The instructions say to be patient because the program can take a while depending on one's system, but I do not know how long to wait. I am sorry!

    Because I am unsure if the JRT program worked as you needed it to, I am not moving on to the third step involving MGTools until I hear back. I don't want to create further problems by my ignorance.

    Thank you so much!

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That phone number you listed can be searched on and you will see it leads to some supposed support site in Canada (which is a scam) that purports to be able to support everything. Any reputable site would have a phone number that gets answered by valid customer service. This one is a scam. I suggest that you change all passwords for all user accounts on your PC and also email accounts too. Also disable remote access capability if you have it enabled. See the below which may help if you don't know how to.

    To disable Remote Access see the below link for enabling and then just uncheck where you enabled it.

    http://technet.microsoft.com/en-us/magazine/ff404238.aspx

    Okay, I went back and looked in more detail and see a couple of services for it running. It just did not show up in your logs as installed and there was nothing showing in your startup processes for it loading.

    Please try booting in safe boot mode and running it there. Whether it runs or not, reboot back to normal mode to get the new MGlogs.zip file.
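A read-only check for the leftovers that chaslang's OTM script targets in post #2 and for the remote-access state discussed in post #4, added here as an example and not part of the thread. It assumes the profile path C:\Users\A&L taken from the OTM script, and that LogMeIn Rescue service names contain "LMI" or "LogMeIn" (an assumption; adjust the pattern to what your logs show).

```powershell
# Added example: read-only triage for the artifacts named in the thread.
# Nothing is deleted or changed; it only reports what is still present.
$profileDir = "C:\Users\A&L"   # profile path taken from the thread's OTM script

# File artifacts listed in the OTM script (LMIR*.tmp.bat are LogMeIn Rescue
# remnants). SysNative in the OTM script is the 64-bit System32 folder.
$filePaths = @(
  "$profileDir\AppData\Local\LMIR0001.tmp.bat",
  "$profileDir\AppData\Local\LMIR0001.tmp_r.bat",
  "C:\Windows\System32\drivers\49013504.sys",
  "C:\Windows\System32\Tasks\829b1c00",
  "C:\Windows\System32\Tasks\8424da00"
)
foreach ($p in $filePaths) {
  $status = if (Test-Path -LiteralPath $p) { "PRESENT" } else { "absent " }
  Write-Output "[$status] $p"
}

# Sweep for any other LogMeIn Rescue temp scripts left in the profile
Get-ChildItem -LiteralPath "$profileDir\AppData\Local" -Filter "LMIR*.bat" -ErrorAction SilentlyContinue |
  ForEach-Object { Write-Output "[PRESENT] $($_.FullName)" }

# RunOnce value the OTM script deletes (name pattern mmdd_<digits>, e.g. 1118_...)
$runOnce = "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
if (Test-Path $runOnce) {
  (Get-Item $runOnce).Property | Where-Object { $_ -match '^\d{4}_\d+$' } |
    ForEach-Object { Write-Output "[PRESENT] RunOnce value $_" }
}

# Browser Helper Object CLSID removed by the OTM script
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}"
$bhoStatus = if (Test-Path $bho) { "PRESENT" } else { "absent " }
Write-Output "[$bhoStatus] BHO key $bho"

# Remote-access services (assumed naming: LogMeIn Rescue services contain 'LMI' or 'LogMeIn')
Get-Service | Where-Object { $_.Name -match 'LMI|LogMeIn' -or $_.DisplayName -match 'LogMeIn' } |
  ForEach-Object { Write-Output "[SERVICE] $($_.Name) ($($_.Status))" }

# Remote Desktop state: fDenyTSConnections = 1 means remote connections are disabled
$ts = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) { Write-Output "Remote Desktop: disabled" }
else { Write-Output "Remote Desktop: ENABLED - turn it off unless you need it" }
```

Run it from an elevated PowerShell prompt so the HKLM keys and services are readable; any PRESENT line is something to hand to the helper along with the requested logs.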
