Dad Clicked On A "Geek Squad" Scam Attachment

Discussion in 'Malware Help (A Specialist Will Reply)' started by LMHmedchem, Aug 26, 2022.

  1. LMHmedchem

    LMHmedchem Private E-2

    Hello,

    My father got a Geek Squad scam email today and opened the attachment, which was an "invoice" with the extension .jpg. No matter how many times I tell him to never open an email he isn't expecting and doesn't recognize (let alone an attachment), he still seems to do it from time to time. He wanted to show me something on his computer and so he sits down, opens the email, double clicks on the attachment and says, "what's this?" Good Lord. ...and the answer is, "something you should never double click on."

    I think that with most of these scams the intent is to get you to call the phone number on the attachment and not to trigger a malware download, but I ran a set of scans anyway. With Malwarebytes, there was a popup indicating that there was a problem with downloading the update. The message said something like, "there was a problem with one of the items on the download list, check your internet connection, etc." Everything else seemed to run properly.

    I have attached the .zip with the logs. Most of what was found were items that I know are not an issue, but there were one or two concerning items that I haven't seen before. I do run scans of his computer from time to time.

    If someone could have a look, I would appreciate it.

    Thanks,

    LMHmedchem
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the other four logs.
     
  3. LMHmedchem

    LMHmedchem Private E-2

    The attachment, "logfiles.zip" contains all of the logs, including MGlogs.zip and the other 4 log text files.

    Sorry if that wasn't clear. I seem to remember this site wanting everything put into one zip folder. Maybe I am remembering something else.

    LMHmedchem
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm sorry, but I have no internet at this time and my cell phone won't open most logs. I can't open the MGlogs.zip. Hopefully I will have service tomorrow.
     
  5. LMHmedchem

    LMHmedchem Private E-2

    That's fine, thanks for trying. Hopefully you will get your connection sorted out.

    The two items that I saw that I didn't recognize were both in the RogueKiller log.
    Code:
    ************************* Registry *************************
    >>>>>> XX - System Policies
    └── [PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found
    
    ************************* Filesystem *************************
    [Tr.Gen (Malicious)] (folder) found.000 -- C:\found.000 -> Found

    I have never seen either of these in any of the scan output before.

    LMHmedchem
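Both items in that RogueKiller excerpt can be checked from an elevated PowerShell prompt on the machine. The script below is an added example written for this thread; it is not RogueKiller output and was not posted by either participant. It reads the same registry value the PUM.Policies line refers to (ConsentPromptBehaviorAdmin, with the documented Windows meanings of its values; 0 means administrators are elevated with no UAC prompt at all, which is why scanners flag it), and it inventories C:\found.000 so its contents are known before anything is deleted. The restore function only writes the Windows default when called explicitly, and honours -WhatIf.

```powershell
# Added example for this thread (not RogueKiller output or a participant's script).
# Run from an elevated PowerShell prompt on the machine the log came from.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the ConsentPromptBehaviorAdmin UAC policy value.
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting (no UAC prompt for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

function Get-UacAdminPromptState {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    # When the value is absent Windows behaves as 5, so report that rather than 0.
    $prompt = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $lua    = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $prompt
        Meaning                    = $AdminPromptMeaning[$prompt]
        # 0 is what the PUM.Policies line in the log reports: silent elevation for admins.
        Weak                       = ($prompt -eq 0 -or $lua -eq 0)
    }
}

function Restore-UacAdminPrompt {
    # Puts the prompt back to the Windows default; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set ConsentPromptBehaviorAdmin=5 and EnableLUA=1')) {
        Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
        Write-Warning 'EnableLUA changes take effect after a restart.'
    }
}

function Get-FoundFolderReport {
    # Inventories C:\found.000 so its contents are known before it is removed.
    param([string]$Path = 'C:\found.000')
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Files = 0; Bytes = 0; Types = '' }
    }
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path   = $Path
        Exists = $true
        Files  = $files.Count
        Bytes  = ($files | Measure-Object -Property Length -Sum).Sum
        # Extension histogram, e.g. ".chk:12" for chkdsk recovery fragments.
        Types  = ($files | Group-Object -Property Extension |
                  ForEach-Object { "$($_.Name):$($_.Count)" }) -join ', '
    }
}

Get-UacAdminPromptState | Format-List
Get-FoundFolderReport  | Format-List
# After reviewing the output, restore the default prompt with:
#   Restore-UacAdminPrompt -WhatIf    # preview
#   Restore-UacAdminPrompt            # apply
```

Reading the value before changing it matters here: a scanner line saying "Found" only tells you the value is 0, not who set it, and the report above makes it visible alongside EnableLUA so the decision to restore the default is taken with both in view.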
     
  6. LMHmedchem

    LMHmedchem Private E-2

    I have attached an updated version of MGlogs.zip. I couldn't remember if I had the MGtools binary at the correct location or if I ran it as administrator so I ran it again. This time MGtools.exe was definitely located at C:\MGtools.exe and was run as administrator.

    LMHmedchem
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still no internet... I'm sorry... I'm also getting pissed
     
  8. LMHmedchem

    LMHmedchem Private E-2

    That's no problem, hopefully your provider will get it sorted soon. It can be very annoying when your ability to function is seriously interfered with. Hopefully they will give you a refund of some kind.

    That kind of thing happens around here in the winter with all the snow and ice but not usually in the summer. In the winter we are lucky if it's just the internet and not the power and heat as well.

    LMHmedchem
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Finally got internet back

    Do delete this from the roguekiller log:
    [Tr.Gen (Malicious)] (folder) found.000 -- C:\found.000 -> Found

    After doing that, clean out your temps by going to run and typing in: %temp%

    Once done, restart your computer and tell me how it is running.
     
  10. LMHmedchem

    LMHmedchem Private E-2

    I have deleted the file found by roguekiller. There was also an entry in roguekiller for a Yahoo search bar that wasn't there last run. I went ahead and deleted that as well.

    I did run > %temp% and deleted everything that was found. There was only one file that could not be deleted because Windows said it was open in Windows Explorer. I'm not sure what that means because I didn't have any folders open other than temp.

    Is there some difference between running %temp% and manually deleting and running CCleaner?

    The only thing I have noticed in the last few days is that his shortcut for Outlook disappeared from the task bar and had to be replaced. Other than that it seems like things are working normally.

    I noticed that he is using Microsoft Forefront Client Security, which I believe is past EOL and so no longer being maintained and updated. Is there a good replacement for this?

    LMHmedchem
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I like to see what is in my temps before deleting them. No real big deal. As to Microsoft Forefront Client Security, it died back in 2015. I would suggest you post in the software forum for a replacement as numerous people have preferences and it might be good to hear your options.
    Good to know things are running well.
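As an added illustration of the temp-cleaning step (this is not a script posted by anyone in the thread), the PowerShell below does what TimW describes: it lists what is in %temp% first, then removes files one at a time and reports any that Windows would not delete because another process still holds them open, which is the situation behind the "open in Windows Explorer" message LMHmedchem saw. Deleting with -WhatIf first previews the run.

```powershell
# Added example for this thread (not a participant's script): look at %temp%
# before clearing it, then clear it and report what stayed behind.

function Get-TempInventory {
    param([string]$Path = $env:TEMP)
    # Newest first, so files written recently (e.g. when an attachment was opened) surface at the top.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -Property FullName, Length, LastWriteTime
}

function Clear-TempFolder {
    # Deletes files first, then any directories left empty; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $env:TEMP)

    $removed = 0
    $locked  = New-Object System.Collections.Generic.List[object]

    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue) {
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove file')) { continue }
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $removed++
        } catch {
            # "being used by another process" is the usual reason: some program still
            # holds a handle to the file; a restart, as advised in the thread, releases it.
            $locked.Add([pscustomobject]@{ Path = $file.FullName; Reason = $_.Exception.Message })
        }
    }

    # Deepest directories first so parents are already empty when they are reached.
    $dirs = Get-ChildItem -LiteralPath $Path -Recurse -Force -Directory -ErrorAction SilentlyContinue |
            Sort-Object -Property { $_.FullName.Length } -Descending
    foreach ($dir in $dirs) {
        $isEmpty = -not (Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue)
        if ($isEmpty -and $PSCmdlet.ShouldProcess($dir.FullName, 'Remove empty directory')) {
            Remove-Item -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]@{ Removed = $removed; Locked = $locked.ToArray() }
}

# Review first, then clear. Add -WhatIf to Clear-TempFolder to preview.
Get-TempInventory | Format-Table -AutoSize
$result = Clear-TempFolder
"Removed $($result.Removed) file(s); $($result.Locked.Count) could not be deleted."
$result.Locked | Format-Table -AutoSize
```

Keeping the inventory step separate from the deletion step is the point: the list of what was in %temp%, with timestamps, is the part worth looking at when a suspicious attachment has just been opened, and a locked file is reported rather than silently skipped.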
     
