Tech Support Scam Popup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wagnsew, Jun 2, 2018.

  1. wagnsew

    wagnsew Private E-2

    My mother-in-law got a tech support popup on her computer and called. They uninstalled MalwareBytes and loaded a number of freeware programs, then declared it fixed. And charged a lot of money.

    It is a Windows 7 Home laptop. I've run the scans for malware and have attached the logs. The computer seems to be running OK. It looks like they did a backup of the registry. Not sure what they may have done to the registry. There are some *.bat files on the desktop: FirewallSecurity.bat, AdvanceSecurity.bat and VPNSecurity.bat. She tells me these are from the "tech support" people. Just not sure what could be hidden and working in the background.

    There are some weird things happening and I am not sure if it is because of the "fixes" the "tech support" did on her computer or not. Right mouse click does not always work. Also, files in the Library are locked and a message comes up that they are not accessible. Plus there are duplications of folders, some locked, some not.

    Thanks,
    Chris
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I kind of doubt they have done anything malicious, since they already have their money. But...I would advise you do a system restore to before this happened, rerun the scans and attach those logs.
     
  3. wagnsew

    wagnsew Private E-2

    Fortunately, her husband works for a bank and was able to stop the payment. The earliest restore point was the day that she called "tech support". It was when they installed AdBlock Plus on her computer. Did the restore and reran the scans and attached the files. Is there anything available to prevent the popups in the future?

    Chris
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please remove everything in ADWCleaner - except:
    PUP.Optional.DriverAgent HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\DriverSupport.exe
    PUP.Optional.DriverAgent HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\DriverSupport.exe
    PUP.Optional.DriverAgent HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com
    PUP.Optional.DriverAgent HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\download.driversupport.com
    PUP.Optional.DriverAgent HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driversupport.com
    PUP.Optional.DriverSupport HKU\S-1-5-18\Software\ActiveOptimization
    PUP.Optional.DriverSupport HKCU\Software\ActiveOptimization
    PUP.Optional.DriverSupport HKU\S-1-5-20\Software\ActiveOptimization
    PUP.Optional.DriverSupport HKU\S-1-5-19\Software\ActiveOptimization
    PUP.Optional.DriverSupport HKU\.DEFAULT\Software\ActiveOptimization
    PUP.Optional.DriverSupport HKLM\Software\Wow6432Node\ActiveOptimization

    Rerun Hitman and remove everything it finds.

    Reboot and rescan with both ADW and Hitman and attach the new logs.

    I suggest you install WOT on their system. These tech scam pop-ups come from infected web sites or links.

    Good to know you were able to cancel the payment!!
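    The ADWCleaner entries TimW singles out above are all plain registry locations, so the leftover state can be audited before and after cleanup. The PowerShell script below is an added example, not from the thread or from ADWCleaner; it only reads. It checks each key path quoted in the post for presence and dumps any values, and then prints the contents of the batch files the original post names on the desktop so they can be reviewed before being deleted. The key list is copied from the post; the desktop path and the HKU drive mapping are assumptions about a normal Windows 7 setup.

```powershell
# Added example: read-only audit of the registry keys quoted from the ADWCleaner log.
# Run from an elevated PowerShell prompt on the affected machine. Nothing is deleted.

# Key paths copied from the ADWCleaner findings quoted in the post above.
$suspectKeys = @(
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\DriverSupport.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\DriverSupport.exe',
    'HKCU:\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com',
    'HKCU:\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\download.driversupport.com',
    'HKCU:\Software\Microsoft\Internet Explorer\DOMStorage\driversupport.com',
    'HKCU:\Software\ActiveOptimization',
    'HKLM:\Software\Wow6432Node\ActiveOptimization'
)

# HKU is not a default PowerShell drive; map it so the per-SID entries can be checked too
# (assumption: the drive name HKU is free on this machine).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$suspectKeys += 'HKU:\S-1-5-18\Software\ActiveOptimization',
                'HKU:\S-1-5-19\Software\ActiveOptimization',
                'HKU:\S-1-5-20\Software\ActiveOptimization',
                'HKU:\.DEFAULT\Software\ActiveOptimization'

# One row per key: whether it exists and, if so, the values stored under it.
$report = foreach ($key in $suspectKeys) {
    $present = Test-Path -LiteralPath $key
    $values  = ''
    if ($present) {
        $values = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue | Out-String).Trim()
    }
    [pscustomobject]@{ Key = $key; Present = $present; Values = $values }
}
$report | Format-Table -AutoSize -Wrap

# Show the batch files the scammers left on the desktop (the post names
# FirewallSecurity.bat, AdvanceSecurity.bat and VPNSecurity.bat) so their
# commands can be read before the files are removed. Desktop path is assumed
# to be the current user's profile desktop.
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -Filter '*.bat' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "`n=== $($_.FullName) ==="
        Get-Content -LiteralPath $_.FullName
    }
```

Rerunning the script after the ADWCleaner and Hitman passes that TimW asks for gives a quick confirmation that the listed keys are gone; a key that reappears after a reboot points to something still re-creating it and is worth mentioning in the next set of logs.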
     
  5. wagnsew

    wagnsew Private E-2

    Here are the new logs.

    First thing I thought when I saw WOT was World of Tanks...it takes me a minute sometimes.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    LOL....You/they should be good. I have occasionally been hit with the tech scam and all I could do was to close my browser (often with Task Manager) and then I could reopen and delete the tab.

    But you do need to tell your folks to not fall for the scam in the future.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8 or 10, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  7. wagnsew

    wagnsew Private E-2

    Sorry to be so long in replying. I was out of town for business.

    The computer seems to be running well. I've removed all of the tools and done the general clean up. The computer now has a big sticky note reminding her not to call any 800 numbers that pop up!

    Thanks for your help.
    Chris
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem. Good luck. :)
     
