Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: apris89 on August 06, 2012, 10:33:52 AM
-
Help me, please.
It may be off topic for this forum, but I don't know what to do and I desperately need help. Please help me.
I recently had call from those phone fraudsters claiming they are MS security and fell for it.
They told me there was problem in my computer that is keep on sending messages to them and asked me to download the remote access program (which I later found out)
While they were in remote access, they showed me the prefetch, msconfig, eventvwr and they turned on cmd.exe and asked me to type "cd\" (\appeared as dashed W) enter, and "scan" and enter.
A whole bunch of words flew through the cmd screen for a few seconds and "hacker found" showed up at the very bottom of the screen.
Then, they directed me to this "pcpestfix.com" and told me to buy the plan.
At that time fortunately I did not have any means of payment so I did not buy the plan.
But they kept me on the line and did not let me go from the remote access thing for a while.
After a while they let me go.
I did not realize it was a phone scam but I thought it was creepy so I went through full system scan and booting scan using the Avast free antivirus program.
After a week, today I got another phone call from them, which I hung up on, and researched this and finally realized it was a phone scam.
I am so scared and I don't know what to do.
Was the full scan and booting scan enough to solve the problem?
Can they access my computer after this?
I deleted the program and went through a full system scan a number of times.
I do not do much using my computer but I moved some video files yesterday (after many full scan and boot scan) to my dad's computer and I am worried sick about my dad's computer.
Please help me. Please...
I am worried sick. I can't even sleep. please.
-
Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0
-
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.06.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kim :: KIM-PC [administrator]
Protection: Enabled
2012-08-06 오전 2:52:47
mbam-log-2012-08-06 (02-52-47).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195449
Time elapsed: 8 minute(s), 14 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCR\AppID\{FCF9C839-34AD-499C-A9CE-CE4226E66EE9} (Adware.KorAd) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Kim\Downloads\neodiary19054_full.exe (PUP.Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Users\Kim\Downloads\wrar393k_fsetup_349_25.exe (Adware.Kraddare) -> Quarantined and deleted successfully.
(end)
-
Here are the reports from OTL.
-
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-06 03:31:06
-----------------------------
03:31:06.231 OS Version: Windows x64 6.1.7601 Service Pack 1
03:31:06.231 Number of processors: 4 586 0x2A07
03:31:06.231 ComputerName: KIM-PC UserName: Kim
03:31:09.413 Initialize success
03:31:10.645 AVAST engine defs: 12080600
03:31:17.088 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
03:31:17.088 Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
03:31:17.151 Disk 0 MBR read successfully
03:31:17.166 Disk 0 MBR scan
03:31:17.166 Disk 0 Windows VISTA default MBR code
03:31:17.182 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
03:31:17.197 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 673742 MB offset 3074048
03:31:17.229 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 26105 MB offset 1382897664
03:31:17.260 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 14056 MB offset 1436360704
03:31:17.291 Disk 0 scanning C:\windows\system32\drivers
03:31:26.620 Service scanning
03:32:48.395 Modules scanning
03:32:48.411 Disk 0 trace - called modules:
03:32:48.957 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
03:32:48.957 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80081cb060]
03:32:48.972 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80062b8050]
03:32:50.673 AVAST engine scan C:\windows
03:32:53.730 AVAST engine scan C:\windows\system32
03:35:37.874 AVAST engine scan C:\windows\system32\drivers
03:35:48.685 AVAST engine scan C:\Users\Kim
04:19:18.003 AVAST engine scan C:\ProgramData
04:21:00.687 Scan finished successfully
04:23:25.522 Disk 0 MBR has been saved successfully to "C:\Users\Kim\Documents\MBR.dat"
04:23:25.528 The log file has been saved successfully to "C:\Users\Kim\Documents\aswMBR.txt"
This is the aswMBR scan log.
What else do I need to do?
-
What else do I need to do?
Now you have to wait a bit. ;)
-
Nothing readily apparent there. What programme did they download to access your system?
I will dig deeper though
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - prefs.js..browser.search.selectedEngine: "?¤ì´ë²?
O2 - BHO: (no name) - {0A4ABCA7-7612-4BA1-B1D3-4D56D964D3F4} - No CLSID value found.
O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
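As an added illustration (not part of Essexboy's post or of the OTL tool itself), this Python triage sorts OTL log entries of the kinds the fix above targets: O2/O3 entries whose CLSID no longer resolves to a registered object, and O4 autoruns with an empty value name or a missing file. The sample lines are constructed; the two healthy entries, their CLSID and their paths are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in OTL log format: the three entries the fix above
# removes, plus two healthy placeholder entries (hypothetical, not from the
# thread) so the triage has something to leave alone.
SAMPLE_OTL_LINES = [
    "O2 - BHO: (no name) - {0A4ABCA7-7612-4BA1-B1D3-4D56D964D3F4} - No CLSID value found.",
    "O3 - HKU\\S-1-5-21-137632020-889758999-164455875-1001\\..\\Toolbar\\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.",
    "O4:64bit: - HKLM..\\Run: [] File not found",
    "O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll (Example Corp)",
    "O4 - HKLM..\\Run: [avast] C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe (AVAST Software)",
]

# OTL section prefix, e.g. "O2 - " or "O4:64bit: - "
SECTION_RE = re.compile(r"^(O\d+)(?::64bit:)?\s+-\s+(.*)$")
# Autorun entry body: "...\Run: [value name] command"; an empty name is itself odd
RUN_NAME_RE = re.compile(r"\\Run:\s*\[(.*?)\]\s*(.*)$")


def triage_otl(lines) -> Dict[str, List[str]]:
    """Sort OTL entries into orphaned COM registrations, dangling autoruns
    and entries that look intact. Only the O2/O3/O4 sections are handled."""
    out = {"orphaned_com": [], "dangling_autorun": [], "ok": [], "unhandled": []}
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("O2", "O3"):
            # BHO / toolbar whose CLSID no longer maps to a registered object
            if "No CLSID value found" in body:
                out["orphaned_com"].append(line)
            else:
                out["ok"].append(line)
        elif section == "O4":
            rm = RUN_NAME_RE.search(body)
            name, target = (rm.group(1), rm.group(2)) if rm else ("", body)
            if name == "" or "File not found" in target:
                out["dangling_autorun"].append(line)
            else:
                out["ok"].append(line)
        else:
            out["unhandled"].append(line)
    return out


def build_otl_fix(triaged: Dict[str, List[str]]) -> str:
    """Emit the ':OTL' block of a fix script for the flagged entries, in the
    same form the fix above uses (entries copied verbatim under ':OTL')."""
    flagged = triaged["orphaned_com"] + triaged["dangling_autorun"]
    return "\n".join([":OTL", *flagged])


if __name__ == "__main__":
    print(build_otl_fix(triage_otl(SAMPLE_OTL_LINES)))
```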
-
Here is the OTL log.
-
After the reboot by ComboFix, every time I tried to start any program, a message popped up saying "illegal operation attempted on a registry key that has been marked for deletion," and the program did not run.
So I rebooted, and it seems to work normally. When I was typing the very first sentence of this reply there was a short time lag, but it works fine now, so I guess I did not wait long enough for all the startup programs to start.
The program I downloaded... I deleted right away so I cannot remember the name of the program they used.
It was on the website "pcpestfix.com" and when I clicked the link "connect to the technician" it was automatically downloaded.
The website is still there, but I am a little scared to go and check what the name of the program was.
While I was waiting for the reply, I ran Microsoft Safety Scanner, as suggested by Microsoft for people who got phone scammed, and it found "Win32/Obfuscator.XY", which Avast did not detect. Microsoft Safety Scanner says it cannot cure it. What should I do?
-
This won't be a popular reply, but if I were you, I would reinstall Windows. Do you at least have any restore points prior to this? How about a system image? Again, if it were me, I would never be able to trust the machine, so I would reimage or reinstall.
-
Hindsight is always easy, but in this case I totally agree with DBone.
-
Sorry guys, but I strongly suggest to let Essexboy decide. ;)
-
I am not sure, but I don't think there are any restore points prior to this. I checked the recovery section of the Control Panel and it only lists today's, which was created by the OTL program as I followed the instructions above.
I do not know how to create restore points and I have not done anything beforehand.
Mine's a laptop and Windows came with it when I bought it, so I am not sure about the system image either.
-
Please wait for Essexboy's reply. He's the expert on such issues!
-
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\windows\apppatch\AppLoc.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
ComboFix killed it.
To be really sure, although I feel it has all gone now
You may not get all options for this programme
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
-- If you encounter any problems, try running GMER in safe mode (http://www.computerhope.com/issues/chsafe.htm).
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
-
Can the type of problem I had on my computer have infected my dad's computer in the process of moving some video files using an external hard drive?
I am worried about his computer (he is right now at a different place where there is no internet connection), which he uses for a lot of personal information.
-
I faced a problem using GMER. On the right panel, everything except the last three, "Services", "Registry" and "Files", is greyed out and I cannot select it. This happens both in normal Windows and in safe mode.
-
That is OK, as the version of Windows you are running dictates what options are available, so run GMER with what shows.
Nothing would have been transferred, as the programme that you downloaded was purely to access your system and I can see no sign of a replicator.
-
I ran GMER and it said there hasn't been a modification. The white screen of GMER stays blank and the file I saved under the name GMER.text was blank. I am not sure if it is a good sign or a bad sign.
-
Nope that means there is no rootkit activity ... How is the computer behaving ? Anything unusual or weird ?
-
It seems it is working normally.
Thanks very much for all the help.
You are a lifesaver. Thank you. :)
-
OK, let's now remove all my rubbish. ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of the Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All Programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install the FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date, visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
I followed all instructions. Guess it is working fine now.
I will come back if I do have problem.
Thank you :) :D
-
Well, you don't need to worry about this any longer. If you think there is any scam going around and any remote support session is in progress, just restart your computer. This will disconnect the connection and they will no longer be able to access the computer unless you permit them by giving the passwords/ID again. If you have already given any info to them, just restart the computer. This will automatically disconnect any further communication between them and your computer. They can't access your computer after this incident. These guys (however smart they think they might be) will still need your permission to access it.
However, not every company is a scam. If you think they are stealing your information, call their officials to sort out the problems.
Regards,
Ricky