Topic: HELP! I had the phone fraud claiming MS and worried sick

apris89 (Guest)
HELP! I had the phone fraud claiming MS and worried sick
« on: August 06, 2012, 10:33:52 AM »
Help me, please.
It may be off topic for this forum, but I don't know what to do and I desperately need help. Please help me.

I recently had a call from those phone fraudsters claiming they are MS security and fell for it.
They told me there was a problem in my computer that keeps sending messages to them and asked me to download the remote access program (which I later found out).
While they were in remote access, they showed me the prefetch, msconfig, eventvwr and they turned on cmd.exe and asked me to type "cd\" (\ appeared as a dashed W) and enter, and "scan" and enter.
A whole bunch of words flew through the cmd screen for a few seconds and "hacker found" showed up at the very bottom of the screen.
Then, they directed me to this "pcpestfix.com" and told me to buy the plan.
At that time, fortunately, I did not have any means of payment so I did not buy the plan,
but they kept me on the line and did not let me go from the remote access thing for a while.
After a while they let me go.

I did not realize it was a phone scam, but I thought it was creepy, so I went through a full system scan and boot-time scan using the Avast free antivirus program.
After a week, today I got another phone call from them, which I hung up on, and researched this and finally realized it was a phone scam.

I am so scared and I don't know what to do.
Were the full scan and boot scan enough to solve the problem?
Can they access my computer after this?
I deleted the program and went through a full system scan a number of times.

I do not do much with my computer, but I moved some video files yesterday (after many full scans and boot scans) to my dad's computer and I am worried sick about my dad's computer.

Please help me. Please...
I am worried sick. I can't even sleep. Please.

Asyn (Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #1 on: August 06, 2012, 10:43:34 AM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #2 on: August 06, 2012, 11:10:26 AM »
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kim :: KIM-PC [administrator]

Protection: Enabled

2012-08-06 오전 2:52:47
mbam-log-2012-08-06 (02-52-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195449
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\AppID\{FCF9C839-34AD-499C-A9CE-CE4226E66EE9} (Adware.KorAd) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Kim\Downloads\neodiary19054_full.exe (PUP.Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Users\Kim\Downloads\wrar393k_fsetup_349_25.exe (Adware.Kraddare) -> Quarantined and deleted successfully.

(end)

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #3 on: August 06, 2012, 11:29:33 AM »
Here are those reports from OTL.

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #4 on: August 06, 2012, 12:25:02 PM »
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-06 03:31:06
-----------------------------
03:31:06.231    OS Version: Windows x64 6.1.7601 Service Pack 1
03:31:06.231    Number of processors: 4 586 0x2A07
03:31:06.231    ComputerName: KIM-PC  UserName: Kim
03:31:09.413    Initialize success
03:31:10.645    AVAST engine defs: 12080600
03:31:17.088    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
03:31:17.088    Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
03:31:17.151    Disk 0 MBR read successfully
03:31:17.166    Disk 0 MBR scan
03:31:17.166    Disk 0 Windows VISTA default MBR code
03:31:17.182    Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
03:31:17.197    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       673742 MB offset 3074048
03:31:17.229    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        26105 MB offset 1382897664
03:31:17.260    Disk 0 Partition 4 00     17 Hidd HPFS/NTFS NTFS        14056 MB offset 1436360704
03:31:17.291    Disk 0 scanning C:\windows\system32\drivers
03:31:26.620    Service scanning
03:32:48.395    Modules scanning
03:32:48.411    Disk 0 trace - called modules:
03:32:48.957    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
03:32:48.957    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80081cb060]
03:32:48.972    3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80062b8050]
03:32:50.673    AVAST engine scan C:\windows
03:32:53.730    AVAST engine scan C:\windows\system32
03:35:37.874    AVAST engine scan C:\windows\system32\drivers
03:35:48.685    AVAST engine scan C:\Users\Kim
04:19:18.003    AVAST engine scan C:\ProgramData
04:21:00.687    Scan finished successfully
04:23:25.522    Disk 0 MBR has been saved successfully to "C:\Users\Kim\Documents\MBR.dat"
04:23:25.528    The log file has been saved successfully to "C:\Users\Kim\Documents\aswMBR.txt"

This is the aswMBR scan log.
What else do I need to do?

Asyn (Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #5 on: August 06, 2012, 12:33:28 PM »
Quote
What else do I need to do?

Now you have to wait a bit. ;)

essexboy (Malware removal instructor, Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #6 on: August 06, 2012, 04:20:01 PM »
Nothing readily apparent there. What programme did they download to access your system?

I will dig deeper though

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    FF - prefs.js..browser.search.selectedEngine: "?¤ì´ë²?
    O2 - BHO: (no name) - {0A4ABCA7-7612-4BA1-B1D3-4D56D964D3F4} - No CLSID value found.
    O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4:64bit: - HKLM..\Run: [] File not found

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #7 on: August 06, 2012, 05:07:44 PM »
Here is the OTL log.

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #8 on: August 06, 2012, 05:40:54 PM »
After the reboot by ComboFix, every time I tried to start any program, a message popped up saying "illegal operation attempted on a registry key that has been marked for deletion," and the program did not run.
So I rebooted, and it seems to work normally. When I was typing the very first sentence in this reply, there was a short time lag, but it works fine now, so I guess I did not wait long enough for all the startup programs to start.

The program I downloaded... I deleted it right away, so I cannot remember the name of the program they used.
It was on the website "pcpestfix.com" and when I clicked the link "connect to the technician" it was automatically downloaded.
The website is still there, but I'm a little scared to go check what the name of the program was.

While I was waiting for the reply, I ran Microsoft Safety Scanner as suggested by Microsoft for those who got phone scammed, and it found "Win32/Obfuscator.XY", which Avast did not detect. Microsoft Safety Scanner says it cannot cure it. What should I do?

DBone (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #9 on: August 06, 2012, 06:12:21 PM »
This won't be a popular reply, but if I were you, I would reinstall Windows. Do you at least have any restore points prior to this? How about a system image? Again, if it were me, I would never be able to trust the machine, so I would reimage or reinstall.

bob3160 (Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #10 on: August 06, 2012, 06:19:36 PM »
Hindsight is always easy, but in this case I totally agree with DBone.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Asyn (Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #11 on: August 06, 2012, 06:22:48 PM »
Sorry guys, but I strongly suggest letting Essexboy decide. ;)

apris89 (Guest)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #12 on: August 06, 2012, 06:25:16 PM »
I am not sure, but I don't think there are any restore points prior to this. I checked the recovery section of the control panel and it only lists today's, which was created by the OTL program as I followed the instructions above.
I do not know how to create restore points and I have not done anything beforehand.
Mine's a laptop and Windows came with it when I bought it, so I am not sure about the system image either....

Asyn (Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #13 on: August 06, 2012, 06:37:51 PM »
Please wait for Essexboy's reply. He's the expert on such issues!

essexboy (Malware removal instructor, Avast Überevangelist)
Re: HELP! I had the phone fraud claiming MS and worried sick
« Reply #14 on: August 06, 2012, 07:37:53 PM »
Quote
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\windows\apppatch\AppLoc.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
ComboFix killed it.

To be really sure, although I feel it has all gone now:

You may not get all options for this programme.

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file, which cannot be uploaded to your post.

    • Save it where you can easily find it, such as your desktop, and attach it in your reply.

    Notes:
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    -- If you encounter any problems, try running GMER in safe mode.
    -- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
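The files ComboFix removed in the reply above (an AMMYY data directory under ProgramData and a custom application-compatibility shim database under Windows\AppPatch\Custom) are the kind of leftovers a remote-support scam session tends to leave behind. As an added example that is not part of this thread and not a tool any of the posters used, the following Python script checks a system root for both kinds of artifact. The locations it checks and its matching logic are assumptions drawn only from the quoted ComboFix list, and the sample tree it builds for a dry run is constructed to mirror that list, not taken from the poster's machine.

```python
"""Triage check for leftovers of a remote-support scam session.

Added example (not from the forum thread). Looks for:
  * a data directory of the Ammyy Admin remote-control tool under ProgramData
  * custom shim databases (*.sdb) under Windows\\AppPatch\\Custom
The relative paths below are assumptions based on the ComboFix list quoted
in the thread; matching is case-insensitive because Windows paths are.
"""
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed locations, relative to the system root (e.g. C:\).
REMOTE_ADMIN_DIRS = ["programdata/ammyy"]
SHIM_CUSTOM_DIR = "windows/apppatch/custom"


def _find_ci(base: Path, rel: str) -> Optional[Path]:
    """Resolve `rel` under `base`, matching each path component case-insensitively."""
    cur = base
    for part in rel.split("/"):
        match = None
        try:
            for entry in cur.iterdir():
                if entry.name.lower() == part:
                    match = entry
                    break
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            return None
        if match is None:
            return None
        cur = match
    return cur


def find_remote_session_artifacts(root) -> Dict[str, List[str]]:
    """Return suspicious paths found under `root`.

    'remote_admin' lists the AMMYY directory and every file inside it;
    'custom_shims' lists *.sdb files under AppPatch\\Custom (other files ignored).
    """
    root = Path(root)
    findings: Dict[str, List[str]] = {"remote_admin": [], "custom_shims": []}
    for rel in REMOTE_ADMIN_DIRS:
        d = _find_ci(root, rel)
        if d is not None and d.is_dir():
            findings["remote_admin"].append(str(d))
            findings["remote_admin"].extend(str(p) for p in sorted(d.rglob("*")) if p.is_file())
    shim_dir = _find_ci(root, SHIM_CUSTOM_DIR)
    if shim_dir is not None and shim_dir.is_dir():
        findings["custom_shims"].extend(
            str(p) for p in sorted(shim_dir.iterdir()) if p.suffix.lower() == ".sdb"
        )
    return findings


def build_sample_tree(base) -> Path:
    """Construct a fake system root mirroring the thread's ComboFix findings (sample data)."""
    base = Path(base)
    ammyy = base / "ProgramData" / "AMMYY"
    ammyy.mkdir(parents=True, exist_ok=True)
    for name in ("hr", "hr3", "settings3.bin"):       # constructed stand-ins for the listed files
        (ammyy / name).write_bytes(b"constructed sample")
    custom = base / "Windows" / "AppPatch" / "Custom"
    custom.mkdir(parents=True, exist_ok=True)
    (custom / "{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb").write_bytes(b"constructed sample")
    (custom / "readme.txt").write_text("not a shim database")  # benign file, must not be reported
    return base


def run_on_sample_tree() -> Dict[str, List[str]]:
    """Dry run: build the constructed tree in a temp directory and scan it."""
    return find_remote_session_artifacts(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Usage: python check_artifacts.py [SYSTEM_ROOT]; without an argument, scan the sample tree.
    result = find_remote_session_artifacts(sys.argv[1]) if len(sys.argv) > 1 else run_on_sample_tree()
    for category, paths in result.items():
        print(f"{category}: {len(paths)} item(s)")
        for p in paths:
            print("   ", p)
```

Run it with no argument for a dry run on the constructed tree, or with the system root (`C:\`) on the affected machine. A hit is something to review, not proof on its own: Ammyy Admin is a legitimate remote-administration product and some installers ship their own .sdb databases, so who installed the item and when is what decides whether it belongs there.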