
Remote Assistance Issue


5 replies to this topic

#1 Curiousp


Posted 15 July 2011 - 02:01 AM

Hey Guys,

Well while I was with my friend, I returned home to find that in our Firefox history there was a logmeinrescue.com website listed there. I immediately got suspicious and asked my father what happened. He said that our emails were playing up and the network was out so he rang our ISP and asked for technical support and my Dad, who doesn't know a lot about computers and the various software you can use, agreed to visit this logmein site. My Dad did not actually know it was where remote assistance would be used, and the technical Indian ISP guy would be remotely logging in to our computer, so he went ahead with it.

First the ISP guy tried logmein123 which was blocked by WOT because it is listed as a red site. Then he suggested logmeinrescue, where my Dad went through the process. As soon as my Dad saw that the man was controlling our mouse and was attempting to rectify the issue through this method (which freaked him out) he shut down the computer. The man protested and said we can do this manually, but my dad hung up on him.

I am very concerned, although I know the guy is reputable and is not some dodgy fake Microsoft 'employee,' that he could have viewed personal information or passwords or done something that we recognize as a breach of privacy. He was only on there for about 2 minutes or less, but does he still have access to the computer? And should I be concerned if I know it was a reputable guy? My Dad is very angry that this guy did not notify him of what he was doing, and when he rang up again, a woman went through the process in a matter of minutes without remote assistance.

Thank you



#2 Didier Stevens


Posted 15 July 2011 - 08:51 AM

Check if Logmein installed any software, and uninstall it.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Curiousp


Posted 15 July 2011 - 08:54 PM

Hi, there is support-logmeinrescue.exe which is a PF file and located in the Windows Prefetch Folder... is it safe to delete that?

There was another query about the logmein software on Bleeping Computer and I looked at the posts and it listed a number of instructions to delete it from the registry. I deleted the logmeinrescue folder from the registry and then when searching for any other files, the only one which came up was lmi_rescue.exe which was set to enabled in LMI134.tmp pathway, so are those settings to configure the ports in the firewall as it was linked to firewall policy? I am not sure if it is safe to delete it, or if the firewall can block those specific ports again.


Thank you

Edited by Curiousp, 15 July 2011 - 09:16 PM.


#4 Curiousp


Posted 16 July 2011 - 07:30 AM

Bump

#5 Didier Stevens


Posted 16 July 2011 - 03:08 PM

... when searching for any other files, the only one which came up was lmi_rescue.exe which was set to enabled in LMI134.tmp pathway...


I'm not sure I understand you. Can you explain what you mean? For example, what is a pathway?
And is LMI134.tmp a directory or a file, and where is it located?

Edited by Didier Stevens, 16 July 2011 - 03:09 PM.



#6 Romeo29


Posted 16 July 2011 - 04:44 PM

logmein123 and logmeinrescue are the same sites and are used by companies to resolve customer problems.
The customer downloads an applet for this to work (support-logmeinrescue.exe) every time access is needed.
The customer has to give access manually for someone to make changes to the computer remotely.
This site and software are safe.

Now you have to see if he installed anything else like a backdoor trojan or made changes to your system so he can access your computer later.
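
The checks suggested in this thread (did the applet leave software behind, and was anything changed that would allow access later) can be run read-only. The PowerShell below is an added example, not part of any poster's reply and not LogMeIn's own tooling; the match pattern is an assumption built from the file names mentioned above, and it assumes Windows PowerShell started as administrator.

```powershell
# Added example: read-only audit for leftovers of a remote-support session.
# $pattern is an assumption derived from names quoted in this thread
# (support-logmeinrescue.exe, lmi_rescue.exe, LMI134.tmp). Nothing is deleted.
$pattern = 'logmein|lmi_rescue|LMI\d+\.tmp'

# 1. Installed programs (64-bit and 32-bit uninstall keys)
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $pattern } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

# 2. Services whose name or binary path matches (a service survives reboots)
Get-WmiObject Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Autostart entries in the machine and user Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $pattern } |
            Select-Object @{n='Key';e={$key}}, Name, Value
    }
}

# 4. Windows Firewall rules, stored in the registry as pipe-delimited strings
#    such as "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\...|Name=...|"
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fw.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match $pattern } |
        ForEach-Object {
            $fields = @{}
            foreach ($part in ($_.Value -split '\|')) {
                if ($part -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
            }
            New-Object PSObject -Property @{
                Rule = $_.Name; Active = $fields['Active']; Action = $fields['Action']
                Dir = $fields['Dir']; App = $fields['App']
            }
        }
}
```

An empty result from all four sections means nothing matching the pattern is registered to start or to pass the firewall; it does not rule out changes made under other names.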



