Scammed with a microsoft licence security update


7 replies to this topic

#1 Byzance


Posted 23 August 2013 - 11:04 AM

So I was partially scammed. Got a phone call from a person stating he is from Microsoft and a serious threat has been detected in my computer and they will help me fix it. I was suspicious so the guy made me go to my computer, click computer, manage, event viewers, then custom and I see warnings and errors so I started to be worried. He asked access to my computer through Teamviewer; again suspicious, he makes me go to a website, enter a number for Microsoft company and I see it listed. Stupidly I let him access. He opens a few windows, I see him running CMD and at the end of the CMD where I see all the data running ultra fast I get the message your microsoft licence has expired risk of crash imminent renew so the guy said I have to renew and when he said I will be directed to a payment page I switched off the computer, forced from the button, and hung up the phone. I changed my passwords for everything from another computer just in case (online banking, emails etc...) and after restarting my pc again ran all kinds of anti viruses. Ad-ware finds issues but after cleaning keeps finding the same. Spybot detects 2 Win32.downloader.gen but I keep getting the same threat after cleaning over and over which brings me to Bleepingcomputer website looking for solutions. I had to uninstall teamviewer. When checking the activity log I saw "he" was connected again without permission. Every time I ended teamviewer in task manager it started over and over so I exited the programme and uninstalled. Spybot is clear now thanks to Rkill and AdwCleaner. My Ad-Aware keeps finding 1 threat even when running those programmes though.

 

I'm concerned by the Rkill log that states:

 

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  127.0.0.1 008i.com
  127.0.0.1 www.008k.com
  127.0.0.1 008k.com
  127.0.0.1 www.00hq.com
  127.0.0.1 00hq.com
  127.0.0.1 010402.com
  127.0.0.1 www.032439.com
  127.0.0.1 032439.com
  127.0.0.1 www.0scan.com
  127.0.0.1 0scan.com
  127.0.0.1 1000gratisproben.com
  127.0.0.1 www.1000gratisproben.com
  127.0.0.1 1001namen.com
  127.0.0.1 www.1001namen.com
  127.0.0.1 100888290cs.com
  127.0.0.1 www.100888290cs.com
  127.0.0.1 www.100sexlinks.com
  127.0.0.1 100sexlinks.com

  20 out of 15490 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 08/24/2013 03:14:53 AM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)

 

 

Does that mean those websites have access to my internet connection or are they blocked? Sorry I am not very computer literate so learning. I have also the teamviewer log if someone can check any info from it to see what they've done to my computer. Thanks a lot.


Edited by hamluis, 23 August 2013 - 01:57 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 quietman7


Posted 23 August 2013 - 04:43 PM

There are several legitimate security programs like Spybot S&D, Webroot Spy Sweeper, STOPzilla, etc. which can add numerous entries to the HOSTS file.

If you open the Hosts file, the note at the top and bottom will show the entries were inserted by other security programs like Spybot:
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1	007guard.com
127.0.0.1	www.007guard.com
127.0.0.1	008i.com
127.0.0.1	008k.com
127.0.0.1	www.008k.com
127.0.0.1	00hq.com
127.0.0.1	www.00hq.com
127.0.0.1 	legal-at-spybot.info
127.0.0.1 	www.legal-at-spybot.info
127.0.0.1...
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
A better example of Spybot's Host file is shown here.

Anything that appears in your HOSTS file with a pound sign # is a comment, and its main function is to write descriptions.
Anything that appears in your HOSTS file without a # at the beginning, except for the 127.0.0.1 localhost line, should be viewed with suspicion unless a security program you use or a custom HOSTS file has created them to block unwanted connections to malicious sites.

If you see 127.0.0.1 next to the domain name of security related sites such as an antivirus vendor, then your HOSTS file has likely been altered by malware so that it blocks access to those sites. When redirecting to another site, malware will substitute an illegitimate IP address for the legitimate one. Although malware can be responsible for altering the HOSTS file in an attempt to redirect your browser, it generally does not do so without infecting other areas of your system.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
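The HOSTS-file reading rules from the reply above, as an added example that is not part of the original thread: a Python sketch that classifies each mapping. The watch list of security-site domains and the sample file are constructed assumptions.

```python
import ipaddress
# Assumption: hypothetical watch list of security-site domains; extend with your own tools.
WATCH = ("spybot.info", "eset.com", "bleepingcomputer.com")
SINK = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that only block, never redirect
MARKER = "entries inserted by"
# Constructed sample, not the poster's file. 203.0.113.7 is a documentation address.
SAMPLE = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
127.0.0.1 www.legal-at-spybot.info
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.eset.com
203.0.113.7 www.paypal.com
127.0.0.1 ads.example
"""
def audit_hosts(text, watch=WATCH):
    """Return (line_no, host, ip, verdict) for every mapping in HOSTS text."""
    findings, owner = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            low = line.lower()
            if MARKER in low:  # track which tool claims the following block
                name = line[low.index(MARKER) + len(MARKER):].strip()
                owner = name if "start of" in low else None
            continue
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, hosts = fields[0], [h.lower() for h in fields[1:]]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, " ".join(hosts), ip, "malformed address"))
            continue
        for host in hosts:
            if ip not in SINK:
                verdict = "suspicious: redirects to a non-local address"
            elif host == "localhost":
                verdict = "ok: localhost"
            # Checked before the owner comment, because a comment is easy to forge.
            elif any(host == d or host.endswith("." + d) for d in watch):
                verdict = "suspicious: security site blocked"
            elif owner:
                verdict = f"ok: block entry inside '{owner}' section"
            else:
                verdict = "review: block entry with no owner comment"
            findings.append((no, host, ip, verdict))
    return findings
```

To check a real machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to audit_hosts().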

#3 quietman7


Posted 23 August 2013 - 05:51 PM

Checking HOSTS File:
* Cannot edit the HOSTS file

Forgot to address the above. The reason RKill provided that info was that Spybot most likely locked the Hosts file to protect it from modification by malware, if you chose to use that feature.
 

The Hosts file normally acts as a network-translation mechanism so that you can access certain network resources without having to go through DNS (domain name services). However, in many situations, spyware and adware modify this file so that web browser requests to sites such as PayPal, Amazon, or eBay go to other sites instead. You can help protect your hosts file from modification by having Spyware Search and Destroy write-protect it....

Spybot S&D HOSTS file Protection: How to Lock

* Permissions Fixed. Administrators can now edit the HOSTS file.

RKill unlocked it so if you want that added protection, follow the instructions in the above link.

#4 Byzance


Posted 23 August 2013 - 09:01 PM

Thanks for the info. I checked and it's Spybot Search and Destroy that put those sites as protection.

I have contacted my internet provider with the issue and a copy of the teamviewer activity log. I can't understand very well what it is about but it doesn't sound good. I was wondering if anyone here is willing to have a look at my teamviewer log to see if I can get some info on what the guy has done to my pc? Thanks. I copied and pasted it in a word doc.



#5 quietman7


Posted 23 August 2013 - 09:22 PM

I don't know much about a teamviewer log other than I read it shows connection data. I doubt if many of our members here are familiar either.

Are you having any issues going on since the scam with the fake Microsoft Support caller?

BTW Microsoft Support Connection (Remote Assistant) is LogMeIn123.com and you have to call them first.

#6 Byzance


Posted 23 August 2013 - 11:25 PM

Thanks quietman7. I found a programme I hadn't installed. Date of install was yesterday so I uninstalled it. It was WinPcap, and I got this info by googling:

 

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

Thanks to its set of features, WinPcap is the packet capture and filtering engine of many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these networking tools, like Wireshark, Nmap, Snort, ntop are known and used throughout the networking community.

 

I will just keep checking in the next few weeks and continue to try to protect the computer as best I can. Some very good programs out there. I use Ad-Aware free anti virus on my main PC, avast on others, but I might consider a paid one like ESET.



#7 Byzance


Posted 24 August 2013 - 03:12 AM

Now I know what happened. So no sign I have a virus or any other threat but I have most of my microsoft services stopped and can't restart them from task manager, I get access denied. Looks like I'll have to take my computer to a tech.

Application Layer Gateway service

Application identity

ASP net state service

ActiveX installer

Bitlocker encryption service

Certificate propagation

Microsoft Net Framework

COM + system application

Wired auto config

etc...



#8 quietman7


Posted 24 August 2013 - 06:31 AM

How to Start or Disable Services in Windows 7


Another thing you can try which may be easier to do is use System Restore to return to a previous state before the problems began. Note for Windows 7 users: Check the "Show other restore points" box to see any older restore points that may not be listed.



