
Can I prove my PC was infected by a repair shop?


11 replies to this topic

#1 Chic Bowdrie

  • Members
  • 28 posts

Posted 16 June 2014 - 11:10 AM

My friend took her laptop (Win 8.1) to have a key replaced.  After she got it back, she had trouble activating her AVG antivirus software and it was continually asking for a reboot.  When she took it back to the repair shop, they wanted over $200 to remove over 40 viruses.  It seemed like a scam to her and I agreed.  A review of the event logs shows evidence that settings were tampered with.  I don't think replacing a keyboard would need logon accounts to change?

 

First of all, I'm not positive of any virus, let alone 40.  How can I confirm viruses?  I want the repair shop to refund her costs at a minimum, if they infected the PC.  If there is a virus, can I determine when it was introduced?

 

Is this the best place to post a problem involving a possible sabotage by a PC repair shop?





#2 zingo156

  • BC Advisor
  • 3,345 posts

Posted 16 June 2014 - 11:24 AM

I worked at a PC repair shop; generally we would do a free tune-up and run scans for infections with a few different tools. They may have found viruses or junkware that were already on the laptop that AVG didn't pick up. I never removed anything or changed settings without calling the user first.

 

They may have found infections with a different anti-virus tool. You can ask which one they used and look in the quarantine or logs for the scanner they used. If you can find the files their anti-virus removed, you may be able to determine the dates the infected files were created, modified, etc.


Edited by zingo156, 16 June 2014 - 11:25 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 Chic Bowdrie

  • Topic Starter
  • Members
  • 28 posts

Posted 16 June 2014 - 11:40 AM

.... They may have found infections with a different anti-virus tool. You can ask which one they used and look in the quarantine or logs for the scanner they used. If you can find the files their anti-virus removed, you may be able to determine the dates the infected files were created, modified, etc.

Wow, fast reply thanks.

 

They didn't remove anything, because we aren't paying $200+ for possible virus/malware introductions while the laptop was in their possession.

 

In the event logs, I see Anonymous Logons, "A member was removed from a security-enabled local group," "Name of an account was changed," etc.  Why was this necessary, if the only reason the computer was brought in for service was to repair a key?

 

So do anti-virus removal tools collect infection dates? 



#4 zingo156

  • BC Advisor
  • 3,345 posts

Posted 16 June 2014 - 11:45 AM

The AV tool likely won't list the infection date. The best way to determine the infection date is to use the AV tool to find infected files and then locate the file on the computer (most AVs will give a location of the file; browse to that location), right click on it and then click Properties. I recommend doing this before removing the infection. In the Properties box there should be a date created, modified, and accessed. The date created or modified may indicate the actual infection time/date.

 

I do not know why they changed the account name or why a member was removed from a security-enabled local group. It is possible they used a password removal tool to sign into the computer to run standard scans/tune-up tools. This would be my best guess as to why someone was removed from the security-enabled local group...


Edited by zingo156, 16 June 2014 - 11:50 AM.


#5 buddy215

  • Moderator
  • 13,254 posts

Posted 16 June 2014 - 11:57 AM

Since foul play is suspected, it would be best to run some scans or, better still, to use the most recent image of the HDD to reinstall. That is, if you have a backup image.

 

Scan your computer using this: AdwCleaner Download

Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

  • Free Virus Scan | Online Virus Scanner from ESET
  • Click the esetonlinebtn.png button in the link above.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Use CCleaner to clean up the temporary files, logs, cookies, etc. Use the default settings. Pay attention while installing and UNcheck offers of toolbars such as Yahoo. No need to use the Registry Cleaner tool, and it has the potential of causing another problem. CCleaner - PC Optimization and Cleaning - Free Download


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#6 Chic Bowdrie

  • Topic Starter
  • Members
  • 28 posts

Posted 16 June 2014 - 11:58 AM

OK, buddy215, there is no backup.

 

That is good plan.  I was going to try to use AVG, but I don't use it and it may be corrupted anyway.  I'll try AdwCleaner and see what happens.

 

BTW, while at the shop, the PC was left on all night and there was activity spanning at least six hours over two days and possibly two separate techs using different IP addresses.


Edited by Chic Bowdrie, 16 June 2014 - 12:11 PM.


#7 zingo156

  • BC Advisor
  • 3,345 posts

Posted 16 June 2014 - 12:08 PM

OK, that is a good plan.  I don't use AVG myself, but I will attempt a scan and see what happens.

 

BTW, while at the shop, the PC was left on all night and there was activity spanning at least six hours over two days and possibly two separate techs using different IP addresses.

Full virus scans can take a while to run. In some cases I have seen Microsoft Security Essentials take over 6 hours to run, and in some rare cases over 24 hours. Since most tools run on their own without the need for the tech to watch or click, we never charged per hour for scan time, only for the time we interacted with the computer. I am guessing they ran a few virus scans with multiple tools.


Edited by zingo156, 16 June 2014 - 12:10 PM.


#8 Chic Bowdrie

  • Topic Starter
  • Members
  • 28 posts

Posted 16 June 2014 - 05:40 PM

Zingo, I checked with my friend and she confirmed that she did not have virus issues before taking the laptop in.  She did not ask them to do anything but replace a key.  IOW, having her computer online for any length of time, let alone changing things, is unacceptable.  Sorry if I did not make that clear originally.

 

Thank you for the suggestions and feedback from a shop's perspective.  We're going back there to see how they respond to charges they modified the drive in any way.  I just don't see why network access was necessary for a hardware fix.



#9 zingo156

  • BC Advisor
  • 3,345 posts

Posted 17 June 2014 - 07:10 AM

If by network access you mean internet-related access, there are many reasons why a shop would connect to the internet: Windows updates, anti-virus updates, etc. I cannot say exactly what they did or did not do; as you mentioned, it would be best to speak with the shop about the matter. They can explain to you what they did.



#10 buddy215

  • Moderator
  • 13,254 posts

Posted 17 June 2014 - 10:30 AM

Have you run the scans I asked you to? You haven't posted the results.

 

Wouldn't it be better to find out whether the shop is correct about malware being on the computer before going back to the shop? I know that shops can and do exaggerate their findings of malware/viruses. I know of one instance where one of the largest office suppliers was claiming cookies were viruses and offering to remove them for $100. They offered free inspections of laptops to draw the customers in.



#11 Chic Bowdrie

  • Topic Starter
  • Members
  • 28 posts

Posted 18 June 2014 - 06:21 PM

Buddy, I did the scans. AdwCleaner found a couple things. Pokki and a RegCleaner were installed on the day before the PC was picked up from the shop. ESET found nothing.

So the shop denied modifying the laptop in any way. They said they always have customers OK the work done when the PC is picked up. They said it had 300 viruses. They said no one could use it outside work hours. So all of those are lies.

We confronted the shop owner who refused any accountability for the documented misbehavior. We're thinking over how to proceed. Any suggestions?

Here is the AdwCleaner log:

# AdwCleaner v3.212 - Report created 18/06/2014 at 11:14:56
# Updated 05/06/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : xxxx - xxxx-LAPTOP
# Running from : E:\AdwCleaner\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Program Files (x86)\RegClean Pro
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegClean Pro
Folder Found : C:\Users\xxxx\AppData\Local\Pokki
Folder Found : C:\Users\xxxx\AppData\Roaming\Systweak

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
Key Found : HKCU\Software\Pokki
Key Found : HKCU\Software\systweak
Key Found : [x64] HKCU\Software\Pokki
Key Found : [x64] HKCU\Software\systweak
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126

Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - hxxp://mystart.toshiba.com
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages] - hxxp://mystart.toshiba.com

-\\ Google Chrome v35.0.1916.153

[ File : C:\Users\xxxxx\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1369 octets] - [18/06/2014 11:14:56]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1429 octets] ##########
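Putting zingo156's timestamp check (#4) and the event-log entries Chic Bowdrie described (#3) together against the folders in the AdwCleaner report above: this is an added PowerShell example, not something posted in the thread, and the window dates and the 'xxxx' profile name are placeholders.

```powershell
# Added example (not posted in the thread). Placeholders: the shop window dates and
# the 'xxxx' profile name, anonymised the same way as in the AdwCleaner report.
# Run from an elevated PowerShell; reading the Security log needs admin rights.
$windowStart = Get-Date '2014-06-10 00:00'   # placeholder: day the laptop was dropped off
$windowEnd   = Get-Date '2014-06-13 23:59'   # placeholder: day it was picked up
# Folders AdwCleaner reported in post #11.
$paths = @(
    'C:\Program Files (x86)\RegClean Pro',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegClean Pro',
    'C:\Users\xxxx\AppData\Local\Pokki',
    'C:\Users\xxxx\AppData\Roaming\Systweak'
)

# 1. File-system timestamps, the right-click > Properties check from post #4. A folder's
#    CreationTime marks the install; LastWriteTime moves whenever its contents change.
$fileTimeline = foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Time     = $item.CreationTime
            Source   = 'FileSystem'
            InWindow = ($item.CreationTime -ge $windowStart -and $item.CreationTime -le $windowEnd)
            Detail   = "$p (last write $($item.LastWriteTime))"
        }
    }
}

# 2. Security log events behind the messages quoted in post #3: 4781 account renamed,
#    4733 member removed from a security-enabled local group (4732 added), 4720 account
#    created, 4738 account changed, 4624 logon (type 3 = network; ANONYMOUS LOGON is here).
$filter = @{ LogName = 'Security'; Id = 4720, 4738, 4781, 4732, 4733, 4624
             StartTime = $windowStart; EndTime = $windowEnd }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$eventTimeline = foreach ($e in $events) {
    # Keep every account/group change; keep logons only when network or anonymous.
    if ($e.Id -ne 4624 -or $e.Message -match 'Logon Type:\s+3|ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Source   = "Security/$($e.Id)"
            InWindow = $true
            Detail   = ($e.Message -split "`n")[0].Trim()   # first line is the summary
        }
    }
}

# 3. One merged timeline, oldest first; rows with InWindow = True happened at the shop.
@($fileTimeline) + @($eventTimeline) | Sort-Object Time |
    Format-Table Time, Source, InWindow, Detail -AutoSize -Wrap
```

Folder creation times that land inside the window, next to the account-rename and group-removal events from the same window, are the kind of dated evidence the thread is asking for; AdwCleaner's own "Found" entries carry no dates.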

#12 buddy215

  • Moderator
  • 13,254 posts

Posted 19 June 2014 - 04:49 AM

You should allow AdwCleaner to delete/quarantine the crapware that the shop installed. It doesn't show you removed them.

 

300 viruses....that is likely cookies, unused/orphaned registry entries, or not true. Sounds like they were attempting to gouge you.

 

Did you run CCleaner?





