
A co-worker was taken in by fake support scam


9 replies to this topic

#1 o0Nighthawk0o

  • Members
  • 5 posts

Posted 13 August 2014 - 12:21 PM

The wife of a co-worker of mine received a phone call claiming to be from Microsoft Support and saying she had problems with her computer. She allowed them remote access to the computer but got suspicious and hung up without giving any CC info.

 

The computer started being overrun with pop-ups and other annoying behavior. He brought the computer in to me and I ran Malwarebytes, ComboFix and MSSE. I also did a system restore to the furthest-back date that was there.

 

After multiple scans the computer came up clean with no malware detected. He took the computer home and after 10 minutes he got a fake virus warning among other things. He brought the computer back and I scanned and cleaned again. This time he went through everything he normally does on the computer while it was sitting on my desk. Again, everything was fine and no problems.

 

He took the computer home and again got a fake virus warning and other issues.

 

Essentially, the computer works fine connected to the network at work and will for hours. But when connected to his home network it will run for about 10 minutes and then the malware is back.

 

I told him that he needed to call his ISP and have them check that his internet connection was secure and that no changes had been made. His ISP told him there was nothing they could do to help him and that he needed to wipe out and reload his computer. I also told him to have them change his IP address if possible but I don't know if he remembered to do that.

 

My question is, could these scammers have somehow gotten into his router and opened a port or two so that they could gain access to his system even if all malware were removed? Could they have done something to the cable modem? Both?

 

I'm thinking the cable modem is a long shot and am leaning towards the router being tampered with. Has anyone heard of these people doing anything like that?

 

I have cleaned a lot of computers but this is the first one that was a victim of this type of scam.





#2 maggot7

  • Members
  • 91 posts
  • Gender:Male

Posted 13 August 2014 - 12:29 PM

I've seen hundreds of these scams and the resulting infection and based on experience, it is highly unlikely that his router has been tampered with and far more likely that there is still infection present. AdwCleaner, TDSSKiller, and ESET are highly effective tools at removing these infections. Also, if you're technologically inclined, Process Explorer, Autoruns, and Task Scheduler are fantastic tools for diagnosing and locating infections.

 

By any chance, was the scam called "LogMeIn123" or something like that?



#3 o0Nighthawk0o

  • Topic Starter
  • Members
  • 5 posts

Posted 13 August 2014 - 12:38 PM

I have no idea what the scam was called. My co-worker found out from a phone call from his wife and she apparently didn't pay attention to what exactly happened.

 

What confuses me is that the problems only show up when he connects to his home network.

 

I told him to disconnect the computer from the network, do a system restore back to before Monday. He just replaced his router and still has the old one so I told him while system restore was running to take out the new router and install the old one just to eliminate that possibility. If the problems still come back I told him to bring the computer in and I will run even more scans and cleaners on it.



#4 maggot7

  • Members
  • 91 posts
  • Gender:Male

Posted 13 August 2014 - 12:55 PM

I think that it is more likely a coincidence that it is appearing on his home network. It could easily be the result of Task Scheduler or something like that.

 

Also, I do NOT advise using System Restore for malware removal purposes. System Restore points are usually one of the first things exploited by malware and in turn can just re-infect the computer whenever they are used.
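The Task Scheduler persistence that maggot7 raises in this post and in #2 is something you can triage from a text export rather than by clicking through the GUI. The script below is an added example and is not code from any poster in this thread. It parses the CSV that `schtasks /query /fo CSV /v` prints on Windows (the sample rows are constructed and trimmed to a handful of the real columns, and the exact column names are an assumption) and flags tasks whose command runs from a user-writable directory, goes through a script host or other living-off-the-land binary, or repeats every few minutes, which would fit a machine that "re-infects" about ten minutes after boot.

```python
"""Triage a schtasks CSV export for persistence indicators.

Added example for this thread, not code from the original posters.
Input is the CSV from `schtasks /query /fo CSV /v`; the sample below
is constructed and trimmed to a few of the real columns (assumption).
"""
import csv
import io
import re

# Constructed sample: three benign-looking rows and two that warrant a look.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"HOME-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"HOME-PC","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","C:\Windows\system32\sc.exe start wuauserv","SYSTEM","Monthly"
"HOME-PC","\SystemCheck","Ready","HOME-PC\user","wscript.exe //B C:\Users\user\AppData\Roaming\svc\update.vbs","HOME-PC\user","Every 10 minute(s)"
"HOME-PC","\Adobe Flash Player Updater","Ready","Adobe","C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe","SYSTEM","Hourly"
"HOME-PC","\PCOptimizer","Ready","HOME-PC\user","C:\Users\user\AppData\Local\Temp\pcopt.exe /silent","HOME-PC\user","At logon"
'''

# Directories a standard user can write to; a task launching from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|users\\public|downloads|programdata)\\", re.I)
# Script hosts and LOLBins commonly used to run a dropped payload.
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32|bitsadmin|certutil)(\.exe)?\b",
    re.I)
# "... 10 minute(s)" in either schedule column; the column text is an assumption.
FREQUENT = re.compile(r"(\d+)\s+minute", re.I)


def task_indicators(row):
    """Return a list of reasons a single schtasks row deserves a look."""
    cmd = row.get("Task To Run", "")
    schedule = " ".join(row.get(k, "") for k in ("Schedule Type", "Repeat: Every"))
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("runs from a user-writable directory")
    if SCRIPT_HOSTS.search(cmd):
        reasons.append("invokes a script host or LOLBin")
    m = FREQUENT.search(schedule)
    if m and int(m.group(1)) <= 30:
        reasons.append(f"repeats every {m.group(1)} minutes")
    return reasons


def triage_tasks(csv_text):
    """Parse the CSV and return the rows with at least one indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = task_indicators(row)
        if reasons:
            findings.append({"task": row["TaskName"],
                             "command": row["Task To Run"],
                             "user": row.get("Run As User", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']} ({f['user']}): {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a real machine, run `schtasks /query /fo CSV /v > tasks.csv` and feed the file to `triage_tasks`; the hits are a reading list for Autoruns, not a verdict, since legitimate updaters also live in AppData.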



#5 McSheHe

  • Members
  • 42 posts
  • Gender:Male

Posted 13 August 2014 - 01:07 PM

I've seen this happen before where it happens to anything connected to the network; it seems to be attached to the router. Are there multiple computers connected to his home network? If so, have him check to see if the same issue is happening on the other PCs. Have him try resetting his router and see if that resolves the pop-up issue.



#6 cmptrgy

  • Members
  • 1,656 posts
  • Gender:Male
  • Location:Massachusetts

Posted 13 August 2014 - 02:47 PM

May I recommend the following? This is what I have done in similar situations, including what you have encountered.

 

Have him disconnect the computer from the Internet

Go into the list of installed programs and uninstall any suspicious programs

Go into the startup list and uncheck anything that isn’t needed

--- The idea is if there’s an entry in there pointing to the malware, you eliminate it from calling home shortly after startup

--- The only item that should be checked in is the real time security program that he uses

Shut down and start the computer back up still unconnected from the Internet

 

Go into Internet Options and clear out the browsing history with Delete browsing history checked in. Click on Delete. On the following page, ensure Cookies and website data is checked in. Click on Delete at the bottom. Delete browsing history will follow

--- Later on when the computer is safe and secure, he can uncheck Cookies and website data

 

In his case he might want to also set cookie control in Advanced Privacy Settings

--- Since you should still be in Internet Options, click on the Privacy tab

--- In the Settings section, click on Advanced

--- On the Advanced Privacy Settings window click on the following items

------ Override automatic cookie handling

------ First party cookies: Accept

------ Third party cookies: Block

------ Always allow session cookies

--- Click on OK

 

Run Disk Cleanup. If Cleanup system files isn’t present, click OK

--- If Cleanup system files is present, click on it, Disk Cleanup will cycle again, upon completion click OK

 

Shut down the computer. Connect the computer directly to the ISP modem/router

Start the computer back up

Run his malware & maintenance programs to ensure his computer is in fact good and clean

Shut down, start back up and verify that the computer doesn't have any more pop-ups and that no malware is calling home

 

Then he can insert his router back into the system

--- There have been times when I did use the router still connected instead of directly connecting to the ISP modem/router and things worked out just as well

--- But in your case eliminating the router in the meantime might make sense



#7 o0Nighthawk0o

  • Topic Starter
  • Members
  • 5 posts

Posted 18 August 2014 - 10:16 AM

Just an update.

 

It seems that changing out the router cured the problem. He did the system restore and installed his old router and the computer seems to be back to normal. No pop ups and no fake virus warnings. He is bringing his other router in for me to check out just to see if there is something strange with it.



#8 cmptrgy

  • Members
  • 1,656 posts
  • Gender:Male
  • Location:Massachusetts

Posted 18 August 2014 - 11:15 AM

Thanks for the update and solution



#9 maggot7

  • Members
  • 91 posts
  • Gender:Male

Posted 18 August 2014 - 11:27 AM

What brand is the router? Even if it is infected, wouldn't resetting it clear the infection? I don't believe routers have non-volatile memory.

 

http://www.tomshardware.com/news/themoon-worm-linksys-infected-8080,26042.html

 

This seems to be one of the few documented router viruses, short of simple DNSChangers



#10 o0Nighthawk0o

  • Topic Starter
  • Members
  • 5 posts

Posted 18 August 2014 - 12:48 PM

I haven't seen the router yet but I don't think it was a virus infecting the router. What I suspect is that while they were in poking around the computer they got into the router and opened a port and set up a route to that computer. No other computers that were connected to his home network were affected, just this one computer and only when connected to that network.

 

I want to check the router to see if that is what happened and then close the port or just reset the router to factory defaults.
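Before opening the router's admin page, one check that can be done from the affected laptop itself is to look at what that router handed out over DHCP. The DNSChanger-style router compromise that maggot7 mentions in #9 shows up exactly as the symptom in this thread: a machine that is clean at work and misbehaves only behind one router, because that router is pointing every client at rogue resolvers. The script below is an added example, not code from anyone in the thread. It parses `ipconfig /all` output captured on the home and office networks (both captures are constructed) and flags any DNS server that is neither the default gateway nor on a trusted list; `TRUSTED_RESOLVERS` is an assumption to be replaced with the ISP's resolvers or a chosen public one.

```python
"""Flag DNSChanger-style resolver hijacks from `ipconfig /all` output.

Added example for this thread, not code from the original posters.
Both captures are constructed; TRUSTED_RESOLVERS is an assumption.
"""
import ipaddress
import re

# Constructed: what a client behind the suspect home router might report.
SAMPLE_HOME = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOME-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       203.0.113.46
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed: the same machine on the office network, resolving via the gateway.
SAMPLE_WORK = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.20.30.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.1
   DNS Servers . . . . . . . . . . . : 10.20.30.1
"""

# Assumption: fill in with the ISP's resolvers or the public resolver you chose.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def parse_ipconfig(text):
    """Parse `ipconfig /all` into {adapter: {field: [values]}}.

    Multi-value fields (DNS Servers, Default Gateway) continue on indented
    lines without a colon; those are appended to the last field seen.
    """
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")
            adapters[current] = {}
            last_field = None
            continue
        if current is None:  # global header lines (Host Name etc.) are skipped
            continue
        m = re.match(r"^\s+(.*?)[ .]*:\s*(.*)$", line)
        if m:
            last_field, value = m.group(1), m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
        elif last_field and line.strip():
            adapters[current][last_field].append(line.strip())
    return adapters


def _clean(value):
    # Windows appends "(Preferred)" to addresses and "%N" zone ids to IPv6.
    return value.split("(")[0].split("%")[0].strip()


def check_dns(adapters, trusted=TRUSTED_RESOLVERS):
    """Return (adapter, server, reason) for every resolver that needs explaining."""
    findings = []
    for name, fields in adapters.items():
        addrs = [_clean(v) for v in fields.get("IPv4 Address", [])]
        masks = [_clean(v) for v in fields.get("Subnet Mask", [])]
        gateways = {_clean(v) for v in fields.get("Default Gateway", [])}
        lan = (ipaddress.ip_network(f"{addrs[0]}/{masks[0]}", strict=False)
               if addrs and masks else None)
        for raw in fields.get("DNS Servers", []):
            server = _clean(raw)
            if server in gateways or server in trusted:
                continue  # the router itself, or a resolver you chose: expected
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((name, server, "unparseable resolver entry"))
                continue
            if lan is not None and ip.version == 4 and ip in lan:
                findings.append((name, server, "LAN host other than the gateway is answering DNS"))
            else:
                findings.append((name, server, "off-LAN resolver not on the trusted list"))
    return findings


if __name__ == "__main__":
    for label, capture in (("home", SAMPLE_HOME), ("work", SAMPLE_WORK)):
        for adapter, server, reason in check_dns(parse_ipconfig(capture)):
            print(f"[{label}] {adapter}: {server} - {reason}")
```

Capture `ipconfig /all > home.txt` on the home network and again at work, then run both through `check_dns`. If the home capture lists resolvers that the router's own admin page does not show, the router's DHCP or DNS settings have been changed and a factory reset plus a new admin password is the fix, whatever else is found on the PC.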





