Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tech Support Phone Scam


  • This topic is locked This topic is locked
8 replies to this topic

#1 jackdup

jackdup

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 07 September 2014 - 02:01 PM

I don't know how many people have had an issue with the phone call from tech support and they want access to your computer and then they essentially lock it and you need a password to get access again and the only way to get the password is to pay them.

A friend called tonight and she was taken in by the scam. Her immediate concern was to get her pictures and other personal documents off of the computer. I have no idea what these people do or if it is just a matter of getting the password and once input everything is okay?

Anyway I took her drive out and connected it to my computer and copied off all of her personal data to a flash drive. I ran Malwarebytes and selected only drive E, which is her drive, but the only problems it showed were on Drive C. I have no idea how it detected issues on Drive C as I had unselected Drive C and only selected Drive E for a scan.

So the first question is, is there a way around the password and to be able to remove it without reinstalling the OS. or recovering from a set of recovery disks?

Second is there a way to access the control panel on her drive with it still being connected to my computer to make a recovery disk for her drive, as like most people she didn't bother making a recovery disk set so if it has to be reformatted and the OS reinstalled she has no disks? It has a partition on the drive which I assume may the recovery information but the only visible folders are system volume information and recycle bin and I do have the appropriate boxes checked so I can see hidden files and operating system files. The computer is an ASUS.

Where is the start menu stored on her computer so I can find the actual shortcut for creating the recovery disk to see what it runs and try to run it that way to make a recovery disk in case it is the only way to recover her computer. I have found more than one start menu folder but they all have the arrow inside which I assume means it is actually in a different folder elsewhere on the drive but have been unable to find a start menu that I can open as they all say access denied.

Thank you

 

This was also posted here

http://www.bleepingcomputer.com/forums/t/547185/tech-support-phone-scam/

 

 



BC AdBot (Login to Remove)

 


m

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:56 AM

Posted 12 September 2014 - 02:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/547265 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jackdup

jackdup
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 12 September 2014 - 09:06 PM

I can't add to much more other than what is posted above. As I literally can't do anything with the computer I can't give you much of what is normally requested. It has Windows 8.1 but am not sure if it is 32 or 64 bit as it is not my computer and am helping out the owner and they do not know if it is 32 or 64 bit.

 

Thank you



#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:56 AM

Posted 14 September 2014 - 11:38 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Lets get going now :thumbup2:

==========================
 
Hi jackdup,
 
Please confirm you can get to the Advanced Startup Options (see methods 4-6 here or try SHIFT+F8 if you can, if you do not know how to get to Advanced Startup Options).
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 jackdup

jackdup
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 14 September 2014 - 01:52 PM

I can get to advanced options but don't have command prompt as an option unless I boot from a rescue USB drive I made from my own computer.



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:56 AM

Posted 18 September 2014 - 09:34 AM

Hi jackdup,
 
Sorry about the delay, I missed the email notification. Use the rescue USB to boot into recovery mode.
 
FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 jackdup

jackdup
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 18 September 2014 - 11:13 AM

You can now mark this as solved as I have found a solution. There is a folder named regback in windows\system32\config. Copying the files in that folder to the config folder replaces the registry files with the backup set found in regback which solved the problem. It may not solve the problem for everyone if another backup was done after the syskey was set but that was not the case for us so we are okay now.

 

Thank you for your assistance and the above may be of help for someone else.



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:56 AM

Posted 18 September 2014 - 01:56 PM

Hi jackdup,

 

Indeed, that is the way to go about fixing the problem. As long as you have that regback folder then you can restore, otherwise you are mostly out of luck unless a system restore point works.

 

I will close this topic now as resolved.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:56 AM

Posted 18 September 2014 - 01:56 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users