Possible ransomware infection - unsure how to proceed



#1 Nixxxed


Posted 11 November 2016 - 08:50 PM

I am helping an elderly family friend diagnose his computer problems.  He has fallen victim to a fake technical support scam by a company called "Adroit Rescue", and has paid their "fee" for what they claim is a year's worth of technical support.  I have his computer, and it is disconnected from the internet.

 

In looking through the machine, I see that the scam happened on August 7, 2016.  A text document was placed on the desktop, with the title "COMPUTER TECHNICIANS".  Inside, it lists the technician's supposed name and employee ID, the company name and phone number, and a customer ID number.

 

On the day the scam happened, he said he received a popup on the screen which froze his computer, then received a phone call from Adroit.  He had no idea how they acquired his phone number.  He also cannot remember how the popup occurred - either by clicking an email link, Facebook link, Microsoft Edge browser ad, etc.  He said they spent an hour on the phone with him.  They did their fake security presentation on the computer screen, and "unlocked" his machine after taking his credit card information over the phone.

 

How do I go about determining exactly what they have done to his machine?

 

By searching the hard drive, I see the following happened on August 7th:

 

-  A folder for ADWCleaner was created.  Its logfile shows removal of the following:

   -  ask.com

   -  dotomi.com

   -  land.pckeeper.software

   -  media-dc6.msg.dotomi.com

   -  pckeeper.software

   -  www.ask.com

 

-  I am seeing error messages that state that Windows Security Center is not turned on.  I checked the Security settings, and Windows Defender appears to be running, but is out-of-date.

 

As I said, this machine is running, but is disconnected from the Internet.  Is it safe to plug into my Xfinity/Comcast modem with two other PCs attached?  I'd appreciate any advice on how to proceed.

 

 

 




#2 Nixxxed


Posted 12 November 2016 - 12:25 AM

A little more info:  This is a Dell Windows 10 machine - my apologies for not mentioning that in the previous post.  I had previously helped him with the Dell update software a few days earlier, and I remember installing Malwarebytes to scan for any malware as a precaution while looking at his setup.

 

Other things I've discovered:

 

-  It appears that in the process of the scam, the scammer uninstalled Malwarebytes, and downloaded a program called "Support-LogMeInRescue" on August 7th at 2:20 PM.  There is a file named "rescue.info" in the root C: directory.  I opened it with Notepad, but it only showed machine / computer code - no legible text.  The date and time of the rescue.info file is August 7th at 2:21 PM.

 

-  The scammers created a manual restore point labeled "tech123" on August 7th at 2:50 PM (the day of the scam).  There is a previous Windows update restore point from earlier that day - 12:38 PM - labeled as "Critical Update".  They deleted all other restore points.

 

-  They then used ADWcleaner as mentioned previously.  The date is August 7th at 4:40 PM.

 

-  The C:\ Program Files\ Common Files\ directory has a last-modified date of August 7th at 4:21 PM, but I cannot see any files inside which also contain that date.

 

-  I also searched for the date 8/7/2016 in both File Explorer and Event Viewer, and found some interesting things:

 

   -  Prefetch entries for CCleaner, LMI_Rescue, Malwarebytes setup, as well as indications that msconfig and Scheduled Tasks were modified.

   -  None of the above programs are now present on the computer.
   -  A strange entry named "TREE.COM-6E1D216E.pf".  Tree.com appears to be Lending Tree, which I hope doesn't indicate an identity theft scam.

   -  There are many files named "laspass.mo" which were created in various AppData\Roaming\Local\Temp\languages\ folders.  Were his passwords stolen?

 

There are many logs, Event Viewer entries, etc still remaining on the computer if they will help determine what was done during the episode.  I'm not sure what else to look for.

 

Also, I was able to successfully install Malwarebytes myself this evening while in Safe Mode.  It detected nothing during its scan.
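The artifacts listed in the two posts above (Prefetch entries, files touched on the day of the session, the named files, restore points, event log entries) can be pulled into one report instead of being hunted down by hand. The script below is an added example, not something from the thread or from BleepingComputer; it assumes Windows PowerShell 5.1 on the affected machine, run from an elevated prompt, with the date and file names taken from the posts.

```powershell
# Added triage example, not from the original thread. Run from an elevated
# Windows PowerShell 5.1 prompt (Prefetch and the event logs need admin rights).
# It lists the same artifact classes the poster found by hand, filtered to one day.
param(
    [datetime]$Day    = '2016-08-07',   # date of the remote session, from the thread
    [string]  $Report = "$env:USERPROFILE\Desktop\triage-2016-08-07.txt"
)
$start = $Day.Date
$end   = $start.AddDays(1)

function Get-FilesTouchedOn {
    # Files created or last written inside the one-day window, recursing under $Root.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.CreationTime  -ge $start -and $_.CreationTime  -lt $end) -or
                       ($_.LastWriteTime -ge $start -and $_.LastWriteTime -lt $end) }
}

$out = @()
$out += "== Prefetch entries last run on $($start.ToShortDateString()) =="
$out += Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -lt $end } |
        Sort-Object LastWriteTime | ForEach-Object { "$($_.LastWriteTime)  $($_.Name)" }

$out += "== Files created/modified that day under Common Files and each user's Temp folder =="
$roots = @("$env:ProgramFiles\Common Files") +
         (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
          ForEach-Object { "$($_.FullName)\AppData\Local\Temp" })
$out += $roots | ForEach-Object { Get-FilesTouchedOn $_ } |
        ForEach-Object { "$($_.LastWriteTime)  $($_.FullName)" }

$out += "== Names the thread singles out (rescue.info, laspass.mo, LMI_Rescue) on the system drive =="
$out += Get-ChildItem "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue `
            -Include 'rescue.info','laspass.mo','*LMI_Rescue*' |
        ForEach-Object { "$($_.LastWriteTime)  $($_.FullName)" }

$out += "== System Restore points still present (the thread mentions 'tech123' and 'Critical Update') =="
$out += Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
            $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            "$when  #$($_.SequenceNumber)  $($_.Description)  type=$($_.RestorePointType)" }

$out += "== System/Application event log entries from that day (installs, service and task changes) =="
$out += Get-WinEvent -FilterHashtable @{LogName='System','Application'; StartTime=$start; EndTime=$end} `
            -ErrorAction SilentlyContinue | Sort-Object TimeCreated |
        ForEach-Object { "$($_.TimeCreated)  $($_.ProviderName)  Id=$($_.Id)  $(($_.Message -split "`n")[0])" }

$out | Out-File -FilePath $Report -Encoding UTF8
Write-Host "Wrote $($out.Count) lines to $Report"
```

Keep the machine off the network while running it, as the poster did; the report is written to the local desktop so it can be copied off by USB and read elsewhere.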



#3 boopme


Posted 15 November 2016 - 12:06 PM

Moved to Gen Security

#4 quietman7


Posted 16 November 2016 - 06:03 AM


Fake ransomware has become an increasingly common scam tactic over the past several years. In some cases it may involve Ranscam (Scam Ransomware) or Tech Support Scamming using browser pop-up and web pages indicating that "your computer is infected with ransomware", "all your files are encrypted" and similar "fake messages". In other cases, it may involve telephone scammers such as the Startup Password computer ransom lockout scam indicating the computer is configured to require a password in order to start up.

Some types of malware will modify the Master Boot Record (MBR) so that it displays a message indicating your computer has been encrypted and that you will be unable to access your data unless you pay a ransom. Actual ransomware infections typically target and encrypt data files, append an obvious extension to the end of encrypted filenames, demand a ransom payment by dropping ransom notes in every directory/affected folder where data has been encrypted, but leave the operating system working so the victim can pay the ransom.

If there are no obvious extensions appended to your file names, no ransom notes and your data is not actually encrypted, then you most likely are dealing with a fake ransomware scam or something else.

You may want to read Beware of Phony Emails & Tech Support Scams which includes recommendations for performing scans with specialized programs to check your system.

If you need individual assistance with a malware infection, you should start a new topic in the Am I infected? What do I do? forum.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

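The three signs quietman7 gives for a real infection (an extension appended to file names, ransom notes dropped in every folder, file contents actually encrypted) can be checked mechanically against the owner's photos and music. The script below is an added example, not from the thread or from the site; it assumes Windows PowerShell 5.1 and the default profile folders, and its header-byte table covers only a handful of common formats.

```powershell
# Added example (not from the thread): the three signs of a real ransomware
# infection described above, checked against the user's data folders.
#   1. an extra extension appended after the real one (photo.jpg.<something>)
#   2. the same small file dropped into many folders (ransom notes)
#   3. file header bytes that no longer match the extension (content encrypted)
param([string[]]$Roots = @("$env:USERPROFILE\Pictures", "$env:USERPROFILE\Music",
                           "$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"))

# Header bytes for the file types the poster said are on the disk (photos, music) plus a few common ones.
$magic = @{
    '.jpg' = @(0xFF,0xD8,0xFF); '.jpeg' = @(0xFF,0xD8,0xFF)
    '.png' = @(0x89,0x50,0x4E,0x47);  '.gif' = @(0x47,0x49,0x46,0x38)
    '.mp3' = @(0x49,0x44,0x33)        # "ID3" tag; raw-frame MP3s (FF ..) are accepted below
    '.zip' = @(0x50,0x4B,0x03,0x04);  '.docx' = @(0x50,0x4B,0x03,0x04)
    '.pdf' = @(0x25,0x50,0x44,0x46)
}
$files = Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue

# Sign 1: "name.jpg.<whatever>" where the inner extension is a type we know.
$doubleExt = $files | Where-Object {
    $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($_.Name))
    $inner -and $magic.ContainsKey($inner.ToLower())
}

# Sign 2: one small file name present in five or more different folders.
$notes = $files | Where-Object { $_.Length -lt 20KB } | Group-Object Name |
         Where-Object { @($_.Group | Select-Object -ExpandProperty DirectoryName -Unique).Count -ge 5 }

# Sign 3: the first bytes on disk disagree with what the extension promises.
$mismatch = foreach ($f in $files) {
    $ext = $f.Extension.ToLower()
    if (-not $magic.ContainsKey($ext) -or $f.Length -lt 8) { continue }
    $fs = [IO.File]::OpenRead($f.FullName)
    try { $buf = New-Object byte[] 4; $null = $fs.Read($buf, 0, 4) } finally { $fs.Close() }
    $want = $magic[$ext]; $ok = $true
    for ($i = 0; $i -lt $want.Count; $i++) { if ($buf[$i] -ne $want[$i]) { $ok = $false } }
    if ($ext -eq '.mp3' -and $buf[0] -eq 0xFF) { $ok = $true }   # MPEG frame sync, no ID3 tag
    if (-not $ok) { $f }
}

"{0} data files checked under {1} roots" -f @($files).Count, $Roots.Count
"Sign 1 - appended extensions : {0}" -f @($doubleExt).Count
"Sign 2 - repeated note files : {0}" -f @($notes).Count
"Sign 3 - header mismatches   : {0}" -f @($mismatch).Count
$doubleExt | Select-Object -First 10 FullName
$notes     | Select-Object -First 10 Name, Count
$mismatch  | Select-Object -First 10 FullName
```

A zero on all three lines matches the thread's conclusion (a text file left on the desktop, nothing encrypted); a non-zero third line deserves a look at the listed files before deciding.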

#5 Nixxxed


Posted 16 November 2016 - 11:46 AM

Thank you very much, quietman7.

 

I read the Phony Emails & Tech Support Scams page, and that appears to be what is going on.  The owner only used his computer to get online.  He has a few family photos on the hard drive, and a couple of folders of music, and those are all.  None of those documents are encrypted, and the only message from the "tech support" scammers is the text file on the desktop.

 

Malwarebytes, MSE, and TrendMicro Housecall scans have all finished without any detection.

 

If I do a factory reset (reformat hard drive and re-install the OS from Dell backup), will that wipe out anything the scammers have possibly hidden on the PC?



#6 Nixxxed


Posted 16 November 2016 - 12:02 PM

I found your "When should I reformat?" post.  I understand now that is the safest way to proceed.  Thank you again for your help.



#7 quietman7


Posted 16 November 2016 - 04:52 PM

You're welcome.



