
A scammer got remote access to my computer- what do I do now?


6 replies to this topic

#1 gerb1000

  • Members
  • 3 posts

Posted 30 November 2016 - 10:38 PM

We got hit by a scammer who gained access to our computer and now I’m wondering what to do.

 

The computer is running Windows 10 Home edition.

 

It was a classic scam. My son was working on his computer last night – writing a Google Doc on Chrome – when a window popped up that said he had a virus and he needed to call a Microsoft technician to fix it (855-281-5548). 

 

He called… the guy, “Rick”, told him to go to logmeinrescue.com and start a session, so he did. The guy then got into the computer, fished around, and pulled up some files and showed a list of my son’s usernames and passwords… probably the ones stored in Chrome?... and said the virus made the passwords visible and he needed to buy some firewall software for $300. That’s when my son called me. When he told me what was going on, I told him to unplug the computer immediately and hang up on the guy!

 

When I got home, I disconnected his computer from the internet and ran a virus scan (Avast internet security) which came up clean.  My son changed all his passwords from a different computer. The rest of the computers on my home wifi network I changed the network settings to non-discoverable and no file sharing.  They are all running Avast as well.

 

I saw that “Rick” had installed a logmeinrescue app as well as a program called Systweak. I removed them both. I looked through the Avast firewall log and saw that when “Rick” was first contacted, the first thing that happened was that a network rule had been created for HH.exe. Not knowing what else to do I deleted that file. I can see from the logmeinrescue log that Rick requested a bunch of information about the computer as well as three files that belong to a game.

 

So, now that my family has learned a valuable lesson about social engineering, I have these questions:

 

1) How did he get to see user names and passwords? I had assumed they were encrypted if they were stored on Chrome. Is that something anyone can do?

2) Are the rest of the computers on my home network safe or are they compromised now as well?

3) What else do I do on my son’s computer to ensure there is no spyware, etc.? Can I trust Avast to catch anything that might be there? Is there another program that would be helpful? Do I need to do a full reinstallation of the OS?

 

Thanks for any help you can give!




#2 buddy215

  • Moderator
  • 13,196 posts
  • Location:West Tennessee

Posted 01 December 2016 - 04:50 AM

Welcome to BC...

 

You can read about how to view passwords in Chrome: Manage and view saved passwords in Chrome browser

As you can see, Windows login password is needed to view the passwords in the Chrome browser.

 

Changing the passwords should be done along with other account verifications for banks, CCs, stores....

 

How the criminal's popup ad was allowed to appear would be a concern. Suggest you run the scans below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 HolyCowz

  • Members
  • 168 posts
  • Location:GMT

Posted 01 December 2016 - 07:12 AM

@ Gerb1000

HH.exe is a normal Microsoft file; however, some viruses cloak themselves as this file, like Trojan.Gen.2, BKDR_CYCBOT.SME3 and TROJ_GEN.R03AC0CCA15.

 

 

@Buddy215

Is it not best to reinstall the OS in these cases buddy215? I thought that in this kind of thing the attacker may have left another way in undetectable by av/malware scanners? Is this not the case? Sorry to butt in, just interested.

Thank you

 



#4 gerb1000
  • Topic Starter

  • Members
  • 3 posts

Posted 01 December 2016 - 07:37 AM

@Buddy215,

Thanks for the detailed information. I'll try this out when I get back home tonight. I think I'm going to stop saving passwords in Chrome. How did the guy get the Windows login to make the passwords visible?

 

@HolyCowz,

Yeah, I looked up hh.exe and it looked innocent enough, but I didn't understand why an HTML Help program (which is what it is supposed to be) would have needed to access the internet at that moment, so I zapped it. And good question about if reinstall is needed....



#5 buddy215

  • Moderator
  • 13,196 posts
  • Location:West Tennessee

Posted 01 December 2016 - 07:37 AM

The short answer is NO...a reinstall is not necessary...but let's wait and see what Gerb1000's scan logs show. The criminal's intent was to sell some useless crapola....as we've seen in this and other forums at BC...not to install backdoors.



#6 gerb1000
  • Topic Starter

  • Members
  • 3 posts

Posted 01 December 2016 - 10:41 PM

We ran all the recommended programs.  Here are the results:

 

1) MBAM:

 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/1/2016
Scan Time: 9:56 PM
Logfile: mbam-log.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.12.02.02
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Micah E
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 285865
Time Elapsed: 2 min, 54 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 4
PUP.Optional.SysTweak, C:\ProgramData\Systweak, Quarantined, [612960820d8d43f3435b573fb0538a76], 
PUP.Optional.SysTweak, C:\ProgramData\Systweak\Advanced Identity Protector, Quarantined, [612960820d8d43f3435b573fb0538a76], 
PUP.Optional.SysTweak, C:\ProgramData\Systweak\Advanced Identity Protector\1.1.1000.97, Quarantined, [612960820d8d43f3435b573fb0538a76], 
PUP.Optional.SysTweak, C:\ProgramData\Systweak\Advanced Identity Protector\updates, Quarantined, [612960820d8d43f3435b573fb0538a76], 
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
------------------------------------------------------------------------------------------------------------------------------------------------------
2) ADWARE CLEANER:
 
# AdwCleaner v6.030 - Logfile created 01/12/2016 at 22:13:39
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-12-01.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Micah Erb - DESKTOP-J215EE5
# Running from : C:\Users\Micah E\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Micah E\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Micah E\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1207 Bytes] - [01/12/2016 22:13:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1280 Bytes] ##########
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
3) JRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Home x64 
Ran by Micah E (Administrator) on Thu 12/01/2016 at 22:20:33.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 12/01/2016 at 22:21:29.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------------------------------------------------------------------------------------------------
 
Does it look like it found anything interesting?
 
Also, do you have any idea why the scammer would want to copy three files from my download folder to himself?  They were from a game my son downloaded.  The Logmeinrescue log shows that he sent to himself C:\Users\Micah E\Downloads\Happy Adventure\credits.html, C:\Users\Micah E\Downloads\Happy Adventure\d3dcompiler_47.dll and C:\Users\Micah E\Downloads\Happy Adventure\ffmpegsumo.dll?
 
Thanks!
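A small triage script, added here as an example (it is not from the thread, nor a Malwarebytes tool), that pulls the detection rows out of MBAM and AdwCleaner logs in the format posted above and flags AdwCleaner findings from a Scan-mode run, which are reported but not yet removed. The sample logs are constructed, abbreviated from the ones in this post, with the user name replaced by a placeholder.

```python
import re

# Constructed samples, abbreviated from the logs posted earlier in this thread
# (user name replaced by a placeholder).
MBAM_LOG = """\
Objects Scanned: 285865
Processes: 0
(No malicious items detected)
Folders: 2
PUP.Optional.SysTweak, C:\\ProgramData\\Systweak, Quarantined, [612960820d8d43f3435b573fb0538a76],
PUP.Optional.SysTweak, C:\\ProgramData\\Systweak\\Advanced Identity Protector, Quarantined, [612960820d8d43f3435b573fb0538a76],
Files: 0
"""
ADW_LOG = """\
# Mode: Scan
***** [ Registry ] *****
Key Found:  HKLM\\SOFTWARE\\Classes\\CLSID\\{6E993643-8FBC-44FE-BC85-D318495C4D96}
***** [ Web browsers ] *****
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\\Users\\<user>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web data] - aol.com
"""

# MBAM prints each result category as "<name>: <count>"; other "x: <number>" lines are ignored.
MBAM_SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
                 "Registry Data", "Folders", "Files", "Physical Sectors"}

def parse_mbam(text):
    """Map each MBAM category with a non-zero count to its (threat, path, action) rows."""
    findings, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+): (\d+)\s*$", line)
        if m and m.group(1) in MBAM_SECTIONS:
            section = m.group(1) if int(m.group(2)) > 0 else None
            continue
        if section and line.count(",") >= 3:
            threat, path, action = [p.strip() for p in line.split(",")[:3]]
            findings.setdefault(section, []).append((threat, path, action))
    return findings

def parse_adw(text):
    """Return (kind, detail) for every '<kind> Found:' line in an AdwCleaner log."""
    return [(m.group(1), m.group(2).strip())
            for m in re.finditer(r"^(.+?) Found:\s+(.*)$", text, re.M)]

def adw_unresolved(text):
    """AdwCleaner removes items only in Clean mode: findings in a 'Mode: Scan'
    log are still present and need a Clean run (the advice given in this thread)."""
    mode = re.search(r"^# Mode:\s*(\w+)", text, re.M)
    return parse_adw(text) if mode and mode.group(1) == "Scan" else []
```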


#7 buddy215

  • Moderator
  • 13,196 posts
  • Location:West Tennessee

Posted 02 December 2016 - 05:09 AM

Please rerun AdwCleaner and be sure to click on Clean when scan finishes.

 

I'm not a gamer so I can only guess that the scammer thought he could use those files for monetary gain somehow. I see the word credits...maybe your son would know more about how those credits are used.

 

Looks like MBAM removed the scammer's Systweak and something called Advanced Identity Protector.

 

Last scan:

  • Download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply




