Coworkers got duped by Adware


  • Please log in to reply
8 replies to this topic

#1 manmountain8

manmountain8

  • Members
  • 43 posts

Posted 02 December 2016 - 08:18 PM

So I came in to my weekend job Friday night and found out that on Tuesday my coworkers got duped by a classic adware saying our work computer had been blocked by Microsoft. A quick search of the number 1-877-261-5407 reveals that it is a classic known scam. They called the number and paid them $199 with a credit card. They gave these scammers remote control of the computer and they changed things. They even have a call back number and they answer and pretend to be Microsoft support. It is 1-800-371-8964 if anyone is interested and the guy's name is supposedly Raymond. A quick search of that number reveals it is also a known scam number that has pretended to be support for many different companies including Dell and Microsoft. So anyways, what do I do now? Can someone help me find what they did and remove it? I have not run any scans yet because I want to see the whole picture before I start removing parts of it. Maybe we lucked out and all they wanted was $200 but I doubt it. I would have to imagine they have complete control of the computer. Keyloggers, back doors, who knows what they did. There are a few things on the desktop that I don't recognize. They are 'Send Anywhere', 'Team Viewer 9', and 'Network Security.bat'. Do these guys typically just take their $200 and run or are they after more?




#2 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 03 December 2016 - 01:34 AM

So I discovered they used Team Viewer 9 to gain remote control, or at least remote viewing, of the computer. 'Send Anywhere' is a program they used to share files, and Network Security.bat is supposedly used to clear logs and make the computer appear to be clean. Team Viewer 9 was running and could not be shut down normally. I just had to end all the processes, then I could just uninstall the programs with CCleaner. Malwarebytes didn't find any infection. Could I be missing something?



#3 buddy215

buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 03 December 2016 - 07:00 AM

Once the criminals had access to your computer(s) they could have found and downloaded any passwords and screen names. All should be changed, especially any relating to banking, CCs, shopping, email accounts, etc. Be sure to change any other verifications such as the name of your pet or phone number.


You should dispute the CC charge. You will most likely get your money back. If the CC number was given directly to the criminals then I suggest you cancel the CC.

You will likely find an email in the sent folder confirming the $200 charge. The criminals do that.

 

Use the two programs below to find and remove adware.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 RolandJS

RolandJS

  • Members
  • 4,525 posts
  • Gender:Male
  • Location:Austin TX metro area

Posted 03 December 2016 - 08:18 AM

manmountain8, this is serious, do everything suggested by buddy215 yesterday. Do you have any full image backups of the OS partition and the data partition of the affected [and very likely infected] computers? You mentioned coworkers, plural; is it possible that more than one computer has been compromised through the entry of the first affected computer -- I don't know, BC regulars here can help you determine that. Getting back to full images, if such exist, you can return computer or computers to a state before the scammers got in; what I don't know: just how old are the full images? How recent are they?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#5 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 09 December 2016 - 07:24 PM

AdwCleaner removed this.

 

Folder deleted: C:\Program Files (x86)\ShowMyPCService



#6 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 09 December 2016 - 07:28 PM

Malwarebytes active protection is blocking this...

 

Malicious Website Protection, Domain, 50.22.58.48, services.searchtabnew.com, 57096, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe



#7 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 09 December 2016 - 07:43 PM

Junkware Removal Tool removed this...

 

Successfully deleted: C:\Windows\system32\Tasks\PCDEventLauncherTask (Task)

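A read-only triage pass a defender could run on the affected machine after a session like the one described in post #2 (Team Viewer 9 still running, Send Anywhere, Network Security.bat on the desktop) and the leftovers the cleaners later found (the ShowMyPCService folder, the PCDEventLauncherTask scheduled task); this is an added example, not code from the thread or from any of the tools mentioned. It lists the remote-access tool names wherever they still appear, scheduled tasks and desktop scripts modified in a recent window, and live outbound connections with their owning process. It assumes an elevated PowerShell on Windows 8 or later; the tool-name list and the ten-day window are assumptions to adjust to the real incident date.

```powershell
# Added triage script for a Windows box after an unwanted remote-support session.
# Read-only: it lists, it removes nothing. Run from an elevated PowerShell.
# Assumes Windows 8 / Server 2012 or later (Get-ScheduledTask, Get-NetTCPConnection).

# Tool names from this thread plus a few common remote-support products (assumed list; extend it).
$RemoteTools = @('TeamViewer', 'ShowMyPC', 'Send Anywhere', 'SendAnywhere', 'AnyDesk', 'LogMeIn', 'Ammyy')
$Since       = (Get-Date).AddDays(-10)   # assumed window covering the scam session; adjust to the real date

Write-Host '== Running processes whose name matches a remote-access tool =='
Get-Process | Where-Object { $p = $_; $RemoteTools | Where-Object { $p.ProcessName -like "*$_*" } } |
    Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize

Write-Host '== Installed programs (32- and 64-bit uninstall keys) matching those names =='
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $d = $_.DisplayName; $d -and ($RemoteTools | Where-Object { $d -like "*$_*" }) } |
    Select-Object DisplayName, InstallDate, InstallLocation | Format-Table -AutoSize

Write-Host '== Scheduled tasks whose definition file changed in the window (e.g. PCDEventLauncherTask) =='
Get-ChildItem "$env:windir\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } | ForEach-Object {
        $t = Get-ScheduledTask -TaskName $_.Name -ErrorAction SilentlyContinue | Select-Object -First 1
        [pscustomobject]@{
            Task     = $_.Name
            Modified = $_.LastWriteTime
            Action   = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap

Write-Host '== Scripts dropped on any desktop in the window (e.g. Network Security.bat): shown, never run =='
Get-ChildItem 'C:\Users\*\Desktop' -Include *.bat, *.cmd, *.ps1, *.vbs -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } | ForEach-Object {
        Write-Host "--- $($_.FullName)  (modified $($_.LastWriteTime))"
        Get-Content -Path $_.FullName -TotalCount 40   # print at most the first 40 lines
    }

Write-Host '== Established outbound TCP connections with the owning process =='
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
} | Sort-Object Process | Format-Table -AutoSize
```

Anything it surfaces is a lead to confirm and hand to the cleanup tools or a rebuild from a known-good image, not proof on its own; a browser connection to a domain the antivirus already blocks, as in post #6, is exactly the kind of line the last section makes visible with its owning process.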


#8 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 09 December 2016 - 07:45 PM

Firefox is no longer being redirected by services.searchtabnew.com.

 

Thank you...



#9 buddy215

buddy215

  • Moderator
  • 13,192 posts
  • Gender:Male
  • Location:West Tennessee

Posted 10 December 2016 - 07:03 AM

You're welcome. Other suggested steps to take below:

  • Please download Security Check by glax24 and save the file to the Desktop.
  • Run the tool by accepting all the Security prompts.
  • When complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard.
  • Simply paste the log to your reply.

 

Install an ad blocker if you are not using one. I suggest Adblock Plus. Once it is installed click on the ABP icon and choose Filter Preferences. Uncheck the box next to "Allow some non-intrusive advertisements".

 

Block third-party (aka ad/tracking) cookies from installing. Once blocked, run CCleaner to remove the ones presently installed.

How to disable third-party cookies in all major web browsers

 

Curious... did you get back the $200?


Edited by buddy215, 10 December 2016 - 08:35 AM.
