
Hello everyone, New also.


46 replies to this topic

#1 Panlex

Panlex

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 17 March 2017 - 11:26 PM

I recently bought an HP Pavilion All in One. Windows 10 Home. I'm not too computer savvy. Just basic. First time on the net today, some pop-up warns of a virus with an error number and to call an 800# immediately. Some guy talks me into a "go to assist" connection and he operates my mouse through different steps and says I have "Malware, trojan horse", who knows. But I need to buy firewall protection immediately for $500, and he asks for my name, email, credit. I give no credit card. Then I disconnect the cable. I call the retail store where purchased and they give me a number for tech support for HP. That guy sounded more legit, also does a goassist connect and scans all my files. Tells me so far that I have 32 files infected. Not to do a factory reset and he will finish scans tomorrow. But sends a PDF with his contact info. And he is with "geeksoftwareexperts.com". But now he says he can fix and protect me from future attacks and now tomorrow he wants $300 payment. Should I just return the computer to the store and get a new one? Should I leave the comp. disconnected? Appreciate any advice someone can give. Thank you.

Edit: Moved topic from Introductions to the more appropriate forum. ~ Animal



#2 Panlex

Panlex
  • Topic Starter


Posted 17 March 2017 - 11:32 PM

What is the appropriate forum to move my topic to?

#3 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:07:45 PM

Posted 17 March 2017 - 11:57 PM

You are in the appropriate forum. To me it sounds like you just came up against 2 scammers; it's a bit of a learning curve with these new scam techniques.

 

Let's check if you really do have any problems though :)

 

Please download AdwCleaner and save to your Desktop.

  • Right click and "Run as Administrator"
  • Click on the Scan button.
  • After the scan has finished, click Clean and ok the reboot
  • When complete, your machine will restart and a log file will appear
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Right click and "Run as Administrator".
  • The tool will open and start scanning your system.
  • On completion a log will open, note the saved JRT.txt on your desktop to copy into your reply

 

 

Please download and install MalwareBytes Anti-Malware.

  • Run the program.
  • Click Scan Now.
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the HISTORY tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.

 

 

Please download Farbar Service Scanner and run it

  • Please check all of the boxes then click Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log into your reply.

 

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • Please copy and paste the log into your reply.

If prompted by your firewall allow DIG.exe
If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

 

Please copy and paste all the logs into your reply.

 

John


Edited by TsVk!, 17 March 2017 - 11:58 PM.


#4 Panlex


Posted 17 March 2017 - 11:59 PM

Downloading AdwCleaner now. Thank you.

#5 Panlex


Posted 18 March 2017 - 12:03 AM

Where is the scan button once I've downloaded AdwCleaner? I have a new "my way tab" appearing.

#6 TsVk!


Posted 18 March 2017 - 12:09 AM

Do you not have a screen like this when you run the program?

 

[Image: adwcleaner-001.jpg]

 

If you have something different please let me know.


Edited by TsVk!, 18 March 2017 - 12:10 AM.


#7 Panlex


Posted 18 March 2017 - 01:09 AM

Sorry it took so long, whoever is there. I just ran the malware program after downloading it. I created a new file and copied the results. The malware scan came back with 323 detected threats, all under "PUP.Optional.Mindspark". The computer restarted but "chrome" is unavailable on my desktop tab. It says "your file was not found". Should I copy the scan results to a reply here? And should I even let that supposed HP tech guy continue a scan of my computer tomorrow? What other programs should I download to protect?



#8 TsVk!


Posted 18 March 2017 - 01:21 AM

Please copy and paste the scan results and continue with the other 4.



#9 Panlex


Posted 18 March 2017 - 03:17 PM

I'm going nuts with this new computer. Appreciate all input. I scanned and saved with the FRST download the two results. But when I try copying and pasting to this post I get the error "because of browser security settings, editor not able to access clipboard data. Please paste inside the following box using (Ctrl/cmd+V". ?????

#10 TsVk!


Posted 18 March 2017 - 05:16 PM

Hi Panlex,

 

We do not deal with FRST logs in this area. IMO it is probably unnecessary for your machine also.

 

To paste the data hold down Ctrl+Alt and press v

 

The reason your Chrome icon disappeared is likely linked to which version you installed. Internet Explorer can give you a malicious link first in its results before giving you a legitimate Chrome or Firefox link. I saw this just last week on Win 10. The security programs I have advised you to run may remove illegitimate Chrome installs.

 

The correct link is

 

https://www.google.com.au/chrome/browser/desktop/

 

if you wish to re-install it.

 

Now, don't go nuts... Please follow the instructions in post #3.

 

We will have you up and running in no time if you follow my instructions.

 

John



#11 Panlex


Posted 18 March 2017 - 06:04 PM

# AdwCleaner v6.044 - Logfile created 18/03/2017 at 17:44:19
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-18.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : AlexWehr - DESKTOP-TMNLSRU
# Running from : C:\Users\AlexWehr\Downloads\AdwCleaner (1).exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
 
***** [ Services ] *****
[-] Service deleted: rtop
[-] Service deleted: ByteFenceService

***** [ Folders ] *****
[-] Folder deleted: C:\Users\AlexWehr\AppData\Local\WebBar
[-] Folder deleted: C:\Program Files\ByteFence
[-] Folder deleted: C:\Program Files\webBarMedia
[-] Folder deleted: C:\ProgramData\ByteFence
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ByteFence

***** [ Files ] *****
 
***** [ DLL ] *****
 
***** [ WMI ] *****
 
***** [ Shortcuts ] *****
 
***** [ Scheduled Tasks ] *****
[-] Task deleted: ByteFence
[-] Task deleted: WBUpdateTask
[-] Task deleted: WBLaunchTask

***** [ Registry ] *****
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ByteFenceService
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ByteFenceService
[-] Key deleted: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\ByteFence
[-] Key deleted: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\PRODUCTSETUP
[-] Key deleted: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\csastats
[#] Key deleted on reboot: HKCU\Software\ByteFence
[#] Key deleted on reboot: HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: HKCU\Software\csastats
[-] Key deleted: HKLM\SOFTWARE\ByteFence
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence
[#] Key deleted on reboot: [x64] HKCU\Software\ByteFence
[#] Key deleted on reboot: [x64] HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: [x64] HKCU\Software\csastats
[-] Key deleted: [x64] HKLM\SOFTWARE\ByteFence
[-] Key deleted: [x64] HKLM\SOFTWARE\WebBar
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0BCE8B0A-1E76-44E5-9909-3CF804D92E4D}_is1
[-] Data restored: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data restored: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
[-] Key deleted: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKU\S-1-5-21-2272620626-234366973-3376253922-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [WebBar Toolbar]
[-] Value deleted: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [winwb.exe]

***** [ Web browsers ] *****
 
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [1213 Bytes] - [18/03/2017 02:03:28]
C:\AdwCleaner\AdwCleaner[C2].txt - [4391 Bytes] - [18/03/2017 17:44:19]
C:\AdwCleaner\AdwCleaner[S0].txt - [1313 Bytes] - [18/03/2017 02:03:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [4935 Bytes] - [18/03/2017 17:43:37]
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [4610 Bytes] ##########


#12 TsVk!


Posted 18 March 2017 - 06:06 PM

Okay, there's nothing scary in there, just some junkware.

 

Please post the next one.
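
An added example, not part of the original thread and not AdwCleaner's own code: a small Python parser for the AdwCleaner log layout shown in post #11. It counts cleaned items per section, lists the ones still waiting on a reboot, and picks out the autostart points (services, scheduled tasks, Run values) that were removed. The function names are illustrative, and the sample is a shortened excerpt of the posted log.

```python
import re
from collections import Counter

# Excerpt of the AdwCleaner log from post #11 (shortened; lines copied from the thread).
SAMPLE_LOG = r"""# AdwCleaner v6.044 - Logfile created 18/03/2017 at 17:44:19
# Mode: Clean
***** [ Services ] *****
[-] Service deleted: rtop
[-] Service deleted: ByteFenceService
***** [ Folders ] *****
[-] Folder deleted: C:\Program Files\ByteFence
[-] Folder deleted: C:\Program Files\webBarMedia
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ByteFence
***** [ Scheduled Tasks ] *****
[-] Task deleted: WBUpdateTask
***** [ Registry ] *****
[-] Key deleted: HKLM\SOFTWARE\ByteFence
[#] Key deleted on reboot: HKCU\Software\csastats
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [WebBar Toolbar]
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")   # e.g. ***** [ Registry ] *****
ENTRY = re.compile(r"^\[[-#]\] (?P<action>[^:]+): (?P<target>.+)$")

def parse_adwcleaner(text):
    """Return one dict per cleaned item: section, action, target, pending."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            section = m.group(1)
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, "action": m["action"],
                            "target": m["target"],
                            # "on reboot" items are not gone until the restart
                            "pending": m["action"].endswith("on reboot")})
    return entries

def summarize(entries):
    """Counts per section, items awaiting reboot, and autostart points removed."""
    per_section = Counter(e["section"] for e in entries)
    pending = [e["target"] for e in entries if e["pending"]]
    autostart = [e["target"] for e in entries
                 if e["section"] in ("Services", "Scheduled Tasks")
                 or r"\CurrentVersion\Run" in e["target"]]
    return per_section, pending, autostart

if __name__ == "__main__":
    sections, pending, autostart = summarize(parse_adwcleaner(SAMPLE_LOG))
    print(dict(sections), pending, autostart, sep="\n")
```

A non-empty pending list means the machine should be restarted before the follow-up scans are read as final.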



#13 Panlex


Posted 18 March 2017 - 06:12 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64
Ran by AlexWehr (Administrator) on Sat 03/18/2017 at 18:06:47.94
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

File System: 0
 

Registry: 0
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/18/2017 at 18:10:13.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#14 Panlex


Posted 18 March 2017 - 06:25 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 3/18/2017
Scan Time: 6:15 PM
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2017.03.18.07
Rootkit Database: v2017.03.11.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: AlexWehr
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289351
Time Elapsed: 5 min, 59 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 5
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [017e62695a4e5cda91bf20c8df24ad53],
PUP.Optional.WebBar, HKLM\SOFTWARE\MICROSOFT\TRACING\winwb_RASAPI32, Quarantined, [4837edde6444e5511d9becff24dfa957],
PUP.Optional.WebBar, HKLM\SOFTWARE\MICROSOFT\TRACING\winwb_RASMANCS, Quarantined, [245bc2095a4e122430888368030046ba],
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [f68916b5e3c5fd3990c0bf2942c13cc4],
PUP.Optional.SearchManager, HKU\S-1-5-21-2272620626-234366973-3376253922-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [304f3893b9ef96a0173200f653af54ac],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 1
PUP.Optional.WebBar, C:\Windows\System32\config\systemprofile\AppData\Local\WebBar, Quarantined, [6e116f5c495f65d1e557e4ce18eb619f],
Files: 3
PUP.Optional.Webbar, C:\Users\AlexWehr\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winwb.exe.log, Quarantined, [d6a9418af1b7bb7b8271687c758cfa06],
PUP.Optional.Webbar, C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winwb.exe.log, Quarantined, [631cb516a20674c253a00ed670915ba5],
PUP.Optional.WebBar, C:\Windows\System32\config\systemprofile\AppData\Local\WebBar\wb.log, Quarantined, [6e116f5c495f65d1e557e4ce18eb619f],
Physical Sectors: 0
(No malicious items detected)

(end)


#15 Panlex


Posted 18 March 2017 - 06:28 PM

Farbar Service Scanner Version: 27-01-2016
Ran by AlexWehr (administrator) on 18-03-2017 at 18:26:50
Running from "C:\Users\AlexWehr\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****




