
Urgent question about remote access!!


4 replies to this topic

#1 LobsterRed

LobsterRed

  • Members
  • 13 posts

Posted 22 September 2017 - 03:52 PM

Hi!  Yesterday, in an attempt to speed up the process of uninstalling an unwanted trial subscription to Norton Security, I called a toll-free number that I mistakenly thought was giving me Norton, but it turned out to be a company called GuruAid.  While still believing I was dealing with a tech arm of Norton who was helping me swiftly uninstall the unwanted software for free, I allowed GuruAid remote access to my computer.  At a certain point GuruAid demanded a one-time payment of $120 to complete the uninstall-- at that moment I realized that it was not Norton I was interacting with, and shortly thereafter I tried to break the link between my computer and GuruAid by turning off my computer.  But when I turned it back on, GuruAid was still there.  I used Task Manager to try to close out the connection, but it popped right back up. So I turned off that computer (I'll refer to that computer, which incidentally uses Windows 8.1, as computer A) and haven't turned it back on.  24 hours have now elapsed-- I've been using computer B since then-- and I want to know if, when I turn computer A back on, the remote access allowing GuruAid into computer A will still be in effect or whether the mere passage of time will have broken the connection.  If the passage of time alone is not sufficient, what do I have to do to break the link between GuruAid and computer A, and exactly how should I do it?

 

At this point, although I looked GuruAid up on the internet, I'm not sure how dangerous GuruAid is-- do they confine themselves to demanding outrageous payments for trivial tasks or do they behave more nefariously?  I don't know.

 

In any case, I certainly want to destroy any link Computer A has to GuruAid, so please let me know if, after 24 hours, the connection will still exist when I turn on computer A, and if so, what I should do then.


Edited by LobsterRed, 22 September 2017 - 03:58 PM.



 


#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,522 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 22 September 2017 - 05:07 PM

I don't know what you'll see, but if you disconnect the computer from the internet, regardless of what's there, it cannot be actively used to do anything.

 

If you have System Protection enabled I would definitely try to restore to a restore point prior to last night.  Then I would try to uninstall Norton yourself, which should be a very easy task using their uninstaller.  If the latest one doesn't work then keep working backward to the next older one, etc., etc., until one does work or you've exhausted all restore points.

 

If System Restore doesn't work, then, if you take System Image backups, I'd back up all your user data and restore from your most recent full system image backup.

 

If push comes to shove then it's back up your system as it stands in a system image backup, back up your user data separately, then reinstall Windows 8.1.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

 

     In a modern society where everyone thinks their opinion deserves to be heard nothing annoys me more than individuals who mistake their personal preferences for fact.

         ~ Commenter TheCruyffGurn on the The Guardian website, 8/13/2014
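The restore-point step Brian describes (pick the newest restore point from before the remote session, fall back to an older one if that fails) can be driven from an elevated Windows PowerShell prompt. This is an added example written for this thread, not something posted by Brian; the cut-off date is an assumption and should be set to the day before the call. Get-ComputerRestorePoint and Restore-Computer exist in Windows PowerShell (Windows 8.1 ships version 4.0) but not in PowerShell Core.

```powershell
# Added example (not from the thread): list System Restore points that predate the scam session
# and pick the newest of them for rollback. Run from an elevated Windows PowerShell prompt.
# $Cutoff is an assumption; set it to the day before the remote-access call.
$Cutoff = Get-Date '2017-09-21 00:00'

# Restore points expose CreationTime as a WMI datetime string; convert it before comparing.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        SequenceNumber = $_.SequenceNumber
        Created        = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description    = $_.Description
        Type           = $_.RestorePointType
    }
} | Sort-Object Created -Descending

# Show everything that is available, newest first.
$points | Format-Table -AutoSize

$candidate = $points | Where-Object { $_.Created -lt $Cutoff } | Select-Object -First 1
if (-not $candidate) {
    Write-Warning "No restore point older than $Cutoff. Fall back to a system image or a clean reinstall."
    return
}
Write-Host "Newest restore point before the session: #$($candidate.SequenceNumber) ($($candidate.Created)) $($candidate.Description)"

# Back up user data first, then uncomment the next line to roll back (the machine reboots).
# Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
# If the restored state still shows remote-access traces, repeat with the next-older SequenceNumber.
```

Restore points only exist if System Protection was enabled for the system drive before the session; if the list comes back empty, the image-backup or reinstall path in the post above is the remaining option.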

 

              

 


#3 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 24 September 2017 - 06:12 AM

Hi LobsterRed,

Sorry to hear about the situation you are going through. Glad that they didn't screw up much.

 

As Brian said, disconnecting from the internet (pulling the Ethernet cable or switching off the Wi-Fi adapter) will kick them off temporarily, as sometimes they set the remote program to access the computer until it is manually revoked.

 

You can use System Restore to restore the PC to a previous state before you got scammed.

 

Make sure you have no programs installed, like "GoTo Assist" or "LogMeIn" or "Screen Connect" or "TeamViewer" in installed programs list.

Please make sure the TEMP and %TEMP% folders are cleaned manually later.

 

In order to remove the Norton product installed, you can simply go to www.norton.com/nrnr and download the tool listed.

Use "Reinstall" if you intend to reinstall, or use "Advanced options" to remove it completely.

If you are a Norton Identity Safe user, you will have to reinstall the Norton Toolbar (your passwords are most probably stored on Norton servers).

 

Scamming is one of the largest criminal offences on the internet.
Please never ever call the phone numbers you see in these kinds of pop-ups.

In order to contact a company or manufacturer, you should only rely on phone numbers and addresses displayed on that company's website or contact cards.

For contacting Norton, www.norton.com/support

 

If you still suspect suspicious activity, you can get help from here anytime.


Edited by Nikhil_CV, 24 September 2017 - 06:15 AM.

Regards : CV

There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting! Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. :radioactive: signature contents © cv and Someone....... :wink:

#4 LobsterRed

LobsterRed
  • Topic Starter

  • Members
  • 13 posts

Posted 24 September 2017 - 06:23 PM

Hello britechguy and Nikhil_CV,

 

After being exposed to the worst of humanity in my dealings with the deceivers at GuruAid, it's very gratifying to interact with people who are not only not trying to scam me but are actually seeking to help me !!!  Wow!  So I must immediately express my appreciation to you guys: imagine I'm uttering the following words in the kind of thunderous basso profundo that is used to simulate God's Voice in the movies!!  

THANK YOU!!!!

 

So, here's what I've done in the past few days:  synthesizing the disparate pieces of advice I've gotten from all sources into a coherent, sensible plan, the first thing I did as I turned on the affected computer was to instantly put it in Airplane Mode to sever it from the internet and any potential further mischief from GuruAid should there still be a connection between them and that computer.  Then, following a good suggestion, while still in Airplane Mode, I carefully examined my full list of programs in Add or Uninstall a Program and my full list of Apps in the Start Menu to see a) if I saw anything with GuruAid's name in it (when I was going through the Windows process to give remote access to GuruAid, I typed their name into the box that Windows supplied)-- and no, I didn't see anything with GuruAid's name in it, and then, realizing that of course GuruAid, while on that computer, might have slipped something into it without their name on it, I carefully checked to see if I noticed anything that didn't 'belong' in the Add or Uninstall a Program list or any inappropriate new Apps in the Apps list.  Again the answer was 'No', and my pulse started to noticeably slow!  But, at this point my senses were still on Full Alert, as I cautiously left Airplane Mode and connected to the internet.  The first thing that happened was the appearance of a notice from Windows that popped up on my computer screen that said something like "the Host has ended the session" and referenced GuruAid by name.  
That must have been what appeared on the GuruAid guy's screen at some point after I turned off my computer on Thursday and didn't turn it back on (in thinking about why the connection had remained in effect on Thursday when, in my first failed attempt to sever the connection, I briefly turned off and then restarted my computer but GuruAid was still there, I realized that if a person is getting help from someone using remote access, then during the course of the computer repair, it might well be necessary to restart the damaged computer, so a brief interruption shouldn't end the session, only a longer-lasting one-- and 24 hours is certainly long-lasting enough to indicate that a repair session is not still going on!!)  Anyway, after reading that notice from Windows, my breathing returned to normal and my mood brightened considerably!  At least I could be sure GuruAid no longer had remote access to my computer-- at least in the normal way (some illicit means, like using a 'backdoor', couldn't be ruled out, but I'm certainly not computer-savvy enough to determine the presence of something like a 'back door'.)

 

Also on Friday, I backed up all my un-backed-up files (I didn't have too many of those, since I'm pretty good at frequently making safe copies of my files, which I store on not one but TWO external hard drives!-- whether using two external drives is being sensibly cautious or displaying a touch of obsessive-compulsiveness, I'm not entirely sure!!).

 

Then, on Saturday, I returned to the affected computer, and after updating Windows Defender to make sure it had the latest definitions for viruses and malware, I ran a Full Scan of my computer.  Although some people disparage Windows Defender when comparing it to Web Security protectors like Norton or McAfee, which people pay extra for, one thing I'll note in praise of Windows Defender-- their Full Scans are exhaustive!  Their scan on Saturday was something right out of Eugene O'Neill: a long day's journey into night!!!  It took six hours and they detected only one piece of malware, a Browser Modifier: Win32/Obrypser worthy of High Alert in the eyes of Windows Defender and something that ought to be removed from my computer.  Of course, I ordered it removed, but I was pretty sure it had not been placed there during my encounter with GuruAid-- that sort of detection is pretty routine when I run a full scan with Windows Defender.

 

Then, as soon as the Windows Defender full scan had finished, I followed to the letter the suggestion from someone--who deemed himself an expert on the detection and removal of malware, a proficiency gained over many years, he told me-- to download the scan offered on a trial basis from Zemana and to conduct a full scan, but to first go Advanced and check off certain boxes there, which would make the scan even more penetrating and more likely to ferret out any malware lurking deep within my computer.  I ran that scan, and it made four detections, but three of the four I didn't consider genuine detections because they involved items I myself had deliberately downloaded (7zip decompression software and Scanguard), and the fourth detection involved too many empty lines in the Hosts File, with Hosts Hijack mentioned-- I really don't know how to evaluate that threat; in any case I instructed Zemana to repair the problem in the Hosts File.  My conclusion from the Windows Defender and Zemana scans is that GuruAid probably didn't infect my computer with any malware.

 

Britechguy and Nikhil_CV, I'd like your opinion of my overall evaluation of my episode with GuruAid, since my experience with these matters is far more limited than yours.  First, most evil things that unscrupulous people do to innocents on the internet are done anonymously.  People are victimized without realizing it, and by parties whose identity is completely unknown to them.  In contrast, in this case, GuruAid is a known company, with known addresses, including one in Connecticut, and therefore is identifiable and thus capable of being prosecuted by the authorities-- whether in the US, Europe, or India-- should they cross the line between unsavory behavior that nice people don't do and  downright illegal acts that are criminally prosecutable.  In reading a lot about GuruAid on the web, and reviewing my own interaction with their representative, my sense is that they do some sleazy things (like giving me the impression they were a tech arm of Norton, and certainly never correcting me when I expressed that perception at the beginning of our encounter), but they make their money not by the outright cheating of the customer or getting hold of their financial passwords and looting their accounts, but by doing very trivial tasks for affluent computer illiterates and then charging those wealthy but dumb folks ridiculously high fees for it.  The intuitive feeling that I have is that once GuruAid failed to extract the $120 fee from me, they just moved on to another potential 'mark'.  All day today I've been back on the affected computer (I am right now, typing these words!), keeping my eyes open and checking Task Manager frequently for anything unfamiliar or out of place, and I've not noticed anything unusual-- except for one thing, that I'm still trying to understand.  
On Thursday, during the remote access session with GuruAid, when they hit me with the absurd $120 fee and I realized that I was not dealing with Norton and I immediately turned off my computer, when I turned it back on, instead of getting the desktop with its usual colorful background, I got an absolutely black screen, with just my icons on the blackness, and the taskbar at the bottom.  And every time I've turned this computer on since then, I've found the same black screen with my icons on it, and with the taskbar at the bottom.  So clearly something happened during GuruAid's time on my computer that caused this, but I have several questions about it: was it a deliberate act done by GuruAid either out of pure anger or from a desire to perhaps intimidate me into cooperating with their demand for the $120 fee (by implicitly threatening not to return my computer to normal unless I paid them), or was it done accidentally, or as a byproduct of some other action taken by them, perhaps in the course of beginning to uninstall the Norton trial software?  By the way, while still connected to GuruAid on Thursday, I went to the real Norton website and was guided by them through the removal process to rid myself of their trial software.  Anyway, what do you guys think happened that resulted in the black screen instead of the colorful background I had on my desktop?  And if a person simply wanted to remove the colorful image from the desktop and make it a black screen, how would they do that?

 

Well, that's a pretty full account of things; I'm eagerly looking forward to hearing your comments!!

 

Very cordially,

LobsterRed


Edited by LobsterRed, 24 September 2017 - 06:39 PM.


#5 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 01 October 2017 - 03:11 AM

Hi LobsterRed,
 
Sorry for the delay.

LobsterRed said: "when I turned it back on, instead of getting the desktop with its usual colorful background, I got an absolutely black screen, with just my icons on the blackness, and the taskbar at the bottom. And every time I've turned this computer on since then, I've found the same black screen with my icons on it, and with the taskbar at the bottom."

That indicates that the remote access program is not completely removed from your computer.
LogMeIn remote access removes the desktop background and theme customizations temporarily till the session is disconnected.
 
Let me remind you: "You can use the system restore to restore the PC to a previous stage before you got scammed. ".
 
I suggest you to get help from our virus removal forum members ( https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ ) to remove the active remote access program traces or post a topic in Am I Infected ( https://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ ) to be helped after checking further and reply here with a link.
 
Please include screen captures of the messages you think you should not be receiving.

Edited by Nikhil_CV, 01 October 2017 - 03:28 AM.

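Nikhil_CV's checklist in post #3 (look for GoTo Assist, LogMeIn, ScreenConnect or TeamViewer in installed programs, clean the TEMP folders) and the point in post #5 that a blanked wallpaper means a remote-access program is still present both come down to the same triage: enumerate the places a support tool leaves traces and report anything that matches. The script below is an added example written for this thread, not code from either poster or from any of the tools named; the tool-name list, the cut-off date and the report path are assumptions, and it is read-only. Run it from an elevated Windows PowerShell prompt on the affected machine, ideally with the network still disconnected, and review the report before removing anything.

```powershell
# Added example (not from the thread): triage a Windows 8.1/10 machine for remote-access tool leftovers
# after a tech-support-scam session. Read-only: it reports, it removes nothing.
# Assumptions: the name list below, the cut-off date for TEMP files, and the report location.
$ReportPath = "$env:USERPROFILE\Desktop\remote-access-triage.txt"
$Patterns = @('TeamViewer','LogMeIn','GoToAssist','GoTo Assist','ScreenConnect','ConnectWise',
              'AnyDesk','Supremo','UltraViewer','Splashtop','Zoho Assist','GuruAid','msra','Remote Assistance')
$Regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Describe each item as one line of text and keep the lines that match any known tool name.
function Find-Matches {
    param([string]$Section, [object[]]$Items, [scriptblock]$Describe)
    $hits = @()
    foreach ($i in $Items) {
        $text = & $Describe $i
        if ($text -match $Regex) { $hits += $text }
    }
    "=== $Section : $($hits.Count) match(es) ==="
    $hits
    ""
}

$report = @()

# 1. Installed programs: 64-bit and 32-bit machine-wide hives plus per-user installs.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue | Where-Object DisplayName
$report += Find-Matches 'Installed programs' $installed { param($p) "$($p.DisplayName) | $($p.InstallDate) | $($p.InstallLocation)" }

# 2. Running processes: scammer-launched tools often run unpacked from %TEMP% or AppData.
$procs = Get-Process | ForEach-Object { [pscustomobject]@{ Name = $_.Name; Path = $_.Path } }
$report += Find-Matches 'Running processes' $procs { param($p) "$($p.Name) | $($p.Path)" }

# 3. Services: persistent tools such as TeamViewer or LogMeIn install one so they survive a reboot.
$services = Get-WmiObject Win32_Service
$report += Find-Matches 'Services' $services { param($s) "$($s.Name) | $($s.State) | $($s.PathName)" }

# 4. Autostart entries and scheduled tasks.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($k in $runKeys) {
    $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
    }
}
$report += Find-Matches 'Run keys' $runEntries { param($r) "$($r.Key) | $($r.Name) | $($r.Value)" }
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
$report += Find-Matches 'Scheduled tasks' $tasks { param($t) "$($t.TaskName) | $($t.'Task To Run')" }

# 5. Files written to the TEMP folders since the session (date is an assumption; set to the day of the call).
$since = Get-Date '2017-09-21'
$tempFiles = Get-ChildItem $env:TEMP, "$env:windir\Temp" -Recurse -File -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -ge $since }
$report += "=== Files in TEMP folders modified since $since : $($tempFiles.Count) ==="
$report += $tempFiles | ForEach-Object { "$($_.LastWriteTime) | $($_.FullName)" }
$report += ""

# 6. Built-in remote-help switches: fAllowToGetHelp=1 allows Remote Assistance, fDenyTSConnections=0 allows RDP.
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$report += "=== Remote Assistance fAllowToGetHelp = $($ra.fAllowToGetHelp) ; RDP fDenyTSConnections = $($ts.fDenyTSConnections) ==="
$report += ""

# 7. Established TCP connections with owning PIDs (only meaningful once the network is reconnected).
$conns = netstat -ano | Select-String 'ESTABLISHED'
$report += "=== Established TCP connections: $($conns.Count) (match the PID column against Task Manager) ==="
$report += $conns | ForEach-Object { $_.Line.Trim() }

$report | Out-File $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

A match in sections 1 to 4 means the tool is still installed or set to start, which is the case Nikhil_CV describes; a session that "ended" only tells you the operator is not connected right now. Section 7 is the counterpart of watching Task Manager: a process you do not recognise holding an ESTABLISHED connection after the network comes back is the thing to bring to the removal forum, together with a screenshot, as post #5 asks.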



