2 Simple/Quick Questions-point me in the right direction to solve possible virus


2 replies to this topic

#1 mymaus1


Posted 28 September 2017 - 02:13 PM

I only have 2 simple and quick questions (simple/quick for one of you experts) for now -- 
 
1) Can I just use the Remove the Windows Warning Tech Support Scam self help guide?
2) Is it SAFE for me to wait to do that this weekend instead of now -- I'm under a time crunch but also need to use my computer to access my bank and credit card accounts to complete what I'm working on.
 
I run Windows 7, and use Firefox for my browser. I use Microsoft Security Essentials real-time protection and do full scans with that and Malwarebytes Free once a week. Microsoft Firewall is always on. I am also very careful with my browsing.  I haven't had any kind of virus for longer than I can remember and I'm not sure if I have one now, which is why I'm here.
 
I was talking to my bank this morning because for some reason I could not sign onto my online bank account. They told me to clear Browsing, Download, Forms and Search History. I did this successfully. They then instructed me to go to their website (usbank.com). As soon as I typed it in a robotic announcement came over my speakers saying Microsoft Windows had a virus and a warning screen popped up in the browser page. I even look at the page... I immediately closed the window and I told the bank I needed to call back.  
 
Here are the steps I immediately took:
Opened Malwarebytes Free, updated the definitions and started a scan. 
 
Opened MS Security Essentials, updated definitions and started a Full Scan. 
 
After updates were finished unplugged ethernet cable -> no network or internet
 
Closed all other applications
 
Malwarebytes finished scan with 0 threats detected.
 
MS Essentials is about 25% done after 1.5 hours with 0 threats detected so far
 
While I was waiting I opened Firefox back up and looked at history. I was surprised to find a LOT of history since I had just cleared it with the bank.  I never heard of any of the sites in the history. Here is the order that came up in history (ALL were labeled most recent visit at the exact SAME time):
sarah.tnctrx.com/tr?id=followed by a long string of numbers and characters. 
travellandflightdeals.com/index followed by a long string of numbers and characters
intion-admils.com/ followed by a long string of numbers and characters
eu7bi.redirectvoluum.com/redirect?target= followed by a long string of numbers and characters
server1.trckservfst.com/? followed by a long string of numbers and characters
Then it gets interesting. What follows was 700 (!) locations that all started with the same characters:
alert-1tr2sx1.stream/guest/0
the second ended in 01
the third ended in 012
the fourth in 0123
and so on....700 of them!!!
 
So, my only 2 questions right now are: do I need to just follow the Remove the Windows Warning Tech Support Scam self help guide AND is it safe for me to wait to do that this weekend instead of now -- I'm under a time crunch but also need to use my computer to access my bank and credit card accounts to complete what I'm working on?
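
The history pattern described in the post above (many entries on one host, each URL one character longer than the last) can be checked for in an exported history list. This is an added example, not part of the original post: the function name, the `min_run` threshold and the `CONSTRUCTED` URL tails are assumptions, and the sample holds 10 chained entries where the post reports 700.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DIGITS = "0123456789"

# Constructed sample: hosts and path prefixes are the ones listed in the post,
# the tails marked CONSTRUCTED stand in for the long strings the post omits.
SAMPLE_HISTORY = [
    "sarah.tnctrx.com/tr?id=CONSTRUCTED1",
    "travellandflightdeals.com/indexCONSTRUCTED2",
    "eu7bi.redirectvoluum.com/redirect?target=CONSTRUCTED3",
    "server1.trckservfst.com/?CONSTRUCTED4",
] + ["alert-1tr2sx1.stream/guest/" + DIGITS[:n] for n in range(1, 11)]


def find_history_floods(urls, min_run=5):
    """Return {host: longest_chain} for hosts whose history entries form a
    chain of at least min_run URLs, each extending the previous by one char."""
    by_host = defaultdict(set)
    for raw in urls:
        # History exports may omit the scheme; "//" makes urlsplit see a host.
        parts = urlsplit(raw if "://" in raw else "//" + raw)
        target = parts.path + ("?" + parts.query if parts.query else "")
        by_host[parts.netloc.lower()].add(target)

    flagged = {}
    for host, targets in by_host.items():
        # Sorting by length orders a one-character-at-a-time chain even when
        # every entry carries the same visit timestamp, as in the post.
        ordered = sorted(targets, key=len)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            if len(cur) == len(prev) + 1 and cur.startswith(prev):
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_run:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, length in find_history_floods(SAMPLE_HISTORY).items():
        print(f"{host}: chain of {length} incrementally longer URLs")
```
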
 



 


#2 mymaus1


Posted 28 September 2017 - 04:38 PM

UPDATE: Microsoft Security Essentials just finished without any threats detected. So the questions remain from above: do I need to just follow the Remove the Windows Warning Tech Support Scam self help guide AND is it safe for me to wait to do that this weekend instead of now -- I'm under a time crunch but also need to use my computer to access my bank and credit card accounts to complete what I'm working on?



#3 mymaus1


Posted 28 September 2017 - 09:50 PM

ANOTHER UPDATE: I made some time to follow the Remove the Windows Warning Tech Support Scam self help guide. I ran all of the tools suggested. Below are the contents of the txt file from RKill (only found 1 item - OBroker.exe) and AdwCleaner (found 4 items but they seem harmless). Hitman found a bunch of tracking cookies and a couple old exe files that I recognized and then deleted. Can someone let me know if I'm OK? Things seem to be working OK but I certainly don't want to be accessing my bank accounts if there is still a chance I have a virus.

 

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/28/2017 07:18:32 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\OBroker.exe (PID: 5320) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:


  20 out of 15495 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 09/28/2017 07:18:49 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)
 

 AdwCleaner 7.0.2.1 - Logfile created on Fri Sep 29 00:47:49 2017
# Updated on 2017/29/08 by Malwarebytes
# Running on Windows 7 Home Premium (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

Deleted: C:\Users\All Users\Desktop\eBay.lnk
Deleted: C:\Users\Public\Desktop\eBay.lnk


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d10lpsik1i8c69.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d10lpsik1i8c69.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
Deleted: [Key] - HKLM\SOFTWARE\AVG Secure Search
Deleted: [Key] - HKU\S-1-5-21-164053083-3145499044-3792551303-1000\Software\YahooPartnerToolbar
Deleted: [Key] - HKCU\Software\YahooPartnerToolbar
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Deleted: [Value] - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn|SBOEM2
Deleted: [Key] - HKLM\SOFTWARE\InfoAtoms
Deleted: [Key] - HKU\.DEFAULT\Software\Auslogics
Deleted: [Key] - HKU\S-1-5-18\Software\Auslogics


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2257 B] - [2017/9/29 0:45:14]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########





