Victim of my own idiocy.


11 replies to this topic

#1 scamvictim

Posted 11 January 2018 - 07:27 PM

Okay, so like, I was trying to find the customer service phone number for a website and couldn't find it. So I googled it and found their customer service number on Google. Or so I thought.

 

I called the number, this Indian guy on the phone told me to go to a website, and the next thing you know the website is some kind of remote admin tool and he was moving my mouse. I started to feel awkward, then my friend knocked on the door, and after a few minutes of feeling awkward I made an excuse to hang up the phone.

 

Then it dawned on me, it was fake customer support, and he used Remote Desktop on me.

Now, the computer I was on had a Firewall on as well as Vipre security measures. The computer is currently shut off, and I am on a different computer.

 

I'm kind of panicking right now. What do I do to wipe all traces of possible hacks/malware he installed on me? I don't know for sure if he put any hacks or malware on it; he seemed mostly interested in getting my GPS location for some reason.

 

Anyway, really creeped out right now; would appreciate the help. And yes, I know I am an idiot. I am sorry, but today I was having a really bad day and not really thinking clearly at all when I called the number.






#2 mikey11


Posted 11 January 2018 - 07:33 PM

Do a system restore to a date previous to when this happened. Do not connect to the internet while doing it.



#3 scamvictim


Posted 11 January 2018 - 08:18 PM

Do a system restore to a date previous to when this happened. Do not connect to the internet while doing it.

Not sure whether or not it is enabled, but I'll try. How sure are you this will erase all traces of hackery?



#4 scamvictim


Posted 11 January 2018 - 10:11 PM

Ok so like, turns out the buttholes at Microsoft disabled System Restore by default in Windows 10, so I have no restore points. What do I do?



#5 Condobloke


Posted 11 January 2018 - 11:43 PM

G'day scamvictim, and Welcome to BC

 

Try the steps below. I have a few PC problems myself atm, so I have "borrowed" this from buddy215 (BC Advisor).

 

See what the programs below can find. They will clean, remove malware and remove adware.

 

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run it by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"


Condobloke ...Outback Australian  

 

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

 

Microsoft gives you Windows, Linux gives you the whole house...

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#6 scamvictim


Posted 13 January 2018 - 12:38 PM

Thanks man, I will try that, hope it gets rid of everything.



#7 scamvictim


Posted 13 January 2018 - 06:45 PM

Ok so out of the 3, only 2 returned anything suspicious. The first one seemed innocuous:

"

PUP.Optional.OpenCandy, C:\PROGRAMDATA\VIPRE\PATCHMANAGEMENT\PATCHES\PATCH-SMART.LIGHTNINGUKIMGBURN.EXE, No Action By User, [460], [297667],1.0.3688
PUP.Optional.Trovi, C:\USERS\CUSTOMER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, [4568], [454808],1.0.3688
PUP.Optional.Trovi, C:\USERS\CUSTOMER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 1\Web Data, No Action By User, [4568], [454808],1.0.3688
PUP.Optional.Conduit, C:\USERS\CUSTOMER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 1\Web Data, No Action By User, [510], [454835],1.0.3688

"

 

The second one returned an actual Trojan.

"

PUP.Optional.Legacy, C:\Users\Customer\AppData\Roaming\DriverCure
PUP.Optional.RegCurePro, C:\ProgramData\PARETOLOGIC
PUP.Optional.RegCurePro, C:\ProgramData\Application Data\PARETOLOGIC
PUP.Optional.RegCurePro, C:\Users\All Users\PARETOLOGIC
PUP.Optional.RegCurePro, C:\Users\Customer\AppData\Roaming\PARETOLOGIC
Trojan.Bayrob, C:\Users\Customer\Desktop\Transfer


***** [ Files ] *****

PUP.Optional.Legacy, C:\Windows\SysNative\drivers\swdumon.sys"

 

Don't know what Paretologic is, but it seems harmless.

But the Bayrob trojan is really dangerous.

 

Now, I was having a bad day and I screwed up again: I deleted the trojan before I found out what date it was created. I'm an idiot, I know. I should have found the trojan's file and checked what date it was created, in order to find out whether the Indian guy sent it or not. Now I'm not sure if the trojan was from the Indian guy, or if I had it all along.
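The cleanup procedure in #5 and the creation-date question in #7 both come down to the same triage: what did the remote session leave behind, and what was written to disk while it was open? The script below is an added example, not something posted in this thread or shipped by any of the tools it names. It assumes the incident time from the first post (change it to your own clock), an assumed list of remote-control products that scammers commonly push (the thread never says which one was used), and that the output can be copied off to a USB stick. Run it from an elevated PowerShell with the network disconnected, and collect before you delete anything, because once a file is gone its timestamps go with it.

```powershell
# Added example (not from the thread): triage of a Windows 10 PC after a
# tech-support scammer had remote control of it. Run elevated, network off.
# $Incident is the assumed time of the remote session; $WindowHours is how
# long after it to look for changes.
param(
    [datetime]$Incident    = '2018-01-11 19:00',
    [int]     $WindowHours = 6
)
$From = $Incident.AddHours(-1)      # small slack for clock drift
$To   = $Incident.AddHours($WindowHours)
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Remote-control tools. Assumed list of common products; extend as needed.
$ToolRegex = 'TeamViewer|AnyDesk|LogMeIn|ScreenConnect|ConnectWise|GoToAssist|' +
             'Supremo|UltraViewer|Ammyy|AeroAdmin|RemotePC|Zoho Assist'
$Uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $Uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $ToolRegex } |
    ForEach-Object { Add-Finding 'RemoteToolInstalled' "$($_.DisplayName) InstallDate=$($_.InstallDate)" }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $ToolRegex -or $_.Path -match $ToolRegex } |
    ForEach-Object { Add-Finding 'RemoteToolRunning' "$($_.Name) pid=$($_.Id) $($_.Path)" }

# 2. Persistence: Run/RunOnce keys, services installed in the window
#    (System event 7045), scheduled tasks registered in the window.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    $Props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |       # drop provider metadata
        ForEach-Object { Add-Finding 'Autorun' "$Key\$($_.Name) = $($_.Value)" }
}
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$From; EndTime=$To } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'NewService' "$($_.TimeCreated.ToString('s')) $($_.Properties[0].Value) -> $($_.Properties[1].Value)" }
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Date -and [datetime]($_.Date) -ge $From -and [datetime]($_.Date) -le $To } |
    ForEach-Object { Add-Finding 'NewTask' "$($_.TaskPath)$($_.TaskName) registered $($_.Date)" }

# 3. Accounts: users created in the window (Security event 4720) and the
#    current members of the local Administrators group.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$From; EndTime=$To } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'NewUser' "$($_.TimeCreated.ToString('s')) $($_.Properties[0].Value)" }
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'LocalAdmin' $_.Name }

# 4. Files created during the window. This is the check the poster wished he
#    had done before deleting the trojan. Creation time is a lead, not proof:
#    copying a file resets it and an attacker can rewrite it.
$Roots = $env:USERPROFILE, $env:ProgramData, "$env:windir\Temp"
Get-ChildItem $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -le $To } |
    ForEach-Object { Add-Finding 'NewFile' "$($_.CreationTime.ToString('s')) $($_.FullName)" }

$Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
# Keep a copy off the machine for whoever is helping you (assumed output path).
$Findings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\triage.csv"
```

Two caveats a practitioner would add. First, let the scanners quarantine rather than delete: a quarantined sample keeps its timestamps and can be examined later, which is exactly what was lost here. Second, a clean scan cannot prove a negative. Someone unknown had interactive control of the machine, so the dependable fix is to copy off your documents, reinstall Windows, and change passwords (and talk to your bank if any card details were given) from a device the scammer never touched.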



#8 Condobloke


Posted 13 January 2018 - 08:30 PM

You have not posted the full results from each scan, so I am at a loss to know whether you have quarantined the resulting infections/PUPs or not. And when you say you have deleted the trojan, did you do that via the program that found it?

 

PUP stands for "potentially unwanted program". They are usually installed on your PC when you have installed some piece of software/program and the PUP has been bundled with it. Usually, when you install anything, the safer way is to not just click your way through the install: take the custom install and untick any 'offers' that accompany your software.

 

Did you rerun AdwCleaner to clear/quarantine anything that was found?

 

Please post the full logs which were created by Malwarebytes, AdwCleaner and Malwarebytes Anti-Rootkit.



#9 Condobloke


Posted 18 January 2018 - 10:44 PM

Still there ?



#10 Condobloke


Posted 29 January 2018 - 08:54 AM

I have not heard from you, so I will remove this topic from my watch list.

 

If you need further assistance please open a fresh topic.



#11 scamvictim


Posted 29 January 2018 - 12:09 PM

Still there ?

Yeah, I've just been rather fatigued lately. I don't think they saved the logs, and I don't want to post my computer info over the internet. One of the scans didn't detect anything, so the only real malware I found was a trojan. Unfortunately, I wish I could have examined the creation date of the trojan before I deleted it using the anti-virus; now I am pretty much screwed as to confirming whether the guy planted the trojan or not.



#12 boopme

  • Global Moderator

Posted 30 January 2018 - 01:55 PM

There is nothing in the posted logs our helpers request which would be of any value to cyber-criminals or hackers. If there were anything to be concerned about to include sensitive and personal information, our experts would not ask for it in a public forum. Bleeping Computer is here to assist our members with malware removal, provide security education, awareness, and prevention tips to help them not become infected again. We are not here to ask for any information which may expose our members to risk or harm.

These are comments from one of Bleeping Computer's most senior Site Admins.

While we appreciate your concerns, nothing in the logs is of any value to would-be 'hackers' intent on doing someone harm. Persons knowledgeable enough to create an attack of any significance would not need any information in the logs. Bleeping Computer has been in existence for close to 11 years. We have always operated this way and maintained that our first priority is our members' safety and security. The management of this forum would not put in place a process that would reveal any personally identifiable information.

As has been said the information created by the logs is necessary for those Malware Removal Team members to provide the service. The service is free of charge. While the suggestion you make would be a viable alternative, it would be impossible to implement and manage while maintaining a free service.

Posting logs in open forum

Personal names are common public information and can more easily be traced to social media like Facebook, telephone numbers, phone books, addresses, tax and voter rolls rather than in some log posted on an Internet security forum. Information posted on the Internet is indexed multiple times at archives like The Wayback Machine and due to how Google's cache works..."Google Never Forgets". Attempting to delete or remove anything is not going to work.

Most computers today rely on dynamic (always changing) IP addresses. A dynamic IP address uses Dynamic Host Configuration Protocol (DHCP) to obtain an IP address and typically change when you get a new lease. Since there are not enough IP numbers for each computer, many ISPs and DHCP Servers limit the number of static IP addresses they assign by utilizing a pool of IP addresses instead. The ISP will temporarily assign a dynamic IP address automatically to a requesting DHCP computer from this pool of addresses and it will change each time you connect to the Internet. When you disconnect from the Internet, the temporary dynamic IP address is returned to the IP address pool so it can be assigned to someone else. When you reconnect, you are then assigned a different dynamic IP address from those available in the pool.

The time has come for everyone to understand that if one chooses to use the Internet, they should assume nothing is ever totally safe and nothing is ever totally private.

The BC Staff



