Scammed-need to clear computer of contamination!


Post by macmanetz on Mon 28 Apr 2014, 6:18 pm

I am not sure where to place this issue.....but can you help me.
Yesterday, I was scammed into paying for my Windows to be "reactivated" in order to get rid of all the "hackers/viruses/malware" on my computer (which could only be done by him) or face having my new week-old computer blocked. Before I knew it, a "technician" was remotely manipulating my computer and downloading programs. My computer is still usable and runs as good as new, but now has programs on it that I don't trust. This event took place on 4/26/2014 between 3-5pm EST. Here's what I now have found on my computer:

***ON THE DESKTOP, THE FOLLOWING SHORTCUTS:
-Anti Hacker
-ATF Cleaner
-Malwarebytes AntiMalware Pro
-WebShield
   (the 4 above all have what looks like the Microsoft shield logo on the icon but at
    closer look it is actually a blue and yellow shield in the same shape and reflection as
    the MS shield-and I also see another icon with this shield called Lenovo Veriface and
    I'm not sure if this icon was present before the event.  I did see the technician pop
    by the Lenovo site-I watched him.....)
Computer Performance
CCleaner
Google Chrome
EventC (this does not have a shortcut symbol on it)

***"GLOBAL IT" FOLDER ON THE DESKTOP CONTAINS:
Anti Hacker  (.exe)
ATF-Cleaner (.exe) by Attribune.org
ccsetup406 -by Piriform Ltd. (in Properties it says application.exe) Digital signature is OK.   The certificate is valid from 6/24/2013-9/24/2015

Computer Performance (in Properties it says application.exe)Description: Sysinternals Process Explorer.  Digital signature is OK. ..but certificate is valid from 1/24/2013-4/24/2014

desktop.ini file
DisableUACforAdmin
Evntvwr Cleanr
favicon ICO File (.ico) (looks like a Microsoft Globe image and says Microsoft)
Malwarebytes license Key text document
mbam-setup-1.75.0.1300 Signature is OK but valid from 5/23/2011-6/4/2013
WebShield, by Bleeping Computer LLC (in Properties>Digital Signatures>details it says the signature is not valid.)

***IN THE DOWNLOAD FOLDER:
-aa_v3 - application (.exe) Description Ammyy Admin. Signature is OK. Certificate valid 1/13/2014-1/14/2015
-aa_v3 text document (.log)
-ccsetup-application (.exe) signature OK . Certificate 6/24/2013-9/24/2015.
-mbam-setup-1.75.0.1300 - application (.exe) Signature is OK but valid from 5/23/2011-6/4/2013
-Support-LogMeInRescue (1)
-Support-LogMeInRescue(2)
-Support-LogMeInRescue - application (.exe) Signature OK. Certificate valid 9/24/2012-10/10/2015

***IN THE PROGRAM FILES, I ONLY SEE, (IN REGARDS TO THIS EVENT):
-CCleaner
***IN THE PROGRAM FILES (x86), I FIND THE FOLLOWING FOLDERS (IN REGARDS TO THIS EVENT):
-Google (with a Chrome folder inside)
-LogMeIn Rescue RC - 7d1e22b2-8121-4749-8fd7-c5ab2887aff5  (Interesting that the date modified of this folder says 4/27/2014 at 9:04am when I believe that this was installed on 4/26/2014....are they still making changes to my computer????)
-Malwarebytes' Anti-Malware

***IN THE "UNINSTALL A PROGRAM" AREA, IN REGARDS TO THIS EVENT, I ONLY FIND:

-Malwarebytes Anti-Malware version 1.75.0.1300
-Google Chrome
-CCleaner

So where are the rest of the programs that link to the desktop shortcuts?
I've blocked my Visa card, changed my yahoo & amazon passwords. I do not do banking on line.  What else do I need to do to get rid of this mess???

How can I be sure that they can not take remote control again or are popping in on my computer ??

I read about someone else that this happened to and they reinstalled Windows (I guess they were able to regain control of their computer that way)....do I need to do that? go back to factory specs???

I am currently using a 30 day trial of McAfee and have a licensed copy of Panda on hand for afterwards and also want to buy the pro version of Malwarebytes (which I see that you offer an affiliate link for). Otherwise, everything seems to be  working fine, but I don't trust any of what was done nor the software that was added!

Do I need to change my wifi password? Could these bad people remotely take over another computer on my wifi???  Is it safe for THAT computer to pay bills? Is it safe for me to use my computer on other wifi systems??

You helped me out a few years back, which I was very grateful for.  Can you help me now, please??? With as traumatic as this event was, I " won't be fooled again!"
PS: What is a P2P program which I need to "uninstall before asking for help?"??

-----------------------------------------------
Hope it was OK to start this as I found posted on your site....

# AdwCleaner v3.204 - Report created 28/04/2014 at 02:47:04
# Updated 26/04/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : Diana - MAGICSTAR
# Running from : C:\Users\Diana\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Diana\AppData\Local\Pokki
Folder Deleted : C:\Users\Public\Pokki

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
Key Deleted : HKCU\Software\Classes\pokki
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17037


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\kylr0zt8.default\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Users\Diana\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************


AdwCleaner[R0].txt - [1545 octets] - [28/04/2014 02:42:15]
AdwCleaner[S0].txt - [1445 octets] - [28/04/2014 02:47:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1505 octets] ##########

How should I go about re-downloading Malwarebytes when I already have it installed (although it is a suspicious copy)??

macmanetz
Rookie Surfer
Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1
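An added triage script (my own, not code from the thread or from GeekPolice) that does in one pass what the post above does by hand: it lists the executables left in the "GLOBAL IT" and Downloads folders with their Authenticode status and certificate validity, checks the Run keys and the UAC setting that the DisableUACforAdmin file suggests was changed, and looks for leftover services, scheduled tasks and program folders tied to the remote-access tools the post names (Ammyy Admin, LogMeIn Rescue). It assumes the user name and folder names given in the post and is meant to be run in an elevated PowerShell on the affected machine.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on the affected PC.
# Assumptions: the user name and folder names come from the post; adjust $UserName if needed.
$UserName    = 'Diana'
$Folders     = @("C:\Users\$UserName\Desktop\GLOBAL IT", "C:\Users\$UserName\Downloads")
# Remote-access tools the post names (aa_v3 = Ammyy Admin, LogMeIn Rescue), as a match pattern.
$RemoteTools = 'Ammyy|aa_v3|LogMeIn'

# 1. Executables dropped during the session: who signed them and whether the cert is current.
#    "Valid" with an expired certificate is normal for a timestamped signature (the post's
#    mbam-setup, cert expired 2013); "NotSigned" or "HashMismatch" on a vendor installer is not.
$dropped = foreach ($dir in $Folders) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -Include *.exe, *.msi | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.Name
            Modified    = $_.LastWriteTime
            SigStatus   = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { '-' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}
"=== Executables left in the session folders ==="
$dropped | Sort-Object Modified | Format-Table -AutoSize

# 2. Autostart entries: anything set to run at logon during the session shows up here.
"`n=== Run keys ==="
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
}

# 3. UAC: the "DisableUACforAdmin" file in the GLOBAL IT folder suggests this was turned off.
#    EnableLUA = 1 is the Windows default; 0 means UAC elevation prompts are disabled entirely.
"`n=== UAC ==="
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
'EnableLUA = {0}  ConsentPromptBehaviorAdmin = {1}' -f $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin

# 4. Remote-access footholds: services and scheduled tasks tied to the tools the post names.
#    A clean uninstall leaves none; a surviving service means the tool can still accept sessions.
"`n=== Services matching $RemoteTools ==="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { ($_.Name, $_.DisplayName, $_.PathName) -match $RemoteTools } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

"`n=== Scheduled tasks matching $RemoteTools ==="
Get-ScheduledTask |
    Where-Object { $_.TaskName -match $RemoteTools -or
                   (@($_.Actions.Execute) -match $RemoteTools).Count -gt 0 } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 5. Leftover program folders from the session (the post found "LogMeIn Rescue RC" under x86).
"`n=== Program folders matching $RemoteTools ==="
Get-ChildItem -Path 'C:\Program Files', 'C:\Program Files (x86)' -Directory |
    Where-Object { $_.Name -match $RemoteTools } |
    Select-Object FullName, LastWriteTime
```

Anything this turns up is evidence to hand to the helper in the thread, not a reason to delete it before the requested scans have run.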

Re: Scammed-need to clear computer of contamination!

Post by Superdave on Tue 29 Apr 2014, 1:42 am

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.  

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
You can uninstall MBAM and download this one. Update it and run a scan.
Don't change any passwords until later.
********************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Superdave
Tech Staff
Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Wed 30 Apr 2014, 5:04 pm

Hello Dave,
1. Please be patient with my responding as my current situation has me without an internet connection and dependent on other networks.
2.The "infected" computer CAN access the internet but is it safe to use someone else's WiFi?  (this would be the easiest way to download your apps) or should I use a storage device just to be on the safe side?
3. The links in your answer do not work. Although they are blue, in checking the html, I find they are not actively hot linked. So I could not download malwarebytes or the other link. 
Hope to hear from you soon with updated links so I can try again at my next WiFi visit... (using my mobile right now)...thanks again.


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Wed 30 Apr 2014, 11:05 pm

The links work well for me so it must be a problem with the computer. Download MBAM on another computer and transfer it to your computer.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Thu 01 May 2014, 7:15 am

I did manage to download Malwarebytes after I logged into GeekPolice onto a storage device. Since I didn't get an answer about using someone else's wifi, I assume that it was OK, held my breath and installed it on the "infected computer". It did seem to be a different version than the one that I uninstalled first (and loaded by the bad person). The format was different than what I was used to and it did not give me an option for quick or full scan....just scan... so that's what I chose. When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?
The results are as follows (How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):

Malwarebytes Anti-Malware

Scan Date: 4/30/2014
Scan Time: 3:50:39 PM
Logfile: malwarebytes results 4_30_2014.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.30.10
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 255043
Time Elapsed: 18 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Thu 01 May 2014, 9:09 am

The format was different than what I was used to and it did not give me an option for quick or full scan....just scan... so that's what I chose.
That's the second time I've heard that. I'm going to download a new version and try it.
When I went to remove the storage device, there was a small symbol of Malwarebytes with an exclamation mark on it.....what does that imply?
I'll see if I duplicate that.

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.



Re: Scammed-need to clear computer of contamination!

Post by Superdave on Thu 01 May 2014, 10:08 am

(How is it I have a Premium version??? I notice that the rootkits are disabled....did I really run a full scan?):
You must have downloaded the Premium version. After we're finished, you can download the free version, if you wish, and keep it on your computer. I run mine once a week. The Rootkits are disabled because they have a separate scanner for rootkits.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 3:36 am

I think that there might be something hinkey with the way MBAM loaded. First, I uninstalled the version that the hacker technician loaded (which was a PRO/premium version). I did NOT reboot...maybe I should have? When I went to install your version, it walked me thru the whole accept the terms, next...next...next ...finish and then I was suddenly back to the beginning of the whole procedure! Went thru it again and this time this premium version came up. I am familiar with M.B.'s free version. I intend to buy the premium version thru your site when we are done here but I have NEVER bought or ordered the premium version otherwise. I need to get to a wifi to download your latest link. Again, I will uninstall MB but should I reboot before install of the beta version?


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 3:44 am

Writing from my mobile. At a certain point the reply box does not allow me to review my message...sorry. I'm a little confused...in rereading your post...the very next thing that you want me to do, is to download MBAR and run that....&leave MBAR alone for the moment....correct?
Fyi: I have removed all personal data except for MBAM LOGS. Also when I changed my passwords, mentioned in my initial request, I used another computer.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 3:48 am

That's leave MBAM alone (darn auto-correct)


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Fri 02 May 2014, 5:46 am

I will uninstall MB but should I reboot before install of the beta version?.
Yes, some uninstalls require a re-boot.
I need to see the log for MBAR when you able to get it to me.



Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 6:34 am

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

Database version: v2014.05.01.12

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17031
Diana :: MAGICSTAR [administrator]

5/1/2014 3:15:50 PM
mbar-log-2014-05-01 (15-15-50).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 252248
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 6:35 am

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17031

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 8497946624, free: 6443999232

Downloaded database version: v2014.05.01.12
Downloaded database version: v2014.03.27.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7D9FBC7E

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1868343819
GPT Header CurrentLba = 1 BackupLba 1953525167
GPT Header FirstUsableLba 34 LastUsableLba 1953525134
GPT Header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1868343819
Backup GPT header CurrentLba = 1953525167 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1953525134
Backup GPT header Guid 80ca6d62-504e-43a6-a41e-5573ba17365e
Backup GPT header Contains 128 partition entries starting at LBA 1953525135
Backup GPT header Partition entry size = 128

Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID b2128ffa-6eac-4191-8691-bd1a38e572ff
FirstLBA 2048 Last LBA 2050047
Attributes 1
Partition Name Basic data partition

Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID c6f6e5e7-4e50-4ea1-a3e0-ead7876e61bb
FirstLBA 2050048 Last LBA 2582527
Attributes 1
Partition Name EFI system partition

GPT Partition 1 is bootable
Partition 2 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
Partition ID c44120d1-bd51-4091-a063-87e14789a43c
FirstLBA 2582528 Last LBA 4630527
Attributes 1
Partition Name Basic data partition

Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID b7eb7258-98d-46e9-b56b-2c50359d380
FirstLBA 4630528 Last LBA 4892671
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID b54680f9-d2cd-4e9f-b30-7b235e9b3136
FirstLBA 4892672 Last LBA 1874599935
Attributes 0
Partition Name Basic data partition

Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID f0c68125-3e1a-40e6-9dc9-c1748d1c7887
FirstLBA 1874599936 Last LBA 1927028735
Attributes 0
Partition Name Basic data partition

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 20d2e21b-d373-4c4b-a580-bcb7be45fc2d
FirstLBA 1927028736 Last LBA 1953523711
Attributes 1
Partition Name Basic data partition

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 02 May 2014, 6:36 am

It said I had no malware and did not offer a cleanup button! so I ended and here are the reports.


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Fri 02 May 2014, 9:09 am

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 04 May 2014, 4:59 am

After 3 hours+ and only being at 47%, I left the computer running at a friend's house. This morning, the power seemed to be off and needed to be restarted but amazingly found on the desktop everything the way I had left it and still at 47% but still scanning files. After 21+ hours it finally went from 78% to done!! It said that there were no threats (amazing) and gave me no option for the button "List of Found Threats" or "Export to text file"...only an option to Finish. So I found the log thanks to your posting where I could find it in the ESET program files.  Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-02 06:31:03
# local_time=2014-05-02 02:31:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25360149 0 0
# compatibility_mode=5893 16776574 100 94 1030033 23015156 0 0
# scanned=5742
# found=0
# cleaned=0
# scan_time=127
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1e44cf19a861ce4ba2b8376f6b3fcb43
# engine=18117
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-05-03 05:01:02
# local_time=2014-05-03 01:01:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5122 16777214 66 62 0 25441148 0 0
# compatibility_mode=5893 16776574 100 94 1111032 23096155 0 0
# scanned=208165
# found=0
# cleaned=0
# scan_time=80885


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sun 04 May 2014, 5:10 am

How's the computer now? Any other issues?


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 04 May 2014, 5:15 am

I didn't remove any of the ESET scan downloads....and have closed out those screens.......?


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 04 May 2014, 5:36 am

"by Superdave on Sat 03 May 2014, 2:10 pm
How's the computer now? Any other issues?"

My computer has run smoothly all along but I was concerned about threats, changes of settings and all these programs that were installed and staring at me on my desk top (see my initial post):

1. Are you saying my computer is clear...no problems?
2. other issues: when I boot up, I see a flash of the black run window and at the same time it shows an icon on the task bar but both are gone in a flash. I don't remember seeing this prior to this hacking/technician event....maybe this doesn't have anything to do with it or maybe someone can access my computer thru this???? (He did change settings here and there and I took photos while he did it...and I don't know what those changes imply)

3. Previously, I had a house button on the task bar and it was sort of like a START button....had put off exploring it but now it's not there.....was it removed somewhere along all of this??
4. The regular icon for Mozilla/Firefox appears as a sheet with a turned down corner....how do I get back the regular fox in a circle icon back???
5. what do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them...does that mean they have been OKed???


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 04 May 2014, 5:48 am

Did you still want me to run Security Check by screen317?


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sun 04 May 2014, 6:29 am

Previously, I had a house button on the task bar and it was sort of like a START button....had put off exploring it but now it's not there.....was it removed somewhere along all of this??
I'm not sure about that button. I've never seen it before. Is it something you installed yourself?
The regular icon for Mozilla/Firefox appears as a sheet with a turned down corner....how do I get back the regular fox in a circle icon back???
Your best bet would be to uninstall and re-install Firefox.
what do I do with all these programs that were installed??? 4 have MS blue & yellow shields on them...does that mean they have been OKed???
You may keep AdwCleaner and MBAM and run them on a regular basis, if you have room for them.
Did you still want me to run Security Check by screen317?.
I just wanted to see what you have for protection but this next scanner will tell me.

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

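The question in Superdave's post above, whether a Microsoft-looking shield icon means a program has been "OKed", has a practical answer: the icon is just a picture, and the only things worth checking are the Authenticode signature, the signer, the certificate's validity window and the file hash. The following PowerShell script is an added example, not code from this thread or from any of the tools named in it. It assumes the folder the scammer created is still at `%USERPROFILE%\Desktop\Global IT` (an assumption; change the path to match) and that the desktop shortcuts live in the user's Desktop folder. It needs PowerShell 4.0 or later for `Get-FileHash`, which Windows 8.1 ships with.

```powershell
# Added example: enumerate the executables a remote "technician" dropped on the
# machine, resolve the desktop shortcuts to their real targets, and report the
# signature status, signer, certificate validity window and SHA-256 of each file.
# Nothing here trusts an icon; only the signature and hash are inspected.
param(
    [string]$ToolFolder = "$env:USERPROFILE\Desktop\Global IT",   # assumed location
    [string]$Desktop    = "$env:USERPROFILE\Desktop"
)

function Get-ShortcutTargets {
    # Resolve every .lnk on the desktop to the file it actually launches.
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter *.lnk -File | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [PSCustomObject]@{ Shortcut = $_.Name; Target = $lnk.TargetPath }
    }
}

function Get-FileTrustReport {
    # One row per binary: signature state, who signed it, when the cert is valid,
    # and a hash that can be compared against the vendor's published value.
    param([string[]]$Files)
    foreach ($file in $Files | Where-Object { $_ -and (Test-Path $_) }) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate
        [PSCustomObject]@{
            File      = Split-Path $file -Leaf
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($cert) { $cert.Subject } else { '(unsigned)' }
            NotBefore = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter  = if ($cert) { $cert.NotAfter }  else { $null }
            SHA256    = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        }
    }
}

# Binaries inside the dropped folder plus whatever the desktop shortcuts point at.
$folderBinaries = Get-ChildItem -Path $ToolFolder -Recurse -Include *.exe,*.dll,*.msi -File |
                  Select-Object -ExpandProperty FullName
$shortcutTargets = Get-ShortcutTargets -Path $Desktop |
                   Where-Object { $_.Target -match '\.exe$' } |
                   Select-Object -ExpandProperty Target

Get-FileTrustReport -Files ($folderBinaries + $shortcutTargets | Sort-Object -Unique) |
    Format-Table -AutoSize
```

A `Status` of `Valid` only says the file was signed by the named subject and not altered since; it does not say the signer is who you expected, so read the `Signer` column against the vendor you thought you were getting (Piriform for CCleaner, Microsoft for Sysinternals tools). A certificate whose `NotAfter` is already in the past, or a `NotSigned` status on something presented as a security product, is a reason to remove the file rather than run it.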

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Thu 08 May 2014, 1:34 am

"To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure."

I am unsure and the "here" link comes up with an "error|PC Help Forum" (and I'm logged in). need new link, please.

macmanetz

Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Thu 08 May 2014, 5:03 am

Sorry. To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

Superdave
Tech Staff


Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Fri 09 May 2014, 5:47 pm

1. Thanks for the new link; however, McAfee LiveSafe-Internet Security (the 30 day trial included with this new computer) is not listed.  I tried the other McAfee options to see if they led me to possibly disabling it. Will turning off the Real-Time scanning be ENOUGH, or do I need to turn something else off as well, like the firewall? I checked to see if the Windows firewall was on but it said that it was under the control of McAfee (which expires in 11 days but I would like to delete the whole thing and install Panda in the next 5 days).

2. Do I need to also disable Malwarebytes, which opened upon bootup, for the first time today, and said that I was updated and protected! And what about all that other stuff that was put on my computer: Anti Hacker, ATF Cleaner, Webshield, Computer Performance, Event C, & CCleaner???? Do any of these need to be disabled? (I have not even opened them and don't know if they are actively running).

3. I thought that I’d download ComboFix and be ready for your responses. While trying to do this, suddenly McAfee said that I had a Trojan:
Item: Wcj+TfdH.exe.part     Threat:   Artemis!D0270A3C736B  
and was put in quarantine...no further actions were necessary. I tried to download 3 more times with the other Artemis items being E4LK7Y0y.exe.part and twice it was ComboFix.exe

4. So, I realized that I needed to turn off McAfee's Real-Time scanning just to download ComboFix. I did that, without McAfee’s interference, put the icon on the desktop & double clicked; I got the following message and have no idea where to look to change the “Modes”:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit”.
FYI, I am now back home and hope to respond more quickly....thanks for your patience and guidance.

macmanetz

Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1

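The "ComboFix is not meant to run in 'Compatibility Mode'" message in the post above comes from a per-executable compatibility layer that Windows stores in the registry (the same setting as the Compatibility tab in a file's Properties dialog). The script below is an added example, not part of this thread or of ComboFix, that lists which programs have such a layer applied for the current user and for the whole machine, so the entry can be found and cleared before the tool is run again. The ComboFix path is an assumption.

```powershell
# Added example: list compatibility layers applied to executables and show how to
# clear one. Windows records a checked "Run this program in compatibility mode"
# box as a value under AppCompatFlags\Layers: the value name is the full path of
# the executable, the value data is the layer string (e.g. "~ WIN7RTM").
$targetExe = "$env:USERPROFILE\Desktop\ComboFix.exe"   # assumed location

$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',  # this user
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # all users
)

function Get-CompatLayers {
    # Return one object per executable that has a compatibility layer set.
    foreach ($key in $layerKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -like '*.exe' } |
            ForEach-Object {
                [PSCustomObject]@{ Hive = $key.Split(':')[0]; Executable = $_.Name; Layer = $_.Value }
            }
    }
}

function Clear-CompatLayer {
    # Remove the layer for one executable. HKLM entries need an elevated shell.
    param([string]$ExePath)
    foreach ($key in $layerKeys) {
        if ((Test-Path $key) -and (Get-ItemProperty -Path $key).PSObject.Properties.Name -contains $ExePath) {
            Remove-ItemProperty -Path $key -Name $ExePath
            "Cleared compatibility layer for $ExePath in $key"
        }
    }
}

# Show everything that currently has a layer, then clear the one for ComboFix if present.
Get-CompatLayers | Format-Table -AutoSize
Clear-CompatLayer -ExePath $targetExe
```

If `Get-CompatLayers` shows the ComboFix path with a layer such as `~ WIN7RTM`, that is the setting the error message refers to; clearing it (or unticking the box on the file's Compatibility tab) removes the cause. If no entry exists for the file, the message was produced for another reason and the compatibility setting is not what needs changing.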

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sat 10 May 2014, 4:52 am

It appears that bleeping computer is the designated site (?) for combofix based on this following guide: [You must be registered and logged in to see this link.]

so I assume they have the latest version. I believe that I chose the BC link that you offered to download from. It appears that combofix is still not compatible with 8.1....Do you want me to uninstall it, make sure it is downloaded from BC and try again? what do you want me to do next?

macmanetz

Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1
