Scammed-need to clear computer of contamination!


Scammed-need to clear computer of contamination!

Post by macmanetz on Mon 28 Apr 2014, 6:18 pm

First topic message reminder :

I am not sure where to place this issue.....but can you help me.
Yesterday, I was scammed into paying for my Windows to be "reactivated" in order to get rid of all the "hackers/viruses/malware" on my computer (which could only be done by him) or face having my new week-old computer blocked. Before I knew it, a "technician" was remotely manipulating my computer and downloading programs. My computer is still usable, runs as good as new but now has programs on it that I don't trust. This event took place on 4/26/2014 between 3-5 pm EST. Here's what I now have found on my computer:

***ON THE DESKTOP, THE FOLLOWING SHORTCUTS:
-Anti Hacker
-ATF Cleaner
-Malwarebytes AntiMalware Pro
-WebShield
   (the 4 above all have what looks like the Microsoft shield logo on the icon but at
    closer look it is actually a blue and yellow shield in the same shape and reflection as
    the MS shield-and I also see another icon with this shield called Lenovo Veriface and
    I'm not sure if this icon was present before the event.  I did see the technician pop
    by the Lenovo site-I watched him.....)
Computer Performance
CCleaner
Google Chrome
EventC (this does not have a shortcut symbol on it)

***"GLOBAL IT" FOLDER ON THE DESKTOP CONTAINS:
Anti Hacker  (.exe)
ATF-Cleaner (.exe) by Attribune.org
ccsetup406 -by Piriform Ltd. (in Properties it says application.exe) Digital signature is OK.   The certificate is valid from 6/24/2013-9/24/2015

Computer Performance (in Properties it says application.exe)Description: Sysinternals Process Explorer.  Digital signature is OK. ..but certificate is valid from 1/24/2013-4/24/2014

desktop.ini file
DisableUACforAdmin
Evntvwr Cleanr
favicon ICO File (.ico) (looks like a Microsoft Globe image and says Microsoft)
Malwarebytes license Key text document
mbam-setup-1.75.0.1300 Signature is OK but valid from 5/23/2011-6/4/2013
WebShield, by Bleeping Computer LLC (in Properties>Digital Signatures>details it says: the signature is not valid.)

***IN THE DOWNLOAD FOLDER:
-aa_v3 - application (.exe) Description Ammyy Admin. Signature is OK. Certificate valid 1/13/2014-1/14/2015
-aa_v3 text document (.log)
-ccsetup-application (.exe) signature OK . Certificate 6/24/2013-9/24/2015.
-mbam-setup-1.75.0.1300 - application (.exe) Signature is OK but valid from 5/23/2011-6/4/2013
-Support-LogMeInRescue (1)
-Support-LogMeInRescue(2)
-Support-LogMeInRescue - application (.exe) Signature OK. Certificate valid 9/24/2012-10/10/2015

***IN THE PROGRAM FILES, I ONLY SEE, (IN REGARDS TO THIS EVENT):
-CCleaner
***IN THE PROGRAM FILES (x86), I FIND THE FOLLOWING FOLDERS (IN REGARDS TO THIS EVENT):
-Google (with a Chrome folder inside)
-LogMeIn Rescue RC - 7d1e22b2-8121-4749-8fd7-c5ab2887aff5  (Interesting that the date modified of this folder says 4/27/2014 at 9:04am when I believe that this was installed on 4/26/2014....are they still making changes to my computer????)
-Malwarebytes' Anti-Malware

***IN THE "UNINSTALL A PROGRAM" AREA, IN REGARDS TO THIS EVENT, I ONLY FIND:

-Malwarebytes Anti-Malware version 1.75.0.1300
-Google Chrome
-CCleaner

So where are the rest of the programs that link to the desktop shortcuts?
I've blocked my Visa card, changed my yahoo & amazon passwords. I do not do banking on line.  What else do I need to do to get rid of this mess???

How can I be sure that they can not take remote control again or are popping in on my computer ??

I read about someone else that this happened to and they reinstalled Windows (I guess they were able to regain control of their computer that way)....do I need to do that? go back to factory specs???

I am currently using a 30 day trial of McAfee and have a licensed copy of Panda on hand for afterwards and also want to buy the pro version of Malwarebytes (which I see that you offer an affiliate link for). Otherwise, everything seems to be  working fine, but I don't trust any of what was done nor the software that was added!

Do I need to change my wifi password? Could these bad people remotely take over another computer on my wifi???  Is it safe for THAT computer to pay bills? Is it safe for me to use my computer on other wifi systems??

You helped me out a few years back, which I was very grateful for.  Can you help me now, please??? With as traumatic as this event was, I " won't be fooled again!"
PS: What is a P2P program which I need to "uninstall before asking for help?"??

-----------------------------------------------
Hope it was OK to start this as I found posted on your site....

# AdwCleaner v3.204 - Report created 28/04/2014 at 02:47:04
# Updated 26/04/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : Diana - MAGICSTAR
# Running from : C:\Users\Diana\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Diana\AppData\Local\Pokki
Folder Deleted : C:\Users\Public\Pokki

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
Key Deleted : HKCU\Software\Classes\pokki
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17037


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\kylr0zt8.default\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Users\Diana\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************


AdwCleaner[R0].txt - [1545 octets] - [28/04/2014 02:42:15]
AdwCleaner[S0].txt - [1445 octets] - [28/04/2014 02:47:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1505 octets] ##########

How should I go about re-downloading Malwarebytes when I already have it installed (although it is a suspicious copy)??

macmanetz
Rookie Surfer
Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1
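The first post above checks each dropped file by hand in Properties > Digital Signatures. The PowerShell below is an added example for this thread (not code from the post, the forum or any of the tools named) that does the same inventory in one pass: Authenticode status, signer, certificate validity window, whether the signature was timestamped, and a SHA-256 hash that can be compared against the vendor's published hash or looked up in a multi-engine scanner. The two folder paths and the file-type list are assumptions taken from the post's description.

```powershell
# Added example for this thread, not code from the original post or from any of
# the tools it names. Assumed paths: the "Global IT" folder on the desktop and
# the Downloads folder, as described in the post. Nothing here executes or
# modifies the files; it only reads them.
$Paths = @(
    (Join-Path $env:USERPROFILE 'Desktop\Global IT'),
    (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-DroppedFileReport {
    param([string[]] $Folder = $Paths)

    # Scripts and shortcuts are included: the post lists .exe, .bat, .reg and .lnk items.
    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.bat, *.cmd, *.reg, *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.Name
            Modified    = $_.LastWriteTime
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Valid / NotSigned / HashMismatch / NotTrusted / UnknownError.
            # Anything other than Valid corresponds to the "signature is not valid"
            # message the post reports for the WebShield file.
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { '' }
            NotBefore   = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            # A countersignature (timestamp) keeps a signature Valid after the signing
            # certificate expires, so the expired Process Explorer and mbam certificates
            # in the post are normal for older builds and not a warning sign by themselves.
            Timestamped = [bool] $sig.TimeStamperCertificate
        }
    }
}

Get-DroppedFileReport | Sort-Object Status, File | Format-Table -AutoSize
```

Two things the output does and does not tell you. A Valid signature from Piriform, Sysinternals or Malwarebytes proves who built the file, not why it was installed; this kind of scam leans on genuine, signed admin and cleaning tools precisely because they pass such checks. The icon proves nothing at all: the blue-and-yellow shield the post noticed is just a resource in the executable. The file whose status is not Valid is the one whose bytes no longer match what was signed, and that is the one to treat as unknown.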


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sat 10 May 2014, 5:11 am

In my reading about Combofix, it says to basically NOT touch or click on the computer. This brings me to my concern about any of these scans...before doing them, is it OK to go to Power options>change when the computer sleeps>and since I have it plugged in, choose to NEVER put the computer to sleep?....so that I don't have to jiggle the mouse or tap something......?


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sat 10 May 2014, 6:03 am

> Will turning off the Real-Time scanning be ENOUGH?
That's it.
> or do I need to turn something else off as well? like the firewall?
Only if it interferes with the running of CF.
> Do I need to also disable Malwarebytes, which opened upon bootup, for the first time today, and said that I was updated and protected! And what about all that other stuff that was put on my computer: Anti Hacker, ATF Cleaner, Webshield, Computer Performance, Event C, & CCleaner???? Do any of these need to be disabled? (I have not even opened them and don't know if they are actively running).
No, that shouldn't be necessary.

> is it OK to go to Power options>change when the computer sleeps>and since I have it plugged in, choose to NEVER put the computer to sleep?....so that I don't have to jiggle the mouse or tap something......?
Try changing the settings before running CF.

Superdave
Tech Staff
Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sat 10 May 2014, 6:19 am

I just turned off the Real time scanning in McAfee, changed the power options to Never and double clicked on the CF icon and again (as I mentioned two posts ago-above) I got the following message and have no idea where to look to change the “Modes”:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit”. What do I do?


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sat 10 May 2014, 9:40 am

Ok, here's what I found in my Windows 8 about compatibility. You can access it by going to Start, Control Panel and clicking on Troubleshooting. Click on Programs to run ComboFix in normal mode.

Program Compatibility Assistant

When you install or run an app, Windows monitors the app for symptoms of known compatibility issues. If it finds an issue, Program Compatibility Assistant provides some recommended actions that you can take to help the app run properly on Windows 8.

Note that Program Compatibility Assistant doesn't monitor apps that work at low system levels (for example, kernel mode drivers, security, and backup apps). Due to the dependency of these apps on Windows system internals, you generally can't apply compatibility fixes to them.

If you try to run an app with known incompatibilities, you'll see a message telling you about the problem, and, depending on the severity of the problem, Program Compatibility Assistant might prevent the app from running.

Troubleshoot for app compatibility

1.
From Start, swipe in from the right edge of the screen and then tap Search (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).

2.
Enter troubleshoot in the search box, choose Settings, and then choose Troubleshooting.

3.
Tap or click Run programs made for previous versions of Windows.

4.
Follow the steps provided.

Apply a compatibility mode

If you know the compatibility mode that your app needs to run, here is how to apply it:
1.
From Start, enter the name of the app you want to run in compatibility mode, and in the search results list, swipe down or right-click to select the app, and choose Open file location.

2.
In File Explorer, swipe down on the app or right-click it, and choose Properties.

3.
In the Properties dialog, choose the Compatibility tab.

4.
Select the compatibility mode and other options you want to apply, and then click OK.

In addition to different operating system compatibility modes, you can also run apps in reduced color modes or with administrator permissions. You can apply the settings for everyone who uses the computer or only for you.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sat 10 May 2014, 4:23 pm

OK…..I have been messing with this all evening and feel that I am spinning my wheels, banging my head against the wall and dead in the water! Here’s what I did:

First I disabled McAfee.
Since 8.1 does not have a Start button (at least like win7), the closest thing that I can do is press the WIN-logo-key + X >an options window opens in lower left corner on Desktop>
Clicked control panel > under System and Security clicked Find and Fix problems>
“Troubleshooting” window opens>
Under Programs, I chose “Run programs made for previous version of Windows”>
“Program Compatibility Troubleshooter” opens>
Click NEXT> “detecting issues” scans and generates a list of programs (are these all my programs or just specific programs that have issues?-some 64+ programs….must be everything on the computer)
“Select the program you’re having problems with”
Click on “ComboFix NSIS Installer” to highlight>
Click NEXT
"Select Troubleshooting option:"

Option 1) Try recommended settings –select this option to test run program using recommended compatibility settings

Option 2) Troubleshoot program – select this option to choose compatibility settings based on problems you notice

I chose to click option 1, try recommended settings.
“Test Compatibility settings for the program” opens :
It states: Settings applied to ComboFix NSIS Installer: Windows compatibility mode: Windows 7”
“You need to test the program to make sure these new settings fixed the problem before you can click NEXT to continue.” So I clicked on the button that says “Test the program…”
ComboFix window opens: “ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit.”……!!!!!!

Click OK and instead of choosing NEXT, I chose CANCEL.
Back to Program Compatibility Troubleshooter, re-choose ComboFix, troubleshoot program, and this time chose option 2 listed above, “Troubleshoot Program” window opens>
“What problems do you notice?” with 4 choice boxes to check off.
-The program worked in earlier versions of windows but won’t install or run now (hovering over the box pops up “Example: the setup program won’t begin”)

-The program opens but doesn’t display correctly

-The program requires additional permissions (Example: Access denial errors appear, or the program requests administrative permissions to run.”)

-I don’t see my problem listed

NEXT     or      CANCEL……I chose cancel….because I really didn’t know what I was getting into.

Up to this point, this would all follow YOUR instructions and the first set of steps 1-4 “Trouble shoot for app compatibility” that you posted.

"APPLY a Compatibility Mode" follows (the next 4 steps that you posted):
Step 1-since I don’t have a start button, I pulled up search, which came from the Charms area-the right>
Typed ComboFix and first listed was the Combo icon.  I figured that was the application, but I could not right click on it. …and so could not Open File Location as a result!
Step 2- Win-logo-key+X>
Chose File Explorer> clicked the desktop>scrolled to find ComboFix (not a shortcut but the actual application-and btw, it has one of those MS blue & yellow shields on it)>
Right clicked on it>properties>
Step 3-click Compatibility tab
Step 4-"Run this program in Compatibility mode for:" It had a drop-down menu and had selected Win7. I checked the box next to it and it allowed me to make another choice. Win7 had already not worked so I chose Win8. There was no 8.1 option. There was NO option to run it in NORMAL mode, either.
I clicked APPLY and then OK.  The window closed.

Double clicked ComboFix and got that old familiar song:
“ComboFix is not meant to run in ‘Compatibility Mode’.  The program shall now exit.”……!!!!!!

Closed everything out. Turned McAfee back on, and did some reading up on ComboFix at Bleeping Computer.
At [You must be registered and logged in to see this link.] on April 18, 2014, they say "This program does not work on Windows 8.1 at this time!"
At [You must be registered and logged in to see this link.] one week ago, someone asked Is there COMBO FIX software being developed to be compatible in a Windows 8.1 OS? And amongst their answers is
“sUBs (the creator of ComboFix-who seems to have a connection with BC) has advised that he is holding off releasing any working version of his tools for Windows 8.1 which includes both ComboFix and DDS. Meaning he is fully aware of the compatibility issue but needs time for thorough testing to ensure they work safely on that OS.”
I have not asked them for help over there at BC, it’s just that every question involving ComboFix that I google leads me back to their site.
 I think we are barking up the wrong tree at this point involving the use of ComboFix for 8.1.

I never scanned with Security Check…do you still want me to do that?

What should I do next? :/


Last edited by macmanetz on Sat 10 May 2014, 4:25 pm; edited 1 time in total (Reason for editing : clarity)


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sun 11 May 2014, 5:49 am

> Since 8.1 does not have a Start button (at least like win7),
8.1 was supposed to install the Start button. I downloaded and installed one myself from here and it's free.
> I never scanned with Security Check…do you still want me to do that?
Yes, please but don't be surprised if 8.1 gives you problems with this also.
I need to know if you have any other problems with your computer?



Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 11 May 2014, 1:18 pm

Results of screen317's Security Check version 0.99.83
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 13.0.0.206
Adobe Reader XI
Mozilla Firefox (29.0.1)
Google Chrome 34.0.1847.131
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 11 May 2014, 1:25 pm

Thank you for the tip on the Start Button! There is talk of a release in August that would have one for 8.1 and I have concerns about uninstalling it at that time....hopefully without issues....but this Start button looks great for the mean time!!!


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 11 May 2014, 4:56 pm

My "infected" computer seems to be running fine as it has all along. My big concerns now are:

1. why do I see a black run-type screen flash upon bootup once I am on the desktop screen? what is it and how do I get rid of it? This morning when it flashed, I caught "windows/system32/_____" and something else that I couldn't make out.

2. I'm concerned about anyone EVER getting into my computer remotely again, so I located System Properties folder> remote tab> and unchecked "Allow Remote Assistance to this computer">apply>OK... Is there someone out there that would need access without first discussing it with me?? Is this OK to not allow open access? Will this block these hackers who now know the codes in my computer from ever entering my computer by remote, again???? What is LogMeInRescue RC-something that allows them to reenter my computer?

3. After performing these scans, can I now trust my computer & browser to type in usernames and passwords at this point? use charge cards? make purchases??? Trust that someone isn't stealing my info?

4. When can I change out McAfee for Panda and what's the best way to remove all traces of McAfee?

5. What about all this software that was loaded onto my computer??? (please refer to my first post where I listed everything which is all still there even after the scans) Can I trust any of it?? or should I just trash it all??? I don't even know what half of it is!!! ...and some items in the folder look suspicious to me! Like the Notepad file with a gear on it or the Registration Entry (.reg); Windows Batch file, ICO file??....what are those all about???

The only thing I see that has changed was caught by adwcleaner and deleted: a user file called pokki, an icon that SEEMED like a start button on the task bar (shaped like a white silhouette of a house which I can not find in google searches) and another icon on the task bar that was another link to windows store but pink background with a different bag on it.

BTW, even though I uninstalled Malwarebytes and reinstalled YOUR free version, it comes up occasionally and starts scanning just like a licensed version! can I trust it???

...and on a bright note, this morning, after booting, the Mozilla icon reappeared....without having done anything (maybe it updated over night)!

I realize that we have been trying to establish that there is no malware or virus but all the above things REALLY bother me....I haven't been doing anything involving a username, PW or purchase on this new computer since this all happened-no email or social networking- just working with you and looking at stuff....but thanks for helping....


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Mon 12 May 2014, 3:51 am

Windows 8 comes with its own AV called Windows Defender. If you wish to run McAfee instead Windows Defender should be de-activated. Having more than one AV active on a computer can cause conflicts.
> why do I see a black run-type screen flash upon bootup once I am on the desktop screen? what is it and how do I get rid of it? This morning when it flashed, I caught "windows/system32/_____" and something else that I couldn't make out.
I'm not sure what that could be but you can try running this tool by my buddy Broni. It should fix any anomalies in your OS.
> I'm concerned about anyone EVER getting into my computer remotely again, so I located System Properties folder> remote tab> and unchecked "Allow Remote Assistance to this computer">apply>OK... Is there someone out there that would need access without first discussing it with me?? Is this OK to not allow open access? Will this block these hackers who now know the codes in my computer from ever entering my computer by remote, again???? What is LogMeInRescue RC-something that allows them to reenter my computer?
They shouldn't be able to access your computer unless you give them permission. As discussed in a previous post, they will need your permission. I would never give anyone access to my computer unless I knew and trusted them. I've never heard of LogMeInRescue RC but, from what I can find, it's some kind of method of logging into your computer from a remote site but I would imagine that you would have to have your computer set up in order to do this.
> After performing these scans, can I now trust my computer & browser to type in usernames and passwords at this point? use charge cards? make purchases??? Trust that someone isn't stealing my info?
About the only way that your computer would be considered safe again is to re-format and re-install the OS or run the Recovery Console which will restore your computer back to the day you took it out of the box. I couldn't find any programs that were installed by this hacker but I wouldn't consider the computer safe. Your best bet would be to save your data and do a Recovery.

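The exchange above asks whether the remote tools the technician left behind (LogMeIn Rescue, Ammyy Admin), the "DisableUACforAdmin" item, and leftovers like the Pokki Run key that AdwCleaner removed give anyone a way back in. Unticking "Allow Remote Assistance" in the GUI only covers the built-in Remote Assistance feature; a third-party remote-control agent installed as a service or an autostart entry is a separate question. The PowerShell below is an added example (not from the thread or any of the tools it names) that answers that question from an elevated prompt: it lists processes, services, Run-key entries and non-Microsoft scheduled tasks, then reads the registry values behind Remote Assistance, Remote Desktop and UAC. The name pattern is an assumption built from the tools the posts mention, and the comment on the UAC value only says what the value means; what the scammer's "DisableUACforAdmin" file actually did is not known from the thread.

```powershell
# Added example for this thread; not code from the forum or from any of the
# tools named in it. Run from an elevated PowerShell prompt on the machine
# before it is reset, so the findings can be recorded.
# $Pattern is an assumption: names taken from the thread, extend as needed.
$Pattern = 'LogMeIn|Ammyy|Pokki|Global IT'

function Get-SuspectProcesses {
    Get-Process | Where-Object { $_.Name -match $Pattern -or $_.Path -match $Pattern } |
        Select-Object Id, Name, Path
}

function Get-SuspectServices {
    # Win32_Service exposes StartMode and the binary path, which Get-Service does not;
    # an "Auto" service pointing at a remote-control agent is unattended access.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-RunKeyEntries {
    # Every entry is listed, not only pattern matches: the AdwCleaner log in this
    # thread found the Pokki entry under HKCU\...\Run, and anything else added
    # during the session would sit in one of these keys too.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-NonMicrosoftTasks {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

function Get-RemoteAccessState {
    $ra  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemoteAssistanceAllowed = ($ra.fAllowToGetHelp -eq 1)      # the box unticked in System Properties
        RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)
        UACEnabled              = ($uac.EnableLUA -eq 1)
        # 0 means administrators elevate with no prompt at all. Worth reading given the
        # dropped file named "DisableUACforAdmin"; what that file did is not known.
        AdminElevationPrompt    = $uac.ConsentPromptBehaviorAdmin
    }
}

function Disable-RemoteAssistance {
    # Same effect as unticking "Allow Remote Assistance connections to this computer".
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp -Value 0
}

'== processes ==';          Get-SuspectProcesses  | Format-Table -AutoSize
'== services ==';           Get-SuspectServices   | Format-Table -AutoSize
'== Run keys ==';           Get-RunKeyEntries     | Format-Table -AutoSize
'== scheduled tasks ==';    Get-NonMicrosoftTasks | Format-Table -AutoSize
'== remote access / UAC =='; Get-RemoteAccessState | Format-List
```

Read the result as an inventory, not a verdict. Someone who had interactive administrator access for two hours could have left things this listing does not cover, so an empty result supports the thread's eventual conclusion (save data, reset to factory state) rather than replacing it. What the listing is good for is the record: which services, autostarts and tasks were present before the reset, and whether UAC or remote access had been loosened, which is exactly the information a later "did they get back in" question needs.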

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Mon 12 May 2014, 4:27 am

Will running the Recovery Console also automatically re-install the OS? It sounds like I need to do a Recovery...and that would delete all their stuff and make their presence disappear....correct?....and will it also delete my Adobe Photoshop/Premiere Elements? MS Office???? I have the disk for Adobe but I have a card for MS Office and originally there was an icon on the desktop to start the download...do you think that icon will reappear after recovery? Can you guide me through that or should I refer to Lenovo, or Microsoft?

Would bringing it back to a previous stored backup point do (because the first thing that this hacker did was to set a backup point!) or is the best thing to restore or reset or recover (I see all 3 of these terms being used)?


"I've never heard of LogMeInRescue RC but, from what I can find, it's some kind of method of logging into your computer from a remote site but I would imagine that you would have to have your computer set up in order to do this. "

Yes, I believe that they did do that!!!



Last edited by macmanetz on Mon 12 May 2014, 5:53 am; edited 2 times in total (Reason for editing : an after-thought & yet another after thought!)


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Mon 12 May 2014, 6:06 am

> Will running the Recovery Console also automatically re-install the OS? It sounds like I need to do a Recovery...and that would delete all their stuff and make their presence disappear....correct?...
Yes, it will restore your computer back to the day you purchased it. Any programs that the hacker installed will be gone.
> and will it also delete my Adobe Photoshop/Premiere Elements? MS Office???? I have the disk for Adobe but I have a card for MS Office and originally there was an icon on the desktop to start the download...do you think that icon will reappear after recovery? Can you guide me through that or should I refer to Lenovo, or Microsoft?
You will need to make a note of the programs that you now have on your computer because they will have to be re-installed. You will also need to save all your important data to an external drive or DVDs.
> Would bringing it back to a previous stored backup point do (because the first thing that this hacker did was to set a backup point!) or is the best thing to restore or reset or recover (I see all 3 of these terms being used)?
Doing a System Restore would not be as good as doing a Recovery.
In Windows 8 they call it Refresh and Reset. Here's more information about how to do that.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Mon 12 May 2014, 12:31 pm

I guess I need to do a reset. Thanks for the link, it sure seemed easy to do but it was about 2 years out of date...I found a video on YouTube, also outdated but helpful, and I am currently reading a user guide. I have a question. If the hacker changed (and he did) something in the registry, that will all be undone and cleared also, right?


Re: Scammed-need to clear computer of contamination!

Post by Superdave on Mon 12 May 2014, 12:42 pm

> I guess I need to do a reset. Thanks for the link, it sure seemed easy to do but it was about 2 years out of date...I found a video on YouTube, also outdated but helpful, and I am currently reading a user guide. I have a question. If the hacker changed (and he did) something in the registry, that will all be undone and cleared also, right?
It's hard to believe that Windows 8 has been out that long. Yes, all the registry will be back to when it was new.


Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 29 Jun 2014, 4:22 am

Sorry about the delay, but I had family issues out of state for weeks!  
I finally reset/recovered my Windows yesterday (after doing a lot of research on this procedure) and am writing from that computer. All went very smoothly. All my personal files & apps were gone, as expected, as well as all the programs that the hackers installed AND I no longer see the black box flash on the desktop upon boot-up (yay!-I think it had something to do with the command prompt).
I changed the password to my Microsoft account,
password to log into my computer,
the name of my computer,
my last name,
AND under system properties>remote tab>  I unchecked the box for "Allow Remote Assistance connections to this computer". Also, uninstalled McAfee Trial and installed Panda Antivirus that I have a license for....and downloaded Mozilla. But I still have some concerns:

1. When I made my selections for the reset, one option was to select just the drive that Windows was on (the C:drive) or all drives which included the D:drive Lenovo. I chose the first option because I figured that I needed the info on the D:drive to get back to factory specs.  Because I didn't reset the D:drive, containing factory specs, would my computer still be considered secure at this point or is it possible that something could have been installed there by the hackers??

2. Also, I selected a deep clean that would "take hours" (took a little over 2 hours) in order to really wipe things out. Oddly, when everything rebooted, the desktop was the pale blue solid color wallpaper like I had selected prior to reset and not the Lenovo photo that first came on it. AND the Start Screen displayed the customized patterned wallpaper background that I had pre-selected, again, prior to the reset (not factory specs). Upon the first Windows log-in, the same pre-selected photo that I had by user name/password came up....and I had to go to the MS account to change the photo. If everything was wiped clean, then why did these come up? or are these held in memory at the Microsoft Account online (I didn't see anything about the wallpaper/screen choices there)?

3. In light of #2 above, I want to be assured that all is wiped clean and am truly starting over with a clean slate. Have all restore points also been cleared (I saw him create a restore point and even know its name)? DLLs all reset? He left a folder that he worked from on the desktop with things over my head....(besides installing 6 applications, he disabled UAC for admin, configuration settings for the desktop file, favicon-ICO file, windows batch file-Evntvwr Cleanr....) have they all been removed/reset, as it appears?

4. Pokki seems to be a free download that changes the start screen with a Start Button, etc. It was on my computer and was deleted as a possible virus with one of the first programs that you had me scan my computer with....and now it's on here again.  I do not see it on my apps page nor do I see their acorn icon in the task bar. But today, I suddenly see the little white house in the task bar again (I had previously asked you about this but you said you didn't know anything about it... It appears to be a start button and connected to the App store). But a search for Pokki definitely turns up files on my computer. Might this "house" be the results of Pokki?? Could it be something Lenovo included?? Might this be a border line virus conductive app and an antivirus would target it?

5. AND finally, I want to BUY a licensed version of Malwarebytes through your site. Which brings me to, can I feel safe/secure now to use a credit card (and make purchases, look at bank statements, etc) on this reset computer? Do you want me to download and run anything as a final check?  Should I redownload Adwcleaner, which got deleted?

I know that you were helping me with viruses and malware and I may be asking more than what might be your area of expertise. But I sure do appreciate any help you can pass my way. Thanks so much for being there.


macmanetz
Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1

Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sun 29 Jun 2014, 5:52 am

[quote="macmanetz"]and installed Panda Antivirus that I have a license for...[/quote]
Don't forget to disable Windows Defender, the AV that comes with Windows 8.

[quote="macmanetz"]Because I didn't reset the D: drive, containing factory specs, would my computer still be considered secure at this point or is it possible that something could have been installed there by the hackers??[/quote]
The D drive is where you have the Recovery Console which you just used. I can't see any possibility of that drive being infected.

[quote="macmanetz"]If everything was wiped clean, then why did these come up? Or are these held in memory at the Microsoft Account online (I didn't see anything about the wallpaper/screen choices there)?[/quote]
The only real way to wipe the drive is to choose Reformat.

[quote="macmanetz"]Have all restore points also been cleared (I saw him create a restore point and even know its name)? DLLs all reset? He left a folder that he worked from on the desktop that contained things over my head....(besides installing 6 applications, he disabled UAC for admin, configuration settings for the desktop file, favicon-ICO file, Windows batch file-Evntvwr Cleanr....) Have they all been removed/reset, as it appears?[/quote]
Not being seated in front of your computer it's difficult for me to say for certain that they're gone, but I would have to guess yes.

[quote="macmanetz"]It appears to be a start button and connected to the App store). But a search for Pokki definitely turns up files on my computer. Might this "house" be the result of Pokki?? Could it be something Lenovo included?? Might this be a borderline virus-conducive app that an antivirus would target?[/quote]
I know nothing about this site but here's a reputable site with one review. When a free download is mentioned one has to take that with a grain of salt. In other words, be a bit leery.

[quote="macmanetz"]AND finally, I want to BUY a licensed version of Malwarebytes through your site. Which brings me to, can I feel safe/secure now to use a credit card (and make purchases, look at bank statements, etc) on this reset computer? Do you want me to download and run anything as a final check? Should I redownload AdwCleaner, which got deleted?[/quote]
It would depend on the site where you use your card. PayPal is dependable and it should be safe. My bank offers a free security app called Rapport Trusteer which you can configure to protect any site you want. It's very good. You could check with your bank to see if they provide it. You can download and keep AdwCleaner on your computer. Update it and run it on a regular basis.


Last edited by Superdave on Sun 29 Jun 2014, 11:22 am; edited 2 times in total

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Sun 29 Jun 2014, 11:18 am

[quote="macmanetz"]and installed Panda Antivirus that I have a license for...[/quote]
[quote="Superdave"]Don't forget to disable Windows Defender, the AV that comes with Windows 8.[/quote]
Oh, my! I didn't realize that there already was an antivirus on Win8! I just did a search for Windows Defender, clicked on the icon and a speech box appeared saying that the app is turned off and is not protecting my computer. McAfee or Panda must have turned it off. Good, thanks for drawing that to my attention.

[quote="macmanetz"]If everything was wiped clean, then why did these come up? Or are these held in memory at the Microsoft Account online (I didn't see anything about the wallpaper/screen choices there)?[/quote]
[quote="Superdave"]The only real way to wipe the drive is to choose Reformat.[/quote]

I realized that I did not reformat the entire physical drive containing both the C: & D: drives, but you are also saying that it is unlikely that the D: drive was tampered with. So isn't reinstalling Windows 8.1 reformatting the C: drive??? You had said "About the only way that your computer would be considered safe again is to re-format and re-install the OS or run the Recovery Console which will restore your computer back to the day you took it out of the box." "Your best bet would be to save your data and do a Recovery." So I did do a Recovery from the Recovery Console. Please tell me you're really not suggesting that I actually reformat the whole drive and deal with partitioning. I was really hoping for a clean bill of health!

[quote="Superdave"]PayPal is dependable and it should be safe. My bank offers a free security app called Rapport Trusteer which you can configure to protect any site you want. It's very good. You could check with your bank to see if they provide it.[/quote]

Thanks for that tip...I have paypal and I will look into the Rapport Trusteer.


Last edited by macmanetz on Mon 30 Jun 2014, 12:35 am; edited 1 time in total

macmanetz
Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1

Re: Scammed-need to clear computer of contamination!

Post by Superdave on Sun 29 Jun 2014, 11:40 am

[quote="macmanetz"]So isn't reinstalling Windows 8.1 reformatting the C: drive???[/quote]
Here's more information about wiping and re-formatting. You did the correct thing in using the Recovery Console and your computer can be considered safe to use.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Scammed-need to clear computer of contamination!

Post by macmanetz on Mon 30 Jun 2014, 12:37 am

THANK YOU SSSOOOO MUCH!!!!!  

macmanetz
Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1

Re: Scammed-need to clear computer of contamination!

Post by Superdave on Mon 30 Jun 2014, 5:33 am

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
