Worried about phishing after remote control interface used

phishing remote user teamviewer.com

  • This topic is locked

#1
mem7_7

    New Member

  • Member
  • 8 posts

My Xbox was not connecting to my profile Wednesday, so I looked up the support number online. I ended up calling a pseudo-support site. The following is what I recall from that experience.

They said my account was blocked due to suspected hacking activity. They asked me if my Xbox was on the same network as my computer. They had me download a file from teamviewer.com and I granted remote control. He paused about 15-20 seconds, and then very fast ran through some steps to show me I was hacked. What I recall is he showed me some type of DOS log indicating about four lines of time-outs or disconnects or something. He said that means I'd been hacked. He opened the event viewer and showed me a green and red line graph. Then he did some more on the event viewer. Then he opened PayPal and said I had to pay $199 to clean 41,000 malware files. I declined and exited the remote control session. Total time about 2 minutes.

I ran McAfee full scan with no reported files. I experienced some slow video and internet surfing the next night, and had a suspicious error at start up saying that explorer hadn't closed properly to permit shutdown. I'm pretty sure I had shut it all the way down and turned off WLAN on last use. No other symptoms.

Worried about passive tracking malware.

Please help a fool.

#2
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

Not seeing anything, let's run a few scans though.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Reboot your computer if prompted.


    Posting the Malwarebytes log.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log to your next reply.

#3
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

thank you thank you thank you

#4
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

We need to run a fix using FRST. Just some leftovers.

Next

A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
start
CloseProcesses:
CreateRestorePoint:
SearchScopes: HKLM -> DefaultScope {682A7A5C-953E-4F46-BE75-B46823CC9E8B} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM -> {682A7A5C-953E-4F46-BE75-B46823CC9E8B} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM -> {F866DC5B-A053-40B9-BCDE-375ED3441201} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> DefaultScope {682A7A5C-953E-4F46-BE75-B46823CC9E8B} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM-x32 -> {682A7A5C-953E-4F46-BE75-B46823CC9E8B} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
SearchScopes: HKLM-x32 -> {F866DC5B-A053-40B9-BCDE-375ED3441201} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> DefaultScope {36DE244C-822B-41E3-B41C-8F33D36D220B} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=B011US0D20150613&p={searchTerms}
SearchScopes: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> {36DE244C-822B-41E3-B41C-8F33D36D220B} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=B011US0D20150613&p={searchTerms}
SearchScopes: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> {682A7A5C-953E-4F46-BE75-B46823CC9E8B} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> {F866DC5B-A053-40B9-BCDE-375ED3441201} URL = 
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL => No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll => No File
Toolbar: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKU\S-1-5-21-797596941-2681491629-3159916735-1000 -> No Name - {9D425283-D487-4337-BAB6-AB8354A81457} -  No File
S2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1
"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe"
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [X]
S1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [X]
2016-04-20 17:34 - 2016-04-20 17:34 - 00000000 ____D C:\Users\Jason\AppData\Roaming\TeamViewer
2016-04-20 17:33 - 2016-04-20 17:34 - 07096856 _____ (TeamViewer) C:\Users\Jason\Downloads\TeamViewerQS_en.exe
AlternateDataStreams: C:\ProgramData\Temp:0574215C [480]
AlternateDataStreams: C:\ProgramData\Temp:D95ACC7D [191]
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

#5
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

Done and done.  However, the fixlist.txt is no longer on the desktop?  Either that was planned or I messed up and called it fixlog instead.  I didn't re-do that instruction, so if that is next I hope I can just re-do it.

#6
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

Fixlist looks ok, nice work. Let's run two adware scans.


Next

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

    Next

    Please download Junkware Removal Tool to your Desktop.
    Please close your security software to avoid potential conflicts. See Here how to disable your security protection (Anti Virus)
    Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
    The tool will open and start scanning your system.
    Please be patient as this can take a while to complete, depending on your system's specifications.
    On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
    Please post the contents of JRT.txt into your reply.

    In your next reply post;
  • The AdwCleaner [SO].txt Log
  • The JRT.txt Log

#7
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

Smooth and quick.  Two adware logs though, and not SO.

#8
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Looks good, some junk cleared out.

Download Security Check by screen317 from http://rocketgrannie...curityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

#9
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

I think it moved.  Link is dead.


#10
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
New link,

http://www.bleepingc.../securitycheck/

#11
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

Alright, that worked.

#12
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Looks good except for Java out of date.

Note
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.

Because Java has had so many vulnerabilities, if you don't have a program that requires Java, or a web site you visit that requires it, I recommend leaving it uninstalled. Your system will be more secure. If you decide to reinstall, or find that a program or website requires it, you can download the latest version from here:
http://java.com/en/d...anual_java7.jsp
If you reinstall it because a program requires Java, you can increase your security by going to the Java Control Panel (Start > Control Panel > Java), selecting the Security tab, and unchecking "Enable Java content in the browser".

#13
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

Thank you so much.  Mind is very at ease now.  Computer is fast as lightning too!


#14
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
You're welcome

1 more thing to do and I'll close the topic.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


Why we need to remove some of our tools:
Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time can make the computer an expensive paperweight. They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.



Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Paste it for my review.

#15
mem7_7

    New Member

  • Topic Starter
  • Member
  • 8 posts

Ok
