
Win7 notebook hit by "Microsoft Support" scam, possible Rootki



#91
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

I ran it in IE11 and it didn't find anything. 

 

Are any of the tools I've been using capable of scanning the MBR?


  • 0



#92
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
I believe TDSSKiller did.

You can try this one too.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

  • 0

#93
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Sorry, on a call, back in a bit. 


  • 0

#94
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Okay, aswMBR has finished scanning... the "Fix MBR" button is lit up, as well as "Save Log" and "Exit." 

 

Should I fix the MBR? 


  • 0

#95
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
No, save log and exit, post log.
  • 0

#96
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2017-02-17 19:36:39
-----------------------------
19:36:39.218    OS Version: Windows x64 6.1.7601 Service Pack 1
19:36:39.218    Number of processors: 4 586 0x4E03
19:36:39.218    ComputerName: BARB-PC  UserName: Barb
19:36:39.577    Initialize success
19:36:39.577    VM: initialized successfully
19:36:39.577    VM: Intel CPU BiosDisabled 
19:37:12.331    AVAST engine defs: 17010903
19:37:16.293    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:37:16.293    Disk 0 Vendor: Crucial_CT750MX300SSD1 _M0CR011 Size: 715404MB BusType: 11
19:37:16.293    Disk 0 MBR read successfully
19:37:16.293    Disk 0 MBR scan
19:37:16.293    Disk 0 Windows 7 default MBR code
19:37:16.309    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
19:37:16.309    Disk 0 default boot code
19:37:16.309    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       715302 MB offset 206848
19:37:16.325    Disk 0 scanning C:\Windows\system32\drivers
19:37:19.538    Service scanning
19:37:26.527    Modules scanning
19:37:27.026    Disk 0 trace - called modules:
19:37:27.026    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
19:37:27.026    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80073fe060]
19:37:27.026    3 CLASSPNP.SYS[fffff880018dd43f] -> nt!IofCallDriver -> [0xfffffa80071f0520]
19:37:27.026    5 ACPI.sys[fffff88000f627a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80071ec680]
19:37:27.385    AVAST engine scan C:\Windows
19:37:28.399    AVAST engine scan C:\Windows\system32
19:38:35.073    AVAST engine scan C:\Windows\system32\drivers
19:38:39.161    AVAST engine scan C:\Users\Barb
19:39:06.367    AVAST engine scan C:\ProgramData
19:39:21.998    Disk 0 statistics 3895511/0/0 @ 54.02 MB/s
19:39:21.998    Scan finished successfully
19:44:46.010    Disk 0 MBR has been saved successfully to "C:\Users\Barb\Desktop\MBR.dat"
19:44:46.026    The log file has been saved successfully to "C:\Users\Barb\Desktop\aswMBR log.txt"
 

  • 0
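Added example, not part of the thread and not aswMBR's own code: a Python sketch that parses a raw MBR dump and cross-checks its partition table against the "Disk 0 Partition" lines of the aswMBR log in the post above. It assumes the saved MBR.dat is a raw 512-byte copy of sector 0 and that offsets are in 512-byte sectors; the sample sector is constructed to mirror the log, and all function names are hypothetical.

```python
import re
import struct

SECTOR = 512  # assumption: log offsets and table sizes are in 512-byte sectors
# The two partition lines as posted in the aswMBR log (timestamps dropped).
SAMPLE_LOG = """\
Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       715302 MB offset 206848
"""
LOG_RE = re.compile(r"Partition (\d+) ([0-9A-F]{2})\s+(?:\(A\)\s+)?([0-9A-F]{2})"
                    r"\s+.*?(\d+) MB offset (\d+)")

def parse_mbr(sector):
    """Return the non-empty partition entries of a classic MBR sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR ending in the 0x55AA signature")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # type byte 0x00 marks an unused slot
            parts.append({"num": i + 1, "active": entry[0] == 0x80,
                          "type": entry[4], "start": start,
                          "size_mb": count * SECTOR // 2**20})
    return parts

def cross_check(sector, log_text):
    """List every field where dump and log disagree (empty list = consistent)."""
    logged = {int(m[1]): {"active": m[2] == "80", "type": int(m[3], 16),
                          "start": int(m[5]), "size_mb": int(m[4])}
              for m in LOG_RE.finditer(log_text)}
    dumped = {p.pop("num"): p for p in parse_mbr(sector)}
    issues = [f"partition {n}: only in {'dump' if n in dumped else 'log'}"
              for n in sorted(logged.keys() ^ dumped.keys())]
    for n in sorted(logged.keys() & dumped.keys()):
        issues += [f"partition {n}: {k} dump={dumped[n][k]} log={logged[n][k]}"
                   for k in logged[n] if dumped[n][k] != logged[n][k]]
    return issues

def build_sample_mbr():
    """Constructed sector (zeroed boot code) whose table mirrors SAMPLE_LOG."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3sB3sII", status, bytes(3), ptype, bytes(3), start, count)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x07, 206848, 715302 * 2048)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    print(cross_check(build_sample_mbr(), SAMPLE_LOG) or "dump matches log")
```

A mismatch here only says the dump and the log describe different partition tables; it does not judge the boot code in the first 446 bytes, which is what the scanners in this thread check.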

#97
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
Logs clean. If there were a rootkit, it would say Disk 0 MBR and give the file.

Can you send a picture of the taskbar with the My Technician stuff?

What other symptoms do we have, besides the My Technician crap in the taskbar?


Can you right click on the My Technician stuff in the taskbar? What options are present when you do that?
  • 0

#98
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Here's the taskbar, that hasn't changed. 

Attached Thumbnails

  • Scammer Taskbar.jpg

  • 0

#99
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
That's the only issue, no scammer window and the computer is not shutting off by itself?

Right click on that My Technician and see if you can un-pin it.

By the way, here's the TDSSKiller report; it did scan the MBR:

19:41:00.0674 0x0864 ================ Scan MBR ==================================
19:41:00.0674 0x0864 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:41:00.0737 0x0864 \Device\Harddisk0\DR0 - ok
19:41:00.0737 0x0864 ================ Scan VBR ==================================
19:41:00.0737 0x0864 [ F7670BB65880E7591EF25B67EEA7E746 ] \Device\Harddisk0\DR0\Partition1
19:41:00.0737 0x0864 \Device\Harddisk0\DR0\Partition1 - ok
19:41:00.0737 0x0864 [ EA1411703A746A9822AE4411BDE4616E ] \Device\Harddisk0\DR0\Partition2
19:41:00.0737 0x0864 \Device\Harddisk0\DR0\Partition2 - ok


  • 0

#100
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Okay, right clicked on the "My Technician" section and got the standard Taskbar options, "Lock the taskbar" etc, plus "Toolbars." 

 

That opened another drop-down menu and "Toolbar" was checked. 

 

I unchecked it and "My Technician" disappeared off the taskbar.

 

I went back to "Toolbars" again, and now the drop-down menu says "New Toolbar," and when I click on that I get an error message saying the location is unavailable; "C:\Users\Barb\Documents\MY TECHNICIAN (etc) refers to a location that is unavailable..." 


  • 0



#101
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Sorry, double posted. 


Edited by HALlives, 17 February 2017 - 10:17 PM.

  • 0

#102
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
C:\Users\Barb\Documents\MY TECHNICIAN

Did Barb put My Technician in the Documents folder?

The location is unavailable because we removed it 2 days ago in a FRST fix.
  • 0

#103
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

I have no idea. She got hacked; they installed something on the system that shut it down every 10 mins, and they were in the machine for about 15 mins before she figured it out.

 

She wouldn't be able to do it by herself. 


  • 0

#104
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
Every scan shows clean now.
  • 0

#105
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

No scan has found anything that could shut the machine down every 10 mins and hide itself. 

 

She was hacked; the bastards called her back the following day and tried to get her to give them access to the machine again so they could "repair" it. 

 

Are you suggesting I hand her back the machine and tell her to go ahead and do all her online banking, taxes etc and not worry? 


  • 0





