[HALlives]

I ran it in IE11 and it didn't find anything. 

 

Are any of the tools I've been using capable of scanning the MBR?

[Advertisements]

I believe tdss killer did.

You can try this one too

Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
• Click the Scan button to start the scan
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

[zep516]

I believe tdss killer did.

You can try this one too

Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
• Click the Scan button to start the scan
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

[HALlives]

Sorry, on a call, back in a bit. 

[HALlives]

Okay, aswMBR has finished scanning... the "Fix MBR" button is lit up, as well as "Save Log" and "Exit." 

 

Should I fix the MBR? 

[zep516]

No, save log and exit post log

[HALlives]

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software

Run date: 2017-02-17 19:36:39

-----------------------------

19:36:39.218    OS Version: Windows x64 6.1.7601 Service Pack 1

19:36:39.218    Number of processors: 4 586 0x4E03

19:36:39.218    ComputerName: BARB-PC  UserName: Barb

19:36:39.577    Initialize success

19:36:39.577    VM: initialized successfully

19:36:39.577    VM: Intel CPU BiosDisabled 

19:37:12.331    AVAST engine defs: 17010903

19:37:16.293    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

19:37:16.293    Disk 0 Vendor: Crucial_CT750MX300SSD1 _M0CR011 Size: 715404MB BusType: 11

19:37:16.293    Disk 0 MBR read successfully

19:37:16.293    Disk 0 MBR scan

19:37:16.293    Disk 0 Windows 7 default MBR code

19:37:16.309    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048

19:37:16.309    Disk 0 default boot code

19:37:16.309    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       715302 MB offset 206848

19:37:16.325    Disk 0 scanning C:\Windows\system32\drivers

19:37:19.538    Service scanning

19:37:26.527    Modules scanning

19:37:27.026    Disk 0 trace - called modules:

19:37:27.026    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 

19:37:27.026    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80073fe060]

19:37:27.026    3 CLASSPNP.SYS[fffff880018dd43f] -> nt!IofCallDriver -> [0xfffffa80071f0520]

19:37:27.026    5 ACPI.sys[fffff88000f627a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80071ec680]

19:37:27.385    AVAST engine scan C:\Windows

19:37:28.399    AVAST engine scan C:\Windows\system32

19:38:35.073    AVAST engine scan C:\Windows\system32\drivers

19:38:39.161    AVAST engine scan C:\Users\Barb

19:39:06.367    AVAST engine scan C:\ProgramData

19:39:21.998    Disk 0 statistics 3895511/0/0 @ 54.02 MB/s

19:39:21.998    Scan finished successfully

19:44:46.010    Disk 0 MBR has been saved successfully to "C:\Users\Barb\Desktop\MBR.dat"

19:44:46.026    The log file has been saved successfully to "C:\Users\Barb\Desktop\aswMBR log.txt"

 

[zep516]

Logs clean, if there were a rootkit

It would say Disk 0 MBR and give the file.

Can you send a picture of the taskbar with the MY Technician stuff.

What other symptoms do we have, besides the My Technician crap in the taskbar.


Can you right click on The My Technician stuff in the task bar ? What options are present when you do that ?

[HALlives]

Here's the taskbar, that hasn't changed. 

Attached Thumbnails

• 

[zep516]

That's the only issue, no scammer window and the computer is not shutting off by itself ?

Right click on that MY Technician see if you can un-Pin it.

By the way here's the tdss killer report it did scan the MBR

19:41:00.0674 0x0864 ================ Scan MBR ==================================
19:41:00.0674 0x0864 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:41:00.0737 0x0864 \Device\Harddisk0\DR0 - ok
19:41:00.0737 0x0864 ================ Scan VBR ==================================
19:41:00.0737 0x0864 [ F7670BB65880E7591EF25B67EEA7E746 ] \Device\Harddisk0\DR0\Partition1
19:41:00.0737 0x0864 \Device\Harddisk0\DR0\Partition1 - ok
19:41:00.0737 0x0864 [ EA1411703A746A9822AE4411BDE4616E ] \Device\Harddisk0\DR0\Partition2
19:41:00.0737 0x0864 \Device\Harddisk0\DR0\Partition2 - ok

[HALlives]

Okay, right clicked on the "My Technician" section and got the standard Taskbar options, "Lock the taskbar" etc, plus "Toolbars." 

 

That opened another drop-down menu and "Toolbar" was checked. 

 

I unchecked it and "My Technician" disappeared off the taskbar.

 

I went back to "Toolbars" again, and now the drop-down menu says "New Toolbar," and when I click on that I get an error message saying the location is unavailable; "C:\Users\Barb\Documents\MY TECHNICIAN (etc) refers to a location that is unavailable..." 

[HALlives]

Sorry, double posted. 

Edited by HALlives, 17 February 2017 - 10:17 PM.

[zep516]

C:\Users\Barb\Documents\MY TECHNICIAN

Did barb put My Techician in the Documents folder ?

The location is unavailable because we removed it 2 days ago in a FRST fix

[HALlives]

I have no idea, she got hacked, they installed something on the system that shut it down every 10mins, they were in the machine for about 15mins before she figured it out.

 

She wouldn't be able to do it by herself. 

[zep516]

Every scan shows clean now.

[HALlives]

No scan has found anything that could shut the machine down every 10mins and hide itself. 

 

She was hacked, the bastards called her back the following day and tried to get her to give them access to he machine again so they could "repair" it. 

 

Are you suggesting I hand her back the machine and tell her to go ahead and do all her online banking, taxes etc and not worry?