Neighbor's Computer has been Hacked


  • This topic is locked

#16
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

You didn't attach the logs again.  :)  It's difficult for me to review the topic when such long logs are posted. That's why I asked you to attach them instead of copying and pasting them.
 
The logs are clean. But as I mentioned earlier, the system mess remains. That's why the programs have opening issues. I would recommend uninstalling and reinstalling them. But it seems that you have issues with that too.
 
Let's take things one by one and see what we can do.
 
1. FRST fix
 
This is to remove some overlooked things.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste it anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
Hosts:
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

2. Troubleshooting

 

Download this Troubleshooter from Microsoft, save it on the Desktop and run it. 

Check if uninstalling a program still has issues. If it worked, then uninstall all the problematic programs. If not, report back. 

 

 

In your next reply, please post:

  1. The fixlog.txt
  2. If the Troubleshooter allowed you to uninstall the problematic programs

  • 0


#17
Kenjesse

    Member

  • Topic Starter
  • 110 posts

Very sorry for confusing the instructions... I've gotten help here before some years ago and for whatever reason that's the way I remember posting logs.  Again, very sorry.  This latest reboot brings up one more issue I had after the 1st fix that I forgot to add, and that is Dropbox is not loading properly on bootup and requires ending the task to get it to stop trying. I've attached a screenshot with the error.  Closing the error, it comes back in about 10 seconds and continues this until I end the task.

 

Have already had my neighbor notify banks and credit card companies to freeze accounts and have begun the process of changing all passwords.  She has LifeLock and they have been given a heads up and have opened a case file.  As for the remaining problems the priority is restoring Family Tree Maker.

 

After that if there is any chance of finding the files from Documents, Downloads, etc. (the Library Folders) that would be a big win.  Given what I have seen I don't see much chance of that, however.

 

I will likely back up Family Tree Maker, if restored, and then lean towards a clean install setting my neighbor up as a User with limited authority and calling it a day.  My biggest concern was finding out how bad the intrusion was as regards their information; that is about as bad as it can get as it appears they took the contents of the Library Folders.

 

Again, sorry for making your efforts tougher with my inability to pay attention.

Attached Thumbnails

  • Screenshot_Dropbox_load_fail_2025-02-11 161712.png



  • 0

#18
Kenjesse

    Member

  • Topic Starter
  • 110 posts

This just happened, of course.  Windows Update wants to restart to complete "Cumulative update for Win10 Ver 22H2 for x64-based systems (KB5051974)".  Problems if I agree or would you prefer I stall it?


  • 0

#19
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

Hi, Ken. 

 

You can proceed with the update.

 

As to the Dropbox message at startup, the corrupted installation files cause it. 

 

I guess you didn't try the Troubleshooter by Microsoft yet?

 

And another question: Did this issue with the programs appear after February 7th, or did it exist before that?


  • 0

#20
Kenjesse

    Member

  • Topic Starter
  • 110 posts

I really do hate when I go stupid.  IE blocked the download and I was getting set up to download on my computer and move it over when I got interrupted; failed to come back to it on return.  Ran the troubleshooter to "install" Family Tree Maker 2017 but the troubleshooter only offered the option to uninstall, which I am reluctant to do because of not wanting to lose the data for the program I found in the user app data folders for it.  Ran the troubleshooter again for "uninstall" selecting Dropbox as the test.  Troubleshooter completed, indicated it made fixes and to try uninstalling the program; uninstall failed again in the same way.

 

All issues started after my neighbor allowed a scammer into their computer on the 7th of February. 

 

Took a screen shot of the Dropbox fail, but when I try to attach the file I get the error "No file was selected for upload".  So I am posting this from my computer so I can include the screen shots.  The other screen shots are of trying to attach the file.

 

Dr. M, I can see from the activity that you are helping multiple people. My hats off to you Sir, you are a better man than me being able to juggle all this.  It's 5:30am here and I've been stumbling through trying to get this one post done for over an hour...lol  I'm going back to bed for now.  As always thank you for all your efforts.

 

PS:  The 4th screen shot is of the Download history on their computer; it came up when it blocked the Trouble Shooter download.  Ultra Viewer is not a program I would use and I suspect it is the one the scammer had them install. They hung up the call and powered off the computer via long pressing the power button when they were asked to log in to their bank account.  They said that at that time the computer was displaying "Your computer is updating, do not turn off..." or something to that effect and it took a couple of tries to get it powered off.

Attached Thumbnails

  • Screenshot_dropbox_uninstall_fix_2025-02-12 045400.png
  • Screenshot_file_selected_2025-02-12 051628.png
  • Screenshot_file_selected_error_2025-02-12 051728.png
  • Screenshot_Downloads_history_2025-02-12 054628.png

  • 0
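A read-only way to check whether the remote-access program seen in the download history is still installed or starting with Windows. This is an added example, not part of any post in this thread; the match pattern is an assumption based on the product name, and the actual service, process and folder names on the machine may differ.

```powershell
# Added example: read-only check for leftovers of the remote-access tool named in the thread.
# The match pattern is an assumption derived from the product name "UltraViewer";
# the exact service, process and folder names on a given machine may differ.
$pattern = 'UltraView'

# Installed-program entries (64-bit, 32-bit and per-user uninstall keys).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

# Services whose name, display name or binary path matches.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# Processes running right now.
$processes = Get-Process | Where-Object { $_.ProcessName -match $pattern } |
    Select-Object ProcessName, Id, Path

# Machine-wide and per-user Run entries that start something at logon.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ("$name $value" -match $pattern) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
        }
    }
}

$findings = [ordered]@{ Installed = $installed; Services = $services
                        Processes = $processes; Autoruns = $autoruns }
foreach ($section in $findings.Keys) {
    "== $section =="
    if ($findings[$section]) { $findings[$section] | Format-List | Out-String } else { '  none found' }
}
```

The HKCU entries reflect only the account the script runs under, so run it once from the affected user's session as well.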

#21
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

 

Kenjesse wrote: "Dr. M, I can see from the activity that you are helping multiple people. My hats off to you Sir,"

 

And I am at work at the same time!  :laughing:

 

Have a good night's sleep, and I'll be back to you when I get home.


  • 0

#22
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

Ken,

 

Please try to restore the system to an earlier state, before February 7th. Here are the instructions: System Restore - Microsoft Support

 

Let me know if there is any improvement. 


  • 0

#23
Kenjesse

    Member

  • Topic Starter
  • 110 posts

Dr. M.

 

Available Restore Point for "system" is 10FEB labeled as "automatic".  There are a couple more dated the 11th and 12th and are labeled "install".  I would have bet money that when I looked thru the initial scan results it showed two Restore Points with one dated the FEB prior to the 7th.  One of the missing folders is c:\Backup which is the folder that Tweaking.com Reg Backup puts its Shadow Volume produced reg backups.

 

I've got a contractor coming by anytime now to finalize some extensive work for my house so will be away from the computer for a few hours.  If you can point me to where the restore files are located, I'd be happy to look for earlier ones.


  • 0

#24
Kenjesse

    Member

  • Topic Starter
  • 110 posts

Well, look at that, it let me attach the file this time.  Screen shot of restore points.

Attached Thumbnails

  • Screenshot_Restore_Points_2025-02-12 132226.png

  • 0

#25
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

Yes... Unfortunately, no Restore Points before February 7th. 
 

Kenjesse wrote: "I would have bet money that when I looked thru the initial scan results it showed two Restore Points with one dated the FEB prior to the 7th."

 
What do you mean by "initial scan"?
 
Another thing to try:

 

Enable the built-in Administrator account

  • Press Windows icon key on your keyboard, together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter to execute it:
net user administrator /active:yes
  • Restart the computer and choose this account (Administrator) instead of the original user account.
  • Check the following: 
  1. If the issue with opening programs is still there
  2. If there are more Restore Points shown

  • 0
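To list every restore point and volume shadow copy with its creation date, instead of reading them from the System Restore dialog, the following can be run from an elevated Windows PowerShell 5.1 prompt (Get-ComputerRestorePoint is not available in PowerShell 7). This is an added example, not part of any post in this thread; the incident date is taken from the thread, with the year assumed from the screenshot file names.

```powershell
# Added example; run in an elevated Windows PowerShell 5.1 session.
# The incident date comes from the thread (February 7th; year assumed from the screenshot names).
$incident = [datetime]'2025-02-07'

# System Restore points. CreationTime is a WMI datetime string, so convert it.
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Source      = 'RestorePoint'
        Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Id          = $_.SequenceNumber
        Description = $_.Description
    }
})

# Volume shadow copies, which back restore points and "Previous Versions".
$shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Source      = 'ShadowCopy'
            Created     = $_.InstallDate
            Id          = $_.ID
            Description = $_.VolumeName
        }
    })

# One combined timeline, oldest first, with a flag for anything older than the incident.
$all = @($restorePoints + $shadowCopies | Sort-Object Created)
$all | Select-Object Source, Created, Id, Description,
    @{ Name = 'BeforeIncident'; Expression = { $_.Created -lt $incident } } |
    Format-Table -AutoSize

$usable = @($all | Where-Object { $_.Created -lt $incident })
if ($usable.Count -eq 0) {
    "No restore point or shadow copy predates $($incident.ToString('yyyy-MM-dd'))."
} else {
    $latest = $usable[-1]
    "Latest snapshot before the incident: $($latest.Created) ($($latest.Source) $($latest.Id))"
}
```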


#26
Kenjesse

    Member

  • Topic Starter
  • 110 posts

The 1st FRST64 scans that were done.  It's in the Additions scan, screenshot attached.  Been a very busy day, I'm calling it for now, will catch up with you tomorrow if that's OK.  I'll try the built-in Admin account after I've rested a bit.  Just another weird thing with something "saying" it's there and when you look or try to use it, it isn't...lol

Attached Thumbnails

  • Screenshot_Addition_Scan_1st_2025-02-12 155427.png

  • 0

#27
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

Good observation, Ken!

 

Bedtime for me now. See you tomorrow, when you are ready.


  • 0

#28
Kenjesse

    Member

  • Topic Starter
  • 110 posts

Sleep well and remember to wake up.  Behavior of Admin acct is same as current user account. Same restore points.


  • 0

#29
DR M


    The Grecian Geek

  • Malware Removal
  • 4,422 posts

Using the Administrator account we enabled in the previous post, do the following:

 

In-place upgrade

This will reinstall and update the operating system and fix any corruptions, without removing any file or program.

  • Go to this Microsoft page and under the title Create Windows 10 installation media press on Download tool now.
  • Save the tool on your Desktop and double click to run it.
  • On the License terms page, if you accept the license terms, select Accept.
  • On the What do you want to do page, select Upgrade this PC now, and then select Next.
  • Follow the instructions and select Keep personal files and apps, when you are asked to.
  • It might take a couple of hours, depending on your Wi-Fi connection speed, to install Windows 10. Your PC will restart a few times. Make sure you don’t turn off your PC.
  • After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC.

Let me know if everything ran smoothly.

 

We will continue from there. 


  • 0

#30
Kenjesse

    Member

  • Topic Starter
  • 110 posts

Good Afternoon Sir (I think) still early morning here,

 

I'm copying off the entire "app data" file tree, just in case.  As soon as that is done I'll start the in-place upgrade.  As soon as my neighbor is up and about I'll be getting with them to contact Family Tree Maker to re-download the installation file to try the repair, if the option is still available, for that program (with your approval of course).  Copy now at 24%.


  • 0





