Jump to content

Search the Community

Showing results for tags 'trojan.techsupportscam'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3 Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 2 results

  1. What is Office 1.00? The Malwarebytes research team has determined that Office 1.00 is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Office 1.00? You will see this screen as soon as the file is executed: You may see a short glimpse of this one before the screenlock and after you have stopped it: How did Office 1.00 get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for a cracked Office version. How do I remove Office 1.00? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. You may have to use the systems power button to shut the system down, or if you have that option, switch user and then shut down to get the system to reboot as this program actively stops a normal shutdown. Then boot into Safe Mode with Networking. As an alternative: we have found that in most cases the screenlock stops when you push the F7 key. After returning to your desktop, continue with the instructions below. You can use the Taskmanager to End the MicrosoftOffice process: Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Office 1.00? No, Malwarebytes removes Office 1.00 completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. Technical details for experts You may see these entries in FRST logs: (Microsoft ) C:\Users\{username}\Desktop\microsoftoffice- blue Screen.exe () C:\Program Files (x86)\Microsoft Office\MicrosoftOffice.exe HKCU\...\Run: [SC.exe] => C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe [253952 2017-07-18] () C:\Program Files (x86)\Microsoft Office Microsoft Office 1.00 (HKLM-x32\...\Microsoft Office 1.00) (Version: 1.00 - Microsoft) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Microsoft Office Adds the file MicrosoftOffice.exe"="7/18/2017 3:51 PM, 253952 bytes, A Adds the file Uninstall.exe"="9/19/2017 8:48 AM, 99895 bytes, A Adds the file Uninstall.ini"="9/19/2017 8:48 AM, 2781 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 1.00] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe" "DisplayName"="REG_SZ", "Microsoft Office 1.00" "DisplayVersion"="REG_SZ", "1.00" "EstimatedSize"="REG_DWORD", 346 "HelpLink"="REG_SZ", "mailto:support@microsoft.com" "InstallDate"="REG_SZ", "20170919" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\" "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Microsoft" "UninstallString"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe" "URLInfoAbout"="REG_SZ", "http://www.Microsoft.com/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SC.exe"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/20/17 Scan Time: 3:04 PM Log File: 3e2aa053-9e04-11e7-8352-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2850 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320367 Threats Detected: 7 Threats Quarantined: 7 Time Elapsed: 2 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850 Module: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850 Registry Key: 0 (No malicious items detected) Registry Value: 1 Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SC.EXE, Delete-on-Reboot, [77], [437097],1.0.2850 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Delete-on-Reboot, [77], [437097],1.0.2850 Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Delete-on-Reboot, [648], [437068],1.0.2850 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is Pcobserver? The Malwarebytes research team has determined that Pcobserver is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with Pcobserver? This is how the main screen of the registry cleaning application looks: You will find these icons in your taskbar and on your desktop: and this one in your Startup folder: Note that this one will download a Tech Support screenlocker given the chance. See reply to this post. And see these warnings during install: and these screens during "operations": You may see this entry in your list of installed programs: How did Pcobserver get on my computer? These so-called registry cleaners use different methods of getting installed. This particular one was bundled by other software. How do I remove Pcobserver? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Pcobserver? No, Malwarebytes removes Pcobserver completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this registry cleaner. As you can see below the full version of Malwarebytes would have protected you against the Pcobserver installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts You may see these entries in FRST logs: () C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPNewtworksSvcx.lnk [2017-04-05] ShortcutTarget: WMPNewtworksSvcx.lnk -> C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe (Windows Media Player) C:\Users\{username}\AppData\Roaming\Pcobserver Pcobserver (HKLM-x32\...\{1BFA4EE2-69A7-457C-B697-D332D6A17422}) (Version: 1.0.0 - Pcobserver) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Installer\{1BFA4EE2-69A7-457C-B697-D332D6A17422} Adds the file Pcobserver.exe"="4/6/2017 1:12 PM, 370070 bytes, RA Adds the file WRC9Setup2.exe"="4/6/2017 1:12 PM, 67646 bytes, RA In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Adds the file WMPNewtworksSvcx.lnk"="4/6/2017 1:12 PM, 1285 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver Adds the file installdetails.txt"="4/6/2017 1:13 PM, 0 bytes, A Adds the file Interop.Scripting.dll"="7/21/2016 7:17 AM, 32768 bytes, A Adds the file Pcobserver.exe"="9/7/2016 5:01 AM, 615936 bytes, A Adds the file Pcobserver.exe.config"="9/7/2016 5:01 AM, 641 bytes, A Adds the file Pcobserver.pdb"="9/7/2016 5:01 AM, 226816 bytes, A Adds the file Pcobserver.vshost.exe"="9/7/2016 4:50 AM, 11608 bytes, A Adds the file Pcobserver.vshost.exe.config"="8/9/2016 8:32 PM, 642 bytes, A Adds the file Pcobserver.vshost.exe.manifest"="7/14/2016 5:37 PM, 2502 bytes, A Adds the file Pcobserver.xml"="9/7/2016 5:01 AM, 38330 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background Adds the file Interop.IWshRuntimeLibrary.dll"="7/6/2016 4:04 PM, 49152 bytes, A Adds the file Interop.Scripting.dll"="7/11/2016 3:39 PM, 32768 bytes, A Adds the file PlatformInfo.dll"="7/10/2016 8:30 PM, 27136 bytes, A Adds the file WMPNewtworksSvcx.exe"="4/5/2017 10:41 AM, 244224 bytes, A Adds the file WMPNewtworksSvcx.exe.config"="4/5/2017 10:40 AM, 1616 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install In the existing folder C:\Users\{username}\Desktop Adds the file Pcobserver.lnk"="4/6/2017 1:12 PM, 2124 bytes, A In the existing folder C:\Windows\Installer Adds the file b0666.msi"="4/6/2017 1:12 PM, 1149440 bytes, A Adds the file SourceHash{1BFA4EE2-69A7-457C-B697-D332D6A17422}"="4/6/2017 1:12 PM, 20480 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{CUSID}\Products\2EE4AFB17A96C7546B793D236D1A4722\InstallProperties] "AuthorizedCDFPrefix"="REG_SZ"", "" "Comments"="REG_SZ"", "This installer database contains the logic and data required to install Pcobserver." "Contact"="REG_SZ"", "" "DisplayName"="REG_SZ"", "Pcobserver" "DisplayVersion"="REG_SZ"", "1.0.0" "EstimatedSize"="REG_DWORD"", 1266 "HelpLink"="REG_SZ"", "" "HelpTelephone"="REG_SZ"", "" "InstallDate"="REG_SZ"", "20170406" "InstallLocation"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\" "InstallSource"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install\" "Language"="REG_DWORD"", 1033 "LocalPackage"="REG_SZ"", "C:\Windows\Installer\b0666.msi" "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}" "Publisher"="REG_SZ"", "Pcobserver" "Readme"="REG_SZ"", "" "Size"="REG_SZ"", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}" "URLInfoAbout"="REG_SZ"", "" "URLUpdateInfo"="REG_SZ"", "" "Version"="REG_DWORD"", 16777216 "VersionMajor"="REG_DWORD"", 1 "VersionMinor"="REG_DWORD"", 0 "WindowsInstaller"="REG_DWORD"", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1BFA4EE2-69A7-457C-B697-D332D6A17422}] "AuthorizedCDFPrefix"="REG_SZ"", "" "Comments"="REG_SZ"", "This installer database contains the logic and data required to install Pcobserver." "Contact"="REG_SZ"", "" "DisplayName"="REG_SZ"", "Pcobserver" "DisplayVersion"="REG_SZ"", "1.0.0" "EstimatedSize"="REG_DWORD"", 1266 "HelpLink"="REG_SZ"", "" "HelpTelephone"="REG_SZ"", "" "InstallDate"="REG_SZ"", "20170406" "InstallLocation"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\" "InstallSource"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install\" "Language"="REG_DWORD"", 1033 "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}" "Publisher"="REG_SZ"", "Pcobserver" "Readme"="REG_SZ"", "" "Size"="REG_SZ"", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}" "URLInfoAbout"="REG_SZ"", "" "URLUpdateInfo"="REG_SZ"", "" "Version"="REG_DWORD"", 16777216 "VersionMajor"="REG_DWORD"", 1 "VersionMinor"="REG_DWORD"", 0 "WindowsInstaller"="REG_DWORD"", 1 [HKEY_CURRENT_USER\Software\DIS\Pcobserver] "Path"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\" "Version"="REG_SZ"", "1.0.0" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/7/17 Scan Time: 1:22 PM Logfile: mbamPcobserver.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.96 Update Package Version: 1.0.1680 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 325647 Time Elapsed: 1 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 1 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Quarantined, [5687], [387647],1.0.1680 Module: 2 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Interop.Scripting.dll, Quarantined, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Quarantined, [5687], [387647],1.0.1680 Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\PCOBSERVER, Delete-on-Reboot, [5687], [387647],1.0.1680 File: 17 PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\PCOBSERVER\PCOBSERVER\INSTALLDETAILS.TXT, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\Interop.IWshRuntimeLibrary.dll, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\Interop.Scripting.dll, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\PlatformInfo.dll, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Interop.Scripting.dll, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.pdb, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe.manifest, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.xml, Delete-on-Reboot, [5687], [387647],1.0.1680 PUP.Optional.Pcobserver, C:\USERS\{username}\DESKTOP\PCOBSERVER.LNK, Delete-on-Reboot, [5687], [387649],1.0.1680 Trojan.Dropper, C:\USERS\{username}\DESKTOP\WRC9SETUP.EXE, Delete-on-Reboot, [17], [387646],1.0.1680 PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WMPNEWTWORKSSVCX.LNK, Delete-on-Reboot, [5687], [387650],1.0.1680 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.