Numeric tech support scam


Malwarebytes program did not alert on this issue.  

Using my Chrome browser I had clicked a link in a Google search I had done about a local event happening nearby. It appeared to be a legitimate link and I even had glanced down in the bottom to see if the link looked ok before clicking it. Next thing I know I get the "Attention windows defender alert zeus virus detected". It looked just like the one on the Malwarebytes blog https://blog.malwarebytes.com/threat-analysis/2017/06/the-numeric-tech-support-scam-campaign/ I could not get out of it no how. Finally I powered down, let the system sit for a few minutes and powered back up. I did not restore the browser but did look at the history files and found a long list of URLs with just numbers for the addresses. I deleted the history followed by a CCleaner which now I wish I hadn't cause maybe there was info there that could have been used to figure this out, then did a Malwarebytes scan which came up clean and am now scanning with Defender. My question....Why didn't Malwarebytes activate?

Thanks
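
For readers who still have the browser history at this stage, a triage pass like the following lists visits to all-numeric hosts in time order, which shows which page led into the redirect chain. This is an added example, not part of the original posts: it assumes a copy of Chrome's History SQLite file (table `urls`, `last_visit_time` in microseconds since 1601-01-01 UTC), reads "just numbers" as IP literals or all-digit host labels, and uses a constructed in-memory database with made-up URLs in place of a real profile.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores visit times as microseconds since this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def is_numeric_host(host):
    """True for IP literals and for names whose labels (TLD aside) are all digits."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    core = labels[:-1] or labels  # ignore the TLD when there is one
    return all(label.isdigit() for label in core)

def numeric_visits(conn):
    """Return (UTC time, url) for history rows with a numeric host, oldest first."""
    rows = conn.execute(
        "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time")
    hits = []
    for url, ts in rows:
        if is_numeric_host(urlsplit(url).hostname):
            hits.append((WEBKIT_EPOCH + timedelta(microseconds=ts), url))
    return hits

def sample_history():
    """Constructed stand-in for a History copy; only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (url TEXT, title TEXT, last_visit_time INTEGER)")
    base = 13141000000000000  # constructed timestamp (falls in June 2017)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        ("https://www.google.com/search?q=local+event", "search", base),
        ("http://events.example/calendar", "clicked result", base + 5_000_000),
        ("http://0123456789.example/index.html", "", base + 6_000_000),
        ("http://192.0.2.44/alert/?id=7", "", base + 7_000_000),
        ("http://9876543210.1234.example/", "", base + 8_000_000),
    ])
    return conn

if __name__ == "__main__":
    for when, url in numeric_visits(sample_history()):
        print(when.isoformat(), url)
```

Run it against a copy of the History file made while the browser is closed, not the live file, by passing `sqlite3.connect(path_to_copy)` to `numeric_visits`.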


Defender scan came up clean. I am running in a limited user account so maybe that protected me. Now I just read about SMB and disabling that eeeek too much registry work I know I would get into trouble with. Just gonna have to keep the faith in my Malwarebytes 3 Premium and Defender. Take care. Cel. Consider this issue resolved.


Thank you. Note I use an external keyboard and mouse, USB wired, on my laptop. I run on a short Ethernet cable and have my wireless disabled and have the system set in airplane mode. This is because my system keeps dropping my Ethernet connection and searching out the wireless connection and I can't figure out why. It sometimes says looking for DNS. I just installed OpenDNS a couple hours ago hoping that would help but it didn't. I also have an unknown USB device that shows up in the device manager and cannot figure out what that is either. None of the MS diagnostics can tell what it is either. System came with Windows 7 and I migrated 8 to 8.1 to 10 etc. I would so like to wipe it and just run a clean 10 Creator and reinstall all my programs but a computer repair shop told me I would now have to buy the OS for $130.00. At this time I just want to make sure this system is safe to use for my banking and medical stuff. I couldn't figure out why my MB didn't flag this critter that popped up. Any help appreciated. I will not install, uninstall or clear out any files from this point forward till I get directions from you folks. Thanks for your time. Take Care.

FRST.txt

Addition.txt


  • Root Admin

Hello @cel01 and welcome

Please run Malwarebytes and check for updates. Then run a Threat Scan and post back that log. Then proceed and run the following.

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

 

 

Fix with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 


Hi Ron

Coming to u from another puter. I think I goofed things up. I pressed the fix button once, a bit later a window came up but it was blank and the button on it was blank. I waited 30 minutes and decided to click on the blank button. It did a restart but dumb me I clicked ok to repair c: instead of skip repair. Screen shows HP logo with the little dots going around in circles. Has been stuck on 11% for over an hour and the hard drive light is active but not really blinking any. Not too much you can do when the puter operator does dumb things. What do you think I should do? Just wait it out? Thanks, I really appreciate your help.


Took a chance, turned system off. Came back with everything but my image on the account log in (grin). Action center indicates it wants me to click there and do a restart to repair drive errors. I so wish I was more patient. This time I PROMISE not to do restart etc till I hear back from you or your crew.


  • Root Admin

I'm sorry, the fixlist told the computer to run a full disk check. I normally put a note to let you know it's going to run, but I see I missed that, sorry.

Go ahead and run a scan with Malwarebytes and do a Threat Scan and post back that log please.

Then let me know if you're seeing anything that looks like it might be malware still.

Thanks

Ron

 


Hi Ron:

Scan shows clean but I did have something weird happen when I opened Internet Explorer for the first time.  I included the report generated.  I think I read somewhere else in the forums about this but can't find the post now and can't recall what the final outcome was.  

I still am having problems with the DNS, websites won't load the first time around and many images don't load on the pages until it loads the second time.  It says "Err_network changed" then it loads. This is why I thought I may be infected with something.

Also when I check out my IP on the internet it says I am using the IPv6 address but when I look at network and sharing center it shows there is no server for IPv6 and only shows the OpenDNS as being used IPv4.  I attached text doc of network sharing info.

I am using a 10' Ethernet connection and have wireless disabled, in fact running in airplane mode to make sure wireless is disabled. I only have my Roku1 on my wireless and I have that set up on the TimeWarner Ubee Modem Router to be the only MAC address that can access wireless. If I need to print something then I add the printer MAC address to the router, do the printing, then remove the address.

I haven't a clue on that original alert about the Zeus Virus and Malwarebytes not alerting but to the best I can tell and with your help this computer shows clean of any critters so I guess I will have to take it to a shop. Oh, I found the fix for the "unknown device" issue on a Hewlett Packard Company forum, it was a graphics driver.

Question:  Should I go back and have the system do a complete c:/ disk check.  I had turned off the puter after it hung up at 11% and never completed that process?

Thank you so much for your time, expertise and assistance it is greatly appreciated.  I recommend MB Premium to all my friends.

Cel 

mbscanlog_06_19_17.txt

exploit_iexplorer.txt

networksharing.txt


  • Root Admin

There is nothing wrong with having an IP6 address, but the threat of running out of IP4 addresses was pretty much abated by other means of super subnetting.

This shows you have the IP6 protocol enabled.

Temporary IPv6 Address: 2604:6000:ff05:5e00:f548:be43:c39:8a3
Link-local IPv6 Address: fe80::5085:2d8a:8a3b:33b0%2
IPv6 Default Gateway: fe80::461c:a8ff:fed4:86b2%2

You can turn it off if you want. I've turned it off on many systems with no ill effects. If you look at the "properties" of your LAN Network connection you'll see a check mark for IP4 and IP6 - just uncheck the IP6 if you don't want to use it. Everything will still work.

That specific block was from our program blocking something that tried to run a VB Script file on your computer. In "most" cases there is no need to run a VB Script from IE, and it can be dangerous.

We can run a couple other scanners and see if they find anything, but my guess is they will not.

 

 

Please download and run the following Kaspersky antivirus tool to remove any found threats

Kaspersky Virus Removal Tool

Then, if it does find something let me know.

Ron

 


Found a couple things.

One file....not-a-virus:NetTool.Win64.NetFilter.lg I deleted this one no problem but trying to get the wppvcy driver was a tad more difficult. The exe for the old WinPrivacy program I had from 2015 in where I keep my downloads was easy to delete but the driver took a bit of doing. C:\Windows\System32\drivers\wppvcy.sys When Bret took over WinPatrol I tried out the WinPrivacy program. Decided I didn't want it and uninstalled it. It took some doing but finally I was able to delete this file and its backup.

In regards to the exploit alert. I have my three browsers, Edge, IE and Chrome, all set to open to google.com; they all open https://www.google.com but with Internet Explorer, the first time I opened it I got that exploit alert. Does that mean there is something amiss with the google page that is coming up?

System still disconnecting from the internet  says ERR_INTERNET_DISCONNECTED or a few times said ERR_NETWORK_CHANGED  the fact it says it changed has me concerned....what changed? am I seeing a legitimate website?

Thanks

Cel

 

 


  • Root Admin

Do you only see that in Internet Explorer?

Make sure your date and time are correct on the computer. That can sometimes have odd behavior for some programs.

Then let's reset your browser settings and see if that helps or not.

 

Please visit the following site and let's reset your IE browser back to defaults to prevent unexpected issues.
 

Internet Explorer
How to reset Internet Explorer settings

Then restart the computer and let me know if you're still having an issue with IE.

There could possibly be a network driver issue. You could try updating that with a newer one.

Let me have you run the following to get the hardware specs and some software information for that hardware please.

 

 

Provide System Specifications:

  • Please download Speccy from here and save the installer to your desktop or another location where you can easily find it.
  • Double-click the file to begin installation and follow the onscreen steps to complete the installation and make sure that the checkbox next to Run Speccy is checked before you click on Finish at the end.
  • Once the program starts it will analyze your system, please be patient as it may take a few moments to complete.
  • Once it finishes and none of the areas say Analyzing click on the File button at the top and select Save Snapshot...
  • Save the file to your desktop and click Ok to confirm
  • Go to your desktop and right click on the file you just created and hover over Send to and select Compressed (zipped) Folder
  • Please attach the zip file you just created to your next post

 

Thank you again

Ron


 


I reset IE. So it is back like it was per instructions on the page. Note I have also uninstalled Java, per the info I collected from Corrine at the Security Gardens blog.

No exploit alerts on IE now.

I just recently added Speccy on my system but I uninstalled it and installed the file copy you recommended. I ran the exe for 64 systems. I did a file snapshot and zipped that.

Something I think is on this system is calling out to connect to my wireless system and when it does it disconnects me from the Ethernet cat5 hardwire. I have the wireless turned off on this laptop and am even running in Airplane mode too.

Thank you for all your time with this it is greatly appreciated!  I am concerned. I was logged into banking account went to log out and then it did a disconnect saying  "Your connection was interrupted. A network change was detected. ERR_NETWORK_CHANGED" hitting refresh the banking website home page came up with me being logged off.

Have a good day

Cel 

 

 

HP.zip


  • Root Admin

Unable to access the HP update site at the moment.

This should be the latest AMD video driver for your computer.

There is a newer driver from Realtek on this page but I'd rather look on the HP site to verify an updated driver for it.

Remind me tomorrow or later tonight and I'll recheck the HP site for an updated network driver.

Ron


This topic is now closed to further replies.