
3rd party used Ultraviewer to update Garmin GPS, and more in scam...


Good day,

Late last year my father was trying to update his Garmin GPS and he selected the wrong site which sent him to a "support" agent. The support agent had him install Ultraviewer to assist him with his problems. Dad downloaded it, gave him the password, and the guy was in.

Over several months this guy and his "support team" provided IT "support" to my Dad. I wasn't involved, so I do not know everything that went on. What I do know, is: The IT support included updating the GPS, installing Ultraviewer on two other computers (I have factory reset them already), new Microsoft Office was installed, Windows 11 on two computers, and also included the installation of an SQL server to "secure the network" after a ransomware attack on one of the computers that I've already factory reset.

I finally became involved when he received an email from Google stating that they had suspended his Google Ads account (which he did not create, although they used his personal email to create the ad). While I have uninstalled and deleted everything that I could pinpoint was downloaded by these individuals, I know that there is more buried somewhere. 

We are in the process of changing all passwords and other assorted things. 

I saw a previous thread on here where someone else dealt with Ultraviewer and have followed most of the steps that were listed there (I will attach the txt files). Any further assistance and advice would be greatly appreciated.

AdwCleaner[C00].txt MBscan 3-17.txt Search.txt Search-folder.txt SearchReg.txt


  • Root Admin

Hello @currahee1

If you're able to it might be best to simply use software like Macrium Reflect Free (no cost, free for personal use) imaging software to make a full image backup of both computers to an external USB hard drive.

Then do a CLEAN install of Windows 10 on both systems to ensure that nothing is leftover from this remote site.

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

 

The links below show how to do a CLEAN install of Windows which includes removing ALL partitions. Greg has an excellent article but I don't agree with him about keeping or using a Microsoft Online account. Yes, it allows syncing and some nice features but when you're dealing with potential threats and users that might have or know a lot more about you than you'd like then I'd keep everything local. So during install, I would shut off the router and only turn it back on AFTER creating a Local Admin account.

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

I'd also suggest doing a Factory Reset of the router BEFORE doing a Clean Install of Windows

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 to 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

Going through all these logs and trying to "clean up" one can never guarantee how safe the computer is at this point when someone has had full access to it for a long time now.

 

The complexity of finding, preventing, and cleanup from malware
https://forums.malwarebytes.com/topic/130154-the-complexity-of-finding-preventing-and-cleanup-from-malware/

 


Thank you for your reply @AdvancedSetup. I intend to begin resetting the router and begin the clean installs on the known infected computers shortly. I apologize for all the follow up questions, but as I dig into this situation, I keep finding out more details...

-My father kept his backup external hard drive, a thumb drive, and an SD card plugged into the main infected computer, rather than only connecting them when needed. How would you recommend preventing the files on these items from infecting the clean install after I finish it?

-Do you have any advice about how to handle another computer that was connected to the home network, but never had the Ultraviewer installed? I will be running Malwarebytes and CCleaner on it shortly.

-There are two Android devices that I have learned about that were connected to the two infected laptops for "updates"... Do you have any recommendations for handling them?

-Are there any concerns for Apple products (iPhones and iPads) that were also connected to this home network?


18 hours ago, AdvancedSetup said:

I'd also suggest doing a Factory Reset of the router BEFORE doing a Clean Install of Windows

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 to 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

Update on resetting the router:

-I could not find anything that specifically mentions "ICMP" pings, but the setting for "Respond to ping on internet port" (is this the same thing?) is not selected.
-Router password has been changed to something stronger, and set to "WPA2-PSK [AES]". WPA3 was not an option (options were: WPA2-PSK [TKIP], WPA2-PSK [AES], WPA2-PSK [TKIP] + WPA2-PSK [AES], and WPA/WPA2 Enterprise).
-Remote management disabled.
-Could not find how to create separate WiFi groups, but will keep looking.
-Changed network name.
-Updated router firmware.
-Set it to block TCP/UDP ports listed.
-New passwords have been documented.

 

If I'm not missing anything, I'll move onto performing the Clean installs.


  • Root Admin

The external hard drives can be scanned with Windows Defender or ESET. Malwarebytes can scan them, but we don't keep old definitions or perform flat-file scanning, as that is not typically how computers are infected. These other antivirus programs do keep old definitions going back even beyond a decade in many cases.

The Android or iPhone can be wiped if you're certain you have the data you want. In general, it's unlikely that the phones were a target of the attack but perhaps just like the PC, there may have been data siphoned off of them. The choice is yours once again. You can export any data you believe is important and then look at doing a Factory wipe and reinstalling of the OS.

Let me know if you have any other questions or concerns.

Thanks

Thanks again @AdvancedSetup

Should I be concerned about spreading anything if I reuse the USB keyboards and mice that were attached to these computers? 

My parents have decided to replace at least one of the computers with a new one. Do you have any recommendations for setting it up, considering that it may be exposed to that external hard drive that was connected to one of the computers that had Ultraviewer installed on it?

Thanks again.


  • Root Admin

Files, Folders, Applications on a remote drive mean nothing to the operating system if Windows has been reinstalled or is a new computer. It is NOT installed anymore so is just a file sitting on a drive.

Keyboards and Mice typically have no means to infect them.

Once you have a computer setup and are fully updated with all Microsoft updates then run either Microsoft Safety scanner on the drive or ESET, or both. Make sure you choose custom and choose the external USB drive to scan.

 

You would need to choose CUSTOM scan and select the external USB DRIVE.

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.
Next  ESET ->

Make sure you double-check the options to ensure it is scanning or will scan external USB drives before running the scan.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

Thank you for all of your help so far @AdvancedSetup. I know you wanted me to include a scan report on this response, but I need to provide an update to see how I proceed before running that scan.

My father purchased a new laptop through Best Buy, and he purchased the Geek Squad tech support package for more basic level support. Geek Squad is currently completing the wipe and clean installs on the previously affected computers as I type, since I didn't feel comfortable tackling that myself...

Now, for the issue that necessitates the update... My father, despite my instructions, inserted the potentially infected USB thumb drive into his new laptop, supposedly scanned it with Malwarebytes, and then accessed at least one file on it. Should I plug both the thumb drive and the external hard drive into this new laptop and run the scans that you listed in your last reply now? Or are there additional steps that you recommend before I complete those scans?

Thanks again.


{{ pardon my intrusion}} {{tip }} Before plugging in USB devices that may be of dubious security ...first, press and hold the SHIFT-key on keyboard before and during plug-in of USB-connector. That action prevents any auto-execute from that device.


On 3/22/2022 at 3:19 PM, Maurice Naggar said:

{{ pardon my intrusion}} {{tip }} Before plugging in USB devices that may be of dubious security ...first, press and hold the SHIFT-key on keyboard before and during plug-in of USB-connector. That action prevents any auto-execute from that device.

Thanks for the tip @Maurice Naggar. I'll definitely be sure to do that once @AdvancedSetup advises whether to go ahead and run the scans he mentioned prior to my update post yesterday, or prescribes additional measures first regarding the new computer that has been exposed to the potentially infected thumb drive.


  • Root Admin
On 3/18/2022 at 3:27 PM, AdvancedSetup said:

Once you have a computer setup and are fully updated with all Microsoft updates then run either Microsoft Safety scanner on the drive or ESET, or both. Make sure you choose custom and choose the external USB drive to scan.

 

Yes, please include the advice from @Maurice Naggar and if/when the new computer is ready you can use that too. The bottom line is you don't want any automated mounting or running of any USB drive when it's first connected.

All computers involved should have a full scan from both Microsoft and ESET as well as scanning ALL external USB drives, and / or Thumb drives too.

Let me know if you have any other questions or concerns @currahee1

  • Root Admin

Please review the following but DO NOT download or run anything from their site.

https://www.nucleustechnologies.com/blog/three-methods-to-disable-autorun-in-windows-10/

https://www.windowscentral.com/how-configure-autoplay-windows-10

Thank you again @AdvancedSetup. I have completed the Microsoft Security Scan on the new computer (with USB hard drive plugged in after turning off AutoRun), and am running ESET as I type. I have attached the log for that, as you requested in your previous instructions.

I do have an additional question/concern... My father has scanned and saved a lot of documents, pictures, etc. to SD cards during this time. Should I be concerned that these may be infected/compromised as well? If so, what step(s) do you recommend cleaning these SD cards?

Thanks.

msert-newcomp.txt


  • Root Admin

The SD cards are normally just another USB type card that needs to be scanned as the other normal external USB drives do.

The scan can hopefully detect any infected files; as for being compromised in the sense that whoever had full remote access could have copies of all files or see, know, etc. about them, that is just unknown. If the company was a legitimate company I wouldn't worry too much about it, as most would not compromise their business by doing such.

The computer appears to be reasonably quick or not have a lot of data on it. The Microsoft log appears to have taken a couple of hours to complete which is good.

On 3/24/2022 at 4:08 PM, AdvancedSetup said:

The SD cards are normally just another USB type card that needs to be scanned as the other normal external USB drives do.

The scan can hopefully detect any infected files; as for being compromised in the sense that whoever had full remote access could have copies of all files or see, know, etc. about them, that is just unknown. If the company was a legitimate company I wouldn't worry too much about it, as most would not compromise their business by doing such.

The computer appears to be reasonably quick or not have a lot of data on it. The Microsoft log appears to have taken a couple of hours to complete which is good.

 

Thanks for the feedback @AdvancedSetup. I'm about to start scanning his SD cards now. The previous scan report was on the new computer, which is why it was so fast.

Another question, is there a way to access the Microsoft Safety Scanner logs that are run after the first one? So far when I type in the destination that you gave me earlier in this thread, it just comes up with the information for the first scan (where I saved it as a .txt file).


  • Root Admin

Hello @currahee1

That Microsoft Safety Scanner only runs once. It's not the built-in Windows Defender.

You can click on Start and type in PowerShell and then on the right click to run with Administrator rights.

Then inside PowerShell copy and paste the following and press the Enter Key

Get-MpThreatDetection
As said, you can and probably should also be using the ESET antivirus scanner as well for secondary confirmation.
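The AutoRun/AutoPlay advice in this thread (no automated mounting or running of any USB drive when it is first connected, and the two articles linked in the earlier reply) and the Get-MpThreatDetection command above can be combined in one script. The following is an added PowerShell example, not part of the thread and not Malwarebytes' own guidance: it sets the two registry values the linked articles change through the GUI, runs a Windows Defender custom scan of one external drive, and prints Defender's detection history with threat names resolved. The drive letter E: is a placeholder for the USB drive or SD card; run it from an elevated PowerShell window as described above.

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell.
# Placeholder: set $DriveLetter to the USB drive or SD card that should be scanned.
$DriveLetter = 'E:'

# The registry policy and the Defender scan both need Administrator rights, so stop early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Re-open PowerShell with "Run as administrator" and run this again.'
}

# 1. Disable AutoRun for every drive type, machine-wide.
#    NoDriveTypeAutoRun is a bit mask of drive types; 0xFF sets every bit, so
#    Windows processes no autorun.inf from any drive that gets connected.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null

# 2. Disable AutoPlay for the current user (same effect as the Settings > AutoPlay switch).
$autoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
if (-not (Test-Path $autoplayKey)) { New-Item -Path $autoplayKey -Force | Out-Null }
New-ItemProperty -Path $autoplayKey -Name 'DisableAutoplay' -PropertyType DWord -Value 1 -Force | Out-Null

# Read both values back so the change is confirmed rather than assumed.
$autorun  = (Get-ItemProperty -Path $policyKey   -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
$autoplay = (Get-ItemProperty -Path $autoplayKey -Name 'DisableAutoplay').DisableAutoplay
'NoDriveTypeAutoRun = 0x{0:X2}, DisableAutoplay = {1}' -f $autorun, $autoplay

# 3. Custom Windows Defender scan of the external drive only (the "custom scan,
#    select the USB drive" step from the earlier reply). Start-MpScan waits for the scan to finish.
$scanPath = $DriveLetter.TrimEnd('\') + '\'
if (-not (Test-Path $scanPath)) {
    throw "Drive $DriveLetter is not present. Connect it, then run this script again."
}
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath $scanPath

# 4. Defender's detection history. Get-MpThreatDetection reports numeric ThreatIDs;
#    Get-MpThreat supplies the matching names, so the two are joined here.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime,
                  @{ Name = 'Threat';    Expression = { $threatNames[$_.ThreatID] } },
                  @{ Name = 'Cleaned';   Expression = { $_.ActionSuccess } },
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

An empty table at the end means Defender has no recorded detections on that computer; it does not cover what the Microsoft Safety Scanner or ESET found, which stay in their own logs.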

10 hours ago, AdvancedSetup said:

Hello @currahee1

That Microsoft Safety Scanner only runs once. It's not the built-in Windows Defender.

You can click on Start and type in PowerShell and then on the right click to run with Administrator rights.

Then inside PowerShell copy and paste the following and press the Enter Key

Get-MpThreatDetection
As said, you can and probably should also be using the ESET antivirus scanner as well for secondary confirmation.
Oh, okay. I misunderstood you @AdvancedSetup. I thought that you meant to scan every USB device with both Microsoft Safety Scanner and ESET (which I did). Do I need to scan all of those USB devices with this Windows Defender/PowerShell too (sorry, I'm a little lost at this point)? Or some other scan besides MS Safety Scanner and ESET?


  • Root Admin
On 3/27/2022 at 11:34 AM, currahee1 said:

Thanks for the feedback @AdvancedSetup. I'm about to start scanning his SD cards now.

Another question, is there a way to access the Microsoft Safety Scanner logs that are run after the first one?

SD cards are the same as USB so if you've already scanned all of them with Microsoft Safety Scanner as well as ESET and removed any detections found then that should be good.

What is your current state of operations? Have you finished all antivirus scans and all is clean at this time?

If so, then please restart the computer one more time and get me new Farbar logs.
Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
     Do not click on any Ads.
  2. Locate the file you downloaded on your computer.
     Downloaded files are often saved to the Downloads folder.
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.
  4. A "Windows protected your PC" notification may appear. This notification is from the Windows Defender SmartScreen Filter, which prevents unfamiliar apps from running on your PC.
     Disable SmartScreen ONLY if it interferes with software we may have to use: What is SmartScreen and how can it help protect me?
       a. Click More info.
       b. Click Run anyway.
  5. When the User Account Control window appears, click Yes.
  6. To accept the Disclaimer of warranty, click Yes.
  7. Ensure only the boxes listed below are checked:
     Registry, Services, Drivers, Processes, Internet, One month, Addition.txt
  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
     Please remember to re-enable any Antivirus software when we are finished running scans.
     Click Scan. The scan may take a few minutes to complete.
  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:
     • Scan completed. FRST.txt is saved in the same directory FRST is located.
     • Addition.txt is saved in the same directory FRST is located.
     Click OK to close each message window.

Please attach both of those logs on your next reply; DO NOT copy/paste the contents of the logs directly.
Thanks

13 hours ago, AdvancedSetup said:

SD cards are the same as USB so if you've already scanned all of them with Microsoft Safety Scanner as well as ESET and removed any detections found then that should be good.

What is your current state of operations? Have you finished all antivirus scans and all is clean at this time?

If so, then please restart the computer one more time and get me new Farbar logs.

Hello @AdvancedSetup,

My current state is as follows:

- I am waiting to get the last laptop back from Geek Squad (had to have them replace a cooling fan on it). I expect it later this week.
- I have run Microsoft Safety Scan and ESET full scans on all the computers currently in my possession.
- I have run Microsoft Safety Scan and ESET custom scans on all of his USB drives and SD cards (except for one lost thumbdrive).
- All scans are showing clean right now.

Point of concern:

I am not 100% sure that Geek Squad did a clean install of Windows on the affected computers. I think it could be possible that they may have only factory reset them. I say this because I specified that they install Windows 10 on the laptops, but the one that I have already received back has Windows 11 still on it... The scammer "upgraded" the two laptops from Windows 10 to Windows 11 as part of his IT guy scam, along with installing the "SQL server" that I mentioned earlier, which concerns me if Geek Squad only factory reset those two from the cloud. What are your thoughts about how I should proceed with that?


I have attached the requested logs.

Addition.txt FRST.txt


  • Root Admin

This is NOT a clean install of Windows. It does look to be a Factory Reset -

NOTE: Windows 11 will automatically update on a Windows 10 machine from Microsoft. It's not like it is or was some "trick, or scam" in that sense.

You would have to enable a policy to stop Microsoft from updating the computer to Windows 11

 

I would also get rid of Avast and use Windows Defender until you're certain all systems are clean and working well.

 

If you feel you have the skillset to do a clean install I'd suggest at least trying it. It's not really all that difficult these days and I can help if needed.

Let me know

 

Also, I believe you've already done a factory reset on your router, but if not let me know that as well

1 hour ago, AdvancedSetup said:

This is NOT a clean install of Windows. It does look to be a Factory Reset -

NOTE: Windows 11 will automatically update on a Windows 10 machine from Microsoft. It's not like it is or was some "trick, or scam" in that sense.

You would have to enable a policy to stop Microsoft from updating the computer to Windows 11

I would also get rid of Avast and use Windows Defender until you're certain all systems are clean and working well.

If you feel you have the skillset to do a clean install I'd suggest at least trying it. It's not really all that difficult these days and I can help if needed.

Let me know

Also, I believe you've already done a factory reset on your router, but if not let me know that as well

Ugh, thank you for confirming what I suspected about the factory reset rather than a clean install. And thank you for the info about the Windows 10 to 11 update.

I will try to do a clean install. Maybe this time I can wrap my head around the concept and understand it better. I would definitely appreciate all the help/tips/tricks that I can get.

Yes, I did factory reset the router, and applied as many of your suggestions as possible.
