PC crash followed by phone call scam - Techist - Tech Forum

Old 05-25-2016, 01:13 PM   #1
porgorg (Junior Techie; Join Date: Jul 2008; Location: UK; Posts: 76)
PC crash followed by phone call scam

I'm sure most people have heard about these phone call scams where they offer to fix your PC over the phone. A friend of a friend had this recently and wants me to secure his PC (he's running Windows 10).
I was told that all of a sudden his PC crashed, and then he got a call on his mobile from people claiming they were from BT; they apologised for the crash and said they would give him 100 compensation. They then made out that they had paid him 200 by mistake and asked if he could pay back 100.

Anyway, I've been asked to clean his PC to get rid of any access 'they' have. I think they were able to see his screen, but I'm unsure if they have access to his email.
Just wondering if a few virus checks with Malwarebytes Anti-Malware and the like would sort it, or is a reinstall of Windows 10 recommended?
I haven't spoken to the guy about it yet so I'll add things if they seem relevant.

Thanks
Old 05-25-2016, 01:42 PM   #2
MidnightShadow (Night Ninja; Join Date: Jun 2015; Location: USA; Posts: 769)
Re: PC crash followed by phone call scam

I have not seen one single instance of this where the person on the phone legitimately knows that the computer has an issue or has crashed. I'm going to presume that this was simply a coincidence. If you ask MOST basic users if their computer is slow at times, they're going to say yes. It's a pretty broad scope they dip into to scare people. They usually also show them the "errors" on the computer by using the Event Viewer to show them the common and completely normal things that show up as a scare tactic.

That said, if you want to check it out and make sure it's clean then run a scan with MBAM. You can also run MBAR to check for any rootkits. No need to re-install Windows unless there's a giant mess of the OS files, which is rare.
Old 05-26-2016, 08:31 AM   #3
porgorg (Junior Techie; Join Date: Jul 2008; Location: UK; Posts: 76)
Re: PC crash followed by phone call scam

Quote (Originally Posted by MidnightShadow):
    I have not seen one single instance of this where the person on the phone legitimately knows that the computer has an issue or has crashed. I'm going to presume that this was simply a coincidence.
Thanks, I hope this was the case as otherwise I suppose that would mean they had total control of his machine and a reinstall was in order. I still haven't talked to the guy yet to get the full story.

Quote (Originally Posted by MidnightShadow):
    You can also run MBAR to check for any rootkits. No need to re-install Windows unless there's a giant mess of the OS files, which is rare.
Will give this a go, cheers. Was thinking that there might be some blatantly obvious ad/malware programs in the Programs list. I've seen that before when someone installed an adblock program they found searching Google.
Old 05-26-2016, 08:40 AM   #4
carnageX (Private Joker; Join Date: Feb 2007; Location: South Dakota; Posts: 23,915)
Re: PC crash followed by phone call scam

Firstly, run a scan with Malwarebytes Antimalware (the Free version is fine, you don't need to activate the Pro trial). Scan with it, delete whatever it finds, reboot and post the log here. Download it from here:
https://www.malwarebytes.org/mwb-download/

Secondly, run a scan with AdwCleaner. Same as above, scan with it, delete what it finds, post the log file here. Download from here:
AdwCleaner Download

Thirdly, run a scan with HiJackThis. Run it as Admin, pick the "scan and generate log" option, and then post the logfile here. Do NOT remove ANYTHING unless told to do so, as removing the wrong entry can damage your system. Download it from here:
HiJackThis | SourceForge.net
Old 06-11-2016, 11:24 AM   #5
porgorg (Junior Techie; Join Date: Jul 2008; Location: UK; Posts: 76)
Re: PC crash followed by phone call scam

Finally got to scan the computer.
The results of the Malwarebytes scan were too long to post, but it quarantined 1475 infections.

After that, ADW didn't really find anything, but here are the results:
# AdwCleaner v5.119 - Logfile created 11/06/2016 at 16:51:39
# Updated 30/05/2016 by Xplode
# Database : 2016-06-10.1 [Server]
# Operating system : Windows 10 Home (X64)
# Username : Mark - ILMPC_GAME
# Running from : C:\Users\Mark\AppData\Local\Microsoft\Windows\INetCache\IE\D7IUZIFH\AdwCleaner.exe
# Option : Scan
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\PicRec
Folder Found : C:\Program Files (x86)\TotalRecipeSearch_14
Folder Found : C:\Program Files (x86)\TotalRecipeSearch_14
Folder Found : C:\WINDOWS\Microsoft\sogr
Folder Found : C:\Users\Mark\AppData\Local\TotalRecipeSearch_14
Folder Found : C:\Users\Mark\AppData\Local\TotalRecipeSearch_14
Folder Found : C:\Users\Mark\AppData\LocalLow\iac
Folder Found : C:\Users\Mark\AppData\LocalLow\Yahoo! Companion
Folder Found : C:\Users\Mark\AppData\LocalLow\Yahoo!\Companion
Folder Found : C:\Users\Mark\AppData\LocalLow\IAC
Folder Found : C:\Users\Mark\AppData\Roaming\Search Protection
Folder Found : C:\Users\Mark\AppData\Roaming\Yahoo!\Companion

***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****

Shortcut Infected : C:\Users\Mark\Desktop\Search.lnk ( hxxp://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=7beb57bd-645f-4248-0f3a-44d50895e549&searchtype=sc&fr=linkury-tb&installDate=12/08/2014&barcodeid=37903&um=0&type=hp2000 )
Shortcut Infected : C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk ( hxxp://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=7beb57bd-645f-4248-0f3a-44d50895e549&searchtype=sc&fr=linkury-tb&installDate=12/08/2014&barcodeid=37903&um=0&type=hp2000 )
Shortcut Infected : C:\Users\Mark\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk ( hxxp://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=7beb57bd-645f-4248-0f3a-44d50895e549&searchtype=sc&fr=linkury-tb&installDate=12/08/2014&barcodeid=37903&um=0&type=hp2000 )

***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}
Key Found : HKLM\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}
Key Found : HKLM\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}
Key Found : HKLM\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}
Key Found : HKLM\SOFTWARE\Classes\AppID\YCAPlugin.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YPUBC.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YTabBar.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YTBM.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YTMsgr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YTSingleInstance.DLL
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearch_14bar Uninstall Firefox
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearch_14bar Uninstall Internet Explorer
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.BandObjectAttribute
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.DockingPanel
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.IESmartBar
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.IESmartBarBandObject
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.SmartbarDisplayState
Key Found : HKLM\SOFTWARE\Classes\IESmartBar.SmartbarMenuForm
Key Found : HKLM\SOFTWARE\Classes\Sample.BrowserHandler
Key Found : HKLM\SOFTWARE\Classes\Sample.BrowserHandler.1
Key Found : HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample
Key Found : HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.FeedManager
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.FeedManager.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.HTMLMenu
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.HTMLMenu.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.HTMLPanel
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.HTMLPanel.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.MultipleButton
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.MultipleButton.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.PseudoTransparentPlugin
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.PseudoTransparentPlugin.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.Radio
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.Radio.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.RadioSettings
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.RadioSettings.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ScriptButton
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ScriptButton.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.SettingsPlugin
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.SettingsPlugin.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ThirdPartyInstaller
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ThirdPartyInstaller.1
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ToolbarProtector
Key Found : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14.ToolbarProtector.1
Key Found : HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin
Key Found : HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin.6
Key Found : HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin
Key Found : HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4
Key Found : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
Key Found : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
Key Found : HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin
Key Found : HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin.1
Key Found : HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl
Key Found : HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1
Key Found : HKLM\SOFTWARE\Classes\YPUBC.DataStore
Key Found : HKLM\SOFTWARE\Classes\YPUBC.DataStore.1
Key Found : HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler
Key Found : HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler.1
Key Found : HKLM\SOFTWARE\Classes\YPUBC.StringList
Key Found : HKLM\SOFTWARE\Classes\YPUBC.StringList.1
Key Found : HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl
Key Found : HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl.1
Key Found : HKLM\SOFTWARE\Classes\YTBM.YTBMButton
Key Found : HKLM\SOFTWARE\Classes\YTBM.YTBMButton.1
Key Found : HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance
Key Found : HKLM\SOFTWARE\Classes\YTSingleInstance.SingleInstance.1
Key Found : HKLM\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}
Key Found : HKLM\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{39DCCEAF-C749-4390-9953-527CF916935C}
Key Found : HKLM\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}
Key Found : HKLM\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}
Key Found : HKLM\SOFTWARE\Classes\AppID\{7375D127-3955-4654-8E7D-1949A7A9C902}
Key Found : HKCU\Software\Classes\CLSID\{8a7d2060-824d-4b17-b00a-759b1b5f30d9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B33BD6CF-BF4C-4CF0-AC84-B2974BC14ABD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B7A0E898-93E5-43f4-B99A-6C70B303699C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D40A62D1-8FC0-4F03-90C4-0DE03BE73A41}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DDCED22E-D018-471D-9A5C-A4EA2F21133D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E1A2D448-6334-45ec-8800-6D7F71DC87FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F9A10D86-182A-4946-869B-70C3D109D14D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03f3147c-cea6-4aae-b0ae-8d8abe7a8080}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2502086b-5a46-4d05-8d5b-a1e77ab8bb32}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{396a4e14-83e7-4941-b0d9-b598e1b97197}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{76f3207c-3a0a-461b-b958-5653c5718243}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{895f3dbd-2484-4a14-a0ea-c3252ebb0ff7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{8c4b563e-52a1-4a10-b700-f8bf1cd7b726}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9e5c950c-93f2-46b4-a47e-8450fff4d841}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{a0154e07-2b48-475c-a82a-80efd84ea33e}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A4503EC3-1111-4B62-8F46-0D88508F8A7B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{a9c524bf-4044-402a-aa00-8c3b3da86125}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{b38fbaed-ded1-4ba6-ba2e-f2515fd49442}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{b5ede79d-b004-47dd-93f9-152b0d145914}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{d0690e53-168c-4632-99b2-5700228f760f}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{e1f82c34-7195-49a8-9c9b-47c064c22132}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{e8106344-16d4-41d1-9a2a-0521a59199ea}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{f62d46cc-3eb0-4b4f-a11a-663f834e78b3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{fc1025d1-c5d8-4a1b-bb68-6b79c51c54e4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{11D5E9EA-3117-4389-8E58-742F0975C980}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2723E96B-905F-4C64-8999-D868A08E6370}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2FCB4E7E-E5C7-4D07-BB2C-78DF2DA867AD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3D592FCB-FEFD-43A6-9A4F-BDE2D4607D07}
Key Found : HKLM\SOFTWARE\Classes\Interface\{67E5E37C-E6B8-4782-877D-E9437C4CD982}
Key Found : HKLM\SOFTWARE\Classes\Interface\{686D40BC-FA43-4317-8474-E634E6B487F2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A310B105-FB7D-4497-A7E8-E046462B012F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DF522774-8CA0-4B15-A93A-5F61AB95DA1C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F9A10D86-182A-4946-869B-70C3D109D14D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{371AD4A5-1520-4AA2-A8A4-F9AD3BAC6957}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7F124846-5453-4BB8-A41D-E11481FFC9DF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8FD65019-BF09-45DA-AD81-E95AE911F1FD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0384459A-9D5E-4AE1-B154-8EAC39721C97}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0CE10DC6-DB5B-4255-BB4C-420C9B8D4F60}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23A73CDC-711C-4D7E-AECC-D9AECFA152AA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2D465563-7CA8-45EC-83F2-6F5C293762F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{377DB814-EBF3-464B-8688-AAE2798E1999}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3B0C32DB-699F-4B5E-BE81-1E78693D50D9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{40FE5A09-64EC-411D-B743-7EA5EC3CBD60}
Key Found : HKLM\SOFTWARE\Classes\Interface\{41CA38C7-E4D6-4DE4-A667-0AB3D17E2312}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4874BC7B-0681-49E4-A9B8-631B218F90D2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4FFED4E7-CF5A-467C-965C-0E425314E0CF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6A01347F-FD7B-4EDF-871D-5143F104BFE6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6A6B3763-2264-4710-B165-26DB0B35920C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6D2D2DDF-CFF7-47A0-B4E9-F9043DF6C2C4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81C8B625-F505-4E26-84F9-207AF4240B00}
Key Found : HKLM\SOFTWARE\Classes\Interface\{831C6B3A-02D4-4639-90E4-3D381CD5480C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0384459A-9D5E-4AE1-B154-8EAC39721C97}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0CE10DC6-DB5B-4255-BB4C-420C9B8D4F60}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23A73CDC-711C-4D7E-AECC-D9AECFA152AA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2D465563-7CA8-45EC-83F2-6F5C293762F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{377DB814-EBF3-464B-8688-AAE2798E1999}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3B0C32DB-699F-4B5E-BE81-1E78693D50D9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{40FE5A09-64EC-411D-B743-7EA5EC3CBD60}
Key Found : HKLM\SOFTWARE\Classes\Interface\{41CA38C7-E4D6-4DE4-A667-0AB3D17E2312}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4874BC7B-0681-49E4-A9B8-631B218F90D2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4FFED4E7-CF5A-467C-965C-0E425314E0CF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6A01347F-FD7B-4EDF-871D-5143F104BFE6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6A6B3763-2264-4710-B165-26DB0B35920C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6D2D2DDF-CFF7-47A0-B4E9-F9043DF6C2C4}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{AD34BE7D-2603-43DD-8D1F-E4431D42C44E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B82D18E0-1649-48DE-92D7-AA89BBB5F0AD}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D2EA97F6-6235-4B2D-B5AA-A4472B9CE557}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{0548C79F-7B8C-455D-B228-97D35371BB62}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A1E52AC-64F2-49E9-BFD7-0806D9494DBB}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{78DB07DF-483E-4829-AB44-ED7952083584}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{8A1AB044-787D-4309-8410-709768E484AB}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A2C55651-A23E-43CA-B63D-C10B99EFF7E0}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F6C2BABA-9E4C-425F-9AEC-24AB8F2B640D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{06A16622-19D9-47E8-9FEC-6CA8CF275BD7}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{0B41B972-09C0-4406-B15C-0310E138F2F1}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{20F60738-FCC6-4CF0-9526-A61F321BBF38}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{398035F8-0621-4534-AEF6-B5592A68F6D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{529B4045-715C-46E7-BC81-81E3AAEC9060}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{829E44ED-CB4F-4CCC-990F-428FBD0B128A}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A0676B02-1367-4651-88C0-28DCC456365F}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B7B60F9D-F1E4-4694-9A40-1538EA07A795}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{BCF02409-9333-44E7-96E8-01890EA9D58E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{CC748B11-E10D-4C87-9A24-93E429FDD1FD}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{FFED91AD-6369-48F5-B351-2A42D09CB27C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{a0154e07-2b48-475c-a82a-80efd84ea33e}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{b38fbaed-ded1-4ba6-ba2e-f2515fd49442}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e8106344-16d4-41d1-9a2a-0521a59199ea}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{a0154e07-2b48-475c-a82a-80efd84ea33e}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2FF49ED5-A3EF-410B-918E-97DECEB5996D}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2502086b-5a46-4d05-8d5b-a1e77ab8bb32}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{76f3207c-3a0a-461b-b958-5653c5718243}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A4503EC3-1111-4B62-8F46-0D88508F8A7B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{b38fbaed-ded1-4ba6-ba2e-f2515fd49442}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e8106344-16d4-41d1-9a2a-0521a59199ea}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{a0154e07-2b48-475c-a82a-80efd84ea33e}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{a0154e07-2b48-475c-a82a-80efd84ea33e}]
Key Found : HKCU\Software\Browser
Key Found : HKCU\Software\Yahoo\Companion
Key Found : HKCU\Software\Yahoo\YFriendsBar
Key Found : HKCU\Software\AppDataLow\Software\Yahoo\Companion
Key Found : HKLM\SOFTWARE\SpeedBrowser
Key Found : HKLM\SOFTWARE\Yahoo\Companion
Key Found : HKU\.DEFAULT\Software\Browser
Key Found : HKU\.DEFAULT\Software\Yahoo\Companion
Key Found : HKU\.DEFAULT\Software\AppDataLow\Software\Yahoo\Companion
Key Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Browser
Key Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Yahoo\Companion
Key Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Yahoo\YFriendsBar
Key Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\AppDataLow\Software\Yahoo\Companion
Key Found : HKU\S-1-5-18\Software\Browser
Key Found : HKU\S-1-5-18\Software\Yahoo\Companion
Key Found : HKU\S-1-5-18\Software\AppDataLow\Software\Yahoo\Companion
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\DF917BEA0BDE9E345B42099FC7E14699
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\DF917BEA0BDE9E345B42099FC7E14699
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DF917BEA0BDE9E345B42099FC7E14699
Key Found : [x64] HKLM\SOFTWARE\Classes\Installer\Products\DF917BEA0BDE9E345B42099FC7E14699
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{A3FDA73C-9456-44C2-BE5C-7BC3A80EBFB9}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{5CD22858-C6FB-49DB-B5DD-2483259AAA92}]
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E29DB3C0-EAA4-4DDC-803C-966D205E1A82}
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {E29DB3C0-EAA4-4DDC-803C-966D205E1A82}
Key Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Microsoft\Internet Explorer\SearchScopes\{E29DB3C0-EAA4-4DDC-803C-966D205E1A82}
Data Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {E29DB3C0-EAA4-4DDC-803C-966D205E1A82}
Value Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Browser Infrastructure Helper]
Key Found : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\sogr

***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [20971 bytes] - [11/06/2016 16:51:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [21045 bytes] ##########
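Since the point of posting a log like the one above is to work out what it actually says before anything is deleted, here is an added example (not from this thread, and not AdwCleaner's or Malwarebytes' own code) of reading an AdwCleaner log offline in Python. It parses the "***** [ Section ] *****" headers and the "Kind Found : target" lines, drops repeated entries, counts which hives are affected, pulls the host out of the hijacked Search.lnk shortcuts, and labels registry findings that sit in locations where something gets loaded at logon or by Internet Explorer (Run/StartupApproved, Browser Helper Objects, Toolbar, SearchScopes, firewall rules). The marker list and its labels are the example's own, not something AdwCleaner emits; the sample log is an excerpt of the one posted above with the forum's line-wrap spaces removed.

```python
"""Offline triage of an AdwCleaner scan log.

Added example, not part of the thread and not AdwCleaner's own code. It parses the
"***** [ Section ] *****" headers and "Kind Found : target" lines AdwCleaner writes,
drops repeats, and labels registry findings that sit in logon or Internet Explorer
persistence locations. The marker list and its labels are the example's own.
"""
import re
from collections import Counter, defaultdict

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
FINDING_RE = re.compile(r"^(?P<kind>[A-Z][A-Za-z]+ (?:Found|Infected)) : (?P<x64>\[x64\] )?(?P<target>.+)$")
SHORTCUT_URL_RE = re.compile(r"\( (?P<url>hxxps?://\S+) \)")  # AdwCleaner defangs http as hxxp

# Lower-cased registry path fragments; a more specific fragment precedes one it contains.
PERSISTENCE_MARKERS = (
    ("\\firewallpolicy\\firewallrules", "firewall rule"),
    ("\\startupapproved\\run", "autostart (StartupApproved)"),
    ("\\currentversion\\run", "autostart (Run key)"),
    ("\\browser helper objects\\", "IE Browser Helper Object"),
    ("\\internet explorer\\toolbar", "IE toolbar"),
    ("\\searchscopes", "IE search provider"),
    ("\\services\\", "Services hive entry"),
)

# Constructed sample input: an excerpt of the log posted above, with wrap spaces removed.
SAMPLE_LOG = r"""
# AdwCleaner v5.119 - Logfile created 11/06/2016 at 16:51:39

***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\TotalRecipeSearch_14
Folder Found : C:\Program Files (x86)\TotalRecipeSearch_14
Folder Found : C:\WINDOWS\Microsoft\sogr
Folder Found : C:\Users\Mark\AppData\Roaming\Search Protection

***** [ Shortcuts ] *****

Shortcut Infected : C:\Users\Mark\Desktop\Search.lnk ( hxxp://feed.helperbar.com/?publisher=YahooTR&fr=linkury-tb )

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\YTabBar.DLL
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{a0154e07-2b48-475c-a82a-80efd84ea33e}]
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {E29DB3C0-EAA4-4DDC-803C-966D205E1A82}
Value Found : HKU\S-1-5-21-715770824-369694339-256802149-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Browser Infrastructure Helper]
Key Found : [x64] HKLM\SOFTWARE\Classes\Installer\Products\DF917BEA0BDE9E345B42099FC7E14699
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{A3FDA73C-9456-44C2-BE5C-7BC3A80EBFB9}]
Key Found : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\sogr

*************************
"""


def parse_adwcleaner_log(text):
    """Return {section: [finding, ...]}; a finding has kind, target and x64 (registry view)."""
    # Exact repeats inside a section are dropped; the 32- and 64-bit views of the same
    # key are different entries, so x64 is part of the identity.
    findings = defaultdict(list)
    seen = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        hit = FINDING_RE.match(line)
        if hit is None or section is None:
            continue
        entry = {"kind": hit.group("kind"), "target": hit.group("target"),
                 "x64": hit.group("x64") is not None}
        identity = (section, entry["kind"], entry["target"].lower(), entry["x64"])
        if identity not in seen:
            seen.add(identity)
            findings[section].append(entry)
    return dict(findings)


def persistence_findings(findings):
    """(label, target) for registry findings in a known persistence location, in log order."""
    labelled = []
    for entry in findings.get("Registry", []):
        low = entry["target"].lower()
        for fragment, label in PERSISTENCE_MARKERS:
            if fragment in low:
                labelled.append((label, entry["target"]))
                break
    return labelled


def hive_counts(findings):
    """Registry findings per root hive: HKLM is machine-wide, HKCU/HKU are per user."""
    return Counter(e["target"].split("\\", 1)[0] for e in findings.get("Registry", []))


def shortcut_hosts(findings):
    """Hosts the hijacked shortcuts point at, taken from the defanged URL in parentheses."""
    hosts = set()
    for entry in findings.get("Shortcuts", []):
        match = SHORTCUT_URL_RE.search(entry["target"])
        if match:
            hosts.add(match.group("url").split("://", 1)[1].split("/", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    parsed = parse_adwcleaner_log(SAMPLE_LOG)
    print({section: len(entries) for section, entries in parsed.items()})
    print(dict(hive_counts(parsed)), shortcut_hosts(parsed))
    for label, target in persistence_findings(parsed):
        print(f"[{label}] {target}")
```

On the excerpt this reports three unique folders (the repeated TotalRecipeSearch_14 line collapses to one), one shortcut pointing at feed.helperbar.com, and six of the eight registry findings in persistence locations, with HKLM carrying most of them. Read a real log with `parse_adwcleaner_log(open(path, encoding="utf-8", errors="replace").read())`; the per-hive count is what tells you whether a cleanup only needs the one user profile or the whole machine.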
Old 06-11-2016, 11:27 AM   #6
porgorg (Junior Techie; Join Date: Jul 2008; Location: UK; Posts: 76)
Re: PC crash followed by phone call scam

These are the results from Hijackthis:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 17:04:40, on 11/06/2016
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.10586.0020)


Boot mode: Normal

Running processes:
C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
C:\Users\Mark\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Users\Mark\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = BT | Using the power of communication to make a better world
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Google
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Google
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos & Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com - Hotmail, Outlook, Skype, Bing, Latest News, Photos & Videos
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = Google
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Google
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: BT Toolbar - {aba8d0e6-0d4d-4cb8-836a-04d69824b108} - C:\Program Files (x86)\bttb\bttbX.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (file missing)
O3 - Toolbar: BT Toolbar - {aba8d0e6-0d4d-4cb8-836a-04d69824b108} - C:\Program Files (x86)\bttb\bttbX.dll
O3 - Toolbar: TotalRecipeSearch - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (file missing)
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKCU\..\Run: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe -tray
O4 - HKCU\..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
O4 - HKCU\..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [AppleIEDAV] C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
O4 - HKCU\..\Run: [iCloudDrive] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
O4 - HKCU\..\Run: [OneDrive] "C:\Users\Mark\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'NETWORK SERVICE')
O4 - Startup: Registration Tom Clancy's Rainbow Six
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dll
O23 - Service: McAfee Application Installer Cleanup (0071471465661046) (0071471465661046mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\007147~1.EXE
O23 - Service: AdaptiveSleepService - Unknown owner - C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\WINDOWS\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: McAfee Home Network (HomeNetSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\WINDOWS\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee AP Service (McAPExe) - McAfee, Inc. - C:\Program Files\McAfee\MSC\McAPExe.exe
O23 - Service: McAfee Boot Delay Start Service (McBootDelayStartSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee CSP Service (mccspsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Platform Services (mcpltsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Service Controller (mfemms) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: McAfee Module Core Service (ModuleCoreService) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Origin Client Service - Electronic Arts - C:\Program Files (x86)\Origin\OriginClientService.exe
O23 - Service: Intel Security PEF Service (PEFService) - Intel Security, Inc. - C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11430 bytes

Also discovered that he had no wireless password and his McAfee firewall was clashing with the Windows 10 one, so for now the Windows one is turned off.
porgorg is offline   Reply With Quote
Old 06-11-2016, 12:30 PM   #7 (permalink)
Private Joker
 
carnageX's Avatar
 
Join Date: Feb 2007
Location: South Dakota
Posts: 23,915
Default Re: PC crash followed by phone call scam

Remove the following entries from HJT:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (file missing)
O3 - Toolbar: TotalRecipeSearch - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (file missing)

Otherwise, looks good. Looks like the scans definitely removed a lot of stuff... Did you run the anti-rootkit software suggested as well?

Quote:
Also discovered that he had no wireless password and his McAfee firewall was clashing with the Windows 10 one, so for now the Windows one is turned off.
Definitely put a wifi password on; that'll protect more than just malware...that'll protect from anybody that decides to connect to their wireless and use Wireshark and sniff their packets/intercept unencrypted data.

As for McAfee...I highly suggest ditching it and moving to something like Avast or Avira (both are free).
__________________
Laptop: MSI GT70 2OC-059us | i7-4700MQ | 16GB | GTX 770m | 500GB SSD / 750GB HDD | 17.3" | Win10 Pro
Desktop: 4690k | 12GB g.Skill RipJaws | GTX 970 | 520hx | Z87X-UD4H | Corsair Vengeance C70 | Corsair H110 | Acer 25" | Acer 22" | Win10
Mobile: Samsung Galaxy Note 5
carnageX is online now   Reply With Quote
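A small triage helper for HJT logs like the one posted above, added here as an example and not a tool from anyone in the thread. It assumes the usual caveat that a 32-bit HijackThis on 64-bit Windows reports "(file missing)" for native system32 binaries because of WoW64 file-system redirection, so those O23 hits are set aside for review rather than queued for removal; the sample lines are constructed from the entries discussed in the thread.

```python
"""Triage a HijackThis (HJT) log for orphaned entries.

Added example, not from the thread's participants. Sample lines are
constructed from the entries discussed above. Assumption: a 32-bit HJT on
64-bit Windows shows '(file missing)' for native system32 binaries because
of WoW64 redirection, so those O23 hits are probable false positives.
"""
import re

# 'O2 - BHO: <name> - {CLSID} - <path/status>' style lines; the tail is free text.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\\Program Files (x86)\\Yahoo!\\Companion\\Installs\\cpn\\YTSingleInstance.dll (file missing)
O3 - Toolbar: TotalRecipeSearch - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\\Program Files (x86)\\TotalRecipeSearch_14\\bar\\1.bin\\14bar.dll (file missing)
O23 - Service: @%systemroot%\\system32\\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\\WINDOWS\\System32\\spoolsv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""


def triage(log_text):
    """Return (remove, review): orphaned O2/O3 entries to fix in HJT, and
    'file missing' entries that need a human look (likely WoW64 artefacts)."""
    remove, review = [], []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, 'End of file' footer
        section, _kind, rest = m.groups()
        if not rest.endswith(ORPHAN_MARKERS):
            continue  # target exists on disk; nothing to clean here
        path = rest.rsplit(" - ", 1)[-1].lower()
        if section == "O23" and path.startswith(SYSTEM_DIRS):
            review.append(line)  # system service under redirected dir: probable false positive
        elif section in ("O2", "O3"):
            remove.append(line)  # dead BHO / toolbar registration, safe to fix
        else:
            review.append(line)
    return remove, review


if __name__ == "__main__":
    to_remove, to_review = triage(SAMPLE_LOG)
    print("Fix in HJT:\n  " + "\n  ".join(to_remove))
    print("Review manually:\n  " + "\n  ".join(to_review))
```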
Old 06-11-2016, 01:03 PM   #8 (permalink)
Junior Techie
 
porgorg's Avatar
 
Join Date: Jul 2008
Location: UK
Posts: 76
Default Re: PC crash followed by phone call scam

Great, thanks for that. I'll delete them once I get to his machine again.

I forgot to run the Rootkit scan, will have to remember to do that as well.

I think he's paid for McAfee, or the prebuild PC came with a subscription so unsure if he'll be willing to change as yet. I've used Avast in the past, the only thing that gets me about it are the popups 'Do you know who's spying on you?' and so on.

He was running Trusteer Rapport which is supposed to be an extra layer of security. I uninstalled it as I know people who have had trouble with it slowing their computers, is it worth reinstalling though seeing as the scammers got into his account regardless?
porgorg is offline   Reply With Quote
Old 06-11-2016, 01:15 PM   #9 (permalink)
Junior Techie
 
porgorg's Avatar
 
Join Date: Jul 2008
Location: UK
Posts: 76
Default Re: PC crash followed by phone call scam

Quote:
Originally Posted by MidnightShadow View Post
I have not seen one single instance of this where the person on the phone legitimately knows that the computer has an issue or has crashed. I'm going to presume that this was simply a coincidence.
Speaking to him, I think what actually happened is that the scammers called him up while viewing his PC (maybe due to having a disabled firewall) and said they would fix the McAfee disabling firewall. They convinced him to install TeamViewer, installed infections on his PC (the 1475 MBAM found), which persuaded him to install other software (maybe disabling McAfee and Rapport) to combat the infections. They said they would reimburse him (that weird part about overpayment); he logs into his account, the screen goes black and they empty his account.
__________________

porgorg is offline   Reply With Quote