VICTIM OF A SCAM; HELP IN GETTING MY COMPUTER BACK UP?

Ratty524
So because I'm a numpty, I fell victim to a long-running scam and my main computer is compromised.

I already took the first steps to recovering from this mess. I put a lock on my bank account and I'm going to be issued a replacement debit card, and the transaction I made with these crooks didn't go through yet. I also turned off and unplugged my computer so that they can't fuck things up any further than what they've probably already done.

My main question is what to do next? All of my project files are on that computer and I don't want to lose them. My mom seems pretty insistent on going through a professional technician to get this fixed, but is there a way I can do this on my own? How could I create a system image backup... without turning on my computer? That's a step I researched that I don't really understand.

Anyone who is tech-savvy, can you help? My OS is Windows 7.
I always wondered who the people that were gullible enough to fall for this kind of stuff were. Now I know.
Can you get a copy of Ubuntu onto a DVD and boot from the DVD? Linux will be able to read your Windows drive and you should be able to recover your important files. Then you can do a complete rebuild of Windows.

That's probably what I would do. I am no tech expert though.

The other thing you can try is ComboFix.
Boot off of external media (like a boot CD or USB drive). I used to use Ultimate Boot CD for Windows but that was a long time ago when I still did tech support so I don't remember how to use it to access your hard drive.

Once a computer has been compromised you can't guarantee that it'll ever be safe without a flatten and reinstall.

Also make sure you change all of your passwords too. I recommend using something like a password manager like KeePass to generate and keep track of them all, and all you have to remember / write down (on paper, not your computer) is the master password.
Ratty524
GreatRedSpirit wrote:
Boot off of external media (like a boot CD or USB drive). I used to use Ultimate Boot CD for Windows but that was a long time ago when I still did tech support so I don't remember how to use it to access your hard drive.

Once a computer has been compromised you can't guarantee that it'll ever be safe without a flatten and reinstall.

Also make sure you change all of your passwords too. I recommend using something like a password manager like KeePass to generate and keep track of them all, and all you have to remember / write down (on paper, not your computer) is the master password.

Yeah, I've been making an effort to change my passwords for important stuff like my bank account and stuff that has stored credit information.

I'm curious about booting from external media. I'll have to do some research on how exactly to do that since I'm kind of a novice with computers (as is evident from the fact that I was stupid enough to fall for this scam to begin with -_-)
Um, it should be safe to boot without the internet turned on. So unplug any modem, turn off any router and the like - any connection to the internet at all. Then do what you want with what is on your computer.
Putting any writable media into an infected machine is a risk, as any virus can simply infect it to spread itself, such as through autorun operations on a clean machine. One of the most common attack vectors of industrial espionage is through infected USB drives that attack computers once they are plugged in. IIRC the Department of Defense in the US had to seal unused USB ports in their machines to prevent users from unwittingly infecting their machines this way.

The safest way while remaining disconnected is probably using CD/DVDs as a medium as they have a special process to write to them. Viruses may not make use of it.
I work for a service called TechXpert xD and I deal with this kind of thing pretty much daily.

While it's possible that disconnecting the network would prevent any outside influence from kicking in, there are plenty of infections that don't need an internet connection to cause mayhem. I would have suggested that you not turn off your computer at all when you first got infected. I've seen a few where things were fine and when I tried to boot into safe mode to run scans, the login screen was replaced with a different one that you can't log into. It's a risk but if you can still log in and use the computer, then you are mostly safe. The bad things would have happened already and if it was going to encrypt your files or make the computer unusable you'd know by now.

Rather than deal with trying to boot from an external source on your computer, buy a USB-SATA cable so you can take the hard drive out and plug it into another computer to get the files. It's not too expensive, it's a good thing to have, and is much less of a headache than trying to boot off something else.

Unless you don't want to open up your computer. Although it's not that difficult. Most laptops have an easy access panel on the bottom. If you don't want to do that then I don't know anything about booting off something else. We don't support that kind of thing.

As for cleaning the computer it really depends on what they had time to do. Can you describe exactly what happened? Did they remote in and take control of your computer? How long were they in there? What did they seem to open? They sometimes don't have time to do anything or they may have pushed a bunch of stuff in the background without you even seeing it. It varies.

First look at your installed programs sorted by date. If they installed anything recently, uninstall it using Revo Uninstaller. Choose the advanced option, deleting all registry entries and leftover files. It's also good to look at all your installed programs. If there is anything you don't recognize, go to shouldiremoveit.com and search for it. You'll get an idea if it may be harmful.

Then check the Task Scheduler. Win+R, taskschd.msc, click Task Scheduler Library on the left side, click the Actions tab along the bottom, then click each task at the top to see what file is being run. If it looks suspicious delete it. Most of what is here is updates from programs like Google and Skype. There isn't much that needs to be here so don't worry about deleting stuff. Mine only has 2 Google entries and Sleep timer I created myself. You want to check this first because if you remove a threat it could simply install itself again from here.

Check your startup items.

Check your browsers for proxies, add-ons/extensions and bad search engines. Reset all browsers.

Download a few programs. You can get most of them from bleepingcomputer.com. You'll want TDSSKiller, RogueKiller, Junkware Removal Tool (JRT), HitmanPro, AdwCleaner and Malwarebytes from their site. All free, some are trials so you will only be able to run them once.

Reboot to safe mode and run all the tools. I do them in this order: TDSS, Malwarebytes, Roguekiller, Hitmanpro, JRT, ADWcleaner.

That is usually enough to clean out most infections. If your browser seems to keep redirecting and have ads/pop ups, you'll need to uninstall with Revo and look for any leftover folders to delete them. Then reinstall.

By the way, we charge $129.99 for this kind of work if you don't have the TechXpert sub on your account, so you can pay me any way you'd like :)
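The three places Link_2112 says to inspect (programs installed recently, what each scheduled task actually runs, and startup entries) can be listed in one pass before anything is uninstalled. This is an added example, not a script from the thread or from TechXpert; it assumes Windows 7 with its stock PowerShell 2.0, an elevated prompt, English schtasks output, and the machine kept offline. It only reads and prints; it removes nothing.

```powershell
# Added triage listing (assumption: Windows 7, PowerShell 2.0, run elevated, offline).
# Shows installed programs newer than $Since, every scheduled task's command, and Run-key
# startup entries, so the items Link_2112 describes can be reviewed side by side.
param([datetime]$Since = (Get-Date).AddDays(-14))

# 1. Installed programs, read from the Uninstall registry keys (32-bit and 64-bit views).
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== Programs installed since $($Since.ToShortDateString()) =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -and $_.InstallDate } |
  ForEach-Object {
    # InstallDate is stored as yyyyMMdd text; skip entries that do not parse
    try { $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) } catch { return }
    if ($d -ge $Since) {
      New-Object PSObject -Property @{
        Installed = $d.ToShortDateString(); Name = $_.DisplayName; Publisher = $_.Publisher
      }
    }
  } | Sort-Object Installed | Format-Table Installed, Name, Publisher -AutoSize

# 2. Scheduled tasks and the command each one runs (schtasks exists on Windows 7;
#    the verbose CSV repeats its header per task folder, so header rows are filtered out).
Write-Host "== Scheduled tasks and their actions =="
schtasks /query /fo CSV /v | ConvertFrom-Csv |
  Where-Object { $_.'Task To Run' -and $_.'Task To Run' -ne 'Task To Run' } |
  Select-Object TaskName, 'Task To Run', Author | Format-Table -AutoSize

# 3. Startup entries in the Run keys for the machine and for the current user.
Write-Host "== Run-key startup entries =="
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  if (Test-Path $k) {
    $p = Get-ItemProperty -Path $k
    # Skip the PS* metadata properties that Get-ItemProperty adds to every result
    $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
      ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value }
  }
}
```

Anything in the output whose path points at a recently created folder, a temp directory or a user profile rather than a known program's install directory is the item to look up on shouldiremoveit.com before removing it with the tools named above.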
Corfaisus
Oh thank God. I've been having this problem every night around midnight where my computer would just magically bump 7 or so items onto my drive that would cause stupid ads and stuff to take over Firefox. I thought it was just some sort of Windows bullshit (you're not using a "genuine" (it totally is, I installed it off a Win7 boot CD) copy of Windows 7, so we're going to chuck crap at you until you fix it), but now I think I've got this figured out.

Hopefully it's the same for this stupid search.protectedio thing that latches onto Firefox. Pretty sure I got that from my last spat with BitTorrent. I really should blame myself...

SnowOwl wrote:
I always wondered who the people that were gullible enough to fall for this kind of stuff were. Now I know.

... instead of having others do it for me.
LockeZ
Ratty, it's usually fine to run the computer with no internet access - as Link_2112 said, some viruses can still cause mayhem, but the worst thing they can do is keep you from using your computer, which isn't nearly as bad as giving a hacker access to it. But the problem is that your computer probably connects to the internet automatically as soon as it starts up, before you even enter your password to log in.

To change this, start the computer in safe mode first by pressing the F8 key over and over really fast as the computer is starting up. The timing of when to press it is hard to explain so just mashing it is the simplest way. Eventually a menu will appear and the first two options will be to start in Safe Mode or Safe Mode With Networking. Either one is fine since your computer is invincible in safe mode. However, if you want to turn off the internet so that it doesn't come on automatically when you start your computer up in normal mode, then choose Safe Mode With Networking. Once you're in Safe Mode With Networking you can simply click on your wifi connection in the lower right corner and make it forget your home wifi network.

To fix your computer, the absolute best first thing to do is a System Restore. When you start the computer up in safe mode, the very first thing it asks is if you want to do a System Restore. Say yes. Restore your computer to about a week before it was compromised.

It's possible that you won't be able to do a System Restore. A wide variety of things can make it fail. However, if it works, it's the same as doing the entire last two thirds of Link_2112's post automatically, instead of having to manually check each possible infection point.

System Restore will not necessarily remove 100% of problems! It will reverse any changes they made and any programs they installed, but it won't delete the files that installed those programs. You should still run virus scans afterwards also.

If you do a system restore and then run virus scans, I would call your computer fixed.

Also, change your Email and Facebook passwords immediately, if you didn't already, as well as the password for your bank's website and for Paypal, and anything else sensitive.
Yeah, system restore first is a good idea. We don't normally do that first so I didn't think of that. Since you know when it happened you can pick a good restore point.

But I would disagree that a computer is invincible in safe mode. It's safer but not immune to problems. Just a lot less likely for them to be loaded into memory on start up.
I forgot to mention that you should also look into checking your Master Boot Record (MBR). A flatten doesn't mean shit if that's infected, since the MBR isn't part of any partition and a format won't touch it. Check this page for some directions on how to do so using external media, including Windows install CDs. It's a bit out of date and there's no reference for Windows 10 unfortunately, which'd be nice given the mass digital push Microsoft is giving it.

Make sure to clean it using external media. You can't trust an infected machine to clean its own MBR; it infected it once and there's nothing stopping it from doing so again after rebuilding the MBR as long as it's in memory.

It's somebody who's putting actual time/effort/money into calling people to get them to install invasive software so I'd assume it's a bit more dangerous than a random email with hot_anime_titties.wmv.exe attached and it has infected the MBR.
Solitayre
I think I just got a call from these guys too, they really get around. They were really skittish though, they hung up as soon as I started asking questions.

Hope you get everything sorted out, Ratty! If you think financial information might have been compromised, you might want to contact your financial institutions and tell them to keep an eye out for any suspicious transactions. Edit: Whoops, looks like you did that already.
Ratty524
For further info, yes, I did let these guys have remote access to my computer and they installed programs that seem to be based off reputable antivirus software.

I'll have to take a look at these posts in depth soon. I spent a while trying to figure everything out.
I think it's a little...hasty to assume his PC has been infected with the worst possible thing out there. Thing is, what these guys get out of their time/effort/money is insane amounts of money from old people who give them upwards of $300 for basically doing nothing. Some of them simply do an ipconfig and say "see, your IP address has been compromised and we need to clean your computer".

I would suggest that the emails are the most dangerous thing of all. In most of the stories you read about new malware attacks it says that email is the most common way it gets on your system. That is what all the smart hackers do to distribute the dangerous stuff. These guys on the phone are low level goons who can't handle basic probing questions. By calling, people think they are more legit and are more likely to give them money.
Ratty524
Your top paragraph describes what happened. They ran ipconfig and did a bunch of scans through the command prompt and pointed to some extra IPs and Koobface as the problem, then they installed their junk.
$300 is nothing compared to what can be reaped from identity theft. It's like the Nigerian Prince scam, even if you send them one payment they just don't disappear but spew more excuses to try and keep the gravy train flowing. The system has been compromised and rebuilding the MBR, flatten, and reinstall is more thorough cleaning than a bunch of tools (although neither is a guarantee). It's like contacting your bank and canceling your cards: I wouldn't trust hacker's incompetence or fear of persecution to protect my identity.
Dude, that's horrible... You shouldn't trust people to install stuff on your computer, just do it yourself.. just disconnect from the internet and you will be fine... back up your stuff just in case and do scan your PC for any junk or viruses.

This is why I don't buy software!!
Solitayre
Yeah, the guy who called me didn't sound like some kind of mastermind, he was pretty clearly reading from a script. I kind of doubt they got access to anything but it's definitely worth taking extra precautions.
Ratty524
I took a combination of both Link_2112's and LockeZ's advice. I did a system restore, and afterwards downloaded the programs Link mentioned and cleaned my computer.

I haven't run my computer extensively since then, but it looks like everything is fine. I still have to do some extra damage control just to be safe, though. (I'm typing this through my iPhone fyi).