Need a second opinion from the pros

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

Hey gang. My secretary came to me and told me the following about her laptop at home, which is a 30 day old HP or whatever that she bought at Best Buy.

1. She's sitting there (on the net) and gets a pop-up that her Webroot subscription has expired.

2. She clicks on the pop-up which takes her to a site where she pays $39.95 for a new subscription, downloads the program.

3. The program won't install so she eventually ends up back on the Webroot site and asks for help on the chat function.

4. What happens next is a little unclear, but I think they had her uninstall the existing Webroot program and then install the new one. At some point, it appears she entered into a remote session with someone "with a foreign accent" who ran some kind of "scan" on her computer and then told her that she had "x" number of problems, that she could be held liable for problems her computer caused, and that they could fix it for a mere $399. She figured something was up and was stalling the guy, and at some point an image of a cartoon dog eating stuff appeared on her screen. She said at that point her computer became completely non-responsive and she shut it off with the power button.

5. She then packed the whole thing up and took it to the Geek Squad at BB for advice; basically they fired it up and said it looked ok (sigh).

6. My take is that she ended up in a remote session with a scammer and should assume that she is rootkitted up the wazoo and that all the information on her computer is compromised. She has cancelled her credit card and I told her to change the passwords on all her online accounts asap. She is not sure whether she got any Windows disks with the computer.

7. Can't see that anything less than a full reinstall after a complete wipe makes any sense.

Thanks!
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

I wouldn't necessarily wipe it yet, unless she's one of those basic users that only does web & email, and a factory install is no big deal for her, in which case it's a no brainer to play safe.

Actually, believe it or not, this type of scam is USUALLY not malicious. They actually are just out to scare you into spending money on the remote PC cleanup. Usually it's around $150 which most people wouldn't find totally objectionable. These guys usually pretend to work for Microsoft.

In a great majority of these cases, they actually run a quick free malware scan and CCleaner, and pretend to tweak a few things.

Some of these companies even operate somewhat legitimately (you see them advertise on TV late at night like FINALLYFAST.COM and others).

The reason they don't get into anything malicious is many of them are run out of the US and they don't want to bring attention from law enforcement. It becomes more of a business regulation issue - same as a water filter company doing a fake test on your water to scare you into buying a filter.

I would definitely run the following scans on the PC - preferably from "Safe Mode with Networking" to make sure there isn't something malicious lurking in there (free versions are all you need):

TDSSKiller: http://support.kaspersky.com/faq/?qid=208283363

Trojan Remover: http://majorgeeks.com/Trojan_Remover_d903.html

Fitsec Bank Trojan Detector Tool: http://www.fitsec.com/blog/index.php/20 ... tion-tool/

Malwarebytes AntiMalware (full scan if possible, but it'll take a while, quick scan is adequate): http://majorgeeks.com/download.php?det=5756

Hitman Pro: http://www.surfright.nl/en/hitmanpro

If anything finds something, run it again afterward to make sure it's gone. If that comes up clean I think she's fine, and yes I'd change all passwords and cancel credit cards. Also check Add/Remove Programs to make sure they didn't leave a remote access program installed (VNC, TeamViewer, etc). It would also be running in the task bar if it was left on.

You don't need the factory discs if you DO want to do a factory restore. All PCs for the last 10 years or so - assuming that's her factory hard drive - have a hidden recovery partition. Boot the PC and while the manufacturer's logo is up, press the secret key combination that brings up the Recovery Menu (backup all data first!). If one of these doesn't work, you can also Google "HP FACTORY RECOVERY KEYBOARD SHORTCUT".


FACTORY RECOVERY KEYBOARD SHORTCUTS:

ACER:
1. Power on the machine
2. At the white ACER BIOS screen, hold the “Alt” key and press the “F10” key simultaneously to start Acer eRecovery
3. Once eRecovery has loaded, click “Restore to Factory Default Settings”
4. Click “OK” to continue
5. From here, the eRecovery process will update all the data on the C: drive and restore a fully functional factory image (approximately 10 minutes).
6. Once eRecovery has run, press “OK” to reboot unit

NOTE: If you get asked for an Acer Empowering Technology password then the client set up a password. To recover it, use an Ubuntu live disc and boot from that. Browse the hidden partition and look under all the .dat files. One of them has the password in it.

------------------------

DELL:

- When the Dell screen appears, press and hold the CTRL key on the keyboard, press the F11 key, then release them both at the same time. The Dell PC Restore by Symantec window appears.

- Click the Restore button or press the TAB key to highlight Restore and press the ENTER key. A caution message appears advising that all data will be lost.

- Click the Confirm button or press the TAB key to highlight Confirm and press the ENTER key. The Progress window appears. Once the process is begun, Dell PC Restore usually takes only 8 to 10 minutes to complete. When the restore is complete, the message "The system recovery process was successful" appears.

- Click the Finish button or press the TAB key to highlight Finish and press the ENTER key. The computer will restart.

-------------------------------

HP:

During the POST screen repeatedly press F11.

------------------------------------------

TOSHIBA:

Press the zero (0) key and power on. This should start the Toshiba Recovery process.
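An added example (not from the thread or from either poster) of the "check Add/Remove Programs and the task bar for a leftover remote access program" step: it lists installed programs, running processes, services and logon Run entries whose names match common remote-control tools. The thread names only VNC and TeamViewer; the other product names in the list are assumed additions. Run it in an elevated PowerShell on the affected PC.

```powershell
# Added example: look for remote-access tools left behind after a "support" session.
# Only VNC and TeamViewer come from the thread; the rest of the list is assumed.
$RemoteToolNames = @('TeamViewer', 'VNC', 'AnyDesk', 'LogMeIn', 'Ammyy',
                     'GoToAssist', 'Supremo', 'ScreenConnect', 'ConnectWise', 'Splashtop')
# Build one case-insensitive pattern (PowerShell -match is case-insensitive by default)
$pattern = ($RemoteToolNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed programs: the same data Add/Remove Programs shows, from the Uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== Installed programs matching remote-access tool names =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString |
    Format-Table -AutoSize

# 2. Running processes: what would show up in the task bar / tray if the tool was left on
Write-Host "== Running processes matching remote-access tool names =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# 3. Services: most of these tools install a service so they survive a reboot
Write-Host "== Services matching remote-access tool names =="
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

# 4. Logon Run keys: anything here starts again every time the user logs in
Write-Host "== Logon Run entries matching remote-access tool names =="
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Skip the PS* metadata properties that Get-ItemProperty adds to every result
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ("$($_.Value)" -match $pattern) } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } } |
        Format-Table -AutoSize
}
```

Empty tables mean nothing matched the name list; a match in the service or Run key section is the one to act on first, since it will come back after a reboot.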

Post by wvjohn »

Thx!

Post by wvjohn »

I looked over the web activity and it looked like some of the history from firebird was missing... there is an easy factory restore option which I showed her and she will do tonight.

here's the doggie..hurr durr

http://blog.quiqinq.com/2010/12/hurr-du ... ycool.html