5 Replies Latest reply on Feb 25, 2017 1:21 AM by turningblue

    MVT running 1 hour; HP fake support scammers calling

    turningblue

      HP Fake support has been calling again insisting they see a problem with my computer and need to log in. I fell for it about a year ago. Long story short -- the real HP saw them using Log Me In.  Couldn't find source. Scammers took over my computer with HP tech watching.  Ended up wiping disk.  Worrying now that I opened a file that released them back in. 

       

      Last night set firewall to Stealth and installed Malwareantibytes.  This morning on boot a McAfee warning popped up file trying to access the internet. I didn't write full folder name but it was lower to C:\ souce . The part I did not is it is \temp\curl.exe.   Spent hour or two with popup on hold for me to decide to block it.

       

      Downloaded and running MVT said Real Time Scan not active. I don't remember turning that off last night.  MVT said it would fix and window would close.  Its been 1.5 hours with Virus Scan 19.0.3060 and notice problem fixed but it won't close.

       

      What next?

        • 1. Re: MVT running 1 hour; HP fake support scammers calling
          catdaddy

          Please see the following;curl.exe | ThreatExpert statistics  I recommend that you run the McAfee Getsusp Tool , Enter your email address under the (Preferences) in the UI before scanning.  Also you can submit the file to (VirusTotal.com) directly from Getsusp.

           

          These Superb Tools can be obtained HERE;Anti-Spyware/Malware & Hijacker Tools

           

          I would also run Malwarebytes (Free) in Safe Mode with Networking. Follow up with Malwarebytes AdwCleaner.

           

          Please let us know your results,in case you need further assistance.

           

          Regards

          CD

          1 of 1 people found this helpful
          • 2. Re: MVT running 1 hour; HP fake support scammers calling
            turningblue

            Pardon the delay. I discovered another layer to this almost daily. 

            catdaddy - himHow do I attach logs mentioned below?

             

            From the beginning -

            January 2015 Issue begins with online search HP support.  Completed form with name, email address and phone number.  I knew something was up when a "HP support" person called back a few minutes later.  That in itself was a warning; a phone call from a support rep ? Within a few minutes???  but I went through with it and gave him remote access to my computer..  He clicked around and showed me I was told I was infected by thousands of viruses when it was actually it was a list of standard Windows services or dll's.  Cost me $100 for them to "fix".

             

            For months they called me insisting they were seeing activity on my computer and needed to my computer to for urgent repair.  Couple of times they said they were with Microsoft. I totally harangued them and  one day cussed got out.  When I sat down at my computer a while later it went berserk.  The mouse flying all over the place, opening programs and closing programs faster than I could get control of it.  Using touchscreen I tried to turn off any Internet access and it turned it back on faster than I could click it off.  I unplug the router and watched the frantic clicking go on for several more minutes.

             

            I called the real Hewlett-Packard support and talk to a low level tech who logged in and a few minutes into his analysis he was reviewing the test manager and realized there was another LogMeIn session going.  Someone else was in my computer also using LogMeIn.  HP support guide upgraded issue.  After reviews and scans we basic a reset setting this computer back to factory set up.  The issues continued and the calls  from fake HP support kept coming.  I don't recall the specific issue that let me know the intrusion continued.  Ended up formatting  the disc completely and reinstalling HP/Windows 10.  Once the fake HP guys found out what had happened they slacked off the calls.

             

            Sometime in summer of 2017 the Fake HP began calling again.  Although I sometimes b.s.'d and tease them, then hung up.  Never got back online with them. 

             

            February 15 I had yet another in a months long series of call telling me they had alerts that I had major infections and needed important, Windows updates and their antivirus scan.  I told him several times I'd not been at my computer in days.  The truth is I had been off-line for two days, but the day before his call I had gone on online again.  As I told him this several times there were long pauses before he replied.  This bothered me and I began this research outlined below.

             

             

            Based on information from newsgroups:

            ⦁ 2/16/2017 found suspicious file at c:\Windows\temp\datacollector\curl.exe.  Possible keylogger.  Don't remember what brought me to that: One was;

            https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning /keylogger-detected-on-windows-10/ae439da2-34f0-4561-9b1d-9c2019369e7c action

            ⦁ I ran full scans from McAfee (paid version) then Malwarebytes and neither came up with an issue

            ⦁ contacted McAfee Community.  After I contacted you I found McAfee stealth mode but I'm not sure if timeline is that.

            ⦁ Ran Getsup and think curl continued. Think I over wrote the log file

            ⦁ Ran Hijackthis

            ⦁ Firewall in Stealth and blocked curl.exe. .  It continued constant attempts

            ⦁ Hours later noticed in log YouCam attempting access to the Internet , usually within microseconds of curl (both have been tracking me)

            ⦁ Began operating mostly in Airplane Mode or completely turned off. Was using an XP for Internet.

             

            ⦁ Early morning February 23, 2017 am, (I think), switch to HP safe mode (a pain in the *** to get to an out of)

            ⦁ Several hours later noticed YouCam.  Blocked Youcam then uninstalled two versions of it using Windows 10 uninstall.  Incoming attempts about the same timing as curl.exe and YouCam

            ⦁ Noticed and Incoming Connection Blocked IP address 2620:0:863:ed1a::2:b and variations had been blocked by McAfee. Last attempt 2/22/2017 12:37 a.m.

            ⦁ A small pop up stated Malwarebytes needed access to Internet.  I hesitated, then clicked Yes and switch Airplane Mode off then immediately thought since there was no mail Malwarebytes logo it must be an imposter and hit Airplane Mode.  It probably had access 2 or 3 seconds.  Maybe this may be what putting into hibernation

            ⦁ 2/23/2017 pm Ran RootRemoverL HijackThis - reviewed logs can't find curl.exe and search C:\ and both folder and file are gone - \datacollector\curl.exe 

            ⦁ tonight found

             

            looks like malware & spyware  logs I don't see reference to an issue.  Blocked Incoming and outgoing issues disappeared.

             

            Tonight I found  "C:\Program Files (x86)\LogMeIn Rescue RC - b50002fd-dcfb-462b-ac50-e013276d1080\LMIRhook.002.dll"

            Not sure if that was fake HP or real HP

             

             

            This whole situation began with a call to what was probably a paid GoogleAd advertisement for HP support. I can't figure out where it's now coming from now.  Possibly from backup file restored after the original event.   Or maybe something they have access to from key logging?

             

            Thanks

            • 3. Re: MVT running 1 hour; HP fake support scammers calling
              turningblue

              One more observation in McAfee logs:

               

              2/22/2017 12:36:57 AM the Last incoming attempt by 2620:0:863:ed1a:2:b

              2/22/2017 12:37:13 AM Last cURL.exe outgoing attempt

               

              In the 10 minutes before the final attempts there were about a dozen curl.exe attempts going out and several dozen of the variations on address 2620:

               

              Most interesting are several listings for:

              Outgoing Network Connections Blocked (Program name: Program No Longer Exists)

              Program Location:  c:\\windows\temp\datacollector\curl.exe

               

              Why would there be attempts to connect to the Internet from a "program that no longer exists" at location that I had identified for curl.exe days before? Why would "program that no longer exists" cease in minutes before curl.exe and seconds later all incoming variations on ips 2600 cease?

               

              Something must still be in my system controlling inside and outside.

              • 4. Re: MVT running 1 hour; HP fake support scammers calling
                catdaddy

                Take a look at these Superb Free Programs/Tools. Run Malwarebytes Anti-Malware (Free) and McAfee Stinger (Read how to use). These can be obtained from Here;Anti-Spyware/Malware & Hijacker Tools

                 

                I would run the McAfee Getsusp Tool as well, as it will detect any suspicious/unknown files/programs on your system. Simply enter your email address under *Preferences* in the Getsusp UI before scanning. Also I would avoid any and all Fake Support phone calls.

                 

                Kindly inform us of your results...

                 

                All the best

                CD

                • 5. Re: MVT running 1 hour; HP fake support scammers calling
                  turningblue

                  Followed all of your recommendations first time around..  Thought it was all gone. Mcafee and Malwarebytes ran this afternoon and was running Hijackthis again tonight for confirmed cleanup.

                   

                  Been in Mcafee stealth mode for 2 days. Visually confirmed C:\windows\temp\datacollector\curl.exe folder and file were gone -

                   

                  For several days I've been running scans with Mcafee, Malwarebytes, AdwCleaner, GetSusp and HijackThis. The datacollector \ curl folder and file disappeared early on. Didn't review all logs so didn't know which one found it.

                   

                  30 mins ago ran GetSusp.  This is noted in the log :

                   

                  <comment value="curl.exe was attempting to access internet from a temp folder" />

                   

                  <scan-end-time value="Sat Feb 25 00:46:32 2017" />

                    <Scan-Summary>

                    <Identified-Files value="659" />

                    <Digitally-Signed value="609" />

                    <Artemis value="39" />

                    <Known-Files-Database value="0" />

                    <Suspicious-Files value="1" />

                    <Not-Scanned value="10" />

                    </Scan-Summary>

                   

                  Will now work focused on Artemis. Its deep in my system.