Solved: I had a red alert on my screen showing an 800 no. to call.

Dell Inspiron desktop - 4gb memory - 500...
September 9, 2018 at 01:24:54
Specs: Windows 10, 6.0 GB
This time my screen was frozen, so I called the advertised 800 No. The woman on the phone said I was hacked and she would help me! Then she started showing me on my screen the area where the notice said that I was hacked, both local and foreign. At this time, she took control of my computer with a Rescue Me App. Then, she "sold" me two apps to prevent my network from being hacked again - Microsoft modifier app ($100) and Super SpyMaster App ($99) which she said she would load into my system for me. She also said a tech would call me and would scan my entire network to prevent getting hacked again, both locally and foreign.

I think my Microsoft account is compromised because I gave the tech my username and Password so he could navigate in my account to correct my infection.

Question: What do I do to stop this tech from getting into my Microsoft account, since I gave him my User Name and Password?
What else should I do to prevent this tech from ever going into my computer system?
At this point, do I have to do any preventive measures to prevent hacking?
Do I have to remit the $199 charge for the SAS app and Microsoft Modifier, and for the supposed labor they did to scan my computer's network?
Can they do damage to my system if I do not pay, so they can get even?




✔ Best Answer
September 15, 2018 at 16:10:48
Copy & Paste only the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
AlternateDataStreams: C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg: 3or4kl4x13tuuug3Byamue2s4b [97]
CHR StartupUrls: Default -> "hxxp://www.google.com/","","hxxp://google/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://us.yardood.com/?tn=sdks_inner_hp_01_yardood_us&guid=95c817cc47e31f743f66c2ec313dbcad"

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

message edited by Johnw



#1
September 9, 2018 at 04:08:04
Never respond to any such message; and never provide personal data of any kind.

Hopefully Johnw (amongst others of similar knowledge) will come across this thread and help resolve the situation

You have been scammed and possibly worse.

Do not pay anything.

message edited by trvlr



#2
September 9, 2018 at 06:08:08
Hi folks, just about to go to bed.

You should be Ok with this Ray, similar to what we did 3 yrs ago.

Here are the first 2 steps, more steps will be needed, after I see the results of these logs.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
https://toolslib.net/downloads/view...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan
In the results tabs, uncheck anything you don't want to remove.
Click on Cleaning.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You also can find the logfile at C:\AdwCleaner [C1 or later].txt as well.
http://i.imgur.com/r3PoAEG.gif

Step 2: Run Malwarebytes Anti-Malware ( MBAM ) Use Threat Scan.
http://www.softpedia.com/get/Antivi...
http://www.freewarefiles.com/Malwar...
http://www.freewarefiles.com/screen...
http://www.malwarebytes.org/downloads/
Forum
http://www.malwarebytes.org/forums/
After the Free trial, I choose this.
http://fs5.directupload.net/images/...
You then get this screen.
http://fs5.directupload.net/images/...
Or,
Deactivate Malwarebytes for Windows Premium Trial
https://support.malwarebytes.com/do...
At the end of a scan, you will get something like this.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
After clicking on > View Report & then > Export. Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.



#3
September 9, 2018 at 10:45:11
You allowed yourself to get hacked. I'm curious how it happened...facebook? When you saw the original popup, you should have closed your browser and/or shutdown your computer, then immediately run a scan for infections. By calling the number & granting access, you allowed them to do who knows what to your computer. Bottom line - you fell for a scam. I assume you gave them your credit card number? Bad move. Call the credit card company & check for suspicious activity. See if you can cancel payment. You might want to cancel your card & get a new one. What security protection do you have installed? It apparently isn't very good.



#4
September 9, 2018 at 17:57:45
JohnW will help remove all that they did to your system BUT you should immediately change your Microsoft/user password (the user name may be harder, but with the password change you should be able to block future activity).

You have to be a little bit crazy to keep you from going insane.



#5
September 10, 2018 at 00:37:50
# -------------------------------
# Malwarebytes AdwCleaner 7.2.3.1
# -------------------------------
# Build: 09-03-2018
# Database: 2018-09-06.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 09-09-2018
# Duration: 00:00:21
# OS: Windows 10 Pro
# Cleaned: 15
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\ProgramData\FileViewPro
Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileViewPro
Deleted C:\Program Files\FileViewPro

***** [ Files ] *****

Deleted C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Facebook.lnk

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\csastats
Deleted HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FileViewPro_is1
Deleted HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main|Start Page
Deleted HKLM\Software\Microsoft\Internet Explorer\Main|Start Page
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\adobe-reader.en.softonic.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\adobe-reader.en.softonic.com

***** [ Chromium (and derivatives) ] *****

Deleted Search Manager

***** [ Chromium URLs ] *****

Deleted Ask
Deleted AOL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [2859 octets] - [09/09/2018 17:50:24]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########



#6
September 10, 2018 at 00:46:31
Hi riider, Thanks for your response, as you did in the past with my question.
The SCAM just froze my computer while I was in FACEBOOK. The screen showed a warning to not do anything but to call the 800 no. posted in their warning. I did, and the woman just scrolled me around a scan showing me that I was hacked both domestic and foreign.

Their billing dept kept calling me to pay through a personal check for $199 for their claim for labor and 2 apps, Microsoft Modifier ($100) and SASpyware ($99). I have not answered their call so the billing has not completed. They are still trying to connect to my phone.



#7
September 10, 2018 at 00:51:32
Johnw,
Thanks for coming in and helping. You are right, I had this dumb hack 3 yrs ago, which you helped with then.
Now, here I am again. I ran the AdwCleaner and pasted the contents of the logfile. But that's about where I can go. I was not able to follow Step 2 and thereafter.


#8
September 10, 2018 at 01:03:33
"I was not able to follow Step 2 and thereafter"
Not sure if you mean, you could not understand or the computer won't let you.

Let's try this way.

Please download Dr.Web CureIt and save it to your Desktop. DO NOT perform a scan until you get it on your desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. (If this is not possible, this program is portable, and runs right from the location it is downloaded to, like a USB drive or SD card.)
http://www.softpedia.com/get/Antivi...
http://filehippo.com/download_dr_we...
http://www.freedrweb.com/cureit//
http://www.freedrweb.com/cureit/?ln...
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Documentation
http://download.geo.drweb.com/pub/d...

Copy & Paste the contents of the log into a text file & upload it here.
No time delays/Captcha-I'm not a Robot/account/registration needed. Give us the link please.
http://www.fileconvoy.com/index.php



#9
September 10, 2018 at 01:10:31
Thanks for the advice to change the Username and Password of my Microsoft account.



#10
September 10, 2018 at 01:25:57
Pls see the UPLOAD note in the next message

message edited by raycuadro



#11
September 10, 2018 at 01:30:06
"Which one do I use?"
Any, usually the one you find the easiest.
Too many choices eh.
Here is the direct download link.

https://www.softpedia.com/dyn-postd...

message edited by Johnw



#12
September 10, 2018 at 01:36:53
Besides changing user name / password... with new characters...

Include a period (a full stop) somewhere in each. e.g.

If your user name was to be bigboy then insert a period somewhere in it so that it becomes bigb.oy or something like that. Where you insert the period isn't critical, but certainly not between the first and second characters, nor the last and penultimate. Likewise use a mix of letters and numbers.

Apply similar to the password.

And use a mix of upper and lower cases.

The above approach seriously limits the vulnerability of an account.

I have a specific email account which uses the above system for user name and password. To date it’s had only one spam email, and that came via a contact who emailed to that account; and his mail box/contacts had been hacked.



#13
September 10, 2018 at 01:57:40
"How do I download Dr.Web CureIt and save it to my Desktop?"
Once you have downloaded it to wherever you keep downloads & you don't know how to drag it out onto the desktop, right click on it & Copy, then Paste it on your Desktop.



#14
September 10, 2018 at 09:42:52
Incidentally... If you haven't already copied (as in duplicated) any personal files to external storage - do so now... Ideally to an external hard drive and, if possible (especially for photos etc.), also to DVD. Verify copies are fully accessible too.

Should the need arise at this time, or on any future occasion, to rebuild the system afresh, then personal files will be safe elsewhere. Likewise if suddenly locked out by Ransomware attacks, most of your data will be safe elsewhere. Do NOT leave the external drive connected all the time; only when copying files to it etc.

Make it a good habit to adopt and keep the external drive up to date; and safely stored...

message edited by trvlr



#15
September 10, 2018 at 23:13:35
Hi Johnw, I was able to run Dr.Web CureIt and saved (pasted) the log result to my Desktop. BUT, I do not know how to export the log to you.

Need help again to export the log to you.



#16
September 11, 2018 at 00:43:55
Johnw:

Found out how to UPLOAD the file.....

http://www.fileconvoy.com/dfl.php?i...



#17
September 11, 2018 at 03:53:36
"Found out how to UPLOAD the file....."
Got it Ray.

Next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt) on the Desktop.
The logs are large, upload them using one of these. No time delays/Captcha-I'm not a Robot/account/registration needed. Give us the links please.
http://www.fileconvoy.com/index.php




#20
September 11, 2018 at 17:08:13
johnw:

from FRST64 - FRST text


http://www.fileconvoy.com/dfl.php?i...



#21
September 11, 2018 at 17:13:20
Got them Ray, back in about 3/4 hour.


#22
September 11, 2018 at 17:16:31
Johnw
From FRST64 - Addition.txt


http://www.fileconvoy.com/dfl.php?i...



#23
September 11, 2018 at 17:53:21
""I was not able to follow Step 2 and thereafter"
Not sure if you mean, you could not understand or the computer won't let you"
You haven't told me why you were not able.

If the comp wouldn't let you, try again.
Make sure Scan for rootkits is On. Refer this SS.
http://fs5.directupload.net/images/...



#24
September 11, 2018 at 18:06:27
This app will not let me do anything.....
From Message #23 Above

http://fs5.directupload.net/images/...



#25
September 11, 2018 at 18:10:35
Ok, next step. Copy & Paste the contents of the log in your reply.

Run Trend Micro RootkitBuster
http://www.softpedia.com/get/Antivi...
http://downloadcenter.trendmicro.co...



#26
September 11, 2018 at 20:52:53
Johnw- -

http://www.fileconvoy.com/dfl.php?i...



#27
September 11, 2018 at 21:21:16
Thanks Ray, but that is your Webroot SecureAnywhere log.

Were you able to run RootkitBuster?



#28
September 11, 2018 at 21:50:14
Johnw:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1203
| Computer Name: RAYC-PC
| OS version: 6.2-9200
| User Name: Ray
+----------------------------------------------------


--== Dump malicious MBR ==--
No hidden MBR found.

--== Dump Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.



#29
September 11, 2018 at 22:09:55
Next step.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
AlternateDataStreams: C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg: 3or4kl4x13tuuug3Byamue2s4b [97]
AlternateDataStreams: C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-709431754-592006492-3596901255-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR DefaultSearchURL: Default -> hxxp://srchbar.com/?q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
HKLM\SYSTEM\CurrentControlSet\Services\45831882CBB4FCEF <==== ATTENTION (Rootkit!)

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...


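The two fixlists Johnw posted (the Best Answer and #29) remove four kinds of artifact: a non-default alternate data stream on a JPG, hijacked Chrome startup/search URLs, browser policy "Restriction" keys, and a hex-named service flagged as a rootkit. As an added example that is not part of FRST or of Johnw's script, this read-only PowerShell triage reports the same four classes on a machine so the findings can be reviewed before anything is deleted. The Documents folder as scan root, the default Chrome profile path, and the "all hex digits" service-name pattern are my assumptions.

```powershell
# Added example, not part of FRST or of the thread's own fixlist. Read-only:
# it reports the artifact classes the fixlist removed and deletes nothing.
# Assumptions: Documents as the ADS scan root, the default Chrome profile
# path, and the all-hex-digits service-name pattern.
#Requires -Version 5.1

function Get-SuspiciousAds {
    # Alternate data streams other than the default :$DATA stream and the
    # Zone.Identifier mark-of-the-web that Windows itself writes on downloads.
    param([string]$Root = "$env:USERPROFILE\Documents")
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
                Select-Object FileName, Stream, Length
        }
}

function Get-ChromeStartupAndSearch {
    # Chrome keeps startup URLs and the default search engine in the profile's
    # Preferences JSON; FRST reports them as CHR StartupUrls / CHR DefaultSearchURL.
    param([string]$Prefs = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences")
    if (-not (Test-Path -LiteralPath $Prefs)) { return }
    $p = Get-Content -LiteralPath $Prefs -Raw | ConvertFrom-Json
    [pscustomobject]@{
        StartupUrls = @($p.session.startup_urls) -join ' | '
        SearchUrl   = $p.default_search_provider_data.template_url_data.url
        SuggestUrl  = $p.default_search_provider_data.template_url_data.suggestions_url
    }
}

function Get-BrowserPolicyRestrictions {
    # A home PC normally has no browser policy keys at all; FRST flags their
    # presence as "Restriction <==== ATTENTION". One row per key, values inline.
    $roots = 'HKLM:\SOFTWARE\Policies\Google',
             'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            [pscustomobject]@{
                Key    = $key.Name
                Values = ($key.Property | ForEach-Object { "$_=$($key.GetValue($_))" }) -join '; '
            }
        }
    }
}

function Get-HexNamedServices {
    # Service names that are nothing but hex digits (the fixlist's
    # 45831882CBB4FCEF is sixteen of them) deserve a manual look. The pattern
    # is an assumption; treat hits as leads to verify, not as verdicts.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{12,}$' } |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $_.GetValue('ImagePath')
                Start     = $_.GetValue('Start')
            }
        }
}

'== Alternate data streams (non-default) =='; Get-SuspiciousAds | Format-Table -AutoSize
'== Chrome startup URLs and default search =='; Get-ChromeStartupAndSearch | Format-List
'== Browser policy keys (HKLM) =='; Get-BrowserPolicyRestrictions | Format-Table -AutoSize
'== Hex-named services =='; Get-HexNamedServices | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell window; everything it touches is readable without admin rights, and a search URL or policy key you never configured is the thing to compare against the fixlist entries above.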

#30
September 12, 2018 at 00:15:37
Took a while but I finally got it.

http://www.fileconvoy.com/dfl.php?i...



#31
September 12, 2018 at 01:04:40
Now see if you can run Malwarebytes.
Make sure Scan for rootkits is On.

message edited by Johnw



#32
September 12, 2018 at 12:12:33

Run Rootkit Buster - (Scan)

Result:
+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1203
| Computer Name: RAYC-PC
| OS version: 6.2-9200
| User Name: Ray
+----------------------------------------------------


--== Dump malicious MBR ==--
No hidden MBR found.

--== Dump Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.



#33
September 12, 2018 at 15:59:38
Thanks Ray, but I asked >

"Now see if you can run Malwarebytes.
Make sure Scan for rootkits is On."



#34
September 12, 2018 at 17:03:43
I do not understand when you said "Now see if you can run Malwarebytes.
Make sure Scan for rootkits is On."

How do I do that?



#35
September 12, 2018 at 17:14:01
"How do I do that?"
Already covered that in posts #23 & #24


#36
September 13, 2018 at 21:29:39
I went back to Message #2 and I was able to view the Report (took a long while) and Exported the report. I copied the report to the Clipboard but I cannot find the report in the Clipboard to Paste.

Is running the Malwarebytes important? Can I just NOT run it? I spent a day looking in the Clipboard to paste in my reply but I cannot. I know I click the "Copy to the Clipboard", but I must be doing something wrong because I cannot see the copy.



#37
September 13, 2018 at 22:31:24
Ok.

Next step.

Run Hitman Pro, then Copy and Paste the contents of the log, into your reply please.
http://www.softpedia.com/get/Intern...
https://www.hitmanpro.com/en-us/hmp...
How to scan and obtain a log
http://forums.majorgeeks.com/showth...
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (64-bit)
https://dl.surfright.nl/HitmanPro_x...
Review
http://www.youtube.com/watch?v=WmPQ...



#38
September 13, 2018 at 22:31:55
http://www.fileconvoy.com/dfl.php?i...


#39
September 13, 2018 at 22:42:49
http://www.fileconvoy.com/dfl.php?i...


#40
September 13, 2018 at 23:06:38
You have sent the same log twice Ray.
Did you Run Hitman Pro?


#41
September 13, 2018 at 23:28:30
Am still running the Hitman Pro! Another tough one like the first one I did 3 yrs ago.


#42
September 14, 2018 at 01:03:23
Hitman Pro (1)


HitmanPro 3.8.0.295
www.hitmanpro.com

Computer name . . . . : DESKTOP-17CTSSF
Windows . . . . . . . : 10.0.0.17134.X64/4
User name . . . . . . : DESKTOP-17CTSSF\cuadr
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (31 days left)

Scan date . . . . . . : 2018-09-14 00:41:49
Scan mode . . . . . . : Normal
Scan duration . . . . : 9m 13s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 11

Objects scanned . . . : 2,940,424
Files scanned . . . . : 25,502
Remnants scanned . . : 361,842 files / 2,553,080 keys

Suspicious files ____________________________________________________________

C:\Users\cuadr\OneDrive\Desktop\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,196,480 bytes
Age . . . . . . . : 78.3 days (2018-06-27 16:36:33)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A6CE58B50CA37F34060EF79D4A9D62EBDDBF53CDE7F047E58279B8A755CC81AE
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Desktop\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,198,528 bytes
Age . . . . . . . : 78.3 days (2018-06-27 16:35:45)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 6E8BF313C850728328088C2DC10FB5369B9C938F71F58EC7EB8D51374EB1CA51
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Desktop\Applications - Malwares\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,348,544 bytes
Age . . . . . . . : 78.3 days (2018-06-27 16:31:51)
Entropy . . . . . : 7.6
SHA-256 . . . . . : ECD10C08D843DA5D325A3B8E5D3324D2A8F9AD03CB9D9F91A622CF595224B067
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Desktop\Applications - Malwares\FRST64.exe
Size . . . . . . . : 2,193,408 bytes
Age . . . . . . . : 78.3 days (2018-06-27 16:28:22)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4958876954DA3391CDAFD2343B6E07221A19890EA10CCF13BCA436F4EF4A344A
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Desktop\Applications - Malwares\Malwares, etc\mbam-setup-2.0.4.1028.exe
Size . . . . . . . : 20,447,072 bytes
Age . . . . . . . : 78.3 days (2018-06-27 16:36:39)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 64E76A734A0F6864DC2EC0DC33542ADE0AF1F8738B906416A7B838C940ED398A
Product . . . . . : Malwarebytes Anti-Malware
Publisher . . . . : Malwarebytes Corporation
Description . . . : Malwarebytes Anti-Malware
Version . . . . . : 2.0.4.1028
RSA Key Size . . . : 2048
LanguageID . . . . : 0
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,196,480 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:42)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A6CE58B50CA37F34060EF79D4A9D62EBDDBF53CDE7F047E58279B8A755CC81AE
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,198,528 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:42)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 6E8BF313C850728328088C2DC10FB5369B9C938F71F58EC7EB8D51374EB1CA51
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,348,544 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : ECD10C08D843DA5D325A3B8E5D3324D2A8F9AD03CB9D9F91A622CF595224B067
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST64.exe
Size . . . . . . . : 2,193,408 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4958876954DA3391CDAFD2343B6E07221A19890EA10CCF13BCA436F4EF4A344A
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\Malwares, etc\mbam-setup-2.0.4.1028.exe
Size . . . . . . . : 20,447,072 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 64E76A734A0F6864DC2EC0DC33542ADE0AF1F8738B906416A7B838C940ED398A
Product . . . . . : Malwarebytes Anti-Malware
Publisher . . . . : Malwarebytes Corporation
Description . . . : Malwarebytes Anti-Malware
Version . . . . . : 2.0.4.1028
RSA Key Size . . . : 2048
LanguageID . . . . : 0
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.


Cookies _____________________________________________________________________

C:\Users\cuadr\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WGI1S637\cdn.flashtalking[1].xml




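The HitmanPro log above does not call any of these files malware (Threats: 0); it lists "traces" with the reasons each file looks odd: high entropy, a missing publisher in the version info, and for the old mbam installer an Authenticode signature that no longer matches the file. As an added example that is not HitmanPro's or FRST's code, this PowerShell function reproduces those three heuristics for any file, so a reader can check a flagged copy of FRST64.exe or mbam-setup themselves. The 7.2 entropy threshold and the Downloads folder used at the end are my assumptions.

```powershell
# Added example, not HitmanPro's code. Reproduces the heuristics the log
# reports per "suspicious file": byte entropy, Authenticode status and the
# publisher/version fields of the PE version resource. Read-only.
# Assumptions: the 7.2 entropy threshold and the Downloads folder below.
#Requires -Version 5.1

function Get-FileEntropy {
    # Shannon entropy in bits per byte. 8.0 is indistinguishable from random
    # (compressed, encrypted or packed); plain executables sit around 5 to 6.5.
    # Pure PowerShell loop: fine for a few MB, slow for very large files.
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    [Math]::Round($h, 2)
}

function Get-FileTrustReport {
    # One row per file with the same facts HitmanPro prints, plus the
    # human-readable reasons as explicit rules instead of fixed sentences.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $item = Get-Item -LiteralPath $full
    $sig  = Get-AuthenticodeSignature -LiteralPath $full
    $vi   = $item.VersionInfo
    $status  = [string]$sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $company = [string]$vi.CompanyName
    $version = [string]$vi.FileVersion
    $entropy = Get-FileEntropy -Path $full

    $flags = @()
    if ($entropy -ge 7.2)           { $flags += 'high entropy: packed, compressed or encrypted' }
    if ($status -eq 'HashMismatch') { $flags += 'altered since it was code signed' }
    if ($status -eq 'NotSigned')    { $flags += 'no Authenticode signature' }
    if (-not $company)              { $flags += 'no publisher in version info' }
    if (-not $version)              { $flags += 'no version info' }

    [pscustomobject]@{
        File      = $item.Name
        SizeBytes = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        Entropy   = $entropy
        Signature = $status
        Signer    = $signer
        Company   = $company
        Version   = $version
        Flags     = ($flags -join '; ')
    }
}

# Report on every .exe in Downloads (assumed location of saved installers).
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileTrustReport -Path $_.FullName } |
    Format-List
```

A Signature of Valid from a known Signer settles the question regardless of the other flags; unsigned plus no publisher, as with FRST64.exe in the log, means the file's provenance rests entirely on where it was downloaded from.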

#43
September 14, 2018 at 01:05:17
Hitman Pro (2)
Description . . . : Malwarebytes Anti-Malware
Version . . . . . : 2.0.4.1028
RSA Key Size . . . : 2048
LanguageID . . . . : 0
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,196,480 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:42)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A6CE58B50CA37F34060EF79D4A9D62EBDDBF53CDE7F047E58279B8A755CC81AE
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST-OlderVersion\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,198,528 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:42)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 6E8BF313C850728328088C2DC10FB5369B9C938F71F58EC7EB8D51374EB1CA51
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST-OlderVersion\FRST64.exe
Size . . . . . . . : 2,348,544 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : ECD10C08D843DA5D325A3B8E5D3324D2A8F9AD03CB9D9F91A622CF595224B067
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\FRST64.exe
Size . . . . . . . : 2,193,408 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4958876954DA3391CDAFD2343B6E07221A19890EA10CCF13BCA436F4EF4A344A
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\Users\cuadr\OneDrive\Documents\Applications - Malwares\Malwares, etc\mbam-setup-2.0.4.1028.exe
Size . . . . . . . : 20,447,072 bytes
Age . . . . . . . : 91.1 days (2018-06-14 21:31:41)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 64E76A734A0F6864DC2EC0DC33542ADE0AF1F8738B906416A7B838C940ED398A
Product . . . . . : Malwarebytes Anti-Malware
Publisher . . . . : Malwarebytes Corporation
Description . . . : Malwarebytes Anti-Malware
Version . . . . . : 2.0.4.1028
RSA Key Size . . . : 2048
LanguageID . . . . : 0
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.


Cookies _____________________________________________________________________

C:\Users\cuadr\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WGI1S637\cdn.flashtalking[1].xml


[/code]



#44
September 14, 2018 at 01:21:21
Next step. Let me know when finished.

Run Wise Registry Cleaner ( Not Wise Disk Cleaner )
( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing )
http://www.softpedia.com/get/Tweak/...
http://www.freewarefiles.com/Wise-R...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...



#45
September 14, 2018 at 10:16:49
Completed running the Wise Registry Cleaner.


#46
September 14, 2018 at 18:05:13
Run Farbar ( FRST64 ) again please, follow this SS & upload the 2 new logs.
http://i.imgur.com/i3fg3Pf.gif


#47
September 14, 2018 at 23:38:00


http://www.fileconvoy.com/dfl.php?i...



#48
September 14, 2018 at 23:42:03

Not sure if I already sent this file:

http://www.fileconvoy.com/dfl.php?i...



#49
September 14, 2018 at 23:54:20
Neither is any good, Ray; I want new FRST & Addition logs.


#50
September 15, 2018 at 00:33:23

http://www.fileconvoy.com/dfl.php?i...



#51
September 15, 2018 at 00:34:56

http://www.fileconvoy.com/dfl.php?i...



#52
September 15, 2018 at 02:24:34
You have sent the same log twice, Ray; waiting on the FRST log.


#53
September 15, 2018 at 12:27:33

http://www.fileconvoy.com/dfl.php?i...


#54
September 15, 2018 at 16:10:48
✔ Best Answer
Copy & Paste only the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
AlternateDataStreams: C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg: 3or4kl4x13tuuug3Byamue2s4b [97]
CHR StartupUrls: Default -> "hxxp://www.google.com/","","hxxp://google/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://us.yardood.com/?tn=sdks_inner_hp_01_yardood_us&guid=95c817cc47e31f743f66c2ec313dbcad"

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

message edited by Johnw



#55
September 16, 2018 at 01:54:14
I spent a lot of time getting Notepad and pasting this app in my desktop. But, I was not able to paste the text in BLUE.

How the devil do I get the Notepad? I tried Google store and downloaded Notepad for Windows 10 but I cannot work it out.

I did get Notepad before for Message #29 but I cannot do it again.

Need HELP!



#56
September 16, 2018 at 02:56:44
Just type notepad into Search next to the Start button.


#57
September 16, 2018 at 11:26:01
Fix result of Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by Ray (16-09-2018 11:09:29) Run:2
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available Profiles: Ray)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
AlternateDataStreams: C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg: 3or4kl4x13tuuug3Byamue2s4b [97]
CHR StartupUrls: Default -> "hxxp://www.google.com/","","hxxp://google/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp://us.yardood.com/?tn=sdks_inner_hp_01_yardood_us&guid=95c817cc47e31f743f66c2ec313dbcad"
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg => ": 3or4kl4x13tuuug3Byamue2s4b" ADS could not remove.
"Chrome StartupUrls" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 9461760 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 54941379 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 1377865 B
Edge => 1161658 B
Chrome => 252610680 B
Firefox => 0 B
Opera => 396879630 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 6344 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
Ray => 688476754 B

RecycleBin => 270390748 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:11:43 ====



#58
September 16, 2018 at 15:49:55
Run AlternateStreamView to remove > Las Vegas Utilities Phone Numbers.jpg => ": 3or4kl4x13tuuug3Byamue2s4b" ADS.
Look for Las Vegas or parts of the file in the search result.
https://www.nirsoft.net/utils/alter...
Screenshot
http://fs1.directupload.net/images/...


#59
September 16, 2018 at 17:28:10
Easier way to remove ADS on Win10 is to open PowerShell and type:
rm 'C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg' -Stream * -Force

How To Ask Questions The Smart Way

message edited by Razor2.3


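An added example, not code from this thread or from either of the two posts above, that does what they describe in a checkable way: it lists every NTFS stream on the file, removes the non-standard ones one at a time so each name is logged, and re-checks afterwards. The file path is the one from the fixlog; the `$KeepMarkOfTheWeb` switch and the "still has the file open" explanation are assumptions of this example, and it needs Windows PowerShell 3 or later on an NTFS volume.

```powershell
# Added example, not code from the thread. Lists, removes and re-checks NTFS
# alternate data streams (ADS) on one file.
$Path = 'C:\Users\Ray\Documents\Las Vegas Utilities Phone Numbers.jpg'   # path from the fixlog
$KeepMarkOfTheWeb = $true   # assumption: keep Zone.Identifier so Windows still knows the file's origin

# Every stream on the file, including the primary one (':$DATA').
$before = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop)
Write-Host "Streams before:"
$before | ForEach-Object { Write-Host ("  {0,-40} {1,8} bytes" -f $_.Stream, $_.Length) }

foreach ($s in $before) {
    if ($s.Stream -eq ':$DATA') { continue }          # never touch the file's real content
    if ($KeepMarkOfTheWeb -and $s.Stream -eq 'Zone.Identifier') {
        Write-Host "Keeping Zone.Identifier (Mark-of-the-Web)"
        continue
    }
    # Same effect as the one-liner above, but one named stream at a time so each
    # removal is logged. Passing the name as a value handles spaces or odd characters.
    Write-Host "Removing stream '$($s.Stream)' ($($s.Length) bytes)"
    Remove-Item -LiteralPath $Path -Stream $s.Stream -Force -ErrorAction Stop
}

# Re-check: anything other than ':$DATA' (and, optionally, Zone.Identifier) means a
# removal failed, for example because another process still has the file open.
$after = @(Get-Item -LiteralPath $Path -Stream *)
$left  = $after | Where-Object {
    $_.Stream -ne ':$DATA' -and -not ($KeepMarkOfTheWeb -and $_.Stream -eq 'Zone.Identifier')
}
if ($left) {
    Write-Warning ("Still present: " + (($left | ForEach-Object { $_.Stream }) -join ', '))
} else {
    Write-Host "Only the expected stream(s) remain."
}
```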

#60
September 17, 2018 at 10:28:54

http://www.fileconvoy.com/dfl.php?i...



#61
September 17, 2018 at 10:34:45
Razor 2.3

Need help to open PowerShell. Am still a novice.



#62
September 17, 2018 at 11:39:13
Right-click on the Start button / Windows logo, and select Windows PowerShell, or left-click on the Start button / Windows logo, and type powershell.

How To Ask Questions The Smart Way



#63
September 17, 2018 at 14:18:05

Johnw -
I will be out for about 2 months starting tomorrow so thanks a lot for your
patience and help. Will catch you on the rebound.

message edited by raycuadro



#64
September 17, 2018 at 16:06:50
Ok Ray, re your post #60, that is the program, not the log.
Have you been able to remove the Las Vegas file?


#65
September 17, 2018 at 16:22:03

No, not yet. Will work on it tonight and send you a message. On #60, I should be looking at the Read Me text document to look for and remove the Las Vegas file, correct?


#66
September 17, 2018 at 16:32:41
Just run the program ( hit Scan ), look for the file & only that file.
When found, click on it & hit the X ( Delete ).


#67
September 17, 2018 at 21:40:52
Johnw -

Ran AlternateStreamView and looked to remove the Las Vegas Utilities Phone Numbers.jpg => ": 3or4kl4x13tuuug3Byamue2s4b" ADS. Examined the files and did not see the Las Vegas Utilities .......

So there was nothing to remove. Is that possible?



#68
September 18, 2018 at 01:01:14
"So there was nothing to remove. Is that possible?"
Upload SS ( screenshots ) of all the steps you are trying.

message edited by Johnw



#69
September 18, 2018 at 07:38:40
It's possible, if you ran that PowerShell line. If so, you manually removed what Johnw's tool would remove.

It's also possible that you've been reinfected. Such are the joys of fighting viruses on a live system.

How To Ask Questions The Smart Way


