
Infected Win 7 through showmypc attack

mbr anti-virus drivers clean install

17 replies to this topic

#1
2ndDan13

2ndDan13
  • Member
  • 3 posts
  • Joined 19-March 14
  • OS:Windows 7 x86
  • Country: Country Flag

A week ago I installed Windows 7 and a day later downloaded Office 2013, after establishing a Microsoft account. The following day I received a call alleging to be Microsoft engineers stating they noticed significant infections on my desktop PC. They used showmypc to lead me around my computer and show me alleged virus evidence. I consider myself to be reasonably intelligent and pretty familiar with PCs, but the timing was right for the perps and I'm embarrassed to say I fell hook, line and almost sinker. When the dust settled and I stopped just short of committing my credit card for a $180 "license renewal", I disconnected from the call and tried to remove/uninstall showmypc. Unable to do this, I eventually attempted a clean install with the Windows 7 disk. It allowed me to remove the existing two partitions and install Windows 7 on a new single partition. When the splash screen appeared, there was a small white icon in the lower left that was obviously not Microsoft generated, containing 4 or 5 "fishy" applet links and a very poor computerized voice describing them. I tried installing drivers from my Msi driver disk, which worked perfectly the first time, but this time got an error box stating the files couldn't be found. Rebooted the Win 7 disk and tried the repair option only to receive a message stating the repairs couldn't be accomplished. Used Trend Micro Titanium Anti-Virus and Windows Security Essentials but they found no virus or spyware. Thinking there might be a bug in the boot sector or MBR, launched bootrec.exe and tried to use FixMbr and FixBoot, but neither one was allowed to function. There are sites that chronicle similar incidences dating back a couple years, but nothing that I could find with a solution to my particular problem. Would appreciate any insight and suggestion that anyone might be able to provide. By the way, on a normal install of Windows 7, is there more than one partition created?

Thanks.





#2
jaclaz

jaclaz

    The Finder

  • Developer
  • 15,316 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

No. :(

Meaning that if you do a clean install, from the original MS DVD, it is "clean".

What is possible (though I have difficulties in believing it :w00t:, in the sense that it would be "hooked/started" by sheer magic :ph34r:) is that the malware wrote *something* *somewhere* that *somehow* you failed to wipe/overwrite when you re-installed.

 

Can you describe the actual Windows 7 disc that you used (i.e. is it retail, OEM or what)?

 

You mention "downloading" the Office 2013 from MS.

Did you restore the "download" after having reinstalled the Windows?

I mean is it possible that what was infected was - besides the actual partition(s) - some data that you archived on external media and that you re-deployed or restored after the new install?

 

BTW a "real" clean (default) install of Windows 7 has 2 partitions, a 100 Mb "boot" one and another one for the rest of the disk; if you have just one partition now it means that the new install was not "default" (and possibly also not "clean"). :unsure:

 

jaclaz



#3
PinkFreud

PinkFreud

    Junior

  • Member
  • Pip
  • 96 posts
  • Joined 12-August 10
  • OS:Windows 7 x64
  • Country: Country Flag

...When the splash screen appeared, there was a small white icon in the lower left that was obviously not Microsoft generated, containing 4 or 5 "fishy" applet links and a very poor computerized voice describing them...

What you saw/heard is Windows' "Ease of Access" feature, completely legit.

 




#4
2ndDan13

2ndDan13
  • Member
  • 3 posts
  • Joined 19-March 14
  • OS:Windows 7 x86
  • Country: Country Flag

Thanks for the responses. Curious about "Ease of Access"....didn't appear on the splash screen on the initial install. Curious computerized voice they used to introduce it.

 

As far as the Win 7 disk, it's retail and a gift from a trusted, tech/computer savvy friend. The initial issue was the inability to uninstall showmypc. Couldn't remove it from Program Files. Win 7 reinstalled without a hitch, but just when I thought I was out of the woods, I tried installing drivers from my Msi disk but was prevented from doing so. The crazy thing is that after using two anti-virus apps. and an anti-malware disk to scan the drive, it comes back clean.

 

I did not attempt to restore the download of Office 2013, since I wasn't able to load necessary drivers or connect to the inet, so there's no chance that could be a source of infection. Thanks also for the info on the partitions. A good buddy of mine with both knowledge and tools to repair and diagnose computer problems currently has the drive and found the drive to be clean through several scans. We'll pop it back into my PC, boot it and see what we see. I'll post the results.

 

Thanks again.



#5
jaclaz

jaclaz

    The Finder

  • Developer
  • 15,316 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Good :)

Then most probably it was just a "false alarm".

JFYI, the "showmypc" in itself is a "legitimate" software, nothing but one among the n "remote administration" tools for Windows, but since you were tricked into the scam, it is well possible that it was used as "vector" for some malware.

 

 

jaclaz



#6
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,852 posts
  • Joined 28-April 06
  • OS:Windows 7 x86
  • Country: Country Flag

Donator

Thanks for the responses. Curious about "Ease of Access"....didn't appear on the splash screen on the initial install. Curious computerized voice they used to introduce it.

 

 

The Narrator is disabled by default, but can be enabled by using a key combination. I've done it accidentally before.


MSFN RULES | GimageX HTA for PE 3-5 | lol probloms


#7
jaclaz

jaclaz

    The Finder

  • Developer
  • 15,316 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

...and you can select different voices:

http://www.thewindow...-in-windows-8-7

The default is Microsoft David Desktop. You can also choose Microsoft Hazel Desktop or Microsoft Zira Desktop.

 

besides changing speed, volume and pitch...

 

jaclaz



#8
simonhind

simonhind

    Newbie

  • Member
  • 17 posts
  • Joined 21-September 11
  • OS:Windows 7 x64
  • Country: Country Flag

A week ago I installed Windows 7 and a day later downloaded Office 2013, after establishing a Microsoft account. The following day I received a call alleging to be Microsoft engineers stating they noticed significant infections on my desktop PC. They used showmypc to lead me around my computer and show me alleged virus evidence. I consider myself to be reasonably intelligent and pretty familiar with PCs, but the timing was right for the perps and I'm embarrassed to say I fell hook, line and almost sinker. When the dust settled and I stopped just short of committing my credit card for a $180 "license renewal", I disconnected from the call and tried to remove/uninstall showmypc. Unable to do this, I eventually attempted a clean install with the Windows 7 disk. It allowed me to remove the existing two partitions and install Windows 7 on a new single partition. When the splash screen appeared, there was a small white icon in the lower left that was obviously not Microsoft generated, containing 4 or 5 "fishy" applet links and a very poor computerized voice describing them. I tried installing drivers from my Msi driver disk, which worked perfectly the first time, but this time got an error box stating the files couldn't be found. Rebooted the Win 7 disk and tried the repair option only to receive a message stating the repairs couldn't be accomplished. Used Trend Micro Titanium Anti-Virus and Windows Security Essentials but they found no virus or spyware. Thinking there might be a bug in the boot sector or MBR, launched bootrec.exe and tried to use FixMbr and FixBoot, but neither one was allowed to function. There are sites that chronicle similar incidences dating back a couple years, but nothing that I could find with a solution to my particular problem. Would appreciate any insight and suggestion that anyone might be able to provide. By the way, on a normal install of Windows 7, is there more than one partition created?

Thanks.

 

 

wow

 

I remember when someone tried the same with me.

They called pretending to be from Microsoft; this is what was said:

Him

- You have a virus on your computer, I am connected to your PC and can see it

Me

- Hi, can you tell me what my IP address is?

Him

- No

Me

- Well, how do you even know if I have a PC? I didn't say I had one and I'm not going to tell you if I have. You're not genuine, as you should know you need to know my IP address in order to see what's on my computer (if I had one)

Anyway, the moral of the story was, from the start I already knew he was fake, I was playing with his head, I put the phone down on him 5 minutes later lol



#9
2ndDan13

2ndDan13
  • Member
  • 3 posts
  • Joined 19-March 14
  • OS:Windows 7 x86
  • Country: Country Flag

Yes, I learned the lesson the hard way...and I should have known better is what's so aggravating! Caught me by surprise just after a major MS download, requiring me to open a MS account. The good news is, thanks to a good buddy who has the tools to fix things, I gained a clean drive and have successfully re-installed Win 7, downloaded Office 2013 and have my dual boot reestablished with PC Linux. The more I see it and with what MS is planning, I think Linux is a much better option. In any event, thank you all for your interest, tips and sharing your experiences.  



#10
nimd4

nimd4

    kg8me

  • Member
  • 36 posts
  • Joined 29-October 05
  • OS:Windows 7 x64
  • Country: Country Flag

Just in case anyone else should need the info,

 

The following day I received a call alleging to be Microsoft engineers [..]

 

Micro$oft won't ever call.. :)

 

By the way, on a normal install of Windows 7, is there more than one partition created?

 

Yes, the "System Reserved" partition (typically 100 MB, for the bootloader and such) and it can be seen through Disk Management; there are ways to avoid it being created, just using the setup DVD (& no other tools), btw. Semi-complicated way here, although it can be done just through the setup GUI (going to advanced/manual and then deleting/merging the 2 partitions as they're created by the installer).

Also btw., any Linux Live-CD/DVD that has gparted can manipulate partitions. What's important is, if there's data that needs to be preserved on the HDD, usually the *best* way of doing that - is using a partition manager from within Windows, to ensure there will be no loss (however this isn't always possible, if Windows isn't fully functional; it just gets more complicated from here)

=)


Edited by nimd4, 04 April 2014 - 03:31 PM.

Z68A-G43 (G3) - i7-3770 - Vengeance 2x4GB 2133MHz - GTX 650 Gainward - WD 1TB 64MB SATA - Win7 Pro/64 SP1 / Trusty Xfce AMD64


#11
cottonlane

cottonlane

    Newbie

  • Member
  • 12 posts
  • Joined 07-May 10
  • OS:Windows 8 x86
  • Country: Country Flag

Format The Drive and Start Again, It's the only Answer



#12
cottonlane

cottonlane

    Newbie

  • Member
  • 12 posts
  • Joined 07-May 10
  • OS:Windows 8 x86
  • Country: Country Flag

Format the Drive and start again,  It's the only answer.



#13
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,481 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag

@cottonlane: Really? :w00t: Take a look back at post #9. ;)


Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#14
Ponch

Ponch

    MSFN Junkie

  • Patrons
  • 3,336 posts
  • Joined 23-November 05
  • OS:none specified
  • Country: Country Flag

Format the Drive and start again,  It's the only answer.

Sorry but before you give an answer like that, please, read the (now old) thread. To what question is your answer anyway?



#15
ZortMcGort11

ZortMcGort11

    Senior Member

  • Member
  • PipPipPipPip
  • 619 posts
  • Joined 20-August 12
  • OS:none specified
  • Country: Country Flag

Donator

I only answer the phone if it's my parents or sister's number, everybody else trying to call me is a lying sack of crap. My experiences with human beings have driven me to this :-)


wow



I remember when someone tried the same with me

they called pretending to be from microsoft, this is what was said

Back when I used to answer my phone, used to get these types of things all the time. Only it was usually credit card companies, mortgage companies, phone companies, insurance companies, etc.. pretending that I actually do business with them. They try to startle you into thinking you owe them money, and if you sign up for their plan this or that, you will be better off.

The last one I remember was some phone company calling me telling me that I'm paying too much for long distance calls and that if I switch to their plan, they can save me money. Hello? (1) You don't know jack about my long distance calls. (2) If you did know jack about my long distance calls, you'd know I never make any. But these liars have their scripts to read over the phone. Scripts that are designed to sound vague, scary, ambiguous and upsetting, and generic. They think if they throw enough crap against the wall, call up enough people, that somebody will eventually believe their LIES they're telling unsuspecting people answering their phones.

And really, you shouldn't need to use the phone for doing any important business. It's not necessary. If you're doing anything that's important it should be done person to person, at a bank, or an office or whatever. You don't give out information (social security numbers, any account numbers, credit card numbers) over the telephone. It's all scams!!!

Edited by LostInSpace2012, 05 April 2014 - 05:46 PM.


#16
ZortMcGort11

ZortMcGort11

    Senior Member

  • Member
  • PipPipPipPip
  • 619 posts
  • Joined 20-August 12
  • OS:none specified
  • Country: Country Flag

Donator

Another thing, be careful when you go to restaurants and hand them your credit cards. One time I got my identity stolen doing this... didn't realize what was going on until I noticed little withdrawals and transfers, and mystery purchases on my credit card statement. I had to verify and prove that I didn't purchase the items! There is a standard procedure that banks go through when this happens. You're supposed to contact the businesses that you have allegedly purchased things from, contact them, get receipts, dates of purchase, etc etc. Basically, the onus, the responsibility to track this crap down will be on you! They don't care. If you present enough "evidence" to the bank to substantiate your claims of fraud, they can freeze that credit card, and then they give you some FBI forms to fill out and you get entered into some huge online theft database and you never hear squat again. Luckily, the amounts they stole, charged from me, weren't any more than a 1,000 bucks.

Edited by LostInSpace2012, 05 April 2014 - 06:00 PM.


#17
ZortMcGort11

ZortMcGort11

    Senior Member

  • Member
  • PipPipPipPip
  • 619 posts
  • Joined 20-August 12
  • OS:none specified
  • Country: Country Flag

Donator

To original poster, here's a website you might find interesting:

Internet Crime Complaint Center (IC3)
http://www.ic3.gov/default.aspx

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).


^Keep this in mind, the next time they call you pretending to be from Microsoft, and report them :-)

Don't fall prey to a new scam targeting computer owners! Thieves are calling and pretending to be from Microsoft tech support. It's yet another way to try and steal your personal information. If you get a call claiming to be from Microsoft, or any other company, just hang up.

Scammers are popping up like weeds, and because they mostly operate from foreign countries, forget about catching them.

The story sounds believable.

"I didn't think anything about it," said Vanessa Lee. She experienced the scam herself.

She said it began with a phone call.

"Saying they were from Microsoft, what their name was, saying that they had been receiving a lot of error messages from my computer," Lee told us.

The person then told Lee she had a virus, but he could fix it. The scammer walked her through all sorts of trouble-shooting techniques, before asking her to link up to a legitimate site that would allow him to access her computer, and personal information. Then, he asked for even more.

"He said, 'What I need to do is purchase the extended warranty through us and it was only going to be $10 for 2 years or $15 for 3 years,'" she said.

She gave him her debit card number and stepped away from the computer only to notice minutes later, an open window - showing a wire transfer from her bank account to India.

"We're lucky I came back and looked at the computer to see what it was doing, or I wouldn't have known," Lee said.

She immediately contacted the wire transfer company and stopped it before money was stolen from her account.

These type of scam complaint calls have more than doubled.

"What people need to be made aware of is Microsoft and Norton are not going to call you and tell you you have a virus," said fraud specialist Beth Schell.

The Lee family learned a lesson.

"I'd like to tell him off, would you treat your grandmother that way?" Lee said.

Bogus calls seem to be in vogue right now, but scammers will operate by any means necessary to get your money. Their trickery could show up by email, instant messaging or regular mail.


http://www.nbc12.com...-from-microsoft

Edited by LostInSpace2012, 05 April 2014 - 06:32 PM.


#18
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,481 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag

To LostInSpace2012 - WTH are you talking about? Fixing a PC or ranting and giving obvious information?

 

AGAIN, problem is SOLVED by a Reinstall! (Read the Etiquette/Rules about bumping post counts. :whistle: )


Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!






