Cleaned up a scammed computer and a weird command prompt window showed up

Velvis

Well-Known Member
Reaction score
47
Location
Medfield, MA
A person reached out last week after they called the "Microsoft" number on a scam pop-up. The scammers locked their computer and eventually asked for payment with a gift card, at which point they called me.
I was able to disable the PC lock, remove it and the remote access software they installed, and remove all the PUPs. I scanned it clean for malware and updated everything. Today they woke up to the computer with a command prompt open (screenshot attached) that reads:

[SC] OpenSCManager FAILED 5:
Access is denied.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
No Instance(s) Available.

Has anyone run into something like this before?
 

Attachments

  • Screenshot 2025-06-02 100831.png (295 KB)
I have not seen this, but it's almost certainly a remnant of something the nefarious actors put in place.

I never, ever trust any sort of malware remover program anymore because of things just like this. For a machine as thoroughly compromised as that one was, it's nuke and pave only. I have seen "little surprises" like this too many times, and they disturb the client and have a tarnishing effect on your reputation. They just don't happen if you nuke and pave.

I will use Fabs AutoBackup to snag the user data and settings, and I have yet to see these compromised, then put them back on and let Windows Defender check things out afterward. If they happen to be a M365 subscriber who has virtually all their data in the cloud, things are even faster, as there's very little to Fabs off compared to when everything is local.
 
Some remnants; look in Scheduled Tasks (taskschd.msc) and/or with Sysinternals' Autoruns.
 
@Philippe

Worth doing for curiosity and self-education, that's for certain, but in the end, I still would not trust that Windows instance ever again.

@YeOldeStonecat pretty much expressed many of the reasons why. I hate having to revisit anything that I can avoid revisiting, and particularly when the reason I'd likely be doing so is a frightened and/or confused and/or angry client.
 
Remove the command from startup, either with MSCONFIG or with Autoruns, to remove any reference to the command prompt program called BO.

Autoruns is a great tool


Also find the path of the CMD called BO and remove it.
 
I agree on nuke and pave if the user actually allowed the scammer to connect. There are so many things that could have been done and, at the end of the day, I'm not a hard-core forensics tech. N&P is the quickest and most reliable way to get them back running. Of course, scan the backup on another computer before restore.
 
I never, ever trust any sort of malware remover program anymore because of things just like this. For a machine as thoroughly compromised as that one was, it's nuke and pave only.
This ^^
Once the device has been compromised you can never trust it again, so nuke and pave is the only option.
Also, if the client was dumb enough to store passwords in their browser or - anywhere else on the computer - make sure they change them!

Don't forget the most important part of this experience...educating the client.
 
Also, if the client was dumb enough to store passwords in their browser or - anywhere else on the computer - make sure they change them!

I can only agree if the passwords were stored in the browser password manager, as that can potentially be tapped behind the scenes, and even that's not likely. But for password managers, unless there's some way that the master password for it was obtained, those are safe. This is but one of the many reasons I encourage the use of a "real" password manager.

Of course, if you happen to have had your password manager open, that's a different kettle of fish.
 
Of course scan the backup on another computer before restore.

Not that this isn't excellent advice, because it is, but I have to say that I don't follow it in most instances simply because I have not encountered user data files that were infected by the sort of scam described, plus a number of others, for years. Even if they were, when the first scan gets run by the antivirus it should flag and quarantine anything infected.

It's really a matter of how much risk you are willing to accept. Given that I've never had any scan of user data extracted prior to a nuke and pave have any infection of any kind, I'm willing to assume it's far more likely that this is the general case.

Very little worms (no pun intended) onto systems these days. The user opens the door and invites it in (as happened here).
 
So, I ended up nuking and paving, but beforehand I looked for the .bat file it was autorunning, and I have attached a picture of it. Not sure what it was trying to do, but something to do with remote access apps.
PXL_20250602_192948667.RAW-01.MP.COVER (Medium).jpg
 
@Metanis was correct, as I thought as well: it was trying to find & enable screenconnect.clientservice.
In this case it looks like the .bat script ran as a Scheduled Task on boot and errored as it could not find the service.

Check msconfig, Task Manager and Task Scheduler for any references.
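For anyone triaging a similar box before deciding on nuke and pave, here is an added PowerShell example (my own, not code from any poster in this thread) that does a read-only sweep of the four places the replies above point at: Task Scheduler, the Run/RunOnce keys that msconfig and Task Manager's Startup tab read, the Startup folders, and the service list. It flags entries that launch a script or interpreter, or that reference a remote-access product. The names bo.bat and screenconnect.clientservice come from the thread; the other tool names are a starting list of common remote-support products and are an assumption, not a claim about this particular machine. For context on the screenshot in the first post: sc.exe reports "OpenSCManager FAILED 5: Access is denied" when it is run without an elevated token, "OpenService FAILED 1060" when the named service is not installed, and "No Instance(s) Available." is what wmic prints when a query matches nothing, so the batch file ran as a non-elevated task and found no ScreenConnect service left to enable.

```powershell
# Added triage example for this thread, not code from any of the posters.
# Read-only: nothing here changes the machine. Run from an elevated prompt so
# that Get-ScheduledTask and the service query can see system-level entries.
#
# Assumptions: bo.bat and screenconnect.clientservice are from the thread; the
# other tool names are common remote-support products, adjust as needed.

$scriptPattern = '\.(bat|cmd|vbs|js|ps1)(\s|"|$)|cmd\.exe|wscript|cscript|powershell'
$remoteTools   = 'screenconnect|connectwise|anydesk|teamviewer|ultraviewer|supremo|rustdesk|logmein'

function Test-Suspicious([string]$Text) {
    return ($Text -match $scriptPattern) -or ($Text -match $remoteTools)
}

function Get-SuspiciousScheduledTask {
    # Tasks whose action runs an interpreter or a script file. RunLevel is
    # reported because a 'Limited' task that calls sc.exe produces exactly the
    # "OpenSCManager FAILED 5: Access is denied" line from the first post.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmdLine = ("$($action.Execute) $($action.Arguments)").Trim()
            if (Test-Suspicious $cmdLine) {
                $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmdLine
                    Detail  = "RunLevel=$($task.Principal.RunLevel); Triggers=$triggers"
                }
            }
        }
    }
}

function Get-SuspiciousRunEntry {
    # The registry values msconfig and Task Manager's Startup tab are built from.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }   # registry provider metadata, not values
            if (Test-Suspicious "$($prop.Value)") {
                [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Command = "$($prop.Value)"; Detail = 'Trigger=Logon' }
            }
        }
    }
}

function Get-SuspiciousStartupItem {
    # Files dropped into the per-user or all-users Startup folder.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($file in (Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue)) {
            if (Test-Suspicious $file.Name) {
                [pscustomobject]@{ Source = 'StartupFolder'; Name = $file.FullName; Command = $file.FullName; Detail = 'Trigger=Logon' }
            }
        }
    }
}

function Get-RemoteAccessService {
    # Installed services tied to a remote-access product. An empty result for
    # ScreenConnect is what the "OpenService FAILED 1060" lines in the first
    # post mean: the client service had already been removed.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ("$($svc.Name) $($svc.DisplayName) $($svc.PathName)" -match $remoteTools) {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName; Detail = "StartMode=$($svc.StartMode); State=$($svc.State)" }
        }
    }
}

$findings = @(Get-SuspiciousScheduledTask) + @(Get-SuspiciousRunEntry) +
            @(Get-SuspiciousStartupItem) + @(Get-RemoteAccessService)

if ($findings.Count -eq 0) {
    Write-Output 'No script-launching startup entries or remote-access services found.'
} else {
    $findings | Format-List
}
```

This only covers the locations named in the thread; Autoruns (mentioned above) also walks WMI event subscriptions, Winlogon entries, browser helpers and the rest, which is why it is the better tool for deciding what else was left behind. Treat anything this lists as evidence to record before the reinstall, not as a cleanup list: the consensus in this thread that a box the scammer had hands on gets nuked and paved still stands.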
 
We had one of these last week. We found a reference to bo.bat like above, although we didn't examine the file - N&P for sure, once you reach that level of access, there just isn't any way to be sure you got it all otherwise. We see scammer-access frequently with residential clients, and almost always it's just scareware with no real damage. Not in this case, though.
 
We see scammer-access frequently with residential clients, and almost always it's just scareware with no real damage.

Just curious whether you've ever seen anything malicious "implanted" in the user data that gets picked up when scanned? No matter how messy things have gotten, I have not encountered such in the wild for years.

They may dig deep into the bowels of Windows, but a N&P takes care of that. Even the new Windows 11 automatic backup feature doesn't seem to bring infections back. Focus of the nefarious actors these days seems to be implanting spyware that reports back to "the mothership" on an ongoing basis, but not much else. (And I hasten to add that this is probably the worst thing that could be implanted, I'm talking about scope, though.)
 
Not that this isn't excellent advice, because it is, but I have to say that I don't follow it in most instances simply because I have not encountered user data files that were infected by the sort of scam described, plus a number of others, for years. Even if they were, when the first scan gets run by the antivirus it should flag and quarantine anything infected.

It's really a matter of how much risk you are willing to accept. Given that I've never had any scan of user data extracted prior to a nuke and pave have any infection of any kind, I'm willing to assume it's far more likely that this is the general case.

Very little worms (no pun intended) onto systems these days. The user opens the door and invites it in (as happened here).
To be honest I do that because of the handful of real breaches I've been involved in, as in the EU lost real money, the bank/insurance company/credit card company/etc. all asked for proof that the machine was scanned. So I'll do it before, I'll do it on the data backup, and I'll do it on the "restored" machine. As mentioned, there are so many ways things could be compromised, from PDFs to website links if the scammer was so inclined, it's the least I can do. And their underwriters know about those things as well. Absence of proof is not proof of absence.
 
Absence of proof is not proof of absence.

Precisely. I'm not criticizing what you do, I'm simply saying I don't choose to do it twice. I'll either do it prior to restoring user data, or after restoring user data, because:

1. I've never had infected user data (or at least any scanner finding it, if it is).
2. What you say is true, and any given scanner might miss something. Absence of proof is always a possibility.

We just have different ideas of what constitutes "due diligence," and in situations like the ones you describe, that should be much higher than your run-of-the-mill remote access scam. What was described here was, to me, the latter, and requires one scan, whether pre or post restoration.
 