Having a hard time tracking this virus fix.

computertechguy (Active Member, New Jersey)
"Microsoft" was nice enough to call a home client and help her fix her two computers. They placed some kind of bug that opens a bunch of DOS windows and basically says "if you see this error, call our 800 number", and then it triggers Windows to shut down each time.

I ran a Kaspersky full scan on the safe mode desktop and it found nothing; not sure what other antivirus tools can help me get started.

Need suggestions, thank you.
 
If someone remotes in to a computer like this there is no 100% way to know what they did or to be sure you "fixed" it. I nuke & pave any computer that has been remoted into unless proven to be reputable (or there is a restore point set as above).
Same here.
Pray for a good restore point if the scammers did not delete them.
 
I don't nuke and pave these computers; the odds are very low that they are going to do something super clever that I didn't think of. Technically speaking I could delete all the restore points, create a bunch of restore points and manipulate the dates displayed for the restore points so that you think you are restoring to before the incident but in reality you didn't... of course that would be easy to see after the restore if you check things, but it's just an example.

Edit: To clarify, I'm not suggesting manually checking things is a better idea than trying a recent restore point.
 
I don't nuke and pave these computers, the odds are very low that they are going to do something super clever that I didn't think of.
I know this might not go well with some members. There are 2 reasons I generally nuke these.

1- To be sure it is 100% clean.
2- This is the controversial reason. It reinforces to home users not to fall for/let others into the computer, no matter who they say they are, so they do not have to go through this again. And re-stress the importance of image backups at least monthly.

I always let the client choose their level of security risk after something like this happens. Also, encourage them to change all passwords to all accounts from the clean computer.
 
If we've ever seen the computer before then it's definitely on
I have seen it get turned off after a feature update before, especially with smaller SSDs.
I make sure it is on as well.

I also base things on how long the scammer was connected before the user figured out it was a scam.
I do not see previous clients with the issue because that is the first thing I warn clients about.
It does bring me new clients, though. ;) I win them over no matter how I address the situation.
 
I don't trust restore points so...

PCHunter

LastActivityView

Check here and delete anything suspicious: (Hidden Folder) C:\ProgramData

and also C:\Users\"name"\Appdata\Roaming

Run Bleachbit (Portable) to empty any "temp" folders

Full scan with a reputable Antimalware

(make a donation if you find the programs useful)
 
www.freefixer.com

About 3/4 of the legit tasks in Task Scheduler will be whitelisted, but the remnants are easy to view and just as easy to delete from the results of a FreeFixer scan...

Additionally, listening TCP ports, browser helper objects, browser toolbars, registry startups, all processes, services, Explorer Modules, software drivers for applications, Chrome extensions, and recently created files list are shown/listed (many are whitelisted but shown) and easy to peruse or delete (at your discretion, of course)...

At least if the system is still bootable you can extract what files are needed (desired photos/docs, etc) in the event a nuke and pave is required later...
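An added triage script covering the artefact classes the post above lists (scheduled tasks, registry startups, listening TCP ports, recently written files under C:\ProgramData and AppData\Roaming). It is not the poster's script or FreeFixer's code; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 and a hypothetical seven-day lookback, and it only reports, leaving the delete decision to the technician.

```powershell
# Added triage script (not from the thread's posters or FreeFixer). Read-only: it lists the
# same artefact classes the post walks through so they can be reviewed before choosing a
# restore point or a nuke-and-pave. Assumes elevated PowerShell 5.1+ on Windows 10/11.
$Since = (Get-Date).AddDays(-7)   # assumed lookback; set to when the scammer connected

# 1. Scheduled tasks outside the \Microsoft\ tree, with the command each one runs
Write-Host "== Non-Microsoft scheduled tasks =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; State = $_.State; Action = $act }
    } | Format-Table -AutoSize

# 2. Registry autostart (Run / RunOnce) entries for the machine and the current user
Write-Host "== Registry Run/RunOnce entries =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PSPath/PSParentPath noise
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize

# 3. Listening TCP ports mapped to the owning process (leftover remote-support tools show up here)
Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess
                       Process = $p.ProcessName; Path = $p.Path }
} | Sort-Object Port -Unique | Format-Table -AutoSize

# 4. Files written inside the lookback window under the two folders the post names
Write-Host "== Files modified since $Since in C:\ProgramData and $env:APPDATA =="
Get-ChildItem -Path 'C:\ProgramData', $env:APPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName | Format-Table -AutoSize
```

Run it before and after any restore point so the two listings can be compared; anything that survives the restore is worth a closer look.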
 
N&P is the only treatment I'll give these units. There's no other way to be certain you got everything, and you're talking about a device that will be used for protected information. Not paving these units is becoming complicit in that user's future ID theft.
 