Here's a certified FRESH one!

[thecomputerguy]

Client gets your usual fake Norton receipt in her personal email on a COMPANY Laptop that comes with a support number if you want to "CANCEL", client proceeds to call the number (which was actually a local number ). The email has all the typical signs that clients ignore like a free Gmail account as the sender, BILLING INQUIRY for the subject, mis-spellings everywhere, terrible logo, URGENT TO CALL IMMEDIATELY.

Client proceeds to allow them remote control of the COMPANY computer, she gets nervous and hangs up the phone, upon turning the computer back on as soon as the computer connects to the internet you get this.

Obviously this is a fake message so I told her to bring it in thinking it was just a chrome pop-up or something. Oh no, this one is different ... you can't even CTRL+ALT+DEL around it ... can't even bring the task manager up.

I think I'm going to start by disabling the WiFi at my office so I can at least get into the thing and go from there.

 

[300DDR]

Yikes!

 

[300DDR]

It can't hurt to remove the drive and clone first in a case like this. Then you can freely experiment with deleting whatever is causing this.

 

[timeshifter]

Client gets your usual fake Norton receipt in her personal email on a COMPANY Laptop that comes with a support number if you want to "CANCEL", client proceeds to call the number (which was actually a local number ). The email has all the typical signs that clients ignore like a free Gmail account as the sender, BILLING INQUIRY for the subject, mis-spellings everywhere, terrible logo, URGENT TO CALL IMMEDIATELY.

Client proceeds to allow them remote control of the COMPANY computer, she gets nervous and hangs up the phone, upon turning the computer back on as soon as the computer connects to the internet you get this.

Are people really that stupid? Or are they otherwise intelligent but ignorant about how Internet things work?

 

[thecomputerguy]

Can confirm that turning off my WiFi allows the laptop to bootup properly ... now ... how to move forward ... hmmm

 

[300DDR]

Are people really that stupid? Or are they otherwise intelligent but ignorant about how Internet things work?

I assume these are mainly old people and not computer savvy. Any of us would see that email and immediately know it's BS.

 

[300DDR]

Can confirm that turning off my WiFi allows the laptop to bootup properly ... now ... how to move forward ... hmmm

Interesting. Perhaps they changed DNS settings?

 

[thecomputerguy]

Interesting. Perhaps they changed DNS settings?

DNS/Hosts looks fine ... it doesn't feel like a pop-up ... it feels like a program starting up in the background when it's connected to the internet.

 

[thecomputerguy]

Are people really that stupid? Or are they otherwise intelligent but ignorant about how Internet things work?

Yes they are that stupid and this person is in their early 40's.

Her brain apparently just shuts down sometimes.

 

[thecomputerguy]

Interesting. Perhaps they changed DNS settings?

I stand corrected ... it looks like this could be a DNS issue ... starting 6 minutes before she called me I see some very strange entries into the Application log that don't appear anywhere else in the life of the system. Starting with the installation of ScreenConnect.exe about a minute before all of these started popping up.

All of the information entries in the log just show id159 connected or id159 disconnected the errors show some nasty looking something

 

[nlinecomputers]

Don’t bother . FABS THE DATA AND NUKE FROM ORBIT. This machine cannot be trusted.

 

[thecomputerguy]

I think I found it ... per this article here: https://answers.microsoft.com/en-us...e-screen/30154de1-afcc-4fe9-922c-daaff6380c5f

I stopped and disabled the service ... will attempt a reboot and connect to WiFi and see what happens.

Also after stopping the service I was able to rename the folder in use in the AppData folder

 

[300DDR]

FYI: https://docs.connectwise.com/Connec...ledge_base/Manually_uninstall_an_access_agent

 

[thecomputerguy]

FYI: https://docs.connectwise.com/Connec...ledge_base/Manually_uninstall_an_access_agent

Hmmm ... There is no entry in Add/Remove programs, just the folders in the AppData folder I tried where the ID used us the ID in the service that I've stopped and it says no instance could be found ... even after I reverted my re-naming of the AppData Folder and starting the service again.

wmic product where name="ScreenConnect Client (deae6487-4d9d-415e-b2a2-95d099d1ba2f)" call uninstall /nointeractive

I think I'm at the point where I either just disable the service and delete the folders and call it good, or N&P it and set it back up again from scratch which I personally don't really want to do.

 

[nlinecomputers]

I think I'm at the point where I either just disable the service and delete the folders and call it good, or N&P it and set it back up again from scratch which I personally don't really want to do.

I'm sorry but that IMO is gross malpractice. YOU CAN NOT KNOW OR TRUST WHAT WAS DONE TO THIS MACHINE. Screenconnect shouldn't lock the system down. So it is unlikely to be the real screenconnect service. So god knows what else is on here.

 

[300DDR]

Perhaps it was auto-connecting to screenconnect (or the person on the other end would automatically start it as soon as it connected to the internet). I think SC has option to black-out the display and likely can have a custom black-out screen (hence the fake blue screen message). But, ya... I'd backup, fresh OS install, then migrate back to be safe.

 

[thecomputerguy]

I'm sorry but that IMO is gross malpractice. YOU CAN NOT KNOW OR TRUST WHAT WAS DONE TO THIS MACHINE. Screenconnect shouldn't lock the system down. So it is unlikely to be the real screenconnect service. So god knows what else is on here.

The article states that the splash screen showing that the computer is being updated is overlaid to prevent the user from seeing anything happening in the background. I see where you are coming from but 20 years into this career and we used to fix things, we didn't automatically resort to N&P or replacement at the first sign of trouble, so I figured I'd give it a shot. I'm not saying I won't go that direction in the end considering I'm still troubleshooting.

 

[timeshifter]

I see where you’re coming from. It’s interesting to figure what has been done and undo it. Satisfying. But at the end of the day I’m going to still nuke it to be 100% sure to protect myself and my client.

 

[britechguy]

I assume these are mainly old people and not computer savvy. Any of us would see that email and immediately know it's BS.

Which is correct to an extent, but look at the description of the situation, I wouldn't suspect that most people having company-issued laptops are "mainly old people."

This was just stupidity, pure and simple, of the worst kind. It's not like one red flag was ignored, but multiples, and then, after plowing through those allowing remote control.

Who are *those* people?

 

[thecomputerguy]

Which is correct to an extent, but look at the description of the situation, I wouldn't suspect that most people having company-issued laptops are "mainly old people."

This was just stupidity, pure and simple, of the worst kind. It's not like one red flag was ignored, but multiples, and then, after plowing through those allowing remote control.

Who are *those* people?

"Those" People are my clients.

I had an onsite job yesterday, turns out, I went out there to replace batteries in a keyboard for $200. The client claimed they had already replaced them. I show up, take the batteries out, rotate them and put the same batteries in just opposite of what they were before. Keyboard works fine.

I tell the client well you were expecting a new mouse and keyboard anyways, so you just want me to replace it anyways? They agreed so that total bill was $250, $50 of which was what the keyboard and mouse cost me and I walked with $200 for about 7 minutes of work.

"Those" people are out there, they are my clients, and somehow, they have all the money.