
In Progress Beeping Noise, Tech Support Scam, 100% Disk Usage

Discussion in 'Virus & Other Malware Removal' started by petermartn, Jan 26, 2016.

Thread Status:
Not open for further replies.
  1. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Last week I downloaded phony software and had pop-ups galore, along with one that couldn't be closed and had no icon in the task bar that told me I needed to "Call Microsoft Support Immediately". I uninstalled all programs installed that day, but whenever I opened the internet it would redirect me to some weird search site and any other website I typed in would be redirected to this "live tech support" page, then the internet would close after a few seconds.

    I ended up calling the number on that pop up that wouldn't go away because I was clueless and freaking out. I don't remember the number but they had me give them remote access and "evaluated" my computer, telling me this and that about how other IP addresses were in my network and I had a Koobface worm, blah blah blah. I believed them because I am very gullible. He told me I will need a "level 3 tech" and gave me "two options" of places that can fix this issue. One was more expensive (I know it was phony now) and I would have to take my computer states away to get it fixed, so I picked what seemed to be the more reasonable option.

    They "transferred my case" to Right Help Desk at 1-855-936-7543 and said it would cost $169.99. At this point I still believed them. When I got to Right Help Desk they told me it would be another hundred something for the 1 year coverage and I told them that I didn't have anything more on my credit card so they "gave it to me for free". So after he took remote control of both of the laptops in my house and "fixed them", I thanked him and got off the phone. My computer was seemingly working fine at first.

    Later that day, my pointer jumped to the edge of the screen randomly once or twice as if someone was taking control of the mouse. This same night at 3 am I walked away to get something to eat and when I got back, the screen had gone black and when I woke it up the mouse didn't move at first. When it did move, it started moving by itself, jumping in one direction across the screen, then I moved it in the other direction and it started jumping in that direction by itself. I then put on my headphones and heard this. It scared me and I went to sleep.

    So the next day, I was monitoring my computer intensively. Whenever I walked away from my computer I would get back and the disk usage would be at 100%. When I got back it would go right back down, as if someone knew I was watching. I called Right Help Desk and they said they would get back to me within two hours. I kept monitoring and literally every time I walked away the usage would go up. I put duct tape over the web cam and watched it rise from 10 to 100% in a few seconds. I started trying to end random processes that were taking up the most usage. This is when Right Help called me back. And guess what, as soon as he called the usage went right back down. He took remote control of the computer and opened some windows and insisted nothing was wrong and to call back if I had any more issues. I called back two minutes later because I had the same problem and a different person answered and did the same thing.

    I then proceeded to report this to the FTC.

    Now I downloaded Avira AntiVirus, ZoneAlarm FireWall, Bitdefender free trial, and SUPERAntiSpyware. After running these the disk usage doesn't seem to be an issue.

    I have been scanning once or twice a day with multiple programs for a week and don't find threats, but I still hear the beeping several times a day. Usually whenever it happens Avira and/or Bitdefender find about 10-20 threats and I remove them, but sometimes nothing is detected and I'm afraid that this means something is breaching my security!

    Please Help! Sorry for the long explanation, I just wanted to give as much info on my situation as possible! Thanks!
     
    Last edited by a moderator: Jan 28, 2016
  2. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
  3. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 8.1, 64 bit
    Processor: Intel(R) Core(TM) i3-2370M CPU @ 2.40GHz, Intel64 Family 6 Model 42 Stepping 7
    Processor Count: 4
    RAM: 3979 Mb
    Graphics Card: Intel(R) HD Graphics 3000, 1797 Mb
    Hard Drives: C: Total - 454969 MB, Free - 373743 MB;
    Motherboard: ASUSTeK COMPUTER INC., X55CR
    Antivirus: Avira Antivirus, Updated and Enabled
     
  4. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
    petermartn,
    Let's find out what's on there.
    Please don't install or remove anything on your own, or run any extra scans unless I ask, until we are through cleaning.
    We will get rid of the extra antivirus first. Having more than one can corrupt the system.
    Just take each instruction, one at a time. You can do it.
    ------------------------------------------------
    Remove A Program Using Control Panel
    Point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.
    Enter "control panel" in the search box, and then click Control Panel.
    Under View by, select Large Icons, and then click Programs and features.
    Click this icon Entry, if it exists, choose Uninstall, and give permission to Continue:
    BitDefender
    Take extra care in answering questions posed by any Uninstaller.
    -----------------------------------------------------------
    REBOOT (RESTART) Your Machine
    -------------------------------------------------------------
    AdwCleaner Download and Run
    Download AdwCleaner and save it to your desktop or somewhere you can find it.
    Take care NOT to click on any ad, like from PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
    NOTE:
    If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and double click the AdwCleaner icon on your desktop.
    • Click on the Scan button, accept any prompts that appear, and allow it to run.
      It may take several minutes to complete.
    • When it is done, the Scan button will be dimmed down, and it will wait for you to make any exceptions to its suggested removals. Don't make any exceptions or uncheck anything.
    • Click on the Cleaning button, accept any prompts that appear, and allow the system to Reboot.
    • You will then be presented with the report. Copy & Paste it into a reply here.
    • If you lose track of the log, it is saved in this folder C:\AdwCleaner\
      The filename will be adwcleaner[xx].txt, where [xx] will be S1, or S2, etc. whichever filename is newest.
    -----------------------------------------------------------
    Download and Run the Farbar Scan Tool
    • Download FRST64 and save to your Desktop.
    • Double click Frst64.exe to launch it.
    • FRST64 will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press the Scan button.
      • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt
      • Please post them in your next reply.
    If you lose track of them, they will be saved in the same location as FRST64.exe
    Feel free to use separate replies if it's more convenient.
    -----------------------------------------------------------

    So we will be looking for the report from AdwCleaner, and the two logs from FRST64.
    If you have a problem doing anything I ask, just stop and tell me in a reply.
    askey127
     
  5. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Thank you for helping me. Here are the reports.
     

    Attached Files:

  6. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
    peter,
    If you don't need RealNetworks, let me know.
    I have not removed its moving parts yet. It's an ad generator and security risk.
    ------------------------------------------------
    Remove Programs Using Control Panel
    Point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.
    Enter "control panel" in the search box, and then click Control Panel.
    Under View by, select Large Icons, and then click Programs and features.
    Click each icon Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:

    Adobe Reader X MUI
    Google Update Helper
    Wondershare Filmora

    Take extra care in answering questions posed by any Uninstaller.
    -----------------------------------------------------------
    REBOOT (RESTART) Your Machine

    --------------------------------------------------------
    Run A Fix With FRST
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
    (Both on the Desktop is OK, or both in the same folder elsewhere)

    Run FRST64 and press the FIX button just once, and wait. DO NOT PRESS THE SCAN BUTTON.
    If for some reason the tool needs a restart, please make sure you let the system restart normally.
    The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
    When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

    Please post the log text in the reply, if you can. It's more difficult for me if you attach.
    Let me know about RealNetworks.

    askey127
     

    Attached Files:

    Last edited: Jan 28, 2016
  7. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Okay. Google Update Helper is not in the programs list to uninstall. What should I do?
     
  8. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
    That's OK.
    Just skip that, and try to do the rest of the instructions.
    .
     
  9. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Okay I believe I uninstalled it. I searched for it and uninstalled GoogleUpdateHelper.msi
     
  10. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
    OK.
    That was actually the program installer.
    The program itself may still be there.
    We will get it later, if necessary.
     
  11. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
    Ran by Peter (2016-01-28 16:03:47) Run:1
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter (Available Profiles: Drew & Peter)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CreateRestorePoint:
    CloseProcesses:
    Task: {4AFD1E9D-5351-43D3-990C-8716FB715B14} - \SecurityApps2 -> No File <==== ATTENTION
    Task: {72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE} - \Cassiopesa tiro -> No File <==== ATTENTION
    Task: {8768FE64-1B60-4296-BB6B-A15C19319CE1} - System32\Tasks\System Update => C:\Users\Drew\AppData\Roaming\Updater\winupd.exe <==== ATTENTION
    Task: {A666CB0D-B341-4BA4-AD80-4715E02E5B40} - \EbonmediaUpdater -> No File <==== ATTENTION
    AlternateDataStreams: C:\Users\Peter\Downloads\HitmanPro.exe:BDU
    HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
    HKLM-x32\...\Run: [sun3] => [X]
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk [2016-01-19]
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1616661146-3959517231-329336679-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    S4 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.3.10\WsAppService.exe [379392 2015-11-05] (Wondershare) [File not signed]
    C:\Program Files (x86)\Wondershare
    S3 WsAudioDevice_383; C:\Windows\system32\drivers\VirtualAudio.sys [31080 2015-07-30] (Wondershare)
    C:\Windows\system32\drivers\VirtualAudio.sys
    2016-01-25 01:58 - 2016-01-25 01:58 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    2016-01-22 16:27 - 2016-01-22 16:27 - 00000258 __RSH C:\ProgramData\ntuser.pol
    2016-01-27 00:32 - 2015-07-12 00:18 - 00000000 ____D C:\ProgramData\boost_interprocess
    2016-01-22 05:23 - 2015-09-01 00:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
    2016-01-20 23:58 - 2014-04-10 01:05 - 00000000 ____D C:\ProgramData\Package Cache
    2016-01-19 20:52 - 2012-08-22 00:06 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    2016-01-18 02:23 - 2015-09-01 00:25 - 00000000 ____D C:\Program Files (x86)\Wondershare
    EmptyTemp:
    Cmd: ipconfig /flushdns

    *****************

    Restore point was successfully created.
    Processes closed successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4AFD1E9D-5351-43D3-990C-8716FB715B14}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4AFD1E9D-5351-43D3-990C-8716FB715B14}" => key removed successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SecurityApps2 => key not found.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE}" => key removed successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cassiopesa tiro => key not found.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
    C:\WINDOWS\System32\Tasks\System Update => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Update" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A666CB0D-B341-4BA4-AD80-4715E02E5B40}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A666CB0D-B341-4BA4-AD80-4715E02E5B40}" => key removed successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EbonmediaUpdater => key not found.
    C:\Users\Peter\Downloads\HitmanPro.exe => ":BDU" ADS removed successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Wondershare Helper Compact.exe => value removed successfully
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\sun3 => value removed successfully
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk => moved successfully
    "HKLM\SOFTWARE\Policies\Google" => key removed successfully
    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}" => key removed successfully
    HKCR\Wow6432Node\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
    HKU\S-1-5-21-1616661146-3959517231-329336679-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
    WsAppService => service removed successfully
    C:\Program Files (x86)\Wondershare => moved successfully
    WsAudioDevice_383 => service removed successfully
    C:\Windows\system32\drivers\VirtualAudio.sys => moved successfully
    C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware => moved successfully
    C:\ProgramData\ntuser.pol => moved successfully
    C:\ProgramData\boost_interprocess => moved successfully
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare" => not found.
    C:\ProgramData\Package Cache => moved successfully
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk" => not found.
    "C:\Program Files (x86)\Wondershare" => not found.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    EmptyTemp: => 1001.7 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 16:05:21 ====
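
Added example, not part of the original thread and not FRST's own code: a small Python check that reads a Fixlog like the one posted above, tallies the outcomes, and lists binaries named in the fixlist that no result line reports as moved, so they can be looked at on a later pass. The excerpt is copied from the log above (shortened); the function names are hypothetical.

```python
import re
from collections import Counter

# Excerpt of the Fixlog posted above (lines copied from the post, list shortened).
FIXLOG = r'''fixlist content:
*****************
Task: {8768FE64-1B60-4296-BB6B-A15C19319CE1} - System32\Tasks\System Update => C:\Users\Drew\AppData\Roaming\Updater\winupd.exe <==== ATTENTION
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
S4 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.3.10\WsAppService.exe [379392 2015-11-05] (Wondershare) [File not signed]
*****************
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EbonmediaUpdater => key not found.
C:\WINDOWS\System32\Tasks\System Update => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Wondershare Helper Compact.exe => value removed successfully
WsAppService => service removed successfully
C:\Program Files (x86)\Wondershare => moved successfully
"C:\Program Files (x86)\Wondershare" => not found.
'''

RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+)$')
BIN_RE = re.compile(r'[A-Za-z]:\\[^\[\]<>]*?\.(?:exe|sys|dll)\b', re.I)

def split_sections(log):
    """Return (fixlist_lines, result_lines), split on the asterisk rulers."""
    parts = re.split(r'^\*{5,}[ \t]*$', log, flags=re.M)
    return tuple([l.strip() for l in p.splitlines() if l.strip()] for p in parts[1:3])

def classify(outcome):
    """Map the text after '=>' to a coarse status."""
    o = outcome.lower()
    if 'not found' in o:
        return 'not_found'
    if 'removed' in o:   # must precede 'moved': "removed" contains "moved"
        return 'removed'
    if 'moved' in o:
        return 'moved'
    return 'other'

def parse_results(result_lines):
    """Return [(target, status)] for every 'target => outcome' line."""
    matches = (RESULT_RE.match(l) for l in result_lines)
    return [(m.group('target'), classify(m.group('outcome'))) for m in matches if m]

def summarize(log):
    return Counter(status for _, status in parse_results(split_sections(log)[1]))

def binaries_not_moved(log):
    """Binaries named in the fixlist that no 'moved' result covers (file or parent dir)."""
    fixlist, results = split_sections(log)
    moved = [t.lower() for t, s in parse_results(results) if s == 'moved']
    pending = []
    for line in fixlist:
        for path in BIN_RE.findall(line):
            p = path.lower()
            if not any(p == m or p.startswith(m + '\\') for m in moved):
                pending.append(path)
    return pending

if __name__ == '__main__':
    print(dict(summarize(FIXLOG)))
    print(binaries_not_moved(FIXLOG))
```

On this excerpt the check reports the scheduled task's target and the Run-key helper as still unaccounted for: the log shows their launch points removed, but no line shows either file being moved.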
     
  12. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    I am not sure what you are talking about, RealNetworks?
     
  13. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,720
    They must all be hidden from you.
    That tells me what I want to know.
    I will take care of them on the next pass.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,872
    petermartn,

    I've edited several instances of profanity out of your initial post. Please be careful with your language as this is a family friendly site.
     
  15. petermartn

    petermartn Thread Starter

    Joined:
    Jan 23, 2016
    Messages:
    8
    I'm very sorry about that.
     
Short URL to this thread: https://techguy.org/1164957
