Status
Not open for further replies.

Beeping Noise, Tech Support Scam, 100% Disk Usage

#1 · (Edited by Moderator)
Last week I downloaded phony software and had pop-ups galore, along with one that couldn't be closed and had no icon in the task bar that told me I needed to "Call Microsoft Support Immediately". I uninstalled all programs installed that day, but whenever I opened the internet it would redirect me to some weird search site and any other website I typed in would be redirected to this "live tech support" page, then the internet would close after a few seconds.

I ended up calling the number on that pop up that wouldn't go away because I was clueless and freaking out. I don't remember the number but they had me give them remote access and "evaluated" my computer, telling me this and that about how other IP addresses were in my network and I had a Koobface worm, blah blah blah. I believed them because I am very gullible. He told me I will need a "level 3 tech" and gave me "two options" of places that can fix this issue. One was more expensive (I know it was phony now) and I would have to take my computer states away to get it fixed, so I picked what seemed to be the more reasonable option.

They "transferred my case" to Right Help Desk at 1-855-936-7543 and said it would cost $169.99. At this point I still believed them. When I got to Right Help Desk they told me it would be another hundred something for the 1 year coverage and I told them that I didn't have anything more on my credit card so they "gave it to me for free". So after he took remote control of both of the laptops in my house and "fixed them", I thanked him and got off the phone. My computer was seemingly working fine at first.

Later that day, my pointer jumped to the edge of the screen randomly once or twice as if someone was taking control of the mouse. That same night at 3 am I walked away to get something to eat, and when I got back, the screen had gone black and when I woke it up the mouse didn't move at first. When it did move, it started moving by itself, jumping in one direction across the screen, then I moved it in the other direction and it started jumping in that direction by itself. I then put on my headphones and heard this. It scared me and I went to sleep.

So the next day, I was monitoring my computer intensively. Whenever I walked away from my computer I would get back and the disk usage would be at 100%. When I got back it would go right back down, as if someone knew I was watching. I called Right Help Desk and they said they would get back to me within two hours. I kept monitoring and literally every time I walked away the usage would go up. I put duct tape over the web cam and watched it rise from 10 to 100% in a few seconds. I started trying to end random processes that were taking up the most usage. This is when Right Help called me back. And guess what, as soon as he called the usage went right back down. He took remote control of the computer and opened some windows and insisted nothing was wrong and to call back if I had any more issues. I called back two minutes later because I had the same problem and a different person answered and did the same thing.

I then proceeded to report this to the FTC.

Now I downloaded Avira AntiVirus, ZoneAlarm FireWall, Bitdefender free trial, and SUPERAntiSpyware. After running these the disk usage doesn't seem to be an issue.

I have been scanning once or twice a day with multiple programs for a week and don't find threats, but I still hear the beeping several times a day. Usually whenever it happens Avira and/or Bitdefender find about 10-20 threats and I remove them, but sometimes nothing is detected and I'm afraid that this means something is breaching my security!

Please Help! Sorry for the long explanation, I just wanted to give as much info on my situation as possible! Thanks!
 
#3 ·
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 8.1, 64 bit
Processor: Intel(R) Core(TM) i3-2370M CPU @ 2.40GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 4
RAM: 3979 Mb
Graphics Card: Intel(R) HD Graphics 3000, 1797 Mb
Hard Drives: C: Total - 454969 MB, Free - 373743 MB;
Motherboard: ASUSTeK COMPUTER INC., X55CR
Antivirus: Avira Antivirus, Updated and Enabled
 
#4 ·
petermertin,
Let's find out what's on there.
Please don't install or remove anything on your own, or run any extra scans unless I ask, until we are through cleaning.
We will get rid of the extra antivirus first. Having more than one can corrupt the system.
Just take each instruction, one at a time. You can do it.
------------------------------------------------
Remove A Program Using Control Panel
Point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.
Enter "control panel" in the search box, and then click Control Panel.
Under View by, select Large Icons, and then click Programs and features.
Click this icon Entry, if it exists, choose Uninstall, and give permission to Continue:
BitDefender
Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-------------------------------------------------------------
AdwCleaner Download and Run
Download AdwCleaner and save it to your desktop or somewhere you can find it.
Take care NOT to click on any ad, like from PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
NOTE:
If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and double click the AdwCleaner icon on your desktop.
  • Click on the Scan button, accept any prompts that appear, and allow it to run.
    It may take several minutes to complete.
  • When it is done, the Scan button will be dimmed down, and it will wait for you to make any exceptions to its suggested removals. Don't make any exceptions or uncheck anything.
  • Click on the Cleaning button, accept any prompts that appear, and allow the system to Reboot.
  • You will then be presented with the report. Copy & Paste it into a reply here.
  • If you lose track of the log, it is saved in this folder C:\AdwCleaner\
    The filename will be adwcleaner[xx].txt, where [xx] will be S1, or S2, etc. whichever filename is newest.
-----------------------------------------------------------
Download and Run the Farbar Scan Tool
  • Download FRST64 and save to your Desktop.
  • Double click Frst64.exe to launch it.
  • FRST64 will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.
If you lose track of them, they will be saved in the same location as FRST64.exe
Feel free to use separate replies if it's more convenient.
-----------------------------------------------------------

So we will be looking for the report from AdwCleaner, and the two logs from FRST64.
If you have a problem doing anything I ask, just stop and tell me in a reply.
askey127
 
#6 · (Edited)
peter,
If you don't need RealNetworks, let me know.
I have not removed its moving parts yet. It's an ad generator and security risk.
------------------------------------------------
Remove Programs Using Control Panel
Point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.
Enter "control panel" in the search box, and then click Control Panel.
Under View by, select Large Icons, and then click Programs and features.
Click each icon Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:

Adobe Reader X MUI
Google Update Helper
Wondershare Filmora

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine

--------------------------------------------------------
Run A Fix With FRST
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
(Both on the Desktop is OK, or both in the same folder elsewhere)

Run FRST64 and press the FIX button just once, and wait. DO NOT PRESS THE SCAN BUTTON.
If for some reason the tool needs a restart, please make sure you let the system restart normally.
The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

Please post the log text in the reply, if you can. It's more difficult for me if you attach.
Let me know about RealNetworks.

askey127
 


#11 ·
Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Peter (2016-01-28 16:03:47) Run:1
Running from C:\Users\Peter\Downloads
Loaded Profiles: Peter (Available Profiles: Drew & Peter)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {4AFD1E9D-5351-43D3-990C-8716FB715B14} - \SecurityApps2 -> No File <==== ATTENTION
Task: {72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE} - \Cassiopesa tiro -> No File <==== ATTENTION
Task: {8768FE64-1B60-4296-BB6B-A15C19319CE1} - System32\Tasks\System Update => C:\Users\Drew\AppData\Roaming\Updater\winupd.exe <==== ATTENTION
Task: {A666CB0D-B341-4BA4-AD80-4715E02E5B40} - \EbonmediaUpdater -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\Peter\Downloads\HitmanPro.exe:BDU
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
HKLM-x32\...\Run: [sun3] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk [2016-01-19]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1616661146-3959517231-329336679-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S4 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.3.10\WsAppService.exe [379392 2015-11-05] (Wondershare) [File not signed]
C:\Program Files (x86)\Wondershare
S3 WsAudioDevice_383; C:\Windows\system32\drivers\VirtualAudio.sys [31080 2015-07-30] (Wondershare)
C:\Windows\system32\drivers\VirtualAudio.sys
2016-01-25 01:58 - 2016-01-25 01:58 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-01-22 16:27 - 2016-01-22 16:27 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-01-27 00:32 - 2015-07-12 00:18 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-01-22 05:23 - 2015-09-01 00:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2016-01-20 23:58 - 2014-04-10 01:05 - 00000000 ____D C:\ProgramData\Package Cache
2016-01-19 20:52 - 2012-08-22 00:06 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2016-01-18 02:23 - 2015-09-01 00:25 - 00000000 ____D C:\Program Files (x86)\Wondershare
EmptyTemp:
Cmd: ipconfig /flushdns

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4AFD1E9D-5351-43D3-990C-8716FB715B14}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4AFD1E9D-5351-43D3-990C-8716FB715B14}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SecurityApps2 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72E151F6-4F4D-49B1-BA5A-2B004E3AD5CE}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Cassiopesa tiro => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
C:\WINDOWS\System32\Tasks\System Update => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Update" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A666CB0D-B341-4BA4-AD80-4715E02E5B40}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A666CB0D-B341-4BA4-AD80-4715E02E5B40}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EbonmediaUpdater => key not found.
C:\Users\Peter\Downloads\HitmanPro.exe => ":BDU" ADS removed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Wondershare Helper Compact.exe => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\sun3 => value removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{9CB96984-43C3-4D44-90EF-01466EFCF7BB} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-1616661146-3959517231-329336679-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
WsAppService => service removed successfully
C:\Program Files (x86)\Wondershare => moved successfully
WsAudioDevice_383 => service removed successfully
C:\Windows\system32\drivers\VirtualAudio.sys => moved successfully
C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware => moved successfully
C:\ProgramData\ntuser.pol => moved successfully
C:\ProgramData\boost_interprocess => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare" => not found.
C:\ProgramData\Package Cache => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk" => not found.
"C:\Program Files (x86)\Wondershare" => not found.

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => 1001.7 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 16:05:21 ====
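
Added example, not part of the original thread and not FRST's own code: a small parser that tallies a Fixlog like the one above by persistence type (scheduled task, Run value, service, file) and by outcome, so a helper can see which entries were actually removed and which were already absent. The function names are hypothetical, and the only outcome wordings it recognises are the ones visible in this Fixlog; anything else is marked for manual review.

```python
import re
from collections import Counter
# Sample input: a shortened selection of lines copied from the Fixlog above.
SAMPLE_FIXLOG = r'''*****************
HKLM-x32\...\Run: [sun3] => [X]
*****************
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8768FE64-1B60-4296-BB6B-A15C19319CE1}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SecurityApps2 => key not found.
C:\WINDOWS\System32\Tasks\System Update => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\sun3 => value removed successfully
WsAppService => service removed successfully
"C:\Program Files (x86)\Wondershare" => not found.
EmptyTemp: => 1001.7 MB temporary data Removed.
'''

RESULT = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')

def classify_outcome(outcome):
    o = outcome.lower()
    if o.endswith(('removed successfully', 'moved successfully')):
        return 'done'
    # 'absent': item was already gone; 'review': wording not recognised here
    return 'absent' if o.endswith('not found') else 'review'

def classify_target(target, outcome):
    t = target.lower()
    if outcome.lower().startswith('service '):
        return 'service'
    if '\\schedule\\taskcache\\' in t or '\\system32\\tasks\\' in t:
        return 'scheduled task'
    if '\\currentversion\\run\\' in t:
        return 'run value'
    if t.startswith(('hklm\\', 'hku\\', 'hkcr\\', 'hkcu\\')):
        return 'registry'
    return 'file' if re.match(r'[a-z]:\\', t) else 'other'

def parse_fixlog(text):
    entries, stars = [], 0
    for line in (l.strip() for l in text.splitlines()):
        if line and set(line) == {'*'}:
            stars += 1           # asterisk rows open and close the fixlist echo
            continue
        m = RESULT.match(line)
        if stars == 1 or not m or m['target'].endswith(':'):
            continue             # skip the echoed fixlist and "EmptyTemp:"-style lines
        entries.append((classify_target(m['target'], m['outcome']),
                        classify_outcome(m['outcome']), m['target']))
    return entries               # list of (kind, status, target)

def summarize(text):
    return Counter((kind, status) for kind, status, _ in parse_fixlog(text))
```

Skipping the section between the two asterisk rows matters because the echoed fixlist also contains `=>` lines that describe what was found, not what was done.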
 