
Windows 8.1 - Log in change password fails

Discussion in 'Virus & Other Malware Removal' started by bobr1940, Apr 10, 2015.

  1. bobr1940

    bobr1940 Thread Starter

    Joined:
    Apr 10, 2015
    Messages:
    13
    Fool that I am, I have been the victim of a Windows Support Scam.

    It is on a Toshiba laptop, running Windows 8.1.

    Following my session, I was able to change my Administrative account password. But I am unable to change my operating account (unprivileged) password. Each time I attempt to change it, it does not migrate to the "change password" dialog box (it just looks like it is trying to do that) then displays the message that the password may not have changed.

    Any help will be appreciated.

    TSG log:

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 8.1, 64 bit
    Processor: Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz, Intel64 Family 6 Model 60 Stepping 3
    Processor Count: 8
    RAM: 16305 Mb
    Graphics Card: Intel(R) HD Graphics 4600, -2016 Mb
    Hard Drives: C: Total - 943516 MB, Free - 719571 MB;
    Motherboard: Type2 - Board Vendor Name1, Type2 - Board Product Name1
    Antivirus: Norton Security Suite, Updated and Enabled
     
  2. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,355
    First Name:
    Wayne
  3. bobr1940

    bobr1940 Thread Starter

    The scam was that they were Microsoft Windows people.

    Yes, I did let them onto the computer remotely.

    How do I get a virus/malware investigation?

    Thank you very much.

    I have backed up my work files.
     
  4. etaf

    etaf Moderator

    A specialist (and only an approved specialist is allowed in this forum) will reply to this post - however, allow 48 hours as it's a very busy forum.
    No, they claimed to be; they have nothing to do with MS or any other company - they have been running this scam since 2008/9 to my knowledge, claiming to be Windows support, MS Support, BT, and other telecom companies. The latest I have received is Windows update monitor, and warned me that as I had not updated, I only had 4 weeks before Windows stopped working -
    They do not even know if you have a PC or not

    nasty people who make millions on this scam
    There's some more info on my site - under scams, if interested - www.homecomputingskills.co.uk
     
  5. bobr1940

    bobr1940 Thread Starter

    Agreed, it was only a claim. They were East Indian with heavy accents. I am usually very careful about this but succumbed to this ploy in an attempt to "get my computer back" quickly. So much for expediency!

    What's next?
     
  6. etaf

    etaf Moderator

  7. dbreeze

    dbreeze Malware Specialist

    Joined:
    Oct 5, 2014
    Messages:
    431
    First Name:
    David
    Hi bobr1940,

    Welcome to Tech Support Guy. My name is dbreeze and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
    • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
    • All of the assistants and staff at Tech Support Guy are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
    • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
    • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
    • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
    • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
    • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

      - Save ALL Tools to your Desktop-
      All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

      Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
      Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
      Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
      Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
      NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
    Let's get started....


    Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop.

    • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
    • If an update is available, the program will inform you and download the update. Allow it to do this please.
    • Once the tool shows "The tool is ready to use." message, please press the Scan button.
    • It will produce a log called FRST.txt in the same directory the tool is run from.
    • Please copy and paste the log back here.
    • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
     
  8. bobr1940

    bobr1940 Thread Starter

    I have uploaded the files you asked for.

    bobr
     


  9. dbreeze

    dbreeze Malware Specialist

    FIRST >>>>

    Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

    Web Bar 2.0.5435.23818

    To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

    Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


    SECOND >>>>

    Download the attached fixlist.txt file and save it to the Desktop.

    NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

    The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.



    Information to Reply with >>>>
    • How did the uninstall proceed?
    • The FRST Fixlog.txt log file text.
    • How is your system running now?
     


  10. bobr1940

    bobr1940 Thread Starter

    How did the uninstall proceed?
    It said that the program apparently had been uninstalled and asked whether I wanted to remove the file from the list.
    I clicked YES and the listing disappeared.

    The FRST Fixlog.txt log file text.


    How is your system running now?
    I was able to change my password.

    Thank you very much.

    bobr
     


  11. dbreeze

    dbreeze Malware Specialist

    Good: glad to hear that you have control again.

    Let's run a few more scans to see if anything is lurking in the background ....

    FIRST >>>>

    Junkware Removal Tool
    Please download JRT from here to your desktop.

    Note: Temporarily disable/shut down your protection software now to avoid potential conflicts; how to do so can be read here.

    Double click the JRT.exe file to run the application.

    The application will open a Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

    When it is asked, press any key to allow the program to continue / run.

    This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

    Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


    SECOND >>>>


    AdwCleaner by Xplode

    Download AdwCleaner from here or from here. Save the file to the desktop.


    NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

    Close all open windows and browsers.
    1. Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
      You will see the following console:
    2. Click the Scan button and wait for the scan to finish.
    3. After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
    4. Click the Clean button.
    5. Everything checked will be deleted.
    6. When the program has finished cleaning a report appears.
    7. Once done it will ask to reboot, allow this.
    8. On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
    Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.



    Information to Reply with >>>>
    • The JRT.txt log file text.
    • The AdwCleaner[S#].txt log file text.
     
  12. bobr1940

    bobr1940 Thread Starter

    JRT.txt attached.

    AdwCleaner[S0].txt log file text:
    # AdwCleaner v4.201 - Logfile created 14/04/2015 at 22:44:45
    # Updated 08/04/2015 by Xplode
    # Database : 2015-04-08.1 [Server]
    # Operating system : Windows 8.1 (x64)
    # Username : BobbyRas - RASS-LAPTOP
    # Running from : C:\Users\BobbyRas\Desktop\adwcleaner_4.201.exe
    # Option : Cleaning

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\NetEngine
    Folder Deleted : C:\ProgramData\pokki
    Folder Deleted : C:\Program Files (x86)\OfferBoulevard
    Folder Deleted : C:\Program Files (x86)\ShowMyPCService
    Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\speed browser
    Folder Deleted : C:\Users\Bob\AppData\Local\WebBar
    Folder Deleted : C:\Users\Bob\AppData\Roaming\DigitalSites
    Folder Deleted : C:\Users\Bob\AppData\Roaming\PennyBee
    Folder Deleted : C:\Users\Bob\AppData\Roaming\1H1Q1V1N1N1O1R
    Folder Deleted : C:\Users\BobbyRas\AppData\Local\pokki
    Folder Deleted : C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
    File Deleted : C:\Users\Bob\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\speed browser.lnk

    ***** [ Scheduled tasks ] *****

    Task Deleted : NetEngine

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
    Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
    Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9CB2CD61-FFA0-406C-9D2D-8FDE6F4A4D8A}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}
    Key Deleted : HKCU\Software\Pokki
    Key Deleted : HKLM\SOFTWARE\InstallCore
    Key Deleted : HKLM\SOFTWARE\SpeedBrowser
    Key Deleted : HKLM\SOFTWARE\EnterDigital
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_Start_Menu
    Key Deleted : [x64] HKLM\SOFTWARE\WebBar

    ***** [ Web browsers ] *****

    -\\ Internet Explorer v11.0.9600.17416


    -\\ Google Chrome v41.0.2272.118

    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://discovermagazine.com/search?SearchableText={searchTerms}&Submit.x=Submit.x&Submit.y=Submit.y
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.fonts.com/findfonts/searchresults.htm?kid={searchTerms}
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk
    [C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] :
    [C:\Users\BobbyRas\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    [C:\Users\BobbyRas\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    [C:\Users\BobbyRas\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.homepage-web.com/?src=omnibox&partner=toshibaupd&q={searchTerms}
    [C:\Users\BobbyRas\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk
    [C:\Users\BobbyRas\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] : hxxp://search.homepage-web.com/?src=omnibox&partner=toshibaupd&q={searchTerms}

    *************************

    AdwCleaner[R0].txt - [18636 bytes] - [14/04/2015 22:41:17]
    AdwCleaner[S0].txt - [4955 bytes] - [14/04/2015 22:44:45]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5014 bytes] ##########

    Thanks again, dbreeze.

    bobr
     

    Attached Files:

    • JRT.txt
      File size:
      917 bytes
      Views:
      1
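
Added example (not part of the thread, and not code from AdwCleaner or the posters): a short Python parser for a cleaning log laid out like the AdwCleaner[S0].txt above, which separates the removed items that were autostart points (scheduled tasks, Run values, browser extensions) from plain leftovers, so they can be re-checked after the reboot. The sample log, its names and the helper functions `parse_log` and `autostart_findings` are constructed for illustration; Services entries are assumed to have the same line shape as the other sections, since that section is empty in the log above.

```python
import re

# Constructed sample in the layout of the AdwCleaner[S0].txt log above.
# Product names, paths and the extension id are made up.
SAMPLE_LOG = r"""
# AdwCleaner v4.201 - Logfile created 14/04/2015 at 22:44:45
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ExampleBar

***** [ Scheduled tasks ] *****

Task Deleted : ExampleBarUpdater

***** [ Registry ] *****

Key Deleted : [x64] HKLM\SOFTWARE\ExampleBar
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ExampleBar]

***** [ Web browsers ] *****

-\\ Google Chrome v41.0.2272.118

[C:\Users\Alice\Chrome\Secure Preferences] - Deleted [Extension] : aaaabbbbccccddddeeeeffffgggghhhh
[C:\Users\Alice\Chrome\Secure Preferences] - Deleted [Default_Search_Provider_Data] :
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ITEM_RE = re.compile(r"^(\w+) Deleted : (\[x64\] )?(.+)$")
BROWSER_RE = re.compile(r"^\[(.+?)\] - Deleted \[([^\]]+)\] :\s*(.*)$")
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)? \[(.+)\]$", re.I)


def parse_log(text):
    """Return one dict per removed item, tagged with its log section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := ITEM_RE.match(line)):
            kind, x64, target = m.groups()
            entries.append({"section": section, "kind": kind, "target": target,
                            "x64": bool(x64), "store": None})
        elif (m := BROWSER_RE.match(line)):
            store, kind, target = m.groups()  # target may be empty
            entries.append({"section": section, "kind": kind, "target": target,
                            "x64": False, "store": store})
    return entries


def autostart_findings(entries):
    """Removed items that would have run again at boot, logon or browser start."""
    findings = []
    for e in entries:
        run = RUN_VALUE_RE.search(e["target"]) if e["kind"] == "Value" else None
        # Assumption: Services lines look like "<Kind> Deleted : <name>".
        if e["section"] in ("Services", "Scheduled tasks"):
            findings.append((e["section"], e["target"]))
        elif run:
            findings.append(("Run value", run.group(1)))
        elif e["kind"] == "Extension":
            findings.append(("Browser extension", e["target"]))
    return findings


if __name__ == "__main__":
    for label, name in autostart_findings(parse_log(SAMPLE_LOG)):
        print(f"{label}: {name}")
```
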
  13. dbreeze

    dbreeze Malware Specialist

    Malwarebytes' Anti-Malware
    Please download the latest version of Malwarebytes' Anti-Malware from here.

    Double Click on the mbam-setup.exe file to install the application.

    Do not check on the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.

    Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected, along with the Non-Malware Protection options PUP and PUM being set to "Treat detections as malware".

    Once the program has loaded and updated, select "Scan Now >>" to start the scan.

    The scan may take some time to finish, so please be patient.

    If any malware is found, you will be presented with a screen like the one below.

    Please click on the Export Log button and select the As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop).

    After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.

    Please attach the report file to a post here; I will review the file and script what needs to be removed.
     
  14. bobr1940

    bobr1940 Thread Starter

    Attached is the mbam.txt file.

    Thank you.

    bobr
     


  15. dbreeze

    dbreeze Malware Specialist

    This next step may take a while (just to warn you) .....

    ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

    You can leave Norton enabled even though ESET may warn about it. It just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

    Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

    Take note of the NO tick in the Remove found threats setting below as it needs to have the tick removed.

    -------------------------------------------------------------------------------------------------------------------

    Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

    Link =>> ESET Online Scanner <<

    Click the Run ESET Online Scanner located on the left side of the page (not the free trial).

    For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
    Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.

    Double click on the icon on your desktop.

    Check (accept) the Terms of Use.

    Click the START button.
    Accept any security warnings from your browser.

    Now in the Computer scan settings window that appears:-
    Make sure that the option Enable detection of potentially unwanted applications is selected.
    Now click on Advanced Settings and configure the options as follows:

    Remove found threats is Not checked
    Scan archives is checked
    Scan for potentially unsafe applications is checked
    Enable Anti-Stealth Technology is checked


    Now click on: Start

    ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.

    At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).

    Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.

    Attach the saved log file in your next reply please. Thanks.
     

Short URL to this thread: https://techguy.org/1146388
