HELP! I had the phone fraud claiming MS and worried sick

Help me, please.
It may be off topic for this forum, but I don’t know what to do and I desperately need help… please help me.

I recently had a call from those phone fraudsters claiming they are MS security and fell for it.
They told me there was a problem in my computer that keeps on sending messages to them and asked me to download the remote access program (which I later found out).
While they were in remote access, they showed me the prefetch, msconfig, eventvwr and they turned on cmd.exe and asked me to type "cd" (\ appeared as a dashed W) enter, and “scan” and enter.
A whole bunch of words flew through the cmd screen for a few seconds and “hacker found” showed up at the very bottom of the screen.
Then, they directed me to this “pcpestfix.com” and told me to buy the plan.
At that time fortunately I did not have any means of payment so I did not buy the plan,
but they kept me on the line and did not let me go from the remote access thing for a while.
After a while they let me go.

I did not realize it was a phone scam, but I thought it was creepy so I went through a full system scan and boot scan using the Avast free antivirus program.
After a week, today I got another phone call from them, which I hung up on, and researched this and finally realized it was a phone scam.

I am so scared and I don't know what to do.
Were the full scan and boot scan enough to solve the problem?
Can they access my computer after this?
I deleted the program and went through a full system scan a number of times.

I do not do much with my computer, but I moved some video files yesterday (after many full scans and boot scans) to my dad’s computer and I am worried sick about my dad’s computer.

Please help me. Please…
I am worried sick. I can’t even sleep. Please.

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kim :: KIM-PC [administrator]

Protection: Enabled

2012-08-06 오전 2:52:47
mbam-log-2012-08-06 (02-52-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195449
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\AppID{FCF9C839-34AD-499C-A9CE-CE4226E66EE9} (Adware.KorAd) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Kim\Downloads\neodiary19054_full.exe (PUP.Adware.RelevantKnowledge) → Quarantined and deleted successfully.
C:\Users\Kim\Downloads\wrar393k_fsetup_349_25.exe (Adware.Kraddare) → Quarantined and deleted successfully.

(end)

Here are those reports from OTL

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-06 03:31:06

03:31:06.231 OS Version: Windows x64 6.1.7601 Service Pack 1
03:31:06.231 Number of processors: 4 586 0x2A07
03:31:06.231 ComputerName: KIM-PC UserName: Kim
03:31:09.413 Initialize success
03:31:10.645 AVAST engine defs: 12080600
03:31:17.088 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
03:31:17.088 Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
03:31:17.151 Disk 0 MBR read successfully
03:31:17.166 Disk 0 MBR scan
03:31:17.166 Disk 0 Windows VISTA default MBR code
03:31:17.182 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
03:31:17.197 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 673742 MB offset 3074048
03:31:17.229 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 26105 MB offset 1382897664
03:31:17.260 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 14056 MB offset 1436360704
03:31:17.291 Disk 0 scanning C:\windows\system32\drivers
03:31:26.620 Service scanning
03:32:48.395 Modules scanning
03:32:48.411 Disk 0 trace - called modules:
03:32:48.957 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
03:32:48.957 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80081cb060]
03:32:48.972 3 CLASSPNP.SYS[fffff8800160143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80062b8050]
03:32:50.673 AVAST engine scan C:\windows
03:32:53.730 AVAST engine scan C:\windows\system32
03:35:37.874 AVAST engine scan C:\windows\system32\drivers
03:35:48.685 AVAST engine scan C:\Users\Kim
04:19:18.003 AVAST engine scan C:\ProgramData
04:21:00.687 Scan finished successfully
04:23:25.522 Disk 0 MBR has been saved successfully to “C:\Users\Kim\Documents\MBR.dat”
04:23:25.528 The log file has been saved successfully to “C:\Users\Kim\Documents\aswMBR.txt”

This is aswMBR scan log.
What else do I need to do?

Now you’ve to wait a bit. :wink:

Nothing readily apparent there. What programme did they download to access your system?

I will dig deeper though

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..browser.search.selectedEngine: "?¤ì´ë²?
O2 - BHO: (no name) - {0A4ABCA7-7612-4BA1-B1D3-4D56D964D3F4} - No CLSID value found.
O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-137632020-889758999-164455875-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Here is the OTL log

After the reboot by ComboFix, every time I tried to start any program, a message popped up saying “illegal operation attempted on a registry key that has been marked for deletion,” and the program did not run.
So I rebooted, and it seems it works normally. When I was typing the very first sentence in this reply, there was a short time lag, but it works fine now so I guess I did not wait long enough for all the startup programs to start.

The program I downloaded… I deleted it right away so I cannot remember the name of the program they used.
It was on the website “pcpestfix.com” and when I clicked the link “connect to the technician” it was automatically downloaded.
The website is still there, but I am a little scared to go check what the name of the program was.

While I was waiting for the reply, I ran Microsoft Safety Scanner as suggested by Microsoft for those who got phone scammed, and it found “Win32/Obfuscator.XY”, which Avast did not detect. Microsoft Safety Scanner says it cannot cure it. What should I do?

This won’t be a popular reply, but if I were you, I would reinstall Windows. Do you at least have any restore points prior to this? How about a system image? Again, if it were me, I would never be able to trust the machine, so I would reimage or reinstall.

Hindsight is always easy, but in this case I totally agree with DBone.

Sorry guys, but I strongly suggest to let Essexboy decide. :wink:

I am not sure, but I don’t think there are any restore points prior to this. I checked the recovery section of the control panel and it only lists today’s, which was created by the OTL program thing as I followed the instructions above.
I do not know how to create restore points and I have not done anything beforehand.
Mine’s a laptop and Windows came with it when I bought it, so I am not sure about the system image either…

Please wait for Essexboy’s reply. He’s the expert on such issues…!!

c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\windows\apppatch\AppLoc.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
Combofix killed it
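For anyone triaging a machine after the same kind of remote-support scam, the following is an added example (not part of the thread, and not a tool the helpers used) that re-checks the leftovers ComboFix reported above: the AMMYY data directory under ProgramData, custom shim databases (.sdb) under AppPatch\Custom, and the AppCompatFlags registry keys where Windows records which executables custom shims are bound to. Only the paths named in the thread and the standard AppCompatFlags keys are used; run it from an elevated PowerShell prompt.

```powershell
# Added example: re-check the remote-access leftovers this thread identified.
# Paths are the ones ComboFix listed above; AppCompatFlags keys are the standard
# Windows locations for registering custom application-compatibility shims.
function Get-RemoteSupportLeftovers {
    $hits = @()

    # 1. Data directory left behind by the remote-access tool (AMMYY in this thread).
    $ammyy = Join-Path $env:ProgramData 'AMMYY'
    if (Test-Path $ammyy) {
        Get-ChildItem -Path $ammyy -Recurse -Force | ForEach-Object {
            $hits += [pscustomobject]@{ Kind = 'RemoteTool'; Item = $_.FullName; Modified = $_.LastWriteTime }
        }
    }

    # 2. Custom shim databases on disk. A GUID-named .sdb here is unusual on a home PC
    #    and is worth a closer look (ComboFix removed one in this thread).
    $custom = Join-Path $env:windir 'AppPatch\Custom'
    if (Test-Path $custom) {
        Get-ChildItem -Path $custom -Recurse -Force -Filter *.sdb | ForEach-Object {
            $hits += [pscustomobject]@{ Kind = 'ShimDB'; Item = $_.FullName; Modified = $_.LastWriteTime }
        }
    }

    # 3. Registry side of the same shims: 'Custom' holds one subkey per shimmed
    #    executable, 'InstalledSDB' one per installed database GUID.
    $flags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    foreach ($sub in 'Custom', 'InstalledSDB') {
        $key = Join-Path $flags $sub
        if (Test-Path $key) {
            Get-ChildItem -Path $key | ForEach-Object {
                $hits += [pscustomobject]@{ Kind = "Registry\$sub"; Item = $_.PSChildName; Modified = $null }
            }
        }
    }

    return $hits
}

$results = Get-RemoteSupportLeftovers
if ($results.Count -eq 0) {
    'No AMMYY directory, custom shim database or shim registration found.'
} else {
    $results | Format-Table -AutoSize
}
```

An empty result matches what the helper concluded after ComboFix; any entry in the list is something to show the helper rather than delete by hand, since custom shims can also be installed legitimately.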

To be really sure, although I feel it has all gone now

You may not get all options for this programme

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Download GMER Rootkit Scanner from here or here.

[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
[*] If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.


http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

Click the image to enlarge it

[*] In the right panel, you will see several boxes that have been checked. Uncheck the following …
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

[*]Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Can the type of problem I had with my computer have infected my dad’s computer in the process of moving some video files using an external hard drive?
I am worried about his computer (he is right now at a different place where there is no internet connection), which he uses for a lot of personal information.

I faced a problem using GMER. On the right panel, everything except the last three, “Services”, “Registry”, “Files”, is greyed out and I cannot select it. This happens in both normal Windows and safe mode.

That is OK, as the version of Windows you are running dictates what options are available, so run GMER with what shows.

Nothing would have been transferred, as the programme that you downloaded was purely to access your system and I can see no sign of a replicator.

I ran GMER and it said there hasn’t been a modification. The white screen of GMER stays blank and the file I saved under the name GMER.text was blank. I am not sure if it is a good sign or a bad sign?

Nope, that means there is no rootkit activity … How is the computer behaving? Anything unusual or weird?