McAfee "Lifesave" failed to save my computer!

[Mando]

1 minute ago, warwagon said:

What user going to password protect their AV?

every webroot customer  and iirc doesnt symantec retail products also allow the feature?, SEP deffo does, the default is "symantec"

[+Warwagon MVC]

Just now, Mando said:

every webroot customer  and iirc doesnt symantec products also allow the feature, SEP deffo does, the default is "symantec"

I guarantee this guy would have voluntarily disabled webroot per "Dells" instructions.

[Mando]

On 2/15/2018 at 11:23 PM, techbeck said:

You can literally type in any service tag on Dell's site and get the warranty/order info.  And service tags are not hard to figure out.  A lot of time, you just need one service tag number and another can just be one character different.

Yup, its a great feature for sys adms but so open to abuse, esp as Dell Service tags are only what 8 chars max?

Just now, warwagon said:

I guarantee this guy would have voluntarily disabled webroot per "Dells" instructions.

not in future he wont  

[+Warwagon MVC]

1 minute ago, Mando said:

not in future he wont  

2

indeed..err...well.. that has yet to be seen.

[Jim K Global Moderator]

19 minutes ago, Mando said:

thats exactly whats happened mate, they get into the system, "fix it" while dropping the real backdoor payload and your now a dormant bot machine for them to C&C whenever they need.

 

if it was me personally or professionally, id be nuking that system from orbit, low level format the drive and do a clean install and use good paid for AV mate.

 

Also add Warwagons advice to what else to do.

Yea, I would nuke Windows and start fresh. Never really know what they left behind...

[bikeman25]

Yeah after something like that i'd wipe the system even myself, reinstall everything, and make sure had a good Av installed and kept up to date.  Though don't think Av would've been much help with this issue 

 

 

[Mando]

5 minutes ago, Jim K said:

Yea, I would nuke Windows and start fresh. Never really know what they left behind...

exactly any payload dropped before replacing the remove mcafee (lets say rootkit for a giggle) a lot of then installed platforms can miss these, depending how smart the rootkit type is.

 

workwise id probs dispose of the drive to be safe, due to my industry.

[+Warwagon MVC]

Also change your bank password immediately, as in yesterday. There was one person who let these people on their computer, I heard about it but never actually saw the computer (it was a bartender who told me his wife was on the phone with a Microsoft, I was actually out on the town at the time), I told him to her it was a scam hang up and not to pay it. Well, she paid it and after the credit card paid it she thought it must be legit.

 

They must have left team viewer or some other remote assistance app running on their computer. She must have also saved her banking login and password in internet explorer. They called back a month later to tell her that "they feel bad and want to give her a refund, but oops they accidentally gave her $25,000" So they would like it if she could send that money back to them.

 

Long story short, there was $25,000 extra in her checking account. They logged into her bank and transferred $25,000 from her savings to her checking. She did not transfer the money to the scammers.

 

Once I finally looked at her computer it got formatted and I think she even upgraded to an ssd.

 

So ya, change your bank password immediately. 

[bikeman25]

Long Long Time ago while testing Live One Care, i got system very infected with a rootkit virus,  accepted a file from so called friend in a game i was playing, opened the file, program did not alert on it,  so i figured yay safe lol, Moral of this story don't accept files from strangers,  make sure passwords changed periodically,  in the end due to shop at the time not able to get rid of that infection permently, ended up having to downgrade parts from AMD XP 2500+  to AMD Sempron at the time.    

 

This is main reason why i stick with Avast antivirus lately,  a little uneasy when i use Defender,  I guess i was scammed then to or stupid clicker one or the other lol.  

 

 

[nekrosoft13]

3 hours ago, Mando said:

Yup, its a great feature for sys adms but so open to abuse, esp as Dell Service tags are only what 8 chars max?

not in future he wont  

in future Microsoft will call and he will...

[Howard Davis]

On 3/6/2018 at 10:28 AM, Vince800 said:

So after slating both McAfee & Dell - Nothing to do with either. Being duped into a very obvious scam (iTunes Vouchers) you still seem to come across as if you think that this is really Dell.

Definitely having to do with Dell - if not, HOW did the scammers get my personal Dell customer data with which to convince me they were NOT scammers? Either they are or were Dell employees, or have hacked Dell - which Dell had an obligation to make publicly known if it did occur!  Others here have also expressed a low opinion of McAfee, so go argue with them. The fact is that "McAfee Lifesave" DID NOT warn me of the presence of malware, no less protect me from it!

[Mando]

14 minutes ago, Howard Davis said:

Definitely having to do with Dell - if not, HOW did the scammers get my personal Dell customer data with which to convince me they were NOT scammers? Either they are or were Dell employees, or have hacked Dell - which Dell had an obligation to make publicly known if it did occur!  Others here have also expressed a low opinion of McAfee, so go argue with them. The fact is that "McAfee Lifesave" DID NOT warn me of the presence of malware, no less protect me from it!

Can I ask Howard, what personal Dell data of your customer info did they have?

I work in Infosec and i have a genuine professional interest.

 

It troubles me to know someone has been scammed like this.

[Howard Davis]

22 hours ago, Jim K said:

Yea, I would nuke Windows and start fresh. Never really know what they left behind...

I downloaded and ran Malwarebytes, which I did not have previously. It found over 40 questionable files, two of which were definitely spy/malware. All are now quarantined. All sensitive passwords were changed after doing this. I never have done online banking and never would. I also did an in-depth scan with McAfee which gave me an all-clear, but I don't trust McAfee alone. I am more knowledgeable than the typical computer user, though not an expert. I can only conclude that MOST people have malware they are not aware of.

[Howard Davis]

4 minutes ago, Mando said:

Can I ask Howard, what personal Dell data of your customer info did they have?

I work in Infosec and i have a genuine professional interest.

 

It troubles me to know someone has been scammed like this.

Thank you for your concern. They told me a few things that I don't specifically recall, but what convinced me most was that they had the service tag number. I conclude they are or were Dell employees, or have hacked Dell for this information. 

[Mando]

11 minutes ago, Howard Davis said:

Thank you for your concern. They told me a few things that I don't specifically recall, but what convinced me most was that they had the service tag number. I conclude they are or were Dell employees, or have hacked Dell for this information. 

Thanks, hmm trying to think how to obtain someones Service tag, via Dell, and you know what you have a point fellah, you can only enter a service tag, you cant check with anything else for a machine.

 

unless....if the first malware payload was a  RAT (remote access trojan) its easy to extract the Service tag from a  BIOS lookup on the hardware. 

 

Or

have you ever entered your dell service tag into Dells website, if so it could theoretically be gleamed from that from temp internet files.

 

outwith those two possibilities, im really struggling to figure out how it would be possible without what you have claimed in all honesty.

[Howard Davis]

35 minutes ago, Mando said:

Thanks, hmm trying to think how to obtain someones Service tag, via Dell, and you know what you have a point fellah, you can only enter a service tag, you cant check with anything else for a machine.

 

unless....if the first malware payload was a  RAT (remote access trojan) its easy to extract the Service tag from a  BIOS lookup on the hardware. 

 

Or

have you ever entered your dell service tag into Dells website, if so it could theoretically be gleamed from that from temp internet files.

 

outwith those two possibilities, im really struggling to figure out how it would be possible without what you have claimed in all honesty.

I don't recall ever inputting my service tag number. 

[Howard Davis]

NEW PROBLEM - possibly related to malware? To my knowledge it is all quarantined. I've scanned again with Malwarebytes and nothing was found. 

 

Recently I've had the experience of the screen going black and the monitor indicating no signal is reaching it. After a brief interval, it would be OK.

Today this happened again and it took several minutes until the screen restored itself. 

My cables/connections seem OK. 

[Brandon H Supervisor]

it could be a remote session or something trying to take over the main display but that's just speculating

 

I'd highly recommend you to backup important files and format/reinstall windows.

since you know you were compromised by a scammer there's a high possibility there are other hidden files that malwarebytes can't find or the virus/malware may have modified system files causing bugs.

[Howard Davis]

Warwagon stated:

"I'd recommend a reinstall or at the very least roll that system back before you were scammed. Also check the programs and feature list for any remote assistance apps still installed on your computer, these may include.

 

Thanks - I did find a few of those you listed and they are gone.

By "roll back the system" I assume you mean a system restore to a date preceding the incident?

[Mando]

12 minutes ago, Howard Davis said:

Warwagon stated:

"I'd recommend a reinstall or at the very least roll that system back before you were scammed. Also check the programs and feature list for any remote assistance apps still installed on your computer, these may include.

 

Thanks - I did find a few of those you listed and they are gone.

By "roll back the system" I assume you mean a system restore to a date preceding the incident?

you could yes, but id lean more towards a deletion of the drive partitions and a fresh install of Windows via install media.

[Brandon H Supervisor]

yes i recommend a full format of the hard drive, some malware can hide itself directly in the partition table itself so it can't be removed easily without a full format. I've had this happen to family members, it's a pain to even detect.

[Ve7878]

5 hours ago, Howard Davis said:

Definitely having to do with Dell - if not, HOW did the scammers get my personal Dell customer data with which to convince me they were NOT scammers? Either they are or were Dell employees, or have hacked Dell - which Dell had an obligation to make publicly known if it did occur!  Others here have also expressed a low opinion of McAfee, so go argue with them. The fact is that "McAfee Lifesave" DID NOT warn me of the presence of malware, no less protect me from it!

You're only basing your malware assumption based on what the scammers told you. Knowing how easily you gave in & purchased iTunes vouchers, it's not that far fetched that you may have fell foul of a phishing scam too. 

[Mando]

2 hours ago, Howard Davis said:

Warwagon stated:

"I'd recommend a reinstall or at the very least roll that system back before you were scammed. Also check the programs and feature list for any remote assistance apps still installed on your computer, these may include.

 

Thanks - I did find a few of those you listed and they are gone.

By "roll back the system" I assume you mean a system restore to a date preceding the incident?

Howard, if you would like i would happily give the machine a once over remotely if you wish, i would understand totally however if you were apprehensive doing so mate  

 

If you would rather try some of the tools yourself, ofc im happy to guide you.

 

I would suggest something like Avira bootable Linux distro on a usb stick, boot from that and scan windows as flat files (windows is offline at this point in time), bit like running an ubuntu live distro CD from disk.

[Howard Davis]

On 3/6/2018 at 1:56 PM, Mando said:

thats exactly whats happened mate, they get into the system, "fix it" while dropping the real backdoor payload and your now a dormant bot machine for them to C&C whenever they need.

 

if it was me personally or professionally, id be nuking that system from orbit, low level format the drive and do a clean install and use good paid for AV mate.

 

Also add Warwagons advice to what else to do.

I've eliminated all malware found by Malwarebytes, scanned again with McAfee, deleted all programs that could be used to take control of the computer, and changed all significant passwords. Along with two definite spyware/malware items, Malwarebytes found about 40 other suspicious files - all now quarantined. I'll do a system restore if considered advisable by a consensus of experts as we have on this forum. I see no need to do something as radical and risky as reinstalling the OS. I think the computer is 99% likely to now be secure. 

 

One other thing - I was told by the scammer that the IP address has been changed, and upon request he gave it to me. 

 

[Howard Davis]

18 hours ago, Mando said:

Howard, if you would like i would happily give the machine a once over remotely if you wish, i would understand totally however if you were apprehensive doing so mate  

 

If you would rather try some of the tools yourself, ofc im happy to guide you.

 

I would suggest something like Avira bootable Linux distro on a usb stick, boot from that and scan windows as flat files (windows is offline at this point in time), bit like running an ubuntu live distro CD from disk.

Thank you for the offer. What would you charge for the service?

Given what I have already done (outlined in my last post, above), I think it safe to assume the computer is now secure - at least enough so, given that I do not do online banking and have changed my passwords. Your last sentence above recommends work I would not feel comfortable doing, as it is a bit beyond my level of expertise.