Ex-Wife's Computer Hacked...

/ Ex-Wife's Computer Hacked... #1  

mark02tj (Veteran Member; joined Nov 10, 2013; 1,012 messages; Southwest Ohio; 2005 JD 3520)
I wasn't sure where else to post this but I know this forum gets a lot of traffic so here I am. :)

Long story short - I got a panicked / frantic call from the ex-wife the other night. She had "Microsoft Tech Support" on her land line and they were concerned about her computer because it was sending out viruses. I told her it was a hoax and to hang up on the guy and shut the computer off immediately!!

I'm not sure what she opened up to let them on to her system. She's a bit fuzzy on the details. I asked her about "TeamViewer" and "Ammy" but neither of those rang a bell to her. I looked around a bit on her system and found a file called "AeroAdminLog.txt" in the root directory of her C drive. It was dated and timestamped at about the same time she called me. I looked around in her "Program Files" folder and in the other folders, but nothing jumped out at me.

Here's a screenshot of what is in the AeroAdminLog.txt file:
Ex-Wife_Hack_Attempt.jpg

I know enough about this stuff to know the basics of what's in the file. But I'm hoping that some of you super-smart TBN tech guys can give me specifics. :thumbsup:

Fortunately she doesn't use this computer for much more than surfing the web, but she does do her online banking on it. She's already changed her online login information (from another computer). There are no pictures to save (all on her phone), no Word docs, etc.

Her computer is an HP Pavilion "G Series" running Win-7 Home Premium. I noticed that she has a D drive marked "Recovery" (2.24 GB free of 20.7 GB) and an E drive marked "HP_TOOLS" (1.89 MB free of 3.95 GB). Do either of those drives contain what I need to wipe the drive, reformat and reinstall the OS? Or should I take it to the little shop in town that has "We'll repair your computer for $69" painted in their front window?

Any help that you can give me would be appreciated. I have the computer for a few days so I can follow up on anything that's asked.

THANKS!
 
/ Ex-Wife's Computer Hacked... #3  
I would use the CD\DVD. It's rare but wouldn't take much to modify the HP recovery partition. Reinstall but still have the same remote login. If all she does is surf the internet, download linux, it's free and easy to install.
 
/ Ex-Wife's Computer Hacked... #6  
The text file just looks like a log file. Most new computers don't come with OS & App CD's anymore. The D: Recovery drive is a partition (virtual drive) where the OS and App files reside. If the computer is running OK and you haven't gotten any auto-spam emails from her, I doubt there's an infection. Microsoft does not call users to tell them they've got a BOT. That is a function of the ISP.
 
/ Ex-Wife's Computer Hacked... #7  
With those naked IP addresses, someone could have a whole lot more fun with a revenge game than you could ever imagine. A denial of service action would be my first salvo. Next would be a drone strike.
 
/ Ex-Wife's Computer Hacked... #8  
ughs another "microsoft blah blah techsupport call" hoax!!! and scam!!!

not sitting at the correct pc that has my various "family ware" stuff for cleaning up family member computers right off hand.

spybot search and destroy from... what is it, safernetworking.org, free version. tends to pull up a lot of extra crud that "task manager" and file explorer do not show.
--be careful, other companies / scams out there list their app as "spybot search and destroy"; ya want the one from safernetworking.org

i don't remember the other program right off, it is a fairly small program. ya download latest version, and run it, and it will make some log files of all the various info on your computer. most tech forums ask for the log to be posted to a forum thread. so they can see it.

i run "avg internet security" so i can get an antivirus app and a cheap firewall program that prompts me whenever something wants to connect to the internet. that prompting of the internet firewall software has saved me a couple times from a virus.
 
/ Ex-Wife's Computer Hacked... #9  
I looked it up - that IP shows to host Conficker B, AB and Sality P2P malware.
 
/ Ex-Wife's Computer Hacked... #10  
If she doesn't have anything on the computer I'd just wipe it and use the factory install. It'll take a few days to catch up on updates but at least she'd have the computer back. Don't bother trying to uninstall or fix it - far bigger pain than just wiping it.

Use Chrome, but don't use their save password/userID feature as it's entirely in clear text (bad.) Get a password vault like Norton Identity Safe or 1Password. Install AdBlocker as that's where a lot of drive-by malware comes from. Obviously some sort of AV/endpoint protection is necessary too but it's also a good time to explain to her how social engineering and phishing work. As we say in my industry, "there's no patch for stupidity."
 
/ Ex-Wife's Computer Hacked... #11  
Oh, and once the machine is rebuilt, make sure you set it to automatically download and install patches!
 
/ Ex-Wife's Computer Hacked... #12  
aeroadmin.com advertises "Aeroadmin - zero configuration free remote desktop software. Use it for quick and easy remote desktop access and PC control", so it's safe to say the machine was compromised when Aeroadmin was installed by "Bob" from "Microsoft" in India. Also, the McAfee Labs Threat Center rates that IP (59.162.178.227) as medium web risk.

In addition to the great advice above, once restored I would get some form of anti virus/anti malware protection installed and configured for updates.
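The replies above pull a single address out of the remote-desktop log and run it through a reputation service. The helper below is an added example, not code from the thread or from AeroAdmin: it extracts every IPv4 address from a log, discards the victim's own private, loopback and other non-routable addresses, and leaves a short list of global addresses (with the log lines that mention them) for a WHOIS or threat-intelligence lookup. The sample log layout and all addresses except 59.162.178.227 are constructed for the example; the real AeroAdminLog.txt format is only shown as a screenshot in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a remote-desktop tool log. It is NOT the real
# AeroAdminLog.txt from the thread; only the 59.162.178.227 address comes
# from the thread. Timestamps, other addresses and the layout are made up.
SAMPLE_LOG = """\
2014-03-11 19:42:03 Service started
2014-03-11 19:42:05 Local address 192.168.1.7 port 5950
2014-03-11 19:42:09 Incoming connection from 59.162.178.227
2014-03-11 19:42:10 Session accepted, remote id 59.162.178.227
2014-03-11 19:58:41 Connection closed 59.162.178.227
2014-03-11 19:58:42 Loopback check 127.0.0.1
"""

# Dotted-quad candidates; validity (each octet <= 255) is checked separately.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Return every syntactically valid IPv4 address found in text, in order."""
    found = []
    for m in IPV4_RE.finditer(text):
        try:
            found.append(ipaddress.IPv4Address(m.group(0)))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def triage_addresses(text):
    """Split addresses into ones worth looking up and local noise.

    RFC 1918 private, loopback, link-local and other non-global ranges are
    dropped: they identify the victim's own LAN, not the remote caller.
    Returns (public_counter, local_counter) keyed by address string.
    """
    public = Counter()
    local = Counter()
    for ip in extract_ipv4(text):
        if ip.is_global:
            public[str(ip)] += 1
        else:
            local[str(ip)] += 1
    return public, local


def lines_mentioning(text, ip_str):
    """Log lines that mention one address, so a session timeline can be built."""
    return [ln for ln in text.splitlines() if ip_str in ln]


if __name__ == "__main__":
    public, local = triage_addresses(SAMPLE_LOG)
    print("Addresses to look up (reputation / WHOIS / abuse contact):")
    for ip, n in public.most_common():
        print(f"  {ip}  ({n} log lines)")
        for ln in lines_mentioning(SAMPLE_LOG, ip):
            print(f"      {ln}")
    print("Local / non-routable addresses ignored:", ", ".join(sorted(local)))
```

Run it against the real log by replacing `SAMPLE_LOG` with the file's contents; the first and last lines that mention an address bracket the remote session, which is the window to compare against the time of the phone call and against the bank's login history.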
 
/ Ex-Wife's Computer Hacked... #14  
Free from Microsoft:

Windows Essentials - for use through Windoze 7
Windows Defender - for use with Windoze 8
 
/ Ex-Wife's Computer Hacked... #15  
I work as a Windows System Admin for one of the largest banks in the world so let me chime in on sound advice on computing online.


Sounds like the iYogi scam call. She was scammed for sure. NEVER let anyone call you to tell you that you have a computer problem or a virus. Glad she changed her passwords because that's the first and smartest thing you can do.

Never store passwords on a computer, at least unencrypted. If you're strapped for cash, download a free AV at the least. I have been using AVAST! Free AV on all my computers and smart phones for 15 years now and it really does work better than any other free AV out there; tried them all.

Change passwords every 90 days if you can. Backup all your essential data on an external drive or CD\DVD and lock it in a safe (more of a disaster recovery measure, but it also keeps clean data in the event of a hack\worm or virus).

Keep your home router locked. Never leave it open to the public; in fact hide it altogether (stop it broadcasting its SSID).

Take advantage of online security sites' new security features like secret questions etc. Even if they hack you and get your secret answer, you will at least get notified by email that you changed your workstation or device.
Hotmail, Yahoo, and Gmail offer free email, so always carry at least two: one for play (make sure the email name has nothing to do with your name or location) and the other for family communication etc.

There are more security measures like the free Spybot and Adaware programs, but staying diligent about the websites you visit and never allowing anyone into your computer or device is the key to fewer headaches later on.
 
/ Ex-Wife's Computer Hacked... #16  
hijackthis is the program i was thinking of. right off hand i don't remember correct main website, to grab it from.
 
/ Ex-Wife's Computer Hacked... #17  
Might not hurt to download and install Malwarebytes Anti-malware free version and do a full scan.
 
/ Ex-Wife's Computer Hacked... #19  
It prolly stinger you're thinkin of...

Here is a McAfee source page for it:
https://community.mcafee.com/docs/DOC-2168

Good luck
T
 
/ Ex-Wife's Computer Hacked... #20  
I like Malwarebytes and Superantispyware, they seem to find different things but may not find that sort of program. Only download programs from the manufacturer or someone like Cnet. If nothing much on the PC then restore it using the HP recovery tool. Usually you can get it by hitting something like F11 when it first powers on.

How do I RESTORE my system to the original factory settings - HP Support Forum - 50113

A decent and usually updated place with both good information and comprehensive links to some of the best antiviral and antimalware resources is:

Security Tango?

The web site of a local NPR IT/Computer Guru Nick Francesco.

T
 