Disconcerting Coincidence or Scam + Malware Infection?

Hi all,

I started this thread because I need the advice of someone with a deeper knowledge of computer security and malware and to alert others to my situation. I will try to provide all the relevant information, if I leave something out just ask.

The Situation:
On March 15 I was targeted by the Ammyy Scam (or something similar).
The scenario was very similar to other peoples' experiences on this forum:

• My father received an early morning phonecall on HIS landline asking for ME (my name has not been associated with that line in quite some time)
• They said they were calling in regards to a virus or security error or something on my computer
• My dad told them to call back later and alerted me to the call
• I briefly searched for scams on the internet and found information on something similar to the Ammyy scam
• A couple hours later I recieved a call from a man with a very heavy indian accent who claimed to be calling from some unknown (to me) tech support service which i couldn't understand due to his thick accent
• told me that they got my information because I was in some windows user database or something along those lines
• at this point i was fairly certain it was a scam but continued to humor the guy (after shutting off my connection to the internet to be safe)
• told me I had serious security problems with my pc and gave me step by step directions to go to the event viewer to view this alleged security problems
• at this point i began to play with guy, I gave him a 'false in' by asking if he was from my AV provider Mcafee (which is not my AV service), he didn't fall for it. Than I began questioning him on how he knew I had these security errors, what application was transmitting this info to him etc,
• at this point he got angry said if i didn't want his help i didn't have to accept it and hung up

No harm done right? I didn't grant them access to my PC or give them any identifying information (or information at all). Here is where the plot thickens.

• a couple hours later I was browsing firefox (on a trusted website) when my computer unexpectedly froze and then shutdown.
• I have a dual-boot system (Win7/Ubuntu) and when I went to reboot I got as far as the grub loader (where you select an OS) I chose win7 and directly after it said something along the lines of "no OS found" or "no bootmgr/bootloader found" (can't remember the exact error).
• I rebooted again and loaded into Ubuntu, this seemed to work fine (or as well as it should being an early Beta release of 12.04). But as I am a linux novice i was not able to explore my windows partition from the linux os.
• I rebooted again and began to perform repair/recovery operations: 1st the automatic windows troubleshooter, than system recovery, and finally memory diagnostic tests. The first two operations didn't solve the problem, and the memory test came back as without errors.
• During all these reboots and repair attempts i received many blue screens with error messages and a couple unfamiliar black screen (1 of which just had the character 'J' on it).
• After all these tests, I tried rebooting one more time and I was able to boot back into windows but when I did I received two error messages immediately. The 1st warned me that my Firewall (Comodo +HIPS) was deactivated and the second told me that my AV (Avast) was deactivated as well.
• This scared the ____ out of me and I immediately severed my connection to the internet and reactivated my security programs.
• First I ran a "quick AV scan," than I reactivated my firewall, connected to the internet and download the latest definitions for my anti-malware programs. Than I ran critical point, quick, and full systems scans including removable media with SAS, Malwarebyes, and Avast AV, as well as a rootkit scan with Kapersky TDSSkiller. All of the Scans came back negative except for a program I use to test my firewall "firewall leak-test"
• However, in the process of all these scans I noticed a couple new folders in my storage drive named "Nqb{)5PT[ElM}q68q{" and "tgJL](qJC!br3atLl1" (and they are huge 1 is 261 GB and the other is 41 GB). The names of the files within these folders are all similar to the folder names (just random characters numbers and symbols) and the file type is "File." Furthermore, all of the files are precisely 221,184 KB and they say they were created on march 2, the phone calls from India were on March 15.
• One last anomaly, I noticed after about a day that my computers clock had been changed forwards by two hours.

As far as I have been able to tell, no other targets of the Ammyy Scam have experienced anything like; this and I am at a loss. The three possible scenarios I have identified are as follows:

1. Since the adversary in the Ammyy Scam does not and did not have physical or remote access to my computer, the Ammyy Scam attempt is not related to the problems I experienced with my computer (disabling of security programs, unknown files, and altered clock). These symptoms were either caused by computer error, user error, or a combination of the two OR were caused by a virus/malware that was unrelated to the Ammyy Scam
2. The adversary (Ammyy Scammer) gained remote access to my computer at some point in the past or directly after the phonecall and was able to plant the malware on my system. What I am dealing with could be a more advanced version of the Ammyy Scam. The files could be explained as either files downloaded onto my system by the malware or files that were encrypted or corrupted/overwritten by the malware ( i have heard hackers will sometimes break into your system encrypt your data and hold it for ransom).

If anything I have said doesn't make sense or makes me sound like I am out of my league it is because I am. I could really use help on this issue. If you need any clarification I will be happy to help you help me


System Security:
Active:
Hardware Firewall/Router
Comodo Secure DNS
Avast AV
Comodo Firewall with Defense+ (running in Safe Mode)
Firefox secured with: Adblock+, Noscript, Request Policy, Cookie Monster, HTTPS everywhere, WOT, redirect cleaner, and Better Privacy

Passive:
TDSSkiller
SAS
MBAM

Any help is greatly appreciated thank you

 

option 1

 

Just a coincidence... Option 1

 

It's hard to say without seeing if you were infected? You have 2 options: Go to one of the Malware Cleaning sites mentioned here to see if there is anything suspicious: https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3 or reformat and do a clean install of Windows!

TH

 

Total coincidence. Unless you granted access or went to a certain site, I doubt very much it has anything to do with the phone calls. At this point I would figure out what was installed or updated around that time. Try running hitman pro and also either kaspersky or dr web boot disk. Your only other option is to restore an image or fresh install.

 

Can you remember, what you have done on March 2?

 

I'd say it's a coincidence as well. From what you are describing it seems some sort of file system related error/data corruption.

 

As everyone have said i would say it's just coincidence.
If you're still not sure analyze what options you have.
Do you any kind of imaging software for backups?
If not, can you format your PC?
If not, then scan your computer with a few tools, such as MBAM, HMP or Emsisoft Emergency Kit.
If you are still unsure then you can use the links provided by Triple Helix.

 

I agree it is a coincidence. I doubt a phonecall could exploit you, especially if your internet is not through dialup or dsl. If your internet is through the phone line, then maybe while you were talking they could play an inaudible signal which exploits your modem? Its quite a stretch to believe they would be that advanced.

Other possibilities.
1. Maybe you browsed to an exploit site while researching the scam.
2. Maybe these people were for real. If you had contracted malware before, it could be spamming people and launching attacks. All this could be tracked back to your internet account. There could be a group out there trying to help exploited users clean up their computers.

Did they ever ask you to do anything that would be harmful, or was it just system log questions?

 

Yes, probably for some reason Eraser left some of its erasing files on your HDD. It is exactly how Eraser erases free disk space, by creating large files filled with random data. So it seems that the "weird" part of the problem was solved