Disconcerting Coincidence or Scam + Malware Infection?

Discussion in 'malware problems & news' started by JackReacher, Mar 17, 2012.

Thread Status:
Not open for further replies.
  1. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    Hi all,

    I started this thread because I need the advice of someone with a deeper knowledge of computer security and malware and to alert others to my situation. I will try to provide all the relevant information, if I leave something out just ask.

    The Situation:
    On March 15 I was targeted by the Ammyy Scam (or something similar).
    The scenario was very similar to other people's experiences on this forum:
    • My father received an early morning phone call on HIS landline asking for ME (my name has not been associated with that line in quite some time)
    • They said they were calling in regards to a virus or security error or something on my computer
    • My dad told them to call back later and alerted me to the call
    • I briefly searched for scams on the internet and found information on something similar to the Ammyy scam
    • A couple of hours later I received a call from a man with a very heavy Indian accent who claimed to be calling from some unknown (to me) tech support service which I couldn't understand due to his thick accent
    • told me that they got my information because I was in some Windows user database or something along those lines
    • at this point I was fairly certain it was a scam but continued to humor the guy (after shutting off my connection to the internet to be safe)
    • told me I had serious security problems with my PC and gave me step by step directions to go to the Event Viewer to view these alleged security problems
    • at this point I began to play with the guy; I gave him a 'false in' by asking if he was from my AV provider McAfee (which is not my AV service), he didn't fall for it. Then I began questioning him on how he knew I had these security errors, what application was transmitting this info to him, etc.
    • at this point he got angry, said if I didn't want his help I didn't have to accept it, and hung up

    No harm done right? I didn't grant them access to my PC or give them any identifying information (or information at all). Here is where the plot thickens.

    • a couple of hours later I was browsing in Firefox (on a trusted website) when my computer unexpectedly froze and then shut down.
    • I have a dual-boot system (Win7/Ubuntu) and when I went to reboot I got as far as the GRUB loader (where you select an OS). I chose Win7 and directly after it said something along the lines of "no OS found" or "no bootmgr/bootloader found" (can't remember the exact error).
    • I rebooted again and loaded into Ubuntu; this seemed to work fine (or as well as it should, being an early beta release of 12.04). But as I am a Linux novice I was not able to explore my Windows partition from the Linux OS.
    • I rebooted again and began to perform repair/recovery operations: 1st the automatic Windows troubleshooter, then system recovery, and finally memory diagnostic tests. The first two operations didn't solve the problem, and the memory test came back without errors.
    • During all these reboots and repair attempts I received many blue screens with error messages and a couple of unfamiliar black screens (1 of which just had the character 'J' on it).
    • After all these tests, I tried rebooting one more time and I was able to boot back into Windows, but when I did I received two error messages immediately. The 1st warned me that my firewall (Comodo + HIPS) was deactivated and the second told me that my AV (Avast) was deactivated as well.
    • This scared the ____ out of me and I immediately severed my connection to the internet and reactivated my security programs.
    • First I ran a "quick AV scan," then I reactivated my firewall, connected to the internet and downloaded the latest definitions for my anti-malware programs. Then I ran critical point, quick, and full system scans including removable media with SAS, Malwarebytes, and Avast AV, as well as a rootkit scan with Kaspersky TDSSKiller. All of the scans came back negative except for a program I use to test my firewall, "firewall leak-test".
    • However, in the process of all these scans I noticed a couple of new folders in my storage drive named "Nqb{)5PT[ElM}q68q{" and "tgJL](qJC!br3atLl1" (and they are huge: 1 is 261 GB and the other is 41 GB). The names of the files within these folders are all similar to the folder names (just random characters, numbers and symbols) and the file type is "File." Furthermore, all of the files are precisely 221,184 KB and they say they were created on March 2; the phone calls from India were on March 15.
    • One last anomaly: I noticed after about a day that my computer's clock had been changed forwards by two hours.

    As far as I have been able to tell, no other targets of the Ammyy Scam have experienced anything like this, and I am at a loss. The three possible scenarios I have identified are as follows:
    1. Since the adversary in the Ammyy Scam does not and did not have physical or remote access to my computer, the Ammyy Scam attempt is not related to the problems I experienced with my computer (disabling of security programs, unknown files, and altered clock). These symptoms were either caused by computer error, user error, or a combination of the two, OR were caused by a virus/malware that was unrelated to the Ammyy Scam
    2. The adversary (Ammyy Scammer) gained remote access to my computer at some point in the past or directly after the phone call and was able to plant the malware on my system. What I am dealing with could be a more advanced version of the Ammyy Scam. The files could be explained as either files downloaded onto my system by the malware or files that were encrypted or corrupted/overwritten by the malware (I have heard hackers will sometimes break into your system, encrypt your data and hold it for ransom).

    If anything I have said doesn't make sense or makes me sound like I am out of my league it is because I am. I could really use help on this issue. If you need any clarification I will be happy to help you help me :)


    System Security:
    Active:
    Hardware Firewall/Router
    Comodo Secure DNS
    Avast AV
    Comodo Firewall with Defense+ (running in Safe Mode)
    Firefox secured with: Adblock+, Noscript, Request Policy, Cookie Monster, HTTPS everywhere, WOT, redirect cleaner, and Better Privacy

    Passive:
    TDSSkiller
    SAS
    MBAM

    Any help is greatly appreciated thank you
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    option 1
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Just a coincidence... Option 1
     
  4. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    That is what my intuition tells me, but I still can't explain those large unidentifiable files. For anyone familiar with encryption, do you think these could be files that were either encrypted by an attacker, or accidentally encrypted by myself (I have no recollection of using any encryption software on this drive or any other drive)?
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Total coincidence. Unless you granted access or went to a certain site, I doubt very much it has anything to do with the phone calls. At this point I would figure out what was installed or updated around that time. Try running hitman pro and also either kaspersky or dr web boot disk. Your only other option is to restore an image or fresh install.
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Can you remember what you have done on March 2?
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I'd say it's a coincidence as well. From what you are describing it seems some sort of file system related error/data corruption.
     
  9. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    Thanks for the answers guys, I'm working on some of the solutions you all recommended.

    Can anyone tell me whether the files I described in the original post sound like they could have been encrypted?

    Also I scanned my computer using F-Secure Online Scanner and it found a file called "Runnow.exe" which it labeled as "Suspicious:W32/Malware!Gemini". The file is located in my C drive's Program Files folder and is in the "System Scheduler" directory, which is a program I downloaded off of a reputable site. This sounds to me like it could be a false positive. Any thoughts?

    Thanks guys
     
  10. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    As everyone has said, I would say it's just a coincidence.
    If you're still not sure, analyze what options you have.
    Do you have any kind of imaging software for backups?
    If not, can you format your PC?
    If not, then scan your computer with a few tools, such as MBAM, HMP or Emsisoft Emergency Kit. :rolleyes:
    If you are still unsure then you can use the links provided by Triple Helix. :D
     
  11. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    I agree it is a coincidence. I doubt a phone call could exploit you, especially if your internet is not through dialup or DSL. If your internet is through the phone line, then maybe while you were talking they could play an inaudible signal which exploits your modem? It's quite a stretch to believe they would be that advanced.

    Other possibilities.
    1. Maybe you browsed to an exploit site while researching the scam.
    2. Maybe these people were for real. If you had contracted malware before, it could be spamming people and launching attacks. All this could be tracked back to your internet account. There could be a group out there trying to help exploited users clean up their computers.

    Did they ever ask you to do anything that would be harmful, or was it just system log questions?
     
  12. JackReacher

    JackReacher Registered Member

    Joined:
    Mar 17, 2012
    Posts:
    67
    Location:
    South of the North Pole
    @badkins79 He just told me to browse to the Event Viewer and then told me all the security warnings were malware infections. I became uncooperative and he hung up. His directions corresponded exactly to the scam victims' accounts of their conversations.

    I think I got to the bottom of the large and unusual random files on my storage drive. On March 2nd (the day the files were last modified) the secure file deletion program 'Eraser' performed a scheduled free space wipe of that same drive. I think this accounts for the large files with random characters.
     
  13. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Yes, probably for some reason Eraser left some of its erasing files on your HDD. It is exactly how Eraser erases free disk space, by creating large files filled with random data. So it seems that the "weird" part of the problem was solved :)
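
The two posts above give a useful triage heuristic for anyone who finds the same kind of mystery files: free-space wipers like Eraser fill unallocated space with large files of random bytes under random-looking names, and the remnants share a size and a creation time. The script below is an added example written for this thread, not code from Eraser or from anyone in the discussion. It groups files by size, checks for extensionless names that mix letter cases, digits and symbols, and measures byte entropy on the head of each file (random data approaches 8 bits per byte). The thresholds, the sample names and the sample directory are constructed assumptions for the demo, not values taken from Eraser's documentation; on a real drive you would point `triage_directory` at the suspect folder and then confirm the verdict against the wiper's task log or schedule, as the poster did, rather than trusting the heuristic alone.

```python
import math
import os
import tempfile
from collections import defaultdict

# Thresholds are assumptions chosen for this example, not values from Eraser.
MIN_ENTROPY_BITS = 7.9      # random data approaches 8.0 bits per byte
SAMPLE_BYTES = 64 * 1024    # read only the head of each file; enough for a verdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random_name(name: str) -> bool:
    """True for extensionless names mixing at least three of: upper, lower, digit, symbol."""
    classes = (
        any(c.isupper() for c in name),
        any(c.islower() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    )
    return "." not in name and sum(classes) >= 3


def triage_directory(path: str) -> dict:
    """Split regular files under `path` into wipe-like remnants and everything else.

    A file is reported as wipe-like only when all three signals agree: at least
    one sibling of exactly the same size, a random-looking extensionless name,
    and near-maximal byte entropy in its first SAMPLE_BYTES.
    """
    by_size = defaultdict(list)
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            by_size[os.path.getsize(full)].append(full)

    verdicts = {"wipe_like": [], "other": []}
    for paths in by_size.values():
        same_size_group = len(paths) >= 2
        for full in paths:
            with open(full, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            wipe_like = (
                same_size_group
                and looks_random_name(os.path.basename(full))
                and shannon_entropy(head) >= MIN_ENTROPY_BITS
            )
            verdicts["wipe_like" if wipe_like else "other"].append(full)
    return verdicts


def build_sample_dir() -> str:
    """Create a temp directory of constructed data: three equal-sized files of
    random bytes under random-looking names (mimicking wipe remnants) plus one
    ordinary text file. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="wipe_triage_")
    for name in ("Qx7{kL)2pZ[a9", "tG3!mR}b4Yv(1", "z8K]Hq5^wN2@c"):  # constructed names
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly planning notes\n" * 200)  # low-entropy, unique size
    return d


def demo() -> dict:
    """Run the triage over the constructed sample and return sorted basenames."""
    verdicts = triage_directory(build_sample_dir())
    return {k: sorted(os.path.basename(p) for p in v) for k, v in verdicts.items()}


if __name__ == "__main__":
    for verdict, names in demo().items():
        print(verdict, names)
```

Requiring all three signals together keeps the false-positive rate down: encrypted containers and compressed archives also have near-8-bit entropy, but they normally carry an extension and a size that matches nothing else on the drive, so they land in "other" and get looked at individually.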
     