Big problem. Possibly "hacked" from China.

Okay, I don’t know all the specifics of what is going on here myself because I wasn’t in the room when this happened and this isn’t my personal laptop. It’s a work one - and not mine - which has information on it worth money going into possible millions.

Someone who claimed to be from an online tech support Co. told the laptop’s owner to download and use LogMeIn Rescue when it became clear she couldn’t log in to FB. After the program was run, which said in its main window that some support tech got full system access, and the last line of the GUI app said “configuring…”, the really freaky stuff started.

A command prompt window opened, at which point Cmd went through a WHOLE $#&#&$@ BUNCH of tree commands with some files whose names look like a cross between WinSXS backup files and web markup (visible in pic), and the color of the cmd prompt (I first got in front of the computer at this point) changed from white to red. The last line was:

"computer hacked in china… etc "

I deactivated the internet as soon as I saw that, and I’m still here with it offline.
Running Malwarebytes is the only thing I can think of at this point.

Anything else I can do? The user didn’t burn recovery CDs (this is an HP) and I thought Norton Internet Security with firewall was on this. Instead it’s protected by Windows Firewall >.< and TrendMicro (even worse IMHO) Titanium.

Run and RunOnce don’t show anything weird - except for “uninstall SkyDrive” entries, which I thought couldn’t be done without breaking Win 8. Should I delete them?

Please help, I don’t know what’s going on. If worse comes to worse I may be in over my head.

(EDIT: I checked the programs menu and it doesn’t say anything about LogMeIn ever having been installed.)

[attachment deleted by admin]
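As an added triage example (not code from this thread or from any of the tools mentioned in it), the read-only PowerShell script below does the Run/RunOnce check described above in a more systematic way: it lists every autostart value under the usual HKLM and HKCU keys, resolves the executable each one launches, and flags entries whose file is missing or whose Authenticode signature does not verify. The key list and the flagging rule are assumptions chosen for this example.

```powershell
# Added triage script: enumerate Run/RunOnce autostart entries and flag the
# ones worth a closer look. It changes nothing on the system.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    param([string]$Command)
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   foo.exe -x
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"')   { return $Matches[1] }
    if ($expanded -match '^(\S+\.exe)')  { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$report = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = $item.GetValue($name)
        $path   = Get-CommandPath $cmd
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        # A missing target is itself suspicious (leftover of a removed or
        # hidden program); otherwise check the file's signature status.
        $sig = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $cmd
            Signature  = $sig
            Suspicious = ($sig -ne 'Valid')   # anything not cleanly signed
        }
    }
}

# Suspicious entries (e.g. unexpected "uninstall" values) sort to the top.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A `NotSigned` result is a prompt to inspect the file, not proof of infection: some legitimate vendor and Windows components are only catalog-signed or unsigned, so compare the flagged entries against what you know is installed before deleting anything.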

Pulled a format and system recovery, then checked with GMER again and found this:

And it’s calling on at least three pages of .dlls located in the system32 directory. What the hell IS it?

[attachment deleted by admin]

Install KillSwitch and hide all safe files…

This will then show you all the processes running that are not trusted… this will be a good hunting list.

Please see my article about How to Know if Your Computer Is Infected.

Also, I’m not sure about GMER. Hopefully someone else can help with this. By the way, is it possible for you to take screenshots of the results and upload those? Those taken by a camera are much more difficult to read.

Done that. All I see under untrusted processes are RIconMan and Fuel Service, which belong to Realtek card reader and ATI respectively.

Not possible to screenshot the earlier pic, but I can get one of the GMER results. Busy running CCE and I’ll report back with what that says.

(Pic up. I wish it could display the files on the bottom but none of those weird looking entries are.)

[attachment deleted by admin]

Written by Chiron :wink: A well-written how-to by the infamous Chiron :stuck_out_tongue:

Did you follow all the advice in my article, or were you responding to Melih’s post?

I did both, Chiron.

So far nothing out of the ordinary has shown up post-restore - full CCE scans of the system and USB drives that were attached prior to restore are clean. I have CIS6 on it now and have been up late running still other tests on it.

I’m thinking this might have been a scare designed to get people to pay the company in question money. Scambook has a previous complaint already lodged that runs along these lines.

If nothing came up with any of the programs you have run, I’m assuming it was. In that case it’s lucky, as many scareware programs will also infect the system with malware at the same time.

If anything suspicious comes up though, be sure to let us know. That said, hopefully everything’s fine.