  • FPCH Staff

I'm looking at a computer where someone called the user and told them that there was a problem with their computer. The user allowed them remote access and gave them the password to get into their machine. We've since changed the password.

I see that the scammer put three files on this Windows 10 machine:

1) AnyDesk.exe onto the Desktop
2) FixMeit Client.exe into the Downloads folder
3) An MS Access file titled "New Microsoft Access Database.accdb"

It doesn't look like any executables were installed.

 

What piques my curiosity is that MS Access file. What would that be for?

Hi Tony,

 

I see that the scammer put three files on this Windows 10 machine:

AnyDesk.exe onto the Desktop

AnyDesk is a popular Remote Desktop application; no administrative privileges or installation are required.

FixMeit Client.exe into the Downloads folder

With FixMe.IT, connecting to a remote desktop becomes as simple as a mouse click.

You can direct the client to your website to start a support session or you can easily manage unattended machines from your account console.

 

An MS Access file titled "New Microsoft Access Database.accdb"

The title doesn't give anything away.

It's been a long time since I wrote or used Access databases... but New Microsoft Access Database.accdb is the generic title for a new database.

.accdb files are related to versions of Access since 2007.

The database could include any number of things... even macros (which can be used for malware purposes).

If this was placed by the scammer it may well be password protected (as this is possible with these files).

Does the user have M$ Access 2007 or newer installed?

 

Have you tried deleting these files and then running a malware scan?

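An offline triage check for files like the three named in this thread, added here as an example; it is not code from the thread, from AnyDesk, FixMe.IT or Microsoft. It does two things a helper would want before deciding what to delete: it computes the SHA-256 of each file (the value you would look up on VirusTotal) and it classifies each file by its header rather than its extension, using the "Standard ACE DB" / "Standard Jet DB" marker Access writes at offset 4 of its database files and the "MZ" marker at the start of every Windows executable. It goes slightly beyond the thread by also flagging the case of an executable renamed to look like a database. The file contents are constructed stand-ins written to a temp directory (not the real AnyDesk or FixMe.IT binaries or the user's database), and `disguised.accdb` is hypothetical.

```python
"""Offline triage helper for files a remote-access scammer left behind.

Constructed example: the sample files are stand-ins built in a temp
directory, not the real AnyDesk / FixMe.IT binaries or the user's database.
"""
import hashlib
import os
import tempfile

# Marker Access writes at offset 4 of every database file; the .accdb
# variant ("Standard ACE DB") belongs to Access 2007 and newer.
ACCESS_SIGNATURES = {
    b"Standard ACE DB": "Access 2007+ database (.accdb)",
    b"Standard Jet DB": "Access 97-2003 database (.mdb)",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable

# What the extension claims the file is; anything else is a mismatch.
EXPECTED_KIND_BY_EXT = {
    ".exe": "Windows executable (PE)",
    ".accdb": "Access 2007+ database (.accdb)",
    ".mdb": "Access 97-2003 database (.mdb)",
}


def sha256_of(path):
    """Stream the file through SHA-256; this is the hash to look up on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Decide from the header, not the extension, what kind of file this is."""
    with open(path, "rb") as f:
        head = f.read(32)
    if head[:2] == PE_MAGIC:
        return "Windows executable (PE)"
    for sig, desc in ACCESS_SIGNATURES.items():
        if head[4:4 + len(sig)] == sig:
            return desc
    return "unknown"


def triage(paths):
    """Hash each file and flag any whose content does not match its extension."""
    report = []
    for p in paths:
        kind = classify(p)
        expected = EXPECTED_KIND_BY_EXT.get(os.path.splitext(p)[1].lower())
        report.append({
            "name": os.path.basename(p),
            "sha256": sha256_of(p),
            "kind": kind,
            "mismatch": expected is not None and kind != expected,
        })
    return report


def build_samples():
    """Write constructed stand-ins for the thread's three files plus one disguised file."""
    d = tempfile.mkdtemp(prefix="scam-triage-")
    samples = {
        "AnyDesk.exe": PE_MAGIC + b"\x00" * 62,                 # constructed, not the real binary
        "FixMeit Client.exe": PE_MAGIC + b"\x00" * 62,          # constructed, not the real binary
        "New Microsoft Access Database.accdb":
            b"\x00\x01\x00\x00Standard ACE DB\x00" + b"\x00" * 44,  # constructed Access header
        "disguised.accdb": PE_MAGIC + b"\x00" * 62,             # hypothetical: an EXE renamed .accdb
    }
    paths = []
    for name, content in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    return paths


if __name__ == "__main__":
    for entry in triage(build_samples()):
        flag = "  <-- content does not match extension" if entry["mismatch"] else ""
        print(f'{entry["name"]:40} {entry["kind"]:32} {entry["sha256"][:16]}...{flag}')
```

On a real machine you would pass the actual paths (Desktop\AnyDesk.exe, Downloads\FixMeit Client.exe, the .accdb) to `triage()` instead of `build_samples()`; the header check only tells you what container the file is, so a genuine .accdb still needs to be opened in a sandboxed Access (or not at all) before you trust what is inside it.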

  • Author
  • FPCH Staff

Thanks Pete. It has MS Office Home and Student 2010. Looks like it also has or had Office Professional 2010 Trial edition, which has expired.

You confirmed my findings on AnyDesk, I hadn't researched the FixMeit Client yet.

 

I thought I sent all three of those files to VirusTotal. Results were clean.

 

MBAM found only PUPs.

The installed McAfee found nothing.

ESET found one item in AppData\Local\Mozilla\Firefox\Profiles\ks412v3u.default\cache2\entries\ (some long alpha-numeric file name).

Threat name: HTML/FakeAlert.DQ trojan

Hi Tony,

 

It has MS Office Home and Student 2010.

Looks like it also has or had Office Professional 2010 Trial edition which has expired.

Either way, the MS Access file is useless.

As you can see, neither the trial (Starter) version nor the H & S version has Access installed.

[attached screenshot]

  • Author
  • FPCH Staff
Thanks, I think it's clean. MBAM shows the usual: MindSpark, loloSC, RegCurePro, Conduit. They've been quarantined.