Looking for answer

I’m probably overstepping my bounds here, but this is the only place I could find that in all my searching referenced a scam that, hopefully, my mother (in her 80s) avoided.

She got an email for a PayPal charge from alisha hall [email protected]
addressed to a TON of similarly spelled emails (probably sequential off a list)

The text of that email is below.

They got her to open a browser and open a page gxcare.cc (referring to this URL is how I found you guys with some other keywords) that had her enter a code; my guess is that probably gave them access to her computer (like tech support).

She then had a Google Docs page that honestly was a pretty piss poor PayPal looking thing, but she entered a lot of personal information there, no routing numbers or anything crazy but still NOT GOOD. (Using history I found this again and subsequently reported via Google links and it’s been removed.)

They then wanted her to open another tab and log into her bank, she said the whole time she was questioning them, but at this point she hung up on them and got me.

I shut her computer off. Can anyone give me an idea of what exposure she has? It seems that most of the Google Docs stuff might have been just a part of the ‘confidence game’ and the real damage would have been with logging into the bank, but could there have been something installed or other issues?

Any help is appreciated.

Mountain_man

"PayPal® Alert!!

Date: 01-29-2024

Your Subscription with Geek Squad will Renew Today. This is a receipt for your recent purchase.

Your card linked with your PayPal® account has been auto-debited for $327.86 and your annual subscription has been auto renewed successfully.

Receipt ID : WIAYTZXEACWZART

Product : Geek Squad Deluxe Protection

Product Key : NQUS-821J-SI82-XIHA
Amount : $327.86

Description:-

Geek Squad SECURE™

Geek Squad PROTECTION (Including Tax)

TAX RATE : $10.00

Total : $337.86

If you don’t authorised this charges you have 24hrs, to cancel and get an Instant refund of your

annual subscription by contacting our customer support team:+1(866) 898-1667

THANK YOU FOR PURCHASING

Case of cancellation reach us here: +1(866) 898-1667

PayPal® Support. 38780, Tempe, Arizona, United States
PayPal® Inc, All right reserved Privacy - Security - Terms of Service

Copyright @ 2024"

4 Likes

866-898-1667 Austin Monday 1-29-24 3:21PM EST

1 Like

866-898-1667 Still Active Kevin Monday 1-29-24 5:19PM EST

1 Like

Make sure there’s no “screen connect/connectwise” software on her PC. It hides when running, so below is how to find and remove it from her system. It’s imperative to get rid of it as it is NASTY!

  1. Open Program and Features, Control Panel > All Control Panel Items > Programs and Features
  2. Search for “ScreenConnect Client” in the list of software installed.
  3. You should see something similar to “ScreenConnect Client (xxxxxxxxxxxxxxxx)”, where “xxxxxxxxxxxxxxxx” represents the unique thumbprint. Note this thumbprint down somewhere as you will need it for the rest of the steps.

Delete all traces of ScreenConnect Client (xxxxxxxxxxxxxxxx) from C:\

  1. Open File explorer
  2. Search, find and delete any folders named “ScreenConnect Client (xxxxxxxxxxxxxxxx)” in the following directories:

C:\Program Files
C:\Program Files (x86)
C:\ProgramData

  3. Do a search through C:\ for “ScreenConnect Client (xxxxxxxxxxxxxxxx)” to confirm all traces have been removed.

Delete all traces of ScreenConnect Client (xxxxxxxxxxxxxxxx) from Registry Editor

  1. Open “RegEdit” with Admin privileges
  2. Do a “CTRL+F” to bring up search bar
  3. Search the registry for any traces of the ScreenConnect instance “ScreenConnect Client (xxxxxxxxxxxxxxxx)” & “xxxxxxxxxxxxxxxx”, where “xxxxxxxxxxxxxxxx” represents the unique thumbprint.
  4. Delete these entries from the registry

Delete the ScreenConnect service from Windows Services

  1. Open an elevated command prompt
  2. Run the following command (where “xxxxxxxxxxxxxxxx” represents the unique thumbprint):

sc delete "ScreenConnect Client (xxxxxxxxxxxxxxxx)"

  3. Open Services and confirm the ScreenConnect service has been deleted. This may take a few minutes for the command to process after running it.

Remove app from Programs and Features

Confirm that the ScreenConnect app was removed from the Programs and Features list. If not, try to uninstall it from Programs and Features. If you run into an error, do the following:

  1. Download Microsoft Uninstaller Tool
  2. Run the tool and use it to check/uninstall the app “ScreenConnect Client (xxxxxxxxxxxxxxxx)”

After this the ScreenConnect app should be fully uninstalled. One reboot for safe measure and…

That’s it! ScreenConnect should now be removed and ready for re-installation.

4 Likes
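
The checks in the post above (Programs and Features entry, service, and the three folders), gathered into one read-only PowerShell audit; this is an added example, not part of the original post. It assumes the “ScreenConnect Client (...)” naming the post gives, and the function name `Get-ScreenConnectTrace` is made up for illustration.

```powershell
# Added example: read-only audit, nothing is deleted or changed.
# Run from an elevated PowerShell prompt so every service and key is visible.
$NamePattern = 'ScreenConnect Client*'   # name format given in the post

function Get-ScreenConnectTrace {
    # 1. Installed-program entries (what Programs and Features displays)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Program'; Name = $_.DisplayName; Detail = $_.PSPath }
        }

    # 2. Windows services, with the binary each one launches
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = "Service ($($_.State))"; Name = $_.Name; Detail = $_.PathName }
        }

    # 3. Folders in the three directories listed in the post
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
        Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem -Path $roots -Directory -Filter $NamePattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Folder'; Name = $_.Name; Detail = $_.FullName }
        }
}

$traces = @(Get-ScreenConnectTrace)
if ($traces.Count -eq 0) {
    'No "ScreenConnect Client" program, service or folder found.'
} else {
    # The text in parentheses is the thumbprint the post says to note down.
    $traces | ForEach-Object {
        $thumb = if ($_.Name -match '\(([^)]+)\)') { $Matches[1] } else { '' }
        $_ | Add-Member -NotePropertyName Thumbprint -NotePropertyValue $thumb -PassThru
    } | Format-Table Type, Name, Thumbprint, Detail -AutoSize -Wrap
}
```

An empty result only covers the names listed in the post; a remote-access tool installed under a different name would not be reported.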

Thank you very much for the assistance. She didn’t have any of this software on her computer nor registry.

3 Likes

Blessings to you and your mom. Welcome to the community! @Mountain_Man

The page gxcare.cc is to specifically download connectwise, so if she input the code, double and triple check that program is off like @Jhawk explained. It is a hidden program and we cannot stress that enough, it’s a dangerous and nasty program.

Thank you for sharing your and your mom’s experience!

2 Likes

gxcare.cc one instance Sept 2023 PayPal scammer Benjamin Watson 844-627-2104

2 Likes

Thank goodness @Mountain_Man, helping each other is what we do here…Welcome to our community btw. If she were my mom, I would also disable the Remote Desktop Services within Control Panel>Admin Tools>Services. It’s what I do for all my elderly neighbors.

2 Likes