Virus

44 replies to this topic

#1 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 08 May 2025 - 03:27 PM

Yesterday, on my remotely controlled mini PC at a dark site, I tried to download a program to help me see what device is on my COM ports. Instead I accidentally clicked (as the bad guys planned) on a virus program called PC App Store.

It covers my whole remote screen and cannot be removed. I can see the process tray, but when I try to move it to the screen to remove the app (it's in the programs file), the process just reverts to the process tray.

All I can access is Task Manager, and I haven't figured out a way to delete it from there because I cannot re-start in Safe Mode remotely with Google Remote Desktop.

Gosh, I am not a coder at all, and rows of command prompts usually defeat me with spaces, brackets and backslashes.  Anyone know how to kill this evil thing?  I can't get to my desktop!  I looked in Task Manager for the PC App Process and it is not there.


Edited by arrowspace90, 08 May 2025 - 03:30 PM.


#2 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 08 May 2025 - 03:46 PM

Hold down the Windows key and press R. Type "control" in the text box you will see. Click on "Programs and Features". Sort by date installed, descending (click on that column head). Uninstall it.

 

This isn't a virus, it's a program with misleading information, a type of phishing.

 

-drl



#3 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 08 May 2025 - 04:16 PM

Hold down the Windows key and press R. Type "control" in the text box you will see. Click on "Programs and Features". Sort by date installed, descending (click on that column head). Uninstall it.

 

This isn't a virus, it's a program with misleading information, a type of phishing.

 

-drl

Hi, thank you. This is a remote PC 200 miles away that I reach via Google Remote Desktop. When I hold down the Windows button and go to uninstall an app, it shows me apps here on my house desktop. So I see the PC App Store in programs, and I click on "uninstall". Nothing happens and I am returned to the full, blocking screen on my remote PC.



#4 bignerdguy

bignerdguy

    Vanguard

  • *****
  • Posts: 2,252
  • Joined: 31 Oct 2019
  • Loc: Lewisville, TX

Posted 08 May 2025 - 04:31 PM

Are you still able to install software on the machine? If so, download and install Malwarebytes and run it. It might clean up the issue if it's malware.



#5 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 08 May 2025 - 04:36 PM

No I’m unable to get to anything except Task Manager. There is a usb stick on my camera down there and I will have to ask them to delete the data on it and download the Malwarebytes rescue to it.

#6 madmandrews

madmandrews

    Ranger 4

  • *****
  • Posts: 397
  • Joined: 19 Jun 2020
  • Loc: Savannah, GA

Posted 08 May 2025 - 04:41 PM

Similar thing happened to me when trying to download WinJupos on the fly in the field and accidentally clicked on a fake site. Tried many recommended remedies before finally giving up and reinstalling the operating system.



#7 vpastro

vpastro

    Lift Off

  • -----
  • Posts: 2
  • Joined: 17 Dec 2018
  • Loc: Melbourne, Australia

Posted 08 May 2025 - 04:50 PM

If you still have access to the task manager, you can try to run a new task from in there. If you click run new task, and then type appwiz.cpl, it should bring up the add and remove programs box. You can then sort by date, and uninstall everything installed on that date. Hopefully this will work. If not, you could try and run rstrui.exe as a new task which should start up system restore. Hopefully you can go back a few days to fix the issue.

Hope this helps,

Andrew


  • gmiller123456 likes this
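The procedure in posts #2 and #7 (open Programs and Features, sort by install date, uninstall the newest entry) can be done without the Control Panel GUI at all, and doing it in a shell has one advantage that matters in this thread: you can first check which machine you are actually on. The script below is an added example, not code from the thread or from any of the posters. It assumes the adware registered a normal Uninstall entry (the program-list screenshot later in the thread suggests it did) whose display name contains "PC App Store"; `$SuspectName` and `$RunUninstaller` are names chosen here for illustration. It is meant to be started from Task Manager on the remote session (File > Run new task > `powershell`, with the administrative-privileges box ticked), which is the same launch path as `appwiz.cpl`.

```powershell
# Added example, not from the thread. Run ON THE REMOTE MACHINE from Task Manager:
# File > Run new task > type  powershell  and tick "Create this task with administrative privileges".
# Assumptions: the adware has a normal Uninstall entry whose DisplayName contains "PC App Store"
# (name taken from the thread); $SuspectName and $RunUninstaller are illustrative names.
$SuspectName    = '*PC App Store*'
$RunUninstaller = $false   # keep $false: an UninstallString is attacker-supplied code, inspect it first

# 1. Confirm which machine this shell is on. The Windows key, Ctrl-Alt-Del and Ctrl-Shift-Esc are
#    handled by the LOCAL keyboard handler, so a Task Manager listing the home PC's programs is the
#    wrong one. If this prints the home desktop's name, stop and reopen it inside the remote session.
"Running on $env:COMPUTERNAME as $env:USERNAME"

# 2. Read the same data appwiz.cpl shows, straight from the registry. The HKCU key holds per-user
#    installs, which adware favours because they need no admin prompt and are easy to overlook.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation,
                  UninstallString, QuietUninstallString, PSPath

# 3. Newest first. InstallDate is a yyyyMMdd string; entries without one sort to the bottom.
$apps |
    Sort-Object { if ($_.InstallDate) { $_.InstallDate } else { '00000000' } } -Descending |
    Select-Object -First 15 |
    Format-Table DisplayName, Publisher, InstallDate, InstallLocation -AutoSize

# 4. Show what the suspect's uninstall entry would actually execute before deciding to run it.
foreach ($app in ($apps | Where-Object { $_.DisplayName -like $SuspectName })) {
    "--- $($app.DisplayName) (publisher: $($app.Publisher), installed: $($app.InstallDate))"
    "Install location : $($app.InstallLocation)"
    "Uninstall string : $($app.UninstallString)"
    "Registry entry   : $($app.PSPath)"

    $cmd = if ($app.QuietUninstallString) { $app.QuietUninstallString } else { $app.UninstallString }
    if ($RunUninstaller -and $cmd) {
        # cmd.exe parses the vendor's own quoting; -Wait so the script does not race the uninstaller.
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait
    }
}
```

Two things worth keeping in mind when reading the output. First, the install location and the registry entry are the useful facts even when the uninstaller does nothing (as the original poster reports): the folder can be deleted by hand and the entry removed with `Remove-Item` on its PSPath once nothing from that folder is running. Second, an UninstallString is whatever the installer wrote there; for adware that can just as easily be "reinstall" as "uninstall", which is why the script prints it and leaves `$RunUninstaller` off by default.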

#8 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 08 May 2025 - 07:21 PM

Hi, thank you. This is a remote PC 200 miles away that I reach via Google Remote Desktop. When I hold down the Windows button and go to uninstall an app, it shows me apps here on my house desktop. So I see the PC App Store in programs, and I click on "uninstall". Nothing happens and I am returned to the full, blocking screen on my remote PC.

 

There is probably a way to make the Windows key act on the remote machine.

 

But you can also do this.

 

Open a command prompt in administrator mode - find the icon for Command Prompt, right-click, select "More.." and choose "Run as administrator". Then just type "control" at the prompt and Control Panel will appear.

 

Command Prompt is under "Windows System". Click a letter on the start menu, click on W, and then open the list below Windows System.

 

-drl



#9 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 08 May 2025 - 07:23 PM

Similar thing happened to me when trying to download WinJupos on the fly in the field and accidentally clicked on a fake site. Tried many recommended remedies before finally giving up and reinstalling the operating system.

 

This is almost never required. You'd have to have a really bad malware attack to necessitate it. More ill-founded folklore.

 

-drl



#10 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 08 May 2025 - 07:27 PM

Hi, thank you. This is a remote PC 200 miles away that I reach via Google Remote Desktop. When I hold down the Windows button and go to uninstall an app, it shows me apps here on my house desktop. So I see the PC App Store in programs, and I click on "uninstall". Nothing happens and I am returned to the full, blocking screen on my remote PC.

 

Another solution is to create another account with administrator privileges, and then temporarily switch to that account. That's also in Control Panel under User Accounts. After it's fixed, you can remove the new account.

 

-drl



#11 gmiller123456

gmiller123456

    Viking 1

  • -----
  • Posts: 907
  • Joined: 25 Dec 2020

Posted 08 May 2025 - 11:09 PM

The steps vpastro gave above would be your best bet at running the uninstaller. But I doubt it will help. Once you've given a program control, the only way to get rid of it for sure (without physical access) is for it to voluntarily give up control, though some are more persistent than others. No malware is going to have a real uninstaller.

 

You might be in luck though, the Reddit thread below suggests using Task Manager to kill a process called "fa_rss", then find the file on the hard drive and delete it.

https://www.reddit.c...p_store_adware/

 

But, if this were a system where you had any sensitive data, the only way to know you've gotten rid of everything is a complete reinstall from the OS level up.  Since it's just a telescope control unit, it's probably not worth that level of effort though.


  • vpastro likes this

#12 madmandrews

madmandrews

    Ranger 4

  • *****
  • Posts: 397
  • Joined: 19 Jun 2020
  • Loc: Savannah, GA

Posted 09 May 2025 - 05:47 AM

This is almost never required. You'd have to have a really bad malware attack to necessitate it. More ill-founded folklore.

 

-drl

And you were here at my house to make your skilled evaluation?

"Folklore" or not, it happened - malware reloaded every time the unit booted up. Reinstalling OS was the only way to be sure that it was completely eliminated.


  • Steve Cox likes this
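Post #11's recipe (kill the process, then find the file and delete it) and post #12's experience (it reloaded on every boot) are two halves of the same job: find where the thing lives and find what restarts it, and deal with the restart mechanism before the file. The script below is an added example, not code from the thread, the Reddit post or the posters. The only specific it takes from the thread is the process name `fa_rss`; the autostart locations it sweeps (Run/RunOnce keys, scheduled tasks, Startup folders) are the standard Windows ones, not anything known about PC App Store in particular. `$SuspectNames`, `$Act` and `Test-Suspect` are names chosen here. It reports by default and only removes things when `$Act` is set to `$true`, so the list can be read first.

```powershell
# Added example, not from the thread. Elevated PowerShell on the remote machine
# (Task Manager > File > Run new task > powershell, administrative-privileges box ticked).
# Assumptions: 'fa_rss' is the process name the cited Reddit thread gives for this adware;
# the autostart locations below are the standard Windows ones. $SuspectNames, $Act and
# Test-Suspect are illustrative names.
$SuspectNames = @('fa_rss')   # add any other names Task Manager shows for the adware
$Act          = $false        # $false = report only; $true = remove autostarts and binaries

# 1. Record each suspect process's image path BEFORE killing it: the path is what has to be
#    deleted and what the autostart entries will point at. Kill them all in one pass so that a
#    pair of processes that restart each other do not get the chance.
$procs = Get-Process | Where-Object { $SuspectNames -contains $_.ProcessName }
$paths = @()
foreach ($p in $procs) {
    $img = $null
    try { $img = $p.Path } catch { }          # Path can throw for protected/foreign-bitness processes
    "PID $($p.Id)  $($p.ProcessName)  -> $img"
    if ($img) { $paths += $img }
}
$procs | Stop-Process -Force -ErrorAction SilentlyContinue
$paths = @($paths | Sort-Object -Unique)

# A command line or registry value "refers to" a suspect if it contains a suspect name or path.
$needles = @($SuspectNames) + $paths
function Test-Suspect([string] $text) {
    foreach ($n in $needles) { if ($text -match [regex]::Escape($n)) { return $true } }
    return $false
}

# 2. Run / RunOnce keys, for the current user and for the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if (Test-Suspect ([string] $prop.Value)) {
            "AUTORUN  $key\$($prop.Name) = $($prop.Value)"
            if ($Act) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. Scheduled tasks whose action launches a suspect.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (Test-Suspect "$($a.Execute) $($a.Arguments)") {
            "TASK     $($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
            if ($Act) { Unregister-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Confirm:$false }
        }
    }
}

# 4. Startup folders (per-user and all-users). List everything; they are normally near-empty.
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | ForEach-Object {
    "STARTUP  $($_.FullName)"
    if ($Act -and (Test-Suspect $_.FullName)) { Remove-Item -LiteralPath $_.FullName -Force }
}

# 5. Only after the restart mechanisms are gone, delete the binaries themselves.
foreach ($img in $paths) {
    if (Test-Path -LiteralPath $img) {
        "BINARY   $img"
        if ($Act) { Remove-Item -LiteralPath $img -Force }
    }
}
```

Run it once with `$Act = $false`, read the AUTORUN/TASK/STARTUP lines, then run it again with `$Act = $true` and reboot to confirm nothing comes back. Two caveats. If every hit is under HKCU or the per-user Startup folder, the adware is tied to that one Windows account, which is exactly why the new-administrator-account suggestion elsewhere in this thread works: a fresh profile has none of those entries. And the sweep covers the common autostart points, not every one (services, WMI subscriptions and browser extensions are outside it), so gmiller123456's point stands: for a machine holding anything sensitive, a rebuild is the only way to be certain; for a telescope controller this level is usually enough.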

#13 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 09 May 2025 - 09:40 AM

And you were here at my house to make your skilled evaluation?

"Folklore" or not, it happened - malware reloaded every time the unit booted up. Reinstalling OS was the only way to be sure that it was completely eliminated.

 

Really bad malware does not pester you, it blows PCs up. This sounds like pesterware, and may in fact just be a browser window of a particular sort. Anyway do the above and you'll be fine.

 

-drl



#14 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 09:57 AM

Nothing I am trying works.

Here is a phone photo, you can see the offender highlighted at the bottom. If I click in it for the main screen it doesn't happen. I can't click uninstall.
When I get Control Panel from Task Manager, it appears to show programs from my home desktop, not the remote computer. PC App Store isn't in the list.

the same thing seems to be happening with system restore

Attached Thumbnails

  • IMG_2025-05-09-095136.jpeg


#15 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 10:08 AM

Here is my remote program list, and highlighted is the PC App Store. I can't click on this, it disappears.

This awful thing has apparently been upgraded from what I see on the internet.

Not sure I can reach it remotely?

Attached Thumbnails

  • glitch.jpg

Edited by arrowspace90, 09 May 2025 - 10:21 AM.


#16 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 10:17 AM

If you still have access to the task manager, you can try to run a new task from in there. If you click run new task, and then type appwiz.cpl, it should bring up the add and remove programs box. You can then sort by date, and uninstall everything installed on that date. Hopefully this will work. If not, you could try and run rstrui.exe as a new task which should start up system restore. Hopefully you can go back a few days to fix the issue.

Hope this helps,

And

The task manager seems to be pulling up programs from my desktop instead of the remote.  



#17 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 09 May 2025 - 10:50 AM

The task manager seems to be pulling up programs from my desktop instead of the remote.  

 

Again, Ctrl-Alt-Del will be intercepted by the local keyboard handler on the local machine, like the Windows key. As I said, there are ways to inform the local client to pass special keys to the remote host, but it is not necessary. Follow the instructions for starting a command prompt with elevated privileges. That will all happen on the target machine. If you can get that going, someone will hold your hand while the mess is cleaned up.

 

-drl


Edited by deSitter, 09 May 2025 - 10:51 AM.


#18 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 11:16 AM

Again, Ctrl-Alt-Del will be intercepted by the local keyboard handler on the local machine, like the Windows key. As I said, there are ways to inform the local client to pass special keys to the remote host, but it is not necessary. Follow the instructions for starting a command prompt with elevated privileges. That will all happen on the target machine. If you can get that going, someone will hold your hand while the mess is cleaned up.

 

-drl

C'mon, everyone is not an IT guy. I have Malwarebytes on my home computer. I used "control/shift/escape" as I was instructed to do. I got to Control Panel but it was my desktop Control Panel. I went to "file/create new task/control" and I checked the box for administrator.

I typed in appwiz.cpl and this is what it pulled up.  These are programs on my home, desktop computer, not on the remote one.

Attached Thumbnails

  • programs.jpg


#19 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 11:20 AM

The steps vpastro gave above would be your best bet at running the uninstaller. But I doubt it will help. Once you've given a program control, the only way to get rid of it for sure (without physical access) is for it to voluntarily give up control, though some are more persistent than others. No malware is going to have a real uninstaller.

 

You might be in luck though, the Reddit thread below suggests using Task Manager to kill a process called "fa_rss", then find the file on the hard drive and delete it.

https://www.reddit.c...p_store_adware/

 

But, if this were a system where you had any sensitive data, the only way to know you've gotten rid of everything is a complete reinstall from the OS level up.  Since it's just a telescope control unit, it's probably not worth that level of effort though.


I saw this Reddit entry yesterday.  All of these posts assume you are working on a PC that you can access directly, physically.  Not remotely.  But thank you very much.



#20 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 11:22 AM

If you still have access to the task manager, you can try to run a new task from in there. If you click run new task, and then type appwiz.cpl, it should bring up the add and remove programs box. You can then sort by date, and uninstall everything installed on that date. Hopefully this will work. If not, you could try and run rstrui.exe as a new task which should start up system restore. Hopefully you can go back a few days to fix the issue.

Hope this helps,

Andrew

I just tried this exact thing.  It brought up programs from my home desktop computer, not the remote one.  Apparently this makes a crucial difference.



#21 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 09 May 2025 - 11:27 AM

C'mon, everyone is not an IT guy. I have Malwarebytes on my home computer. I used "control/shift/escape" as I was instructed to do. I got to Control Panel but it was my desktop Control Panel. I went to "file/create new task/control" and I checked the box for administrator.

I typed in appwiz.cpl and this is what it pulled up.  These are programs on my home, desktop computer, not on the remote one.

 

Go to the remote session and click the start button. Click on any capital letter visible. This will bring up all the letters and numbers. Click on W. Expand the list under "Windows System". Right-click on Command Prompt. Click on "More...". Click on "Run as administrator". In the command prompt window, type "control" (no quotes) and enter. Click on "Programs and Features". Sort by date, descending (click on the "Installed On" column until the dates are descending). Look near the top of the list and you will see your baddie, assuming that's how it was installed.

 

If that doesn't work because it's not actually an installed program, create a new account with administrator privileges, then remove the compromised account.

 

Like it or not, you ARE an IT guy for your own equipment.

 

-drl



#22 gmiller123456

gmiller123456

    Viking 1

  • -----
  • Posts: 907
  • Joined: 25 Dec 2020

Posted 09 May 2025 - 11:33 AM

I saw this Reddit entry yesterday. All of these posts assume you are working on a PC that you can access directly, physically. Not remotely. But thank you very much.


No, those steps don't require physical access. But, from your other posts, it seems you've got an upgraded version that interferes with the process.

#23 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 11:45 AM

No, those steps don't require physical access. But, from your other posts, it seems you've got an upgraded version that interferes with the process.

Yeah, this thing is obviously smarter than I am, of course that's not saying much regarding computers.  But I have tried everything people have suggested including system restore from task manager using control/shift/escape, selecting "file" and then checking the administrator box.  They bring up my desktop, not the remote.  Any way to get around this?

I have sent a message to support at my remote site, asking them to physically restart my computer in "safe mode" so that the PC App Store malware can be deleted.  Failing that, I have a usb stick on my camera down there, they can delete the old data on it and download the malwarebytes rescue and put that into the physical mini pc on my scope.

It's hard to fathom what these hackers think they will gain by making the computer unusable instead of just hiding on it to steal data (ha, in this case, star images).  There are some twisted ugly minds out there.



#24 deSitter

deSitter

    Still in Old School

  • *****
  • Posts: 22,256
  • Joined: 09 Dec 2004

Posted 09 May 2025 - 11:48 AM

Yeah, this thing is obviously smarter than I am, of course that's not saying much regarding computers.  But I have tried everything people have suggested including system restore from task manager using control/shift/escape, selecting "file" and then checking the administrator box.  They bring up my desktop, not the remote.  Any way to get around this?

I have sent a message to support at my remote site, asking them to physically restart my computer in "safe mode" so that the PC App Store malware can be deleted.  Failing that, I have a usb stick on my camera down there, they can delete the old data on it and download the malwarebytes rescue and put that into the physical mini pc on my scope.

It's hard to fathom what these hackers think they will gain by making the computer unusable instead of just hiding on it to steal data (ha, in this case, star images).  There are some twisted ugly minds out there.

 

If you start in Safe Mode you will not have remote access.

 

Anyway when you get around to trying what I've mentioned 3 or 4 times, call out.

 

-drl



#25 arrowspace90

arrowspace90

    Surveyor 1

  • *****
  • topic starter
  • Posts: 1,537
  • Joined: 15 May 2009
  • Loc: United States

Posted 09 May 2025 - 11:57 AM

If you start in Safe Mode you will not have remote access.

 

Anyway when you get around to trying what I've mentioned 3 or 4 times, call out.

 

-drl

I give up, what did I miss?  I tried to follow EXACTLY what you said!  What did I not do????

True, I cannot restart the remote in "Safe Mode" without physical access to it.


Edited by arrowspace90, 09 May 2025 - 11:58 AM.



Cloudy Nights LLC