Telephone scam

Posted on 2011-10-30
Last Modified: 2012-05-12
One of my clients received a phone call from a "Microsoft" technician, who reportedly had seen some issues with his machine. Without thinking, my client (who is extremely embarrassed but admitted to me what he did, so fair do's) allowed the bogus technician onto his machine via LogMeIn. He watched the technician take over his machine and didn't see any downloads or anything particularly worrying (Ha!). After this the caller put him onto the "resolution centre", where he was given the hard sell for some form of reg cleaner etc. for £250, but today's special offer was £150 if he bought it now. At which point my client woke up, realised what was going on, terminated the call and closed the machine down. Can I please have some suggestions as to how to ensure that the bogus technician has not opened any backdoors or left the machine violated in any particular way. We have run full virus and malware scans and all passwords will be changed shortly.
Any advice will be most gratefully received; any suggestions of removing the machine from the user because he is too stupid to have one will be giggled at, but then if everyone was clued up we'd all be out of a job.

Question by:oldtighthead

    Accepted Solution

    This is one of the better malware/virus removal guides I have used.

    In all honesty though, with the 'technician' having full access to your user's computer for a lengthy period of time, there isn't a 100% guarantee your machine will be clean of all backdoors/trojans/rootkits and so on. I would take it off the network ASAP and rebuild it from scratch.

    Expert Comment

    by:David Johnson, CD, MVP
    Treat the machine as compromised. Look at the company information that is stored on the machine and do a damage assessment. They should consider any personal information on that computer is now in the wild.

    Have you considered a newsletter advising your clients about this?

    Assisted Solution

    by:Rob Miners
    The Megabyte Solutions scam with so-called Microsoft technicians has been running over here for a few months now.

    The trick is that they get you to type eventvwr.msc into the Run box, open Windows Logs, select System and then filter for errors. They then tell you that all of the errors are from viral activity and you really need their services to clean your system. I can imagine how someone would feel if they were presented with all of those unfamiliar references and didn't realise that they were being conned.

    Lol, the last time I spoke to one of their representatives I was hung up on, when I said I was getting a "pen and paper to take notes, as I didn't own a PC".

    Here is a link to an "excellent article" by younghv that you can use to check out your client's system.


    Assisted Solution

    by:Lee W, MVP
    The only way to be 100% safe is to buy a new PC.
    The only way to be 99.9990% safe is to buy a new hard drive.
    The only way to be 99.990% safe is to perform a disk wipe using a tool like DBAN.
    The only way to be 99.90% safe is to format the drive.
    The only way to be 99.0% safe is to have a clean install of Windows.
    The only way to be 90.0% safe is to scan with known good tools for removing malicious software.

    And REGARDLESS of what option from the above you do, make sure he changes all his online passwords and puts a fraud watch on his credit cards.

    Assisted Solution

    After a quick recalculation of those numbers, in order as above, they should now read:


    Expert Comment

    Leew, you are missing something:

    It's not just the operating system that is compromised, but also the data. So the user cannot trust even the documents etc. that might be stored on the PC. All has to be restored from an earlier backup. This is why a backup strategy is so important.

    If the user moves some data from the infected system to the new PC, depending on the content it could reinfect the computer with the same viruses, malware etc. This is especially true when not only documents but also setup files are moved and later executed.

    Regarding the technician, the client should always ask for support contract details and, if unsure, call his Microsoft (key) account manager. If there is no such contract, he should be aware that MS will never call you for free...



    Expert Comment

    I've been getting those calls at my house at least a couple of times a week. So much for that do-not-call registry, right?

    Backing up the important user-created files, then formatting and reloading the machine, would be enough. It's very unlikely that any user-created files like pictures or documents are compromised. This is basically a scareware scam and I bet they are getting rich off it.

    Assisted Solution

    by:My name is Mud
    Remove the computer from the user... oh wait... that's not an option... if the user had access to other computers, then those PCs might have a breach problem... I'll go with alienvoice on that, burn the computer with fire and buy a new one... no wait... that's not an option... have you tried Linux??? It has OpenOffice and these days it looks and feels a lot like Windows...

    Author Comment

    I have managed to run a copy of Roguekiller on the machine with these results
    RogueKiller V6.1.5 [10/29/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: hxxp://

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: me [Admin rights]
    Mode: Scan -- Date : 10/31/2011 20:30:55

    Bad processes: 1
    [SUSP PATH] wanmpsvc.exe -- c:\windows\wanmpsvc.exe -> KILLED [TermProc]

    Registry Entries: 3
    [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{DB110174-A2E2-4C46-97E8-CD9322005FA7} : NameServer ( -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{DB110174-A2E2-4C46-97E8-CD9322005FA7} : NameServer ( -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    Particular Files / Folders:

    Driver: [LOADED]
    SSDT[258] : NtTerminateThread @ 0x805D2BDC -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37E9E)
    SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37E56)
    SSDT[254] : NtSuspendThread @ 0x805D48F4 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37F02)
    SSDT[224] : NtSetInformationFile @ 0x8057B034 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38C40)
    SSDT[213] : NtSetContextThread @ 0x805D173A -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37F66)
    SSDT[193] : NtReplaceKey @ 0x806261C4 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3C322)
    SSDT[116] : NtOpenFile @ 0x8057A1A6 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38B2C)
    SSDT[98] : NtLoadKey @ 0x80626314 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3C410)
    SSDT[62] : NtDeleteFile @ 0x80576C50 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38BD4)
    SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (\??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys @ 0xF3CD05C0)
    SSDT[37] : NtCreateFile @ 0x805790A8 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38A56)
    SSDT[19] : NtAssignProcessToJobObject @ 0x805D6642 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37FC0)
    S_SSDT[483] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38F74)
    S_SSDT[477] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E828)
    S_SSDT[378] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B39000)
    S_SSDT[298] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E7B0)
    S_SSDT[292] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E6CC)
    S_SSDT[237] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E774)
    S_SSDT[227] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E726)
    S_SSDT[191] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E69A)
    S_SSDT[13] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E64C)
    S_SSDT[7] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E7EC)

    HOSTS File:       localhost

    Finished : << RKreport[1].txt >>
    And have also run the latest malwarebytes scan which showed the machine clear.

    Ideas please, gentlemen: have "we" got away with it?

    Assisted Solution

    I have had machines appearing to be clear and a few weeks later showing similar symptoms. Whether that was from the previous infection or a new one we could not say.

    You can never be 100% sure; there are rootkits that are virtually impossible to find/remove.

    I would still suggest rebuilding it. But in the end that decision is up to you.

    Assisted Solution

    Did you install this software?

    \C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

    Trusteer helps you secure
    customer web access against
    financial malware attacks and
    fraudulent websites.

    So there was only [SUSP PATH] wanmpsvc.exe -- c:\windows\wanmpsvc.exe -> KILLED detected?

    Please also check whether the free cloud-based scanner is successful at detecting rootkits.
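Added here as an illustration, not code from the thread or from RogueKiller: a small Python triage pass over report lines in the layout posted above, to separate what the scanner killed or found from SSDT hooks that belong to the Trusteer Rapport install the last reply asks about. The allow-list of Trusteer directory prefixes is an assumption for the example; the sample report is constructed from the thread's own lines.

```python
import re

# Constructed sample in RogueKiller's report layout, taken from the lines the
# thread posted; the empty NameServer value is kept exactly as the page shows it.
SAMPLE_REPORT = r"""
[SUSP PATH] wanmpsvc.exe -- c:\windows\wanmpsvc.exe -> KILLED [TermProc]
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{DB110174-A2E2-4C46-97E8-CD9322005FA7} : NameServer ( -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
SSDT[258] : NtTerminateThread @ 0x805D2BDC -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37E9E)
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (\??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys @ 0xF3CD05C0)
S_SSDT[483] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38F74)
"""

# Assumed allow-list (hypothetical): directory prefixes of the one product the
# thread says was installed on purpose. Any other SSDT hook owner needs review.
KNOWN_HOOK_DIRS = (
    r"\??\c:\program files\trusteer",
    r"\??\c:\documents and settings\all users.windows\application data\trusteer",
)
PROC_RE = re.compile(r"^\[SUSP PATH\] (\S+) -- (.+?) -> (\w+)")
DNS_RE = re.compile(r"^\[DNS\] (.+?) : NameServer \((.*?)\)? -> FOUND")
HOOK_RE = re.compile(r"^(S_SSDT|SSDT)\[(\d+)\] : (.+?) -> HOOKED \((.+?) @ 0x[0-9A-Fa-f]+\)")

def triage(report):
    """Sort report lines into killed processes, DNS overrides, hooks owned by a known product (counted) and hooks owned by anything else (listed)."""
    out = {"processes": [], "dns": [], "hooks_known": 0, "hooks_review": []}
    for line in report.splitlines():
        if m := PROC_RE.match(line):
            name, path, action = m.groups()
            out["processes"].append({"name": name, "path": path, "action": action})
        elif m := DNS_RE.match(line):
            key, server = m.groups()
            # An empty value cannot be checked against the ISP/router DNS, so keep it visible as None.
            out["dns"].append({"key": key, "nameserver": server or None})
        elif m := HOOK_RE.match(line):
            table, idx, func, driver = m.groups()
            if driver.lower().startswith(KNOWN_HOOK_DIRS):
                out["hooks_known"] += 1
            else:
                out["hooks_review"].append(f"{table}[{idx}] {func} <- {driver}")
    return out

def open_items(t):
    """Findings a human still has to decide on before calling the machine 'clear'."""
    items = [f"process {p['name']} at {p['path']} ({p['action']})" for p in t["processes"]]
    items += [f"unverified DNS NameServer under {d['key']}" for d in t["dns"] if d["nameserver"] is None]
    items += [f"unattributed hook {h}" for h in t["hooks_review"]]
    return items
```

On the sample above the Trusteer hooks drop out as attributed, leaving the killed process in c:\windows and the DNS entry whose value was not captured as the two items still to be explained before the "clear" verdict means anything.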

