• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 492
  • Last Modified:

Telephone scam

One of my clients recieved a phone call from a "microsoft" technician, who reportedly had seen some issues with his machine. Without thinking my client ( who is extremely embaressed but admitted to me what he did so fair do's) allowed the bogus technician onto his machine via logmein. Now he watched the techinician take over his machine and didn't see any downloads or anything particularly worrying ( Ha !). After this the caller put him onto the "resolution centre" where he was given the hard sell for some form of Reg cleaner etc. for £250 but today special offer £150 if he bought it know. At which point my client woke up and realised what was going on and terminated the call and closed the machine down. Can i please have some suggestions as to how to ensure that the bogus technician has opened any backdoors or left the machine violated in any particular way. We have run full virus and malware scans and all passwords will be changed shortly.
Any advice will be most gratefully recieved, any suggestions of removing the machine from the user because he is too stupid to have one will be giggled at but then if everyone was clued up we'd all be out of a job.

7 Solutions
This is one of the better malware/virus removal guides I have used.


In all honestly thou, with the 'technician' have full access to your users computer for a lengthly period of time, there isnt a 100% guarantee your machine will be clean of all backdoor/trojans/rootkits and so on. I would take it off the network ASAP and rebuild it from scratch.
David Johnson, CD, MVPOwnerCommented:
treat the machine as being compromised.. look at the company information that is stored on the machine and do a damage assessment. They should consider any personal information on that computer is now in the wild.

Have you considered a newsletter and advising your clients about this..
Rob MinersCommented:
The Megabyte Solutions Scam with so called microsoft technicians, has been running over here for a few months now.

The trick is that they get you to type eventvwr.msc into the run box, open windows logs, select System and then filter for errors. They then tell you that all of the errors are from viral activity and you really need their services to clean your system. I could imagine how someone would feel if they were presented with all of those unfamiliar references and didn't realise that they were being conned.

Lol the last time I spoke to one of their representitives I was hung up on, when I said I was getting a "pen and paper to take notes, as I didn't own a PC".

Here is a link to an "excellent artice" by younghv that you can use to check out your clients system.


Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Lee W, MVPTechnology and Business Process AdvisorCommented:
The only way to be 100% safe is to buy a new PC.
The only way to be 99.9990% safe is to buy a new hard drive.
The only way to be 99.990% safe is perform a disk wipe using a tool like DBAN.
The only way to be 99.90% safe is to format the drive.
The only way to be 99.0% safe is to have a clean install of windows.
The only way to be 90.0% safe is to scan with known good tools for removing malicious software.

And REGARDLESS of what option from the above you do, make sure he changes all his online passwords and puts a fraud watch on his credit cards.
After a quick re-calc on those numbers. In order as above, they now should read:

Leew, you are missing something:

It's not just the operating system that is compromised, but also the data. So the user cannot trust even the documents etc. that might be stored on the PC. All has to be restored from an earlier backup. This is why a backup strategy is so important.

Given the user moves some data from the infected system to the new PC depending on the content it could reinfect the computer with the same virii, malware etc. this is especially true when not only documents but also setup files are moved and later executed.  

Regarding the technician, the client should always ask for support contract details and if unsure call his microsoft (key) account manager. If there is no such contract, he should be aware of that MS will never call you for free...


I've been getting those calls at my house at least a couple times a week.  So much for that do not call registry right?

Backing up the important user created files then formatting and reloading the machine would be enough.  Its very unlikely that any user created files like pictures or documents are compromised.  This is basically a scare-ware scam and I bet they are getting rich off it.
My name is MudCommented:
Remove the computer from the user... oh wait... that's not an option... if the user had access to other computers, then those PCs might have a breach problem... I'll go with alienvoice on that, burn the computer with fire and buy a new one... no wait... that's not an option... have you try Linux??? it has openoffice and this days it looks and feels alot like windows...
oldtightheadAuthor Commented:
I have managed to run a copy of Roguekiller on the machine with these results
RogueKiller V6.1.5 [10/29/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: hxxp://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: me [Admin rights]
Mode: Scan -- Date : 10/31/2011 20:30:55

Bad processes: 1
[SUSP PATH] wanmpsvc.exe -- c:\windows\wanmpsvc.exe -> KILLED [TermProc]

Registry Entries: 3
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{DB110174-A2E2-4C46-97E8-CD9322005FA7} : NameServer ( -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{DB110174-A2E2-4C46-97E8-CD9322005FA7} : NameServer ( -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]
SSDT[258] : NtTerminateThread @ 0x805D2BDC -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37E9E)
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37E56)
SSDT[254] : NtSuspendThread @ 0x805D48F4 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37F02)
SSDT[224] : NtSetInformationFile @ 0x8057B034 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38C40)
SSDT[213] : NtSetContextThread @ 0x805D173A -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37F66)
SSDT[193] : NtReplaceKey @ 0x806261C4 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3C322)
SSDT[116] : NtOpenFile @ 0x8057A1A6 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38B2C)
SSDT[98] : NtLoadKey @ 0x80626314 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3C410)
SSDT[62] : NtDeleteFile @ 0x80576C50 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38BD4)
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (\??\C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys @ 0xF3CD05C0)
SSDT[37] : NtCreateFile @ 0x805790A8 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38A56)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D6642 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B37FC0)
S_SSDT[483] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B38F74)
S_SSDT[477] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E828)
S_SSDT[378] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B39000)
S_SSDT[298] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E7B0)
S_SSDT[292] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E6CC)
S_SSDT[237] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E774)
S_SSDT[227] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E726)
S_SSDT[191] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E69A)
S_SSDT[13] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E64C)
S_SSDT[7] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xF3B3E7EC)

HOSTS File:       localhost

Finished : << RKreport[1].txt >>
And have also run the latest malwarebytes scan which showed the machine clear.

Ideas please gentlemen , have "we" got away with it ?
I have had  machines appearing to be clear and a few weeks later showed similar symptoms. Now whether that was from the previous infection or a new one we could not say.

You can never be 100% sure, there are rootkits that a virtually impossible to find/remove.

I would still suggest rebuilding it. But in the end that decision it up to you.
Did you install this http://www.trusteer.com/# software?

\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Trusteer helps you secure
customer web access against
financial malware attacks and
fraudulent websites.

So there was only [SUSP PATH] wanmpsvc.exe -- c:\windows\wanmpsvc.exe -> KILLED detected?

Please also check with www.prevx.com the free cloud based scanner is successful with detecting rootkits


Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now