Solved

Netstat showing a virus according to MS

Posted on 2015-02-12
6
185 Views
Last Modified: 2015-02-16
I have a user that called MS tech support and they told him that he has viruses in his computer because they ran a netstat cmd and showed him he had established connections from a virus. I don't buy it because they wanted him to pay for extra support to get rid of it. However when I inspected the computer I tried to download malwarebytes but anything I tried to download froze at 99% and then said failed. I attached the screen shot of the netstat cmd, could someone verify if that's what's happening
image.jpg
0
Comment
Question by:Neogeo147
6 Comments
 
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 125 total points
ID: 40607322
it's showing 3 sessions are established ...
the session 161.69.13.92  it's mcafee ip

using the following link you can see the which domain you are connecting ..
http://cqcounter.com/whois/

and go to task manager check the Applications if any unnecessary running if found uninstall then or delete them by finding path..
(select the running application right click go to services. you'll find the service name... search the service name in by search bar in you pc... it'll take you to that application... )

check the high process high memory consuming apps. etc as well..

try download malwarebytes download from other sources.. i.e http://www.majorgeeks.com/mg/getmirror/malwarebytes_anti_malware,3.html

then try ..

still unable to download try to download n safemode with networking...

all the best
0
 
LVL 3

Assisted Solution

by:Stephen Berk
Stephen Berk earned 125 total points
ID: 40607346
If you don't already have an antimalware package on there, you should reimage the machine and install something on all the PCs asap. Even MS' freebie System Essentials (free for noncommercial and possibly small businesses) is better than nothing. Check her call history, she might have been called by someone claiming to be MS or she may have called someone due to a popup saying she's infected and was given a number to call. Either way, you have a PC on your network that may be infecting others. Remove from the network, reimage, take corrective action to prevent recurrence.
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 125 total points
ID: 40607636
You definitely need to check how the user "called MS tech support". It's probably the other way around (a supposed MS tech support called him). Ask how he got the number, and if not from the official website, or not by his idea (cold call), maybe he already started a remote session (because the other side asked him to) and the computer is now actually infected because of the session (and files have been put on the PC).

Next, send out an company wide email. IT'S NOT LOGICAL TO HAVE MS CALL YOU and explain you about viruses, and then asking you to do things. MS will NEVER CALL you like this.
You call MS by yourself, if you have a Windows or Office problem AND you're from the IT department. If you have a problem and you're not from IT, don't call MS, call IT (they will call MS if necessary)!!!
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 
LVL 32

Accepted Solution

by:
it_saige earned 125 total points
ID: 40608013
Agreed with kimputer.  There are companies that call *claiming* to represent Microsoft Support.  These companies do not represent Microsoft.
Avoid tech support phone scams

Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:

◾Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.

◾Convince you to visit legitimate websites (like www.ammyy.com) to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.

◾Request credit card information so they can bill you for phony services.

◾Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
Source

If you need something to ease your brain on the NETSTAT subject.  Use the following netstat command in order to associate the connections with the processes that have the open connections:
netstat -aon

Open in new window

You should see something like this -Capture.JPGNow you can use task manager in order to associate the processes that have open connections.  For example:Here is a connection that I do not recognize, which process is using it?Oh it's Chrome.  That should be an IP address associated with something I am running in Chrome.  Looking up the IP shows it belongs to Google.Another common practice for these scammers is to use the Event Log to indicate MAJOR problems with your computer (no matter what the type of event message it is INFO, WARNING, ERROR).

-saige-
0
 

Author Closing Comment

by:Neogeo147
ID: 40608869
Thank you all for your help, I asked the user for the phone number he called and it ended up being a Non-MS number so I like I thought as you all did that it was all bull.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40611939
Don't just ask for the number, try to find out the how he got the number, and the reason why/what/where/when. Then according to this info (probably some flawed reasoning), try to warn the whole company where the flawed reasoning is and a step by step explanation what you should or shouldn't do.
It's not just one flawed reasoning in this case, but a whole range. Education is the best defense in most cases.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now