16 April 2012, 21:32
I get a cold call, says my computer's under attack
This happened Friday morning, Apr. 13 about 9:45AM Pacific. This guy says it's urgent that I act quickly and run software that will rid my system of this galloping virus that's very crafty and morphing to evade attempts to stop it. He has me enter a string in a Run dialog and tells me to write down a digit integer code that I have to enter in a dialog to let an executable run. He has me download a file:
Support-LogMeInRescue.exe
I'm trying to stall the guy and simultaneously I post at the Anandtech Off Topic forum, knowing that knowledgeable people post there and that there's a high amount of traffic and I'll likely get an instant response. Unfortunately, the first two responders are snarky without being obviously so and just say "sounds legit" and "sounds legit, what have you got to lose." I don't pick up on the snarkiness and I am sucked into this thing. The guy on the phone (he's got a strong Southeast Asian accent) says he's going to hand me over to a Microsoft technician, a Shane Watson, as soon as I run this downloaded EXE. He says the download I just did won't work now, because the virus has craftily detected it and I have to download another, and he gives me a different 6-digit integer to enter as a code to enable the connection. IOW, he makes it seem very urgent to run this thing NOW!
I run it and it seems that my machine is taken over by remote to a considerable extent. I see stuff drawn on my screen, things look different, my mouse control is gone or compromised.
This guy shows me Event Viewer data (I think maybe it was a mock-up, not my actual Event Viewer... this is a Windows Ultimate 64-bit laptop), and it says at the top left how many events are there. He or someone circles the number in red, as if with a crayon drawing tool, and he says he can't see the figure and asks me what it is. He says that if it's over 5000, it's not a big deal and they don't do anything (!) but if over that they charge a fee to fix the problem. It's over 8000, and I tell him so. I start thinking this is likely a scam and I tell him I have to go to the bathroom, can he call me back. How soon, he says, and I say an hour.
Then I go back to Anandtech and people are telling me I've been scammed and how can I be such an idiot.
I delete the two downloaded files. I see nothing amiss on the computer but many people at Anandtech say there could be files planted on my machine that will compromise my integrity, could steal my passwords, if they weren't stolen already (my browser remembers many), and I should not do any online purchasing or banking, etc. until I wipe my hard drive and reinstall Windows from scratch. Other people are less drastic and some say I should run software that will check out the computer.
I have a wireless network in the house and several computers run on it, the others being XP machines, one of which acts as a file server and is on all the time.
Should I really wipe the HD and start over on the Windows 7 laptop that I was using when I got this call? I have a ton of stuff I'd have to reinstall. Unfortunately I never made an image of the drive.
Or is it reasonably certain that these guys didn't plant a trojan virus or sniffer or gather my passwords and were just trying to get me to fork over money to make it appear that I am safe from what they were warning me against? The guy did call me back later and I yelled at him that he should be ashamed of himself and he should get a real job. It sounded like he was in a busy call center.
Thanks for your help.

16 April 2012, 21:41
More info:
The machine runs MSE, and I did a full scan later in the day and it only found one item, req-scheduler or something like that, I think that's something different, and I let it remove it.
I then downloaded and installed eset scanner (recommended in the Anandtech thread) and it found some stuff, here's the final report:
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\babylon.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\CFEF3957-BAB0-7891-955A-5F3D2C410A6F\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\FEE80C77-BAB0-7891-A1AC-BFBFDFE0FCC4\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\ICReinstall\cnet2_tagscan5_1_611setup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\Downloads\cnet2_tagscan5_1_611setup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
D:\Data\DL\1 Video Utilities\AnyDVD installations\SetupAnyDVD3921.exe probably a variant of Win32/Adware.Agent.JQKDIQW application cleaned by deleting - quarantined
What had me wondering were the two InstallCore.D application warnings; I don't know if this is involved with the LogMeIn Rescue farce here, but I don't think so.
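The report above is the one thing in this thread a practitioner can actually work with, so here is an added example (mine, not from the poster or from ESET) that parses those lines into structured records and triages them. It assumes ESET's line shape `<path> [probably ][a variant of ]<family> application <action> - <status>`, with the trailing word "application" marking a potentially unwanted application; the bundleware classification by family-name prefix is my own rule of thumb, not ESET's taxonomy. The sample input is the seven lines from the post, with the two filenames that were broken by a stray space written the way their sibling entries show them.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the seven ESET report lines quoted in the post.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\babylon.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\CFEF3957-BAB0-7891-955A-5F3D2C410A6F\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\FEE80C77-BAB0-7891-A1AC-BFBFDFE0FCC4\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\AppData\Local\Temp\ICReinstall\cnet2_tagscan5_1_611setup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\Dan Musicant\Downloads\cnet2_tagscan5_1_611setup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
D:\Data\DL\1 Video Utilities\AnyDVD installations\SetupAnyDVD3921.exe probably a variant of Win32/Adware.Agent.JQKDIQW application cleaned by deleting - quarantined
"""

# One report line: <path with spaces> [probably ][a variant of ]<family> application <action> - <status>
# Assumption: the trailing word "application" is how ESET labels potentially
# unwanted/unsafe applications; the regex keys on it to find where the path ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<qualifier>(?:probably )?(?:a variant of )?)"
    r"(?P<family>Win32/\S+) application "
    r"(?P<action>.+?) - (?P<status>\S+)$"
)


@dataclass
class Detection:
    path: str
    family: str      # e.g. "Win32/Toolbar.Babylon"
    qualifier: str   # "", "a variant of" or "probably a variant of"
    action: str      # e.g. "deleted", "cleaned by deleting"
    status: str      # e.g. "quarantined"

    @property
    def exact(self) -> bool:
        """True when the engine matched a known sample rather than a heuristic variant."""
        return self.qualifier == ""


def parse_report(text: str) -> list:
    """Parse ESET report lines; raise on anything that does not fit the expected shape."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        out.append(Detection(m["path"], m["family"], m["qualifier"].strip(),
                             m["action"], m["status"]))
    return out


# Assumption (my rule of thumb, not ESET's taxonomy): these family prefixes are
# bundleware that rides along with freeware installers, not remote-access or
# credential-theft tooling. Anything outside this list deserves a closer look.
BUNDLEWARE_PREFIXES = ("Win32/Toolbar.", "Win32/InstallCore", "Win32/Adware.")


def is_bundleware(family: str) -> bool:
    return family.startswith(BUNDLEWARE_PREFIXES)


def triage(detections: list) -> dict:
    """Group hits by family, separate bundleware from anything that needs review,
    and note how many hits sit in the user's Temp folder."""
    return {
        "by_family": dict(Counter(d.family for d in detections)),
        "needs_review": [d for d in detections if not is_bundleware(d.family)],
        "temp_hits": sum(1 for d in detections if "\\Temp\\" in d.path),
        "all_quarantined": all(d.status == "quarantined" for d in detections),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for family, count in summary["by_family"].items():
        print(f"{count}x {family}")
    print("needs review:", [d.path for d in summary["needs_review"]])
    print("hits under Temp:", summary["temp_hits"])
```

Run against the post's seven lines, everything falls into the bundleware bucket and `needs_review` comes back empty. Two caveats a practitioner would attach to that: the report carries no timestamps, so it cannot by itself say whether any file dates from the phone call, and an empty review list only means the scanner's signatures found nothing else, not that the remote session left nothing behind.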

16 April 2012, 23:11
Nobody is going to phone you out of the blue to say your PC is under attack. How would they know? Even if it were true, there are MILLIONS of PCs on the planet with infections; how could they cope?
In short, it is a ruse to install any number of nasties on your computer, which you have just done.
Detection software only works on 'known' baddies, you could have installed something not known, which is unseen and could be stealing anything from your email contacts to your credit card details or banking passwords.
Switch off, unplug, take it to a specialist and have it wiped and reinstalled.

17 April 2012, 03:07
OK, I guess I'll reinstall, but I think I'm capable of doing it all myself, I never have anyone else work on my computers and I've been doing it for 20 years. I'm good enough to do that. I will reformat the entire HD, both the OS and data partition, and reinstall everything. I blew it. 

17 April 2012, 03:13
Is there no way to edit your own posts here? It is pretty odd to not have that functionality in a forum, however I can't find it here.
I think there's a really good chance these people are not into installing baddies on people's systems but are instead into tricking them into thinking that they need a fix; they pretend to fix, make it seem like they do, and extract a fee from the poor deceived client. (Why else would they call me back, if they'd already laid their parasite egg in my system?) However, I suppose I can't take that chance. I'll chalk it up to experience and next time make an occasional image of the drives.

17 April 2012, 12:34
Support
Quote:
Originally Posted by dMuse
Is there no way to edit your own posts here? It is pretty odd to not have that functionality in a forum, however I can't find it here.
I'm afraid not. This function has been removed because of the scammers who frequently visit us. If there is anything that you feel needs editing, please don't hesitate to ask one of the support members via private message. 
__________________
The beginning of wisdom is to call things by their right names

17 April 2012, 14:35
Quote:
Originally Posted by Dodobird
I'm afraid not. This function has been removed because of the scammers who frequently visit us. If there is anything that you feel needs editing, please don't hesitate to ask one of the support members via private message. 
Hopefully I'll be more vigilant than usual to reread and edit my posts before committing when posting here. I generally do try, but here it's pretty necessary to get it right the first time.
Well, does anyone think I don't really have to reinstall everything on my Windows 7 Ultimate 64 bit laptop? It's not as though I don't already have a million things to do. Having 1,100,000 things to do is that much tougher. Anyway, thanks all for the help.