
Caught by scam?

I received a call yesterday from a friend who was in the middle of one of those 'Microsoft has detected you have a virus' scam calls.

Now, he's not that tech savvy, but was suspicious and called me via his mobile whilst pretending to fiddle with his PC.

Unfortunately he had already been to a site where the guy tried to install some remote control software.

The scammer was upset because it wouldn't install; he even got his manager involved, but luckily he was also unable to get it to install.

He doesn't use the PC for banking, only a very occasional credit card purchase.

It's mostly used for his one man business, producing estimates and invoices.

He already had Malwarebytes; via phone, I've talked him through updating and scanning, and both quick and deep scans have been completely clear.

He's read out all the running processes, from Task Manager and also the Add/Remove Programs.

Nothing that I haven't installed.

I've managed to talk him through downloading/installing HijackThis, then talked him through emailing it to me.

I'm pretty sure he's clean, see log below.

I can't see anything, but.......



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:43:34, on 23/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xxxxxx\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254043327703
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Move along, nothing to see.
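
The manual review described in the post above (reading out running processes and autostart entries and checking each one is expected) can be partly automated. This Python script is an added example, not part of the original thread and not HijackThis's own code: it parses a HijackThis v2 log and lists running processes and O4/O23 autostart targets that live outside a small set of directories a standard user cannot write to. The `TRUSTED_ROOTS` list, the `user` profile name and the `helper.exe`/`rc_helper` lines in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 layout. The Temp process and the
# [rc_helper] Run entry are invented; they are not from the log in the post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\helper.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O4 - HKCU\..\Run: [rc_helper] C:\Documents and Settings\user\Application Data\rc\helper.exe
"""

# Assumption: locations that need admin rights to write to on Windows XP.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll)', re.I)
ENTRY_RE = re.compile(r'^([ORFN]\d+) - (.+)$')

def parse_log(text):
    """Return (running_processes, {section_code: [entry bodies]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)

def outside_trusted(path):
    return not path.lower().startswith(TRUSTED_ROOTS)

def review(text, autostart=("O4", "O23")):
    """List processes and autostart targets that sit outside TRUSTED_ROOTS."""
    processes, entries = parse_log(text)
    findings = [("process", p) for p in processes if outside_trusted(p)]
    for code in autostart:            # O4 = Run keys, O23 = services
        for body in entries.get(code, []):
            m = PATH_RE.search(body)  # entries with a bare file name are skipped
            if m and outside_trusted(m.group(0)):
                findings.append((code, m.group(0)))
    return findings

if __name__ == "__main__":
    for kind, path in review(SAMPLE_LOG):
        print(kind, path)
```

Run over the log in the post, the only hit is HijackThis.exe itself, running from the Downloads folder. An empty result is a triage aid only; it does not replace the scanner checks suggested in the replies.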

Comments

  • prowla
    You might try going to the Symantec web site and running their free virus scanner there (there's one there intended for doing a scan of your machine prior to installing their anti-virus product).
  • spud17
    prowla wrote: »
    You might try going to the Symantec web site and running their free virus scanner there (there's one there intended for doing a scan of your machine prior to installing their anti-virus product).

    Cheers, but it took me an age to talk him through basic copy/paste over the phone.

    Probably too much for him unaided; I'll have to wait for the conditions in the back lanes to improve.
  • Looks clean to me. If you want to be extra-sure, just talk him through the process of doing a System Restore to the last point before the guy tried to get him to install the remote control software.
    poppy10
  • GunJack
    Looks good spud, not much on there at all, never mind nasties.. point him at Hitman Pro for a double-check :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • spud17
    GunJack wrote: »
    Looks good spud, not much on there at all, never mind nasties.. point him at Hitman Pro for a double-check :)

    I set it all up about 15mths back, it's one of my donor ones, built around an existing mobo/processor.

    I tend towards closeds thinking, 1.6GHz Duron and 768MB RAM, keep it lean.

    As I said it's mainly for his business records and the ability to surf the web.

    No Fakebook or kids involved.

    Dared him to install anything without consulting me! :p

    I'll get over and run Hitman Pro as soon as I get a chance.
  • spud17 wrote: »
    I set it all up about 15mths back,
    Dared him to install anything without consulting me! :p
    Hope you've set him up as a non-admin user.
    poppy10
  • spud17 wrote: »
    Cheers, but it took me an age to talk him through basic copy/paste over the phone.

    Know what you mean, I have a friend like that, what a nightmare trying to get him to right click and highlight :rotfl:
  • My 76 year old mother got a call like this; fortunately she is very clued up and ended the call. She even called me afterwards to warn me in case I got the same call. :)
  • poppy10 wrote: »
    Hope you've set him up as a non-admin user.
    Was just coming in to post this. Good advice IMO. Whenever I'm faced with a non-techie user who's likely to fall foul of such scams, I put them up as a non-admin user. In fact, it's not terrible practice for us techies to operate from a standard account either tbf.
This discussion has been closed.