Virus Scam

fld14
fld14 Posts: 463 Forumite
Part of the Furniture
My husband had a phone call today from a man saying he was from LOGIN 4 SPEED. He knew my husband's name. He asked if we had any viruses on our computer and my husband said we had had, as I mentioned something about a virus the other day. My husband is not computer literate so the guy got him to turn on the computer and lo and behold there was a virus box which was not there yesterday. He then took my husband through the computer for 2 hours telling him what to do and then said he would pass him onto his technician and said to get a credit card to pay even though we hadn't asked for his services and were unaware of any need to pay. Has anyone else had a similar experience? They keep calling for payment but we won't answer the phone. I have turned the computer off and have unplugged it from the phone line.
Thanks to all competitions posters and answer finders
:T
Don't squander time its the stuff lives are made of
:rotfl::rotfl::rotfl::rotfl::rotfl:

Comments

  • vuvuzela
    vuvuzela Posts: 3,648 Forumite
    You possibly have spyware installed on your PC. Use Malwarebytes and check the sticky at the top of the forum. Don't give them any card details and hang up every time they call again - they are simply trying to scam you out of money.
  • spannerzone
    spannerzone Posts: 1,566 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Many, many, many people get these scam calls from "Microsoft", "Tech Support" and numerous other fake "companies".

    They hope you do have a problem (many PC owners do have problems and fall for their scam) but they'll basically offer to remotely 'fix' the problems. At best they'll clean out some junk but probably won't clear infections should you have them.

    Just search Google or these forums for 'pc phone calls' or similar and see the many thousands of people that have had the same calls.

    Never trust information given by strangers on internet forums
  • lucylucky
    lucylucky Posts: 4,908 Forumite
    I managed to spin one out for a while but he gave up when I told him I couldn't find the Windows button anywhere.

    Possibly because I was using Linux, he lost interest.
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    vuvuzela wrote: »
    You possibly have spyware installed on your PC. Use Malwarebytes and check the sticky at the top of the forum. Don't give them any card details and hang up every time they call again - they are simply trying to scam you out of money.

    Thank you for your help. What is the sticky, please?
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 25 March 2011 at 11:59PM
    Stickies are the posts stuck to the top of the board.
    Incidentally, why did your husband think that a completely unknown company would be wanting to spend 2 hours of their time 'fixing' your computer for free?
    If someone phoned up telling you that your wiring was faulty, but that he would spend 2 hours putting it right without wanting payment, would you not be suspicious?
    I appreciate that he may not be knowledgeable about computers, but it's also about the application of some basic caution.
    Your name and phone no. are available from numerous sources, and the fact that a caller knows them hardly guarantees them as genuine.
    There is no such thing as a 'virus box'. What he showed you was probably something called event viewer, which showed a lot of supposed error messages that are in fact quite normal.
    Do a Malwarebytes scan as advised to clean up your system, and remove any remote access software that may have been installed.
    No free lunch, and no free laptop ;)
  • RussJK
    RussJK Posts: 2,359 Forumite
    Login4Speed have a website, claim to fix computers through remote administration. A quick google search shows they have cold-called others. You'll have to treat that computer as compromised. I wonder what they did for 2 hours on it - they've probably done their worst already.

    What security or antivirus software is on the compromised computer? What operating system is the compromised computer running, i.e. Windows XP, Vista, Windows 7, etc?

    1. If it is Windows XP, follow this guide to disable remote administration (http://netsecurity.about.com/od/securingwindowsxp/ss/disable_remote.htm).

    2. Secondly, press Start, Run, and type in services.msc and press enter. Look for 'Remote Registry' and set it to disabled.

    3. Run the DCOMBobulator to make sure port 135 is okay as I've seen XP machines get a worm through this port (http://www.grc.com/freeware/dcom.htm).

    4. On the compromised computer, please run the 'all service ports' scan at Gibson Research to see if there are any open ports (https://www.grc.com/x/ne.dll?bh0bkyd2). Let us know which ports are open.

    5. Run Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php), update it, then run a quick scan. Please post a log here.

    6. Run HiJackThis! (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html) and post a log for Rik et al to look at. It might show if they've left any software to remotely control the system which is very likely.

    7. Run SpyBot: Search and Destroy (http://www.safer-networking.org/en/spybotsd/index.html), don't install SDhelper or teatimer though. Update it, do the Immunise function, then run a scan. Let us know if it finds anything.

    Feel free to run these tools as well while you wait, but they will take longer to complete:
    Microsoft Malicious Software Removal Tool (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en)
    Dr Web scanner (https://www.freedrweb.com/download+cureit/gr/?lng=en)
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    macman wrote: »
    Stickies are the posts stuck to the top of the board.
    Incidentally, why did your husband think that a completely unknown company would be wanting to spend 2 hours of their time 'fixing' your computer for free?
    If someone phoned up telling you that your wiring was faulty, but that he would spend 2 hours putting it right without wanting payment, would you not be suspicious?
    I appreciate that he may not be knowledgeable about computers, but it's also about the application of some basic caution.
    Your name and phone no. are available from numerous sources, and the fact that a caller knows them hardly guarantees them as genuine.
    There is no such thing as a 'virus box'. What he showed you was probably something called event viewer, which showed a lot of supposed error messages that are in fact quite normal.
    Do a Malwarebytes scan as advised to clean up your system, and remove any remote access software that may have been installed.

    He is 65 and usually very suspicious but the way they wormed their way in was by saying that many people have had viruses on their computer. It was very gentle and got my husband's trust. He thought this company were the ones who were providing our anti-virus. He has learned his lesson :rotfl:
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    edited 27 March 2011 at 12:05AM
    RussJK wrote: »
    Login4Speed have a website, claim to fix computers through remote administration. A quick google search shows they have cold-called others. You'll have to treat that computer as compromised. I wonder what they did for 2 hours on it - they've probably done their worst already.

    What security or antivirus software is on the compromised computer? What operating system is the compromised computer running, i.e. Windows XP, Vista, Windows 7, etc?

    1. If it is Windows XP, follow this guide to disable remote administration (http://netsecurity.about.com/od/securingwindowsxp/ss/disable_remote.htm).

    2. Secondly, press Start, Run, and type in services.msc and press enter. Look for 'Remote Registry' and set it to disabled.

    3. Run the DCOMBobulator to make sure port 135 is okay as I've seen XP machines get a worm through this port (http://www.grc.com/freeware/dcom.htm).

    4. On the compromised computer, please run the 'all service ports' scan at Gibson Research to see if there are any open ports (https://www.grc.com/x/ne.dll?bh0bkyd2). Let us know which ports are open.

    5. Run Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php), update it, then run a quick scan. Please post a log here.

    6. Run HiJackThis! (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html) and post a log for Rik et al to look at. It might show if they've left any software to remotely control the system which is very likely.

    7. Run SpyBot: Search and Destroy (http://www.safer-networking.org/en/spybotsd/index.html), don't install SDhelper or teatimer though. Update it, do the Immunise function, then run a scan. Let us know if it finds anything.

    Feel free to run these tools as well while you wait, but they will take longer to complete:
    Microsoft Malicious Software Removal Tool (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en)
    Dr Web scanner (https://www.freedrweb.com/download+cureit/gr/?lng=en)

    Thanks so much for your help on this. I will do it tomorrow afternoon as it's late now and I have only just read your reply. :D
    I have no clue what they have done. The computer is working fine but I have not reconnected it to the internet yet. They have tried to call twice today but we don't answer. We have McAfee as part of the BT package and it's Windows XP.
  • RussJK
    RussJK Posts: 2,359 Forumite
    fld14 wrote: »
    Thanks so much for your help on this. I will do it tomorrow afternoon as it's late now and I have only just read your reply. :D
    I have no clue what they have done. The computer is working fine but I have not reconnected it to the internet yet. They have tried to call twice today but we don't answer. We have McAfee as part of the BT package and it's Windows XP.

    No worries, let us know how you go. I found some other tips as well which may help:
    (http://www.ehow.com/how_5832151_detect-remote-desktop-snooping.html). For point #2 he means 'system tray' but you get the point.

    After you have gotten through everything (and please feel free to ask any question in getting through the lists, no matter how silly it may sound to you), I would strongly recommend removing McAfee and replacing it with free Avast, as McAfee cannot adequately protect computers. I'll give you some instructions on how to do this safely if you like, as it's not recommended to just use the normal uninstall to get rid of McAfee as it tends to leave remnants behind that can cause conflicts.
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 18:09:23, on 27/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ASQN2XJI\DCOMbob[1].exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QXKOIK88\HijackThis[1].exe
    C:\WINDOWS\system32\msiexec.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101210011535.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DriverScanner] "C:\Program Files\Uniblue\DriverScanner\launcher.exe" delay 20000
    O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_SCF.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Auto EPSON Stylus DX8400 Series on USER-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_S6F.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Blue Coat Systems, Inc. - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    --
    End of file - 8641 bytes
This discussion has been closed.
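
The HijackThis step in the thread asks for a log so that others can check whether any remote-control software was left behind. The script below is an added example, not part of the original thread or of HijackThis: it reads a log in that format and lists running processes, O4 autostart entries and O23 services that either carry a well-known remote-access product name or run from a temp or browser-cache folder. The `REMOTE_TOOLS` list, the function names and the sample log are assumptions made for illustration.

```python
import re

# Constructed sample in HijackThis 2.x layout; these entries are NOT from the thread's log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AAAA1111\tool[1].exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Helper] "C:\Documents and Settings\Owner\Local Settings\Temp\helper.exe" /silent
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Illustrative, incomplete list of remote-access product names (an assumption).
REMOTE_TOOLS = ("teamviewer", "logmein", "ammyy", "vnc", "radmin", "gotoassist", "showmypc")
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")

SECTION_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# Executable path: a quoted string, or text up to an executable extension.
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)', re.I)


def parse(log_text):
    """Return (kind, description, path) for processes, O4 and O23 lines."""
    entries, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = SECTION_RE.match(line)
        if m:
            in_procs = False  # the process list ends at the first R/F/N/O line
            code, rest = m.groups()
            if code == "O4":  # O4 - <key>: [Name] command line
                name, _, cmd = rest.partition("] ")
                exe = EXE_RE.search(cmd)
                path = (exe.group(1) or exe.group(2)) if exe else cmd
                entries.append(("autostart", name + "]", path))
            elif code == "O23":  # O23 - Service: Name - Vendor - path
                desc, _, path = rest.rpartition(" - ")
                entries.append(("service", desc, path))
        elif in_procs and line:
            entries.append(("process", "", line))
    return entries


def triage(log_text):
    """Return (kind, reason, path) for entries that deserve a closer look."""
    findings = []
    for kind, desc, path in parse(log_text):
        haystack = (desc + " " + path).lower()
        for tool in REMOTE_TOOLS:
            if tool in haystack:
                findings.append((kind, "remote-access tool name: " + tool, path))
        if any(d in path.lower() for d in TEMP_DIRS):
            findings.append((kind, "runs from temp or browser cache", path))
    return findings


if __name__ == "__main__":
    for kind, reason, path in triage(SAMPLE_LOG):
        print(f"{kind:9} {reason:35} {path}")
```

A hit is a prompt to look closer, not a verdict: a tool opened straight from the browser's download prompt also runs from Temporary Internet Files.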