"Take On Support" Scam

[Arfer]

I was running the free version of AVAST V5 on my PC Windows 7 Ultimate 64bit all fully up to date with windows updates and AVAST was also fully up to date both engine and virus database.

I booted the PC yesterday morning and picked up something very nasty.  Not on any dodgy sites and no dodgy downloads when suddenly the PC became VERY slow and unresponsive.  AVAST reported nothing but every thing was VERY VERY slow.  Shutdown is normally about 11 seconds but was now nearly 10 minutes.  Unplugged PC from network as soon as it went slow.

About 15 minutes later I received a call from an Indian call center saying or intimating that they were calling on behalf of microsoft spieling a story about a serious problem with windows.  To cut a long story short they want to extract GBP60 per year for a support contract to sort out the PC.  They are calling on a witheld number but if you want their help you call them back on 01865521065.  Needless to say I didn't bite.

Problem is this got right by AVAST.

PC is now very sick, AVAST cant seem to find the problem.

I have managed to unload the AVAST free version and have just loaded the latest AVAST Internet Security suite which I eventually got to install but the firewall wont come up and the scan does not fix the problem.

Anyone got any ideas how to sort my PC as I have a lot of data in my MyDocuments folder that I don't want to loose.

[essexboy]

Hi lets see if I can find the culprit

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Under Additional Scans check the following:
• Reg - Shell Spawning
• File - Lop Check
• File - Purity Scan
• Evnt - EvtViewer (last 10)

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
  
• To the left is an additional options click this
  
• Browse for the attachment file you want to upload

[polonus]

Hi Arfer,

Apparently you were a near victim of pre-fetch logmein123.com virus scam
Was what you experienced similar to this?: http://www.digitaltoast.co.uk/supportonclick-systemrecure-scam
Did you report the incident here?:
Also, report it to: https://secure.consumerdirect.gov.uk/reportascam.aspx

There are also threads on http://forums.moneysavingexpert.com/showthread.html?t=1613667 and
http://www.hotukdeals.com/item/502631/call-from-microsoft-maintenance-dep

The Register have an article about it:
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam/

Note: The Staffordshire Police have also issued a warning about this:
http://www.staffordshire.gov.uk/NR/rdonlyres/3ECA6489-52AC-4A64-A48E-4E44743CB9CB/90090/TelephoneComputerSupportWarning.pdf

http://www.dslreports.com/forum/r22222049-Scam-Supportonclickcom-scareware-scam

Also read here about this worst scenario scam: http://hphosts.blogspot.com/2009/12/techonsupportcom-click4rescuecom.html

And let our friend essexboy handle the cleansing of the malcode on your machine...

polonus

[Hermite15]

@ the OP: you said they called you >>> how they got your phone #

[polonus]

Hi Logos,

There is a discussion going on here: http://forums.malwarebytes.org/index.php?showtopic=11156

The callers are based in India and the pose as MBAM support team,do not go here:
http://www.siteadvisor.com/sites/supportonclick.com
http://www.mywot.com/en/scorecard/supportonclick.com

polonus

[Hermite15]

there's a video here:
http://www.youtube.com/watch?v=jfFqgTuPKRM&feature=PlayList&p=ACD9A8922BBBFE4C&playnext_from=PL&index=0

edit: Polonus the thread on MBAM isn't goin' on, it's from 2009 ...but okay the topic is still current.

[Arfer]

Thats what I'm most worried about how they got the phone number unless it was just pure chance but I fear not.  The guy said his name was Kevin.  Spun them a line about the phone line on the computer had just gone faulty so could not connect to internet to "Let him in to PC to fix problem" spun him along for 90 minutes waiting for wife to come home from shopping with credit card, she was ironing in the kitchen  :-)

Essexboy do you want that run in safe mode or normal mode ?

Thanks guys, shure is a good one I have been fixing PC's for 26 years and this one is a bitch shame I cant trash the drive as always no backup files......

[Hermite15]

yeah, I asked because they seem to know who they're calling, since that's people with already infected PCs (by them somehow), like in your case...

[Arfer]

Here is the output file from OTS

http://www.mediafire.com/file/uhmazmrxmin/Arfer_ots_output.txt

Hope you are able to work out whats going on,  THANKS

[essexboy]

The scan looks clean

I was talking to the wife about this and she then mentioned that she got a call a few weeks ago similar to this, she told them to get lost 

It appears to be a cold call system based on scare tactics, let them in at your peril. 

With your 64 bit system you are fairly secure at the moment as no known malware yet hits the 64 bit area.   

Lets run MBAM though to ensure that I have missed nothing and follow up with a GMER scan, these can be run in normal or safe mode

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
.
THEN

GMER Rootkit Scanner - Download - Homepage

• Download GMER
• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.

• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  
  Click the image to enlarge it
  

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  
• Save the log where you can easily find it, such as your desktop.

**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

[Arfer]

Here are the results two files.

One thing that I noticed that when I launch the root kit scanner or click on start within it I get this message.

C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process.

It was almost a year ago that I switched to AVAST.  Before that I used to use SpyBot which I made donations too, also Zone Alarm which I used to be a beta tester for but stopped using them when I changed to AVAST.

I am more than a little dissapointed that this got through.

Do you think it was down to the fact that I was only running the free version.

[Arfer]

Got the PC connected to the internet again today. 

AVAST was blocking nut I deleted the network adaptor and reinstalled it and back on line again.

AVAST was doing a full scan at 18Mb/s now its back up to 389Mb/s

I have lost a little faith in AVAST over this incident, what other protection do you think I ought to be running on Windows 7 Ultimate 64bit besides AVAST Internet Security for maximum protection.

Thanks for all your help and suggestions Guys especially EssexBoy  (by the way I am originally and Essex boy)

[Hermite15]

there's no resident security solution I would advise to run together with Avast, this could lead to conflict. Either you trust it, either you switch to something else.

[Arfer]

Tried most over the years and I am sticking with AVAST till something better comes along.

I was thinking more along the line of SpyBot and Ad-aware both of which I stopped using when I moved to Windows 7 64bit and AVAST.

[Altarir.]

you can use MBAM free in addition to avast

also, you can use NoScript extension in case you use Firefox so scripts don't run until you allow them to do so. This really helps to prevent getting infected(unless you download and execute infected file by yourself ).