Do I really need to wipe my HD and start over?

Muse

Lifer
Jul 11, 2001
I get a cold call, and this guy says my computer's under attack. This was 5 days ago, Friday Apr. 13, 2012 at about 9:45AM Pacific. He's got a heavy Indian accent (I asked him if he was Indian a couple of times and he said he was in South East Asia), and the noise around him made it sound like he was in a busy call center.

He said my computer was under attack and it was critical that I immediately download and install a program that would rid me of the virus. He said that once I ran this he would immediately turn me over to a Shane Watson of Microsoft, who would guide me in what to do. Since I was having a horrible time understanding him with his heavy accent, I requested that he turn me over to this Shane guy immediately. He ignored that, and I got to absolutely yelling at him, but it did no good. He gave me a 6 digit integer code ("write this down") that I had to enter into the dialog when I ran a download. They appeared to get control of my system with LogMeIn. I believe the file I ran was Support-LogMeInRescue.exe. I since permanently deleted the installation files. This guy had me download an EXE, write down a 6 digit code and then after a few seconds he says "the file you downloaded won't work now, the virus has transmuted itself and you have to download another file and write down another 6 digit code." What a hustle! So, I later deleted two executables.

They seemed to get control of my system, my screen looked different. They seemed to have control of my mouse. They could draw things on my screen. They purportedly showed me my event viewer and error messages and there were many. Now, I got way suspicious when he tells me that if I have over 5000 items in the event viewer I have to pay a fee to have them clean my system. Someone circles the number of items on the upper left of event viewer (I don't know if that was mine or a mockup they showed me), and it was over 8000. He asks me what the number is, telling me he can't see it. I ask him to call me back and I do some research and decide he's scamming me.

2 minutes into this call I go to ATOT and post, asking if this is apt to be a scam, but the first couple of guys give snarky (not obviously) BS answers: "Sounds legit" and "sounds legit, what do you have to lose?" I'm on the phone with this guy who's hustling me a mile a minute and I don't pick up on the typical ATOT sarcasm, and miss the helpful posts that happened 1/2 a minute later. Some people in the thread (now locked) have told me I should wipe my HD and install everything from scratch, that they might have installed stuff that would steal my passwords, credit card numbers if I bought anything online. Is that true or were they just trying to shake me down for cleaning a virus that didn't exist?

The ATOT thread I started: I get a cold call from a guy who says he's going to save me from a virus!!!

They called me back, which suggests that they didn't accomplish what they wanted. I think they very probably were just trying to hustle me for a charge to make it appear that my system was cleaned, that they didn't leave anything on my system, but of course, I can't prove it.

One guy in the ATOT thread linked me to a thread that sounded exactly like what happened to me: http://www.techsupportforum.com/forums/f10/a-scam-496451.html That thread was started almost 2 years ago and is closed, so I can't post in it.

It's a Windows 7 Ultimate 64 bit laptop with MSE running on it. I did a full scan with MSE after this incident, it only found one evidently unrelated item, which it removed. Some people said I could run the ESET scanner, which I downloaded and ran and it found 7 more items, including a couple instances of a variant of Win32/InstallCore.D application, all of which were removed. Some people in the thread suggested other things, including running HijackThis and Malwarebytes. What is the smart thing to do? It would take me many hours to wipe the HD, install Windows, all the updates for the Lenovo T61 machine and all the programs and utilities I use. Must I wipe my HD or were these people just trying to shake me down with scare tactics and smoke and mirrors?
 

Muse

Someone in that ATOT thread I linked in the OP suggested I call the logmein folks, that they might be able to get a handle on these guys. I just called them and I explained what happened in considerable detail. The woman asks if I still have those 6 digit codes I entered during this call on Friday, and I said I thought I did. I find them, call back and another CSR said they'd definitely be able to shut these guys down, although they may be using a trial version. I asked him his opinion on whether or not I have to wipe the HD and he said he could look on my system if I gave him access, and we did a logmein session and he looked in my registry and he said they hadn't planted a module that would allow them access to my machine without my being in attendance and participating. So, his assessment is that I'm OK. However, from his perspective my system was operating extremely slow... i.e. while poking around looking in my registry, so I am wondering why that is.
 
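What the LogMeIn rep's registry look amounts to, written out so you can run it yourself instead of handing over another session. This is an added example, not something anyone in the thread posted: a PowerShell 2.0 (Windows 7) triage script that lists the usual autostart locations and anything executable that landed on the box since the call. The April 13, 2012 cutoff and the folder list are assumptions taken from the thread's dates; adjust them for your own machine. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): quick persistence triage on Windows 7.
# Cutoff is the date of the scam call in this thread; change it as needed.
$Cutoff = Get-Date '2012-04-13'

# Registry autostart keys (64-bit box, so the Wow6432Node view is included)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== Autostart registry entries =="
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... bookkeeping properties
            if ($p.Name -notmatch '^PS') { "{0}  {1} = {2}" -f $key, $p.Name, $p.Value }
        }
    }
}

"== Services whose binary lives outside the Windows and Program Files trees =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notmatch '\\Windows\\') -and ($_.PathName -notmatch 'Program Files') } |
    Select-Object Name, StartMode, State, PathName | Format-Table -AutoSize

"== Scheduled tasks that actually run something =="
# schtasks repeats its CSV header once per task folder; drop those rows
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'N/A' } |
    Select-Object TaskName, Status, Author, 'Task To Run' | Format-Table -AutoSize

"== Executables created or modified since $($Cutoff.ToShortDateString()) in common drop locations =="
$Dirs = @("$env:SystemRoot\Temp", "$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA",
          "$env:ProgramData", "$env:SystemRoot\System32")
Get-ChildItem -Path $Dirs -Recurse -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime | Sort-Object CreationTime | Format-Table -AutoSize

"== Open network connections (PID in the last column, match against Task Manager) =="
netstat -ano | Select-String 'LISTENING|ESTABLISHED'
```

It only sees what Windows shows it, which is TreyRandom's point later in the thread: a kernel rootkit that hooks the APIs these cmdlets rely on will not appear here. Treat an empty result as "nothing obvious", not as "clean"; a hit in any section (a Run entry or service pointing into Temp or AppData, a task authored on the 13th, an established connection owned by a process you don't recognize) settles the wipe question on its own.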

Jimmah

Golden Member
Mar 18, 2005
Why run the possibility of there being something malicious hidden away, just to keep your current installation? Wipe it and start over, peace of mind and such.
 

compman25

Diamond Member
Jan 12, 2006
Why would you believe a random stranger and why would you let them gain access to your system? I would wipe and start over.
 

TreyRandom

Diamond Member
Jun 29, 2001
It is clear that you haven't learned your lesson about blindly following advice from people over the phone. :)

1. Stop giving people access to your system.
2. Nuke it from orbit (reformat). It's the only way to be sure. Unless, of course, you are willing to risk that your system isn't compromised. Be sure to remember that when you do your electronic banking or pay bills...
3. Stop giving people access to your system!!!
 

Chiefcrowe

Diamond Member
Sep 15, 2008
Yes, like they said, I would completely wipe it and start over. That sucks what happened, crazy!!
 

Muse

> It is clear that you haven't learned your lesson about blindly following advice from people over the phone. :)
>
> 1. Stop giving people access to your system.
> 2. Nuke it from orbit (reformat). It's the only way to be sure. Unless, of course, you are willing to risk that your system isn't compromised. Be sure to remember that when you do your electronic banking or pay bills...
> 3. Stop giving people access to your system!!!

Well, this guy this morning was a support specialist at Logmein, if I can't trust him who can I trust? I am subscribed (for pay) at a site that on occasion asks to see my screen, and they do something similar, don't know that they have any control of my system, however.
 

Muse

> Yes, like they said, I would completely wipe it and start over. That sucks what happened, crazy!!

Yes, and AFAIK they won't stop those guys. If they had a trial version, they can get another, likely. If they are in a big call center (it sounded like they were), their superiors will probably get the call from Logmein and there may be no way to trace the codes to the specific perpetrators. Logmein said they'd "shut these guys down" but I have my doubts.
 

blackangst1

Lifer
Feb 23, 2005
I don't understand why someone would do this from a cold call. Wow.

But what's done is done. Reformat and start over.



 

Muse

> Why run the possibility of there being something malicious hidden away, just to keep your current installation? Wipe it and start over, peace of mind and such.

Well, I sure can't do it today, very busy. Maybe in the coming days.
 

alkemyst

No Lifer
Feb 13, 2001
Unrelated, but if you get a voice call from Skype do not agree to furnish your SS# / credit card info.
 

TreyRandom

> Well, this guy this morning was a support specialist at Logmein, if I can't trust him who can I trust? I am subscribed (for pay) at a site that on occasion asks to see my screen, and they do something similar, don't know that they have any control of my system, however.

4. Stop giving people access to your system, dude! :D

You don't need to trust anyone! Aren't you an admin?!? Administer it yourself!

That "support specialist" wasn't gonna be able to find out if you've been rootkitted by dinking around in your registry. Yet you still blindly trust that he's giving you accurate info?? Isn't that what got you into the trouble you're currently in?
 

Muse

> 4. Stop giving people access to your system, dude! :D
>
> You don't need to trust anyone! Aren't you an admin?!? Administer it yourself!
>
> That "support specialist" wasn't gonna be able to find out if you've been rootkitted by dinking around in your registry. Yet you still blindly trust that he's giving you accurate info?? Isn't that what got you into the trouble you're currently in?

OK, I'm getting hipper to PC security basics, thanks.

Now, I posted a thread at Techsupportforums:

I get a cold call, says my computer's under attack

This guy (whose credentials there are "Security Team Moderator, analyst, Rangemaster, TSF Academy") responds with the recommendation to restore Windows 7 from a restore point. Says "Windows 7 has a very robust system restore. Let's try that first." He pastes in very detailed specific instructions in how to go about this. He seems to be saying that doing so ensures that my system will be protected from whatever might have been done in that session with the scammers 6 days ago. Is that reasonable/viable?
 

Muse

> It is clear that you haven't learned your lesson about blindly following advice from people over the phone. :)
>
> 1. Stop giving people access to your system.
> 2. Nuke it from orbit (reformat). It's the only way to be sure. Unless, of course, you are willing to risk that your system isn't compromised. Be sure to remember that when you do your electronic banking or pay bills...
> 3. Stop giving people access to your system!!!

You know, it's called tech support. I've done it for years, supporting both laymen and high level professionals, people in my own company and software developers. When people are suspicious of you as a tech support specialist your job becomes that much more difficult. A certain level of trust is necessary in this world at times. My support was for database software, 4th generation.

Granted I fucked up on this one, and I went to the ATOT forum for some guidance, after all this guy had me on the phone talking at me a mile a minute trying to get me to immediately run this stuff. They had a pretty sophisticated approach going on. The first two ATOT responders fanned on what was happening, fuck those guys. In my haste in the OP I guess I didn't make it clear that I was actually on the phone with this guy when I posted it.
 

TreyRandom

> You know, it's called tech support. I've done it for years, supporting both laymen and high level professionals, people in my own company and software developers. When people are suspicious of you as a tech support specialist your job becomes that much more difficult. A certain level of trust is necessary in this world at times. My support was for database software, 4th generation.
>
> Granted I fucked up on this one, and I went to the ATOT forum for some guidance, after all this guy had me on the phone talking at me a mile a minute trying to get me to immediately run this stuff. They had a pretty sophisticated approach going on. The first two ATOT responders fanned on what was happening, fuck those guys. In my haste in the OP I guess I didn't make it clear that I was actually on the phone with this guy when I posted it.

Yes, it is called tech support. And ya know what? Those of us who administer computers tend to not use (or need!) tech support. Know why? Because if they knew as much as we administrators do (or, at least, should), they'd have OUR jobs. And on those rare occasions that I do need tech support, I dang sure don't let them run rampant in a system that I am responsible for securing and maintaining!

Sophisticated approach? Someone with a thick Indian accent blindly calls you and you decide to do what they say? Dude, that's not sophisticated. That's called social engineering, and a good admin won't fall for it. Those who do won't fall for it a second time. Are you gonna keep sticking your hand on the burner to see if it's still hot?

No, trust isn't necessary. Figure out the symptoms, diagnose those systems on your own by doing online research (using multiple sources - not blindly trusting the first link you find!), and fix the problem. That's what a good administrator does. So stop getting all butthurt at the advice you're being given and start doing things the right way, man!

The first two ATOT responders didn't fan on what was happening... that was sarcasm, and your sarcasm meter is broken (though hopefully not beyond repair). But let's assume for a moment that it wasn't sarcasm. You're gonna blindly accept the advice of two random dudes who you don't even know on an Internet forum? Seriously? Whose word are you NOT gonna accept? Do you seriously not see a pattern of behavior here?

Okay, listen... I'll help you out of this situation. But first, I'm going to need the name of your bank, your public IP address, and your mother's maiden name. And if you give it to me, I'm gonna whack you upside the back of the head! Stop trusting people who you don't know from Adam!
 

TreyRandom

> OK, I'm getting hipper to PC security basics, thanks.
>
> Now, I posted a thread at Techsupportforums:
>
> I get a cold call, says my computer's under attack
>
> This guy (whose credentials there are "Security Team Moderator, analyst, Rangemaster, TSF Academy") responds with the recommendation to restore Windows 7 from a restore point. Says "Windows 7 has a very robust system restore. Let's try that first." He pastes in very detailed specific instructions in how to go about this. He seems to be saying that doing so ensures that my system will be protected from whatever might have been done in that session with the scammers 6 days ago. Is that reasonable/viable?

Do your own research and see if Windows 7's restore features can eliminate nasty things that might have been installed on your system... such as rootkits. Thing is, rootkits hide themselves from the operating system (do your own research on how this works). So, in my opinion, it is doubtful that Windows 7's system restore is going to automagically delete something that isn't part of Windows 7's file structure and cannot even be seen by Windows 7.

The thing that you're not doing is you're not doing your own research when people give you advice or tell you to do something. If you had done your research on rootkits when I brought up that point in an earlier post, you'd know how rootkits work and you'd already know that Windows 7's system restore isn't gonna help you.

Just want to make sure we're on the same page... by "doing your own research", I don't mean "ask an Internet forum and accept the first few replies that you are given". Because if you do that, you're STILL blindly following Joe Internet's advice on what you should be doing! What I mean by "doing your own research" is that you need to collect information from dozens of (legitimate) sources, analyze ALL the information provided, and come to a logical conclusion. Otherwise, you're gonna keep putting yourself in unfortunate situations.

People on forums mean well. But they don't always give the best answers. For what it's worth, I'm a member of TSF (under a different username). The guys at TSF will often take a "remove first" mentality. I used to as well... until I encountered a rootkit on a computer on a network I administered. After that experience, I realized that it doesn't matter how clean I think a system is... if it has been compromised, I can no longer trust it to be 100% clean, no matter what a slew of antimalware apps say (because I've seen them pass right by rootkits). If security is important on that system, I'll salvage data, wipe the drive, repartition, reformat, and reinstall.

Again, this is just my opinion. By all means, do your own research, and make your own decision. Don't blindly trust what I say, either.

EDIT: I just read that post on TSF. The user named "amateur" isn't telling you that Windows 7 system restore is gonna protect your system. Sure, it will remove SOME malware. But you're missing the part of the post where he tells you to run a script called dds (again, do your research on what it does before you blindly run some script some dude tells you to run!!) which he says will check out what you've got running on your system so the guys on TSF can give you some advice. But, remember, this is the thing: they can only give you advice on what they see. You are basically entrusting the security of your computer from here on out to whether a script you haven't analyzed and written by someone you don't know is gonna catch ALL the malware on your computer, and that some random dudes on the Internet are gonna find ALL that malware for you. I guess the question really boils down to this: are you gonna blindly believe?
 

Muse

TreyRandom, you are way ahead of me. I've done a bit of network administration, the people who did it at my last full time job (where I was the sole database administrator and developer for their mission critical business database) told me that it's something you just learn by doing it. I did some, picked up some things, what I know has been garnered piecemeal on a do it as needed basis. Currently, I'm just maintaining my own home network, 5 computers, one of them a 24/7 server.

I really appreciate that you're trying to help me and I understand that I've taken a way too passive approach here, at least at times. I don't always give a problem the attention it deserves. I figure I have to prioritize. I understand that the security of my computers is a high priority, and what happened 6 days ago has thrown the proverbial monkey wrench into my goings on. I suppose the easiest thing to do is just do what you suggest and wipe/repartition/format. I have two partitions on the HD, the 2nd being a data partition. Do you think I can copy that data to a backup USB HD and then copy it back later, or should I regard that data as suspect? I don't believe there is anything there I don't have elsewhere, however it would be more work to just wipe it instead of the copy/rewrite scenario I mentioned.

I googled Rootkit and hit a site that has a free anti-rootkit tool:

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

I know you probably think I shouldn't just ask you but should do in depth research myself, and I'll try to do that, but I'd appreciate your opinion of whether this tool can be relied upon to find and remove a rootkit that might have been put on my machine last Friday.
 

TreyRandom

Yep, it is something you learn by doing it... and by making mistakes. Lord knows I've made plenty. There was this one time that I pushed the self-test button on a UPS that provided power to both of the servers at a small bank. You know the sound that servers make as they're spinning down when they're powered off? Yeah, that sound. During the lunch rush. The color absolutely drained out of my face.

The main thing I was wanting to impress upon you is that YOU are the last line of defense for your computers. And the only one you can truly trust to take care of those systems is you. That means nothing gets installed on my systems unless I deem it to be absolutely necessary. For example... I love Google. But when I'm prompted, "Install the Google Toolbar?" Not a chance, dude. "Would you like to link your mobile phone to your Gmail account?" Uh... no. Why would you possibly need that? "Store all your pictures and important documents in THE CLOUD!" No thanks... someone other than me has administrative access to your servers. "Put all your personal information here on Google+! It's FREE!" Dude, please understand, I'm not a private person; in fact, most of my friends and family can read me like a book. But there's no reason that I should be negligent with computer security, with my data, or with my personal information.

So... that's where I'm comin' from. I'm not saying you should distrust the world or never install an app. I'm simply saying that you need to be vigilant about the protection of your data by being careful, particularly when you don't KNOW someone.

And, if I were trying to sell you something at this moment, you ought to be careful about the advice I give as well. ;)

Back to the problem at hand. Your computer might not be infected by a rootkit. It might not be infected by anything at all. But how do you KNOW? Sure, you can scan it with any number of anti-malware and anti-rootkit apps (be careful - some of these apps are cleverly disguised malware themselves!!!), but there's still no guarantee you'll remove EVERYTHING. Look at online reviews of anti-malware and anti-rootkit apps. None of them find everything. Some find things that others miss, and vice versa. And even when they find stuff, most are pretty bad at removing them (you'd only know that through experience... seeing with your own eyes that things aren't removed despite the app's assurance that it was).

The question is... how good is "good enough"? Nobody can answer that but you, and the answer will depend on how important security is on the target system. I'm pretty good at removing viruses. But if I'm not pretty certain that a system is clean, I'll reinstall if security is important. If it's on a computer that my kids use to play Flash games... maybe a quick cleaning is good enough. If it's a system I type ANY security or credit card info into... I'm probably startin' over. It may not be "easiest"... but it is the only way to be certain.

I would not copy the whole drive (and I definitely wouldn't do a bit-by-bit backup of the partition... that just copies any malware over too). I would copy only the data you want salvaged. If the entire drive is truly nothing but data, then sure, copy all the files. If you want to ensure you're not gonna lose data, it's a good idea to copy the data, pull the drive, insert a new one (assuming you've got a spare one laying around), and install onto the new drive, keeping the old drive as a backup in case you missed copying something. Then you can repartition and reformat that old drive only once you are certain you've got everything back to normal.

Not trying to bust your balls, man. Just want you to be safe... and the only way to do that is to point out the flaw in your approach so you don't make the same mistake again and again and again. :) Hope this has helped.
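The "copy only the data, never the partition" step above, as an added example rather than anything TreyRandom posted: a PowerShell script that robocopies the data partition (assumed to be D:) to an external drive (assumed to be E:), excludes the file types Windows will execute so a dropped binary cannot ride along, and writes a SHA-1 manifest so the salvaged files can be checked after the reinstall. Drive letters, the exclusion list and the destination paths are all assumptions.

```powershell
# Added example (not from the thread): salvage data files only, with a hash manifest.
# Assumed layout: suspect data partition on D:, clean external drive on E:.
$Source   = 'D:\'
$Dest     = 'E:\Salvage\DataPartition'
$Manifest = 'E:\Salvage\manifest.txt'

# Types Windows (or Explorer) will execute or follow; none of these are "just data"
$SkipTypes = '*.exe','*.dll','*.sys','*.scr','*.com','*.pif','*.bat','*.cmd',
             '*.vbs','*.vbe','*.js','*.jse','*.wsf','*.wsh','*.ps1','*.msi',
             '*.hta','*.lnk','*.url','autorun.inf'
$SkipDirs  = 'System Volume Information','$RECYCLE.BIN','RECYCLER'

New-Item -ItemType Directory -Path 'E:\Salvage' -Force | Out-Null

# /E copies subfolders, /XJ skips junctions, /XF and /XD apply the exclusions.
# PowerShell passes each array element as a separate argument to robocopy.
robocopy $Source $Dest /E /XJ /R:1 /W:1 /XF $SkipTypes /XD $SkipDirs /LOG:E:\Salvage\robocopy.log
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported failures (exit $LASTEXITCODE); read the log before wiping anything"
}

# SHA-1 manifest of everything that landed on the external drive.
# (SHA-1 because it ships with the .NET 3.5 that Windows 7 has out of the box.)
$sha = [System.Security.Cryptography.SHA1]::Create()
Get-ChildItem -Path $Dest -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $fs = $_.OpenRead()
        try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Close() }
        "{0}  {1}" -f $hash, $_.FullName
    } | Set-Content -Path $Manifest

"Salvaged files listed in $Manifest; recompute and diff after the reinstall before trusting the copy."
```

Excluding executables keeps the salvage from carrying over a dropped binary, but documents, archives and media are still untrusted input that the fresh install's scanner should look at before you open them. The manifest is for afterwards: rerun the hashing loop against the external drive once the new system is up and any line that differs tells you the copy was touched in between.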
 

SecurityTheatre

Senior member
Aug 14, 2011
I suggest viewing one of the hundreds of YouTube videos about this:

http://www.youtube.com/watch?v=sAXkO-Us4Ds


I also suggest not allowing someone to do something on your computer unless you know DAMN well they work for a reputable company.

This scam is both common and basic.

Personally, I'd wipe it. You don't strike me as a paranoid person, so you may not want to. You could try using a restore point, sure. I guess if they're only after your credit card numbers and aren't actually trying to steal anything, that it will probably be fine.

If it's a rootkit or something similar, a restore won't do anything but give you a false sense of security.

Odds are good that it's not, but it's not impossible, I guess. :)
 

Muse

What happened with me 6 days ago was slicker than the videos I'm seeing at Youtube.

I can wipe the drive and probably will. However, I doubt there's anything on it from those guys. Still, best to be safe. This time I'll make an image. I'm going to image my other machines too with Acronis.
 

VirtualLarry

No Lifer
Aug 25, 2001
> If it's a system I type ANY security or credit card info into... I'm probably startin' over. It may not be "easiest"... but it is the only way to be certain.

For internet operations that involve bank or CC details, or gov't online forms that require identity information, I advocate that everyone should have a bootable USB drive with Linux on it, and then you install Windows 7 into a VM on Linux.

Ubuntu lets you encrypt the home directory, which is where you will store the Windows 7 VM disk file.

If you're really paranoid, you can install TrueCrypt onto the Win7 VM install too, and enable the FDE.

This way, you have a bootable OS, that will let you run Windows on virtually any PC. And you can carry it with you to ensure your OS's security against physical access. This way, you pretty-much know that it is safe to use.
 

Muse

Did some internet searching and found a thread at Microsoft Live forums (where I just registered, but haven't posted yet) and there's just dozens and dozens of posts by people who have gotten calls, many of them sounding very similar to the one I got 6 days ago. One post has me convinced I really have to wipe and reinstall. It's by a Microsoft MVP, and goes like this:
- - - -
Since you did what they told you and let them into your computer, you
are now vulnerable to all sorts of problems. I highly recommend doing
both of the following *immediately*:

1. Change *all* your passwords

2. Reinstall Windows cleanly.

Ken Blake, Microsoft MVP
- - - -

http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/logmein123-scam-received-a-call-saying-my/b57b5f1d-d99a-4b3f-9ecf-e0770464190b?page=5
- - - -
I already had a ton of things on my plate, but this will get priority attention in the morning, which will be one week since this happened.
 

Muse

> For internet operations that involve bank or CC details, or gov't online forms that require identity information, I advocate that everyone should have a bootable USB drive with Linux on it, and then you install Windows 7 into a VM on Linux.
>
> Ubuntu lets you encrypt the home directory, which is where you will store the Windows 7 VM disk file.
>
> If you're really paranoid, you can install TrueCrypt onto the Win7 VM install too, and enable the FDE.
>
> This way, you have a bootable OS, that will let you run Windows on virtually any PC. And you can carry it with you to ensure your OS's security against physical access. This way, you pretty-much know that it is safe to use.

May I ask a few questions? Is all this going on on the USB drive? When you say it's portable, I'm thinking a thumb drive. All this on a thumb drive? If so that obviously requires that the PC you boot from it is configured to boot from USB. I suppose it's all possible, 16GB and 32GB thumb drives are out there now and not very expensive. However, to do any of these _secure_ activities you'd need to boot from this thing, and if not already booted from it, you'd need to reboot the machine.
 