has determined that your computer is infected with a virus."
His opening line makes me VERY glad I answered this phone call - I
can already tell this is going to be good. This person has no idea who
he is talking to. Instantly I put my "Dumb Guy" persona on. My wife has
one too, she calls hers "Dumb Dora". To the best of my recollection,
here is the conversation, screen shots, and other interesting tidbits.
ET: "Evil Tech" <-- Person trying to do something
bad with my computer
DG: "Dumb Guy" <-- My borrowed persona
ET: "We have detected your computer is infected with some kind of
malware or virus. If you want, I can show you how to see how it is
DG: "Wow, really? Sure!"
ET: "Can you go over to your computer?"
DG: "Yes, I'm there now."
ET: "What is the key on the bottom right of your keyboard?"
DG: "It says 'C T R L'"
ET: "What key is to the right of that key?"
DG: "It is a key that looks like the windows logo. I don't really use
ET: "Yes, you have an older computer, right?"
DG: "Why yes, it is older." <-- I lied - the keyboard is older, but
the computer isn't.
ET: "I can show you how to see the infection and remove it. Press the
key that looks like the windows logo, and then press the R key."
DG: "Ok. I pressed it."
ET: "What came up on your screen?"
DG: "A window that says 'Run'
ET: "Good. Is there anything in the Open box?"
ET: "Ok. Click the mouse into that box and type 'eventvwr'."
DG: "Ok, I did that. Now what?"
ET: "Now press OK"
ET: "Did a new window open up?"
DG: "Yes, it says Event Viewer."
ET: "Good. Now read me the items in the first column."
DG: "Event Viewer (local), Custom Views, Windows Logs, Application
and Services, and Subscriptions."
ET: "Good! Now double click Custom Views and tell me what you see."
DG: "I see Cisco, ServerRoles, and Administrative Events."
ET: "Very good. Now click on Administrative Events.
ET: "Did you click it?"
DG: "Yes. I'm reading some of these errors. There sure are a lot of
ET: "Let me check if these are your virus or not. Can you click on
one of them and read me what it says?"
DG: "Ok, I have one - it says Log Name: System, Source: Schannel,
eventID 36887, level Error, User SYSTEM, and there are a lot of them."
ET: "Let me look that up ... yes, that is the error. Lets try and
clean it for you. Can you right click on one of these errors and tell me
what the menu says?"
DG: "It says Event Properties, Attach task to this event, copy, save
selected events, refresh, and help."
ET: "Is there a delete option?"
DG: "<sad inflection in my voice> No..."
ET: "How about a 'Clean' option?"
DG: "<sadder inflection> No, I don't see a clean option either."
For the less technical, you are looking at events in the "Event
Viewer" and there are no delete or clean options in it no matter what
you do. Where they sent me is a place that collects up any internal
error that windows finds, and most of them are totally harmless. Really.
But to the less technical user, they can be scared easily into thinking
something is wrong.
ET: "Hmmm.... this is a bad virus. I'm going to have to connect you
with one of our techs online and they'll be able to further help in
cleaning this virus."
At this point, I had to stall him - I needed to spin up a virtual
machine so I could let him 'fix' a computer that I didn't care about and
one that also wouldn't have access to the rest of my network should he
load something really bad on it. I'll spare you the lame excuses
dialogue I threw at him to stall ...
DG: "Ok, sorry about that - I'm back now. Can you help me?"
ET: "Yes, hit the window button and R again. Then type
'www.computerprotection.webs.com' and press Enter."
I did and got this screen:
It is a website created on a free website hosting company that puts
its ads on the bottom. On it were 4 tools for remote control.
DG: "Yes, I did that."
ET: "Do you see the Ammyy Admin 3? Please click on it."
I did so and got a security warning as I'm downloading a program:
DG: "I have a file download - security warning. It is warning me that
files from the internet can potentially harm my computer."
ET: "This is not a file. It is software. Go ahead and click Run."
DG: "I'm not sure about this - it looks like it could harm my
computer. I've had people tell me not to download things - Are you sure
it is safe?"
I needed some time to get the network sniffer running in case this
was some bot client that I was about to infect my system with, so I
looked for excuses not to press Run and go with the flow. Eventually,
all I heard was:
He was gone. Apparently I wasn't cooperating quickly enough.
Some quick research reveals more details about the scam:
Read from others that were victims - read the comments and stuff
So there you have it.
Maybe they will call me back soon ? Hmm.... I would love to have them
hork up a virtual machine of mine, get nothing, and have the whole scam
documented for the world to see. Maybe I should answer more of those
junk phone calls.
UPDATE 11/11/2014: They (or another set
of scammers) called me back! And I was ready for them!
It wasn't 100% the same, but I was able to run things to a conclusion
- so here are the highlights of the differences.
The caller ID did read a number: 21-277-7888 (yes, the area code
wasn't complete). This is confirmed as they called me the next day to
try to follow up and the guy identified himself as the same name as the
First up was "Kevin" - when I asked him for some details, he
described himself as "I work for the windows help and support department
- we are a service provider of Microsoft. We provide services associated
by them." <-- Kevin's exact words.
He wanted to read me a serial number to confirm that his number
matched mine to confirm the computer that was sending them these virus
reports. He had me open up a CMD prompt and type "assoc" and hit enter,
then look for the line that started with ".ZFSendToTarget", claiming
that he would read the serial number that was on his screen and if it
matched mine then he was looking at the report for my computer.
He read me:
"That serial number is your Target ID and your system sends it to us
to identify you. Did that match your number?"
I just smiled and said "Yes, it does!"
The truth of the matter is, that is the exact same line present in
almost every PC when you ask for the file associations, which is what
the 'ASSOC' command does. Here are some screen prints of the output from
the ASSOC command from my main work system, 3rd line down - windows 7 64
Windows 7 32 bit notebook:
Windows 7 32 bit virtual machine I had him playing in:
Windows Server 2003:
Suffice to say, this was his method of trying to convince a
non-technical user that indeed he is getting reports from my system,
which is a total and complete lie.
So now he wanted me to use the service showmypc.com to let him see my
Since I was on a virtual machine set in a sandbox that he could trash
with whatever he wants and I wouldn't care as I could delete all this
changes and restore it to a snapshot taken from before he started
molesting my machine, go right ahead! Control it all you want!
Meanwhile, I was capturing all the data just to see if he was going to
try and infect me with something or not.
Once connected, he ran task manager and showed me the evil process
that was running on my computer:
"Do you see the last line? csrss.exe? That isn't describing itself
and it isn't running as you, this is malware that is waiting for you to
do your online banking [which of course I had already said I do] and
access any sensitive information."
To prove this, he searched for csrss.exe on Google and look what came
up as the number 1 hit:
Now in reality, while other systems could have had this infection, I
know this system is clean.
For those of you following along at home - a bit more technical stuff
for a second - if you check the box that says 'Show processes from all
users" you'll see it is a SYSTEM process and does have a description:
You can also run Process Explorer, pick that process, and verify the
digital signature matches the digital signature that Microsoft
When I hit the Verify button, it greyed out and the image's digital
signature was calcualted and compared and it verifies.
Ok, exiting geeky mode - sorry for the slight divergence.
Now he passed me over to "Andrew" who is one of their "senior
technicians" who will assist me further.
In reality, he is one of their senior scam artists... SORRY FOR THE
SPOILER - I'm getting ahead of myself.
Andrew runs a "netstat -a" command to show me all the connections my
system was making to outside services and help identify the "bot" that
had taken over my computer.
Netstat does indeed show you what connections your computer is making
with anything else as well as everything your computer is listening to.
He pointed out a couple of lines and IP addresses that my computer was
connected to. At this point we were probably 45 minutes into the call
and I was actually getting hungry, so I decided to stop playing Dumb
David and pose a challenge to him.
"That line you say is the malware / bot that is making a connection
out to the internet - isn't that the program you are using to see my
screen? Isn't that using my internet connection?"
"Oh, no sir! We are connecting to your computer via our Windows
Server and not using the Internet. That line shows your system is
infected with malware and when you next log into your bank account it
will send that information into the botnet where people can then access
There is no nice way to say this - but his line was total bullshit.
There is no way he could see my screen if my system wasn't making a
connection to someplace else, with the exception of if he was standing
over my shoulder.
So they finally got to the close of the sale - they offered to
install software on my system that would protect me from malware,
viruses, spyware, botnets, speed up my PC, and bring peace to all the
countries of the world - all that could be mine for $199 for 1 year,
$249 for 5 years, or $299 for a lifetime of protection and security.
I said "Well, considering this is a virtual machine that I regularly
trash and don't care about - which is why I was willing to let you look
at it - I don't think I want to buy the product right now" and
terminated the call.
To their credit, I was guessing they were going to infect me with
something. I guess it is more lucrative to collect $200-300 from people
that don't know any better than to use this method to spread infections.
I can't say if the product they would install is good or not, but I can
say they lied about everything up to that point -
My system wasn't sending them any data at all
My system wasn't
infected with anything
What they identified as malware / bot
connection was really their connection to me
Their connection to me
was using the Internet
With all those lies, why should I believe anything coming out of
There is a joke in poker:
Q: "How do you know when a poker player is lying?"
A: "His lips
Q: "How do you know when a poker player is telling the
A: "When he is calling the poker player next to them a liar."
Don't fall for scams like this one!
If you found this helpful, please send me a brief email -- one line
will more than do. If I see people need, want, and / or use this kind of
information that will encourage me to keep creating this kind of content.
Whereas if I never hear from anyone, then why bother?
If you have experienced the same thing, please share your story!
I can be reached at:
das (at-sign) dascomputerconsultants (dot) com
(C) 2014 DAS Computer Consultants,
LTD. All Rights Reserved.