Current UK 'Windows' phone scam!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kickshaws, Oct 20, 2011.

  1. kickshaws

    kickshaws Private E-2

I have just been subjected to the 'Windows phone scam' but unfortunately they got bored with me disbelieving everything they said and they rang off [after a quarter of an hour!] before getting to the nitty gritty. But arising from this I have a few questions.

Scam went something like this. Caller claimed to work for a company licensed by Microsoft. Call arose because of error messages logged by MS indicating my pc had been hacked. To 'prove' they were bona fide they would read to me a SECRET and UNIQUE number known ONLY to MS and my computer. This number was referred to by the caller as the CLSID.

    Stage 1 of the scam was to RUN: cmd then at the prompt enter: assoc which produces a screen of stuff towards the bottom of which is a long string something like this where x= a letter and 1= a number: <111xxx11-xx1x-11xx-1x1x-11x11xx1x111>

    Caller read out the string and I confirmed it was correct. [I had meanwhile booted up another computer and gone through same rigmarole and noted the CLSID was exactly the same! so not very unique.] As further 'proof' that my system was 'hacked' I was instructed to RUN: inf then asked did I recognise any of the files displayed! No I dutifully answered. How many are there? Hundreds I said. "Ooooh my goodness gracious me how terrible!" they said. "There you are; all those naughty files are hacking files!" "Blimey" I said.

    Next told to RUN: eventvwr and double click 'application' and later 'system' and to scroll to bottom of screen. "Look at all those warning files! and all those errors! All hacking errors. Your system in imminent danger."

    But that's where they got fed up with my lack of co-operation and rang off.

    Questions:

    1. What is CLSID?
    2. What are all the files displayed after the inf command?
    3. What are all the warnings and errors shown in the event viewer?
4. Where was the scam leading? What were they after?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CLSID - is a globally unique identifier. It is normal to have thousands of these in your registry. See:

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms691424(v=vs.85).aspx

    http://en.wikipedia.org/wiki/Globally_unique_identifier


    Inf (stands for information). These files are Setup Information files used when installing various software, drivers, and configuring your PC. They are all typically normal. Some malware will create a few here but it is quite normal to have many of these in your Windows\inf folder.

The event logs are where Windows saves any kind of event (errors, crashes) for any applications running on your PC. It is normal to see things here. Sometimes there are serious problems within Windows and you can debug them by making use of the Event Viewer logs.

    See: http://support.microsoft.com/kb/308427


They were going to get to the point of having you install their software, giving them remote access to your PC. They would then charge you to help you fix all of these non-problems and they would also be stealing information off your PC.
     
  3. kickshaws

    kickshaws Private E-2

    Thanks for all the answers chaslang. The only thing I find odd is you say
and yet the string on my machine is exactly the same as that on another computer I have here and I have seen a screenshot since my original post which also shows the exact same string! The poster of the screenshot thought it was 'unique' to Windows 7 but both my machines here are XP.

    Anyway, thanks again for the info.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not that it is unique to every PC. It is unique for the software application itself. So no matter where you install an application, it will still have the same CLSID. So for example the below is always related to Flashplayer's Flash9.ocx

    HKEY_CLASSES_ROOT\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}
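As an added illustration of the point made above (this is example code, not something posted in the thread), the following PowerShell snippet takes the CLSID strings that `assoc` prints and looks each one up under HKEY_CLASSES_ROOT\CLSID to show which registered software component it names. Because the value is a component identifier registered by the software, not a machine identifier, the same GUID appears on every Windows PC that has that component installed, which is why two unrelated machines show the same string.

```powershell
# Added example, not from the original thread.
# Resolve each CLSID that 'assoc' lists to the class name and the DLL
# registered for it, demonstrating that the GUID identifies software,
# not the computer. Run in PowerShell on Windows.
function Resolve-AssocClsid {
    # 'assoc' prints one "extension=type" line per association; a few of
    # the types are of the form CLSID\{GUID}, which is what the scam reads out.
    $lines = cmd /c assoc 2>$null
    foreach ($line in $lines) {
        if ($line -match '^(?<ext>\S+)=CLSID\\(?<guid>\{[0-9A-Fa-f-]{36}\})') {
            $guid   = $Matches.guid
            $key    = "Registry::HKEY_CLASSES_ROOT\CLSID\$guid"
            $name   = $null
            $server = $null
            if (Test-Path $key) {
                # The default value of the CLSID key is the class's friendly name
                $name = (Get-Item $key).GetValue('')
                # InprocServer32's default value is the DLL implementing the class
                $srvKey = Join-Path $key 'InprocServer32'
                if (Test-Path $srvKey) {
                    $server = (Get-Item $srvKey).GetValue('')
                }
            }
            [pscustomobject]@{
                Extension = $Matches.ext
                CLSID     = $guid
                ClassName = $name
                Server    = $server
            }
        }
    }
}

# Show which software component each CLSID from 'assoc' actually refers to
Resolve-AssocClsid | Format-Table -AutoSize
```

Running this on two different machines yields the same CLSID rows wherever the same component is registered; nothing in the output is specific to the computer or known only to Microsoft.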
     
