KWSN Orbiting Fortress Forum Index KWSN Orbiting Fortress
KWSN Distributed Computing Teams forum
VERY URGENT
The Knighty NI
Prince
Joined: 06 Sep 2007
Posts: 780
Location: Lost in space on a rather small Blue ping pong ball. :)

Posted: Tue Sep 13, 2011 5:21 pm    Post subject: VERY URGENT

Hi Kniggets and Kniggetesess

I seriously hope that an ADMIN reads this and does Two things:

1. Denies access to me on the ORBITING FORTRESS until I can get this sorted out. How we can sort this out for access in the future will probably have to be via a telephone call, which is in the body of the web access chat record below.
2. Deletes my password to KWSN as this has been compromised.

I am very upset by today’s events and want to warn you of a possible telephone and internet scam launched in tandem.

Sadly I fell victim and am very, very disturbed to find that quite a number of files on my PC have been accessed and feel that I should warn you of a potential similar attack on members of KWSN. I will try to be as plain as possible so you know the facts of what happened and what has been done on my PC. If you reply to this thread I should be able to see it as a public viewer.

However, I suggest that as a DC-oriented organization we take steps to ensure our members are not targeted.

If this is tedious due to the blow-by-blow account of what happened, please, please take this seriously, because they have basically screwed up my PC for the time being until I can get it sorted out. On a light-hearted note, lol, don't worry, they won't bust my butt over this, and I don't want any of you getting busted as well.

Let me say that I am seriously PISSED about what has happened and will take my revenge sweetly in some way, because I feel like I have been raped. They asked me to switch on my computer and access the internet. 1ST CLUE (Doh! Always on? Like they didn't know that? Or what operating system I use, and other such stuff that can be garnered very easily with the right tools.)

I received a telephone call this morning from a company purporting to be a Microsoft-accredited service provider. They convinced me that my computer was making unwarranted calls to their server in the US and wanted to help me sort out the problem. In support of their claims they asked me to hold the Windows key down and press R. This brings up the Windows Run command.

Once this was open I was asked to type in EVENTVWR.

This brings up your event logs for a variety of tasks on your PC. Basically it's a standard MS tool that I had forgotten about.

They then asked me to look at the left-hand panel and double-click on the Application and System options to see if there were any yellow warning signs and red error messages, and to give an estimate of how many of these events had occurred.

Dutifully I complied. ARRGH, and that is where I was sucked in for a short time (however, it was long enough to have damage done to my PC). They then asked for remote access to my PC (God, what a SUCKER I am; due to remote access in a previous job and it being the norm, I hasten to add) and I allowed full access to my PC.

Once access was allowed I felt that I was naked with little in the way of reassurance from the representative using the web interface about what he was doing on my PC.

Below follows the Web Interface session:



10:47 AM Checking configuration...
10:47 AM Connecting...
10:47 AM Connected. A support representative will be with you shortly.
10:48 AM Support session established with Alex Murphy.
10:48 AM Alex Murphy restarting application as Windows system service
10:48 AM Connecting...
10:48 AM Connected. A support representative will be with you shortly.
10:48 AM Support session established with Alex Murphy.
10:48 AM You have granted full permission to Alex Murphy. To revoke, click the red X on the toolbar or press Pause/Break on the keyboard.
10:48 AM Remote Control started by Alex Murphy.
10:49 AM Password entry cancelled. Unattended reboot will not be possible!
10:50 AM Logon password has been set for unattended reboot.

10:50 AM Alex Murphy: Hello & Welcome.

Help me with your Name, Landline Number & Email.

10:50 AM Customer: Greg
10:51 AM Customer:
10:52 AM Customer:
10:53 AM Alex Murphy: Thanks for the info........

Let me check your computer.
10:57 AM Alex Murphy:
Your computer is at very high risk.

The software warranty of your computer has expired.

Your computer is compatible to renew the software warranty for 3-5 years from now.

11:05 AM Alex Murphy:

Once you renew the warranty what services and benefits you will get.
1] You don’t need to buy anymore antivirus from the market, because you will get it under the warranty free of cost.
2] We will provide you a blocker in your computer which will never allow these types of infections to come back.
3] All the damaged software of your computer will be replaced right now with the latest one which will help your computer to run 10 times faster.
4] Any migration required by you will be done on your computer without charging any extra cost. [Latest version of word, excel, office of 2010]
5] All minor to major problems of your computer will be fixed by us; you don’t need to go to the local technician.
6] This warranty covers up 3 computers in the house which means in future if you buy any other computer than you don’t have to buy anything for that computer. Everything will be given by us.
7] Lastly any software, programs, movies, games, songs you wish to install in your computer will be given free of cost.

11:07 AM Alex Murphy: By renewing for 5 years you will get 10 bonus years 312GBP. By renewing for 3 years you will get 3 years bonus for 179GBP.
11:07 AM Customer: i will have to do this another time as I don't have that kind of money
11:08 AM Customer: basically I am out of work ATM
11:08 AM Alex Murphy: When you want my agent to give you a call back.
11:09 AM Customer: give me at least a month please
11:10 AM Alex Murphy: Ok. My agent will give you a call in 15 days. Don't use your computer till then.
11:11 AM Customer: whats your telephone number please
11:11 AM Alex Murphy: 2032869751
11:12 AM Customer: thanks and the name of the company?
11:12 AM Alex Murphy: Please wait i will fix the computer for 15 days.

11:12 AM Alex Murphy has sent a link: www.globalpcprotection.com

11:24 AM Customer: humm this is fairly recent Pop up ads have recently started to appear again despite the AD Blocker being switched on Sad
11:25 AM Alex Murphy: Yes, once you renew the warranty, I will fix every problem of this computer.
11:27 AM Customer: Getting a call from you was a surprise I must admit
11:27 AM Alex Murphy: But once you register, you will be very satisfied with the services.
11:28 AM Customer: I hope the telephone people receive better training. I am a professional tele marketeer taking a break
11:29 AM Customer: maybe your company could use a highly skilled IT Professional marketeer to help with some training Smile
11:30 AM Alex Murphy: Ok sir.

Further to the above:

Program downloaded to the PC.
Removal is difficult. System Restore seems to be affected as well, and restore points do not remove the program effectively over a short timeframe, e.g. 2-3 days. Going to try a longer timeframe of 1 week.


Application is in 3 parts called:

1. unattended

Under File Properties:
Company: LogMeIn, Inc.
File Version: 6.3.377
Internal Name: Rescue
Language: English (United States)
Original File Name: unattended.exe
Product Name: LogMeIn Rescue
Product Version: 6.3.377

2. LMI_Rescue_srv

Under File Properties:
Company: LogMeIn, Inc.
File Version: 6.3.377
Internal Name: Rescue
Language: English (United States)
Original File Name: LMI_Rescue.exe
Product Name: LogMeIn Rescue
Product Version: 6.3.377

3. lmi_rescue

Under File Properties:
Company: LogMeIn, Inc.
File Version: 6.3.377
Internal Name: Rescue
Language: English (United States)
Original File Name: LMI_Rescue.exe
Product Name: LogMeIn Rescue
Product Version: 6.3.377

Icon: Rescue

Currently due to the above I am disconnected from the internet until I can get my PC issues sorted out. I have informed the Police in the UK, Fraud Squad, Bank, Paypal and Microsoft.

I am also alerting other teams we have good relationships with.

Decided to edit this and remove my email address and telephone number.
_________________
What is that in the Shrubbery?


Last edited by The Knighty NI on Wed Sep 14, 2011 1:30 pm; edited 1 time in total
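As an added example (not part of the original post, and not LogMeIn's or the forum's code), here is a small Python triage script over the two artefacts the post above gives: the remote-support session transcript and the File Properties blocks of the files left behind. The sample inputs are constructed from the lines in the post. The indicator list, the severity levels, the REMOTE_ACCESS_PRODUCTS set and the reading of what each transcript line means for the victim (a tool "restarting as a Windows system service" persists with system rights, and a logon password "set for unattended reboot" was typed into the tool and should be treated as captured) are the editor's assumptions, not vendor documentation. It also surfaces a detail buried in the property dumps: LMI_Rescue_srv carries the compiled-in original file name LMI_Rescue.exe, so its on-disk name differs from the original, which is the service copy to look for during cleanup.

```python
import re
from dataclasses import dataclass

# Constructed sample: system lines copied from the session transcript in the post.
SESSION_LOG = """\
10:48 AM Alex Murphy restarting application as Windows system service
10:48 AM You have granted full permission to Alex Murphy. To revoke, click the red X on the toolbar or press Pause/Break on the keyboard.
10:48 AM Remote Control started by Alex Murphy.
10:49 AM Password entry cancelled. Unattended reboot will not be possible!
10:50 AM Logon password has been set for unattended reboot.
11:12 AM Alex Murphy has sent a link: www.globalpcprotection.com
"""

# Constructed sample: two of the three file-properties blocks listed in the post.
FILE_PROPERTIES = """\
1. unattended
Under File Properties:
Company: LogMeIn, Inc.
File Version: 6.3.377
Original File Name: unattended.exe
Product Name: LogMeIn Rescue

2. LMI_Rescue_srv
Under File Properties:
Company: LogMeIn, Inc.
File Version: 6.3.377
Original File Name: LMI_Rescue.exe
Product Name: LogMeIn Rescue
"""

# (pattern, severity, meaning for the victim). Assumed mapping, not vendor docs.
INDICATORS = [
    (r"restarting application as Windows system service", "high",
     "tool re-launched as a service: system rights, survives logoff"),
    (r"granted full permission", "high", "operator has full control, not view-only"),
    (r"Remote Control started", "medium", "operator is driving the desktop"),
    (r"Logon password has been set for unattended reboot", "critical",
     "Windows logon password was typed into the tool: treat it as captured"),
    (r"has sent a link: (\S+)", "low", "operator pushed a URL"),
]
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
REMOTE_ACCESS_PRODUCTS = {"logmein rescue"}  # assumed list; extend as needed
LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M) (.*)$")

@dataclass
class Finding:
    time: str
    severity: str
    detail: str

def triage_session(log: str) -> list[Finding]:
    """One Finding per transcript line that matches an indicator, in log order."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, text = m.groups()
        for pattern, sev, meaning in INDICATORS:
            hit = re.search(pattern, text, re.IGNORECASE)
            if hit:
                extra = f" ({hit.group(1)})" if hit.groups() else ""
                findings.append(Finding(time, sev, meaning + extra))
    return findings

def parse_file_properties(text: str) -> list[dict]:
    """Parse '<n>. <on-disk name>' blocks of 'Key: Value' lines into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"^\d+\.\s+(\S+)", lines[0])
        rec = {"on_disk_name": head.group(1) if head else lines[0]}
        for line in lines[1:]:
            if ": " in line:
                key, value = line.split(": ", 1)
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def flag_remote_access_files(records: list[dict]) -> list[str]:
    """Flag known remote-access products and on-disk names that differ from the original file name."""
    flags = []
    for rec in records:
        name = rec["on_disk_name"]
        original = rec.get("Original File Name", "")
        if rec.get("Product Name", "").lower() in REMOTE_ACCESS_PRODUCTS:
            flags.append(f"{name}: {rec['Product Name']} {rec.get('File Version', '?')}")
        if original and name.lower() != original.lower().removesuffix(".exe"):
            flags.append(f"{name}: on-disk name differs from original file name {original}")
    return flags

def verdict(findings: list[Finding]) -> str:
    """Anything high or worse means wipe, reinstall and rotate every password."""
    worst = max((SEVERITY[f.severity] for f in findings), default=-1)
    return "reimage and rotate credentials" if worst >= SEVERITY["high"] else "review"

if __name__ == "__main__":
    found = triage_session(SESSION_LOG)
    print(*found, *flag_remote_access_files(parse_file_properties(FILE_PROPERTIES)), "Verdict: " + verdict(found), sep="\n")
```

Run as a script it prints the timeline of risky events, the flagged files and the verdict; the same regexes can be pointed at a saved copy of any session log in the same "HH:MM AM text" shape.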
The Knighty NI
Prince
Posted: Tue Sep 13, 2011 5:31 pm

Forgot to add Tele No:

Edited to remove my Tele No.

Damn, I feel so vulnerable
Last edited by The Knighty NI on Wed Sep 14, 2011 1:31 pm; edited 1 time in total
Plomos
Prince
Joined: 26 Apr 2011
Posts: 859
Posted: Tue Sep 13, 2011 5:58 pm

Sorry to hear that they got you, Greg. Apparently you are not the first and only victim of this scam. I did a bit of research on it just now and found two articles about it:

http://www.computerworld.com.au/article/314295/windows_event_viewer_phishing_scam_remains_active/

and

http://www.computerworld.com.au/article/383261/microsoft_loss_over_event_viewer_scam/

I hope you get it all sorted out with your own pc. This unfortunate event should remind everyone that the only way to get a real antivirus program and protection for your computer is to download and install it yourself. Also make sure that you keep everything up to date as well as all those pesky windows updates.

Anyways I really hope you can get it all sorted quickly Knighty so you can come back to us
The Knighty NI
Prince
Posted: Tue Sep 13, 2011 6:14 pm

Thanks Plomos

It's not just antivirus these days, it's also being alert to phishing telephone calls.

I really feel very, very disgruntled about this and just want to help the team to avoid any further occurrences.

If I didn't think my passwords had been compromised it would not be an issue.

Stay safe everyone.

In the words of the Terminator:

I'll be back Razz
The Knighty NI
Prince
Posted: Tue Sep 13, 2011 6:24 pm

Some interesting comments on the links:

that the telemarketers seem to be based in India.

Far Eastern in my case, so be aware:

They sounded like they might be Thai, Malaysian, Vietnamese, Filipino or from that part of the world.
Blurf
Prince
Joined: 03 Jan 2011
Posts: 1090
Location: Upstate NY
Posted: Tue Sep 13, 2011 6:27 pm

Knighty NI---there's nothing "we" can do to "protect our users".

This is a common scam, and I am sorry, but you got nailed. You should know better (as we all should) than to do something like this that someone unknown to you asks you to over the phone. Microsoft NEVER calls like that.

I deal with this 3-5x a week now.

You simply got scammed. It's frustrating and upsetting as hell but there's not a lot you can do. Clean out your system, change your credit cards and file a report with the authorities. Just take your lumps and move on.
The Knighty NI
Prince
Posted: Tue Sep 13, 2011 6:35 pm

Cheers Blurf

Didn't take any Lumps on my credit or debit cards thankfully.

Reported to the Authorities already. Just hope they have not downloaded a keylogger or trojan to my PC.

That would be a disaster.
Hal9000x86
Baron
Joined: 06 Apr 2010
Posts: 217
Location: The 10 million year project that will find the question to the answer 42.
Posted: Tue Sep 13, 2011 7:00 pm

The easiest thing would be to just wipe the drive and reimage it; you might have to get a physical disk from the OEM. Then once it's set up, get cloning software like Acronis or Ghost and make a proper image, so if something similar happens again you have the recovery image. If you have saved data you want to keep, move it to an external hard drive and have your antivirus scan it first before putting it back on.
The Knighty NI
Prince
Posted: Tue Sep 13, 2011 7:18 pm

Strewth, HAL

I have almost 0.5 TB of data, and that's not including image and other tough-to-compress data to deal with.

As for a drive from the OEM, ERRK, I build my own PCs to my own personal specs. What suggestions do you have?
Sir Papa Smurph
Cries like a little girl
Joined: 18 Jul 2006
Posts: 4430
Location: Michigan
Posted: Wed Sep 14, 2011 3:25 am

Just buy another hard drive and reinstall your OS. Then delete the Windows file on the old drive. You will not lose any of your files and you will have a clean install.
_________________
a.k.a. Licentious of Borg.........Resistance Really is Futile.......
and a Really Hoopy Frood who always knows where his Towel is...
Hal9000x86
Baron
Posted: Wed Sep 14, 2011 3:31 am

I was just saying doing a clean install (from your operating system disk in this case) would be the easiest way after a format. I normally do a small partition for Windows/programs and a second one for data, so the images are smaller for the operating system.
tiberius
Knight
Joined: 28 Apr 2010
Posts: 36
Location: Melbourne, Australia
Posted: Wed Sep 14, 2011 3:34 am

Sorry Knighty, but Hal's right - the good operators will have you rootkitted (often in the MBR) and in their botnet not long after you've given them access.

The only REALLY safe way is to start again with a new hard drive, and to use a separate bootdisk to recover the data on the old.
_________________
Shrubbing inconsistently since 1999
The Knighty NI
Prince
Posted: Wed Sep 14, 2011 4:17 am

Sorry if I have overreacted.

Fortunately I have a couple of TBs of drive still in their shiny wrappers.

I am more concerned about being keylogged and my passwords being compromised, so that anyone could come in here and do damage.

The reason for my concern is that I did a check on files accessed and my folder containing files for KWSN was turned over completely. They obviously were looking for more potential victims.

Hence I feel it is my duty to alert all KWSN members and members of The Musketeers.
Gemjunkie
Prince
Joined: 03 Jul 2010
Posts: 3519
Location: Earth, lately
Posted: Wed Sep 14, 2011 8:17 am

Perhaps you could use a Linux liveCD to copy your data to an external drive, then pull the HD and keep it for evidence should the police ever apprehend anyone, put in a fresh HD and reinstall your OS. Change your passwords.

I can't imagine how angry you are. Just hearing this I'm ready to renovate that guy's place into a smoldering crater.
Duke of Buckingham [TeaM]
Prince
Joined: 11 Jun 2011
Posts: 670
Location: Lisboa
Posted: Wed Sep 14, 2011 10:46 am

_________________
Friends are like diamonds and diamonds are forever.

Together we stand - Divided we fall.
Grizzly
Prince
Joined: 01 Jun 2002
Posts: 3136
Location: Creepy (Crawlley)
Posted: Wed Sep 14, 2011 1:52 pm

Ni !

The real problem here is the "compromised" data (passwords, banking details etc., yadda, yadda), NOT a screwed HDD. Just format (NO: remove and replace!!) and reinstall OS and apps (on a NEWLY fdisked and formatted HD; use a NEW HDD and keep the old one for forensic stuff).

Change EVERY bloody password you can remember (ON the new HD installation, or on a different "uncompromised" PC), and make an image of the new install (virus checked, rootkit checked, spyware checked etc. [but of course you would have installed a virus checker of multiple choosy on the new installation BEFORE you accessed the internet; you do have a copy somewhere???? of the new installation!!!]). Take your original HD (compromised) and set it as a slave drive, and then CHECK it with antivirus etc. (USE more than one supplier, free or otherwise, see above, yadda etc.)

Don't do this again, but probably lesson learned.

Learn how to speak "Far East".

Hope this is not a reply to a "Troll" post, but if you need help on sorting this out, PM me.

Regds Grizz

Regds Grizz
_________________
Oh Bugger Forgot again - or is it Oh Father Reboot again ?

Ps Grizz in his second childhood - but not his last !

Edihtor of the KoKC (excused spel;l checher'er)

AND NI !!! Tophat 10e

Plomos
Prince
Posted: Wed Sep 14, 2011 6:06 pm

Oh well, I may be able to help a bit with the password problem. If you use Firefox to do your browsing then there is an extension called KeeFox that goes along with a program called KeePass. It has you set up a database to save all your passwords to, and you can then secure the database with a unique password so that not everyone gets to them. Once you're logged into it, when you go to a site you have saved login info for you can just click the mouse and it will enter the info for you and log you in. I've been using it for a couple of years now after I got hit with a nasty bugger of a keylogger and have not had issues since.

Also you can have it create really complex passwords for you to use to make things more secure. Anyways, enough of my babble; if you want to check it out, follow the links:

http://keepass.info/download.html - download version 2.16

http://keefox.org/ - this installs the Firefox part

P.S. Just found that on the KeePass site in the plugins area they have plugins to make it work with Chrome and IE as well.

P.P.S. If you have any questions about it I will be more than happy to try and help.
The Knighty NI
Prince
Posted: Fri Sep 16, 2011 5:35 pm

Thanks Plomos and Grizz

Getting checked out with the GeekPolice. They are very helpful with the technical stuff they do and are all professionals volunteering their time.

Although I have spare HDDs, my Windows disk has gone missing and I have been searching for it high and low since this happened. Sometimes I wonder if I actually have a brain in this noodle of mine.

Once I am sure this system is clear I might look into the password store you mention. Normally I keep my passwords in me head, with different very strong ones for each place I visit. Due to this I have built an exceptionally strong one and am using it for everything for the time being.
Plomos
Prince
Posted: Fri Sep 16, 2011 6:30 pm

Not a problem mate, use it if you want, don't use it, it doesn't bother me either way. Good luck with the CD hunt and the nerd squad.
PhastPhred
Prince
Joined: 22 Mar 2006
Posts: 6017
Location: Northwest AR (USA)
Posted: Fri Sep 16, 2011 6:32 pm

The Knighty NI wrote:
Although I have spare HDD's my Windows disk has gone missing and been searching for it high and low since this happened...

T-O-R-R-E-N-T...
Page 1 of 2