Posted on March 12, 2013 10:54 am

When fake malware phones

Below is a post written by a Microsoft MMPC person, which I have copied here because it is verbatim the same situation I encountered a while back. The FTC and FCC have made it clear that these are scams, even going as far as shutting down the money flow these scams need in order to work.

In a nutshell, I went as far as allowing the “David” caller to remote in using a TeamViewerQS client, within a virtual machine set up just for this scam. I did find out who the person really was, and where they were coming from. While watching the remote session run, I was able to trace the connection to India, and at the same time I informed TeamViewer of the session (Partner IDs) the scammer was using. Well, onto the post….


The other day I was hard at work trying to find and stop actual computer viruses and other malware when my home phone rang. A pleasant man, who gave his name as “David” with what sounded like an Indian accent, said that he had a report about my computer being infected with a virus at their website.

I was immediately very interested, because I work in the Microsoft Malware Protection Center (MMPC), and I’ve heard of these calls. What luck that I would happen to get one myself?

David was very concerned that my computer had viruses and junk files slowing things down. He would make a good support engineer; he was very clear about how to proceed to find viruses and junk files slowing down my computer. Which I happened to be sitting in front of, happily.

He helped me find my keyboard and the Windows key – between the Ctrl and Alt keys at the lower left – and helped me run “eventvwr” from the Explorer run dialog. I’ve probably done this thousands of times myself, but he helpfully spelled out the letters in US military style: Echo Victor Echo November Tango Victor Whiskey Romeo. Once there, he guided me to the Custom Views->Administrative Events to show all the recent errors in the event log.

I had an Internet Explorer crash caused by a plugin, a couple of errors from my printer which was powered off, some cryptic SideBySide loading errors, and the DCOM errors that are in every event log I’ve ever seen. Now, errors in the event log could indicate malware infection, it’s quite true, but the mere presence of random event log errors does not. David asked if I knew what these were, and I said too much and said yes. Happily, he ignored me and said this proved I had a virus and should close the event log, go back and hit Windows-Run again.

This time, I simply had to type “INF” into the box and hit enter. David asked if I knew what these files were, and again I said “yes, they’re setup files and logs for Windows”. “Not so,” David said. He claimed they were junk files caused by malware.

At this point in the call I got rather impatient I’m afraid, and asked David when we’d get to the part of the call where he tries to commit fraud, since that’s what the call was about. I had not given my phone number to any website to check my computer for malware, my computer was not exhibiting any signs of infection – despite David’s attempts to prove I had a virus – and I’m protected by Microsoft Security Essentials with up-to-date signatures. He insisted I had malware. I identified myself as a Microsoft employee working in the MMPC. David gamely asked for my employee ID, which of course I refused to give. I asked him to go to to see what we’re all about.

He hung up on me.

I do regret not going deeper into the script. If my call was like others, David would have asked to log remotely into my computer and “clean” the problem – probably by clearing event logs and deleting the \Windows\Inf folder – and then ask for my credit card. However, I wouldn’t let somebody who called out of the blue log in to my computer, and neither should you.

For more information on computer fraud, visit the Microsoft Safety and Security Center:
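As an added example that is not part of either post above: the MMPC author expects the scammer's "cleanup" to consist of clearing the event logs and deleting \Windows\Inf. Both leave traces a defender can check after the fact. The PowerShell below (my own, not from the MMPC or the scam) looks for the log-cleared events Windows writes when a log is wiped and confirms the Inf folder is still present; it assumes Windows Vista or later and an elevated session, since reading the Security log needs administrator rights.

```powershell
# Added example: look for evidence of the two "cleanup" actions described in the post.
# Assumes Vista-or-later Windows and an elevated PowerShell session.

$Days  = 30
$since = (Get-Date).AddDays(-$Days)

# Windows writes event 1102 (Security log) and event 104 (System log) when a log is
# cleared, and those records survive the clearing, so they are the first thing to check.
$cleared = @(
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
)

if ($cleared.Count -eq 0) {
    Write-Output "No log-cleared events in the last $Days days."
} else {
    $cleared | Sort-Object TimeCreated | ForEach-Object {
        Write-Output ("{0}  {1} log cleared (event {2}) by {3}" -f $_.TimeCreated, $_.LogName, $_.Id, $_.UserId)
    }
}

# %SystemRoot%\Inf holds driver setup files; if it is missing or nearly empty,
# something deleted it, and new driver installs will start to fail.
$inf = Join-Path $env:SystemRoot 'Inf'
if (-not (Test-Path $inf)) {
    Write-Output "WARNING: $inf is missing."
} else {
    $count = (Get-ChildItem -Path $inf -Filter '*.inf' -File -ErrorAction SilentlyContinue).Count
    Write-Output "$inf present with $count .inf files."
}
```

A log-cleared event by itself only tells you that someone with administrator rights wiped the log; correlate its timestamp with any remote-support session that was allowed around the same time.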