
Several current scams center around gaining remote access, often in the guise of fixing problems on your machine. Be it for money or other reasons, one thing is clear: it's a trap!

About a year ago, I took out a lifetime subscription to SUPERAntiSpyware and I have used it without any problems until the last ten days or so. Now, I find that I am unable to activate the scan feature; I click on it just as I have done for the past year, but nothing happens. I called the phone number listed on my receipt, but there was no answer and I wonder if you know whether or not they have gone out of business.

I am not particularly worried about this as there are other applications that I can download. However I thought I would let you know what happened when I went to their website.

I called a number that I thought was the support center and was immediately connected with a technician who skillfully asked my permission to allow him access to my computer so that he could diagnose the problem and I agreed. After he informed me that I had over a thousand errors that needed to be erased and that he could do this for me for only $250.00 I realized that this was some kind of scam and I promptly ended the call. What kind of risk have I exposed myself to?

I have Windows Vista and my computer is about six years old. Thank you for all you do and keep the answers coming.

First, good on you for terminating that call. While it may have obviously been a scam to you and me, I'm sure that many people are falling for it.

To the best of my knowledge, SUPERAntiSpyware is alive and well. However, the approach you took to contact them is worth reviewing. Sometimes, finding appropriate contact information can be confusing and in some situations, it can lead to questionable territory, as you've seen.

But the big question is ... you let a stranger with clearly malicious intent use your machine remotely. Just how worried do you now need to be?

The bad news is that there's no clear answer.

SUPERAntiSpyware

I've never used SUPERAntiSpyware, but I've heard it mentioned from time to time and it appears to have a good reputation.

The website – http://www.superantispyware.com/ – is most certainly up. Their blog is woefully out of date, but I do see current posts by "SAS Customer Service" in their support forum, which I take as a good sign of life.

But that leads us to the approach best taken to find support.


Finding support

You started with the phone number on your receipt. That's typically not what I would start with for a couple of reasons.

  • A phone number on a purchase receipt is typically completely unrelated to product support. More often, it's a number specifically about billing questions or questions relating to the actual process of purchasing the product, not using it.

  • It's extremely common that the actual sale of the product is handled by a completely different company than the company that manufactures it. This is particularly true of software downloads. The phone number listed may not even be for the company that you really want to talk to. And of course, if the payment processor changes or goes out of business, old phone numbers can sometimes lead to new and less than appropriate places.

My approach to finding support comes at it from a completely different angle.

  • First, understand that telephone support is rare, even for many paid products. The problem is very simple: it's extremely expensive – even when outsourced. Products would need to be significantly more expensive than they are to be able to cover the costs and in general, the market isn't willing to pay that price. Bottom line: I don't even bother looking for phone numbers and I recommend that you not waste your time on that either.

  • The official product's website is always the first place to start. I head there first.

  • I typically look for a "knowledgebase". Like Ask Leo! articles, these are often collections of answers to common questions written by the product's own support or development staff. Most of the time, the most accurate answers are to be found here.

  • Next, I look for a discussion forum or "community" link. Peer-to-peer support (users helping other users) is often the next best thing to official support and can be a great source of information. Some companies actually task their support staff with participating in these forums, so you may very well find official answers to common and current questions. (It appears that SUPERAntiSpyware falls into this category.)

  • Something that says "contact us" is next on my list. Once again, it's not likely to be a phone number, but a form that you would fill out describing your issue and submitting it to the support staff. Eventually, you would get an answer via email.

The quality of support varies widely from company to company and doesn't always correlate with the quality of the actual product. In my opinion, understanding your support options should be an important part of the process of deciding what software to use and install – perhaps even more important than the latest whizzy features a product might offer.

What could that "technician" have done?

Regardless of how we got here, you've allowed someone with clearly malicious intent access to your machine.

What to do?

There's no simple answer.

For the paranoid and for those with super-sensitive information, there's really only one choice: assume that the machine has been compromised and backup, reformat, and reinstall from scratch. That's the only absolute way to know that your machine is really your machine and not under the control of some remote hacker.

That's also very extreme, often highly impractical and in all honesty, probably not necessary.

The problem is that there's no way to really turn that "probably not necessary" into "definitely not necessary."

So, we basically end up playing the odds.

He could have done nothing...

This is perhaps the most likely scenario.

The technician was probably only after your money in the form of your purchasing his "services" to clean your machine. It's possible, and in my opinion likely, that this was the extent of the scam. By not falling for it and disconnecting, nothing was done.

The reason I say this is likely is that, from the scammer's point of view, it's the easiest and the safest approach. Beyond commonly available remote access software, no additional hacking tools are required.

As long as enough people fall for the scam and hand over money or additional personal information, the scam is a success without anything else being needed.

He could have done something you'd see...

Most remote access utilities actually allow you to see what the remote user is doing to your machine.

Surprisingly, it's my understanding that it's these common tools that the scammers are using – in part so that they can "show you" all the errors in your machine, usually by exploiting the mess that is the event viewer's log. But that also means that you would be seeing whatever else they were doing.

So, if the technician downloaded or transferred software onto your machine, you'd probably see it being done.

If they ran a program, you'd probably see it.

If they ran a setup, you'd probably see it.

Now, of course, you'd have to understand (or at least have a rough idea of) what it is you're seeing as it happened, and of course, they would be relying on most people not being able to do that.

If they downloaded and installed anything, then you need to assume that what they installed was malware of some sort.

He could have done something you wouldn't see...

Here's where it gets difficult.

It is certainly plausible that the remote connection set up by the scammer included connections that you would not see.

Perhaps a quick sleight-of-hand move while they're confusing you with the Event Viewer allowed them to run a program to set up a back-door connection. Perhaps the type of remote connection they've set up allowed them to bypass your firewall. Perhaps, perhaps, perhaps...

Perhaps the entire time they had you on the line, they were quietly and surreptitiously loading your machine up with all sorts of malware.

Possible. Plausible. Not common, from what I've heard, but ... it could happen.

Assume you're infected

The safest thing for you to do, of course, is assume your machine is infected.

Just how drastic the steps you need to take next are depends on what you experienced, what the scans find, and your own level of security and/or paranoia.

As I said, the extreme is to assume the worst and reformat/reinstall, backing up first so as to be certain not to lose anything.

That's not what I would do. At least not initially.

Instead, I would:

  • Immediately run full anti-spyware and anti-virus scans, first making sure that their databases were up-to-date.

  • Run a full scan with the free version of Malwarebytes Anti-Malware.

  • Seriously consider running a full scan using Windows Defender Offline – particularly if you're having problems with either of the first two steps.

  • Keep a close eye out from then on for anything that looks the least bit suspicious or incorrect – or, most importantly, any new behavior by the computer.

If that all comes up clean, then it's probably enough.

But I can only say "probably."

If you do encounter problems, then stronger measures might be called for.

Article C5581 - July 13, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


18 Comments
Robert R
July 17, 2012 8:39 AM

Sounds like the writer may have been hit by the company iYogi. Sounds a lot like their tactics. See http://www.infoworld.com/t/cringely/the-downward-dog-spiral-iyogi-exposed-189712 for examples.

Lucy
July 17, 2012 8:50 AM

Another great answer Leo!
I use the free version of SuperAntiSpyware, along with free versions of Malwarebytes, Spybot Search & Destroy, and AVG, plus Microsoft Security Essentials.
I am still able to update the SuperAntiSpyware and run scans weekly. They often try to entice me to purchase the paid version, but I believe that I am fine with the unpaid version.
If it was me, I would go with Leo's option of returning the computer to factory condition and reinstalling everything, but then I am a nervous ninny looking for bad guys around every corner :-)
I hope you have a backup from before this incident.

sirpaul2
July 17, 2012 10:01 AM

I regularly use both Malwarebytes and SuperAntiSpyware. They both seem to get the job done.
I bought SAS based on personal results. If I ran Mbam and then immediately ran SAS afterwards, SAS would often find a couple of tracking cookies Mbam did not detect. Inversely, Mbam never found anything after running SAS.
I agree with Leo. A 'reinstall', at this point, is kind of drastic.
1) Run SAS in 'Safe Mode'.
2) Reinstall SAS, (have the registration code handy - although you won't need it just to 'scan').
3) Give Mbam a try (full program trial).

Kevin
July 17, 2012 10:32 AM

Hi Leo
Another very good article
But in this I have a lot of sympathy for sirpaul2 as he did try and do all by the book
What really worries me is that I seem to smell collusion here in some form or another. Know ya mentioned what might have happened in the article, but my nose is still twitching. Could it be that companies have colluded to defraud ???
Only once have I come across anything like this and in that instance fraud was the overriding factor
Hope he has an image backup as that is as ya said the best answer. If not he should do as ya suggested, but to concentrate on root-kits, as they are the only malware that now worry me
Thanks for the articles, which I look forward to and in return I have stopped blocking ad's on your site

Fred
July 17, 2012 10:49 AM

What is a Lifetime Subscription? I thought they only had a free version, and a Pro version, but never heard of a Subscription. Wonder if he paid for the free version at a 3rd party site?

Kevin
July 17, 2012 11:19 AM

Ahhhh !!! Fred's post seems to perhaps unravel the mystery
Can ya comment please Leo ???

Strydrdenis
July 17, 2012 12:06 PM

Leo, wouldn't you say that if he can't run a scan with his existing anti-malware, SUPERAntiSpyware in this case, there is a good chance that he has already been compromised?
In my experience this is one of the first things viruses and malware would do: disable your protection.
If this happens it might be a good idea to try reinstalling your anti-malware software and try running it again. If the program doesn't work there is a good chance you are infected.

Gwyn
July 17, 2012 12:23 PM

"there's really only one choice: assume that the machine has been compromised and backup, reformat, and reinstall from scratch." If you backup, will you not be backing up any malware that the enemy may have downloaded on to your pc?

Absolutely. That's why you'd never completely restore using such a backup. But you would have it available to restore individual files.
Leo
18-Jul-2012

Mark J
July 17, 2012 1:07 PM

@Gwyn
Slight correction in wording. If there is malware on the system, it is backed up along with everything else. If you only restore the data, then the virus won't be copied to the new computer.

johnpro2
July 17, 2012 1:55 PM

Rogue security software & phone scams are now the criminals' tool of choice.
Once infected warnings constantly pop up and it is often hard to tell if they are genuine or not. The frequency is usually the tell tale sign.

In addition to other advice from Leo, ensure your remote access control is unchecked.
With Vista, go to Control Panel, click System, then Remote settings (top left under Tasks) and uncheck "Allow Remote Assistance".
Also go to Task Scheduler (click All Programs, Accessories, System Tools, Task Scheduler) and disable (right-click) any unusual entries.

Jp
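Leo's post-incident steps in the article and johnpro2's suggestion to check Remote Assistance and the Task Scheduler can be collected into one triage pass. The script below is an added example, not code from the article, Ask Leo! or any product mentioned; it assumes PowerShell 2.0 or later, an elevated prompt, English schtasks column names, and that $Since is set to the time of the call.

```powershell
# Added triage check (not from the article): lists the places a remote
# "technician" could have left something behind, for a human to review.
# $Since is an assumption: set it to the time of the scam call.
param([datetime]$Since = (Get-Date).AddDays(-10))

$findings = @()

# 1. Is Remote Assistance (or Remote Desktop) still enabled? Registry form of johnpro2's GUI step.
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
if ($ra -and $ra.fAllowToGetHelp -eq 1) {
    $findings += 'Remote Assistance is still enabled (fAllowToGetHelp = 1)'
}
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($rdp -and $rdp.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are allowed (fDenyTSConnections = 0)'
}

# 2. Autostart entries: every value in the Run/RunOnce keys deserves a look.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # skip PSPath, PSDrive, etc.
            ForEach-Object { $findings += "Autostart: $key\$($_.Name) = $($_.Value)" }
    }
}

# 3. Scheduled tasks via schtasks (works on Vista, where Get-ScheduledTask does not exist).
#    Flag tasks whose command lives outside the Windows and Program Files trees.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName') { continue }     # repeated header rows
    $cmd = $t.'Task To Run'
    if ($cmd -and $cmd -notmatch '^"?(%(windir|SystemRoot)%|[A-Z]:\\(Windows|Program Files))') {
        $findings += "Task: $($t.TaskName) runs $cmd (author: $($t.Author))"
    }
}

# 4. Executables created since the call, in the places a quick install usually lands.
$dirs = $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramFiles, $env:ProgramData
Get-ChildItem $dirs -Recurse -Include *.exe,*.dll,*.msi,*.bat,*.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Since } |
    ForEach-Object { $findings += "New file: $($_.FullName) ($($_.CreationTime))" }

# 5. Established connections with the owning process, from netstat -ano.
netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ }   # [proto, local, remote, state, pid]
    $proc = Get-Process -Id $f[4] -ErrorAction SilentlyContinue
    $findings += "Connection: $($f[1]) -> $($f[2]) by PID $($f[4]) ($($proc.Name))"
}

$findings
```

Every line it prints is a lead to check by hand, not a verdict; an empty list only means these particular places are clean.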

johnpro2
July 17, 2012 3:51 PM

correction: rogue security software ..
Jp

BaliRob
July 17, 2012 9:09 PM

With regard to SUPERAntiSpyware - I have used this product for over four years now as a result of its ability to remove a problem that so-called 'big names' could not solve. Since then, I have found SAS to efficiently update and inform regularly and efficiently - all for free. Also, for the non-techs, it is extremely easy to understand and to operate.

Snert
July 18, 2012 12:51 AM

Is there any way to monitor, in real time, what someone with remote access is doing with your computer?
I'm curious and another reader might find it useful.

Not easily, no. That's why it's so important not to let them in in the first place. You can watch carefully what they do on screen in most cases, but that doesn't tell you if something else is happening that you can't see.
Leo
20-Jul-2012

Bonita
July 18, 2012 8:19 AM

Many people like Remote Assistance, but I do not. Twice after R.A., my computer got buggy. They move too fast for me to see everything they are doing, much less make notes, which I want to do, so that if the problem comes up again, I can fix it myself. I stick to my guns on this, and am finding more and more issues I can now fix.

johnpro2
July 18, 2012 1:51 PM

@snert "Is there any way to monitor, in real time, what someone with remote access is doing with your computer?"

There are full motion & sound screen recorders available. These are often used to make tutorials.

Advise the person assisting that you have screen capture running otherwise they might disable it.
Free examples are My Screen Recorder and BB Flashback Recorder.
Paid examples are Camtasia Studio & Ashampoo Snap 5.
These can be downloaded at a safe site I use regularly called Snapfiles.com
Jp

steven
July 20, 2012 2:29 PM

Copied from the SUPERAntiSpyware page:
SUPERAntiSpyware Professional includes Real-Time Blocking of threats, Scheduled Scanning, and Free Unlimited Customer Service via e-mail.
As you can see, they only use email, not remote assistance. Maybe the victim mistyped the address and was taken to a fake site and got attacked

Peter Wall
July 26, 2012 1:19 PM

Hi Leo & folks.

June 13 last, I had a problem on my laptop. MS Security Essentials simply would not start up, automatically or manually! Of course I didn't access my e-mail (Outlook Express) nor the internet per se (IE8). The evening before there had been a large number of updates from Microsoft Update, so my initial suspicion was that one of these had somehow messed up my system. From there, I started IE and accessed the Microsoft support site. After spending the whole day and a good part of the evening perusing all kinds of very interesting stuff that didn't resolve my issue, including downloading Windows Defender Offline and running it, which showed nothing, I opened a support request to Microsoft. As they would respond via e-mail, I had no choice but to start up my e-mail program (with fingers crossed). Sure enough, I received a response within about an hour, with a support case number and an 866 number to call. I sat on it for a day - too tired from the day before and too busy with other non-computer related issues. The following morning, I called the 866 number, and "Angelo" picked up the phone. I explained the situation and he asked me to enable "Remote Assistance" which I did. I watched what he did quite carefully. After cursory checks of various registry settings and the event log, he was sure I had a virus. He explained he would download and run "AntiMalwareBytes", and I watched him do it. It did not detect anything wrong. Next he decided to reset IE to all default settings and reboot the machine. He did it all himself, except for entering my BIOS password! Really weird, because he said he had buttons on his end that would do that! Should have asked him "Are those hardware or software buttons?" Anyway, once up and running he explained he would download a tool from Kaspersky and run that. The tool was TDSSKiller and sure enough it found a problem with the Windows file SHLWAPI.DLL.
He did something to replace that file though it was difficult to understand exactly what it was he did. All I can say is that the old file was dated 2012-??-?? and the replacement 2009-12-08. Interestingly, there are copies of the same file with more recent dates in other directories on my system.

After this, he rebooted and sure enough Security Essentials started as it should. Thanked him, disconnected Remote Assistance, etc., and went on my merry way to investigate what exactly the TDSS virus was.

Well, it turns out it is a virus that "redirects" web sites, that is you request site x and you get site y that looks like site x. Indeed, I had had what I thought was a misdirection some while before that, but being too busy at the time I did not realize it - I thought I had just typed something wrong or clicked the wrong place. So the virus probably got in a few days prior from somewhere.

Now the question: "How can I know I was really engaged with Microsoft Support?" After all, the TDSS virus redirects sites, and I requested support through a site. It looked like Microsoft Support, but was it really? I surmise that "Root Certificates" may play some role in assuring scammers have a very hard time mimicking Microsoft Support, but how can I be sure, other than to rebuild my system from scratch or a previous backup? For all I really know, Angelo installed TDSS v2.0!

Your comments are very much appreciated.

Clarissa Culp
April 5, 2013 9:44 AM

I had this EXACT situation happen to me when I called for tech support for adaware. I didn't even know I was giving him remote access when I clicked OK, but I did. I saw him open my "run" feature which now terrifies me. I obviously didn't buy his $250 service, but I'm now terrified he did something.
I also ran a windows defender full scan, and all came up clean.

Help!
