Solved Concerned about bots

[dchrisma]

Recently I have received numerous calls from someone claiming to be from the Windows Support Team. I have always hung up on them because I suspected they were phishing. However, the last call said that my PC was being taken over and used as a bot. Has anyone else been receiving these calls?

 

[richc46]

Its a hoax. They want to take over your machine. You probably have bought something on line. Given your phone number or put the information on line in other ways. When putting info online, always be sure that the http is https. In addition, if putting the information online and it is not a secure location, use a different format, for example with email mrgood xxxx at xxxx gmail dot com. You do not need to worry about your current situation. Check with AV, Malwarebytes etc. Keep your eyes open for any changes to important online accounts, such as bank or stockbroker, for any changes in balances, but no need to worry.
Question for you, how would Windows Support even know? They are not monitoring individual computers.

 

[Layback Bear]

Microsoft is way to busy to monitor over a billion computers.

Those callers want in your computer to steal from you.
It could be as simple as a rolo auto dialer. It just keep dialing numbers until someone falls for their trickery.

 

[LMiller7]

I have received many such calls.

Pay no attention to anything these callers tell you. They are trying to scare you into paying for their "services" (which they have no intention of providing). They have no knowledge of your computer or even that you have one. Many people who have never owned a computer receive these calls.

 

[z3r010]

Avoid Phone Scams | Cybercriminal Tech Support Scam | Security Threats

 

[dchrisma]

That's what I thought, but I wanted to check. I am very careful about what I download to my PC and keep my Security software up to date. But, based on my past experiences there are always new viruses and malware being created. I was specifically going to ask how would I detect a bot if I had one?

 

[richc46]

The first thing that I would do is run Malwarebytes, my Antivirus then download and use the MS, Malicious software tool
Download Malicious Software Removal Tool from Official Microsoft Download Center

 

[Tookeri]

how would I detect a bot if I had one?

There are signs to look for. You could start with this: https://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection

You could also try an online service like this one to check your IP address for anomalies: https://www.check-and-secure.com/start/

And check all running processes: http://www.sevenforums.com/tutorial...er-virustotal-check-all-processes-50-avs.html
But you shouldn't trust that anti-virus products can detect it, so watch out for not verified signatures(step 11) and strange or missing descriptions and Company names. Any purple colored processes are also suspicious, it means they are packed/encrypted. And submit any "unknown" files(step 6).

Besides that I have a batch file I run every now and then to check important files and settings on my system. Even if a malware manages to hide from scanners etc it still needs a way to start every time you boot up, so you should check the registry keys Run + Runonce + Winlogon. These parts should be general I think and needs to be run as admin to be able to read all registry keys for Local Machine(HKLM) and Current User(HKCU):

@echo off
echo ***** Checking IP, DNS etc...

ipconfig /all | find "IPv4 Address"
ipconfig /all | find "DNS Servers"
ipconfig /all | find "Default Gateway" | find /V "::"
ipconfig /all | find "DHCP Server"
echo.

echo ***** Checking Winlogon-Userinit...
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" | find "Userinit"
echo.
pause
echo.

echo ***** Checking Runonce commands...
reg query "HKLM\Software\Microsoft\Windows\Currentversion\runonce"
reg query "HKCU\Software\Microsoft\Windows\Currentversion\runonce"
echo.

echo ***** Checking Run commands...
reg query "HKLM\Software\Microsoft\Windows\Currentversion\run"
reg query "HKCU\Software\Microsoft\Windows\Currentversion\run"
echo.
pause
echo.

echo ***** Checking shell open commands...
reg query "HKLM\Software\Classes\exefile\shell\open\command"
reg query "HKCR\exefile\shell\open\command"
echo.
pause
echo.

echo ***** Checking hosts file...
echo.
type C:\Windows\System32\drivers\etc\hosts
echo.
echo ***** Done!
echo.
pause

Verify that the DNS point to your router or ISP, and that the Winlogon/Run/Shell commands don't include any strange or unknown programs, and that your hosts file haven't been modified. The normal setting for Winlogon is only userinit.exe. Runonce should be empty unless you just installed something that requires a restart. The Run keys will likely include several programs though. The Shell open commands are usually "%1" %* (normally no file names should be specified).


How Safe Mode works
When you boot to Safe Mode the Run and Runonce keys will be ignored (except for Runonce if it has a value with an asterisk (*) as prefix).
When you boot to Safe Mode With Command Prompt the Winlogon key will also be ignored. Normally it means it won't run userinit.exe which is the process that starts explorer.exe (the desktop). But any other programs including malware specified here or in any of the Run keys won't be started either.
So if you check these registry keys, at least no malware should be able to start in any of these ways. You could also check the integrity of system files with SFC - System File Checker. Or add the sfc command to the batch file.