Friday, April 22, 2011

Microsoft Event Viewer (eventvwr.exe) phone scammers

The local newspaper ran an article about the recent spate of scam telephone calls in which the caller tells you your computer is infected with a virus and offers to "help" you get it disinfected.

Internet scam reports increase

Since reading this article, I have taken three calls from these folks, two on Saturday, 16 April 2011 and one today (Fri, 22 April 2011). Each time it is a man with an Indian accent -- "Ronnie", "Shane", and "Jack". Each asked if I have a computer with an internet connection and told me it is downloading viruses and infecting my hard drive. Ronnie and Shane said they were from the "Technical Department of Computer" in Newark, New Jersey. Jack said he was from "Tech 4 PC Support" and gave me a phone number of 631-456-4455, which appears to be an unlisted number in Suffolk County, New York on Long Island.

All three calls had the Caller ID information blocked. The first two hung up after I asked them for their phone number. After each call, I hung up and phoned *57 to capture the caller information at Comcast for potential use by law enforcement.

After the first call, I phoned the county sheriff and filed a report and also filed a report with the Internet Crime Complaint Center, as recommended in the newspaper article.

I kept the third caller on the line a bit longer to find out more about the scam. He had me use Windows-R to pull up the Microsoft "Run" dialog and then "eventvwr" to open the Microsoft Event Viewer. Then he had me go to the "Windows Logs", "Application" pane and look at all of the "Error" and "Warning" lines.

These are all pretty normal entries in an uninfected Windows system, but the scammers hope that the user has never had occasion to use Event Viewer before and is awed that the scammer would know about these errors on their computer.
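To see on your own machine that Error and Warning entries are routine, the following added example (not part of the original post) summarizes the Application log by the source that wrote each entry. The seven-day window and the top-15 cutoff are arbitrary choices made for this illustration.

```powershell
# Added illustration: count Error and Warning entries in the Application log
# (the pane the caller pointed at) and group them by the source that wrote them.
$days  = 7                           # look-back window; arbitrary for this example
$since = (Get-Date).AddDays(-$days)

# Level 2 = Error, Level 3 = Warning
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue      # Get-WinEvent raises an error when nothing matches

if (-not $events) {
    Write-Output "No Error or Warning entries in the last $days days."
    return
}

$total = @($events).Count
Write-Output "$total Error/Warning entries in the last $days days, by source:"

# One row per (source, level) pair, most frequent first
$events |
    Group-Object ProviderName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object -First 15 -Property Count,
        @{ Name = 'Source'; Expression = { $_.Group[0].ProviderName } },
        @{ Name = 'Level';  Expression = { $_.Group[0].LevelDisplayName } },
        @{ Name = 'Latest'; Expression = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } } |
    Format-Table -AutoSize
```

The sources listed are the applications and Windows components that logged the entries, which is the context the caller leaves out when pointing at the red and yellow icons.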

The third caller asked me to open Internet Explorer and go to "www.teche4pc.com", which I declined to do.

On the next call, I may try putting the phone on speaker and recording it, as these folks have done.

Fake tech support call scam

28 comments:

Anonymous said...

I have just had a phone call from what I believe to be the phone scammers you described, they told me to do exactly what they told you (eventvwr.exe) then they passed me on to their so called technician so they could help me remove the virus. I explained that I had Norton installed on my pc and they said no anti-virus can pick this up as it happens over time, alarm bells were ringing from the start now they were giving me a headache, lol so I asked them if they would phone me back in an hour after I had contacted Microsoft to check.
Do you think they will.... I WON'T HOLD MY BREATH. lol

Anonymous said...

I am in Kent England and just had the same call. I refused to enter any instructions that I had received on the 'phone and rang off. I tried to recall the phone number, but it was not given.

Jon said...

Thanks for this blog, just had one of these calls, 2/2/2012, from Gungerdin aka Brad. Told me to go to "run" put in eventvwr, said it's tea time got to go, so looked up on Google and found this blog, thanks for info, will tell him put Foxtrot Oscar in his English dictionary when/if he phones back. Cheers Jon, Robin Hood Country, England.

Anonymous said...

I just kept one of them on the phone for 15 minutes, pretending to be incompetent and fussing about. When he asked me what I could see when I went to google www.support.me....I told him I could see www.faud.uk.... He didn't understand at first so I spelt it out... He said Oh My God and laughed... I then told him what I thought of him and hung up. I was the one laughing... Great game.

Anonymous said...

I am in Calgary (Alberta, Canada) and got this same call today (Feb. 20, 2012). Microsoft would never call in this manner. The red flag went up when they wanted to take control of my computer.

I called the local police and they were already aware, added my input (the name and phone number I was given to verify the accented person who called). Apparently, some people have gone as far as giving out their credit card no's to these people. I hope these people get caught!

It would be nice to know how to contact MS regarding these scams.

Anonymous said...

I'm from Sweden. I just received the same call. I didn't follow his instruction, but told him to call back later, in order for me to check up on the "eventvwr". Obviously it's all a scam.

Age said...

"Shane" is currently informing me about payment details now. I've known of this scam from the start.

wants me to go to www.logmein123.com

I just end up stringing them along and playing Nyan cat at them until they hang up. http://youtu.be/wZZ7oFKsKzY

Anonymous said...

I just had the same call about 30 minutes ago.

Currently home alone while my parents are in Japan (I'm in Denmark), and this 'person' got me so freaked out I almost started crying.

However alarm bells started going off as soon as he wanted me to start searching for something, and I just tried to see where he was going with it.

By the end I think he was so freaked out by me freaking out and crying that he just said: FUCK it, and he said: I'll call back later.

As soon as I called my dad (PC specialist) he just said - it's a stupid, stupid scam, and you did well for not giving any information, or going to any website.

I was glad I found this blog-post, so I now know what to do when/if he calls back - blast some Justin Bieber at him until his ears bleed.

Btw. my brother said they'd received those calls like 5 times before (I currently don't live at home), so they are extremely persistent!

Anonymous said...

I got a call from these guys on August 25, 2012.

The guy was very aggressive, and they tried to keep me on the phone as long as possible, even though I was obviously uninterested.

At the end he tried to guilt me into staying on the line, by saying that he was just trying to help, and it was too bad if I didn't want to be helped.

He tried to get me to visit 1stopesolution.com. Why is it that they are trying to get people to visit different websites? Is this some sort of weird SEO strategy? Or are the websites they are sending us to infecting people with malware, in order to support their case?

Anonymous said...

I too have had such a phone call. Yes, Indian voice on line (after a silent gap) saying he's from Microsoft and they had received "error reports" (any time my computer says "send error report?" I always click "NO"). So yes he tried to get me to enter "EVENTVWR" in the "run" box. I told him I wouldn't 'cause I didn't know if he was bona fide. He tried to persuade me he was so I asked him to give me his tel no and name and that I would call back when I had spoken with my "computer guy". He gave me a number starting with "800". I haven't rung it yet (maybe premium rate?) and before I got chance to 1471 and check if it came up as caller withheld someone else had rung my phone so I couldn't do that. I am very wary of folk calling me "unannounced" like this (just as well) especially with Indian accents (by the way I am not being racist). Beware folks..! Dave in London 26/11/2012.

Anonymous said...

I had exactly the same call today and to be fair I get about 4 a week and each time I use a different approach from not owning a computer to owning an Apple Mac... however today after he asked me to click Windows R and put in eventvwr he also gave me his number as 0808 280 2518 also 07390129 followed by an address and a website... the website being www.companyhouse.co.uk and an address being
3 midhurst close
highfield
Crawley
West Sussex
RH11 0BS

Feel free to pass any of this information on to be checked as I think these people need prosecuting. They expect people to pay £99.99 for them to sort it .. after they have access to all personal details

George said...

I had the same experiences as those above. I did not enter the eventvwr code but told the caller that I did enter it. As I was waiting I asked the caller for my name and she had that and more information on me. Where did they get the information from? I would like to speak to that person ..I hung up.

Geo Florida

Unknown said...

I just got the same one.
Was asked to do this too - but I googled it all, made sure to check if anything of this could be a scam.

So it was - thank you Google. Thank you Bill Starr's blog!

RAC Massachusetts said...

Glad to have found your blog, and glad that I quit before anything got screwed up....for what it's worth the number calling me was 78--409-4786. Guess they are still getting away with it, as I note these comments go back over a year.
RAC Massachusetts

Anonymous said...

I just rec'd my second call from the eventvwr scammers. I acted like I entered his info in the RUN box and he asked me what it said.
I told him that it said: "some F*****g hacker was trying to get into my computer". My caller id said the caller was AMEYO at 780-409-4786

Curry Leaves said...

Indian accent with three personnel, sound like a long distance echo on the phoneline, tried to get me to their site. "Personal or Business use of your computer, your computer is infected, we can help you" Get real with a name Jason Morales for an Indian? Gave him the Blue Screen of Death story when I log onto their site which I did not. My Norton antivirus is going haywire... he did finally let me go.
Curry Leaves.

Anonymous said...

I got the same phone call. She said they were getting malware events sent from my computer. She asked me to run the eventvwr.exe which I did not. I told her I was not comfortable entering an executable command from a stranger. The caller ID was (222) 555-7777. I told the lady with the Indian (from India) accent that I needed to check them out first. She said the company's name was PCSecure. She asked me to call back the following number: (972)243-7728. I asked her: "How does your company get paid?" No answer to that question.

Anonymous said...

I've had this call two days in a row. The first time he called and said he was with Microsoft I kind of giggled and he got angry! Said, why are you laughing, you laughing to yourself? I mean c'mon, we all know it's impossible to get help from MS, they sure are not going to call my house. Second time I played along and googled as he went. I told him to hold on, I was googling what he wanted me to do. He said, why you google you do not believe me? if you dont believe me why not hang up the phone? LOL I said I hung up on you yesterday and you called me back today! I think the next time he calls I'll start asking him for his personal information. :)

Anonymous said...

Wow. I just got this call from "Steve Smith" whose boss is "John Walker". Calling me from Brooklyn where the servers are? I asked for his number to call back and verify and got a number 315-688-7303. I'm non New York so I told him that the Brooklyn numbers begin with 718. That should have told him that I was on to him. Nope. He said it was the toll free number. I then said I would call back. I got in touch with Microsoft and was reassured that as long as I had not given access then I should be OK. Told me to report to FTC.
Steve Smith asked me to do the same things as above; Control, R, run dialog box - eventvwr. Called me thrice that guy. In the end I read info from this blog, asked him why he gave me a different number than the 631 number and used a few choice expletives and told him to never call me again.

Anonymous said...

Just got the same call just now (11 Dec 2014) from an Indian guy calling himself David - not much of an Indian first name if you ask me; but who knows. Same story, wanted me to run eventvwr.exe from the run box. I played along as far as I could before I had to admit I run on Ubuntu (Linux) and therefore I couldn't tell him what happened when I ran the program! He stayed on the line for a while wanting me to go and open my other computer on which I sometimes run Windows XP. I asked him to explain what the program is and what it was for - he said it was very complicated and I wouldn't understand - that it checked for nasty files that had been downloaded from the internet without me knowing about it (perhaps he thought I'd never heard of a "virus" before). Anyway, I decided to google eventvwr while he was on the phone and found this site. Thank you. When I told him what I was reading he said - well, I'm going to leave you now, goodbye, and hung up!
He was calling from 0045 756 10916

Anonymous said...

January 3 2015 Carol in Georgia USA

Just got same kind of phone call. India accent, gave me phone no. 888-893-9341 x001. Told me he was with MS and was seeing errors on my pc. Told me to alt+r to run eventvwr, enter. I already knew what this would be so I told him I was not keying anything into my PC until I checked with MS to see how they can see my PC and how they got my phone number....He said I could check him out at www.itecalert.com. I told him I would wipe my drive and reload my recovery and he said it would not work, boy he is dumb. Did not fall for it. SCAM. Oh, I also told him while he was talking I had keyed in the phone number and it showed a scam ... Just hang up, not worth listening to his garbage.

Anonymous said...

I've received so many calls from these folks that I have started to ask them if they need help with their dialer. I mean, how many times can you call the same number, be told to take a hike and still come back? I've run them around the mill a few times, gathering their information and getting their site black-listed, but the game is getting very old.

Anonymous said...

Got a call from them earlier today, poor phone connection, thick Indian accent. I knew it was a scam within the first 10 seconds of the call, but stayed on for giggles, while I googled eventvwr.exe (finding this and a couple other similar forum threads). I had some free time so for fun I tried to run him around in circles as long as I possibly could, trying to sound very interested in his help while reading through these threads. He had forwarded me to his superior after I confirmed I was in front of my computer and willing to listen. After a while of jerking him around playing dumb and trying to waste as much of his time as I could, he caught on and started threatening to rape and kill my family. Same kinda stuff I've read other people hear from these guys going back as early as 2011 lol.

Anonymous said...

They are using a new number 271-386-4976. Just getting the word out there on this scam.

Anonymous said...

Got my third call from them yesterday, and when I told him that I knew it was a scam, the guy lost it. He started insulting me, threatening me, told me he was going to make my life hell. I hung up. But the Ahole was done with me, he called back and told me he was outside my house right now, that I should go look out the window, that he was coming to rape me. I started laughing hysterically, all those crazy insults with that Indian accent was just too much for me.
He got vexed and hung up.

Cygni said...

Yep. Indian guy named Ryan hehhehe. Called. Showed me eventvier with yellow and red marks. Your computer will crash because my software warranty had expired.
Cost $149 yr, $249 3 yrs and $349 lifetime, and lifetime is transferable to other computers too.

Anonymous said...

So far, two of these calls in 2016. Today I kept them on the phone for over 21 minutes. Then hung up. Do my best to be a confused dumb old lady when I reply.
"Is your computer running?"
Me: Which one? --OR-- Which operating system?
"The personal one"
Me: I'm retired, don't have a business one.

etc, etc. Don't know why they keep trying. The letter "v" is impossible for Hindi speakers to pronounce. That instruction on what to type in the Run field can take me a long time. "You mean 'v'? The letter 'v'?"
I'm a Windows user since 1987. I run ancient XP desktop, new Win10 notebook. And do not care one bit.
Little Old Lady in Texas