
this will sound really paranoid but...something weird done by avg tech support


13 replies to this topic

#1 rp88

  • Members
  • 3,060 posts
  • Gender:Not Telling

Posted 04 August 2014 - 03:22 PM

Today I had to contact AVG to ask a few questions about an update issue I was having with my antivirus (it seems all fixed now), but they used LogMeInRescue (a remote control system) and it did one or two weird things. I've had to run it from AVG before, but this time it asked to be let through the firewall (which I did accept, but think I managed to disable after it was done) and also to provide my computer password (the support person's reason for this was because I would need to restart the PC and they wanted it to log on quicker; I didn't give them my login password). Is there any chance that the online chat system had somehow been compromised and it wasn't AVG running it? For anyone who has used AVG tech support, have they asked for your computer's login password when using "Support-LogMeInRescue.exe"? It just started to feel suspicious after I had finished, especially when I remembered that previous use of their service had never asked for a password or to be let through the Windows firewall.

I know I sound paranoid here, but when something acts differently to the last time I used it, I always perceive something fishy could be going on. To clarify, this was me visiting AVG's site for support, not some spammer trying to trick me over the phone.

Thanks


Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB


#2 Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 04 August 2014 - 03:48 PM

First of all, since you initiated the conversation, it's less likely that this is malicious.

 

It's not clear to me who asked you for your password? Was it a person on the phone, or LogMeInRescue?

 

The LogMeInRescue executable should have a digital signature. I suggest you check that.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
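One way to do the signature check suggested above, as an added PowerShell example that is not from the thread or from LogMeIn or AVG (the download path and the expected signer string are assumptions; a remote-support tool is normally signed by its own vendor, not by the company whose support desk uses it):

```powershell
# Added example: verify the Authenticode signature of a downloaded
# remote-support executable before running it, and compare the signer
# against the vendor you expect. Path and expected signer are assumptions.
function Test-SupportToolSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signing certificate's Subject (assumed value)
        [string] $ExpectedSigner = 'LogMeIn'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusText  = $sig.StatusMessage
        Signer      = $null
        Issuer      = $null
        Thumbprint  = $null
        # SHA256 of the file, handy for an offline lookup on VirusTotal
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignerMatch = $false
    }
    if ($sig.SignerCertificate) {
        $result.Signer      = $sig.SignerCertificate.Subject
        $result.Issuer      = $sig.SignerCertificate.Issuer
        $result.Thumbprint  = $sig.SignerCertificate.Thumbprint
        $result.SignerMatch = $sig.SignerCertificate.Subject -like "*$ExpectedSigner*"
    }
    $obj = [pscustomobject]$result
    # A trustworthy download has a Valid status AND a signer you recognise.
    # A valid signature from an unexpected publisher is a warning, not a pass.
    if ($obj.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($obj.Status)': do not run this file."
    } elseif (-not $obj.SignerMatch) {
        Write-Warning "Valid signature, but signer '$($obj.Signer)' does not contain '$ExpectedSigner'."
    } else {
        Write-Host "Signed by $($obj.Signer); signature valid."
    }
    return $obj
}

# Usage (the path is an assumption):
Test-SupportToolSignature -Path "$env:USERPROFILE\Downloads\Support-LogMeInRescue.exe" | Format-List
```

Right-clicking the file, Properties, Digital Signatures shows the same signer information without PowerShell; the script adds the status check and the file hash.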


#3 scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 04 August 2014 - 04:34 PM

This smells like a dead, rotting rat to me. If they need to enter your userid/password, like in the task scheduler, then they can ask you to do it. Just one more reason not to trust AVG.

DS, to me it sounded like AVG.

Have a great day!


Edited by scotty_ncc1701, 04 August 2014 - 04:36 PM.


#4 rp88

  • Topic Starter
  • Members
  • 3,060 posts
  • Gender:Not Telling

Posted 04 August 2014 - 04:47 PM

I initiated the conversation through their website. They asked me to run LogMeInRescue; I downloaded it, checked it with two antiviruses and ran it. I was using the online chat facility on AVG's site (the online chat facility is at an address beginning https://livechat.boldchat.com/aid/ (that link isn't supposed to work, I'm just providing the first bit of the address), though it is linked to directly from AVG's own site) to speak with them. Once I had downloaded and opened the LogMeInRescue exe file it asked for firewall permissions, and then the woman I was in contact with asked for my password (the one I input to log in to my local account on my PC) via what she said was a box which she wouldn't see but which would automatically input it when I restarted. I didn't give her that password, but the fact she even asked is creepy. It's made more creepy by the fact that when I used the online chat facility before (and the remote support service) it didn't ask for firewall permissions and the person didn't want the password. Could they have been trying (or succeeding) in planting some virus on my system? The LogMeInRescue file (Support-LogMeInRescue.exe) is signed, but by LogMeInRescue, not AVG.

Sorry I failed to clarify earlier; no phone was involved. I was "talking" to her through the online chat facility, then through a chat console built into the "remote control" program's window.

"This smells like a dead, rotting rat to me. If they need to enter your userid/password, like in the task scheduler, then they can ask you to do it. Just one more reason not to trust AVG.

DS, to me it sounded like AVG.

Have a great day!"

Does this mean you think that the person I was chatting to was trying something malicious, or that you don't trust AVG as a company?


Edited by rp88, 04 August 2014 - 04:51 PM.


#5 Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 04 August 2014 - 06:22 PM

Can you read this: http://help.logmein.com/selfserviceknowledgerenderer?type=FAQ&id=kA030000000DGD7CAO

Does it sound like they used Request Windows Credentials?



#6 scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 05 August 2014 - 07:57 AM

"This smells like a dead, rotting rat to me. If they need to enter your userid/password, like in the task scheduler, then they can ask you to do it. Just one more reason not to trust AVG.

DS, to me it sounded like AVG.

Have a great day!"

"Does this mean you think that the person I was chatting to was trying something malicious, or that you don't trust AVG as a company?"

Yes on both questions. I've helped many people remotely, and I've never had to ask them for their userid/password combination.

I've tested AVG a number of times, and each time their detection rate was only around 5% when I scanned hundreds of files with KNOWN viruses. Thus the lack of trust in AVG.

Yesterday evening, on my isolated test computer, I tested AVAST, McAfee and AVG with hundreds of known viruses on a CD. The detection rates were:

1.  AVAST = 100%.
2.  McAfee = 42%.
3.  AVG = 4.75%.

The steps were:

1.  Full format of the hard drive.
2.  Applied a known, virus free, base system (OS and updates only) image.
3.  Ran Windows updates to catch any missed.
4.  Scanned the hard drive, after installing the program.
5.  Scanned the CD, and got the results above.
6.  Full format of the hard drive.
7.  Applied the image from step #2.
8.  Repeated 1-7 with each program.

Please don't ask where I downloaded the hundreds of viruses from, because I won't say. I don't want to be the one that "gets" your computer infected.

Finding viruses is easy, but remember, I have an isolated test computer that I use intentionally to test programs I want to use and, like in this case, to test out anti-virus/anti-malware programs, keeping my live computer virus/malware free. This is how I've been able to keep my live computers virus and malware free for about 19 years.

In this case, since I knew there would be a possible infection, before I applied the virus/malware free image each time, a full disk format was done.

Finally, the only viruses the programs detected were on the CD, not the HDD, but the HDD format was for safety reasons.

Have a great day!



#7 rp88

  • Topic Starter
  • Members
  • 3,060 posts
  • Gender:Not Telling

Posted 05 August 2014 - 08:03 AM

"Can you read this: http://help.logmein.com/selfserviceknowledgerenderer?type=FAQ&id=kA030000000DGD7CAO

Does it sound like they used Request Windows Credentials?"

That sounds like it.

As for your comment Scotty, that's terrifying. Seeing as I use AVG in combination with Malwarebytes (as an on-demand scanner), should I be safe? Five percent sounds utterly pathetic; is it even possible for a detection rate less than that? Is Avast free like AVG is?


Edited by rp88, 05 August 2014 - 08:06 AM.


#8 scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 05 August 2014 - 09:24 AM

I know that some folks will disagree with my statements in my other post, and that's perfectly OK.

There are two versions of Avast, free and paid. I have the free version, and it works great. From what I've read, the AV engine and definitions are the same, which are the key points. But Avast (free) also allows you to scan incoming/outgoing e-mails, block sites, and other stuff. I don't know about AVG, but Avast allows for scanning of everything that comes from the Internet, in real time. I know one of the reasons that I told SYMANTEC/NORTON to take a hike was that in their 2007 or 2008 Internet Security they stopped doing the real time scanning.

I tested Avast Internet Security, and it isn't as good as others. My recommended combo is Avast and PrivateFirewall ( http://privacyware.com/ ). I recently abandoned Comodo (see my other posts), and went with PrivateFirewall. Although the interface looks Windows 95'ish, that doesn't matter to me; it's the functionality.

Although Avast has the ability to block sites, I use PrivateFirewall and Firefox's Blocksite Plus. The only difference between PrivateFirewall and Firefox's Blocksite Plus is that Firefox's Blocksite Plus can block specific pages if you want, whereas with PrivateFirewall you can only block the entire site. For instance, in Firefox's Blocksite Plus, I block the Spanish part of a site, so I don't accidentally go there (I don't speak Spanish).

Finally, on Avast, if you go to it, keep this in mind:

1.  You can't have AVG and Avast on the computer at the same time. Specifically, no two ANTIVIRUS programs (e.g. Avast, AVG, McAfee, etc.). Malwarebytes and SAS can be.

2.  Registration is required for a free license. However, on registering, you can use a fake e-mail. It is my understanding they use it only to tell you in advance when it is going to expire.

3.  You will get occasional popups in the lower right corner from them. I have no problems with it. This means offers. Since this is free, and they're not that often, I deal with this. If you pay for Avast, you can disable this feature.

4.  Update checks are every 240 minutes, but you can change it if you want.

5.  I suggest you go through each section and check out the settings, and change them if you want. Once done, you can export the settings to a file for use if you have to reinstall the program.

Have a great day!



#9 Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 05 August 2014 - 09:26 AM

"Can you read this: http://help.logmein.com/selfserviceknowledgerenderer?type=FAQ&id=kA030000000DGD7CAO

Does it sound like they used Request Windows Credentials?"

"That sounds like it."

OK, then this explains it: you were asked to type your credentials in LogMeInRescue's dialog box so that the operator could reboot your computer and regain access after reboot without your intervention.


Edited by Didier Stevens, 05 August 2014 - 09:27 AM.



#10 Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 05 August 2014 - 01:08 PM

"Please don't ask where I downloaded the hundreds of viruses from, because I won't say. I don't want to be the one that "gets" your computer infected."

Can you share the MD5 hashes of your collection Scotty? I've a tool to look them up on VirusTotal.




#11 scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 05 August 2014 - 04:55 PM

"Please don't ask where I downloaded the hundreds of viruses from, because I won't say. I don't want to be the one that "gets" your computer infected."

"Can you share the MD5 hashes of your collection Scotty? I've a tool to look them up on VirusTotal."

DS, I wish I could, but that would violate number 8 of my computer rules. Rule 8 states: "Sample viruses/malware - Do not release the location(s) of where I downloaded the sample viruses from or any information concerning them, regardless of how innocuous it may be, except test result percentages. This is to protect not only myself (liability reasons), but others from getting their computers infected, because proper preventative steps weren't taken. This rule forces the individual(s) to find sample viruses/malware on their own, and thus makes them solely responsible".

Have a great day!



#12 rp88

  • Topic Starter
  • Members
  • 3,060 posts
  • Gender:Not Telling

Posted 06 August 2014 - 06:59 AM

So is it at all likely that the tech support woman was not actually tech support and tried to/succeeded in putting some sort of malware onto my system?

Thanks



#13 Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 06 August 2014 - 07:48 AM

"So is it at all likely that the tech support woman was not actually tech support and tried to/succeeded in putting some sort of malware onto my system?

Thanks"

No, not at all. With your help, we have established that what you witnessed is a feature of LogMeIn Rescue.

 

Furthermore, I talked to someone at AVG (he asked support about this): this is standard procedure. LogMeIn Rescue is used, and when they need to restart your machine, they use LMI's "Request Windows Credentials" feature to prepare a restart.

The credentials you provided do not leave your computer.




#14 rp88

  • Topic Starter
  • Members
  • 3,060 posts
  • Gender:Not Telling

Posted 06 August 2014 - 11:07 AM

Thanks for the advice.

