Windows Support Telephone Scam – Part 2 – What To Do

There are still plenty of reports coming in on the Microsoft Support Telephone Scam since I wrote the original article. A good repository for people’s experiences can be found here:

A number of people have been conned into letting the scammers in to control their PC. Firstly let me say that there is no shame in this whatsoever. It’s a convincing scam, playing on the fears of people, and hooking in even the most suspicious.

Secondly, don’t panic. There are a number of things you can do to safeguard yourself.

One of the respondents, Chrisalisuk, gave some useful advice, which I’ll reproduce here:

For anyone who’s interested on the technical side of this – I run a small IT company and have had a couple of calls from puzzled customers who have been “caught out” by these pond lifers; mercifully, no money has changed hands, but I did have one guy who asked me to go and check security on his machine AFTER the “fix”.

I found evidence of installation – “advanced system registry cleaner” plus a folder and a number of registry keys referring to logmein rescue. The folder was in the windows folder, called “LMI2.tmp”. Rather frighteningly, logmein rescue can now be set for reconnection WITHOUT user permission – so there is a RATHER LARGE security problem RIGHT THERE!

Some interesting stuff in the LMI2 folder! – the virtualpcdoctor registration for logmein. A quick call to logmein has blocked one small revenue stream for them at any rate! The guys there were happy to listen and help, and had prior knowledge of the scenario – they asked me to mail the relevant logs, and thanked me greatly for my time.

Chrisalisuk was also kind enough to give some advice as to what to do:

…if you look at the posting IMMEDIATELY before yours, you’ll find that I mentioned the lmi2.tmp folder nestling in the windows folder – look for that. If you find AND DELETE it, you SHOULD be OK. If you aren’t confident doing this, I suggest that a factory reinstall is your best option “just to be sure” – unless you have a trusted local company that can have a look. Whichever way, it will probably cost you money, but you gain experience – which is priceless. Don’t feel bad – these bastards are GOOD at what they do (con and extortion). Live and learn!

Let’s look at this. A factory reinstall is quite draconian, but will fix the problem for sure. However, it’s quite simple to look for the lmi2.tmp folder yourself. Click on the Windows menu (normally this will be in the bottom-left of your screen). Under this you will see an option labelled ‘Search’ or ‘Find’. Go here, type in lmi2.tmp and perform the search.

If it finds something, click on the item and then hit the ‘Delete’ button. Gone…
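The same search can be done from PowerShell, which also looks inside hidden folders. This is an added example, not part of the original article or the quoted advice: it only reports and deletes nothing, the folder name and the AppData\Local location come from this page, and the registry hives and the service check are assumptions about where LogMeIn leftovers would appear.

```powershell
# Added example: read-only check for the leftovers described on this page.
# Run from an elevated PowerShell prompt so other users' profiles can be read.
$folderName = 'LMI2.tmp'   # folder name reported on this page

# Search roots: the Windows folder, plus each profile's AppData\Local
# (the hidden location a reader reports in the comments).
$roots = @($env:windir)
$roots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local' } |
    Where-Object { Test-Path -LiteralPath $_ }

# -Force includes hidden and system folders that a Start-menu search can miss.
$folders = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Filter $folderName -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, LastWriteTime
}

# Assumption: vendor keys sit directly under the usual SOFTWARE hives.
$hives = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\Software'
$keys = foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*LogMeIn*' } |
        Select-Object -ExpandProperty Name
}

# Assumption: reconnecting without user permission needs an installed service,
# so list services whose name or display name mentions LogMeIn.
$services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*LogMeIn*' -or $_.DisplayName -like '*LogMeIn*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# Report what was found; creation times help date the scammer's session.
'Folders named {0}:' -f $folderName
$folders | Format-List | Out-String
'Registry keys mentioning LogMeIn:'
$keys
'Services mentioning LogMeIn:'
$services | Format-List | Out-String

if (-not ($folders -or $keys -or $services)) {
    'Nothing matching was found in the locations checked.'
}
```

If you intend to send logs to LogMeIn or the police, as described above, copy the folder somewhere safe before deleting it.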

Oh, and change ALL your passwords – REGARDLESS. I would also place a stop on ANY credit/debit cards you have EVER used on the internet on that machine (the companies will understand). Better that, than a negative bank balance.

One last thing – report the scums to the bizzies. It makes you feel as though you’ve done SOMETHING to get back at them, and hey – somebody just MIGHT do something about the problem if enough pieces of paper land on their desk.

Yeah, this is hassle, but I’d certainly recommend doing it. If nothing else, it will give you peace of mind.

One thing I would also add is to perform a full and comprehensive virus scan on your PC. If you have more than one virus scanner, then use both. Run any anti-spyware/malware tools you have as well. I’ve also heard good reports about Hitman Pro which seemingly downloads quickly and runs effortlessly.

Do all this, and you’ll have nothing to worry about. And, most importantly, tell everyone you know, and do it face-to-face or over the phone if you can. Some people are generally suspicious of email chains that warn of impending doom in some way.


The Guardian newspaper seem to be onto this. This comment was posted on the Digital Toast forum above on 29/06/2010:

If anyone has been caught by this scam, or knows someone who has, then I’d be grateful if you could tell me the name of the company *whose name appears on your credit card*. It’s clear this company uses loads of different sites and different names, but I suspect it’s the same one (or ones?) behind it. Email me please

Charles Arthur, editor, Technology, The Guardian

Other Articles

This is one of an ongoing series of articles that I have written following this scam. You can find them under the following tag group:

3 thoughts on “Windows Support Telephone Scam – Part 2 – What To Do”

  1. Hey, not sure if this is the right platform, just trying to get as many answers as possible. I received a similar call yesterday and went along not thinking straight. I was eventually asked to go to not realising it was logmein allowing remote access. I did go as far as keying in the 6 digit pin but as soon as a connection was established I closed the chat box and hung up.

    Now my question is whether my information has been compromised since I did not allow them to take control? I have disabled anything doing with lmi.exe on my firewall and disabled remote access.

    Please help! Appreciate it..

  2. Just cleaned this off my Mother-In-Law’s computer. They hid the LMI2.tmp folder in a hidden folder under c:\Users\username\AppData\Local.

    Thanks for the information. Really would like to know how they got the initial contact and install done.

  3. Thank you for posting this information. It helped me clear things up for my mom. Thankfully she had the right mind to call me when she was on the phone with them, and I got her to hang up and unplug her computer before too much time had passed. Luckily, the legit company whose software the crooks had used to access her computer has agreed to help her take it off, and clear the machine of any further access by anyone using the portal. Thank you Again!
