Missing RAM after a call from a "Microsoft" tech

JoeEkaitis

An acquaintance from church asked me to perform my computer tuneup on his HP Pavilion laptop after he realized the heavily accented caller on the phone wasn't really from Microsoft. The caller had maneuvered him into installing GoToAssist which includes unattended remote access. I took off GoToAssist, ran Adwcleaner and Junkware Removal Tool (both available from bleepingcomputer.com). Adwcleaner rightly reported PCKeeper as a PUP (potentially unwanted program) which I removed.

The computer was still agonizingly slow, so I checked Task Manager for rogue services and processes but found none. Instead, the Memory tab reported less than 1GB of RAM. The computer Properties reported 6GB of installed RAM but the same paltry amount of usable RAM.

A boot into Safe Mode (what a pain on Windows 8) reported the same numbers. I shut down the laptop, opened the back and pulled and reseated the RAM.

And there it was, all 6GB installed minus the 128MB for the Intel integrated graphics.

And now, for the $64,000 grand prize:

Can a fake PC tech plant code that stays in RAM as long as the RAM sticks are in their slots or was this just a hardware fluke?

What say you, world?
 

Matera the Mad

AFAIK nothing can be permanently persistent in RAM if power is cut off. RAM also has a way of being godawfully fluky. I've been doing the RAM-dance a lot with a recent eBay prize catch. (My critter is not only like OCD about its RAM, it also chewed up and spit out a brand new 2T harddrive.)

You done good, be happeh.
 

WriteMinded

Interesting story. The fake Microsoft techs call me at least once a week. They are fun to play with for a while.
 

BradCarsten

Windows 8 has that fast startup feature that stores the kernel memory image for a faster bootup. Perhaps someone's found a way to exploit that.
Although that wouldn't explain why removing the RAM would sort it out. Maybe it was hibernating instead of shutting down? Who knows why computers do some of the things they do.
 

AW Admin

> Can a fake PC tech plant code that stays in RAM as long as the RAM sticks are in their slots or was this just a hardware fluke?
>
> What say you, world?

Yes, it's possible. Keep in mind that a modern computer has memory in chip form in places other than RAM now. PRAM. Battery memory.


Or a malicious file that you removed but the RAM wasn't flushed.

There's in-the-wild malware that attacks printers and then uses that as a backdoor.

And it's possible it's just a fluke, too.
 

cbenoi1

Your culprit is called SMA (Shared Memory Architecture).

http://en.wikipedia.org/wiki/Shared_memory_architecture


Many laptops don't have separate memory for graphics, because of space, price and power consumption. The graphics card therefore 'reserves' a chunk of memory out of system RAM for its own purposes. If you had checked the amount of dedicated RAM the graphics card driver reserved, you would have probably seen it use like 15GB of system RAM. Desktop users seldom have this issue because most systems are fitted with a graphics card proper and thus have separate memory chips.

I'm guessing your hacker changed the default graphics driver allocation in order to increase disk swapping (hence the huge slowdown) and thus justify the help call.

-cb
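
Added example, not part of cbenoi1's post: a PowerShell check that compares the RAM the modules report with what Windows can actually use, which is the gap this thread is about. It uses only the standard CIM classes `Win32_PhysicalMemory`, `Win32_OperatingSystem` and `Win32_VideoController`; the 25% threshold is an arbitrary assumption for illustration.

```powershell
# Added example: installed vs. usable RAM on a Windows machine.
# Run in an ordinary PowerShell session; no extra modules are needed.

# Per-slot view of what the memory modules themselves report.
$modules = Get-CimInstance Win32_PhysicalMemory |
    Select-Object DeviceLocator,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Capacity / 1GB, 2) } }

# Total installed RAM in bytes (sum of all modules).
$installedBytes = (Get-CimInstance Win32_PhysicalMemory |
    Measure-Object -Property Capacity -Sum).Sum

# RAM the operating system can use. TotalVisibleMemorySize is in kilobytes.
$os = Get-CimInstance Win32_OperatingSystem
$usableBytes = [double]$os.TotalVisibleMemorySize * 1KB

# Everything held back by firmware, integrated graphics or configuration.
$reservedBytes = $installedBytes - $usableBytes

# Memory the graphics adapter reports. AdapterRAM is a 32-bit field,
# so values at or above 4 GB are not reliable.
$video = Get-CimInstance Win32_VideoController |
    Select-Object Name,
        @{ n = 'AdapterRamMB'; e = { [math]::Round($_.AdapterRAM / 1MB) } }

# Assumption: treat more than a quarter of installed RAM being unusable
# as worth investigating (shared-memory setting, seating, boot options).
$threshold = 0.25
$ratio = if ($installedBytes) { $reservedBytes / $installedBytes } else { 0 }

$modules | Format-Table -AutoSize
$video   | Format-Table -AutoSize

[pscustomobject]@{
    InstalledGB   = [math]::Round($installedBytes / 1GB, 2)
    UsableGB      = [math]::Round($usableBytes / 1GB, 2)
    ReservedGB    = [math]::Round($reservedBytes / 1GB, 2)
    ReservedRatio = [math]::Round($ratio, 2)
    Investigate   = $ratio -gt $threshold
} | Format-List
```

Running it before and after a change such as reseating the modules shows whether the reserved amount actually moved.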
 

Reziac

GoToAssist is a perfectly legit program from a perfectly legit company. But Citrix doesn't go door to door looking for customers (they're in the enterprise market, not the consumer market). I'd guess whatever was installed 'borrowed' their good name, or possibly used a hacked version to gain access (since that's what it's for -- remote desktop assistance) and then they had their way with the affected computer.

cbenoi1's guess about the culprit changing graphics allocation is probably spot-on. I'd guess that reseating the RAM made the system reset allocation to the default.

BTW I'm on about every tech company's mailing list known to man, and I still don't get calls asking me to buy or install anything. I think it's safe to assume that all such calls are bogus.
 

Robert Dawson

When the Microsoft Hell Desk phones:
* Tell them you will check if there is a virus. Ask them to hold. Go do something else.
* Come back and ask if they are sure, because you have not seen one. When they say yes, go do something else.
* Come back and say the computer is not responding to the keyboard. Ask what you are meant to do. Ignore answer and go do something else.
* Come back and ask if computer was meant to be turned on. Try not to giggle.
* Go do something else. A short story of about 3000 words would be about right.
* Hang up.

If you do not have time for this, when the caller tells you in a Mumbai accent that he is "Justin" from the Microsoft Help Center, inform him kindly, as if talking to a beloved but absent-minded relative, that, no, he isn't, and hang up. It is always possible that he wasn't quite sure.

You do not have my permission to swear at him unless he swears first. He is earning a living, and politeness is free.
 

Ketzel

My phone number is associated with the work I do at Senior Centers and so I get a lot of phone calls specifically aimed at scamming the elderly. I don't like the way "Justin" is earning a living and I have no problem telling him so. If I have the time when the call comes in (about once or twice a week) I listen to the spiel (every Microsoft computer in the world, running every form of Windows, is infected with a virus that must be repaired or you are at risk of losing all your life savings is the usual one.) Sometimes I ask him if his mother knows what he does for a living and how proud she must be that he's scamming the elderly. Sometimes, if he's particularly good at selling the fear, I swear at him, no permission required.
 

Reziac

> My phone number is associated with the work I do at Senior Centers and so I get a lot of phone calls specifically aimed at scamming the elderly.

That would do it :( Look on the bright side, you're kept up to date on all the latest scams, so you can keep your Seniors apprised and wary!