A family member of mine (seriously, it wasn't me) fell for a Windows tech support scam.  She received an error message on her screen telling her that her computer had been infected and she needed to call an 800 number immediately.  So, she then proceeded to call the 800 number and allow the person on the phone, who identified themselves as Microsoft technical support, remote access to her computer.  (Yes, she now knows this was a horrible mistake.)  After allowing them to control the computer for a few minutes, she turned it off.  What should her next steps be?  It's probably worth noting that her tax returns were stored on this computer.  She didn't give them any credit card info other than what they might have been able to get themselves from the computer.

I figure at the very least:
-  change passwords to everything
-  monitor credit card statements
-  establish a credit freeze

Questions:
-  Should she just go ahead with cancelling the credit cards?  
-  Any thoughts on whether LifeLock or similar ID prevention services are worth it?  I see reviews all over the map from 1 to 5 stars.

Then, from a technical perspective, is running an antivirus/malware scan good enough?  Or should the whole drive get wiped?

Anything else I'm missing?  Thanks.


It's possible that they installed a trojan/ransomware on the computer. I would find a security expert who can scan the hard drive. Do not start up the computer again. If they have, it may be too late and much more difficult to fix.

ETA: If you don't critically need the documents on the drive, you can certainly wipe it, but again, don't start the computer up using that drive. If you have to, make sure it is not connected to the internet or any network (turn off the wireless router).

I doubt they did any damage.. just scan it with mbam and call it a day.

These people are too inept and don't have the time to sabotage PCs beyond putting on a syskey pass or trying to extort cash from stupid people.

Cancel the cards!!

Office Depot and Staples routinely provide free virus scans. Definitely don't restart it while connected to the internet without first making sure it's clean.

Disconnect internet
Turn off Remote Access
Copy sensitive docs to USB drive then delete from computer
Wipe free space from hard drive
Scan system using various programs

First thing is to disconnect the network connection of the computer. If it's wireless, then the easiest is to change the router's wireless password so the computer will not be able to connect. If it's wired, then simply unplug the ethernet cable.

Download combofix on to a thumb drive from another computer and disconnect that computer from the network and run it.

Luniz97 said:   Download combofix on to a thumb drive from another computer and disconnect that computer from the network and run it.
  http://download.cnet.com/Combofix/3000-8022_4-75221073.html

 

alamo11 said:   I doubt they did any damage.. just scan it with mbam and call it a day.

These people are too inept and don't have the time to sabotage PCs beyond putting on a syskey pass or trying to extort cash from stupid people.

  This is likely to be correct.  Have some fun watching a u-toob video of folks intentionally walking through the scripts.  They are so incredibly insipid as to be nearly unbelievable, and all of it boils down to one thing... syskey-based ransoming.  Of course, they try to get the victim to volunteer their name/CC info along with the CVV code, address, etc. before they go all syskey on them, most times anyway.

Better warn her of this popular scam as well at this point:

</phone ringing>

Caller in Indo-english accent:

"Hello, this is John Davis, agent of the Internal Revenue Service calling from San Francisco about a lawsuit against your name. For verification purposes, please state your name."

...later

"Would you prefer to proceed to court or make payment today in the amount of $2,412?"

...and eventually after buying Green Dot or similar at CVS...

"Please read me account number printed on your receipt."

I've run into the same thing, surprisingly at my job in a large IT shop.

The employee pretty much did the same, and then called/paid them. We told them to change their passwords and cancel the affected card.

Though it doesn't deal with a web pop-up, like the OP states, this should be required reading for anyone on the internet.

http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from...

Disconnect the old disk
Install a new disk
Install a clean copy of Windows
Connect the disk and copy over your data
in the future put anything important on a cloud provider
(Two is better)

For me, I'd skip wasting time scanning the drive. She, and perhaps you, will always worry you didn't clean it all. A month later the printer is acting strange... oh no, do I have a virus? No, maybe not, but why not just yank out the old drive, toss in a nice SSD and do a clean Win 10 install. Then attach the old drive and scan, copy back what is really needed. Sure you spend all night doing it, but then you know you're done.

Better yet, does she really need Windows? Chromebooks have become very good. What can't you do in a browser for most users? Sure, you need to adapt a bit, but then no more forgetting to back up. Docs, music, photos are already stored at Google. Virus... nope. Tech support scam... nope. Browser hijack? Powerwash reboot in under 2 min. Log in and you're back up and clean.

Remember, when they call Saul, give them the answer they need, not what they say they need. Protect them from themselves.

Wipe, reinstall, force autobackup on them, try to force them to chromebooks. If you really think they must use windows or OSX, after clean install image their machine to external USB and keep copy with you. If room, leave image also on their drive.

ask relative to give you all of her credit cards to check for fraudulent activity.

charge up all the credit cards.

blame tech-support scam.

rinse & repeat often, as relative is an obvious dimwit.

I would wipe the whole drive. Monitor all my finances. Although I doubt they did any real damage.

Wow. Remote access to the computer. Wipe it. Wipe it good!

allowingtoo said:   Wow. Remote access to the computer. Wipe it. Wipe it good!
  
Windex or soap and water?  LOL 

Anyway........... IMO, plug this HDD into a clean computer and back up the data only... then put the drive back and OEM the whole thing and restore the data.

+1 on the credit monitoring...... while at it, do the identity theft thing too.

flyingroach said:   For me, I'd skip wasting time scanning drive. She, and perhaps you, will always worry you'd didn't clean it all.

 

That's how I felt when my computer caught a similar bug.  I wasn't naive enough to give out any credit cards or call any numbers.   I don't believe information on my computer was compromised because I disconnected the network immediately.  The bug I got was pretty nasty.  Every time I turned its service off it spawned a new one with a new name and I didn't want to go through the whole registry.  It made it through McAfee (not saying much).  I'm not a fan of McAfee and I only had it because it was the free trial on a new computer.  I always switch to AVG but that's another thread.  I left the computer air-gapped and ran it through some other tools.  Long story short, like flyingroach said, I knew I would never trust the PC on a network again so I wiped it.

So here are my suggestions:

  1. Wipe the computer or replace the drive.  Someone suggested an SSD, and I can say I love my SSD (Solid State Drive); they are much faster.
  2. How you move the files is up to you, but make sure you are careful not to reinfect the new/wiped drive.  Only grab the important stuff.
  3. I would not worry about credit cards too much unless she gave them a CC number.  On that front I would simply monitor the bills closely.
  4. I WOULD cancel debit cards linked to bank accounts that could have been compromised.  Federal regulations don't offer as much protection against fraud with debit cards as they do with credit cards.
  5. Lifelock is something you should research before even considering.  I've heard a LOT of complaints.
  6. Finally, it doesn't hurt to do this for anyone.  Check credit reports once a year.  I've seen stuff on my credit report for places I've never been.  I just had a house of "mine" that I never owned foreclosed on in a state I have never been to.  If an identity is compromised it can take a while for it to show up on paper, so monitor regularly over the long term.
  7. If you replaced the old drive with a new one properly dispose of it so it can not be recovered.  There are tools to wipe the drive so that old data is not recoverable.  Any idiot with some freeware can recover a drive that was simply formatted instead of properly wiped.  I have used those tools to recover information myself that was accidentally deleted.


(embedded media: Drill)
If you toss any drive, this wipes everything easily...

 

giqcass said:   

  1. How you move the files is up to you, but make sure you are careful not to reinfect the new/wiped drive.  Only grab the important stuff.



And just how do you know the important stuff isn't infected?

My concern would be that the "tech" installed a keylogger, so I'd do a disk wipe (or replacement, if the current one is more than a few years old) to be sure.

I'm a computer crime expert specializing in malware. Anyone suggesting you scan the system is only fooling themselves. They almost 100% certainly installed malware and the chances of finding it all or cleaning it are slim to none. First thing to do is remove the system from the Internet. DO NOT RECONNECT UNTIL THE SYSTEM IS WIPED!!! Hopefully they have backups of any files they need. If so, the safest thing to do is to format the drives and do a clean install from the original disks. If they absolutely need data and don't have backups, I'd recommend using a CD to burn any needed files to disk. Then, format the drives. LESS IS BETTER!!! Under no circumstances move any executable files. Stick to photos and documents. Everything else can be rebuilt. I recommend using DBAN to wipe the drives; it's free and will effectively wipe all the drives and completely remove any malware. It's possible they have installed more advanced malware, like a BIOS infection, but the chances are infinitely smaller. The vast majority of these guys install simple keyloggers or data harvesting software. Honestly, if they have any desire to upgrade drives it's not a bad idea to just start with a fresh one. Under no circumstances would I ever log into anything on that system until it was fully wiped.

atikovi said:   
giqcass said:   

  1. How you move the files is up to you, but make sure you are careful not to reinfect the new/wiped drive.  Only grab the important stuff.



And just how do you know the important stuff isn't infected?

  The most common mistake people make all the time.....    People assume because they wipe the drive they are safe.  The problem is, if you take data off the drive and reload it later, you never really know that you're safe.  Some file types are safer than others.  Still, you're gambling with each file you move. 
 

CD burner? that won't hold all my porn. Buy a cheap $15 external drive enclosure and put your drive in there. Much faster to transfer the file.

WorkerAnt said:   CD burner? that won't hold all my porn. Buy a cheap $15 external drive enclosure and put your drive in there. Much faster to transfer the file.
  Exactly, much faster at moving the malware that's going to infect the drive the moment you plug it in.  Same goes with thumb drives.   The CD lets you control what's being moved and validate before you burn.



 

Going back to 2008, my wife's Windows computer got infected. I bought her a Mac from a deal right here on FW. Upgraded to a MacBook Air after a few years. No nonsense to deal with since then.

When Elliot on Mr. Robot feels the need to purge all of his data, he drills holes in his drives and throws them in random dumpsters, and he cooks his SD cards in his microwave. 

Start doing disk images every so often... then it's an easy task to restore back in time... try Macrium Reflect, it's free...

king0fSpades said:   Going back to 2008, my wife's Windows computer got infected. I bought her a Mac from a deal right here on FW. Upgraded to a MacBook Air after a few years. No nonsense to deal with since then.
  False sense of security.


drodge said:   I'm a computer crime expert specializing in malware. Anyone suggesting you scan the system is only fooling themselves. They almost 100% certainly installed malware and the chances of finding it all or cleaning it are slim to none. First thing to do is remove the system from the Internet. DO NOT RECONNECT UNTIL THE SYSTEM IS WIPED!!! Hopefully they have backups of any files they need. If so, the safest thing to do is to format the drives and do a clean install from the original disks. If they absolutely need data and don't have backups, I'd recommend using a CD to burn any needed files to disk. Then, format the drives. LESS IS BETTER!!! Under no circumstances move any executable files. Stick to photos and documents. Everything else can be rebuilt. I recommend using DBAN to wipe the drives; it's free and will effectively wipe all the drives and completely remove any malware. It's possible they have installed more advanced malware, like a BIOS infection, but the chances are infinitely smaller. The vast majority of these guys install simple keyloggers or data harvesting software. Honestly, if they have any desire to upgrade drives it's not a bad idea to just start with a fresh one. Under no circumstances would I ever log into anything on that system until it was fully wiped.
  

alamo11 said:   I doubt they did any damage.. just scan it with mbam and call it a day.

These people are too inept and don't have the time to sabotage PCs beyond putting on a syskey pass or trying to extort cash from stupid people.

  I agree with this.
 
Download MBAM on another machine - and install it onto the infected machine.  Unplug it from the router / wireless etc.  Install MBAM - and run a thorough scan.

 

drodge said:   
WorkerAnt said:   CD burner? that won't hold all my porn. Buy a cheap $15 external drive enclosure and put your drive in there. Much faster to transfer the file.
  Exactly, much faster at moving the malware that's going to infect the drive the moment you plug it in.  Same goes with thumb drives.   The CD lets you control what's being moved and validate before you burn.



 

  
Tell me if I'm wrong:

1)  the malware cannot execute itself
2)  the malware cannot move itself unless something is moving it.

So, the external HDD is just storage.  All the actions are coming from your clean system.  So how does that malware get moved too unless the idiot user is still trying to copy that "awesomefreepornclickhere.exe"?  There is a small chance the firmware for the HDD gets infected to execute the malware.

As for CD, the autoplay sometimes gets tricked into executing the malware.  One of the many things I do when preparing a new system is to turn off all these autoplay/auto-update/autoupgrade/auto-etc.

I saw on the news they just busted some guy for getting 120k out of some woman; they got a hold of her account and started transferring all the money out, then they asked her for cert checks. The FBI got in on it and asserted the guy when he came to pick them up.  They really need to bust more of these people; all these scams are getting worse.

EradicateSpam said:   If you toss any drive, this wipes everything easily...

 

  Serious question... what sort of drill bit do you use?

I have a handful of old drives lying around that I'd rather toss than store for security reasons.

Related... can I use a huge magnet to wipe a drive and render it inoperable?  I have this fantasy kill switch where I rig up one of those door-locking magnets and place it on the external drive.  In an emergency I hit the switch that activates the magnet and everything on the drive goes poof.  Works in reality or am I dreaming?

The magnet is a joke unless it's specifically designed for degaussing. It's just not reliable enough to delete sensitive data.

Just about any drill bit will work fine. The case is aluminum. The platters were traditionally metal, but light gauge. Beware that many manufacturers have been using glass or composites for the platters. They can explode when you drill them. If they are inside the HD case it's no big deal. If you open the case and drill, it can be extremely dangerous.

WorkerAnt said:   
drodge said:   
WorkerAnt said:   CD burner? that won't hold all my porn. Buy a cheap $15 external drive enclosure and put your drive in there. Much faster to transfer the file.
  Exactly, much faster at moving the malware that's going to infect the drive the moment you plug it in.  Same goes with thumb drives.   The CD lets you control what's being moved and validate before you burn.



 

  
Tell me if I'm wrong:

1)  the malware cannot execute itself
2)  the malware cannot move itself unless something is moving it.

So, the external HDD is just storage.  All the actions are coming from your clean system.  So how does that malware get moved too unless the idiot user is still trying to copy that "awesomefreepornclickhere.exe"?  There is a small chance the firmware for the HDD gets infected to execute the malware.

As for CD, the autoplay sometimes gets tricked into executing the malware.  One of the many things I do when preparing a new system is to turn off all these autoplay/auto-update/autoupgrade/auto-etc.

The autoplay is a much bigger problem with thumb drives, as many have manufacturer software designed to add functionality.  The CD can't autorun if you don't have it set up to do so.   If you burn a blank CD with the files you're saving, the system isn't going to run those files when you pop it back in.    The CD is generally safer in most cases when used like I suggested.

Hard drives are treated differently by the OS, and the OS may well have system-level access.  If the system is infected and you pop a hard drive in, the malware has the ability to write anything it wants to the disk.   It can hide the files and the average user will never know they are there.   It could even create a new partition and hide whatever it wants there.  Again, most people aren't going to see that.  As far as file types go, it's not as simple as looking for exe files.   Obviously anything that is executable is not a good idea.   It's pretty easy to hide executable code in an office document, for example.   It's fairly easy to copy infected files over to a clean drive, and the moment you connect them back to a clean system you're asking for trouble.  No, they aren't typically going to run by themselves.  However, clicking on an infected PDF is going to cause the associated viewer to open, and it will gladly run the code for you without asking.   I personally wouldn't ever copy any Adobe files unless it was absolutely critical and I had no other choice.  In that case, I'd use a clean VM to scan them before I did anything else with them.   Malware infections are tricky to deal with and there is a LOT of bad advice out there.  Most of it goes something like "Run tool XYZ and if it comes back clean you're good to go."   That's pretty bad advice in a lot of cases.   The only surefire way to get rid of it is a clean install.

The card involved is certainly compromised, cancel it.

The machine--it depends on the skill level of whoever attacked it. If they're good the only fix is to pull the drive, reinstall everything to a new drive and then carefully copy **data** and only data--no programs--from the old drive.

Short of doing this I would never do anything like banking on the machine.

drodge said:   WorkerAnt said:   CD burner? that won't hold all my porn. Buy a cheap $15 external drive enclosure and put your drive in there. Much faster to transfer the file.
  Exactly, much faster at moving the malware that's going to infect the drive the moment you plug it in.  Same goes with thumb drives.   The CD lets you control what's being moved and validate before you burn.

I think he means to plug the infected drive into an enclosure that's connected to an uninfected computer.

You weren't recommending that they use a CD burner on the infected computer, were you?

Dilbertic said:   I saw on the news they just busted some guy for getting 120k out of some women, they got a holder of her account and started transfering all the money out, then they asked her for cert checks, the fbi got in on it and asserted the guy when he came to pick them up.  They really need to bust more of these people, all these scams are getting worse

LOL. Between your username and this topic I can't tell if "asserted" was a typo or a new term for catching computer criminals.

Skipping 40 Messages...
marsilies said:   
minidrag said:   
drodge said:   The vast majority of those initial infections come from clicking on links that in turn run JavaScript in the browser. The encryption portion still requires a sandbox escape and privilege escalation to run. Each of those steps is infinitely harder with user-level credentials. It's not a cure-all by any means, but it would still stop a huge percentage of attacks.
  Over the last year or so all of the IT folks I've talked to that have had their systems infected have had users without admin rights.  It's either been an email attachment or a link on a site and the user stupidly clicked away.  Lacking admin rights made no difference at all.  Again, I completely agree that users should never have admin rights, for many reasons.  I've not seen a crypto infection that requires admin rights to run, though.  Every version I've seen has run in the user space, mostly from the User %appdata% folder.

  
A Software Restriction Policy, or now AppLocker, will stop randomly downloaded executables from running, which stops most malware in Windows.

  SRP with whitelisting is the way to go, no doubt about it.  Applocker requires Enterprise versions of the Desktop OS, which most people and SMBs don't have.  Though I guess there's an alternate method for single use on 10, but that won't help with multi PC management in business.  Looks like it might be good for home use though.
https://msdn.microsoft.com/library/windows/hardware/dn920019.asp...
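As an added illustration of the SRP/AppLocker allow-listing the last few posts discuss (example code written for this page, not something any poster or Microsoft supplied): the script inventories the executables already installed under the system directories, generates allow rules from them, and then dry-runs the policy against an executable sitting in the user's %APPDATA% folder, the location minidrag says crypto-malware runs from. The sample file path is a constructed placeholder; an elevated PowerShell with the AppLocker module on a Windows edition that ships AppLocker is assumed.

```powershell
# Added example, not from the thread. Build an AppLocker allow-list from what is
# already installed, then test what it would do to a downloaded executable.
Import-Module AppLocker

# 1. Inventory the EXEs under two locations a standard user cannot write to.
$trusted = Get-AppLockerFileInformation -Directory 'C:\Windows', 'C:\Program Files' `
               -Recurse -FileType Exe

# 2. Generate allow rules: publisher rules where files are signed, path rules
#    otherwise. Once the Exe rule collection is set to Enforce, anything that
#    matches no allow rule is denied by default, which is the "whitelisting"
#    behaviour the posts describe.
$policyXml = Join-Path $env:TEMP 'AppLocker-allowlist.xml'
New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Path `
    -User Everyone -RuleNamePrefix 'AllowInstalled' -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Dry run: what happens to an executable dropped into the user profile?
#    Test-AppLockerPolicy reads the file to evaluate it, so the placeholder
#    below must be replaced with a real file under %APPDATA% when you run this.
$sample = Join-Path $env:APPDATA 'dropper-sample.exe'   # constructed placeholder
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Apply only after the dry run shows installed software allowed and the
#    %APPDATA% sample denied. Enforcement also needs the Application Identity
#    service (AppIDSvc) running; both steps are left commented out on purpose.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc
```

Run the dry run with a few legitimate files from Program Files as well, so a path or publisher rule that is too narrow shows up as a Denied decision before the policy is enforced.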



© 1999-2017