Parents' PC Was Accessed Remotely by a Scammer

Hey all,
Looking for some recommendations/advice on checking a PC remotely.

Parents gave a scammer remote access to their PC after navigating to an incorrect Canon printer website, which then called them after accessing the help chat (seems to be a known scam as even Canon have a page about this scam). Scammer flashed something on screen that looked like CMD (have screen grab) and told them their network had been compromised by hack attempts, and they needed to install Network Privacy Shield. During the install they called me and I had them terminate the remote access and uninstall the Network Privacy Shield. The guy who called them tried to convince them to keep going, but didn’t put up too great a fight/get aggressive.

Seems the scam normally plays out that they show a virus on the system once the software is installed, and then hold you ransom for a few $100 to remove it.

I had my folks remove the remote access software, remove the privacy shield, and have reviewed for any other programs or files installed during the interaction and found none.
I’ve also gone through their task manager looking for anything suspicious, and run a full scan via MS Security/Defender.

Any tips on what else I can do to double-check the PC hasn’t been left with some back door access?

The fact the scammer brought up something suss on CMD (although it could have been a still image tbh) and the fact he didn’t fight harder to get them to stay around concerns me.
They don’t have their banking details saved on the PC, which is something.

Comments

  • +36

    Wipe it, could have downloaded a key logger or anything while they had access.. to be safe

  • +2

    advice on checking a PC remotely.

    Risky, if they have downloaded a virus or malware, accessing their computer remotely could end up with your computer being infected also.

    Format their computer and start again restoring important data from their backup - they do have a backup?

  • +1

    NEVER EVER rely on just one AV product after something occurs. Check out the top, say, 3 AV companies and grab their trial/free versions and run them. If after the 3 you get no hits then go to the next level and check out the top 3 malware companies and install them (there may be an overlap).

    The next thing is to ensure that Windows is up to date.
    Then use SUMo (https://www.kcsoftwares.com/?sumo) and check that all of the apps are up to date.

    Did you do the following:
    1) Use the latest CCleaner slim to check what apps are in startup as follows, if not do it:
       - Windows
       - Scheduled tasks
       - Windows services
    2) Use the latest CCleaner to check for suspect registry entries? If not do it.

    If this is too much then reinstall.

    • +2

      Will any AV detect that someone installed TeamViewer, ngrok+RDP?

      • +1

        You know the answer for these dev/support apps.

  • +2

    Rebuild the OS…

    The end…

    Or better still - good excuse for a new PC?
    I hear there is a site called OzB with a heap of 'propeller heads' that would be happy to help you spend your money! :)

    • +3

      Don't throw the baby out with the bathwater.
      Maybe add an SSD if it doesn't already have one and install Windows on that.
      Otherwise a fresh Windows re-installation on existing hardware will do.

  • +7

    Unless 100% sure of what they may have accessed, probably best to reset most/all passwords - especially banking, browser (Google).
    Backup PC - files, photos, etc.
    Rebuild.

  • +11

    Disconnect it from the internet, format the machine

  • +4

    You can spend a lot of time debugging the system but it's often easier to just re-image the system with a fresh install of Windows.

    And by fresh, I mean completely nuking the drive (but backup first) and rebuilding the OS, not using the "Reset this PC" feature. That may not get rid of the backdoor entirely.

    Extra thing to note: Some scammers may install ransomware that encrypts your data at a future date, so it's a good idea to make sure you have multiple copies of important data. That could either be offsite backup or on cloud backup such as OneDrive or Google Drive.

  • +1

    Format and reinstall Windows.

  • +1

    I think they try to blank out your screen; they then check your typical folders/files as well as Chrome/Firefox for typical password locations.

    There's a few YouTubers who call the number to troll the scammers; you might find a few will go through a similar process as your parents so you know what to check?

    https://www.youtube.com/c/JimBrowning/videos
    https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw

  • +4

    While you can write malware to persist through wiping a drive and reinstalling the OS, the only solution for that is to toss everything out.

    Given you are dealing with a tech support scammer and not some spooks: wipe the drive and reinstall the OS (formatting is not enough). Far better idea than running AV.

    Then change your password on important sites, and check them for any additional access, e.g. OAuth, email forwarders. To do that with Google: https://myaccount.google.com/intro/security-checkup?hl=en-US

    Why change passwords? Most sites will invalidate cookie-based (and some all other) sessions when a password is changed, effectively logging out any cookies that were stolen or other sessions the attacker created.

    What do I mean by wipe vs format?
    https://dban.org/ is a tool (free, open source) that will write over the entire drive (minus any parts that are corrupted). The aim of this tool for virus removal is not to delete everything but to destroy places a format will not delete, e.g. MBR/GPT.

    • DBAN looks like zeroing the drive with SeaTools or WD tools, but doesn't a full format (not quick, which is what you do when you straight up reinstall Windows) do that too anyway?

      • A "full format" when you install Windows does the same thing as a quick format but then scans the disk for errors.

        I'm sure some software refers to wiping the disk as "full format", but why bother trying to figure out what the software is doing, just do it properly with DBAN etc. and relax.

        The other issue is that Windows 7 and lower (unsure about later versions) would read the disk and load files off it before install, so malware could persist through reinstalls using that method. HAL.dll is one of them.

        Screenshots of Windows 11's reinstall feature show "clean the drive", but again suffer from the fact you are using the infected system to disinfect it.

        Your HDD/SSD manufacturer will likely have software that can erase or issue ATA Secure Erase commands.

        DBAN looks like zeroing the drive with SeaTools or WD tools

        These are good tools too.

        • So if you're buying second hand drives, best to zero with DBAN or SeaTools or WD tools and then install Windows? Or just buy brand new drives which are obviously fresh and clean?

  • +1

    I'd agree with the others on wiping the computer (reinstall Windows). Make sure you back up your files though without being connected to the internet.

  • +6

    Nuke it from orbit, it's the only way to be sure.

    Seriously, reinstall Windows. If you can, to a brand new drive; that way you can keep the files without having to worry about them.

  • Rebuild PC, change all passwords including bank etc., and do it straight away.

  • -2

    Just disconnect the internet, don't need to reformat. If you do, install Linux and confuse the scammer to the max.

    • I had a scammer call where I worked, and he claimed he was from Microsoft, calling about an infection on my machine.
      I played along for a bit; he gave me instructions like "press the Windows key and R at the same time" and I said "I can't find the Windows key". He then switched to opening the Start menu, which I said I didn't know where it was.
      He, of course, said it was at the bottom left. I then revealed I was using a Mac and told him to do you-know-what.

      Not that Macs don't get viruses, just that Microsoft doesn't call you if you have one.

  • Previous to NT-based systems there were viruses that persisted in memory and would re-infect an installation; that was remedied by designing a clear-the-random-memory action upon shutdown. During 2002 and for a few years after, Windows 2000 and XP suffered from HDD BIOS rootkits; this is no longer possible due to hardware changes. Also during this time some viruses started to brick mobos by flashing the BIOS; this can no longer happen due to hardware and BIOS changes. For malware to persist now it's commonly written to UEFI … so perhaps those recommending a new system are correct. Using a restore point from before the situation may fix your problem if the UEFI is clean; it would be recommended to flash the UEFI/BIOS.

    Look up Linux Lite, it's similar to WinXP and has a lot of out of the box options to make it easy for Windows users, it's also an Aus distro.

    • There are all of two confirmed UEFI persistent virus families, both require physical access to the machine.
      And the greatest thing is, UEFI viruses would work on Linux distros. If you have physical access to the machine you can do almost anything.
      Restoring from a restore point might do jack shit if the virus has a replicator in the right spot, even if the UEFI is clean.
      Boot using a pre-loader AV, verify that anything recent is legit, keep your AV up to date.

      Tell your parents to never download anything without you calling them.

      • both require physical access to the machine

        Well you can write to DSDT via X or some shitty drivers allow ioctls from userspace to write to it. You don't need physical access to persist in either BIOS or UEFI.

        keep your AV up to date.

        AV is shit.

        Tell your parents to never download anything without you calling them.

        Configure AppLocker and Chrome policy and prepare for them to be upset if you want to do that.

  • +1

    Reformatting is definitely the best option and I would say do that.

    If you decide against that at least grab something like Malwarebytes and get a second opinion on that virus scan. I wouldn't feel fully comfortable with that though TBH.

  • +1

    Would doing a roll back to the last restore point be an option rather than a fresh install?

  • +1

    Install a virus scanner like Norton and scan PC.
    Install a malware scanner like Malwarebytes (free for personal use) and scan PC.
    Run updates.

  • Thanks all, I floated the idea of a reformat and didn’t get much buy-in, I’ll see if I can convince them to get a new machine (am pretty sure a 3080 system would do it hehe) but take as many of the recommendations that you’ve made on board.
    Appreciate all the comments, was thinking someone would surely offer to access their PC remotely to check their bank :)

    • -1

      The key here is to look to see if there is a boot loader installed.
      Most AV systems, including Avast and Kaspersky, have a way of boot loading and checking everything before the OS is even deployed.
      Use that.
      The only other thing is to see if new drivers were installed via event logger or device manager, do it in safe mode.

      Wiping everything is just stupid, but manually check in the temp files to see what was added recently after the scan.
      UEFI viruses are theoretical from the OS, and are only contingent on hardware access, in a practical sense.
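The checks the commenters describe (startup entries, scheduled tasks and services in the earlier CCleaner comment; recently installed programs, service/installer events and recently added temp files in the comment above) gathered into one triage script. This is an added example, not code from the thread or from any tool it mentions; it assumes an elevated Windows PowerShell 5.1 session and a constructed `$Since` cut-off of two days ago, which should be set to just before the scam call.

```powershell
# Added triage example (not from the thread): list what a remote session could have left behind.
# Assumes an elevated Windows PowerShell 5.1 session. $Since is a constructed cut-off;
# set it to just before the scammer was given access.
$Since = (Get-Date).AddDays(-2)
function Get-RecentInstalls {
    # Add/Remove Programs entries registered since $Since (InstallDate is yyyyMMdd text)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -ge $Since.ToString('yyyyMMdd') } |
        Select-Object DisplayName, InstallDate, InstallLocation
}
function Get-AutoStarts {
    # Run/RunOnce keys and Startup folders: where a tool would relaunch on every boot
    $runKeys = 'HKLM', 'HKCU' | ForEach-Object {
        "$($_):\Software\Microsoft\Windows\CurrentVersion\Run"; "$($_):\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
    foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
        $values = Get-ItemProperty $k
        foreach ($name in (Get-Item $k).Property) {
            [pscustomobject]@{ Source = $k; Name = $name; Command = $values.$name }
        }
    }
    Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName } }
}
function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree, with the command each one runs
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}
function Get-InstallEvents {
    # System 7045 = Service Control Manager "a service was installed"; Application 11707 = MsiInstaller "installation completed"
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707; StartTime = $Since } -ErrorAction SilentlyContinue
}
function Get-RecentFiles {
    # Files created since $Since in the temp and profile locations a remote session would write to
    Get-ChildItem $env:TEMP, "$env:WINDIR\Temp", $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } | Sort-Object CreationTime -Descending |
        Select-Object CreationTime, FullName
}
Get-RecentInstalls | Format-Table -AutoSize; Get-AutoStarts | Format-Table -AutoSize
Get-NonMicrosoftTasks | Format-Table -AutoSize; Get-RecentFiles | Format-Table -AutoSize
Get-InstallEvents | Format-List TimeCreated, Message
```

Because it inspects the possibly compromised system from within, it has the limitation several commenters raise and can miss a rootkit; treat what it lists as leads to follow up, not as a clean bill of health.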

    • The amount of work needed to back up, install Windows and restore their data will be trivial compared to losing money from their bank account and/or headache from identity theft. It's not difficult for a "dumb" scammer to run a sophisticated rootkit. If your parents are confident that they know what the scammer did and the operating system does not have any infection, then go right ahead and keep using it as it is...
