Dad just called and said he had been speaking for half an hour with a man with an Indian accent who claimed he was from “Windows” and that Dad’s computer had a lot of problems that he could fix.
Fortunately, Dad didn’t give him a credit card or anything, but he had given the scammer remote access to his computer somehow. I immediately checked the computer remotely with TeamViewer, looked in the Control Panel and didn’t see any new software installed, or any obviously suspicious entries in Startup or running processes. But I assume that clever malware wouldn’t show up in such obvious places.
I started running a full scan with Anti-Malware, and had him shut off the DSL modem while it ran. It’s running now.
What is the standard procedure with these sorts of scammers? Are they only trying to get the mark to pay for useless software “fixes”? If dad didn’t give them money, is that the end of it?
Or would they have installed some malware to search for CC numbers or other useful info, or to turn the machine into a bot, or wipe the hard drive?
All these things are possible, of course, but what is the most likely, and what can I do to find signs and fix them? Unfortunately, he’s in Maryland and I’m in Nevada, so I can only work via TeamViewer.
I’d also welcome links to more info about this sort of problem.
How far do you live? Because the safest course would be to wipe the hard drive and reinstall Windows and his applications. (Or if you’re really paranoid, replace the hard drive.)
Was there any credit card information, or any kind of personal information on the hard drive that could be used to take over or create accounts in his name?
Before wiping, go through his system and see what personal information it contains. If there’s enough to fill out a credit card application in his name, take out a bank account or anything else of that nature, you may have to make some phone calls.
Computer guy who gets this call several times a week.
The VAST majority of these guys are basically just looking to run a CC#; they are not handing out viruses, but given half a second, plenty of them are not beyond sabotaging a machine by shutting off things like network services so at next reboot the machine will not get online anymore.
They are assholes, but in many ways, the guys making the initial contact are little more tech savvy than their victims. They have been given a script and a bunch of canned answers. They often hand off to a “technician” who generally is more Windows-fluent and can do real damage if you jerk them around.
There is a lovely YouTube video of a Malwarebytes programmer getting one of these calls.
Warning: he did this with a virtual machine. Do not try to play this game at home with them unless you know exactly what you are doing.
Go through tens of thousands of files? Of course there’s enough information, there would be on anyone’s computer.
As I have already made clear, wiping the system myself is not an option, and Dad doesn’t have the technical skill to do it. What I’m looking for at this point is ways to check if there is some malware loaded.
Anti-Malware discovered something called PUP.Optional.InstallCore.A, but that doesn’t appear to be particularly dangerous.
What’s bothering me now is that I can’t get into his machine with TeamViewer. I was in for a while, then the connection dropped, and now I can’t get back in.
You should probably assume the worst. A custom root kit or boot sector virus has been installed and it will be extremely difficult to remove. There’s no way to tell what exactly he did. Even if a virus scanner comes back clean, you can’t assume it’s clean. You can’t trust the virus scanner because he may have installed a virus which is not in the virus database. The virus scanner may not catch it.
The best thing to do is install a new drive and reinstall. Use the old drive as a backup. You can copy off the files you need like pictures and stuff, but don’t pull off any of the programs.
You can clean the tainted drive. It would need to be a complete wipe including the boot sector. It’s not hard to do, but you’ll have to figure out someplace to backup any important files since you’ll lose everything.
The issue probably isn’t any added malware. Rather it’s probably what have they gotten off the computer already? I recommend that he submit a police report. Report the issue to his bank(s). Have new credit and debit cards created. Also watch his credit card and bank statements like a hawk for at least a year. Oh! Do the same thing with his credit reports monthly.
You want to nip identity theft in the bud.
If they had control of that computer for a half hour, there’s a lot of stuff that they could have downloaded such as Outlook PST files and Word docs.
Something else that wouldn’t hurt (but might not help) is changing your IP address. In the simplest case, this just involves a modem/router reset but might require contacting the ISP and asking them if they can do it on their end.
Are all you people speaking from personal experience with this type of thing, or are you just suggesting how to handle the worst case scenario? Because, as I keep saying, wiping and reinstalling the OS and all the programs (a laborious and time consuming project in the best of circumstances) is not an immediate option. And I’m not sure it’s worth the trouble to suggest to Dad that he contact all his banks and credit card companies just because there’s a possibility his info was compromised.
I’m aware of all the paranoid possibilities, but what I’m looking for is evidence for a reason to be paranoid. How can I find signs that they have installed malware (that Anti-Malware and MSE haven’t detected) or somehow obtained access to files that might have the information needed to set up phony accounts in his name.
It’s all very well to say “wipe the hard disk” when you’re not the one who would have to travel 2,500 miles and spend a couple days doing it. Put yourself in my place and offer me ideas that can eliminate the need to do so.
Do you know that scammers do this kind of thing or are you just assuming that they could? Can you think of any way we could tell?
This is probably a good idea, and not too difficult.
I know that scammers can do this type of thing. There is no way to know for sure if they did it or not to your dad’s computer. Even a computer security expert would have a hard time saying for sure.
Chances are, your dad’s computer is fine. However, how much risk are you willing to take? If they installed a keylogger and he logs into his bank, they would have his account info.
If you’re not too worried, then just run antivirus, malware check, and boot virus scan. If they come back clean, he’s probably okay. But he should closely monitor his accounts to make sure there is no suspicious activity.
The only way to be 100% sure is to reinstall. But you can probably be 95% sure if the scans come back clean.
IMO I wouldn’t be too paranoid about viruses & root kits just yet. Or identity theft either (though keeping an eye on your dad’s credit card & bank statements for a while is not a bad idea). I recently had a particularly virulent piece of malware on my mom’s PC and what finally got rid of it was booting with a Windows Defender Offline CD. This works pretty well because you never boot from the hard drive so nothing on it can load and none of its files will be in use, so the small OS that the bootable CD-ROM loads into memory can access, scan, and clean it (though this will take several hours).
It’s not even that difficult to create the repair CD; your dad could probably do it with just you talking him through it on the phone (without you having to actually see his screen). You just download the right install file (32 or 64 bit), put in a CD-R and follow the instructions. However, you shouldn’t create the disc on the PC you want to scan. So unless your dad has access to another PC this may be a problem. You could just go ahead and try it anyway.
Or you could create the disc on your PC for him (make sure you know whether he has the 32 or 64 bit version of Windows) and then FedEx the CD to him!
Just keep in mind, as others said, they could download anything: all his “My Documents”, his email database, etc.
If he told the browser to store his passwords, I don’t know how easy it is for them to download and attack this storage, but I would not be surprised. He should change any critical passwords relating to money: bank, PayPal, Apple store, etc.
His familiar email correspondents should be notified to watch out for the old scam along the lines “Hey, Joe, I’m stuck in Omaha and the car broke down and my credit cards were stolen, can you wire me some money?” After all, they have all his email for the last how many years? Learn a lot if he’s the chatty type, for the purposes of impersonation.
Download and run programs like Malwarebytes, Trend HouseCall, etc., and do full scans. Often one picks up something the others don’t.
Reset DSL modem/router (depending on setup) to factory defaults, change password, in case they managed to get into that too. Or you can look at the port forwarding settings to make sure there is nothing allowing incoming connections.
Go to ammyy.com if you don’t know about it, and you can be Bombay support of the month and do all this for your dad remotely if he’s not up on how to do it all.
How about hiring somebody to go to your dad’s house and help him?
(I’m assuming the father is elderly and doesn’t drive or can’t carry a PC to a repair shop.)
I know that there exist computer technicians who make house calls.
You don’t need a genius; any kid who works at a computer store can hook up an external disc and make a backup of everything not in the Windows folder. Your father can tell the technician where he keeps his data and pictures and stuff. Then erase and re-install. And then get on the phone to the help line of his ISP and help Dad get re-connected to the internet.
Pay somebody for 4 or 5 hours of work…and you’ll be able to sleep easier.
Thank you SDMB. I just got a call from someone who wanted to help me with my computer system. I went along for a while, but when it got to the point of the caller telling me to go to the TeamViewer site, I hung up. Then I had to tell him to go away twice before he stopped calling back.
Can someone clarify: TeamViewer allows someone else to access my computer remotely?