Is my computer vulnerable if I don't have a browser open?

I was scammed a few weeks ago on my computer. I answered an email that contained a number that I called and it was downhill from there. (Please - I know! I know! Consider how stupid and ashamed I feel). But my question is this: I reinstalled Windows, thinking that if there was a vulnerability that was implanted in the OS, it would be removed and the new Windows would be free of that malware. But if I have the computer on but I don’t have a browser open and I’m not actively connected to the web, am I still vulnerable? I’ve run iobit’s Advanced System Care to check for viruses, etc. But, of course, I’m still freaked by 1) my stupidity and 2) concern that while the computer just sits here, “securely” connected to our wifi, someone can commandeer the thing again. Should I just turn it off every time I’m away from the desk?

What did you or the scammer do on the computer? Do you have Windows Remote Desktop Connection and was that used?

If it’s vulnerable when you’re not using it (i.e. turned on, but browser closed etc.) then it’s also vulnerable when you ARE using it. So, while turning it off when not in use would indeed prevent new infections then, the next time you use it, it’s vulnerable all over again.

As far as reinstalling Windows: I’m not an expert by any means; you’ll want to make sure that there are no rootkits that can survive that (I genuinely do not know). We once had some kind of rootkit hit our home computer - from something my daughter was doing on the web. Antivirus software would clean up the crap the rootkit downloaded… but it would come right back. I think I worked with someone at Malwarebytes to get things cleaned out. Luckily, her computer user did not have admin capability, which limited the damage; it was rather disconcerting to see popups saying “Scam2875CBdh48 dot exe needs admin permission to run, please enter admin password”.

Anyway: make sure you have antivirus / firewall protection on your computer, and make sure your router has some kind of firewall protection (pretty sure most do) to prevent incoming attempts. That should reduce the risk of your computer being taken over remotely if you haven’t done anything to allow it - meaning, if you haven’t inadvertently gone to a dodgy website, downloaded something regrettable, etc.

But yeah, if the computer is on, and connected to the router, and you don’t have firewalls in place, a bad actor could in theory find a way to compromise it. I do not know how common that is (my WAG is that the “did something regrettable” approach is more common, but don’t quote me on that).

In the vast, vast majority of cases, a full wipe and then reinstallation of Windows would be enough to get rid of any malware. Anything less is dependent on what they did.

There is malware that can persist through a drive wipe, but it is extremely unlikely to be used in this sort of situation.

If you did not do a wipe when (or before) you reinstalled Windows, then there is more potential for issues. And, yes, if you are still compromised, they don’t need a browser to be open to do anything.

But if you are clean, then you are indeed as safe as you would be if you were using the computer. You are better off securing the computer than hoping turning it off will help.

The OP said that they called a phone number in a scam email. They did not mention any malware hijacking their computer. Why do they need to take the drastic actions being discussed in this thread?

To the OP: Try not to beat yourself up too much. Anybody can make a mistake.

It is going to depend on the details. Here are some what-ifs:

You received an email with a phone number. If you called the number and gave them information about your credit card, bank account, social security, etc. then this scam had nothing to do with vulnerabilities on your computer. It was just a spam/scam/phishing email that exploited a human vulnerability.

If you called the number and were instructed to install remote control software on your computer (go to a website, download the software, click “install anyway”, etc.), then that gave them control of your computer. They probably had control whether a browser was running or not, because their remote control software was always running in the background.

If you completely wiped the computer, and reinstalled the OS, then that probably got rid of the remote control software. Assuming the malware was wiped out, keeping your browser open or closed will make no difference with regard to this malware.

If you did not completely wipe your computer, but just reinstalled the OS, then there is a very good chance the malware was migrated over or automatically reinstalled. In that case your computer is vulnerable whether you are running a browser or not.

The way having a browser open can make you more vulnerable to other exploits is that the browser is constantly reaching out to other places on the Internet, downloading things, and then doing something with them. Almost always what it does is display them for you to read. Sometimes there may be vulnerabilities in the browser that allow something downloaded to be silently installed, or to trick you into installing it by hand.

My advice is run a currently maintained OS (Windows 10 or 11, MacOS 12, 13, or 14) with the most recent version of your preferred browser with an ad blocker. On top of that, you can run a reputable virus/malware blocker. The built-in one on Windows is probably fine.

None of that will protect against you deliberately installing malware, because you’ve been tricked into doing it.

The implication I got out of it was that the “downhill from there” included them following some directions that gave the callers access to their computer. It did not occur to me that the OP would have asked if they had not.

But you are right. Sometimes the scam has nothing to do with actually accessing the computer, and, in that case, they would be fine. And if they never followed the directions, they would also be fine.

Hard to confess all the dumb things I did, and while I didn’t give them any information, I did give them access to remote control my computer. When I reinstalled Win 10, however, I did not do a complete wipe, but kept my files. I thought that if the OS was corrupted that reinstalling it would eliminate the problem. So - how do I clean this up?

Another thing to remember is IoT, Internet of Things. While theoretically most devices in your house - Ring Doorbell, Nest Thermostat, security cameras, etc. are fairly impervious to hacks, there is the possibility that anyone who had control of the PC could discover the passwords to those and use that to obtain control or manipulate those.

Your router is essentially a firewall. Packets arriving unsolicited at the router are lost in space; they don’t know where to go beyond that unless your router has port-forwarding instructions. (By default, most don’t.)

However, when you go out on the internet - browse, check email, etc. - then you start the conversation and the outside replies, which the router forwards back to the device that started the conversation - i.e. your PC - your browser or email program. Devices like Ring are accessible from the outside because they have a conversation going with the main server for the device (i.e. Google for Nest). If a hacker can insinuate himself into that conversation, they might be able to use the device to access the rest of your network. Highly unlikely, but apparently some devices with some versions of software have such vulnerabilities. (And like most such install-and-forget devices, they rarely get software updates.)

Be aware of what other devices you have on your network, particularly those - like security cameras - that you can access from outside, and if you do get hacked, at least change the passwords that allow you to access those devices.

And verify any port-forwarding on your router is valid.
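The router behaviour described in the post above, as an added example that is not part of the original thread: a simplified model of how a home router decides whether an incoming packet reaches a device on the LAN. The `HomeRouter` class, its method names and every address and port are constructed for illustration; real routers track more state than this.

```python
# Added illustration: simplified model of a home NAT router (not real router firmware).
from dataclasses import dataclass, field

@dataclass
class HomeRouter:
    port_forwards: dict = field(default_factory=dict)  # public port -> (LAN ip, port)
    conntrack: dict = field(default_factory=dict)      # conversations started from inside
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN device starts a conversation; remember it so replies can return."""
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN destination for an Internet packet, or None if dropped."""
        key = (public_port, remote_ip, remote_port)
        if key in self.conntrack:                # reply to a conversation we started
            return self.conntrack[key]
        return self.port_forwards.get(public_port)  # explicit rule, else None (dropped)

    def unexpected_forwards(self, expected_ports):
        """Port-forward rules the owner does not recognise and should review."""
        return sorted(p for p in self.port_forwards if p not in expected_ports)

def demo():
    # Constructed sample data; addresses come from documentation ranges.
    pc, camera = "192.168.1.10", "192.168.1.50"
    router = HomeRouter(port_forwards={8443: (camera, 443), 3389: (pc, 3389)})
    web_port = router.outbound(pc, 51000, "198.51.100.7", 443)  # browser request
    bg_port = router.outbound(pc, 51001, "203.0.113.9", 443)    # background program dialing out
    return {
        "unsolicited": router.inbound("203.0.113.66", 4444, 40500),
        "web_reply": router.inbound("198.51.100.7", 443, web_port),
        "background_reply": router.inbound("203.0.113.9", 443, bg_port),
        "wrong_sender": router.inbound("203.0.113.66", 443, web_port),
        "forwarded": router.inbound("203.0.113.66", 5555, 8443),
        "review": router.unexpected_forwards(expected_ports={8443}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} -> {result}")
```

The `background_reply` result shows why the router's firewall does not help once a program on the PC starts the conversation itself, and `review` lists the forwarding rule the owner would need to check.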

If it was the OS that was corrupted, then reinstalling would have been likely to fix it. Problem is that the OS probably was not corrupted, it was just running a program that did undesirable things. As long as that bad program remains, the OS will run it. Sometimes those programs are simple, and depend completely on you following the instructions to run it, and do nothing more. Sometimes they are devious and use lots of tricks to make sure they stay installed and running.

My best advice is to download the free version of Malwarebytes and run that. Also run the built-in Windows Defender on a deep scan. If those find anything, then follow the instructions to clean up. If they do not find anything, then you might be safe. Other people might have suggestions of other good scanners.

Be sure to change any passwords for sites you accessed while the computer was remotely controlled. Probably best to use your phone or some other known-clean device to change the passwords.

Personally, I’d do what you were told above with the malware scans, but then also back up all your files, do an additional scan to make sure they are clean, and then do a full reinstall from scratch. Then you can bring your files back.

I’m not a security expert, but

  1. echo the above about scanning with Malwarebytes or other tools
  2. download the Microsoft MSRT and run this malware removal tool
     • note when you download this executable file, you may get a warning that it could be harmful. It’s from msft and the msft website, so it is legit and you should run the “full scan”.
       Note: download this tool each time you want to scan so you have the up to date version
  3. Do a factory reset of your PC with the “remove everything” option. This nukes everything except for the original factory image, all the drivers for your PC, all the PC mfg files. Then check for updates and install everything so your pc is on the most recent everything from msft. The directions are for Windows 10 but 99% sure it’s the same for Windows 11.
  4. reload all your scanned files

Indeed even if you have no issues on your computer, it does not hurt to do those scans every so often just for safety and peace of mind.

In that case you definitely need to take some action. There are a lot of good suggestions in this thread. Take your pick.

Again, try not to beat yourself up.

Most likely the first thing they did was plant a surreptitious remote access capability. I presume AV scans will find those unless the person was excessively technical. (I tend to think the superhackers are not going after random members of the public.) However, to be sure, as mentioned the safest thing is to do the complete wipe and reinstall, check for rootkits.

That doesn’t seem like a trustworthy solution.

https://www.reddit.com/r/techsupport/comments/369myy/iobit_it_really_is_a_scam_right/

I’d only reload the ones I understood. That is, I’d reload the photos and music and spreadsheets and text documents. I’d get new clean copies of the applications I want. (If you bought something, like Windows office, you can probably download a fresh copy from the vendor without paying again.)

I re-reinstalled Windows, following the advice of several helpful posts, and this time, I did a complete wipe. Prior to my doing that, however, I moved all my files, desktop folders, and pictures to Google Drive, i.e. the cloud. I’ve downloaded Chrome and set it as my default browser, I’ve downloaded Malwarebytes and run a scan, and I don’t know if there’s anything else I can do to assuage my residual fear that I am still likely to get some kind of breach. I appreciate the guidance from the Dopers here and hope that my doubts and concerns will diminish sufficiently over time such that I can sleep better. Thanks. SDMB - fighting ignorance, for sure!!!