How to secure laptop after a 'hacking'?

[nate80]

Hi guys.  This isn't a topic I ever thought I'd be writing about on a multi rotor forum but, that's life: full of surprises!   

As is probably the case for quite a few of us I'm my parents I.T. manager. I'm no coding/hacker expert but I know more than them about computers and that seems to have made me their tech guru. But the latest issue's left me unsure of the best course of action. My Mum rather foolishly gave someone brief remote access to my parents laptop. Before anyone decides to be too hard on her (!) she knows it was stupid, she can't believe she fell for a scam and she's pretty choked up about it right now. But she's been under immense pressure since my Dad had a stroke just before Christmas and everything's just got too much for her which led to her having a silly moment, like we all can have at various stages of life.

Anyway, an indian scumbag rang her house saying he was from BT and that he was calling because the internet was running slowly and that they needed to check the computer to fix it. As I'm sure you've gathered it wasn't BT. But it just so happens the internet IS running slowly where they are (out in the sticks) and an engineer really has been working on the telegraph pole that serves their community during the past few days. Again, this is pretty silly but, she initially agreed to follow the so called BT technician's instructions and at his request typed some code (which she can't recall) into the command prompt (CMD). She tells me that this allowed him access and he then installed a piece of software called Team Viewer - that I see is a Remote Access software solution. She gave the caller my Dad's name and told him which bank they used to pay BT. She refused to give the scammer anything else.

At that point she asked the caller exactly what he was doing and he was reticent to answer. He then put her onto his so-called supervisor who asked my Mum for her bank account details so that they could provide a refund. Fortunately for her he sounded really dodgy which further roused her suspicions (again, she's had a really hard time lately and she wouldn't normally fall victim to this kind of scam) and she said she wasn't handing over any bank details because if they were BT they'd already have her bank details on file. She then said she was hanging up at which point the scammer said: "If you do your computer will never work again". She hung up.

She rang BT who confirmed it hadn't been them that called her and that she should delete the Team Viewer software from the computer. At the advice of BT she also deleted some other programs (from the Apps list of Windows 10 I guess) which had an icon of a blue crab. One was called 'Card Reader' (so I'm told) and BT thought it sounded dodgy. I think that the blue crab icon programs could possibly have been authentic Realtec audio drivers - and so were safe - and necessary to the correct running of the laptop?

As a graphic designer since the days that Apple machines were the only logical solution (it wasn't that long ago!) I'm primarily a Mac user although I also own and occasionally use a Windows 10 laptop. I have a limited understanding of networks and remote access solutions, but I've never really needed to learn more than what I needed to know to setup my home network etc.

I advised my Mum to turn off her WiFi router and wait for me to come take a look before she does anything else. Thing is, it's a 200 mile round trip for me to visit my parents and I definitely don't want it to be a wasted trip. I'm not entirely sure how far I will need to go with their laptop to ensure it's secure and that there is no way the scammer can access their machine again.

Is there a way I can check to make 100% sure it's safe and that no changes my Mum or the scammer scum made in the Command Prompt will continue to allow the scammer remote access? Or do I have to securely format and reinstall the whole laptop (which is only 4 months old) from scratch in order to make sure it's safe?

Thanks for reading. Advice from those in the know would be greatly appreciated.   

[pheasant_plucker]

personaly i would format and reinstall. Win10 will automatically recognise the hardware and install the registered key.

Gerry

[ched999uk]

Reformatting will be safest but I wonder if you could roll back things with a restore point win10?
Problem is there is no knowing what was installed and what data it could be passing back. It could be a key logger that could send passwords and websites. That might enable the nasty people to do all sorts of horrible things.

Thinking about it I would reinstall even though Mum hung up and didn't get to the end of their evil plan. They could have installed spy-ware and then tried the quick way to get bank account numbers and passwords etc by just asking for the details.

Good luck.

[Gaza07]

Google the make and model of the laptop and lookup factory reset its normaly a number of key presses on bootup and will totaly earase the hard drive and re-install the computer back to what it was the day it was bought 

[Bajadre]

I think that the blue crab icon programs could possibly have been authentic Realtec audio drivers

Yeah matey that's a well known driver for sound cards etc should be fine.

If it was me personally id format the lot just to be safe some Trojans/malware wont be removed with a factory reset or restore point.
if they managed to get your parents to install any software it could be a keylogger which will record inputs on certain sites ie banks,ebay etc

[nate80]

Wow, thanks for all the advice guys!  That was super quick and really helpful.      

Yet more proof that this forum rocks.   

I'll Google the laptops make and model when I get to my folks place tomorrow and perform a factory reset or a full format and system restore.

Their phone's been ringing off the hook for the past couple hours.  A 'technician' keeps calling and won't give up.  The number has a German code but I guess it's just being routed through there from India or wherever.  Hopefully BT will agree to block the nuisance number.

[Cheredanine]

I have had the bit calls the last three days.
I usually play along to a point just to waste their time (I am a Technical Archiect)

Agree with above, reformat and reinstall, you have no idea what they have installed on there, and don't connect to Internet until you have sorted.

If it is easier it may not be uber expensive to take to local pic repair shop or similar, they will probably do it at a small cost

[ched999uk]

Good Luck. Make sure you take an alternative machine in case you have to download some drivers etc and a usb memory stick to transfer files (but be careful what files) and maybe back up photos etc.

[DarrellW]

Unless you do a low level format a boot sector virus would survive, I think that you may be able to do a format followed by
fdisk /mbr but you would also have to delete any partitions that had been created, a popular place to put nasties is on the recovery partition, sneeky!!!

[Fletch]

Wipe it ... and start again!

Might even give a new lease of life!

[Cheredanine]

Unless you do a low level format a boot sector virus would survive, I think that you may be able to do a format followed by
fdisk /mbr but you would also have to delete any partitions that had been created, a popular place to put nasties is on the recovery partition, sneeky!!!

lol I think you are showing your age a bit there mate, boot sector viruses went out about 20 years ago once ntfsdos was developed and you had the ability to clean boot and read from another storage device

Far more likely to be key logger, bot or something to acquire  data

[DarrellW]

Prolly right, there again I don't do Windoze and haven't done for a few years Linux is the way - so that might explain why

[Cheredanine]

Prolly right, there again I don't do Windoze and haven't done for a few years Linux is the way - so that might explain why

All you have to worry about is Mad Cows!

[Bajadre]

Tell them to keep a whistle by the phone they will soon stop calling lol 

[orfordness]

OK first off where is your mum? I've been in IT since leaving the RAF in 95 and I'd be happy to help if she's anywhere in Kent or SE London?

Like others have said a wipe and factory install is the only way. issue will be that any factory install will be to the original OS, ten a install off Windows 10 all o a slow connection? that's a day and a half's work!
I'm also Microsoft certified...PM if you want to talk over your options....you could pre-arm yourself with things like the Win10 files if at home you have faster broadband etc

Steve

[Powernumpty]

If nothing else I'd run Belarc Advisor to recover software keys before you start, read the report and think of anything you need to have to reinstall paid software.

Consider imaging the disk with something like Macrium Reflect or Clonezilla, label it as infected and stick in a dark cupboard then if later you realise you lost critical images or documents you have a backup. Only access that backup with a Live Linux distro after at least a month (let the AV vendors catch up with anything likely to be on there) take care to only recover individual files then scan the hell out of them before letting them near a new install.

[Two-Six]

Actually, I do this for a job.  I know all about these muppets.  Usually they aren't too dangerous, just horribly deceitful and coercive.   Its normally pretty much just one company that does these calls and they are an "official" outfit.  Although they have nothing to do with BT or Microsoft.

These guys usually only want to provide a "Maintenance service" and charge people about £200 per year.  The usual thing they do is install some crappy computer checking software which says it finds lots of things wrong then offers "fixes" for the "problems" it finds. 

They also want to be able to log in via team viewer to provide their "services" and install said crappy softrware.  They probably haven't got that far.  If you don't see it, in this case it isn't installed.  If it was you would certainly see it.  Its very obvious.

The only thing wrong with your laptop is their dodgey software.  Its like the many other "PC Fixer" type malware.  Like "Windows PC Repair", stuff like that, the name changes, its all the same old junk.

It might actually help...maybe....a bit....with something or other.  It usually isn't too terrible, at worse just annoying as it will nag/scare the hell out of the user to pay for a "fix".

Team viewer is used by millions of people and is fine, you could use it to access her PC and ran some scans on it.  I use it a lot, its great and very secure.    They won't be able to access her machine using it, she will need to give the other person who wants to connect remotely the code it produces EVERY time to the other person to allow remote access.

If these guys do anything illegal, its deceive and intimidate people into agreeing to pay them.

It is just possible that other people, not this big company, might take the opportunity when logged into somebodies machine to rummage through their stuff to see if they can find anything like bank details or passwords to use later.  This is very rare. 

I wouldn't worry too much about it, just run a scan with:

Malwarebytes Antimalware
https://downloads.malwarebytes.com/file/mb3/

I also like Trend Micro Housecall
http://housecall.trendmicro.com/uk/

These apps will detect anything harmful.  They are really good, safe to use and it usually they won't miss anything.   There are a couple of other hard-core spyware removers but you won't need them.  Unless Malwarebytes or Housecall finds something and then they cannot remove it.  Then you might need a bigger hammer...

Next time they call, you mum will need to get the home owner, who is obviously down in the wine cellar, which is a LONG way away....Hang on...I will go and get him.....

You really won't need to do a re-install and DO NOT DO A LOW LEVEL FORMAT, it will destroy the recovery partition.  This is BAD.....

I bloody hate these guys, I hear from my customers all the time that get calls from them, I get calls from them too....Which is fun.

[nate80]

I'm 'popping' to the folks place today so will have a better idea of what's gone on then.

Cheers for your offer of help Steve, that's really good of you.     My parents are up in Cambridgeshire so I'll see what I can do for them today/tomorrow and go from there.

Thanks Powernumpty and Two Six.     Cheers for some really good and helpful advice.  I'm looking forward (if that's the right wording!) to checking out the lappy later today and to see what's what.  I'll look at downloading the malware programs.  I feel better prepared with all the advice.

Thank you everyone.   

[orfordness]

Actually, I do this for a job.  I know all about these muppets.  Usually they aren't too dangerous, just horribly deceitful and coercive.   Its normally pretty much just one company that does these calls and they are an "official" outfit.  Although they have nothing to do with BT or Microsoft.

These guys usually only want to provide a "Maintenance service" and charge people about £200 per year.  The usual thing they do is install some crappy computer checking software which says it finds lots of things wrong then offers "fixes" for the "problems" it finds. 

They also want to be able to log in via team viewer to provide their "services" and install said crappy softrware.  They probably haven't got that far.  If you don't see it, in this case it isn't installed.  If it was you would certainly see it.  Its very obvious.

As do I!, unfortunately its moved ona bit since just semi harmfull selling you something you don't need.... the last couple I've dealt with they had actually managed to find enough information and emptied the victims bank account! And one of those scammed was a magistrate!
You'll also be aware then that you can actually setup Teamviewer to allow automatic access with a password, no end user interaction required! as I do for my out-laws!

Going back to the OP the fact that your Mum got suspicious probably means it's probably limited the damage done...

All the Malwarebytes info is good and probably one program actually worth paying for

Check put Sophos who are also now offering a free Antivirus that you can administer remotely.
https://www.sophos.com/lp/sophos-home.aspx
And if you bank with Barclays, free kaspersky antivirus
http://www.barclays.co.uk/Helpsupport/FreeInternetSecuritySoftwarefromKasperskyBarclays/P1242557966961

Steve

[Powernumpty]

The Barclays offer is a good one, if you pay about a tenner it will cover five devices, the free is one or two from memory.

I always hesitate when someone asks this sort of question as often machines were compromised to some level before the Indian call centre ring, there may be more than one problem.
If I have the time I like to scan the machine with various software to try and find out what has been done but rarely will clean something up that has more than a few issues found. It's just a shame it takes so long to install windows these days (with updates) I assume it will be out of actrion for two days, compare that to 20 minutes for a Linux install and full updates.
Got my dad on Linux since his Win8 decided to ignore keyboard and mouse input and he has not looked back (he's too far away for me to nip down there and fight MS).

Stating the obvious -
Just because and antivirus doesn't find something doesn't mean it's clean, it just means that AV at that date does not have the capability to detect anything, tomorrow could be different.
As a rule I tell anyone with an email they are 90% sure is OK but still have a lingering concern "open it tomorrow or next week". The company I work for has public support addresses that gets some nasty scams sent to it, often I'll upload a file that sets alarm bells off in my head to virustotal.com and it comes back as clean but not the next day. Fresh viruses created for us are flattering and annoying.

Teamviewer is excellent but I'm not sure I'd say totally safe without caveats, there was a fairly recent spate of compromises to machines running unattended access and they were quick to blame the users but something else was possibly behind it as so many people with decent passwords saw the connections in the logs.
I use it but don't set it to unattended access unless I really intend to use it daily.

[DerbyshireDrones]

Yeah, by the sounds of it she should be fine, if you go into control panel (not settings as windows 10 likes shuffleing people into) and go to uninstall a program, you can sort it by install date, so anything that was installed recently is listed at the top and what ever you don't recognise can be removed directly from their.

As you say, you have removed team view, its not a virus or anything, but because its free, its scammers first port of call for remote access software.

Realteck drivers (Blue Crab) should be fine, if not they are easy to find, she may have only uninstalled the crappy Realtec Audio Manager.

I don't think reformatting is necessary, install a decent antivirus, i recommend Kaspersky, and certainly don't get Mcafee (i wouldn't wish Mcafee on my worst enemies). Run a scan, it will automatically remove anything that's dodgy.

[nate80]

Just thought I'd give a quick update on the laptop for anyone interested.  When I got to my folks place I had a proper sit-down talk with them to try unravel exactly what had gone on and then I took a good look at the machine whilst the router was turned off.  I couldn't see anything obviously dodgy and running a scan with Norton brought up no issues.  Norton expired the day I arrived, so I removed it and installed Kaspersky using my phone as a temporary hotspot.  Kaspersky found no threats, nor did Malwarebytes or Trend Micro House Call.  I kept running database updates and them full system scans and 0 threats were found.

I checked the apps list by installation date and (apart from Team Viewer that my Mum already deleted) there was nothing installed on the day of the scam phone call other than an update to Mail and Calendar.  An unfortunate coincidence I think.  I couldn't see any evidence of it being a dodgy version remotely installed by the scammers. I also checked the task manager to see what programs were installed and running.  They were all legit and fine.  The data traffic for WiFi was normal too with no large packets of data being sent or received.

The audio had stopped functioning properly (because my Mum had deleted the sound card drivers thinking they could be dodgy) so I downloaded new drivers and got the sound working fine again.  I checked everything I could think of, everything mentioned here, and lots I read about online too and I couldn't see anything odd or dodgy at all.  So after 3 days (today) we decided to use it cautiously with Kaspersky (which is GREAT by the way and so much better than norton) and will keep an eye on things for any suspicious activity.

The auto backup had completed to the external HD after the scammers had been on the phone so I deleted it and reformatted the drive - just to be safe - and created a new backup.  And now everything seems to be a-ok.   

The scammers called back over and over again on the Wednesday Night. I think they hadn't had access long enough to install any dodgy software because my Mum hung up on them before they'd had the opportunity.  I reckon they were trying to gain access again and used threats and fear mongering. They were relentless so I blocked the number.  Since then everything's been quite so fingers crossed that it.

Thanks again for all the advice and guidance.  Me and my folks really appreciate it.   

[Bajadre]

Good to hear nate 

[DarrellW]

Your mum should get max brownie points for disconnecting before any damage was done!!! My experience with incidents like this have been almost catastrophic, that's why I suggested extreme measures!!! The worst incident I've had to deal with is where the HDD had been encrypted, they unfortunately lost a lot of personal info and pictures, it's all too easy when their computer literacy is seriously lacking!!!

[Two-Six]

I knew it would be clean.  Glad it actually was.

I have cleaned up loads of virussed-up computers, its very much my speciality.  I can kill anything and fix pretty much any damage that viruses have done without needing to re-install.  That really is the last resort. 

In fact I have only found one REALLY bad virus and that was working as an SMTP relay sending out THOUSANDS of emails in an hour.  It was so bad the customer's ISP (Demon) demanded that they disconnect it from their network or they would disconnect it for them.

That was a very sneeky clever one, I hit it with everything, Root-Kit scanners the lot and I still couldn't find it. 

Usually most infected computers are infected with lots of different things, some mal-ware just greatly increases getting more evil-ness downloaded and installed..Often the users don't notice until the infections become a real show stopper.  Sometimes all the mal-ware does so much damage that even when they are clean Windows is still broken.

Those drive encryption ransom-ware viruses, they are new. I have never seem one of them yet and wow are they nasty.  They are network aware so they can spread to other machines in your domain or work-group encryption any partitions they find in seconds 

I get lots of spam email with dubious .zip files attached, usually with subjects like "Here is you Bill" "Invoice number 87639 queery" "Your parking fine" Your payslip"....This is apparently how they are spread most commonly. 

Watch out!

[Powernumpty]

It's like returning to a dud firework, most of the time you'll be OK but it's a really good idea to approach it with caution 

[DarrellW]

Drive encryption is a nightmare, my usual Linux live USB stick approach won't work, the only way I could fix it was by physically replacing the HDD.

[Dougal1957]

My Wife Laptop has developed an interesting mind of it's own?

Now it can take upto 10-15 mins just to input the Password in the logon screen it's as if the Mouse has a life of its own and is just flying around etc away from whatever you want to do.

It is one of these relatively cheap HP Convertible W10 machines where you can pull the screen away from the Keyboard part and use as a tablet so wonder if it may be an issue with the touch screen membrane or something.

Anyway it is ready for the Bin and will get her a Macbook i think I know they are very expensive but when you relate them to windows there really is no comparison and before anyone mentions Linux there is now way she could get a grip on it.

If anyone has any ideas to sort out the HP I would love to hear it may save me a grand lol I will even put Team Player on it for someone to have a gander at (from here that is not from some of these so called PC people)

Doug

[ched999uk]

Doug, I assume you have tried un-installing touch pad drivers, reboot and then reinstall?

[DarrellW]

If you have only ever used a PC Linux is no more difficult to get used to than Mac these days, both are different to PC.