Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?
New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Starting some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy water or aqua regia and cut the internet cable. I am heading over to his place later and wonder what measures I should take."
Bow your head and type "Format C:" Amen.
Same as for any other compromised machine.
What operating system? Also check what programs were run...and prepare for worst case: Reinstall.
Format it and start over..how is this news?
What else were you expecting?
Install a VM with a godawfully infected version of Windows 98 on it and turn them loose on it... for the lulz.
I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.
This is why you have backups. Reinstall the OS, restore your backups and do not give him an administrator account this time.
Get him to change all of his passwords, especially banking passwords. Preferably from a network that hasn't seen the computer in question (and of course not on that machine). You know that they've executed foreign code, you have to assume that the machine is pretty much forever compromised.
Then don't forget eau de kathy lee...
Back up all the data and then re-install the OS from scratch. Before restoring the data, do a thorough threat scan on it, to make sure there are no nasties lurking in there. If the machine has been rooted, then you simply can't guarantee that anything else you do to clean it up will get rid of all threats. Hope that helps! (I missed a chance there to evangelise on Linux!)
In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.
It's the only way to be sure.
Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.
Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.
I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.
Disconnect the PC from the internet, so it's only useful for Word/Excel and maybe Turbotax.
Get him an iPad for day-to-day web surfing.
Unless he's a real gamer or his bank is from the 19th century, this should solve most of his problems.
After booting a Linux live CD, your choice of cleaning, reformatting or installing Linux. Within the Live CD session, there may exist rudimentary tools to scan for malware, but mostly you'll be able to mount the old disk and rescue data off to a USB key or disk. Once your data has been rescued, make a full reformat/reinstall of your choice of OS.
This is what you need to do:
dd if=/dev/zero of=/dev/sda bs=4096
I find writing in 4KiB chunks performs slightly better than the default 512 bytes.
Or:
shred -z /dev/sda
Or:
Download and burn DBAN then type AUTONUKE at the prompt.
If there is any data that is hard to lose, you may wish to back it up. You may consider it all as suspect, however.
Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy gotomeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.
So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.
Is there a reason your father MUST be on Windows? Is he primarily browsing and using office productivity applications? If he does not have specific requirements (such as gaming, high-end graphics/video production, etc.) then he should not be running Windows to begin with.
Get thee to Linux Mint, good sir, and do have that son to father talk regardless. Giving out personal info to strangers is insane.
Computer related items would be better served if we had more info, so here's a few suggestions otherwise. Have your dad (or you) monitor his credit reports to keep an eye out for new accounts that open and charges to his credit card/bank accounts/etcetera. If you feel that something might have been opened against his will, make sure he gets his credit frozen (How to) and closes the affected account if there is one. I've never taken stock in monitoring services personally, but this may not be a bad situation to hire one.
Also watch his mail for anything that looks suspicious, such as credit card informationals. The worst thing that can happen is somebody running up a criminal record using his info. It's not common and somewhat hard to pull off, but it could be painful.
The Consumerist (linked above) also has tons of other info you can use about this stuff.
For those who seek perfection there can be no rest on this side of the grave.
Don't quit your day job, Cicero.
Do you think your father could do everything he needs by using desktop Linux? If so, you could consider switching him to Ubuntu or some other distro. This could be a good turning point as you need to wipe the machine anyway.
Failing that, you need to treat the entire system as compromised, because it probably is. Do the following:
Bring a Linux live CD and an external hard drive. Boot ONLY into Linux, copy necessary files (documents, photos) over to the external hard drive.
Wipe the computer and reinstall everything from scratch. EVERYTHING. DBAN is your friend here. In fact, if he needs a bigger hard drive anyways, do that - just get a completely new hard drive.
Restore his data files from the backup you just made.
Yes, it's a pain, but at this point the system could contain something that anything short of this wouldn't clear out. (In fact, it's *possible* for malware to make it through even that, but AFAIK those are still just research demos, not in the wild).
Boot From System Recovery Disk
Backup data files to DVD
Reinstall BIOS
NUKE MBR
Zero the hard drive
Reinstall everything.
-or-
Boot From System Recovery Disk
Backup data files to DVD
Zero Hard Drive
Put Computer in Trash
One could think that hiring another father is a bit overkill solution...
I have to deal with this from time to time, and working in a security organization has taught me to NEVER trust a system after a compromise of ANY kind.
Think you can just run the already installed antivirus on all files and catch it? Unfortunately, no. Malware can hook into the antivirus itself. I found this out the hard way (in particular, during an exercise with some DoD participants. They did that the first day and were just toying with us at that point. Imagine someone who actually cares about getting your private data).
It can also affect the boot-loader, which means if it hooked into files an antivirus can scan, it will still load into memory at OS start-up.
Run an up-to-date anti-virus scan on the drive from an independent source, such as hooking it into another machine (with that machine set to scan all drives before mounting them).
Malware can attach itself to media files, word files, etc. If those check out by an independent scan, back them up to a disk.
Then, wipe the old drive and re-install the OS (if it's Windows 7 and a machine with no disc, you can download the ISOs online as they are from Microsoft. You'll still need the product key which should be on the side of the machine).
Hope this helps ya.
What many of these scammers do is surf the hard drive for login information for financial institutions, bank and credit card numbers, and anything else they can get to commit financial fraud.
Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.
And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.
File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.
It sucks but it's up to the victim to clear their name as best as they can.
The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.
The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their license plate scanned by a cop, pulled over and taken to jail.
Have fun with that.
Why do people think that?
Because many, many, many organizations treat it exactly like it's a password. You are very right that it should NEVER be treated as an authenticator. You are very wrong that it ISN'T treated as exactly that.
2. Have him save all his data to a cloud service.
3. As for the data on the hard drive, consider it all suspect. Only read it on a readonly environment such as Knoppix or other live Linux CD. I'm sure there are online virus scanners out there (Panda was one I used a couple times several years ago - are they still going?) that can be used to scan individual files, which can then be moved to flash or online storage.
4. Microsoft Windows should be considered a niche platform.
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline Download it on another machine, boot with it and clean up the mess. I will recommend installing the free Microsoft Security Essentials, and avoid using administrative login. Also not using any browser plugins will help as well.
Lots of good advice so far, but one more item -- since your father has turned sysadmin tasks over to you, once you wipe and re-install, set up his account on the computer so that it is a restricted user account, not an admin account. If he isn't doing sysadmin tasks then he doesn't need the privs and this limits the amount of damage that a scammer can do to the computer. (Although getting his SSN and other info is still really bad.)
--Paul
1) Boot from a DVD (non-writable drive) and back up the hard disk. NO APPLICATIONS!!!
2) Then format and reinstall.
3) Reset the router firmware.
4) Reset any and all passwords from a secure terminal (your boot disk should be sufficiently secure if you force HTTPS).
5) Monitor your local credit record, bank accounts and such with a fine-tooth comb for the next 6 months.
The windows CDs now contain a "recovery" console that copies required-to-boot files back into the install.
It works pretty well, I was quite surprised when I used it the first time, and it's been a great help (as in, saving time) several times.
That said, any compromised machine still needs to be wiped, but the damage they did by deleting files isn't unrecoverable. So, if you need to walk someone through it on a phone or something it may be worthwhile to know.
I can't believe no one has recommended a credit freeze:
http://en.wikipedia.org/wiki/Credit_freeze
really? And you're worried primarily about the state of his computer?
He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.
After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.
This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.
Back up just his data then blow away windows entirely and upgrade him to Linux.
Not only is Linux more secure than Windows anyway, but if his recovered data includes places where viruses can hide (such as any Microsoft Office files or PDF files) then they most likely wouldn't be able to do harm or even run in that environment either.
You can setup alerts with equifax and experian here:
equifax
experian
it's the only way to be sure.
dd if=/dev/zero of=/dev/sda bs=1M
According to Microsoft's 10 Immutable Laws of Security, "it's not your computer anymore" and you need to revert to a known-good state. This generally translates into a complete restore from backups or a reinstall. If you have a spare drive, it's probably easiest to just save an entire image of the bad drive (just to make sure you don't lose anything) and do a complete wipe. You can recover any needed data from the backup image (just be careful not to actually run any apps from that backup). A current AV installed on the fresh rebuild may be able to help remove some of the junk from the backup image as well, just make sure it doesn't accidentally "clean up" anything important. That should fix the PC itself, but there are other things you may want to consider as well (as suggested by others here).
Your dad may need some training/assistance regarding finances and private info. You'll want to reset any accounts that were accessed via the tainted PC (and any others you think could have been compromised by the infected PC). If he doesn't specifically need Windows, changing to Ubuntu or similar can inherently stop Windows-specific malware (including crap from well-meaning but incompetent remote techs, e.g. unnecessary software from the ISP). I set a previous girlfriend up with a laptop running Ubuntu, and was able to find Linux versions of pretty much any app she needed for what she wanted to do (web browser, office suite, iPod software, etc.). Linux may not do everything he needs, and it won't stop phone-based social engineering, but it can go a long way to help against malware.
Why is giving out his SS number such an awfully bad thing? From what I've read, it's no secret, but rather the contrary. It's just misassumed that the SS number should be secret.
So.... what happens when these scammers call someone who actually knows something about computers, or runs a Macintosh, or run Linux? Or are these scammers only targeting retirement communities, because an awful lot of people these days are computer literate. And many kids aren't even running PCs anymore, they are using tablets.
There's (at least) two sides to this:
Personal:
Credit agencies: So, this is a tech site, but before getting down-and-dirty with trying to fix his computer I would strongly suggest contacting the credit bureaus and put a hold on things. This will protect him from someone trying to open a new credit account in his name.
Credit cards and Banks: Depending on your level of paranoia, have him contact his credit card companies and banks and ask them to issue new cards. Of course, that may in turn require updating any pre-authorized billing he may have set up.
Authorities: Consider contacting the police and/or your Attorney General. They may be interested to hear a report of this.
Technical:
Forensics. If there's any question about needing to retain documentation about this, consider pulling the compromised drive and storing it. If access to existing data is necessary, put in an external enclosure, mount it read-only under Linux, and copy data from it.
Passwords: change passwords on all on-line accounts from a non-compromised system.
History: Look in whatever history information you can get. Take a look at his browser history, firewall log, command line history, registry, etc. This may help you to assess what level of damage you're dealing with.
Clean or Fresh? One can probably get away with formatting the drive and reinstall. But, in full paranoia mode, have him buy a new PC (cost of this provides reinforcement of prior warnings that were ignored.) Restore data from malware-scanned backups or from read-only access from pulled drive. I've read reports about malware hiding in USB keyboards and printers, so a reformat and restore onto the original machine may not be sufficient.
Family:
Possibly the hardest part of this is the fact that you're dealing with a parent. They were (hopefully) patient when you were learning all about the world as a child. It's helpful to try and bring an attitude of patience and tolerance to this situation. Let him face the consequences of his actions by having him make the phone calls to banks, credit agencies, etc. Let him pay for the cost of a new drive or PC. (Negative reinforcement) But also thank him for being honest with you about what he had done. Better this than to find out later he'd been scammed out of thousands of dollars because he was afraid to tell you what he had done. (Positive reinforcement.)
Finally: good luck!
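Several replies above describe the same live-CD procedure in pieces: boot Linux, mount the old disk read-only, copy off documents and photos, look for leftover remote-control software and recent changes, then zero the drive with dd or shred before reinstalling. The script below is an added example that pulls those steps into one set of shell functions; it is not code posted in this thread. It assumes a Linux live CD running as root with GNU coreutils and findutils, a hypothetical suspect Windows partition /dev/sdb2 on a hypothetical disk /dev/sdb, hypothetical mount points /mnt/suspect and /mnt/rescue, and an assumed (not exhaustive) watch list of remote-control tool names.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root from a Linux live CD.
# Hypothetical names: /dev/sdb2 (suspect partition), /dev/sdb (whole disk),
# /mnt/suspect and /mnt/rescue (mount points).

# 1. Mount the suspect partition so nothing on it can run or be changed
#    while we look at it and copy from it.
mount_suspect() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# 2. Triage. List files whose names match common remote-control tools
#    (assumed watch list) and anything modified in the last N days.
find_remote_tools() {
    root="$1"
    find "$root" -type f \( -iname '*teamviewer*' -o -iname '*logmein*' \
        -o -iname '*ammyy*' -o -iname '*anydesk*' -o -iname '*supremo*' \
        -o -iname '*gotoassist*' -o -iname '*gotomeeting*' \
        -o -iname '*ultraviewer*' \)
}
recent_files() {
    root="$1"; days="${2:-7}"
    find "$root" -type f -mtime -"$days"
}

# 3. Rescue documents only, keeping the directory layout. Anything that
#    could execute on the rebuilt machine is deliberately left behind.
rescue_data() {
    src="$1"; mkdir -p "$2"; dst=$(cd "$2" && pwd)
    ( cd "$src" && find . -type f \
        ! \( -iname '*.exe' -o -iname '*.dll' -o -iname '*.scr' -o -iname '*.com' \
           -o -iname '*.bat' -o -iname '*.cmd' -o -iname '*.vbs' -o -iname '*.js' \
           -o -iname '*.ps1' -o -iname '*.msi' -o -iname '*.lnk' -o -iname '*.jar' \) \
        -exec cp --parents -p {} "$dst" \; )
}

# 4. Zero the whole device. One pass of zeros is enough against a software
#    compromise; the random passes in a plain "shred -z" add hours on a
#    large disk without adding anything here.
zero_fill() {
    shred -n 0 -z "$1"
}

# 5. Confirm every byte of the target now reads back as zero.
verify_zeroed() {
    t="$1"
    if [ -b "$t" ]; then size=$(blockdev --getsize64 "$t"); else size=$(stat -c %s "$t"); fi
    cmp -s -n "$size" "$t" /dev/zero
}

# Typical run (commented out so this file can be sourced for its functions):
# mount_suspect /dev/sdb2 /mnt/suspect
# find_remote_tools /mnt/suspect; recent_files /mnt/suspect 14
# rescue_data /mnt/suspect/Users /mnt/rescue/dad
# umount /mnt/suspect
# zero_fill /dev/sdb && verify_zeroed /dev/sdb && echo "disk reads all zeros"
```

The mount options matter as much as the copy: ro keeps the evidence intact if you later need it, and noexec/nosuid/nodev stop a stray binary on the old disk from ever running on the rescue system. The rescued tree still deserves a scan from the freshly built machine before anything in it is opened, as the posts above say; filtering executables only removes the obvious carriers.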
Cool, I didn't know Linux had anti-malware tools built in. I'm gonna try that righ
Lubuntu, thanks!
The computer part is easy. I would worry more about your dad giving out his SS. My mom got her SS stolen and we put a credit freeze on her file. I had to pay $10 for each credit reporting agency but that stopped the thieves from getting too many credit cards. They did manage to get a Macy's CC.
First smack him upside his head. He really needs it.
Have him talk to his bank(s) immediately, freeze his accounts.
Next have him get a hold of every credit reporting agency and tell them to put a stop on all Credit checks immediately and inform them that he does not wish to have unsolicited credit card applications sent to him. This will prevent a scammer from opening a new credit card in his name in the future.
Call all of his Credit card companies and have holds put on his cards.
Go to SSN office immediately and change his SSN, and explain what happened.
Speak with every credit card company he's ever dealt with, and tell them to change his credit card number, explaining the fraud, and report to them the new SSN if they have to have it.
Talk to someone for each stock trading account he holds.
Talk to a credit lawyer about how to minimize further damage.
Get a shredder to shred all documents with SSN or Credit card companies offering credit.
Once you've helped him through all that, smack him upside his head again for good measure.
You have a very busy year ahead of you to help your father get through this crap.
Good Luck
Unless you know exactly what the scammer did I don't think you can assuredly undo the damage. A format + reinstall really is the only 100% guaranteed thing to do the trick. And be sure to change all the passwords.
IMO the bigger problem is the social security number. He needs to setup fraud alerts with the credit reporting agencies. http://www.usatoday.com/money/perfi/columnist/block/2005-03-28-ym_x.htm They have links to do it for each of them.
A hacker (or spammer) with access to the PC is probably only a minor inconvenience in the scheme of life, identify theft could be devastating for years to come!
As far as the computer goes, many have already answered that a format and reinstall of the OS is a good cure, and really isn't very hard to do.
Here is an explanation of what to do if your SSN gets compromised, courtesy of the Federal Trade Commission.
okay

A. On your system:
1. download WSUSOFFLINE and build a patch set
2. download (but don't run) http://ninite.com/.net-7zip-air-chrome-firefox-flash-flashie-foxit-java-pdfcreator-shockwave-silverlight/

B. At your father's house:
1. Disconnect the router
2. Wipe the hard drive and reinstall Windows (you do have a record of the key, right??)
3. run the WSUSOFFLINE update installer
4. do whatever other settings fixes you need to (enable Windows Defender??)
5. reconnect the router
6. run Ninite
7. spend the time Ninite is running explaining things to your father
8. Run Firefox and install AdBlock (or do the same to Chrome)
Actually... whichever, just set up a separate /home partition from /, so it's easy to toss on a different install later without losing their stuff.
WHOA WHOA Wrong Order....
....his insurance.... ...credit rating agencies... ...defensive strategies... ....
The blatant identity theft is a ticking time bomb that will not be easy or painless to redress (especially for someone who readily handed over an SSN for ANY reason)....
The computer can sit there (off) just fine while you stop the bleeding.
1. OBVIOUSLY keep computer not only offline but OFF & OFF-SITE (who knows what he might try to do with it).
2. HELP YOUR FATHER start protecting himself with his....
3. banks....
4.
5.
6.
30. THEN look into addressing the computer problems.
Car analogy:
"My father hit a tree at 50 miles an hour and appears to have a broken collarbone and a punctured lung.... I'm heading over to investigate... Does anyone know if I can use my own AAA membership to get the car towed or should I have my own mechanic work on repairing the vehicle's front end?"
Someone who comes to me with their tech problems got suckered by this one. But luckily the person is quite stubborn and regularly ignores me so they ended up telling the scammers that they were doing it wrong and did it their own way. The only thing that was changed was the default home page which this person translated as installed a virus.
The big danger here is if they have enough info to open new lines of credit in his name. With the SS# and whatever they gleaned from his computer, they might. A security freeze will prevent anyone else from accessing his credit report without his express authorization. He'll have to contact TransUnion, Experian, and Equifax each, and directly. I think they waive any fee if he's over 65.
Good luck with that.
Many of us who have parents who are getting a little older have to deal with this kind of stuff. They're often not very computer savvy, and don't have the natural paranoia many of us have developed.
But they're going to want to maybe run tax software, the software for their camera, maybe run Office, maybe sync their eBook and a few other things. They're not going to be interested in running Linux, because the first thing they try to install that doesn't work they're going to be pissed off. I wouldn't foist Linux on my parents, and having seen the software they use, Linux wouldn't really be suitable for them. Because they do just enough as to make Linux more trouble than it's worth: there are things they need to do you can't do on Linux at all, and other things for which there is a piece of software which does most of what you want, but not all of it.
When my parents got their PC a couple of years ago, I sat them down and explained to them how you shouldn't always trust the internet, you definitely shouldn't trust someone calling you out of the blue claiming to be ... well, anybody really unless you can confirm it, and that I live sufficiently far enough away that being their tech support isn't practical. So they really needed to take to heart the risks.
Once I'd impressed upon them just how serious I was and what could go wrong, they then went forth with an understanding that they need to keep their wits about them. They've learned to be wary of unsolicited calls, and never to discuss any of that stuff unless they initiated the conversation with a number they verified from an official location.
Have you met any older people? I'm talking anywhere between 60 and 90. Many of them simply never developed the kind of watchfulness we have, and impressing upon them how important it is.
My great aunt in her late 90's fell for a couple of scams here and there (chump change, really). The problem was that somehow they figured out that if they could imply they were from her church then she'd be likely to open her wallet to them.
It's, for lack of a better word, that they're not sophisticated/worldly/cynical enough about people. Given how often I get calls from people claiming to be all sorts of things, I can completely see how someone who is in their 70's just don't realize to not trust someone by default. If you grew up in a rural area, or grew up before TV ... that level of distrust is just not natural to you.
Even a lot of the media targeted towards seniors try to give good coverage of the issues here. But you'd be surprised at how many older people really don't know what we consider to be fairly basic stuff.
Hell, I've gotten to the point that if I don't immediately recognize the phone number, I simply don't answer since most of my incoming calls are fraudulent. It's just like spam, cast a wide enough net, and even if you only get 1% response, it's pretty lucrative.
But it's actually quite difficult to really get all of this through someone's head.
yup.. Even on the XP to Ubuntu upgrades I do, the default Ubuntu sudo for the users account is removed.. In other words, they CANNOT do ANY root-ish thing.. yeah I know, a bit more work for me, which is why I have Teamviewer on each system AND a user account for me which has the sudo creds.. I determine when setting up the machine what things the user is most likely going to need that will trigger a gksu dialog and add the user to those groups, and pre-install most of the apps the user will need from the repositories.. So far has worked swimmingly..
It's called the Social Security Death Master File. It has about 90 million records. You didn't say they had to be for living people.
Photos, unfortunately, have been used as re-infection vectors.
I imagine that passing a JPEG photo through jpegtran, a tool for lossless rotation, flipping, and remultiplexing of JPEG images, would strip out any format oddities through which a photo file can reinfect a computer. What viruses are you talking about that reinfect a host through JPEG images, and did the reinfection vectors survive jpegtran?
Linux IS easier and MORE robust and DEFINITELY MORE secure than Windows
Especially if you, as the "system admin" of Dad's system, put Teamviewer on the system, then remove dad's account's sudo privs, make an account for yourself with the sudo privs. Yes, I know it will be more work for you, but if you pre-install nearly everything you can imagine he'll need from the repos, then if he gets a gksu prompt for something, you can be somewhat sure its a bogus attempt by some malware, or, something he's trying to do that requires privs, such as perhaps a scanner.. Again, its a bit more work, but the system is oh-so-much-more secure...
bring a new hard drive with you. Your father should first change all his passwords. You install Linux on the new drive (enable ssh for remote administration). Mount the old windows drive as read only and leave the task of retrieving his data to your father.
Nuke it from orbit - it's the only sure way. I'd recommend any decent Linux distro..
Organization? You must be joking..
zOMG!@ he got a virus!
we need the witness protection program~!!@$
there can be some dreadful cruft left behind by some of the snakey charmers out there, even if you format the drive. bogus partitions of evil, and the like. I have gotten into the habit, thanks to some 90s viruses that created a reinfect partition every time the PC got reinfected (once found 19 partitions of evil!) of blowing the drive away by installing Linux in a clean "wipe it all" install. then if you have to put the Microsoft Virus back on, again do a clean "wipe it all" install of Windows. if the little darlings haven't hosed the BIOS, that should do it.
until the next time. instruct your pigeon that they need to "practice safe hex," and not hook up with characters they don't know.
(the punchline used to be "... and wrap all your floppies in condoms," but who has floppies any more?)
Having recently gone through the process of protecting my wife from ID theft, her info was swiped from work (most likely) I can offer the following suggestions:
1) File a police report, even if your dad feels dumb
2) Check ALL financial institutions for transactions
3) Place a Fraud Alert with the three credit rating companies - it's free
4) Change ALL passwords and security questions
5) Sign up for credit monitoring services such as IdentityGuard.com
This slip up will follow your dad for many years to come. Acting swiftly will minimize damage to his credit.
It's amazing what info is freely available through public records: addresses, family members, date of birth, etc. Combine that with a SSN and people will be opening lines of credit EVERYWHERE with your dad's identity. I know first hand from what recently happened to my wife.
You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.
Be sure to completely wipe the hard drive or SSD, including the Master Boot Record (MBR).
Also, you need to replace the BIOS flash-ROM (which probably means replacing the motherboard). You can't simply re-flash the BIOS ROM in place because the infected BIOS will infect anything you boot, no matter what kind of media you boot from - and no matter what OS the re-flashing tool uses. (With the right equipment, it might be possible to re-flash the BIOS in place. This involves connecting an in-circuit debugger to the CPU's debugging interface. Or plug in a CPU emulator in place of the CPU (assuming the motherboard uses a socketed CPU).)
Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
An anti-virus program is a bad idea, especially today when they fail to catch up to the present day when it comes to virus definitions. A much better idea is to create a whitelist of programs and allow nothing else to run.
Seriously. If he's that vulnerable, it will probably happen again. I have had good success with the "basic computer users" I support. They are motivated to climb the learning curve because I explain that even if I reformat their hard drive and reinstall all the AV software, I cannot guarantee it won't happen again. Then I tell them that the AV software chews up some of their processor bandwidth and if we run Linux, they won't need it. So they will be getting more out of the machine. And to rescue the machine? USB drive, bootable Linux live CD and copy the data from the original HDD onto the USB drive, nuke the original drive, reformat, install OS of your choice and copy the data back.
Right, cause you can't possibly work on the computer between phone calls and working hours.
There's an inherent delay in the system in trying to do your 2-6; they can't be done immediately. And doing them immediately will just have you waiting on hold and impatiently working through the automated phone systems.
There's no reason the computer can't be worked on at the same time.
1. Get him a new e-mail address & don't associate it with any social media apps, especially facebook
2. Change his phone number, unlisted
3. backup data to a HDD
4. repartition & format primary HDD, install OS (assuming win32)
5. install an "Internet Security Suite" from either: Kaspersky, BitDefender, Eset
6. install SOHO Deep Packet Inspection Firewall with VPN (~$300), i.e. Sonicwall TZ100 (recently acquired by Dell):
http://www.sonicwall.com/us/products/TZ_100.html
- review of TZ100: http://www.techrepublic.com/blog/products/review-sonicwall-tz-100-router/989
- this might be an astroturf comparison of Sonicwall vs. Cisco, but worth a read:
http://www.firewalls.com/sonicwall_vs_cisco
The one thing that's always worried me about saving off the personal data from a clueless victim's hosed Windows box: how do you know there isn't a compromised file in that herd - a malicious pdf labeled '2008 Federal Tax Return', or that jpeg called 'Family Reunion' is not quite what it appears? Scan it all yes, but still that nagging concern never quite goes away.
After you call your bank (including any banks you have loans/credit cards with) and let them know what happened, do this:
(stolen shamelessly from usbank's website)
1. Call the major credit bureaus:
Equifax: 800-525-6285 or equifax.com
Experian: 888-397-3742 or experian.com
TransUnion: 800-680-7289 or transunion.com
First, ask that they place a “fraud alert” on your credit file. A fraud alert prevents creditors from changing your accounts – or opening new ones in your name – without proper verification. Then, request a free copy of your credit report. If you see any additional signs of fraud, notify the credit bureau and the creditors whose accounts are affected. After the disputed transactions are resolved, request another copy of your credit report to make sure your file has been updated.
2. Call your other creditors – including your phone and utility companies – and let them know that you’ve been a victim of fraud. Close any accounts that may have been compromised. As a precaution, consider resetting all of your passwords.
3. Inform check security companies about the fraud:
National Check Fraud Center 843-571-2153
SCAN 800-262-7771
TeleCheck 800-710-9898
CrossCheck 707-586-0551
Equifax Check Systems 800-437-5120
International Check Services 800-526-5380
Chexsystems 800-428-9623
CheckRite 800-466-2748
4. File a police report if you think your personal information (driver’s license, address) has been compromised or stolen.
5. Call the Federal Trade Commission (FTC) identity theft hotline at 877-438-4338, or file your complaint online at ftc.gov.
6. Be vigilant, patient and persistent. It can take weeks — or even months — to resolve identity theft. Keep a close eye on all of your statements, review your credit reports regularly, and immediately report any discrepancies.
Why so paranoid? Because with nothing more than your SSN and Address, the bad guys can see your free credit report and know about *every line of credit you have*.
The race is on; here comes Pride in the back stretch.
fdisk /mbr
or with Linux & grub:
grub-install /dev/hda
Both overwrite the master boot record. It's not some magical thing. Stop acting like it's some unknown religious artifact.
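To make the point above concrete, here is an added shell example (not from any poster in this thread) that shows what "overwriting the MBR" actually amounts to, and also covers the earlier advice to wipe the whole drive including the MBR and the multi-pass wipe some shops require. The MBR is simply the first 512-byte sector, with the 0x55 0xAA boot signature at bytes 510 and 511; the layout and offsets are the standard MBR format, while the function names and the 1 MiB image are this example's own. It works only on a constructed image file it creates itself, never on a real device, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from any post above): the MBR is just the first 512-byte
# sector of a disk, with a 0x55 0xAA signature at bytes 510-511.  Overwriting
# the whole device, sector 0 included, removes any boot code left behind.
# Everything here operates on a constructed image FILE, never a real disk.
# Assumes a POSIX shell with dd, od, head, tr, wc and mktemp (coreutils/BSD).

# Build a 1 MiB constructed disk image carrying a fake MBR: 446 bytes of
# placeholder "boot code" (0x90), a blank 64-byte partition table, then the
# boot signature.  Prints the image path.
make_test_image() {
    img=$(mktemp)
    {
        head -c 446 /dev/zero | tr '\0' '\220'    # 0x90 bytes stand in for boot code
        head -c 64 /dev/zero                      # empty partition table
        printf '\125\252'                         # 0x55 0xAA boot signature
        head -c $((1024 * 1024 - 512)) /dev/zero  # rest of the "disk"
    } > "$img"
    echo "$img"
}

# Print the two signature bytes at offset 510 as lowercase hex, e.g. "55aa".
mbr_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds when the image still carries a valid MBR boot signature.
has_boot_signature() {
    [ "$(mbr_signature "$1")" = "55aa" ]
}

# Succeeds when sector 0 is entirely zero (no boot code, no partition table).
mbr_is_zero() {
    [ -z "$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\0')" ]
}

# Overwrite the entire image in $2 passes (default 1): random data on every
# pass but the last, zeros on the last so the result is verifiably blank.
# Pass 1 already covers sector 0, so one pass is enough to destroy the MBR;
# extra passes only matter where a wipe policy demands them.
wipe_image() {
    img=$1
    passes=${2:-1}
    size=$(wc -c < "$img")
    sectors=$((size / 512))
    i=1
    while [ "$i" -le "$passes" ]; do
        if [ "$i" -lt "$passes" ]; then src=/dev/urandom; else src=/dev/zero; fi
        dd if="$src" of="$img" bs=512 count="$sectors" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Stand-alone demo: build an image, show the signature, wipe it, verify.
demo() {
    img=$(make_test_image)
    echo "before wipe: signature $(mbr_signature "$img")"
    wipe_image "$img" 3
    if has_boot_signature "$img"; then
        echo "wipe FAILED: boot signature still present"
    else
        zero=$(mbr_is_zero "$img" && echo yes || echo no)
        echo "after wipe: signature $(mbr_signature "$img"), sector 0 all zero: $zero"
    fi
    rm -f "$img"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh wipe_demo.sh --demo` to see the signature go from `55aa` to `0000`. The same `dd` call pointed at a block device is what a "zero the drive" step really does; `grub-install` or DOS `fdisk /mbr` only rewrite sector 0's boot code, which is why a full-device overwrite, not just a new bootloader, is the right answer for a machine you no longer trust.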
How about establishing laws such that if some idiot bank gives credit to some random in my name, the default legal position is that the debt is invalid and does not attach to me merely by my denying I opened it. Require the issuer to have actual PROOF that the debt is mine before they can say word one to me (or my credit report) about it.
The credit industry has spun this thing to be "identity theft", but it isn't. My identity is still attached to me, right where I left it. YOU nitwits were defrauded. I was not involved until some creditor attempted to attach a debt to me that was not mine.
Unless your father is a geriatric and/or suffers from some mental impairment I'm really struggling with the idea that he shouldn't just be left to suffer his fate and clean up his own mess. Survival of the fittest can be a good thing.
In any case the very first thing that needs to happen, and as soon as possible, is to lock his credit file. It will make life more of a pain for him later should he need to use a service requiring a credit inquiry, but it will effectively prevent anyone from using his identity to establish credit. Then this incursion needs to be reported to every financial institution he does business with: banks, credit cards, investment, etc. After that you can start to care about his computer. Which, by the way, if you wish to be paranoid you might as well throw away and replace. Unless you/he is sentimental and/or budget sensitive, the time you'll invest scanning each and every bloody JPEG, PDF, wiping the hard drive(s) with DBAN, and flashing the BIOS, etc. might well not be worth it.
Two of my imaginary friends reproduced once
The question reminds me of an old joke:
A man comes with Chicken McNuggets to a veterinarian and says "Doctor, Doctor, isn't there anything you can do?"
Seriously: Any infected PC should be treated as if it contained contact poison. I would at least low-level format the hard disk and completely rebuild the system. If in doubt I would rather lose data than allow the infection to spread.
#1: On a Windows PC, run combofix and Norton Power Eraser to check for rootkits. Maybe run malwarebytes as well.
#2: Create a new Admin user account with password protection
#3: Create a new Standard User account, and move his data from his old account's Favorites, My docs, Pics, Music, and Videos, etc. Data folders only. He will get fresh temp folders and fresh setting folders for software.
#4: Delete old user account
#5: If he is able to run Firefox with NoScript, I would highly recommend that move. If he is not able to manage NoScript permissions, then just Firefox.
Try to copy pictures, documents, EMail to an external drive, then zero out the drive, format and reinstall.
Put the PC in the trash and buy him a $399 iPad and allow him to participate in digital culture.
There is NO EXCUSE for putting a non-consumer PC in front of a consumer. Windows PC's cannot be safely attached to the Internet. The US government advises citizens not to use Windows PC's for banking or store any private data on them. Further, they are obsolete and end-of-lifed. Windows is transitioning to cheaper ARM hardware over the next few years and to a new interface and the Intel version is being abandoned because people are literally not willing to pay that much for Windows anymore. ASP for a Windows PC is below the entry-level $399 iPad price, and the Intel parts have to go to get the ASP down lower and stop the Windows platform from shrinking. So you are wondering why his PC cannot deal with the modern world? Because it is a relic. Trash it.
Today, you can go to the fucking iPod Store and buy a virus-free, malware-free, scam-free, training-free, no-I-T required consumer PC for $399 and it has $5 video editors from the 2 leading vendors, $10 best-of-class office apps, $1 games, video calls, iTunes, Netflix, Hulu, and all kinds of apps that Microsoft is pleading for developers to port to their office PC's.
Hey Slashdot, how can I fix a cardboard door that has been kicked in by scammers? You fix it with a fucking impregnable metal door that costs the same or less than the cardboard door you bought from a vendor that took advantage of you. Stop putting in cardboard doors.
My father, when he was able to use the computer, could fall into just about any kind of pitfall. You'd give him specific guidance, but he'd just forget.
If I was advising somebody with a father like mine, I'd create a custom Linux recovery disk that would easily restore his computer to a known state.
He'd always lose his data when the system was restored, but if that was what he expected to happen when he routinely crashed the system, that would be no big deal.
I used to try and recover compromised machines until about 2 years ago. That's when I realized that no matter what you do with a compromised disk...there could easily still be some nugget of stuff that's been encrypted where scanners won't find it. Then I heard a lot of the recovery experts saying the same thing...format it, better still toss the drive and start over...the 'nuke it from orbit, it's the only way to be sure' method.
The mistake is to stick the drive in another running machine or an enclosure and try to read it with another machine. Good chance you might infect that one too. Best to burn media files to a dvd on the compromised machine, throw the rest away. Ideal, restore from a backup to a new drive.
... before you destroy all the evidence doing what the other posters suggested, you should be taking care of your elderly father and CALL THE POLICE.
Where I work, we do a 3 pass secure wipe and then re-image the system for any malware due to security reasons. You should do the same. DO NOT attempt to save the OS, it is far too compromised; especially with god knows what they installed.
Better yet, put him in a home; he's clearly too senile to think well enough to keep himself out of trouble.
BIOS is 'metal'?
In the context of reformatting or replacing a hard drive for a clean operating system reinstallation, anything that runs before reading the boot sector from the hard drive is "metal". And in this case, the claim is that some boot-time rootkits infect the BIOS or UEFI.
This isn't Metal Storm.
Are you talking about the weapons company or the 1990 NES platformer?
If you have to ask the question then you shouldn't be messing with it in the first place and should leave it up to the professionals.
Eradicate every bit of data on that drive. Start over. There should be zero debate on this.
---- Booth was a patriot ----
To be safe you should do what others are suggesting. I moved my parents to Linux and have never had a problem since.
The interesting thing is I have played with a couple of these scammers in VMs and in both cases it was clear they know very little about computers and really just want to get you to buy a 'support' package. To show how dumb some of them are, when I told one I couldn't actually see any problems he proceeded to try and format my C drive at a command prompt, but he could not get the syntax right. After 5 minutes of trying he gave up and used the GUI to delete the C drive. So while dumb, they can be vindictive, so be careful. He hung up before I could show him how a VM can be restored in seconds.
Give it an Enema.
So ... since you've been diligent in your entrusted tasks:
Where is the problem?
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
The moment the remote control program was activated, all bets were off. They could have done literally anything at that point.
Phone rings. You answer to hear the phone ringing. Dude in a bull pen picks up. "His servers show that my machine has a serious error." Suspicious I asked which one, I have many. "The windows machine." Uh huh. I abused him for a bit and made sure I wasted some of his time. He clearly had no clue what I had. Beware of Greeks... er Geeks calling offering free services. They are probably not your friend.
I removed this same malware using this disk http://support.kaspersky.com/viruses/rescuedisk
It boots into Linux and offers malware removal tools. Another option is to remove the drive from the machine and use a USB to SATA adaptor. Plug it into a good, well protected working machine and use the anti-virus tools on your machine to scan and clean the attached drive. Since you do not boot from or run code from the drive, your machine should be clean. Of course you could use a Windows VM running under Linux to clean the attached drive as well, but I have never needed to go that far.
See my blog http://ilovecookes.blogspot.com/ for light-hearted technical information.
Shocking I know, but my US Bank, CC, their processors and most annual AV subscriptions ALL steal more money than any malware ever has from me... One needs to re-think precisely who ALL the thieves are.
May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.