Slashdot Mirror


Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?

New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regia and cut the internet cable. I am heading over to his place later and wonder what measures I should take."

29 of 320 comments

  1. Just the obvious by gestalt_n_pepper · · Score: 5, Insightful

    Bow your head and type "Format C:" Amen.

    --
    Please do not read this sig. Thank you.
    1. Re:Just the obvious by RivenAleem · · Score: 4, Informative

      The 'hurt' caused by the loss of data might also shock him up enough to be more careful.

    2. Re:Just the obvious by Lord+Lode · · Score: 4, Informative

      Yes, but make sure you back up any photos and other irreplaceable bits of information first!

      Do not back up anything that's executable though.

    3. Re:Just the obvious by RogueyWon · · Score: 5, Informative

      That's definitely the first thing he needs to do, but there's more besides:

      1) Change all passwords. Either do it from a different PC or from that PC AFTER it has been wiped and confirmed clean.

      2) Get a few credit checks over the next few months. Depending on how much information the father has actually given away (and it may be more than he's willing to admit), he may have given the scammers enough to do a thorough identity theft job on him. Picking up any attempts at this as early as possible will be important.

      3) Some urgent parental re-education. Using a stout stick if necessary.

      Oh, and when going to do the disinfection, if you're taking a personal machine with you, make damned sure before you go that it is NOT set to automatically connect to wireless networks. I got stung with this one a few weeks ago when disinfecting an uncle's PC.

      He'd picked up one of those ransomware fake-AV trojans that basically renders Windows unusable. I'd figured it was going to be a wipe-and-reinstall job (which indeed it was), but had taken an old laptop with me in case I needed a "clean" PC for anything. This laptop had been my secondary PC until I replaced it with an iPad and I was going to use my trip "up north" as an opportunity to hand it over to the parents, who would make more use of it than I would. It'd just been flattened itself and had a fresh (though updated) Vista install on it. It also has a network share on it, that I'd used to copy a few drivers and other files over from my desktop to save redownloading them.

      Anyway, like a fool I boot the thing up as soon as I get in there, forgetting two important things:

      1) The laptop will default to connecting to any wireless network it can find and get onto; and

      2) My uncle, being a complete idiot, has an unsecured wireless network.

      So the laptop connects immediately to his wireless network - and gets infected within seconds by the trojan on his PC via the open network share. Fortunately, I had the Vista disc with me to do an immediate wipe and reinstall on the laptop as well, but it was still frustrating.

    4. Re:Just the obvious by Adriax · · Score: 4, Informative

      Yank the HD.
      Slave it to another machine.
      Save what you need to.
      Format it.
      Toss it back into the original machine.
      If he can handle it, install your favorite flavor of linux. If not, reinstall windows.
      Make sure his account lacks the privileges to get into that much trouble in the future.
      Start researching identity theft countermeasures.

      --
      I don't suffer from insanity, I enjoy every minute of it!
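The slave-the-drive-and-copy steps above, together with Lord+Lode's "don't back up anything executable" rule, as an added shell example (not code from the thread or from any poster): it assumes the suspect disk is already mounted read-only and noexec on a Linux host, and the extension skip-list is a constructed one.

```shell
#!/bin/sh
# Added example: copy a user's documents off a suspect Windows disk that has
# been slaved to a Linux host, skipping anything executable or auto-running.
# Assumed mount (not run here):  mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/suspect
set -eu

# Constructed list of extensions we refuse to copy back onto a clean system.
EXEC_EXTS="exe dll scr com pif bat cmd vbs vbe js jse wsf wsh ps1 msi msp hta cpl jar lnk"

# is_executable_name FILE -> exit 0 if FILE's extension is on the skip list
is_executable_name() {
    name=$(basename "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.*) ext="${name##*.}" ;;
        *)   return 1 ;;          # no extension: treat as data
    esac
    for e in $EXEC_EXTS; do
        [ "$ext" = "$e" ] && return 0
    done
    return 1
}

# copy_user_data SRC DST: mirror SRC's tree into DST, pruning Windows system
# directories and skipping executables. Prints each skipped path on stderr.
copy_user_data() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    # -prune drops whole system directories; only regular files are considered.
    # Note: -iname matches any directory with these names, not only top-level ones.
    find "$src" \( -iname Windows -o -iname 'Program Files*' -o -iname '$Recycle.Bin' \) -prune \
        -o -type f -print |
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        if is_executable_name "$f"; then
            printf 'skip %s\n' "$rel" >&2
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
}

# count_files DIR -> number of regular files under DIR (sanity check after the copy)
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Usage: copy_user_data /mnt/suspect/Users/dad /srv/rescue/dad
```

Review the skipped list on stderr afterwards; a .lnk or .scr sitting in Documents is exactly the kind of thing you do not want carried over to the rebuilt machine.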
    5. Re:Just the obvious by Joce640k · · Score: 5, Informative

      Bow your head and type "Format C:" Amen.

      Even better ... make him buy a new hard disk, that way you can be sure that:
      a) He spends some money (more likely to pay attention in the future).
      b) You didn't lose any data files - they're all on the old disk somewhere.

      --
      No sig today...
    6. Re:Just the obvious by ArsenneLupin · · Score: 3, Informative

      Family members won't let family members use windows...

    7. Re:Just the obvious by RogueyWon · · Score: 4, Informative

      The permissions on the share were read/write (though not for the whole of drive c). And it was basically a fresh Vista install that I'd run windows update on, but not been as thorough about as I should have been. My own fault, but that doesn't make it any less frustrating. Some of the ransomware stuff doing the rounds at the moment is absolutely vicious in how it will spread itself and protect itself from removal.

    8. Re:Just the obvious by snowraver1 · · Score: 4, Insightful

      No offence to the OP, but you can't fix stupid.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    9. Re:Just the obvious by LVSlushdat · · Score: 5, Interesting

      THIS!! Which is why the laptop I take for these kinds of 911 calls to gullible relatives/friends whose Windows machines have been screwed up by malware is a Linux machine. I'm the de facto tech support for my church/neighborhood. I've had several "clients" who are the typical "click on EVERYTHING" types, and who would call frequently when their machines got so slow that they couldn't do anything.. In the first case, the machine was so hosed that only a clean reinstall of Windows would be effective. But of course the owner didn't have the recovery disks for XP. The machine maxed out at 2GB, so getting the user to buy Win7 was a non-starter. To save the day, I loaded an Ubuntu LiveCD and showed what Ubuntu looked like, and asked "Can you live with that??" with an unspoken "You have no choice..".. The user said "whatever you say, I gotta have my computer!!".. So I backed up the docs to a USB drive via the LiveCD, and wiped/installed Ubuntu.. After a couple of calls from the user, saying "how do I do X??", I'm not hearing much from her anymore. As far as I know she still clicks on everything in sight, but I've not gotten any more "my computer's slow" issues. In fact, once her husband saw how well Ubuntu worked, he wanted to be "upgraded" to Ubuntu, and now he's a happy camper.. Word has spread, and I'm doing a fair number of these "upgrades"... Still using 10.04, as I'm still trying to decide if MATE or Cinnamon OR X/Lubuntu is the best way to replace Unity on 12.04..

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    10. Re:Just the obvious by johnw · · Score: 3, Informative

      I did much the same for my father. He was continually getting his Windows PC totally overloaded with malware (possibly assisted by grandsons from another branch of the family who liked to play on it).

      After recovering it a couple of times I simply scrubbed it and installed Debian. It does everything he needs and has reduced the support calls to pretty much nothing.

      He is quite unaware of what operating system he is using - he just needs to be able to access the web, read his e-mails and write some letters.

    11. Re:Just the obvious by NeverVotedBush · · Score: 3, Insightful

      "Obviously you have never heard of TSR programs or BIOS/UEFI attack vectors. Hardware CAN be infected at the 'metal' level." Um, a TSR doesn't really matter if you reinstall the OS. While BIOS can be infected, you should just be able to update the BIOS to eliminate that infection. You can verify by merely watching the POST to see the before and after BIOS versions. If the system is already at the most current BIOS, down-rev it and verify the BIOS level follows and then flash back to the current value and check again.

      I would also suggest switching Dad to Linux. While not totally immune to attack, whatever the scammers had him do would probably have had no effect on Linux if the steps could even be duplicated on a Linux box.

      The post about contacting the FBI is also a good one. Find out if they are interested in any forensics BEFORE wiping the OS.

  2. Wipe and reinstall. by Gordonjcp · · Score: 3, Informative

    Same as for any other compromised machine.

  3. oddly enough by alphatel · · Score: 5, Informative

    I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  4. Re:Back it up and nuke it! Then scan the backup. by vlm · · Score: 3, Informative

    Given the price of drives and the rate of change, you're better off just buying a new $50 drive and upgrading him. Then take the old drive, stick it in an external enclosure, and play around with it on a linux host. Unless his old PC is so old it can't be easily upgraded. Can you still buy PATA from retail stores or is it all SATA now, for example?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  5. A stern son-to-father lecture by stevegee58 · · Score: 3, Insightful

    In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.

    1. Re:A stern son-to-father lecture by spacepimp · · Score: 3, Insightful

      I would also remove his administrative privileges. Set up TeamViewer so you can connect remotely when he needs to install/make changes. My father was the same way. He had some sort of weird skill to always get immediately infected. Almost like he looked for some way to screw up his own life constantly.

  6. Nuke the site from orbit by necro81 · · Score: 4, Funny

    It's the only way to be sure.

  7. Wipe, reinstall, serious talk about his finances by SecurityGuy · · Score: 5, Insightful

    Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.

    Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.

    I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.

  8. Re:Format and reinstall by SecurityGuy · · Score: 4, Insightful

    As someone who does forensic analysis, no, the thing you want to do is not tell an untrained amateur how to try to do it, point them at tools, and hope for the best. It's actually time consuming and can be hard. By far the simplest solution is wipe and reinstall. If you want an actual forensic analysis done, unplug the network cable, step away and DO NOT TOUCH THE BOX AGAIN! Then call a pro.

  9. obvious by slashmydots · · Score: 3, Informative

    Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy GoToMeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that Google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.

    So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.

  10. Re:This is why backups exist. by rbrausse · · Score: 4, Insightful

    everyone wants restore, no one makes backups...

  11. Victims are stuck cleaning up the mess. by Anonymous Coward · · Score: 5, Informative

    What many of these scammers do is surf the hard drive for login information for financial institutions, bank and credit card numbers, and anything else they can get to commit financial fraud.

    Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.

    And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.

    File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.

    It sucks but it's up to the victim to clear their name as best as they can.

    The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.

    The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their license plate scanned by a cop, pulled over and taken to jail.

    Have fun with that.

  12. gave them his ssn? by v1 · · Score: 5, Informative

    really? And you're worried primarily about the state of his computer?

    He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.

    After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.

    This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.

    --
    I work for the Department of Redundancy Department.
  13. MS says reinstall by InvisiBill · · Score: 3, Informative

    According to Microsoft's 10 Immutable Laws of Security, "it's not your computer anymore" and you need to revert to a known-good state. This generally translates into a complete restore from backups or a reinstall. If you have a spare drive, it's probably easiest to just save an entire image of the bad drive (just to make sure you don't lose anything) and do a complete wipe. You can recover any needed data from the backup image (just be careful not to actually run any apps from that backup). A current AV installed on the fresh rebuild may be able to help remove some of the junk from the backup image as well, just make sure it doesn't accidentally "clean up" anything important. That should fix the PC itself, but there are other things you may want to consider as well (as suggested by others here).

    Your dad may need some training/assistance regarding finances and private info. You'll want to reset any accounts that were accessed via the tainted PC (and any others you think could have been compromised by the infected PC). If he doesn't specifically need Windows, changing to Ubuntu or similar can inherently stop Windows-specific malware (including crap from well-meaning but incompetent remote techs, e.g. unnecessary software from the ISP). I set a previous girlfriend up with a laptop running Ubuntu, and was able to find Linux versions of pretty much any app she needed for what she wanted to do (web browser, office suite, iPod software, etc.). Linux may not do everything he needs, and it won't stop phone-based social engineering, but it can go a long way to help against malware.

  14. Social Security number by hobarrera · · Score: 3, Insightful

    Why is giving out his SS number such an awfully bad thing? From what I've read, it's no secret, but rather the contrary. It's just misassumed that the SS number should be secret.

  15. Re:MATE or Cinnamon OR X/Lubuntu by gestalt_n_pepper · · Score: 3, Interesting

    I really enjoy my Zorin Linux distribution. It's so Window-like that there's almost no cognitive friction in switching. Comes with Wine pre-installed too, if for some reason, running a windows app is absolutely necessary.

    --
    Please do not read this sig. Thank you.
  16. Re:Just the obvious - WRONG ORDER by Apocryphon · · Score: 5, Insightful

    WHOA WHOA Wrong Order....

    The blatant identity theft is a ticking time bomb that will not be easy or painless to redress (especially for someone who readily handed over an SSN for ANY reason)....

    The computer can sit there (off) just fine while you stop the bleeding.

    1. OBVIOUSLY keep computer not only offline but OFF & OFF-SITE (who knows what he might try to do with it).
    2. HELP YOUR FATHER start protecting himself with his....
    3. banks....
    4. ....his insurance....
    5. ...credit rating agencies...
    6. ...defensive strategies... ....
    30. THEN look into addressing the computer problems.

    Car analogy:

    "My father hit a tree at 50 miles an hour and appears to have a broken collarbone and a punctured lung.... I'm heading over to investigate... Does anyone know if I can use my own AAA membership to get the car towed or should I have my own mechanic work on repairing the vehicle's front end?"

  17. Yes, the computer is the smallest problem by daemonenwind · · Score: 4, Informative

    After you call your bank (including any banks you have loans/credit cards with) and let them know what happened, do this:
    (stolen shamelessly from usbank's website)

    1. Call the major credit bureaus:
    Equifax: 800-525-6285 or equifax.com
    Experian: 888-397-3742 or experian.com
    TransUnion: 800-680-7289 or transunion.com
    First, ask that they place a “fraud alert” on your credit file. A fraud alert prevents creditors from changing your accounts – or opening new ones in your name – without proper verification. Then, request a free copy of your credit report. If you see any additional signs of fraud, notify the credit bureau and the creditors whose accounts are affected. After the disputed transactions are resolved, request another copy of your credit report to make sure your file has been updated.

    2. Call your other creditors – including your phone and utility companies – and let them know that you’ve been a victim of fraud. Close any accounts that may have been compromised. As a precaution, consider resetting all of your passwords.

    3. Inform check security companies about the fraud:
    National Check Fraud Center 843-571-2153
    SCAN 800-262-7771
    TeleCheck 800-710-9898
    CrossCheck 707-586-0551
    Equifax Check Systems 800-437-5120
    International Check Services 800-526-5380
    Chexsystems 800-428-9623
    CheckRite 800-466-2748

    4. File a police report if you think your personal information (driver’s license, address) has been compromised or stolen.

    5. Call the Federal Trade Commission (FTC) identity theft hotline at 877-438-4338, or file your complaint online at ftc.gov.

    6. Be vigilant, patient and persistent. It can take weeks — or even months — to resolve identity theft. Keep a close eye on all of your statements, review your credit reports regularly, and immediately report any discrepancies.

    Why so paranoid? Because with nothing more than your SSN and Address, the bad guys can see your free credit report and know about *every line of credit you have*.

    The race is on; here comes Pride in the back stretch.