Parent's PC virus pls halp
  • My mother needed to reset her Yahoo mail password, so decided to google "yahoo password reset" and got a random 0800 number, which she then called, and then allowed some Indian guy remote access. He then proceeded to say that her PC was infected with viruses, and there's a notepad file on there called CAY or something. It was probably uploaded to her PC by this guy. Anyway, I'm guessing we're going to have to reinstall Windows on this laptop now because we don't have the technical expertise to fix it.

    My concern is that my laptop is also on this network, and I was online whilst she was making this phone call, and I didn't have a firewall or antivirus active.
    Could he have got into my pc too or would I have had to click on something, like an "allow" prompt? 

    Another concern is that if someone has remote accessed your pc can they just do it again at any point in the future?
  • This is what happens when you search the sort of sites you do for your pictures.
  • beano
    How was remote access "allowed" again?

    Effectively, a machine needs remote connections natively enabled to allow a connection or a third party programme/service.

    There's no way of targeting specific computers on network without some established port forwarding and open ports.
    "Better than a tech demo. But mostly a tech demo for now. Exactly what we expected, crashes less and less. No multiplayer."
    - BnB NMS review, PS4, PC
  • She just says "he was getting me to click on loads of things".

    "he was sending me messages to click on".

    That's all she can remember, and then he said "you can't reset your yahoo password because your computer is infected with viruses".
  • My guess would be that it was through logmein or something similar.
    "Let me tell you, when yung Rouj had his Senna and Mansell Scalextric, Frank was the goddamn Professor X of F1."
  • beano
    Go into control panel, install/uninstall programmes and sort by date.

    Take note of the dates.

    Then load system recovery and restore the machine to before any recent installs.

    If there is no restore point then manually uninstall the offending programmes with http://www.revouninstaller.com/

    Ensure you remove registry, directories etc...you'll be prompted by REVO.
    "Better than a tech demo. But mostly a tech demo for now. Exactly what we expected, crashes less and less. No multiplayer."
    - BnB NMS review, PS4, PC
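
    The "sort installed programmes by date" check from the post above, as a read-only PowerShell script. This is an added example, not something posted in the thread. The 14-day window and the list of remote-support tool names are assumptions to adjust; LogMeIn is the only tool the thread itself names.

```powershell
# Added example: list recently installed programs and flag remote-support tools.
# Read-only: it queries the registry and changes nothing.

$DaysBack = 14   # assumption: how far back counts as "recent"

# Illustrative name fragments for common remote-support tools (assumption; extend as needed).
$RemoteToolPatterns = 'LogMeIn', 'TeamViewer', 'AnyDesk', 'Supremo', 'ScreenConnect', 'UltraViewer'

# The registry locations the Control Panel list is built from:
# 64-bit, 32-bit, and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

$programs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is optional; when present it is normally a yyyyMMdd string.
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            try { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) }
            catch { $installed = $null }   # malformed date: treat as unknown
        }
        $name = $_.DisplayName
        [pscustomobject]@{
            Name       = $name
            Publisher  = $_.Publisher
            Installed  = $installed
            RemoteTool = [bool]($RemoteToolPatterns | Where-Object { $name -like "*$_*" })
        }
    }

# Show anything installed inside the window, plus any remote tool regardless of date
# (entries without an InstallDate would otherwise be missed).
$programs |
    Where-Object { $_.RemoteTool -or ($_.Installed -and $_.Installed -ge $cutoff) } |
    Sort-Object Installed -Descending |
    Format-Table -AutoSize
```

    An empty result does not prove nothing was run: remote-support clients that are launched as a one-off download without installing leave no entry under these keys.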
  • Oh this is real? I assumed you were joking. Didn't think it was possible to be that inept.
  • beano
    Don't rip the lad's ma, that's not on.
    "Better than a tech demo. But mostly a tech demo for now. Exactly what we expected, crashes less and less. No multiplayer."
    - BnB NMS review, PS4, PC
  • Goes without saying, but I'll say it anyway, make sure to actually change Yahoo passwords and any other logins and passwords that she might have given the scammers.

    Also, on Googling "yahoo password reset", why did she not click on the first/top links that give the actual Yahoo webpages?
  • davyK
    Check for other obvious stuff such as docs containing contact lists or other useful info that could have been browsed. You have to assume all docs, emails, browser history, cookies etc. on the drive are compromised.

    Shows what a little bit of knowledge can do. Someone can have the gumption to google for a solution, but then be naive enough to ring up a dodgy number and follow instructions.
    Holding the wrong end of the stick since 2009.
  • TBH, I don't get how a dodgy scam number came up as a top hit on the google search.
  • A virus?

    Back in the day I had a virus which replaced page 1 of Google with bullshit advertisements.
  • beano wrote:
    Go into control panel, install/uninstall programmes and sort by date. Take note of the dates. Then load system recovery and restore the machine to before any recent installs. If there is no restore point then manually uninstall the offending programmes with http://www.revouninstaller.com/ Ensure you remove registry, directories etc...you'll be prompted by REVO.

    I did this, couldn't see any dodgy programs, just Chrome that I had installed for her today. I did system restore back to the 10th of April. I checked in Windows and the CAY notepad file filled with expletives like "fuck you your pc is infected haha" has disappeared, which I'm assuming was somehow remotely uploaded by this guy in India, is that possible if he has remote access?

    @djchump I think they used Yahoo search, I have googled the number that they called and it took me to a very poorly designed site featuring promises of virus removal and protection, and a picture of a frustrated Indian in the corner, and the 0800 phone number and company address (in India).
  • Weird, I would have thought even a crappy yahoo or bing search would have thrown up the correct pages first... Who else uses that computer, just your mum? It seems much more likely to me that a website popup claiming "your PC is infected etc." came first. I'm not trying to be mean or owt, it's just that however it first occurred is kinda important because you need to make sure it doesn't happen again (or similar).

    You'll need an antivirus and malware scanner - IIRC the Microsoft one and Malwarebytes are pretty well regarded:
    http://www.microsoft.com/en-gb/security/pc-security/malware-removal.aspx
    https://www.malwarebytes.org

    Run those on all the pcs you want peace of mind for - should pick up any nasty stuff left installed/left behind (plus maybe any other crap that has collected over the years).

    Then install and turn on antivirus and tell your mum to only ever trust popups from whatever antivirus you've installed; if the antivirus says it's dodgy/dangerous, don't click it. I've always paid for Eset for me, the wife and her mum's PCs, just cos it was always highly rated and clean/simple to use - ymmv, pick whichever looks good, I hear Sophos do a free one these days, and that Microsoft's own is okay as well. Avoid Norton and especially McAfee like the fucking plague.
    Oh, and turn on the firewalls!
  • Triple stating to change all passwords for all accounts accessed from that machine.

    Protip. Buy a Chromebook for anyone in your life that doesn't also work in server admin.
    "..the pseudo-Left new style.."
  • Thanks for the help everyone, much appreciated.
  • Parents around computers are like toddlers around hi fi equipment.
  • GooberTheHat
    Malwarebytes is very good. Had to use it last week to get rid of some shit on my father-in-law's desktop. It did seem to reset the browser settings to use a proxy server though (it didn't try to specify a particular proxy server, just that the browser should be using them) so I had to switch that back before it would work properly.
  • Haha gotta love ransomware scams.
    I got called by these fuckers once while home on a Friday afternoon, claiming my PC was infected and sending out signals over the net. I told him politely to kindly fuck off and hung up the phone.

    Ars Technica did an article on this a while ago. Will see if I can still find it.

    Edit:
    http://arstechnica.com/tech-policy/2013/01/in-which-windows-technical-support-scammers-call-me-again/
    Steam: Ruffnekk
    Windows Live: mr of unlocking
    Fightcade2: mrofunlocking
  • davyK
    There are many splendid youtube renderings of scammers being strung along. Enjoyable.
    Holding the wrong end of the stick since 2009.
  • hunk wrote:
    Haha gotta love ransomware scams. I got called by these fuckers once while home on a Friday afternoon, claiming my PC was infected and sending out signals over the net. I told him politely to kindly fuck off and hung up the phone. Ars Technica did an article on this a while ago. Will see if I can still find it. Edit: http://arstechnica.com/tech-policy/2013/01/in-which-windows-technical-support-scammers-call-me-again/

    They've rung me 3 or 4 times now. I've done everything from politely telling them to get lost, to arguing with them. (Like the guy in the article this got me nowhere. The scammer just found it all totally hilarious, though at one point I riled him enough to threaten me, at which stage I pointed out that we were both completely powerless to do anything about the other, at which point he agreed and just started laughing again. Pathetic cliche that I am, I actually uttered the words "seriously, how do you sleep at night?" to gales of laughter.)

    They once phoned my mother. She's on Linux, and simply decided not to explain this to them, and had a wonderful time playing at "old lady doesn't understand simple instructions".
