
Thread: Wife's PC got hacked, now what?!

  1. #1
    Join Date
    Jan 2016
    Location
    Greg_o
    Posts
    3,008

    Wife's PC got hacked, now what?!

    Try not to judge (too harshly).

    Overheard wife at the family PC talking on the phone with "Mircrosoft tech support". My BS alarm went off immediately and I disconnected the call. Yeah, she fell for it and had been online being told to change various settings.

    Apparently a window opened up earlier (I'm sure you know the routine) saying she's been compromised and to call for help etc.

    As you can tell, she is extremely tech illiterate. I'm not much better. Unfortunately she doesn't remember precisely which settings were changed, but when I intercepted she was in her google account settings.

    So we've been able to change all of our pertinent passwords (not on this compromised pc of course) and am wondering what are the next steps.

    Does this originate from a virus? I'm not clear on how the message originally appeared.

    Looking in Add / Remove programs, I can see that Microsoft Edge along with Microsoft Office and Visio were installed today. Currently uninstalling these as we don't use them and I'm not sure if they're malicious or if it was an automated update type thing.

    Anything else I can be checking? Or burn the whole thing with fire and move on?!

  2. #2
    Join Date
    Sep 2010
    Location
    In your Dreams
    Posts
    2,827
    When my wife did the same thing, my son-in-law who works in computer tech security told her to toss the computer and get a new one.
    Seeker of Truth. Dispenser of Wisdom. Protector of the Weak. Avenger of Evil.

  3. #3
    Join Date
    Jan 2017
    Location
    on the banks of Fish Creek
    Posts
    9,234
    good computers are cheap these days.


    https://www.newegg.com/Computer-Systems/Store/ID-3

  4. #4
    Join Date
    Jan 2008
    Location
    you see a tie dye disc in there?
    Posts
    4,814
    [Attached image: p0701hzn.jpg]

  5. #5
    Join Date
    Feb 2012
    Posts
    11,362
    [Attached image: IMG_6879.JPG]

  6. #6
    Join Date
    May 2012
    Location
    People's Republic of OB
    Posts
    5,286
    My parents are completely illiterate now but I've been harping on them for so many years I've got them completely paranoid about computer scams and phone scams. They've had "microsoft" warning screens pop up a few times and they just turn the computer off immediately. That usually seems to get rid of it. They used to have a tech kid they could call to come out but he moved away.

    Can't help with the current problem, but do recommend finding some youtube vids that show how common computer scams and viruses/trojans work. Same with phone scams. Lots of people are completely clueless and it might open eyes and avoid future problems. I have an aunt who has had a computer infected or been scammed multiple times.

  7. #7
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,694
    Quote Originally Posted by Cisco Kid View Post
    When my wife did the same thing, my son-in-law who works in computer tech security told her to toss the computer and get a new one.
    This. Also, force remote logout everything you can, like Gmail, etc. Change passwords. All from a different computer. Stat.

  8. #8
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,694
    And if you want to save the computer, but not what's on it, find some kid to wipe it and reinstall it.

  9. #9
    Join Date
    Nov 2008
    Location
    Greater Drictor Wydaho
    Posts
    5,638
    Quote Originally Posted by riser4 View Post
    And if you want to save the computer, but not what's on it, find some kid to wipe it and reinstall it.
    I don't think you need to "find some kid". Doing a factory reset is pretty straightforward.

  10. #10
    Join Date
    Dec 2002
    Location
    cow hampshire
    Posts
    9,373
    I hate assholes. My kid's friend's parents just got taken on Craigslist. I don't trust anyone or anything when it comes to computers/phones.

    AI is going to make it extremely difficult to keep your shit safe.

  11. #11
    Join Date
    Mar 2011
    Location
    North,NorthEast
    Posts
    3,719
    Quote Originally Posted by Thaleia View Post
    Looking in Add / Remove programs, I can see that Microsoft Edge along with Microsoft Office and Visio were installed today
    How long was this phone call? I put Microsoft Office on 2 of our work computers a few weeks ago, and it took me forever. I would at least disconnect it from the internet and do a full virus scan, but destroying it seems like a safer option.

    Also, try a reverse phone number lookup?

  12. #12
    Join Date
    Feb 2008
    Posts
    3,518
    Factory reset or formatting the drive might not take care of any sneaky viruses they were able to install. If you keep the computer, you want to use a tool to completely overwrite all the data on the HDD like https://dban.org/. Then you can reinstall from a DVD with the OS, or if you don't have a DVD, download the installation media from Microsoft and put it on a thumb drive: https://support.microsoft.com/en-us/...f-40c3b507420d. This is being extra-paranoid, but I would create the installation media on a different PC than the one that got hacked.

    You'll need your product key (20 digits and letters, or maybe it's 25, I don't remember) to activate Windows. For some computers, typically corporate purchases, this is actually part of your hardware and Windows will pick it up automagically. For other computers, you might have a key on a sticker on the back / underside of the computer, or with your manuals. If you don't see it anywhere, you should be able to get it from the registry, but that's getting above my paygrade.

    You should run a virus scan on every computer on the same network - again, don't know how sophisticated they are, but maybe they were able to infect other devices in the household. Then, as others have said, change every password that might have been compromised.

  13. #13
    Join Date
    Oct 2014
    Location
    Ottawa
    Posts
    830
    Quote Originally Posted by Thaleia View Post
    Try not to judge (too harshly).

    Overheard wife at the family PC talking on the phone with "Mircrosoft tech support". My BS alarm went off immediately and I disconnected the call. Yeah, she fell for it and had been online being told to change various settings.

    Apparently a window opened up earlier (I'm sure you know the routine) saying she's been compromised and to call for help etc.

    As you can tell, she is extremely tech illiterate. I'm not much better. Unfortunately she doesn't remember precisely which settings were changed, but when I intercepted she was in her google account settings.

    So we've been able to change all of our pertinent passwords (not on this compromised pc of course) and am wondering what are the next steps.

    Does this originate from a virus? I'm not clear on how the message originally appeared.

    Looking in Add / Remove programs, I can see that Microsoft Edge along with Microsoft Office and Visio were installed today. Currently uninstalling these as we don't use them and I'm not sure if they're malicious or if it was an automated update type thing.

    Anything else I can be checking? Or burn the whole thing with fire and move on?!
    Things can be hidden within add/remove programs, so you may need to dig deeper; https://woshub.com/how-to-hide-insta...-and-features/

    Microsoft Defender is sufficient and should be able to keep you protected; I wouldn't bother with third party alternatives.

    Password managers are a must now. I use 1Password, and may add the extra of a Yubikey along with that soon.

    If you want to clean the disk, diskpart will do that and is already built in to Windows: https://winaero.com/securely-wipe-di...indows-10/amp/
    Quote Originally Posted by jlboyell View Post
    Climate change deniers should be in the same boat as the flat earthers, ridiculed for stupidity.

  14. #14
    Join Date
    Jan 2016
    Location
    Greg_o
    Posts
    3,008
    Hey thanks everyone for all the input - I think realistically we'll just get a new pc.

    Good call on the youtube common scam educating, will do that tonight.

    All passwords have been changed from a different device. Well, all but my TGR account lol, haven't been able to update that password in years. There will likely be a Thaleia version 2 in the near future.

    I'll try a reverse phone number search when she's back home.

    Dan and Johnny thanks for the detailed drive info - this is a super low end machine, at this point I'm going for the easy option of getting something new and up to date.

  15. #15
    Join Date
    Sep 2008
    Location
    a poop plant
    Posts
    3,415
    Quote Originally Posted by Thaleia View Post
    Hey thanks everyone for all the input - I think realistically we'll just get a new pc.

    Good call on the youtube common scam educating, will do that tonight.

    All passwords have been changed from a different device. Well, all but my TGR account lol, haven't been able to update that password in years. There will likely be a Thaleia version 2 in the near future.

    I'll try a reverse phone number search when she's back home.

    Dan and Johnny thanks for the detailed drive info - this is a super low end machine, at this point I'm going for the easy option of getting something new and up to date.
    Do you actually use it for stuff? I find 95% of people just use their home PC to surf the internet. I use a $200 Chromebook at home. Not a lot of hacking going on on that OS. I get MS 365 from work for free, but I think it's like $99 a year. I'm done with PCs.

  16. #16
    Join Date
    Jan 2016
    Location
    Greg_o
    Posts
    3,008
    That's a really good point. Yeah it's almost exclusively used to surf. I do some basic photo editing every now and then and sometimes use it to play / mix music files. Pretty basic stuff. I'll look into those, thanks.

  17. #17
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,889
    So interrogate her and ask how much was done - probably tried to remote into the system via software, maybe asked for payment for the cleaning and scam via credit card (hopefully not something like PayPal or gift cards?).

    On that computer - complete at least 3 or 4 virus scans while off the internet and local network. Do a backup of important stuff, and maybe even just back it up and reformat the drive and do a complete reload if they got into it for too long of a time with remote access.

    Virus scanning if you do not want to go through the reformat and reloading - the antivirus software on the system already, then maybe Kaspersky Rescue (download and boot to the software on a flash drive or thumb drive, and then connect to the internet and do the update). Others include Microsoft Offline Scanner, Malwarebytes and maybe a few others if infections are found of some sort. Do an sfc /scannow and maybe check DISM restore health also to verify system files. Look at the Control Panel and Programs and Features and sort by the date of software installs. See if any software you do not use or recognize is listed on the system with newer dates, Google search and maybe uninstall anything you do not use or know, especially if Google search talks about being unsafe...

    Financial - if you had any credit card, banking or similar financial information and logins and the like on that system, immediately change passwords (hopefully you have 2 factor authentication turned on and you would be challenged or get notification if a login was done). Notify the bank or credit card company if she did provide any information on that.
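
Posts #13 and #17 above suggest sorting Programs and Features by install date and note that entries can be hidden from that list. The PowerShell below is an added example, not written by any poster in this thread: it reads the registry "Uninstall" keys directly so that hidden entries show up too. The `$Days` window and the `Get-InstalledSoftware` function name are assumptions made for the example.

```powershell
# Added example (not from the thread): audit installed software on Windows.
# Reads the same registry "Uninstall" keys that Programs and Features reads,
# but also shows entries flagged SystemComponent = 1, which that list hides.
$Days = 14   # assumption: how far back counts as "recent"; adjust as needed

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    param([string[]]$Path)
    Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is optional and, when present, is usually yyyyMMdd.
            $parsed  = [datetime]::MinValue
            $hasDate = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher   # self-declared by the installer
                Installed = if ($hasDate) { $parsed } else { $null }
                Hidden    = ($_.SystemComponent -eq 1)
                Uninstall = $_.UninstallString
            }
        }
}

$all    = Get-InstalledSoftware -Path $uninstallKeys
$cutoff = (Get-Date).AddDays(-$Days)

'--- Installed in the last {0} days ---' -f $Days
$all | Where-Object { $_.Installed -and $_.Installed -ge $cutoff } |
    Sort-Object Installed -Descending |
    Format-Table Installed, Hidden, Name, Publisher -AutoSize

'--- Hidden from Programs and Features, publisher not Microsoft ---'
$all | Where-Object { $_.Hidden -and $_.Publisher -notmatch 'Microsoft' } |
    Sort-Object Name |
    Format-Table Name, Publisher, Uninstall -AutoSize

'--- No install date recorded (cannot be sorted by date) ---'
$all | Where-Object { -not $_.Installed } |
    Sort-Object Name |
    Format-Table Name, Publisher, Hidden -AutoSize
```

Windows and hardware drivers mark many legitimate entries as hidden, and the Publisher field is whatever the installer wrote, so the output is a list of things to look up rather than a verdict. Store (MSIX) apps are not recorded under these keys and need `Get-AppxPackage` instead.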

  18. #18
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,694
    Quote Originally Posted by dan_pdx View Post
    Factory reset or formatting the drive might not take care of any sneaky viruses they were able to install. If you keep the computer, you want to use a tool to completely overwrite all the data on the HDD like https://dban.org/. Then you can reinstall from a DVD with the OS, or if you don't have a DVD, download the installation media from Microsoft and put it on a thumb drive: https://support.microsoft.com/en-us/...f-40c3b507420d. This is being extra-paranoid, but I would create the installation media on a different PC than the one that got hacked.

    You'll need your product key (20 digits and letters, or maybe it's 25, I don't remember) to activate Windows. For some computers, typically corporate purchases, this is actually part of your hardware and Windows will pick it up automagically. For other computers, you might have a key on a sticker on the back / underside of the computer, or with your manuals. If you don't see it anywhere, you should be able to get it from the registry, but that's getting above my paygrade.

    You should run a virus scan on every computer on the same network - again, don't know how sophisticated they are, but maybe they were able to infect other devices in the household. Then, as others have said, change every password that might have been compromised.
    Quote Originally Posted by neckdeep View Post
    I don't think you need to "find some kid". Doing a factory reset is pretty straightforward.
    Dan articulated what I was too lazy to write out. Find some kid was shorthand. There's sneaky shit that can infect the recovery partition. And most computers don't ship with actual physical recovery media for a long time. Most normal people don't take the time to create recovery media immediately upon unboxing. They should. Once Microsoft Department gets ahold of the machine, it's fucked. Personally, I suggest a new drive, don't even reuse the old one.

  19. #19
    Join Date
    Nov 2011
    Posts
    406
    Quote Originally Posted by Thaleia View Post
    That's a really good point. Yeah it's almost exclusively used to surf. I do some basic photo editing every now and then and sometimes use it to play / mix music files. Pretty basic stuff. I'll look into those, thanks.
    How do we even know this is really you?

  20. #20
    Join Date
    Feb 2006
    Location
    Among Greatness All Around
    Posts
    6,889
    Quote Originally Posted by Thaleia View Post
    Try not to judge (too harshly).


    Apparently a window opened up earlier (I'm sure you know the routine) saying she's been compromised and to call for help etc.

    Does this originate from a virus? I'm not clear on how the message originally appeared.

    Looking in Add / Remove programs, I can see that Microsoft Edge along with Microsoft Office and Visio were installed today. Currently uninstalling these as we don't use them and I'm not sure if they're malicious or if it was an automated update type thing.

    Anything else I can be checking? Or burn the whole thing with fire and move on?!
    So a few comments and further recommendations:

    It could have been a web site that was typed wrong - misspelled a common site she goes to and got some infected drive-by trojan, or just the beeping and WARNING YOU ARE INFECTED - please call this scammer's telephone number (to make it worse)... If she was using a specific browser, clear the cache (history) and cookies and check to see what passwords may have been saved for sites on that browser. It could have been an infection - free coupons, download this malware package and install it, or a few other possible situations - but the above are the leading contenders usually.

    Microsoft Edge is of course Microsoft's newest browser for web sites. It probably was an update, but since you uninstalled it, you could reinstall if your system is cleaned and you are not going to reformat the system and do a reload after wiping the disk.

    Office again could be legitimate if you have either a Microsoft 365 subscription or purchased the Office 20xx version that is one time. Visio is a pretty unique package from Microsoft for diagramming and flow chart type of stuff. It is not included in most Office Subscriptions, so if nobody in the house knows anything about it, leave it off. Doubt a scammer would put something like that on the system, but uninstalling probably did not hurt anything unless someone in the family has a legitimate license (like a school or education version for some school project, or you or your wife using it for work purposes).

    Educate all the members of your house - if something like a "you're infected, call this number" type of warning comes up, close out or just shut down the computer if they can't close out the warning (typically comes with audio and someone talking to you also). Going into Task Manager and ending the stuff running can work sometimes also. If it has a cable for the internet (ethernet patch cable) pull that out also; if on WiFi, disable the WiFi so internet access is disabled also until it can be scanned. Even if they did not call the number, better safe than sorry.

  21. #21
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,694
    Quote Originally Posted by Thaleia View Post
    when I intercepted she was in her google account settings.
    This is actually sort of serious and worth revisiting. Go double check to make sure additional recovery methods weren't set up. Pronto. Remove them stat. Check the whole account settings. Getting control of an email account and knowing the cell phone number can lead to a SIM hack and is used to gain control of bank accounts. For this reason, whenever possible don't use SMS for 2FA on bank accounts. And I highly advise having your bank account and other sensitive financial accounts use a secure email service that you pay for, not Google. Don't use that email for anything else, including car dealer loans or really anything that is not strictly with the bank. Switch immediately. Maintain strict hygiene with that email account.

  22. #22
    Join Date
    Dec 2011
    Location
    PNW
    Posts
    7,924
    Quote Originally Posted by riser4 View Post
    This is actually sort of serious and worth revisiting. Go double check to make sure additional recovery methods weren't set up. Pronto. Remove them stat. Check the whole account settings. Getting control of an email account and knowing the cell phone number can lead to a SIM hack and is used to gain control of bank accounts. For this reason, whenever possible don't use SMS for 2FA on bank accounts. And I highly advise having your bank account and other sensitive financial accounts use a secure email service that you pay for, not Google. Don't use that email for anything else, including car dealer loans or really anything that is not strictly with the bank. Switch immediately. Maintain strict hygiene with that email account.
    ^this!

    They were most likely in it for bank account access and not installing viruses.

  23. #23
    Join Date
    Mar 2012
    Location
    The Bull City
    Posts
    14,003
    Shit, they got her google stored passwords for EVERYTHING. Vibes.. They might have yours too if she showed them what happens when she logs off then to the sign on options since it's a shared PC..

    Log in to that google account and print a screen shot of ALL the websites with stored passwords. You'll have to change ALL of them.. hopefully before they do before you and lock you out..
    Go that way really REALLY fast. If something gets in your way, TURN!

  24. #24
    Join Date
    Dec 2012
    Location
    I can still smell Poutine.
    Posts
    26,694
    Who still stores passwords in google???

  25. #25
    Join Date
    Feb 2012
    Posts
    11,362

    Wife's PC got hacked, now what?!

    Will need some pics of your wife so I can scrub the dark web, make sure her image isn’t plastered about.
