Forgot your password?
typodupeerror
Software Windows Technology

Ask Slashdot: Rescuing a PC That's Been Hit By Scammers? 320

Posted by timothy
from the how-much-holy-water-ya-got? dept.
New submitter malcus writes "My father was hit by scammers the other day and even though he has handed over all computer service tasks to me they were able to sweet-talk him into: (1) Running some 'checks' to confirm the 'grave situation' that his computer was heading for (bad). (2) Start some remote-control program (worse). (3) Giving them his social security number (terrible). When they asked him for his credit card information he stopped and is now probably expecting them to call again. Meanwhile I have told him to dump the computer in holy-water or aqua regis and cut the internet cable. I am heading over to his place later and wonder what measures I should take."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Rescuing a PC That's Been Hit By Scammers?

Comments Filter:
  • Just the obvious (Score:5, Insightful)

    by gestalt_n_pepper (991155) on Tuesday August 28, 2012 @08:56AM (#41148091)

    Bow your head and type "Format C:" Amen.

    • Re:Just the obvious (Score:5, Informative)

      by RivenAleem (1590553) on Tuesday August 28, 2012 @09:10AM (#41148317)

      The 'hurt' caused by the loss of data might also shock him up enough to be more careful.

      • ... or cause him to dump you even quicker as the trustee for "all computer service tasks".
        • by snowraver1 (1052510) on Tuesday August 28, 2012 @09:37AM (#41148779)
          No offence to the OP, but you can't fix stupid.
          • No you can't. My friend got into PC's about 15 years ago. When he need's to do something that requires thought, he calls me. He calls me the other day to show him how to burn a CD. - for the 1,000th time. I said I was busy at the time but it's easy," you can figure it out". Asked him the next day, he said he could not figure it out. (Shortcut to burning software is on his desktop) His solution to the problem was --- Wait for it --- Just not to burn CD's. I told him that was a good idea, if you can't figur
        • Win-Win Situation!

    • Re:Just the obvious (Score:5, Informative)

      by Lord Lode (1290856) on Tuesday August 28, 2012 @09:11AM (#41148347)

      Yes, but make sure you back up any photos and other irreplaceable bits of information first!

      Do not back up anything that's executable though.

      • This. Also write down other software installed and any registration codes to make it all marginally less a pain in the ass. Most will show IDs on the about box or some licensing/registration menu item.

        I haven't had to reinstall the OS of my new Win7 comp, a couple of years old, but I switched to Chrome as IE was dead center as a hacker target.

      • Yes, but make sure you back up any photos and other irreplaceable bits of information first!

        Do not back up anything that's executable though.

        Photos, unfortunately, have been used as re-infection vectors.

        The only sure bet is a 10-lb sledgehammer applied until the machine is completely flattened. Then nuke it from orbit, just in case.

        Unfortunately, however, the worst of the damage isn't in the computer, it's was leaked out onto the Internet. Including, but not restricted to the SSN. Good luck with that.

        • by jhoegl (638955)
          Actually, I would call the FBI and have them use it to track the perps.
        • Photos, unfortunately, have been used as re-infection vectors.

          I imagine that passing a JPEG photo through jpegtran [wikipedia.org], a tool for lossless rotation, flipping, and remultiplexing of JPEG images, would strip out any format oddities through which a photo file can reinfect a computer. What viruses are you talking about that reinfect a host through JPEG images, and did the reinfection vectors survive jpegtran?

      • by greenbird (859670)

        Do not back up anything that's executable though.

        1. Image the drive.
        2. Plug it into a good Linux system.
        3. Only mount it in a VM or booted off ROM (Live CD/DVD).
        4. Profit...errrr...have fun.

        First rule of any damaged system. Image it. You've got a copy of everything. If you don't boot the drive or run any software on it it can't hurt you. If you mount it in a VM you can even enable/disable the network interface at will. Might be fun to backtrack the scammers and mess with'em.

      • The one thing that's always worried me about saving off the personal data from a clueless victim's hosed Windows box: how do you know there isn't a compromised file in that herd - a malicious pdf labeled '2008 Federal Tax Return', or that jpeg called 'Family Reunion' is not quite what it appears? Scan it all yes, but still that nagging concern never quite goes away.
    • Re:Just the obvious (Score:5, Informative)

      by RogueyWon (735973) * on Tuesday August 28, 2012 @09:14AM (#41148397) Journal

      That's definitely the first thing he needs to do, but there's more besides:

      1) Change all passwords. Either do it from a different PC or from that PC AFTER it has been wiped and confirmed clean.

      2) Get a few credit checks over the next few months. Depending on how much information the father has actually given away (and it may be more than he's willing to admit), he may have given the scammers enough to do a thorough identity theft job on him. Picking up any attempts at this as early as possible will be important.

      3) Some urgent parental re-education. Using a stout stick if necessary.

      Oh, and when going to do the disinfection, if you're taking a personal machine with you, make damned sure before you go that it is NOT set to automatically connect to wireless networks. I got stung with this one a few weeks ago when disinfecting an uncle's PC.

      He'd picked up one of those ransomware fake-AV trojans that basically renders Windows unusable. I'd figured it was going to be a wipe-and-reinstall job (which indeed it was), but had taken an old laptop with me in case I needed a "clean" PC for anything. This laptop had been my secondary PC until I replaced it with an iPad and I was going to use my trip "up north" as an opportunity to hand it over to the parents, who would make more use of it than I would. It'd just been flattened itself and had a fresh (though updated) Vista install on it. It also has a network share on it, that I'd used to copy a few drivers and other files over from my desktop to save redownloading them.

      Anyway, like a fool I boot the thing up as soon as I get in there, forgetting two important things:

      1) The laptop will default to connecting to any wireless network it can find and get onto; and

      2) My uncle, being a complete idiot, has an unsecured wireless network.

      So the laptop connects immediately to his wireless network - and gets infected within seconds by the trojan on his PC via the open network share. Fortunately, I had the Vista disc with me to do an immediate wipe and reinstall on the laptop as well, but it was still frustrating.

      • Re:Just the obvious (Score:4, Informative)

        by ArsenneLupin (766289) on Tuesday August 28, 2012 @09:31AM (#41148671)
        Family members won't let family members use windows...
      • Re:Just the obvious (Score:5, Interesting)

        by LVSlushdat (854194) on Tuesday August 28, 2012 @09:46AM (#41148941)

        THIS!! Which is why the laptop I take for these kinds of 911 calls to guilible relatives/friends whose Windows machines have been screwed up by malware is a Linux machine. I'm the defacto tech support for my church/neighborhood. I've had several "clients" who are the typical "click on EVERYTHING" types, and who would call frequently when their machines got so slow that they couldn't do anything.. In the first case, the machine was so hozed that only a clean reinstall of windows would be effective. But of course the owner didn't have the recovery disks for XP. The machine maxed out at 2GB, so getting the user to buy Win7 was a non-starter. To save the day, I loaded an Ubuntu LiveCD and showed what Ubuntu looked like, and asked "Can you live with that??" with an unspoken "You have no choice..".. The user said "whatever you say, I gotta have my computer!!".. So I backed up the docs to a USB drive via the LiveCD, and wiped/installed Ubuntu.. After a couple of calls from the user, saying "how do I do X??", I'm not hearing much from her anymore. As far as I know she still clicks on everything in sight, but I've not gotten anymore "my computers slow" issues. In fact, her husband, once he saw how well Ubuntu worked, he wanted to be "upgraded" to Ubuntu, and now he's a happy camper.. Word has spread, and I'm doing a fair number of these "upgrades"... Still using 10.04, as I'm still trying to decide if MATE or Cinnamon OR X/Lubuntu is the best way to replace Unity on 12.04..

      • 2) Get a few credit checks over the next few months. Depending on how much information the father has actually given away (and it may be more than he's willing to admit), he may have given the scammers enough to do a thorough identity theft job on him. Picking up any attempts at this as early as possible will be important.

        This, and even more proactive, call the three credit reporting agencies and ask for a fraud alert be attached to the name/SSN. This makes anyone trying to get credit have to jump through some more hoops - some difficult or impossible (without removal of the fraud alert first). It'll make obtaining new-credit for your father a big headache (although he should already be pretty established there), but could make credit a non-starter for an ID thief.

    • by scubamage (727538)
      Backup everything first. If you want to poke around first, make sure the damn thing is off the intertubes.
    • Re:Just the obvious (Score:5, Informative)

      by Adriax (746043) on Tuesday August 28, 2012 @09:18AM (#41148459)

      Yank the HD.
      Slave it to another machine.
      Save what you need to.
      Format it.
      Toss it back into the original machine.
      If he can handle it, install your favorite flavor of linux. If not, reinstall windows.
      Make sure his account lacks the privileges to get into that much trouble in the future.
      Start researching identity theft countermeasures.

      • Before anyone takes your advice as a solid plan, just remember that formatting doesnt touch the MBR, which for a few years has been a favorite place to hide out for viruses.

        dd if=/dev/null -of=/dev/sda bs=512 count=1

        Will handily wipe out your bootsector (including, I believe, your partition table, so make a backup before running this).

        Alternatively, if you want to try disinfecting, you can re-write it using the program "ms-sys", which I believe is on sourceforge and can rewrite a Windows MBR. Generally fixing the MBR is going to be necessary before

      • by Apocryphon (1849660) * on Tuesday August 28, 2012 @10:40AM (#41149827)
        WHOA WHOA Wrong Order....

        The blatant identity theft is a ticking time bomb that will not be easy or painless to redress (especially for someone who readily handed over an SSN for ANY reason)....

        The computer can sit there (off) just fine while you stop the bleeding.

        1. OBVIOUSLY keep computer not only offline but OFF & OFF-SITE (who knows what he might try to do with it).
        2. HELP YOUR FATHER start protecting himself with his....
        3. banks....
        4. ....his insurance....
        5. ...credit rating agencies...
        6. ...defensive strategies... ....
        30. THEN look into addressing the computer problems.

        Car analogy:

        "My father hit a tree at 50 miles an hour and appears to have a broken collarbone and a punctured lung.... I'm heading over to investigate... Does anyone know if I can use my own AAA membership to get the car towed or should I have my own mechanic work on repairing the vehicle's front end?"
    • But when you plan to do this, bring sure to bring a Ubuntu CD :-)
    • Re:Just the obvious (Score:5, Informative)

      by Joce640k (829181) on Tuesday August 28, 2012 @09:28AM (#41148635) Homepage

      Bow your head and type "Format C:" Amen.

      Even better ... make him buy a new hard disk, that way you can be sure that:
      a) He spends some money (more likely to pay attention in the future).
      b) You didn't lose any data files - they're all on the old disk somewhere.

      • by Hatta (162192)

        b) You didn't lose any data files - they're all on the old disk somewhere.

        Just sitting there waiting to reinfect the new machine.

    • Thats no longer enough. Formatting targets the partition; modern threats target the bootsector. Using dd or gparted to wipe out the MBR may be necessary at this point, as may reflashing the BIOS.

      Thats assuming, of course, that you want to have any confidence in the computer ever again.

  • Wipe and reinstall. (Score:4, Informative)

    by Gordonjcp (186804) on Tuesday August 28, 2012 @08:57AM (#41148097) Homepage

    Same as for any other compromised machine.

  • by Robert Zenz (1680268) on Tuesday August 28, 2012 @08:57AM (#41148099) Homepage
    What operating system? Also check what programs were run...and prepare for worst case: Reinstall.
    • I'd also change passwords on any sites he was using, especially ones that store credit card details etc.

  • What else were you expecting?

    • by vlm (69642)

      What else were you expecting?

      Probably, "as of August 2012 the best forensic analysis boot disk/usb image is ..." and the URL of a web page at SS.gov or maybe some consumer organization most likely titled something like "Your SS number is now public knowledge... what should you do now?"

      Some anecdotes of what someone has RECENTLY found in a forensic analysis of something owned like this might be interesting, although not terribly useful.

      • by SecurityGuy (217807) on Tuesday August 28, 2012 @09:10AM (#41148325)

        As someone who does forensic analysis, no, the thing you want to do is not tell an untrained amateur how to try to do it, point them at tools, and hope for the best. It's actually time consuming and can be hard. By far the simplest solution is wipe and reinstall. If you want an actual forensic analysis done, unplug the network cable, step away and DO NOT TOUCH THE BOX AGAIN! Then call a pro.

        • GP obviously didn't mean forensic as "will stand up in court", but only as "will satisfy my curiosity about what the scammer did to the PC, so that maybe I can get around a complete wipe".

          Victim's father is not accused of a crime here (unless the scammer also dumped some kiddy porn on the disk..), so "preserving the chain of evidence" is not a necessity here.

          And preserving evidence in order to haul the scammer into court is not necessary as well, because:

          • police already knows about these scams, so no add
        • by vlm (69642)

          It's actually time consuming and can be hard.

          Sounds like the definition of a hobby. I'd strongly suggest OP poke around for fun, but no one wants to help him by telling him "the best free downloadable forensics boot disk as of aug 2012 is ...". At most all it'll cost is a blank cdrom disk or unimaginably if he has no spare flash drives laying around it might be $5 at walgreens for a small one. I'm assuming OP is not going to send his dad an itemized hourly bill of his work, so if he Fs around for a couple hours before the reinstall no one is "losin

      • Your points about the SSN and identify theft are spot on, but for the PC itself it just doesn't make sense in a risk/cost vs reward context for an amateur to try and salvage an infected PC. It'll take hours at least and most importantly, you'll never really know if the machine is clean or not. Any machine that I know has been compromised is treated as compromised until it gets a full wipe, no matter how much effort I put into clearing the infection.

        For my 2 cents: Boot from disk into a flavor of Linux th

    • by sabs (255763)

      Reflash the bios.
      BIOS Trojans are evil and bad.

  • Install a VM with a godawfully infected version of Windows 98 on it and turn them loose on it... for the lulz.

    • There's a video here [youtube.com] of somebody allowing one of these scammers access to a VM. They essentially just disable a bunch of regular Windows services. Given we have no idea of what the OP's scammer actually did the safest course of action is a format and reinstall.
  • oddly enough (Score:5, Informative)

    by alphatel (1450715) * on Tuesday August 28, 2012 @08:57AM (#41148117)
    I had a client do this to his machine. He called an 800 number thinking they were the Yahoo help desk and they performed a similar routine. Oddly enough, they left no traces of their activity and there is no reasonable way to tell if there is an inactive trojan waiting to be launched in the future. Best bet is to copy off the data, wipe, reinstall OS.
    • by Anonymous Coward on Tuesday August 28, 2012 @09:19AM (#41148485)

      What many of these scammers do is surf the hardrive for login information for financial institutions, bank and credti card numbers, and anything else they can get to commit financial fraud.

      Call and write letters to the credit bureaus, your banks, and every other financial institution one does business with.

      And keep a sharp eye out for shenanigans and don't pay any bill that's not yours.

      File a police report. The cops won't do anything, but at least you'll have something to fax the debt collectors who may be calling.

      It sucks but it's up to the victim to clear their name as best as they can.

      The banks and other financial institutions just write off any losses and pass on the costs to the rest of us in the form of higher and more fees.

      The other thing they do with the information is create phoney IDs for illegals, get medical care for folks who can't pay, and various other things that require an ID - all in the victim's name and SSN. Folks have been arrested in the past because of someone else using their identity to commit a crime, the warrant goes out, and then the victim gets their lciense plate scanned by a cop, pulled over and taken to jail.

      Have fun with that.

  • by h4rr4r (612664) on Tuesday August 28, 2012 @08:58AM (#41148131)

    This is why you have backups. Reinstall the OS, restore your backups and do not give him an administrator account this time.

  • by Fwipp (1473271) on Tuesday August 28, 2012 @08:59AM (#41148135)

    Get him to change all of his passwords, especially banking passwords. Preferably from a network that hasn't seen the computer in question (and of course not on that machine). You know that they've executed foreign code, you have to assume that the machine is pretty much forever compromised.

  • Back up all the data and then re-install the OS from scratch. Before restoring the data, do a thorough threat scan on it, to make sure there are no nasties lurking in there. If the machine has been rooted, then you simply can't guarantee that anything else you do to clean it up will get rid of all threats. Hope that helps! (I missed a chance there to evangelise on Linux!)
    • by vlm (69642) on Tuesday August 28, 2012 @09:04AM (#41148217)

      Given the price of drives and the rate of change, you're better off just buying a new $50 drive and upgrading him. Then take the old drive, stick it in an external enclosure, and play around with it on a linux host. Unless his old PC is so old it can't be easily upgraded. Can you still buy PATA from retail stores or is it all SATA now, for example?

      • by h4rr4r (612664)

        You can buy pata, but the markup is enough to cover the cost of a pci sata card in many cases.

      • I second this. Just get another drive and start from scratch on that drive. If you need any data from the old drive, do it on a isolated computer on different non standard OS (*BSD or *nix) to prevent cross contamination. I would also reapply BIOS in case they found a way to infect it.

        • by vlm (69642)

          I would also reapply BIOS in case they found a way to infect it.

          Like I said, look at it as an upgrade opportunity. May as well stick the latest bios version on there, if you're coming over to fool with the computer anyway.

          The part I don't get is I haven't BIOS upgraded anything in a while, but the board makers fixation used to be only providing a windows app to flash. So you can't install windows or it'll get owned by the flash but you can't upload the flash without installing windows. I'd hope all mfgrs would distribute freedos bootable cdrom/usb images with the boo

  • by stevegee58 (1179505) on Tuesday August 28, 2012 @09:04AM (#41148229) Journal
    In addition to the wipe and install suggested over 9000 times, your father needs a good talking-to.
    • by Zuriel (1760072)
      syslogd man page:

      If the problem persists and is not secondary to a rogue program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* and have a chat with the user in question.

      Sucker rod def. — 3/4, 7/8 or 1in. hardened steel rod, male threaded on each end. Primary use in the oil industry in Western North Dakota and other locations to pump 'suck' oil from oil wells. Secondary uses are for the construction of cattle feed lots and for dealing with the occasional recalcitrant or belligerent individual.

    • Just remove Admin-Rights from his account.
    • by spacepimp (664856) on Tuesday August 28, 2012 @09:38AM (#41148795) Homepage
      I would also remove his administrative privileges. Set up team viewer so you can connect remotely when he needs to install/make changes. My father was the same way. He had some sort of weird skill to always get immediately infected. Almost like he looked for some way to screw up his own life constantly.
    • It occurred to me that OP's father might be the same age as me. Scary.
  • by necro81 (917438) on Tuesday August 28, 2012 @09:05AM (#41148253) Journal
    It's the only way to be sure.
  • by SecurityGuy (217807) on Tuesday August 28, 2012 @09:06AM (#41148267)

    Everybody's going to tell you the obvious right answer. You wipe the box and start over with a clean install, fully patched, with a firewall and AV. Anything less is really just asking for whatever happens next.

    Subsequent to that, you need to have a serious talk with your dad about sharing control over his finances with someone trustworthy (you, maybe). If he's handing out his social security number to any random nutjob who calls him, he's going to give away his life savings to some scammer someday. The time to prevent that is now, not later. I am seriously planning to do that myself, that is put something in place so that when (not if) I'm no longer competent to handle my own affairs, my kids will have the legal ability to seamlessly keep me from bankrupting myself. I have decades before this needs to happen, but the time to do it is when you are of sound, not failing, mind.

    I'd also look into putting a fraud warning on his credit report with all three credit bureaus. I'm not going to pretend that's something I know much about, so research it and confirm for yourself what good it will do and what harm before you act. I do think you want to limit the ability of any random goofball who knows your dad's SSN and name from opening credit in his name.

    • by niado (1650369)
      Here is an explanation of what to do if your SSN gets compromised, [ftc.gov] courtesy of the Federal Trade Commission.
    • by daemonenwind (178848) on Tuesday August 28, 2012 @01:05PM (#41152687)

      After you call your bank (including any banks you have loans/credit cards/ with) and let them know what happened, do this:
      (stolen shamelessly from usbank's website)
      1.Call the major credit bureaus:
      Equifax: 800-525-6285 or equifax.com
      Experian: 888-397-3742 or experian.com
      TransUnion: 800-680-7289 or transunion.com
      First, ask that they place a “fraud alert” on your credit file. A fraud alert prevents creditors from changing your accounts – or opening new ones in your name – without proper verification. Then, request a free copy of your credit report. If you see any additional signs of fraud, notify the credit bureau and the creditors whose accounts are affected. After the disputed transactions are resolved, request another copy of your credit report to make sure your file has been updated.

      2.Call your other creditors – including your phone and utility companies – and let them know that you’ve been a victim of fraud. Close any accounts that may have been compromised. As a precaution, consider resetting all of your passwords.
      3.Inform check security companies about the fraud:
      National Check Fraud Center 843-571-2153
      SCAN 800-262-7771
      TeleCheck 800-710-9898
      CrossCheck 707-586-0551
      Equifax Check Systems 800-437-5120
      International Check Services 800-526-5380
      Chexsystems 800-428-9623
      CheckRite 800-466-2748

      4.File a police report if you think your personal information (driver’s license, address) has been compromised or stolen.

      5.Call the Federal Trade Commission (FTC) identity theft hotline at 877-438-4338, or file your complaint online at ftc.gov.

      6.Be vigilant, patient and persistent. It can take weeks — or even months — to resolve identity theft. Keep a close eye on all of your statements, review your credit reports regularly, and immediately report any discrepancies.

      Why so paranoid? Because with nothing more than your SSN and Address, the bad guys can see your free credit report and know about *every line of credit you have*.

      The race is on; here comes Pride in the back stretch.

  • by Alzheimers (467217) on Tuesday August 28, 2012 @09:07AM (#41148283)

    Disconnect the PC from the internet, so it's only useful for Word/Excel and maybe Turbotax.

    Get him an iPad for day-to-day web surfing.

    Unless he's a real gamer or his bank is from the 19th century, this should solve most of his problems.

  • obvious (Score:4, Informative)

    by slashmydots (2189826) on Tuesday August 28, 2012 @09:11AM (#41148341)
    Combofix, believe it or not, specializes in removing all forms of remote control software. Most people don't know that. In fact, it will even destroy gotomeeting related files whether you want it to or not :-P Also, any system setting viewer like even the ancient HijackThis will list all LSP and protocol changes and all startup entries and all browser plugins. Just get rid of anything you can't identify or that google says is a remote control viewer. If malware scanners can't pick up anything bad, a system restore will definitely destroy any legitimate remote control software so between the two, you should disable any control they had.

    So, reset all passwords for all significant accounts, add a fraud alert to his credit report or add a third party lockdown solution like Lifelock (even though I hate them) and you should be set.
  • Is there a reason your father MUST be on Windows? Is he primarily browsing and using office productivity applications? If he does not have specific requirements (such as gaming, high end graphics/video production, ect) then he should not be running Windows to begin with.

    Get thee to Linux Mint, good sir, and do have that son to father talk regardless. Giving out personal info to strangers is insane.

  • by jones_supa (887896) on Tuesday August 28, 2012 @09:15AM (#41148423)
    Do you think your father could do everything he needs by using desktop Linux? If so, you could consider switching him to Ubuntu or some other distro. This could be a good turning point as you need to wipe the machine anyway.
  • by gman003 (1693318) on Tuesday August 28, 2012 @09:16AM (#41148435)

    Failing that, you need to treat the entire system as compromised, because it probably is. Do the following:
    Bring a Linux live CD and an external hard drive. Boot ONLY into Linux, copy necessary files (documents, photos) over to the external hard drive.
    Wipe the computer and reinstall everything from scratch. EVERYTHING. DBAN is your friend here. In fact, if he needs a bigger hard drive anyways, do that - just get a completely new hard drive.
    Restore his data files from the backup you just made.

    Yes, it's a pain, but at this point the system could contain something that anything short of this wouldn't clear out. (In fact, it's *possible* for malware to make it through even that, but AFAIK those are still just research demos, not in the wild).

  • Boot From System Recovery Disk

    Backup data files to DVD

    Reinstall BIOS

    NUKE MBR

    Zero the hard drive

    Reinstall everything.

    -or-

    Boot From System Recovery Disk

    Backup data files to DVD

    Zero Hard Drive

    Put Computer in Trash

  • 2. Have him save all his data to a cloud service.

    3. As for the data on the hard drive, consider it all suspect. Only read it on a readonly environment such as Knoppix or other live Linux CD. I'm sure there are online virus scanners out there (Panda was one I used a couple times several years ago - are they still going?) that can be used to scan individual files, which can then be moved to flash or online storage.

    4. Microsoft Windows should be considered a niche platform.

    • 2. Have him save all his data to a cloud service.

      Has anyone heard of "cloud services" being used as a vector for computer virus infection?

      I wouldn't let an infected machine access the Internet at all, let alone a password-protected service.

  • http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline [microsoft.com] Download it on another machine, boot with it and clean up the mess. I will recommend installing the free Microsoft Security Essentials, and avoid using administrative login. Also not using any browser plugins will help as well.
  • Lots of good advice so far, but one more item -- since your father has turned sysadmin tasks over to you, once you wipe and re-install, set up his account on the computer so that it is a restricted user account, not an admin account. If he isn't doing sysadmin tasks then he doesn't need the privs and this limits the amount of damage that a scammer can do to the computer. (Although getting his SSN and other info is still really bad.)

    --Paul

  • credit freeze (Score:2, Informative)

    by Anonymous Coward

    I can't believe no one has recommended a credit freeze:
    http://en.wikipedia.org/wiki/Credit_freeze

  • gave them his ssn? (Score:5, Informative)

    by v1 (525388) on Tuesday August 28, 2012 @09:33AM (#41148715) Homepage Journal

    really? And you're worried primarily about the state of his computer?

    He should be spending some time on the phone with his credit card companies making sure any security features they offer are fully activated, such as enhanced (not easily guessed based on what was on his computer) security questions, subscribing to a few years of identity theft watch, schedule regular pulls of his credit report watching for new plastic, checking accounts, and loans in his name, etc. The ssn by itself has some limits on abuse, but combined with the information on the hard drive (mother's maiden name, address, workplace, etc) it greatly magnifies the risk because it's going to allow additional verification of identity that a lot of places require.

    After that, get him a book or something on how to be less of a sucker on the internet and in the world in general, or he'll just do it to himself again.

    This could hound him for years to come. Make sure he understands that. If someone DOES manage to take out say, a loan or a card on his ssn, he needs to deal with it swiftly and decisively. Banks and similar organizations are notorious for not wanting to be the fall guy in cases like this, and will often try very hard to stick your dad with some or all of the bill. Don't be terribly surprised if something requires a lawyer to fix or clear off his record.

  • Back up just his data then blow away windows entirely and upgrade him to Linux.

    Not only is linux more secure than windows anyway, but if his recovered data includes places where virusses can hide (such as any Microsoft Office files or PDF files) then they most likely wouldn't be able to do harm or even run in that environment either.

  • it's the only way to be sure.

    dd if=/dev/zero of=/dev/sda bs=1M
  • MS says reinstall (Score:4, Informative)

    by InvisiBill (706958) <slashdot AT invisibill DOT net> on Tuesday August 28, 2012 @09:48AM (#41148977) Homepage

    According to Microsoft's 10 Immutable Laws of Security [microsoft.com], "it's not your computer anymore" and you need to revert to a known-good state. This generally translates into a complete restore from backups or a reinstall. If you have a spare drive, it's probably easiest to just save an entire image of the bad drive (just to make sure you don't lose anything) and do a complete wipe. You can recover any needed data from the backup image (just be careful not to actually run any apps from that backup). A current AV installed on the fresh rebuild may be able to help remove some of the junk from the backup image as well, just make sure it doesn't accidentally "clean up" anything important. That should fix the PC itself, but there are other things you may want to consider as well (as suggested by others here).

    Your dad may need some training/assistance regarding finances and private info. You'll want to reset any accounts that were accessed via the tainted PC (and any others you think could have been compromised by the infected PC). If he doesn't specifically need Windows, changing to Ubuntu or similar can inherently stop Windows-specific malware (including crap from well-meaning but incompetent remote techs, e.g. unnecessary software from the ISP). I set a previous girlfriend up with a laptop running Ubuntu, and was able to find Linux versions of pretty much any app she needed for what she wanted to do (web browser, office suite, iPod software, etc.). Linux may not do everything he needs, and it won't stop phone-based social engineering, but it can go a long way to help against malware.

  • by hobarrera (2008506) on Tuesday August 28, 2012 @09:49AM (#41148991) Homepage

    Why is giving out his SS number such an awfuly bad thing? From what I've read [wikipedia.org], it's no secret, but rather the contrary. It's just misassumed that the SS number should be secret.

  • So.... what happens when these scammers call someone who actually knows something about computers, or runs a Macintosh, or run Linux? Or are these scammers only targeting retirement communities, because an awful lot of people these days are computer literate. And many kids aren't even running PCs anymore, they are using tablets.

    • by pnot (96038)

      So.... what happens when these scammers call someone who actually knows something about computers, or runs a Macintosh, or run Linux?

      He keeps them talking and sets up an instant honeypot to study their modus operandi. [slashdot.org]

      Seriously though, you don't need a huge success rate for this to be a profitable endeavour. That guy was an unusual case -- I imagine that it usually takes about thirty seconds to figure out that your target is unsuitable, at which point you hang up and move to the next phone book entry.

  • There's (at least) two sides to this:

    Personal:

    Credit agencies: So, this is a tech site, but before getting down-and-dirty with trying to fix his computer I would strongly suggest contacting the credit bureaus and put a hold on things. This will protect him from someone trying to open a new credit account in his name.

    Credit cards and Banks: Depending on your level of paranoia, have him contact his credit card companies and banks and ask them to issue new cards. Of course, that may in turn require updat

  • by kelemvor4 (1980226) on Tuesday August 28, 2012 @10:26AM (#41149607)
    IMO the bigger problem is the social security number. He needs to setup fraud alerts with the credit reporting agencies. http://www.usatoday.com/money/perfi/columnist/block/2005-03-28-ym_x.htm [usatoday.com] They have links to do it for each of them.

    A hacker (or spammer) with access to the PC is probably only a minor inconvenience in the scheme of life, identify theft could be devastating for years to come!

    As far as the computer goes, many have already answered that a format and reinstall of the OS is a good cure, and really isn't very hard to do.

Moneyliness is next to Godliness. -- Andries van Dam

Working...