A co-worker of mine's wife received a phone call claiming to be from Microsoft Support and saying she had problems with her computer. She allowed them remote access to the computer but got suspicious and hung up without giving any CC info.
The computer started being overrun with pop-ups and other annoying behavior. He brought the computer in to me and I ran Malwarebytes, ComboFix and MSSE. I also did a system restore to the furthest back date that was there.
After multiple scans the computer came up clean with no malware detected. He took the computer home and after 10 minutes he got a fake virus warning among other things. He brought the computer back and I scanned and cleaned again. This time he went through everything he normally does on the computer while it was sitting on my desk. Again, everything was fine and no problems.
He took the computer home and again got a fake virus warning and other issues.
Essentially, the computer works fine connected to the network at work and will for hours. But when connected to his home network it will run for about 10 minutes and then the malware is back.
I told him that he needed to call his ISP and have them check that his internet connection was secure and that no changes had been made. His ISP told him there was nothing they could do to help him and that he needed to wipe out and reload his computer. I also told him to have them change his IP address if possible but I don't know if he remembered to do that.
My question is, could these scammers have somehow gotten into his router and opened a port or two so that they could gain access to his system even if all malware was removed? Could they have done something to the cable modem? Both?
I'm thinking the cable modem is a long shot and am leaning towards the router being tampered with. Has anyone heard of these people doing anything like that?
I have cleaned a lot of computers but this is the first one that was a victim of this type of scam.