To begin with, some context. My sister called me for help after a malicious person posing as customer support duped her into installing malware. Over the phone, he instructed her to visit a malicious website using an insecure browser (she mentioned Win+r, hh h, iexplore -extoff). She recognized it was a ruse when the guy demanded $300 to fix the mess.
I connected to her laptop from my workstation with Teamviewer 11. We first ran Malwarebytes Anti-Malware, which found nothing. A couple of tools later, we ran gmer, which found evidence of a rootkit. To my surprise, the gmer log also contained evidence that the malware had neutered MBAM.
I offered her two choices: research the malware and manually remove it, or wipe the laptop and reinstall Windows. She preferred the latter. I guided her through preparing two flash drives containing DBAN and Windows 10. She ran DBAN overnight, and installed Windows yesterday.
She called me back because gmer detected the rootkit on her new Windows installation.
She is sending me the laptop. I am posting on this forum for advice on best methods/practices.
First, I underestimated the sophistication of this malware. Obviously it infected the thumb drive she used to reinstall Windows. Is there any chance it may have infected my PC via Teamviewer?
My intuition is that it's incredibly unlikely, but I'd like reassurance. I imagine the hacker would've needed knowledge of an unpatched vulnerability in the Teamviewer client process to execute remote code on my system. As for files I deliberately transferred myself, it was only some logs in plaintext.
When the laptop arrives, here's what I plan to do:
1) Airgap it. No LAN, no internet.
2) Buy a cheap flash drive for DBAN.
3) Prepare the DBAN disk and Windows 10 disk on a known clean machine.
4) Wipe the laptop with DBAN and discard the flash drive.
5) Install Windows 10.
Is this sufficiently paranoid? The gmer log indicated the rootkit had infected the MBR on her laptop's SSD. Is it possible the rootkit is present in other writable flash memory soldered to the motherboard? The UEFI BIOS is my first thought, but I imagine other non-volatile memory could be targeted.
If anyone is interested, I can share the gmer logs. Thanks in advance for your feedback.
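Since the gmer log pointed at the MBR, one check worth running between step 4 and step 5 of the plan above is to read sector 0 of the SSD after DBAN finishes and confirm it is actually empty before any installer touches the disk (a GPT disk still carries a protective MBR in sector 0, so the check applies either way). The script below is an added example, not code from the original post or from gmer/DBAN: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), reports whether any of those are present, and hashes the boot code so a known-good sector can be compared against a suspect one. The sample sector it builds when run without arguments is constructed for illustration; the device path in the usage comment is an assumption.

```python
"""Parse a 512-byte MBR sector and report whether it still holds boot code,
partition entries or a boot signature.

Added example (not from the original post). Typical use on Linux, as root,
after a wipe and before reinstalling (device path is an assumption):

    dd if=/dev/sda bs=512 count=1 of=sector0.bin
    python3 mbr_check.py sector0.bin
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIG_OFF = 510              # bytes 510..511: 0x55 0xAA boot signature
PART_ENTRY_FMT = "<BBBBBBBBII"  # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_partitions(sector):
    """Return the non-empty partition entries of the MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, off)
        if ptype != 0:   # type 0x00 means the entry is unused
            parts.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return parts


def analyze_mbr(sector):
    """Summarize what a sector-0 image contains; 'wiped' is True only if
    boot code, partition table and signature are all absent."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    boot_code = sector[:BOOT_CODE_LEN]
    has_boot_code = any(boot_code)
    has_signature = sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    parts = parse_partitions(sector)
    return {
        "wiped": not (has_boot_code or has_signature or parts),
        "has_boot_code": has_boot_code,
        "has_signature": has_signature,
        "partitions": parts,
        # Hash of the boot code alone, so two sectors can be compared even
        # when their partition tables legitimately differ.
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
    }


def build_sample_mbr():
    """Constructed sample: a sector with a few bytes of boot code, one bootable
    NTFS partition at LBA 2048 and a valid signature. Not a real disk image."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:4] = b"\x33\xc0\x8e\xd0"    # xor ax,ax / mov ss,ax (typical opening of MBR code)
    struct.pack_into(PART_ENTRY_FMT, sec, PART_TABLE_OFF,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sec[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr()   # demo run on the constructed sample
    report = analyze_mbr(data)
    for key, value in report.items():
        print("%-18s %s" % (key, value))
    return 0 if report["wiped"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit (boot code, signature or partition entries still present) after a full DBAN pass means the wipe did not reach sector 0 of that device. The check says nothing about firmware: a zeroed MBR rules out only MBR-resident boot code, not anything living in the UEFI flash the post asks about.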