
Scam call, remote access gained, what to do now?


11 replies to this topic

#1 sammyd

Posted 28 June 2016 - 12:29 PM

Hi, I'm looking for some advice regarding my girlfriends laptop.

 

Yesterday her brother took a call from somebody claiming to be from TalkTalk, and unfortunately they were able to take control of the laptop after claiming to have noticed problems and needing remote access to solve the issues. He was instructed to download TeamViewer. My girlfriend returned home during this call and took over after becoming suspicious with the nature of the call and after some questioning the caller quickly hung up. An attempt to withdraw a substantial amount from a bank account was denied shortly after or during the call. 

 

I've since uninstalled TeamViewer.

 

My question really is, would there potentially be anything malicious left behind after this attack? And what is the best course of action to take now?

 

Many thanks 

 

Sam.





#2 RolandJS

Posted 28 June 2016 - 12:35 PM

Yes!  You will need to scour the hard-drive with several anti-virus and anti-malware programs, both online and downloadable/installable.  Do you have current external image backups of the OS and the Data partitions?  If yes, you can choose to simply restore right over the entire laptop.  The regular BC malware team should be along shortly.  Let them know what external usb and/or dvd boot material you have on hand.


Edited by RolandJS, 28 June 2016 - 12:35 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 sammyd (Topic Starter)

Posted 29 June 2016 - 10:09 AM

Thanks for your reply RolandJS

 

Unfortunately no, we don't have any external backups. It's a fairly new laptop and the only data wanted off it are the pictures. Would it be OK to copy those to an external drive and then totally wipe the laptop? Or is there potential for even image folders to contain malicious programs?

 

Regarding boot material, would the laptop have come with boot discs? I'll be able to get hold of anything the laptop shipped with later on today; I don't have it to hand at the moment.

 

I shall have a read on the forums regarding which anti-virus/malware programs to run, but do you have any you would particularly recommend?

 

Many thanks.

 

Sam



#4 RolandJS

Posted 29 June 2016 - 10:13 AM

Regarding which anti-virus/anti-malware programs [online and on hard-drive] -- let the BC malware team recommend which ones to run.  They have a well-designed, very thorough procedure, guiding you every step of the way.  My recommendations would simply get in the way.




#5 sammyd (Topic Starter)

Posted 30 June 2016 - 11:46 AM

I've scanned with the AVG suite, it found and removed one threat.

 

Does anybody have any further advice and recommendations?

 

Many thanks,

 

Sam



#6 sammyd (Topic Starter)

Posted 05 July 2016 - 10:58 AM

Can anybody advise if there is a forum section more suited to this post?

 

I've held fire on running programs such as Malwarebytes, Spybot etc. and the laptop hasn't been used since my last post. Hoping for some further advice on what the best course of action to take is.

 

Many thanks, 

 

Sam.



#7 bloopie (Malware Response Team)

Posted 09 July 2016 - 07:04 PM

Hello Sam, and welcome to BC! :)

My name is bloopie and I will be helping you as best I can!

 

We apologize for the delay in response to this thread! The forum can get busy at times, but you have correctly posted in the 3-Day Wait topic...so here we are! :wink:

Just to let you know, I have moved this topic to the Malware Removal Logs forum where it will stay, and I am currently preparing a response for you. I will respond again in a little while...so if you are just seeing this now, please stay tuned! :)

 

bloopie



#8 bloopie (Malware Response Team)

Posted 09 July 2016 - 08:12 PM

Hello again Sam,
 
First, to answer your earlier question more thoroughly:
 

My question really is, would there potentially be anything malicious left behind after this attack?

Since you've had TeamViewer installed on this machine, that would allow another person to take nearly full control of the computer for the time that the connection is live. While TeamViewer is, by itself, a completely legitimate program, the potential for malicious activity during that live connection is very real.
 
You can usually see what the other person is doing while they are controlling the machine, but it's not always so easy to see or recognize whether it is malicious activity, or simply normal. ...And for that reason we cannot be completely sure exactly what the other person did to the machine while they had access to it. Removing TeamViewer was the correct first step, so well done there!!
 
But proper precautions must now be followed!
 
Since there is no sure way for us to know what was done to your machine, we must hope for the best...but unfortunately, expect the worst! :(

Warning :
You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.
 
====================

The next step will be up to you, and how you would like to continue. My advice would be to reformat the hard drive and re-install the operating system. That is the only sure way to know that your computer will be free of any malicious software, and/or backdoors that could have been opened by the attacker.
 
Here is some documentation and a canned speech I usually use when a machine has become compromised:

It is possible that your machine has been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In some cases malware may leave so many remnants behind that security tools cannot adequately find all of them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.



The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


====================

I would like to note that this doesn't AT ALL mean that your computer was in fact damaged beyond repair...but to be totally honest, there is no sure way to tell exactly what has happened without an extremely extensive time period for forensics in complete detail. The plain fact is, we simply do not know how or if the machine was compromised and to what extent.
 
If you would like to save any pictures from that computer before reformatting, you may do so...but please limit it to only pictures and text documents you would like to save to an external media (do not save programs anytime, there is really no need)! ...And be sure the computer is disconnected from the internet during this time (as explained above).

====================
 
If reformatting is simply not an option for you, then please let me know and we will begin the cleaning process manually.

Please let me know if you have any questions about the above, about anything that has already been done, or about anything you're unsure of and I will assist you as best I can! :thumbup2:

bloopie



#9 sammyd (Topic Starter)

Posted 10 July 2016 - 10:51 AM

Hi bloopie, thanks for the reply. No worries at all for the delay. I've used BC before for problems and am amazed by the help you guys give out!   

 

Have read through all the advice and info, thank you. I think reformatting is definitely the best option; it's a fairly new laptop and hardly used, so there isn't an awful lot of programs or apps to worry about losing. I will just back up the photo files.

 

I'm a bit unsure about how to go about reformatting. The laptop runs Windows 10, it didn't come with any recovery discs or such like, I've read about the 'reset PC' option in the security settings of windows 10. Is this the equivalent to a full format and what I should be looking to do?

 

Many thanks,

 

Sam.



#10 bloopie (Malware Response Team)

Posted 10 July 2016 - 02:30 PM

Hello again Sam,
 

thanks for the reply. No worries at all for the delay. I've used BC before for problems and am amazed by the help you guys give out!

The help is my pleasure! :)  ...And since you've been amazed before, I'm going to have to work hard to live up to your previous experiences at BC!!! (Hopefully I won't let you down!! :wink: ) :lol:
 
==========
 

I'm a bit unsure about how to go about reformatting. The laptop runs Windows 10, it didn't come with any recovery discs or such like, I've read about the 'reset PC' option in the security settings of windows 10. Is this the equivalent to a full format and what I should be looking to do?

Good question! ...And to fully answer your question it will take a bit of knowledge, on exactly how the hard drive in your computer works.

 

...And I'm not 100% sure of your current level of understanding about hard drives or computers, so let me try to briefly explain how this happens...(and please go easy on me...I've never actually explained this to anyone before in a "beginner-through-advanced" way! :lol: )!
 
When you delete a file on your computer, your computer doesn't actually delete and remove the file; it simply removes a "pointer" to that file. When the "pointer" to that file is removed, the part of the hard drive that "reads" and "writes" data will see that particular space as "writable". And over time, the place where your "deleted file" (which actually still exists on the hard drive) sits can, and will, be overwritten at some point.
Before the data gets overwritten it can, in many cases, be fully recovered. ...However once the data has been overwritten, that task becomes extremely difficult, and in some cases it becomes impossible...
This is exactly why some of those "File Recovery" tools out there, depending on your situation, actually work! It is possible to go in and replace (or reset) that pointer, so that your 'deleted files' can sometimes be recovered (as long as you don't wait too long on a machine that gets used very often).
 
Now, with that being said, let's get back to answering your question:
 
The "Reset PC" option is just as thorough as a reformat, as long as you use the "Remove Everything" function. ...But there is a bit more to it, than that. Once the 'Remove Everything' option is chosen, you are given another choice:

Just remove my files

--or--

Remove files and clean the drive

And sometimes there is a "Restore Factory Settings" option as well (that I won't cover unless you have that option and would like to use it).
 
Selecting "Just Remove My Files" will essentially reformat the disk, but only in a partial manner.
 
The files themselves will not get removed. Only the "pointers" to those files (as explained above) will get removed over a finite block of data on the disk. And whatever files or information are actually left on the disc in that block are susceptible to being overwritten. This effectively renders any malicious files that were on the disc harmless. And I'm not 100% sure, but I believe both will reset your firewall settings (and that's very important in your case if indeed a backdoor was opened during the TeamViewer session).
So, in your case the option to "Just Remove My Files" should do the trick. ...And to be honest, if it were my system in your case, I would test that option straight away!! That way, you'll always have the second option to fall back on in case your firewall settings didn't get reset on the first one! :wink:

But in any case, I would STILL save your personal pictures that you want to keep onto a thumbdrive or similar media...You could always use MBAM (Malwarebytes Antimalware) to scan a plugged-in thumbdrive (with your personal info on it) from any other computer that has MBAM installed. :)

 

====================

 

I hope this helps in answering your question! :thumbup2:

 

...And while writing this, I did a couple of searches to find you some web pages with instructions and screenshots. I hope these will also help you if you're still unsure about how to continue. :)

 

 

 

But be aware!!! I did not fully read over, or filter these links!!!  ---  I simply found some links for you to read so that you'll have a much better idea of what to expect, and you'll know what was coming!  So don't take the links above as any golden rule.

 

So if you're still unsure or are worried about something in the links, don't hesitate to bring it to my attention! :thumbup2:

 

==========

 

Please let me know if you're feeling more confident now, or if there is anything else you'd like to discuss!

 

bloopie



#11 sammyd (Topic Starter)

Posted 10 July 2016 - 03:58 PM

That is brilliant, I will do as suggested asap.

 

I came here knowing I could get some solid information about how best to tackle things :thumbup2: many thanks for your assistance.

 

Regards,

 

Sam.



#12 bloopie (Malware Response Team)

Posted 10 July 2016 - 08:13 PM

It was my pleasure Sam, glad I could help! :)

 

I will leave the topic open for a few days in case there is anything else you'd like to bring up.  :thumbup2:

 

Best regards,

 

bloopie


