My buddy Mike was taken in by the tech support webpage scam this afternoon, and allowed some guy with a thick Indian/Pakistani accent calling himself "Michael White" to have remote access to his Windows 10 PC.
Mike is bringing his PC over to me to look at tomorrow evening, and when I do I want to ensure that I catch and remove anything that the scammer might have installed on his computer. He and his wife run their office cleaning business off of that computer, so the data on it is extremely important to their family livelihood.
THE BACKSTORY: Mike started having problems getting his wireless HP printer to print from his PC yesterday, and tried for a while in his own limited way to diagnose it. Having no luck, he did a Google search for "HP Printer Support" and one of the top results was pcgurunow (dot) com/Printer-Drivers.html (WARNING, this is a scammer site!!). He dialed the 1-866 telephone number and was connected to a helpful-seeming guy who told Mike his name was Michael White (even though he sounded very Indian or Pakistani). "Mr. White" told Mike he would help and had him grant remote access via fastsupport.com.
Once connected, the scammer "ran some tests" (like those detailed here) and convinced Mike that his computer was full of viruses/malware, and that unauthorized users were connected to his pc from all around the world (see example image below):
He convinced Mike that his PC had no virus protection or firewall (I installed Avast and configured Windows Firewall when the computer was set up new several months ago) and started trying to sell Mike on a complete protection suite for $500. After a little back and forth, Mike got suspicious, ended the call, and then called me.
After I got the story and the telephone number he had called and did a search on it, I immediately saw a page of people complaining about exactly this scam. I called Mike back and told him that he'd been scammed and to unplug his computer from the wall immediately, which he did within 10 seconds.
THE HELP I NEED: Mike is bringing his PC over tomorrow evening and I want to boot it up with a thumb drive/CD and use the best tools I can find to scan the living crap out of it, looking for keyloggers, dialers, rootkits, etc. Then I'm going to either do a System Restore from a week ago (there were no problems with the PC then) or, failing that, use AOMEI Backupper to restore the backup from the beginning of the month.
So what I want to know is what tools should I use, and in what order should I use them?
Thanks very much for your assistance!
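Added example (editor's note, not code from the original poster): the offline boot-disk scanners described above look for malware signatures, but what a tech-support scammer typically leaves behind is legitimate remote-control software, a new autostart entry, a scheduled task, or a new admin account, none of which a scanner flags. The PowerShell script below, run from an elevated prompt on the PC itself after the offline scans and before the restore, pulls those artifacts into one report so you can see what the remote session changed and confirm afterwards that the image restore removed it. Assumptions: the call happened within `$DaysBack` days, Windows is on the default paths, and the list of remote-support product names is a general one (GoToAssist, which fastsupport.com serves, plus other tools these scams commonly install), not anything known about this particular caller.

```powershell
# Post-remote-access triage for a Windows 10 PC. Added example, not from the original post.
# Run from an elevated PowerShell prompt AFTER the offline scans and BEFORE restoring.
# Assumptions: the scam call was within the last $DaysBack days; default Windows paths.

$DaysBack = 3
$Since    = (Get-Date).AddDays(-$DaysBack)
$Report   = Join-Path $env:USERPROFILE "Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmm).txt"

function Section($title) { "`n===== $title =====" }

# 1. Programs installed since the call (Uninstall keys, 64-bit, 32-bit and per-user views).
#    InstallDate is optional for installers, so an empty list does not prove nothing was added.
function Get-RecentInstalls {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' -and
                       [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $Since } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation
}

# 2. Remote-control tools still running or installed as services (assumed, general list;
#    g2a* = GoToAssist, the tool behind fastsupport.com).
function Get-RemoteTools {
    $pattern = 'g2a|gotoassist|logmein|teamviewer|anydesk|supremo|screenconnect|connectwise|' +
               'ammyy|ultraviewer|rustdesk|zoho|splashtop'
    $procs = Get-Process | Where-Object { $_.Name -match $pattern } |
             Select-Object @{n='Type';e={'Process'}}, Name, Path
    $svcs  = Get-CimInstance Win32_Service |
             Where-Object { ($_.Name + $_.DisplayName + $_.PathName) -match $pattern } |
             Select-Object @{n='Type';e={'Service'}}, Name, @{n='Path';e={$_.PathName}}
    @($procs) + @($svcs)
}

# 3. Autostart locations: Run/RunOnce keys, Startup folders, and scheduled-task files
#    written since the call (task definitions live as XML under System32\Tasks).
function Get-Autostarts {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty $k
            (Get-Item $k).Property | ForEach-Object {
                [pscustomobject]@{ Where = $k; Name = $_; Detail = $props.$_ }
            }
        }
    }
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    Get-ChildItem $startup -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Where = 'StartupFolder'; Name = $_.Name; Detail = $_.FullName } }
    $taskRoot = "$env:SystemRoot\System32\Tasks"
    Get-ChildItem $taskRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object { [pscustomobject]@{ Where = 'ScheduledTask'
                                            Name  = $_.FullName.Substring($taskRoot.Length)
                                            Detail = $_.LastWriteTime } }
}

# 4. Executables and scripts dropped since the call in places a remote operator can write to.
function Get-RecentDrops {
    $dirs = $env:USERPROFILE, $env:ProgramData, $env:TEMP, "$env:SystemRoot\Temp",
            $env:ProgramFiles, ${env:ProgramFiles(x86)}
    Get-ChildItem $dirs -Recurse -File -Force -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.msi, *.bat, *.cmd, *.ps1, *.vbs, *.js, *.scr |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# 5. Local admins (a scammer may add one), RDP switch, firewall profiles, and active hosts entries.
function Get-AccountsRdpHosts {
    Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    [pscustomobject]@{ RemoteDesktopEnabled = ($rdp.fDenyTSConnections -eq 0) }
    Get-NetFirewallProfile | Select-Object Name, Enabled
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Item $hosts | Select-Object FullName, LastWriteTime
    Get-Content $hosts | Where-Object { $_ -match '^\s*\d' }   # uncommented entries only
}

# 6. Event log: new services (System 7045) and account/group changes (Security 4720, 4732).
function Get-ChangeEvents {
    $filters = @{LogName='System'; Id=7045; StartTime=$Since},
               @{LogName='Security'; Id=4720,4732; StartTime=$Since}
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{n='Detail';e={ $_.Message -replace "`r?`n", ' ' }}
    }
}

$sections = [ordered]@{
    "Programs installed since $Since"        = { Get-RecentInstalls }
    'Remote-control tools present'           = { Get-RemoteTools }
    'Autostart entries and recent tasks'     = { Get-Autostarts }
    'Executables dropped since the call'     = { Get-RecentDrops }
    'Admins, RDP, firewall, hosts file'      = { Get-AccountsRdpHosts }
    'New services / accounts in event log'   = { Get-ChangeEvents }
}
$out = foreach ($s in $sections.GetEnumerator()) {
    Section $s.Key
    & $s.Value | Format-Table -AutoSize -Wrap | Out-String -Width 200
}
$out | Tee-Object -FilePath $Report
"Report written to $Report"
```

The script only reports; it removes nothing, because on a machine that runs a business the restore from the image taken before the call is the reliable cleanup, and the report's job is to show what to look for afterwards (rerun it post-restore and the remote tools, tasks and accounts should be gone). Security event 4720/4732 entries appear only if account-management auditing is on, and 7045 covers services created during the session but not a service that was merely reconfigured, so treat an empty section as "nothing recorded", not "nothing happened".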