Computer Hacked - Options to Restore Windows 10

msny (2[H]4U, joined Sep 5, 2001, 2,197 messages)
I've been out of the hobby for a few years, so excuse my ignorance.

My brother got suckered into an online scam & fell for it. The scammer installed remote software & God knows what.
Once he realized he got hacked, he unplugged everything & is now afraid to turn his system back on.

He has three drives, one being the boot drive where the hacker installed malware or whatever.

I'm no expert, but I was thinking about using a fresh install of Windows 10 from a bootable USB and installing a new copy on another drive.
We could then copy any important files from the hacked drive over, then format it.

Questions:
Is this a good way, or what would you recommend?
Is his license to activate lost & we need to get another?
Any suggestions appreciated, thank you.
 

Kardonxt (2[H]4U, joined Apr 13, 2009, 3,451 messages)
Was the computer actually hacked, or did he fall for the standard "your computer is infected, call this number" browser hijack?

If that's all it was, removing any installed remote access software and running some malware \ AV scans is typically sufficient. These people aren't hackers any more than a level 1 Comcast rep is. They are just using standard remote support utilities and following a script in a call center in India to try to convince you to pay them to "fix" your computer.

A reload is the ultimate sure-fire method, but it's probably overkill. If you wanted to be as cautious as possible I would:
-Boot to a Linux live CD \ USB
-Copy any data wanted from all drives to an external HD
-Scan external for infections \ malware
-Wipe all internal drives
-Re-install Windows (I'm not sure why, but Windows tends to install the boot partition on a drive other than the OS drive when you have multiple drives installed. I wait to connect any additional hard drives until after the install is complete to prevent this.)
-Copy data back from external.

Windows 10 shouldn't need a new license as it is tied to the mobo.
 

msny

Thanks for advice. Yes the scammer did actually install some type of remote software & took over his system.
 

Kardonxt

We see that with old people regularly at my office (thank god someone else handles residential customers lol). Just remove the remote software and run some scans and you should be fine. You can probably even look in downloads to find what remote software they used so you know what you are looking for.

They typically have you download and run a remote access software that uses a one-time access code and can't reconnect on its own after it has been closed.

The end goal is to get you to pay them for "legitimate" service. I have never seen an instance where they maintain access or steal files. (Not saying it isn't possible but I have not seen it and I have seen a ton of these cases.)
 

Jonnycat99 (Limp Gawd, joined Nov 9, 2006, 237 messages)
The end goal is to get you to pay them for "legitimate" service.
Had this happen to an older relative of a friend of mine. The perp was a guy in Nevada. The family hired a lawyer to see if they could sue for damages, but because the relative signed a contract for computer work, there was nothing they could legally do outside of sending him a strongly worded letter to never contact the person again.

Still pissed everyone off to no end though, and hopefully the person who did this will eventually scam someone from the wrong family.
 


msny

Do you think Malwarebytes & HitmanPro would do the job?
It's what I've used in the past, but I've been out of it for a while.
 

Kardonxt

I think a review of the installed programs and those scans would do fine. Paid-for Malwarebytes is pretty good at detecting weird outgoing connections and alerting you; you may get those features with the standard free trial if it hasn't been installed on this PC before.

It also wouldn't hurt to make sure RDP is still disabled and check the Windows Firewall entries.
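Kardonxt's checklist (look in Downloads for the remote tool, review installed programs, make sure RDP is still disabled, check the firewall entries) as one read-only triage script. This is an added example, not code from the thread or from any poster. It runs in an elevated PowerShell on the suspect Windows 10 machine, logged in as the account that took the call, and only reports; it removes nothing. The product-name pattern is an assumption of this example (common remote-support tools, not exhaustive, and not taken from the thread), the 14-day window is a placeholder for when the call happened, and C: is assumed to be the system drive.

```powershell
# Added example (not from the thread): post-"tech support call" triage for Windows 10.
# Run in an ELEVATED PowerShell on the suspect machine, as the user who took the call.
# Read-only: it reports, it does not remove anything.
$since = (Get-Date).AddDays(-14)            # assumed: roughly when the call happened
# Assumed, non-exhaustive list of remote-support / remote-control product names.
$rat = 'TeamViewer|AnyDesk|ScreenConnect|ConnectWise|LogMeIn|Supremo|UltraViewer|' +
       'GoToAssist|Zoho Assist|RustDesk|Splashtop|Ammyy|AeroAdmin|QuickSupport|' +
       'RemotePC|VNC|Remote Utilities|Quick Assist'

function Section($t) { Write-Host "`n=== $t ===" -ForegroundColor Cyan }

Section 'Installed programs: known remote tools, or anything installed since the call'
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninst -ErrorAction SilentlyContinue | Get-ItemProperty |
  Where-Object { $_.DisplayName -and ($_.DisplayName -match $rat -or
                 $_.InstallDate -ge $since.ToString('yyyyMMdd')) } |
  Select-Object DisplayName, Publisher, InstallDate, InstallLocation | Format-Table -AutoSize

Section 'Recently written executables / installers in Downloads and Temp (with signer)'
Get-ChildItem "$env:USERPROFILE\Downloads", $env:TEMP, "$env:PUBLIC\Downloads" -File -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt $since -and
                 $_.Extension -in '.exe','.msi','.zip','.bat','.cmd','.ps1','.vbs','.js','.hta' } |
  ForEach-Object {
      $sig = Get-AuthenticodeSignature $_.FullName      # who signed the "support tool", if anyone
      [pscustomobject]@{ When = $_.LastWriteTime; KB = [int]($_.Length / 1KB)
                         Signer = ($sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1')
                         Status = $sig.Status; Path = $_.FullName }
  } | Sort-Object When | Format-Table -AutoSize

Section 'Services and running processes that look like remote-control tools'
Get-CimInstance Win32_Service |
  Where-Object { ($_.Name + $_.DisplayName + $_.PathName) -match $rat } |
  Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
# Processes running from outside Windows\ or Program Files\ (expect some noise from AppData apps).
Get-Process | Where-Object { $_.Path -and ($_.Path -match $rat -or $_.Path -notmatch '^C:\\(Windows|Program Files)') } |
  Select-Object Id, ProcessName, Path | Format-Table -AutoSize

Section 'Persistence: Run keys, startup folders, tasks registered since the call'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    Get-ItemProperty $k -ErrorAction SilentlyContinue |
      Select-Object -Property * -ExcludeProperty PS* | Format-List
}
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem $startup -ErrorAction SilentlyContinue | Select-Object LastWriteTime, FullName
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt $since } |
  Select-Object TaskName, TaskPath, Date, @{n='Runs'; e={ $_.Actions.Execute -join ' ' }} | Format-Table -AutoSize

Section 'Remote Desktop: want fDenyTSConnections = 1 and the firewall group disabled'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' | Select-Object fDenyTSConnections
# 'Remote Desktop' is the English display name of the built-in rule group.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
  Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

Section 'Inbound allow rules outside any built-in group (these are usually app-created)'
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object { -not $_.Group } |
  ForEach-Object { $f = $_ | Get-NetFirewallApplicationFilter
                   [pscustomobject]@{ Rule = $_.DisplayName; Program = $f.Program; Profile = $_.Profile } } |
  Format-Table -AutoSize

Section 'Established connections to non-private addresses, with owning process'
Get-NetTCPConnection -State Established |
  Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)' } |
  Select-Object LocalPort, RemoteAddress, RemotePort,
                @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
  Sort-Object Process | Format-Table -AutoSize

Section 'Local accounts and administrators (a new account or a new admin is a red flag)'
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource | Format-Table -AutoSize
```

Read the output top to bottom before touching anything: an uninstall entry or service for a remote tool, a task or Run key dated to the call, an inbound rule for a program sitting in Downloads, or an unexpected local administrator each tells you more than a scanner verdict does, and a clean run of all nine sections is what would make the "just remove the tool and scan" path defensible. Anything surprising is a reason to go the wipe-and-reinstall route instead.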
 

DeaconFrost ([H]F Junkie, joined Sep 6, 2007, 11,351 messages)
I probably wouldn't trust the install anymore, regardless. I'd boot it up offline and archive any important data to an external drive. Once done, I'd take that drive to a known, good computer and scan it to be sure. While that was running, I'd wipe the drives on the old computer and install Windows 10 cleanly.
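The salvage-then-wipe procedure Kardonxt listed and DeaconFrost repeats here (archive the data offline, scan it on a known-good machine, wipe, reinstall, copy back), written out for the known-good-Windows-machine variant. This is an added example, not code from the thread or from either poster. It assumes the suspect drive has been attached to a clean Windows 10 box as E: and the external drive is F: (the two parameters); it deliberately copies documents only, leaves behind anything executable and the profiles' AppData, then checks the copied set for renamed binaries and writes a SHA-256 manifest so the set can be verified after scanning and before it goes back onto the fresh install.

```powershell
# Added example (not from the thread): pull user data off a suspect Windows drive that
# is attached to a KNOWN-GOOD machine, without running or copying anything executable,
# then record hashes so the set can be scanned and verified before it is copied back.
# Assumed drive letters: suspect volume E:, external drive F:.
param(
    [string]$SuspectUsers = 'E:\Users',
    [string]$Destination  = 'F:\salvage'
)

# Anything in these classes stays behind: it is exactly what a scammer's "support tool"
# or a dropper would be, and documents do not need it.
$denyExt  = '.exe','.dll','.scr','.com','.msi','.msp','.bat','.cmd','.ps1','.vbs',
            '.vbe','.js','.jse','.wsf','.hta','.lnk','.jar','.cpl','.sys','.iso','.img'
# Profile internals hold persistence, saved sessions and tokens; do not drag them along.
$denyDirs = 'AppData','Application Data','Local Settings','Cookies','NetHood',
            'PrintHood','Recent','SendTo','Start Menu','Templates'
$xf = $denyExt | ForEach-Object { "*$_" }

# Real user profiles only; add 'Public' if anything lives in Public Documents.
$profiles = Get-ChildItem -Path $SuspectUsers -Directory |
            Where-Object { $_.Name -notin 'Default','Default User','Public','All Users' }

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$log = Join-Path $Destination 'salvage-robocopy.log'

foreach ($p in $profiles) {
    # /E        subdirectories incl. empty     /COPY:DAT data+attributes+timestamps, no ACLs/owner from the suspect box
    # /XJ       skip junctions (profile loops) /R:1 /W:1 do not hang on a damaged or locked file
    # /XF, /XD  exclusions; PowerShell expands each array element into a separate argument
    robocopy $p.FullName (Join-Path $Destination $p.Name) /E /COPY:DAT /XJ /R:1 /W:1 /NP "/LOG+:$log" `
        /XF $xf /XD $denyDirs
    # robocopy exit codes >= 8 mean at least one item failed to copy; lower values are informational
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures for $($p.Name); see $log" }
}

# Extension filters miss a renamed binary; check the PE magic ('MZ') on every copied file.
function Test-PEHeader([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try { $b = New-Object byte[] 2; ($fs.Read($b, 0, 2) -eq 2) -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A }
    finally { $fs.Dispose() }
}
$copied  = Get-ChildItem -Path $Destination -File -Recurse | Where-Object { $_.FullName -ne $log }
$slipped = $copied | Where-Object { $_.Extension -in $denyExt -or (Test-PEHeader $_.FullName) }
if ($slipped) {
    Write-Warning 'Executable content made it across; quarantine it before any scan or copy-back:'
    $slipped.FullName
}

# SHA-256 manifest: scan the external on the clean machine, then re-hash before copying back
# to the fresh install so you know the scanner (or anything else) changed nothing in between.
$copied | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
  Export-Csv -Path (Join-Path $Destination 'salvage-manifest.csv') -NoTypeInformation
```

Do not open anything on the suspect volume while it is attached; the script only reads it. Once the external has been scanned and the hashes re-checked, the wipe step of the procedure on Windows is `Get-Disk` to confirm the disk number, then `Clear-Disk -Number <n> -RemoveData -RemoveOEM` for each internal drive, after which the Windows 10 installer creates its own partitions; Kardonxt's tip about leaving the extra drives disconnected until the install has finished still applies.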
 

msny

Yes, I'd rather be safe than sorry!
 

socK (Supreme [H]ardness, joined Jan 25, 2004, 4,131 messages)
It's compromised, this Windows install cannot be trusted again. I doubt it was exceedingly sophisticated since it sounds like a social engineering attack, but there is no telling what they did.

Clean slate is the only option.
 

msny

Yes, I agree, will be doing a clean install on another one of his drives.
 

B00nie ([H]F Junkie, joined Nov 1, 2012, 9,004 messages)
It's compromised, this Windows install cannot be trusted again. I doubt it was exceedingly sophisticated since it sounds like a social engineering attack, but there is no telling what they did.

Clean slate is the only option.
I treat every windows install like it's infected. Most are.
 

socK

Do dumb things, get shit results

Everyone's admin on their personal machines. You're one click away from Yes'ing the UAC prompt and getting compromised.

Nothing can save you when you fork over root.
 

B00nie

UAC can be bypassed, and Windows computers have had dozens of 'fly-by' infections, i.e. the user needs to do nothing to activate the payload. Just a visit to a website with an infected ad or previewing an e-mail in Outlook is enough. Or, in the case of worms, plugging in the Ethernet. UAC was never even meant to be a safety feature; it was designed to annoy developers into adjusting their code to work in user land.
 

socK

I have not seen a completely non-interactive and successful drive-by in many years. The worst I've seen is something downloaded. A relatively recent adware/malware campaign tried to do this; it would masquerade as a media player or audio driver or something. You still had to be the one to click run on it, though. At which point your browser was fucked and you were probably on your way to getting whatever you typed in it harvested.

I worded the UAC bit poorly. UAC isn't the _actual_ security boundary, i.e. the underlying account permissions. A UAC bypass isn't necessarily the end of the world, until it actually manages to become a true escalation of privilege and you manage to elevate accounts. Then you're in trouble (and Microsoft generally takes these much more seriously, obviously). The next goal is almost certainly some kind of lateral movement, and it's probably going to happen off some form of credential harvesting. Moving up to local administrator turns that machine into ez-mode. And hopefully you don't work somewhere where IT loves to have themselves as domain admin and effectively doom themselves when they try to remote to your machine to help close the fake screeching BSOD browser window.

Microsoft's Security Baseline policies also sand down a ton of those edges; like you mentioned, previews and macros get restricted, among literally a couple thousand other things. Microsoft provides a pretty robust selection of anti-footgun for the enterprise... consumer is a bit more wild west. In some cases they can try to warn you, but not really prevent you from jumping off the cliff, because it's your fuckin machine god dammit and you can do whatever you want.
 

B00nie

At least UAC hasn't been broken like sudo was for years
True, UAC never worked in the first place. UAC is being actively bypassed as we speak, sudo was patched before it became even public knowledge.
 

B00nie

I have not seen a completely non-interactive and successful drive-by in many years.
I wouldn't want to see one either but it happens to people. I take the precaution to never surf the internet using Windows.
 