Computer Hacked - Options to Restore Windows 10

msny (2[H]4U, joined Sep 5, 2001, 2,197 messages)
I've been out of the hobby for a few years, so excuse my ignorance.

My brother got suckered into an online scam & fell for it. The scammer installed remote software & God knows what.
Once he realized he got hacked, he unplugged everything & is now afraid to turn his system back on.

He has three drives, one being the boot drive where the hacker installed malware or whatever.

I'm no expert, but I was thinking about using a fresh install of Windows 10 from a bootable USB and installing a new copy on another drive.
We could then copy any important files from the hacked drive over, then format it.

Questions:
Is this a good way, or what would you recommend?
Is his license to activate lost & we need to get another?
Any suggestions appreciated, thank you.
 
Was the computer actually hacked or did he fall for the standard "your computer is infected, call this number" browser hijack?

If that's all it was, removing any installed remote access software and running some malware \ AV scans is typically sufficient. These people aren't hackers any more than a level 1 Comcast rep is. They are just using standard remote support utilities and following a script in a call center in India to try to convince you to pay them to "fix" your computer.

A reload is the ultimate sure-fire method but it's probably overkill. If you wanted to be as cautious as possible I would:
-Boot to a Linux live CD \ USB
-Copy any data wanted from all drives to an external HD
-Scan external for infections \ malware
-Wipe all internal drives
-Re-install Windows (I'm not sure why but Windows tends to install the boot partition on a drive other than the OS drive when you have multiple drives installed. I wait to connect any additional hard drives until after the install is complete to prevent this.)
-Copy data back from external.

Windows 10 shouldn't need a new license as it is tied to the mobo.
 
Thanks for advice. Yes the scammer did actually install some type of remote software & took over his system.
 

We see that with old people regularly at my office (thank god someone else handles residential customers lol). Just remove the remote software and run some scans and you should be fine. You can probably even look in downloads to find what remote software they used so you know what you are looking for.

They typically have you download and run a remote access software that uses a one-time access code and can't reconnect on its own after it has been closed.

The end goal is to get you to pay them for "legitimate" service. I have never seen an instance where they maintain access or steal files. (Not saying it isn't possible but I have not seen it and I have seen a ton of these cases.)
 
Had this happen to an older relative of a friend of mine. The perp was a guy in Nevada. The family hired a lawyer to see if they could sue for damages, but because the relative signed a contract for computer work, there was nothing they could legally do outside of sending him a strongly worded letter to never contact the person again.

Still pissed everyone off to no end though, and hopefully the person who did this will eventually scam someone from the wrong family.
 
 
Do you think Malwarebytes & HitmanPro would do the job?
It's what I've used in the past, but I've been out of it for a while.
 
I think a review of the installed programs and those scans would do fine. Paid-for Malwarebytes is pretty good at detecting weird outgoing connections and alerting you; you may get those features with the standard free trial if it hasn't been installed on this PC before.

It also wouldn't hurt to make sure RDP is still disabled and check the Windows Firewall entries.
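The checks suggested in this reply (installed programs, what was downloaded, RDP state, firewall rules), written up as a read-only triage script. This is an added example, not code from anyone in the thread; the $ReportDir output folder is an assumed location and nothing here changes the machine.

```powershell
# Added example: read-only triage of a Windows 10 PC after a "remote support" scam.
# Writes CSV/text reports for a human to review; makes no changes. Run elevated.
$ReportDir = Join-Path $env:USERPROFILE 'Desktop\triage'   # assumed output location
New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null

# 1. Installed programs from the 64-bit, 32-bit and per-user uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'installed.csv')

# 2. Recent files in Downloads: the installer the victim was told to run is often still here.
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'downloads.csv')

# 3. RDP: fDenyTSConnections = 1 means Remote Desktop is disabled, the expected state on a home PC.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"RDP disabled: $($rdp.fDenyTSConnections -eq 1)" | Tee-Object -FilePath (Join-Path $ReportDir 'rdp.txt')

# 4. Enabled inbound allow rules with their port and program; unfamiliar entries deserve a look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Name = $_.DisplayName; Profile = $_.Profile; Port = $pf.LocalPort; Program = $af.Program }
    } |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'firewall_inbound.csv')

# 5. Services whose binary lives outside \Windows\; remote-support tools register themselves here.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'services.csv')

"Reports written to $ReportDir"
```

Review installed.csv and services.csv for the remote-support product that was installed, then remove it through its uninstaller before running the AV scans the thread recommends.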
 
I probably wouldn't trust the install anymore, regardless. I'd boot it up offline and archive any important data to an external drive. Once done, I'd take that drive to a known, good computer and scan it to be sure. While that was running, I'd wipe the drives on the old computer and install Windows 10 cleanly.
 
Yes, I'd rather be safe than sorry!
 
It's compromised, this Windows install cannot be trusted again. I doubt it was exceedingly sophisticated since it sounds like a social engineering attack, but there is no telling what they did.

Clean slate is the only option.
 
Yes, I agree, will be doing a clean install on another one of his drives.
 
I treat every windows install like it's infected. Most are.
 
Do dumb things, get shit results

Everyone's admin on their personal machines. You're one click away from Yes'ing the UAC prompt and getting compromised.

Nothing can save you when you fork over root.
 
UAC can be bypassed and Windows computers have had dozens of 'fly-by' infections, i.e. the user needs to do nothing to activate the payload. Just a visit to a website with an infected ad or previewing an e-mail in Outlook is enough. Or in the case of worms, plugging in the Ethernet. UAC was never even meant to be a safety feature; it was designed to annoy developers into adjusting their code to work in user land.
 
I have not seen a completely non-interactive and successful drive-by in many years. The worst I've seen is something downloaded. A relatively recent adware/malware campaign tried to do this, it would masquerade as a media player or audio driver or something. You still had to be the one to click run on it though. At which point your browser was fucked and you were probably on your way to getting whatever you typed in it harvested.

I worded the UAC bit poorly. UAC isn't the _actual_ security boundary - i.e. the underlying account permissions. A UAC bypass isn't necessarily the end of the world, until it actually manages to become a true escalation of privilege and you manage to elevate accounts. Then you're in trouble (and Microsoft generally takes these much more seriously, obviously). The next goal is almost certainly some kind of lateral movement, and it's probably going to happen off some form of credential harvesting. Moving up to local administrator turns that machine into ez-mode. And hopefully you don't work somewhere where IT loves to have themselves as domain admin and effectively doom themselves when they try to remote to your machine to help close the fake screeching BSOD browser window.

Microsoft's Security Baseline policies also sand down a ton of those edges - like you mentioned, previews and macros get restricted, among literally a couple thousand other things. Microsoft provides a pretty robust selection of anti-footgun for the enterprise... consumer is a bit more wild west. In some cases they can try to warn you, but not really prevent you from jumping off the cliff because it's your fuckin machine god dammit and you can do whatever you want.
 
At least UAC hasn't been broken like sudo was for years
True, UAC never worked in the first place. UAC is being actively bypassed as we speak, sudo was patched before it became even public knowledge.
 
I wouldn't want to see one either but it happens to people. I take the precaution to never surf the internet using Windows.
 