
Uncle fell for Microsoft tech support scam. Trying to determine changes made by scammer.

nick name

Hi all and thank you in advance.


My father let my uncle borrow a laptop and my uncle allowed a tech support scammer remote access.


I've been trying to determine what changes the scammer made, how they accessed the machine, etc.  However, I am struggling to find anything beyond the local user account password being changed and a now deleted local user account.  Can anyone provide any guidance please?


Last resort is a full Windows 11 re-install as I am unfamiliar with what files, programs, etc. should be on the machine.


- Windows 11 Home

- User account is an administrator account (I know -- not a best practice).  No other accounts remain though one did exist at some point.  I only found this by checking the properties of the Chrome desktop icon.

- Local user account password was changed.  Uncle may have changed the account password, but highly unlikely.  I have since removed the unknown password and set another.

- Remote Desktop was turned on.  Now turned off.

- Laptop was purchased around late 2022 or early 2023.  Event occurred February 18 or 19 2024 (I've been putting this off for a while).  I checked Event Viewer to find this.  Can't be certain on the day because the time on the machine is currently incorrect.

- Last programs installed were on Feb. 18 or 19 2024 and they are: Microsoft Update Health Tools, WebAdvisor by McAfee, Google Chrome, Microsoft OneDrive.  I believe these were updates.  Prior to that -- the last installations were installed on August 08 2023.

- BitLocker was turned on.  Which I think is now the default behavior.  This prevented me from running a scan with a Kaspersky rescue disk.  Rescue disk version is the 24 beta as the 18 version would load the GUI.

- Microsoft Defender off-line scan has been run twice without any threats reported.

- Only odd behavior I have noticed is that there is a significant delay when clicking on the Desktop for the first time after boot (with a mouse/touchpad; laptop has a touchscreen).


edit:

The laptop has not had internet access while I have been troubleshooting except while running the Kaspersky rescue disk to update definitions prior to a scan.  That update failed so I used the Chrome install on the Kaspersky rescue disk to check that an internet connection was active.  No internet access while logged into Windows.
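The checks the original post made by hand (accounts and password changes, the deleted account, Remote Desktop, install dates, the wrong clock) can be pulled from the machine in one read-only pass. The script below is an added example written for this thread, not code nick name or anyone else posted. It assumes an elevated PowerShell on the affected Windows 11 machine while it stays offline; the date window is taken from the post (18/19 Feb 2024) and deliberately widened, because the post says the clock is wrong and every timestamp the script shows comes from that clock. It collects evidence only and changes nothing.

```powershell
<#
  Added read-only triage script (example code, not from this thread).
  Run from an elevated PowerShell on the affected laptop while it is offline.
  Assumption: the window below comes from the post (18/19 Feb 2024) and is
  widened by a few days because the machine's clock is known to be wrong.
  Every TimeCreated shown is in that (possibly wrong) local clock, so trust
  the relative order of events more than the dates themselves.
#>
$Start = Get-Date '2024-02-15'
$End   = Get-Date '2024-02-23'

function Get-EventsInWindow {
    param([int[]]$Ids)
    # If nothing comes back for an ID, auditing for that category may simply
    # not have been enabled on this Home edition; absence is not proof.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $Ids; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue
}

Write-Host '== Local accounts (unrecognised names, or PasswordLastSet inside the window)'
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

Write-Host '== Leftovers of deleted accounts: ProfileList entries and C:\Users folders'
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }
Get-ChildItem 'C:\Users' -Directory | Select-Object Name, CreationTime, LastWriteTime

Write-Host '== Account management events in the window'
# 4720 account created, 4726 account deleted, 4724 password reset by another
# account, 4723 password changed by its owner, 4732 added to a local group
Get-EventsInWindow -Ids 4720, 4726, 4724, 4723, 4732 |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

Write-Host '== Remote Desktop state and remote logons'
# fDenyTSConnections: 0 = RDP connections allowed, 1 = denied
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections |
    Select-Object fDenyTSConnections
# In event 4624, Properties[8] is LogonType: 10 = RDP, 3 = network; [5] is the
# account name and [18] the source IP address.
Get-EventsInWindow -Ids 4624 |
    Where-Object { $_.Properties[8].Value -in 10, 3 } |
    Select-Object TimeCreated,
        @{n='LogonType'; e={ $_.Properties[8].Value }},
        @{n='User';      e={ $_.Properties[5].Value }},
        @{n='SourceIP';  e={ $_.Properties[18].Value }} |
    Format-Table -AutoSize

Write-Host '== Installed programs, newest first (InstallDate is yyyyMMdd, may be blank)'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, InstallDate, Publisher -First 30 | Format-Table -AutoSize

Write-Host '== Autostart entries and scheduled tasks created in the window'
# Remote-access tools and their helpers usually survive a reboot through one of these.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Get-ItemProperty $key -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -ge $Start -and ([datetime]$_.Date) -le $End
} | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

Write-Host '== System clock changes (Kernel-General event 1) explain mismatched timestamps'
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} -First 10
```

Two things to keep in mind when reading the output. A remote-support session that ran through a third-party remote-access tool rather than Windows' own Remote Desktop will not appear as a type 10 logon at all; that is exactly why the Run keys, scheduled tasks and the install list are worth more than the RDP check. And because this only reads what is still on disk, a clean result does not rule anything out, which is the reason the replies below still recommend a full wipe.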


7 minutes ago, nick name said:

[quotes the original post above in full]


To be safe format the drive and install Windows. 


2 minutes ago, nick name said:

Last resort is a full Windows 11 re-install as I am unfamiliar with what files, programs, etc. should be on the machine.


Do this. This is the best way. Or restore backups from before this happened.

Not worth the risk as it's pretty easy to hide remote access tools or other malware.

Or don't touch the laptop and let the dad/uncle deal with it themselves and take it to a shop if they want. This way you're not taking any risk here.


24 minutes ago, nick name said:

[quotes the original post above in full, including the edit]


I agree with everyone else, there could be hidden RATs or malware and you should DEFINITELY reinstall. Just ask your uncle or dad what programs they want to be installed, wipe the C drive completely, install Windows, and reinstall those apps. You don't want to risk it. 


1 hour ago, nick name said:

Last resort is a full Windows 11 re-install as I am unfamiliar with what files, programs, etc. should be on the machine.

DO THIS NOW

But first live boot a Linux drive, format that drive and then fresh Windows install.

Those scammers tend to have very little actual PC knowledge and just follow a basic-ish script. However the tools they use are quite nasty pre-packaged dumpster fires that necessitate a full-on wipe and sanitize of all storage that has touched this system.
