What to do with possibly compromised PC

UncleZen

Got a call earlier from my elderly mum, who said that she had a message pop up on her computer to call microsoft, which she did. The MS lady "fixed" loads of stuff and "installed something" (which sounded like malwarebytes from her description). She didnt pay out any money.
She was genuinely convinced she was talking to MS.
I told her about social engineering and that her PC may now be compromised and that she should switch it off and not use it, which she has done.
I now need to check it. But what should I check for? Should I rebuild it from scratch? 
Advice?
Thanks

pbartlett

Goodness only know what is on there.

1. treat it like it is infected with COVID - anything you plug in there from now on do not plug into any other computer eg at home

2. power PC on, plug in a blank usb stick, copy off any data your mum wants to keep (eg documents, photos).

Re-install system from scratch, booting from eg DVD or bootable USB stick - format the drive before re-installing. OR you can go to settings / update and security / reset this pc and do it there but I personally would go the DVD / USB route.

Once up and running, ideally restore personal files from an old backup ie pre 'MS engineer' - these are unlikely to be infected. Otherwise, well you have them on the USB stick you made - I would be very very wary of putting that in the new machine. Depends on how precious the data is - it's  crap shoot. If you do, make sure autorun is disabled.

JJ_Egan

Yes for me it would be a full wipe unless machine has a backup image .

UncleZen

How best should I protect this PC in the future, assuming that its operated by a PC Numpty (which it is really). Like no Admin rights for example.

Thinking back: I once remember her telling me she got an Email from a friend who was apparently stuck in Dubai or somewhere without money. Click link to send some money for him to get home. She  didnt follow the link. Because she had seen him 2 days before and he didnt mention going to Dubai.

pbartlett

Yes you can change the password to the admin account and create a user account for her.

Make sure you change the password to the hidden admin account too - not that your mum will find it but  the 'MS engineer' will. Google it.

grumpycrab

UncleZen said: She didnt pay out any money.

She was genuinely convinced she was talking to MS.

Did she not pay any money because she wasn't asked (not a very clever scam) OR because she refused (clever mum)?

UncleZen

grumpycrab said:

UncleZen said: She didnt pay out any money.

She was genuinely convinced she was talking to MS.

Did she not pay any money because she wasn't asked (not a very clever scam) OR because she refused (clever mum)?

I dont think she was asked.

grumpycrab

UncleZen said:

grumpycrab said:

UncleZen said: She didnt pay out any money.

She was genuinely convinced she was talking to MS.

Did she not pay any money because she wasn't asked (not a very clever scam) OR because she refused (clever mum)?

I dont think she was asked.

Strange scam.  Guessing they were looking for bank info/passwords etc possibly with identity theft in mind?  They would be unlikely to install anything nasty in my experience but a belt and braces approach (clean install) is understandable.  With Windows10 its much easier these days (clean install that is.)

CoastingHatbox

Is there any data stored on the machine which needs to be retained?

In which case you might need to air gap it and copy off any important files/folders.

I have had exactly this situation twice with my Mother. Here is where I'm at currently:

I have a low power PC (Intel Atom NUC) running a PiHole. This blackholes DNS requests for domains which are use for tracking/malware/phishing etc.. I have added a number of extra blocklists to it.

Said low power PC also does some basic network monitoring via Zabbix. That's more helpful for the support calls rather than anything else right now.

Aside from that, she doesn't have admin access on the machine and support is provided via Microsoft Quick Assist.

HereToday

UncleZen said:

Got a call earlier from my elderly mum, who said that she had a message pop up on her computer to call microsoft, which she did. The MS lady "fixed" loads of stuff and "installed something" (which sounded like malwarebytes from her description). She didnt pay out any money.
She was genuinely convinced she was talking to MS.
I told her about social engineering and that her PC may now be compromised and that she should switch it off and not use it, which she has done.
I now need to check it. But what should I check for? Should I rebuild it from scratch? 
Advice?
Thanks

Yes and change ALL of her passwords immediately.

chrisw

Just a suggestion, but my mum was constantly struggling with her laptop and fell for one of these scams. In the end, we clubbed together and bought her an iPad which are pretty well locked down and are of no interest to these sort of scammers. We also set her up with a call blocker which has successfully stopped all scam calls.