Maximum PC

All times are UTC - 8 hours

Post subject: Windows Support call.....
PostPosted: Mon Apr 28, 2014 7:19 pm
Coppermine

Joined: Mon May 16, 2005 7:06 pm
Posts: 619
Location: San Antonio
I have an elderly client who received a "helpful" call from one of these scammers. She suspiciously went along with their spiel and allowed them access to her computer. When they came to asking about banking info, she hung up on them and shut down her computer. As you might suspect, when she re-booted the machine, it was locked requiring a password. The message box states: This computer is set up to require a password. You have two choices, type in their password (who knows what that is) or restart.

All her data seems to be in place as I slaved the hard drive to another computer. I tried using password cracking software and tried to change every user's password to nothing. No change, the computer still required a password. I suspected that perhaps they did something within the BIOS and cleared that, hoping that would remove their lock on things. No change.

I've tried to use Microsoft's Malicious Removal Tool (the real one) and it did not detect anything that could be changed. I've run Super Anti-Spyware and Malwarebytes. So far both have only found simple things like cookies. Nothing serious.

I scanned the drive by booting with a Linux product and tried to find system recovery files. They have been deleted or strange error messages come up about memory. Google could not identify the messages.

Using the search box in Windows, I cannot find data in the System files in the original drive I slaved to a separate computer. At least nothing that Windows can find. Perhaps I'm asking to find the wrong data. Before I copy all her files over and re-install the operating system, is there some way to get rid of the password block they installed?

I firmly believe there should be a Hunting Season for these lowlifes with bonus points for extra pain.



Post subject: Re: Windows Support call.....
PostPosted: Mon Apr 28, 2014 9:20 pm
Smithfield

Joined: Sun Jun 18, 2006 7:37 pm
Posts: 5241
If you can boot into Linux, they didn't do anything to BIOS. BIOS security will prevent the system from booting into anything, period. They probably didn't use anything malicious either. There are plenty of legitimate tools and options to require a password when attempting to boot that OS.

In any case, I would just take out the data and nuke that OS from orbit. I'm paranoid that even if something got inside my computer, I'm not even sure if it's been sufficiently sanitized. The only surefire way is to do a secure erase.



Post subject: Re: Windows Support call.....
PostPosted: Tue Apr 29, 2014 4:09 pm
Team Member

Joined: Wed Aug 12, 2009 12:09 pm
Posts: 565
Just curious how this worked. The scammers added a password lock on the PC? They didn't just change the user log-in password?



Post subject: Re: Windows Support call.....
PostPosted: Tue Apr 29, 2014 4:33 pm
Coppermine

Joined: Mon May 16, 2005 7:06 pm
Posts: 619
Location: San Antonio
From what I've been able to find Googling around, it's a common practice they use. I get the drift there is some sort of executable file that puts up that screen and it's not a password in the way Windows would use one. When I used my Linux based password cracking software, it ID'd all the users. I selected each user and deleted any passwords that might have been there. Using this software on other machines works every time.

The pisser is, there are ways around this. Usually the way the scammers write their programs, attempts to get around what they did only makes things worse. After a single incorrect attempt to fix things, any restore points you might have are deleted by the attempt or sooner if they have enough time in your machine. See: http://triplescomputers.com/blog/casest ... m-lockout/

They talk their victims into allowing perfectly legal software to be installed on your computer so they can take control and show you in a variety of ways "what is wrong or going wrong" in your computer. Eventually one way or another they try to convince you to purchase their fix and will "help you" by asking for banking info.

In this case, they must have guessed at one time or another my client purchased some sort of anti-virus software and convinced her it didn't work and they wanted to refund her money. Again they asked for banking info. She got spooked and hung up on them. They were telling her not to turn off her computer when she did. What they might have gotten into had she left it on is anyone's guess.

After many hours of trying various things suggested as fixes and using the various problem solving software, nothing was found to be "bad". Does that mean all they did was lock the machine, or are they clever enough to cover their tracks so they can't be discovered? Since I can find all of her documents, photos and such, I pulled them off her hard drive and installed a completely new drive. Scanning those files, I don't find anything bad.

I re-installed the operating system on the new drive and am in the process of restoring things now.

How anyone can feel they can just steal your money without any guilt is beyond me. As I said, opening a hunting season on these criminals just seems like a good thing to do. Sorry for the long rant. Imagine how my client feels. She's 92 years old and A LOT less trusting now.



Post subject: Re: Windows Support call.....
PostPosted: Wed Apr 30, 2014 3:10 pm
Thunderbird
Joined: Sun Dec 30, 2007 6:17 pm
Posts: 849
Location: Phoenix, AZ
oldwizkid wrote:
....there is some sort of executable file that puts up that screen and it's not a password in the way Windows would use one.

Possibly...it would be in the startup folder or a Service. Nothing can hide from Process Explorer/Autoruns.

oldwizkid wrote:
....Usually the way the scammers write their programs, attempts to get around what they did only makes things worse. After a single incorrect attempt to fix things, any restore points you might have are deleted by the attempt or sooner if they have enough time in your machine.

My experience is the exact opposite. Malware is laughable. And easily identifiable, and removable. Things can get altered (HOSTS file, break built-in recovery tools, etc.). There are a few exceptions, but the only real SOBs are the ransomware that encrypt your files. That you can't fix, that I am aware of.

oldwizkid wrote:
....they asked for banking info. She got spooked and hung up on them. They were telling her not to turn off her computer when she did. What they might have gotten into had she left it on is anyone's guess.

They may have (started) downloading the contents of her hard drive, particularly cookies and My Documents. I am not certain if there is a last accessed or copied code forensically available on files.

Mostly not useful unless it contained credit card info, Social Security info, personal info, passwords (especially unencrypted), product keys . . . sales receipts and email (including addresses) can be useful too.

I would guess they were too busy about to slam the door and make her an offer she couldn't refuse to start downloading. But you cannot be sure.

oldwizkid wrote:
.... nothing was found to be "bad". Does that mean all they did was lock the machine, or are they clever enough to cover their tracks so they can't be discovered?

No, you cover your tracks when you leave (last steps).

oldwizkid wrote:
Since I can find all of her documents, photos and such, I pulled them off her hard drive and installed a completely new drive. Scanning those files, I don't find anything bad.

Good practice.

oldwizkid wrote:
I re-installed the operating system on the new drive and am in the process of restoring things now....

Sounds like she figured it out in time and did the correct thing to save her bacon. You can kill the partition(s) of the old drive and quick format a new partition, and then copy the drive image of the test drive back to her drive when ready.
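An added triage example, not code from this thread or from any of the posters, that follows up two points in the reply above: that a screen-locking executable would sit in a startup folder or a service, and the open question of whether last-accessed timestamps can show what was read or copied off. It is a Python script meant to run against a slaved Windows drive mounted at `root`, the way the first post describes; the Startup folder paths are the standard Windows ones, the incident time is an assumption standing in for when the call happened, and the sample drive tree is constructed inline. Run keys and services are in the registry hives and need a hive parser (Autoruns in offline mode does this), so the script only covers the filesystem side. The caveat it carries is the one a practitioner needs: NTFS last-access updates are commonly disabled on Windows, so a quiet copy can leave no atime trace, and an empty result is not proof that nothing was read.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Startup folders of an offline Windows system drive, relative to its root.
# Standard locations; the per-user folder sits under each profile in Users\.
ALL_USERS_STARTUP = Path("ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")
PER_USER_STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def startup_entries(root):
    """List files in the common and per-user Startup folders of the slaved drive.

    Anything here runs at logon, which is where a lock-screen program dropped
    during a remote-support session would commonly be placed. Run keys and
    services live in the registry hives and are out of scope for this script.
    """
    root = Path(root)
    folders = [root / ALL_USERS_STARTUP]
    users_dir = root / "Users"
    if users_dir.is_dir():
        folders += [profile / PER_USER_STARTUP for profile in sorted(users_dir.iterdir())]
    found = []
    for folder in folders:
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.name.lower() != "desktop.ini":
                found.append(entry.relative_to(root).as_posix())
    return found


def files_touched_between(root, start, end, subdirs=("Users",)):
    """Return (path, which_timestamp, iso_time) for files under the given subtrees
    whose modification or last-access time falls inside [start, end] (UTC-aware).

    Caveat: NTFS last-access updates are commonly disabled on Windows, so a file
    that was merely read or copied off may show no atime change at all. An empty
    result is therefore not evidence that nothing was read.
    """
    root = Path(root)
    hits = []
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                path = Path(dirpath) / name
                try:
                    st = path.stat()
                except OSError:
                    continue  # unreadable entry; skip rather than abort the walk
                for label, ts in (("modified", st.st_mtime), ("accessed", st.st_atime)):
                    when = datetime.fromtimestamp(ts, tz=timezone.utc)
                    if start <= when <= end:
                        hits.append((path.relative_to(root).as_posix(), label, when.isoformat()))
    return sorted(hits)


def incident_window(incident, hours=1):
    """Window of +/- `hours` around the assumed time of the scam call."""
    return incident - timedelta(hours=hours), incident + timedelta(hours=hours)


def set_times(path, mtime, atime=None):
    """Stamp a file with explicit modification/access times (used to build sample data)."""
    atime = atime or mtime
    os.utime(path, (atime.timestamp(), mtime.timestamp()))


def build_sample_drive():
    """Create a throwaway tree shaped like a slaved Windows drive.

    Constructed sample data, not from any real machine; the incident time is an
    assumption standing in for when the call happened.
    """
    root = Path(tempfile.mkdtemp(prefix="slaved_drive_"))
    incident = datetime(2014, 4, 28, 19, 0, tzinfo=timezone.utc)

    common = root / ALL_USERS_STARTUP
    common.mkdir(parents=True)
    (common / "lockscreen.exe").write_bytes(b"MZ placeholder")  # stands in for the lock program

    docs = root / "Users" / "client" / "Documents"
    docs.mkdir(parents=True)
    untouched = docs / "taxes_2012.docx"
    untouched.write_text("old file")
    set_times(untouched, incident - timedelta(days=400))

    read_during_call = docs / "bank_statement.pdf"
    read_during_call.write_text("statement")
    # modified long before the call, but accessed 12 minutes into it
    set_times(read_during_call, incident - timedelta(days=30), incident + timedelta(minutes=12))
    return root, incident


if __name__ == "__main__":
    root, incident = build_sample_drive()
    print("Startup folder contents:", startup_entries(root))
    start, end = incident_window(incident)
    for hit in files_touched_between(root, start, end):
        print("touched during incident window:", hit)
```

Point `root` at the mount point of the slaved drive (for example `/mnt/olddrive` from a Linux boot) and set `incident` from the victim's recollection of the call; the window is deliberately generous because a remote-support session can run well past the moment the victim hangs up. Treat the "accessed" hits as leads to confirm, not conclusions, for the reason given in the docstring.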
