Removing Malware from a computer

Forums › Desktop computing › Removing Malware from a computer - bloody scammers!

wonderstuff

110 posts

Master Geek

#274575 29-Aug-2020 11:33

Hi all,

It's been about 10 years since I have used MS Windows and your advice would be welcome.

On Thursday morning a relative reached out to me. They had been contacted by Spark to say that there computer was compromised and "Spark" wanted to do an online session to protect their computer. I made my relative absolutely aware that this was a scam, ignore them completely, and never trust anyone that reaches out to you.

Later that evening may relative was contacted again by "Spark" and which stage why relative told them that this was a scam and not to call again. "Spark" then indicated that they would disable the internet for them, so my relative panicked and accepted the Zohodesk session. During this session the "Spark" person asked my relative to log in to Westpac, TradeMe and a number of other sites, so that they could assess if they were secure.

After 3 hours on the phone and once the session finished, my relative gave me a call and asked if they needed to run a virus check. My advice was, get off the phone, call the bank, stop all credit cards and in progress transactions, power off the computer and courier to me. Unfortunately in this short time my relative had many thousands of dollars transferred out of their bank account. We will pursue that with the bank.

After hearing the description of what happened, I have assumed that a key logger was installed (how else would they see the passwords), risk of a crypt locker installed, and probably harvesting of email accounts.

I have now received the computer and working out what the best plan of attack is. It is off network. There is data I would like to recover from it, and the data is pretty simple so should be unlikely to have any unwanted payloads in it. However, I am also wondering at how effective Windows Defender is? I initiated a scan and found TrojanDownloader.Win32/Dalesic.C on it which I have removed and the Zohodesh app that I have removed. Nothing else is highlighted by Defender.

Would Defender have found any key loggers or cryptolockers?

Do I need to use a different tool for neutralising threats?

Back in the old days I would have reformatted the HD and reinstalled the OS. Is this still the best way? (I am not even sure how to do this with Win10 these days!)

1 | 2

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2551873 29-Aug-2020 11:44

You can use TrendMicro Housecall to start with. Then follow with MalwareBytes. Unplug or turn other computers off when doing this if you want to be sure but they should be ok if up-to-date.

If this is Windows 10 you can use Reset my PC to reinstall a fresh copy of Windows - you find this in Settings.

Linux

11399 posts

Uber Geek

Trusted

Lifetime subscriber

#2551874 29-Aug-2020 11:44

Malwarebytes free home edition is very good

gb67

44 posts

Geek

#2551890 29-Aug-2020 12:29

System Restore to a time before the scam?

Then all the security scans mentioned above.

Change email password and check for forwards set up in email so scammers can see password changes.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2551891 29-Aug-2020 12:30

System restore doesn't really do much - reset is a lot better.

huckster

842 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#2551896 29-Aug-2020 12:58

So sorry to hear about this. Have managed to head one of these off at the pass before any real damage myself.

Another alternative - if the data is simple - use a Linux boot CD and copy off to a usb stick? Then blow the OS away completely.

wonderstuff

110 posts

Master Geek

#2552629 30-Aug-2020 20:38

I would like to thank you all for your advice - much appreciated.

Looks like Windows Defender did a reasonable job.

TrendMicro Household was unable to find any other infections.

MalwareBytes found some potential threats which I removed.

I finished with the Windows Reset and have spend the rest of the afternoon restoring Office and the other apps.

Thanks. Now will see if my relative is able to recover the funds transferred.

Apsattv

2388 posts

Uber Geek

#2552752 31-Aug-2020 04:00

The last one i looked at, they thought they were clever and could hide things and made a restore point before they started mucking with the guys pc. Which they tried to restore once they finished.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

timmmay

20575 posts

Uber Geek

Trusted

Lifetime subscriber

#2552755 31-Aug-2020 06:20

I wouldn't boot the compromised computer at all in this case. I'd probably create a temporary computer as a malware removal workstation, even if it meant taking the main hard drive out of my normal computer, or booting a Linux USB. I'd copy the data off you want to keep, image the drive with something like Macrium just in case you missed something, then format the disk and reinstall windows. Scan the data you copied off, and copy it back onto the new windows install.

Dulouz

883 posts

Ultimate Geek

#2552816 31-Aug-2020 07:54

I did this yesterday. Malwarebytes followed by HitmanPro did the job for me.

Amanon

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2552839 31-Aug-2020 08:44

Apsattv:

The last one i looked at, they thought they were clever and could hide things and made a restore point before they started mucking with the guys pc. Which they tried to restore once they finished.

I wouldn't trust a restore point at all for these things.

1101

3122 posts

Uber Geek

#2552909 31-Aug-2020 10:48

All his passwords need to be reset , not just bank & trademe . Also his email pass , any passwords saved in Chrome IE edge etc.
Have a look and see if anything has been sent via his email ,see if the scammer has been using his email to send scam emails to people in his contact lists (unlikely but worth checking)

Check the router to make sure DNS hasnt been changed .

Apsattv

2388 posts

Uber Geek

#2553012 31-Aug-2020 11:17

freitasm:

Apsattv:

The last one i looked at, they thought they were clever and could hide things and made a restore point before they started mucking with the guys pc. Which they tried to restore once they finished.

I wouldn't trust a restore point at all for these things.

I'm talking about the scammer, they made a restore point before they started messing with the guys pc.

Then once they were done tried to reset the pc to remove all trace of their activity.

The usual scam, guy was told by demanding indian to travel into town (rural guy) and get itunes vouchers etc!

Im amazed people STILL fall for this nonsense

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2553024 31-Aug-2020 11:29

malware can be a pain unpick at times, some of it is quite nasty with how it locks itself in there. best solution...

fdisk.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

elpenguino

3419 posts

Uber Geek

#2556069 2-Sep-2020 23:46

hio77:

malware can be a pain unpick at times, some of it is quite nasty with how it locks itself in there. best solution...

fdisk.

Amen. I'd never be able to trust that machine again until the HDD was nuked from orbit i.e. reformatted and completely wiped.

Most of the posters in this thread are just like chimpanzees on MDMA, full of feelings of bonhomie, joy, and optimism. Fred99 8/4/21

JaseNZ

2576 posts

Uber Geek

ID Verified

Lifetime subscriber

#2556073 3-Sep-2020 00:39

If its a spinning hd bin it and install fresh on ssd.

Ding Ding Ding Ding Ding : Ice cream man , Ice cream man

1 | 2