
My friend received a call from a person claiming to be a Microsoft tech support representative. This person claimed her laptop was infected with malware and compromised by hackers. He proceeded to manipulate her with technical jargon and persuaded her to install ShowMyPC software on her laptop, at which point he gained remote access to the laptop. At this point, the man opens Notepad and types out protection plans offered by his company, called Iyogi. He says that her computer will not be safe unless she pays to subscribe to their protection plans. At this point she refuses to pay and he locks her computer from startup, i.e. when you boot the computer you get a prompt for a start-up password before you can get to the Windows 8 user login screen.

I was able to bypass the start-up password using System Restore which restored it to a state before any of this happened. To be safe, I also used Windows 8 Reset feature to format the hard drive and perform a fresh install of Windows from the recovery partition (this is an Asus Windows 8 laptop with a BIOS-embedded product key).

My questions are:

1) Is the computer safe to use now? (Access the internet, log into e-mail, banking etc. Note all passwords were changed for her accounts from a separate computer and a suspicious activity watch was placed on her bank/credit card)

2) Do we need to use anti-virus/malware/rootkit cleaning software? If so, what tools should I use? And can I run it from this computer, or do I need to use separate media?

I am not sure what steps to take next. Any help is appreciated. Thank you.

2 Answers


1) Did you format the drive or roll back using a restore point? If you formatted the drive you should be safe. If you rolled back you MIGHT not be safe. In this case, it was a Win8 Reset so the computer should be safe. Run netstat to see what the computer is talking to. If it's talking to computers it shouldn't be, you probably still have a problem (which might be solved via Windows Firewall).

2) Yes, you should probably run one of the "remove rootkit" programs. Malwarebytes has a free one in beta that came up at the top of my Google Search. There are probably several other options. I've never used one so I can't personally vouch for them. Make sure Windows Firewall is set up and on. If netstat found any network activity that shouldn't be happening, use the firewall to block it.
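The "see what the computer is talking to" check from this answer, as an added PowerShell example that is not part of the original answer: it lists established TCP connections with the owning process and path, and looks for leftover installs of the remote-support tool named in the question. It assumes Windows 8 or later (for `Get-NetTCPConnection`) and that the tool's registry display name or service name contains "ShowMyPC".

```powershell
# Added example (not from the original answer): report established TCP connections
# with the owning process, so unexpected remote endpoints can be reviewed.
# Assumes Windows 8 or later, which provides Get-NetTCPConnection.
function Get-OutboundConnectionReport {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
                PID           = $_.OwningProcess
                Path          = if ($proc) { $proc.Path } else { $null }
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        } | Sort-Object Process, RemoteAddress
}

# Look for leftover installs or services of the remote-support tool from the question.
# Assumption: the display name or service name contains the product name; adjust the
# pattern if the install used a different name.
function Find-RemoteSupportTool {
    param([string]$NamePattern = 'ShowMyPC')
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, InstallLocation, UninstallString
    $services = Get-Service |
        Where-Object { $_.DisplayName -match $NamePattern -or $_.Name -match $NamePattern }
    [PSCustomObject]@{ InstalledPrograms = $installed; Services = $services }
}

Get-OutboundConnectionReport | Format-Table -AutoSize
Find-RemoteSupportTool
```

Run it from an elevated PowerShell session so that process paths for services resolve; any connection from a process you do not recognise is the one to investigate and, as the answer says, block at the firewall.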


I'm glad to hear that all of her passwords were changed from a separate computer! As for the tools, I would download the free version of Malwarebytes and run a scan. It will ask if you would like a trial of the pro version, but the free version works just fine. I would also download and run TDSSKiller to find any rootkits.

This can all be done on her computer since you said that you formatted the hard drive and did a fresh install. Be sure to install some sort of antivirus on her computer. There are many free options such as Avast that work well. Malwarebytes is also great, but you have to manually run it.
