Spyware, viruses, & security forum: My friend got scammed; please help make her PC safe again

The way someone takes over a PC like this is through either a VNC (Virtual Network Connection) program or Remote Desktop.

First thing to do is look for any remote desktop software on the PC, that includes things like ShowMyPC, GoToMyPC, TightVNC, RealVNC, anything with VNC in the title and remove it.

Next thing turn of Remote Assistance - go into Control Panel and then System and select the Remote tab, there should be a box there that say's "Allow remote assistance invitations to be sent from this computer" - untick this box.

Next thing get a decent anti-virus software and firewall, make sure it's anti-virus and firewall, many of the free ones like Avast, AVG, etc are just anti-virus, there is no firewall in there. I highly recommend ESET Smart Security, Kaspersky is quite good too, I find the two major ones like Norton and McAfee too full of bloatware and slow the computer down too much, plus being major they're more likely to be disabled with a virus attack.

Also it does help if when connecting to the internet your friend is going through a router rather than plugging it straight in. Routers have an extra line of protection - a hardware firewall. This does still let a few things in, but can be far harder to attack a hardware firewall than software.

Next thing when this person called your friend did they ask for anything like tell her to run a program and give her a code (ShowMyPC does this), or give them the IP address of her computer (this is a long 4 part number seperated by full stops in the format 10.11.123.21 or something like this), or go to a certain website, if they did then this is how they connected to her computer.

Programs like ShowMyPC use a code to allow their services to find this computer on the net and to link up the IP addresses, and also to verify that the person certainly has access to your computer, this code changes every time you share your screen to ensure someone can't keep the code for the next session.

Other programs like TightVNC, RealVNC, Remote Desktop, etc all require an IP address (4 part number) to find the PC on the internet and use that. Depending on your ISP you may have either a dynamic or static IP address, most of the times it's dynamic, static IP addresses normally cost extra and in a home use can even decrease security, however in business you need static IP addresses if your hosting things like websites. If you have a dynamic IP address this will change every so many hours, so the person will need that address again to be able to log on because every few hours it will change. Also if they used an IP address and your behind a router, as long as the router is set up correctly with the correct security in place, at worst all the person would be able to access is the login screen for the router (and as long as you changed the routers password from something really obvious like admin, admin (normal default login) then they can't get in. Of course if your plugged straight into the internet through your ISP's ethernet cable or phone line with an ADSL modem then if someone types that IP address into something like RealVNC and you have a VNC service running on your PC then they will see your PC, also if the router is set up wrong then it will allow VNC through to your PC, normally if you bought the router new from a shop, or was given it from your ISP, or used the reset button on it (it's normally a ball-point pen shaped hole that you push a pen into to reset) then it will be set up to block VNC (and many other programs as well). If you do reset your router you may need to type into your web browser something like 192.168.1.1 or 192.168.0.1 to access the setup program (login and password will normally be username: admin password: admin)and reset all the security settings on the router, like wi-fi password, router login password, etc, or use the software disc that came with your router (this does the same thing, just some of them can be slightly less complicated than accessing the router directly, I always go through the 192.168 option as it gives better options but can be a bit complicated).

There are two more ways they can get your IP address and gain control of your computer other than asking for it.

The first way is to use a website - for example go to this website http://www.whatismyip.com this will show you your IP address. Of course if a website records your IP address it doesn't need to show you on screen, this website just does it to show you. You can't stop this IP address from going out unless you used something like a proxy server (and now we're getting complicated), and some websites use this IP address to find out roughly where you are - of course don't worry too much about that because most of the time it's not too accurate - http://www.ipaddresslocation.org go here and it will show you where they think your IP address is, according to mine I'm use Plus Net for my ISP which is correct and I'm currently located in Birmingham, UK, which is pretty close, I'm actually in Shropshire which is about 60 miles west of Birmingham so that's a lot of houses to search just to find me.

It is vital that you don't hide your IP address from websites (it can be done), because some websites use the IP address for various things, for example Cnet probably used your IP address when you posted to check it against their list of blocked IP addresses, some websites like Youtube, BBC iPlayer, RTE Player all use your IP address to find out which country you are in and either offer you your local version of the site, or an international version (e.g. if I go to BBC iPlayer I see a load of programmes that are only available to the UK, where as if I go to RTE Player I see only programmes that are available internationally, it won't show me the shows that are exclusive to Ireland).

Of course one other thing that someone can use this for is to gain access to your computer, if they told your friend to go to a specific website before they took over her computer then this would have given them her IP address without them asking.

And finally there is one other way they could have obtained this IP address - through a virus. If your friend is absolutely sure she didn't give any information from her computer to this person, like her IP address, or was told to access a website or anything then it means the computer she has got is possibly infected with a virus. Viruses can send an IP address over the internet (along with all sorts of other details). If this is the case the best bet is if you have your Windows CD re-install Windows on the computer from scratch. This is probably the best method anyway because if it is a second hand PC it will also make sure you remove all of the old data the person you bought it from had on it.

To re-install Windows it's very important that you boot from the CD and do not try to repair or upgrade the computer by just sticking the disc in the drive and running it from Windows. If you do you'll probably end up just re-infecting the new Windows. Also before doing this if you've put anything onto this computer yet like documents, pictures or anything else ensure that you have these safely backed up somewhere on some other device because when you do this it will wipe everything from your computer, and also ensure you unplug all external hard drives, USB drives, pen drives, SD cards, memory sticks from your computer before beginning.

Firstly boot from the CD, to do this most computers are set up to try and boot from CD at first, if this doesn't happen you may need to press F12 when you first turn the computer on to access the boot menu (or Delete key (Del) to enter the BIOS and change the Boot order - this can be a bit complicated, if your unsure get someone who knows about computers at this stage to help).

Once booting from the CD Windows will scan the hard drive and notice that there is an existing version of Windows on there and ask if you want to repair it. No you don't want to repair it, because this will just infect the PC again.

You will get to a screen that shows you all the hard disks and partitions on your computer (again this bit can be quite complicated), Delete all the partitions from your hard disk - except if you have one marked RECOVERY - recovery partition is entirely your call, I always delete it on mine because I know what I'm doing and as long as you have a valid Windows CD then you have everything you need anyway, it gives you a bigger hard drive deleting it, but if you keep it you can always restore your PC without your Windows disc. If you don't have a partition called RECOVERY don't worry about it.

NOTE: when deleting the hard disc partitions make absolutely sure you have removed any external drives, or if you've left them plugged in only delete the hard disc partitions that match your internal drive, if your unsure seek professional advice.

After deleting the partitions you will be left with a bar that says "Unpartitioned space", select this and then tell Windows to do a Quick Format. This will remove all the nasties and set your Windows up as good as new. You could go for a full format if you really wanted to be 100% sure but this can take a good few hours on some hard drives.

After the format just carry on through the setup process, when it asks for the registration code you should find that on a sticker somewhere on the tower. If it's a main brand PC like Dell, HP, etc it will certainly be there somewhere, probably near the serial numbers. If it's a generic PC check with the seller because it should have a licence, and if not it was illegal for them to sell it you with Windows on and without a licence, if they have done this go back to them and demand a genuine licence sticker for the Windows on the computer, they should supply the licence number and if not they're breaking the law.

If you have no disc with the computer for Windows you have a few options - firstly - there should be somewhere on the computer a recovery program for creating these discs, this is normally on main brand PC's like Dell's, HP's, etc, run the recovery program from Windows and get it to make these discs for you.

If it doesn't have a recovery program or the recovery program tells you it's already made the discs go back to the seller and demand these discs, they are part of the computer and it was illegal for them to keep hold of them when they sold the computer, they may try and charge you for this, they shouldn't and if you threaten to report them for selling illegal software on a computer and breaking terms and conditions of the windows software they may back down and just give you the disc.

If you are getting nowhere and can't seem to get a disc, look on the sides/back/underside of the computer there should be a valid licence key somewhere on it for Windows with the Microsoft logo on it (if it doesn't have this then you need to go back to the seller and tell them that they've sold a computer with an illegal copy of Windows on it and demand either a genuine copy or your money back). When you find the sticker read the OS description very carefully, you now need to find someone with the same disc (or download it from the internet) - It needs to match exactly for example if it says "Windows XP Home" you need to get Windows XP Home 32-bit edition, if it says "Windows XP Home 64-bit" you need Windows XP Home 64-bit (if it doesn't state 32-bit or 64-bit it's the 32-bit edition), or if it says "Windows Vista Home Premium" it must be Home Premium not Home Basic, there are so many different versions of Windows and each one needs a different disc - you have the first bit which is the type - e.g. XP, Vista or 7, then you have whether it is Home or Professional (or Business), and then you have whether it is Basic, Advanced or Premium, and then you have whether it is 32-bit or 64-bit.


Btw just noticed the prices you've mentioned in your question are in £'s so I presume that means you live in the UK. If you need expert help get in touch..

I run a PC repair business in Ludlow (and also go to Wrexham and Warrington most weeks), if you live locally to either Ludlow, Warrington, or Wrexham I would be happy to help you sort this problem out if you get stuck with my advice above.

Just send me an e-mail through my CNET user name.

I have a HND in Software Engineering from the "Proud City of Preston" in 1999 and have been working with computers since I got my first computer, an MSX, when I was about 7 and am regularly on these CNET boards offering help and advice.

Note: This post was edited by its original author to combine Darren's second post to this one on 11/18/2011 at 11:04 AM PT

There's websites that will send them a link and when they go to link the user will be notified of the visit and there full ip address will be emailed to them. Or somebody can set up a website and use a web tool to record visits.. If I was this lady I would use a disk at start up called KILL DISK that will run on boot up and get rid of all the content on the computer. As far as videos, music, and pictures go, you should already no to keep this on an external drive or thumb drive. When you come back online use avg and most importantly DON'T use internet explorer. Google chrome and built in malware and phising software. A couple other things don't open emails from people you don't know, and then be SLOW in the brain and click one of their links, Always research a site before you go to a site you never been to, or that is not well known and don't download "FREE" music, because chance are your going to have to pay to get your computer fixed.

The only sure way to clean the computer is to either do a "system restore" or a "clean install" of the operating system.

System restore is easier to perform, but you need to have a system restore CD(s) or partition. Usually you just need to run it, and it does everything for you. However, system restore would restore the computer to the state when it was manufactured. So if the computer is 5 years old, you will end up with an operating system that was in use 5 years ago.

Clean install is more work. First you should write down the model number of the major devices in the device manager, like video adapter, network adapter, sound card, etc. This would help you find the drivers for these devices. Then you format the hard drive (or better yet, replace it with a new one), and then you obtain an install CD for the operating system and install it. Then you install device drivers. With clean install, you have the option of installing the latest operating system. While it is usually desirable to have the latest operating system, it may require more memory and run slower than an older operating system. So weigh your options.

Trash the HD and reinstall all apps from orginal MFG. Never Trust Anyone......

This anecdote does not sound true. How did the person in India get her phone number? If she's that naive, how did the Indian person get the IP address of her computer, since nobody THAT naive could be expected to provide an answer to that question? The only explanation I can think of is that the computer had already been infected with a trojan spyware, perhaps a keylogger, and she entered her phone number in a way it could have been captured and transmitted to the bad guys. Buying a pre-infected computer is really dumb -- this seems to be a case of Darwinism at work.

The only way a person that gullible could make a computer safe again is not to use one. Barring that, I would suggest using Darik's Boot and Nuke (DBaN) to completely wipe the hard drive and reload the O/S from distribution disks. Then, as the very first order of business, load a competent anti-malware program like Norton Internet Security and instruct this individual NEVER, EVER to bypass any warning she ever receives from it, and NEVER, EVER click on any link from any source that warns her that her computer may be infected, and NEVER, EVER respond to a phone call that purports to have information about her computer internals, and NEVER, EVER open an attachment to her email.

Although I tend to think that this'll do a fat lot of good. Sometimes I think that computers should be like cars, and users should be licensed, subject to suspension and revocation. I'm sorry to be so flippantly dismissive here, but brain-dead computer users threaten security for all of us, and it annoys me.

For someone being so critical. You are well uninformed as to these phone calls scams. They are calling people at random and sooner or later they will catch someone that is new to computers that are unaware of all the bad guys out there. I read tech newsletters and the one guy told the story of getting a call from India telling him he works for Microsoft and that his computer had error that needs to be attended to. Little did the guy know. The guy he was talking to does work for Microsoft once in a while.

I take it you where a professional computer user before you bought your 1st PC.

I am in Australia and get calls 2 or 3 times a year on this one as do my neighbours. They obviously just go
through the phone directory. They do not have any information on your computer. A few times i have
stringed them along and they could not even say which Windows i was using or answer any technical questions about my "so called problem". It is a pity people get scammed but a good dose of common sense goes
an awfully long way in computers. If it really was Microsoft would they use a telephone or a computer???
or would they even know (OR CARE) if your computer was playing up????

a) the lady has a *desktop*, her friend says. Not a laptop. But it makes no difference:
b) if it's a good, recent computer, it will be worthwhile to get the Hard Drive completely reformatted and the OS reinstalled by a reliable, trustworthy professional.

System restore may not clean the hard drive 100%. Go for the complete reformatting. It will take several hours but there's no other way — apart from physically destroying the old HDD and buying a new one.

Yes, that might be the quickest, least costly, and most effective solution!

"People cannot learn to use a computer without actually using one" -- under supervision -- with the teaching help of someone who knows, understands, and can pass on his/her knowledge.

As a computer professional, I have seen a lot. We don't know that this "technician did while she had control. So theonly way to be 100% sure would be to completely reformat the hard drive and reinstall windows. I wouldnt even back up and reload photos and music, because I have seen bad code embedded in these types of files as well. And most of all, remember this... Microsoft nor any other legit vendor will NEVER call you out of the blue! (You can't even get Microsoft to return a call to you even when you call them!
Ron M.
Pittsburgh, PA

This is a simple problem to fix. All you need to do is to go to the manufacturer's website, click on support, and find the option to download manuals and drivers. Find the User's Manual (not the Getting Started Manual) and then look up how to restore it to factory settings. I don't know what manufacturer your computer is, but on my Acer, you press [Alt] + [F10] at startup, and on my son's ASUS laptop, it is [F9]. Your User's Manual will tell you which key to press.

I'm sorry, but without the system information (make, model, and model number) that's the best I can do. Otherwise, I would have looked it up for you so I could tell you exactly which key to press.

When you are finished, the computer will be just like it was when it came out of the box, even with all that annoying third party software that you would have to uninstall. You will probably need to update Adobe Flash, Shockwave, AIR, and Reader, and Java, and Microsoft Silverlight, but at least your computer would be virus free, and whatever that "nice" lady from India did to it would be long gone.

Since it is a new PC you proba,bly still have the restore disks. Just load those disks and restore your pc to its new condition. However, the restore disks will wipe the "C: drive clean because they reformat itso you will lose all data n that drive. This is the surest way to be sure your pc is clean
Bob
<div>
</div>

Normaly, I don't recomend the following, but I do in this particular case.

As this computer have been in use for only a few days, there is almost no user created, collected and personal files on it.
There are also probably barely any installed applications.

Copy all your files on an external drive or an USB key/stick. You probably don't accumulated many in kust a few days.

Reinstall or restore the operating system.
Reinstall or update any needed drivers.
Reinstall any applications you may have installed.

Restore your files.

Install a good antivirus like AVG or Avira. Both are available for free for personal, home use.
Install some firewall software. Many are available, several are also free for personal, home use.

NEVER EVER grant remote access to your computer to anybody UNLESS "YOU" personaly request it to somebody you know and trust.

You don't know what nasty that person could have installed on your computer. It can be a hiden remote administrator acount, it can be a key logger, it can be some spyware, it can be a spam relay,...
Luckily, as you refused to pay and install anything on your own, the damage is somewhat limited. You doddged the worst.