
Security Scam Victim


AlanHo

One of my elderly friends has fallen victim to a telephone security scam.

She was told they had detected problems on her laptop - but because she had indeed been suffering from slow internet access she thought it was her service provider. After being shown all the red markers and yellow warning triangles in the event log she was suckered into downloading some software to give them access to the computer.

After several minutes demonstrating all the problems they had "found" they asked for £65 to rid it of problems. She refused to pay and put the phone down.

Today when she switched the computer on it booted to a warning screen stating that all her files had been deleted - or some such message. It does not boot to her desktop and does not respond to mouse or keyboard inputs. Fortunately she assures me she does not have any personal stuff stored on the computer or use it for banking etc. But she is distraught that she may have lost all her photos, personal correspondence to friends and family and her collection of music.

I have asked her not to switch the computer on again and I will collect it from her on Friday to see what I can do.

The question is - what can I do?

I know enough about computers to remove the hard drive from her laptop and mount it in an external enclosure to be able to look at it from a spare Win7 computer I keep for playing around with. I have no worries about infecting my spare computer with malware - I will reformat the hard drive and use Acronis to recover its hard drive from a safe back-up after I have finished playing with the infected laptop hard drive.


I will not know any more until I collect the computer. It so happens we are travelling down to Somerset on Friday for a 5 day break in a cottage there. Our friend lives near Bristol so it's a small diversion to call in and see her.



Investigations must wait until we get back home again next week. I am wondering whether it will prove to be Cryptolocker Ransomware which these scammers sometimes use. If so - it appears to be a real faff to overcome that might be beyond my amateur skill set.



That was my first thought but then you say it doesn't respond to keyboard or mouse input, which seems a step up from your usual cryptolocker and would make it hard to input any decryption key when purchased. Worst case when she put the phone down they still had access to her PC and buggered up her Windows installation for the hell of it. I suspect a reformat and reload will be necessary dependent on how thorough they were in their vindictiveness.



Our friend Christine decided to drive up and visit us today and brought her crippled laptop. I spent the day trying to rescue it.

It booted up to a black screen displaying a small window which said "This computer is locked and cannot be used until you enter the password which we will provide upon payment of our technical assistance fee. You are allowed 5 attempts after which the hard drive will be deleted and cannot be recovered". There was a box awaiting the entry of the password.

This is not the same display of CryptoLocker - or any other ransomware info I found on Google search.

Trying to boot into safe mode didn't work - the computer still stalled at the Ransom screen so I was not able to use a ransomware removal tool.

I then booted the computer with an Ubuntu disk which looked promising. The directory tree of the hard disk could be seen with the various sub-directories - but they were all empty. Looking at properties you could see the size occupied by each directory but not the number of invisible files it contained.

I then removed the hard drive and mounted it in an external USB drive connected to my spare Windows 7 PC.

I was surprised to see that again the directory tree was visible in Windows Explorer complete with the files - but the files wouldn't open without me first taking ownership of them one by one.

Having done that with all her valuable Documents, pictures and music, I copied them all to a spare 128 GB SSD to keep them for later use.

Rather than spend countless hours messing with the disc to try and get Windows and her software working - and realising that there was something really nasty hidden on there - I decided to format the disc, create two new partitions C and D and reinstall Vista from the Notebook's recovery disc which fortunately she had retained.

I then moved her documents, music, pictures, downloads and favorites folders to the D drive and copied across all her valuable data. Then I set up the internet, Malware protection, downloaded her most used software and got it all working. Her son is capable of getting her iTunes and Skype installed and working.

I have told her that she will not get the Notebook back until she buys an external hard drive for taking regular backups. I am taking her to PC World tomorrow to buy a 1TB Seagate portable USB hard drive. I have a spare licence on an older version of Acronis I no longer use. I will install Acronis and then show her how to take weekly backups.

