Here's one that I corrected last night by completely wiping and reinstalling, but I sure would appreciate some input and insight after-the-fact if you guys would be so kind. Bottom line is a scammer was able to get back into a computer remotely after removal of the remote application that was initially used and retake control of the computer. I do self-employed tech work and have been able to solve everything encountered.

So this computer owner calls me and said her computer wants a password, none of the passwords she uses work and that she never had to put one in before. I know that people forget their passwords and even leave their computers on so long that they forget they even have a password. I told her to use some of her usual passwords, she tried and she said none work. She was pretty adamant that she never had a password. I told her that passwords do not just appear and that someone has to put one on. I asked her if someone else might have used her computer and then comes the embarrassed confession: she had fallen for an email scam disguised as a Geek Squad invoice for service, she called the number to cancel, and she let "Henry" get on her computer. so he was messing around on your computer, asked for a credit card or wanted you to go buy a money card, you got spooked and hung up".

So previous to Windows 10, these types of password lockdowns/ransom scams were done with the scammer putting on a SYSKEY password which thankfully is no longer supported on Win 10/11. I figured THIS scammer apparently put in a LOCAL password so I had her try 12345678, 1234, 4321, 87654321 and similar but no luck. She brought it to me and I used xxxxxxxxxxxxxxxxxxx to remove the local password. I uninstalled the remote application called AnyDesk, looked at the autorun locations and scheduled tasks, ran a Windows Defender scan and thought I was done with it. Since we don't know what "Henry" was able to do, she changed her passwords at my urging. And while I had it, I turned off and customized some of the Win 11 settings, probably spending about 30 minutes with it.

She takes it home and within 30 minutes of turning it on and it being on her network, she called me and said Henry was back. She said the same "update screen" popped up, her mouse pointer was moving on its own, the password screen came up and she quickly unplugged it. Over the phone, I had her reconnect it, start it back up and let me remote in. Within a couple minutes, the strange update screen came up, the Ctrl-Alt-Del options page appeared, and the mouse pointer went to the password change option.

I had to see this personally so I went to her house and fired the computer up without connecting to the network. I rechecked her Programs list (no remote application was there), deleted some unknown browser extensions on all of her browsers, and looked again in the usual autostartup locations (Task Manager, Task Scheduler, and Startup folder from the Programs list). I then ran an updated FRST64 I had brought with me without connecting to the Internet. I'm not 100% fluent with analyzing the two text files from a FRST scan. I know to look for the <=ATTENTION labels.
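A triage script for a machine like the one described above, added here as an example and not part of the original post: it walks the autostart locations the author checked (Run keys, Startup folders, scheduled tasks) plus the spots an "uninstalled" remote tool commonly leaves behind (services, Winlogon, WMI event subscriptions), flags any entry whose command line names a known remote-support product, and lists local accounts with when their password was last set and who is in Administrators. The product keyword list is an assumption of mine, not something the post names beyond AnyDesk.

```powershell
# Added triage script (not from the original post). Run elevated, with the network unplugged.
# Keyword list is an assumption: remote-support products commonly left behind in these scams.
$Keywords = 'anydesk|teamviewer|ultraviewer|supremo|rustdesk|screenconnect|connectwise|logmein|gotoassist|atera|splashtop'

function Show-Hit([string]$Where, [string]$Name, [string]$Cmd) {
    $flag = if ($Cmd -match $Keywords) { '  <== REMOTE TOOL' } else { '' }
    "{0,-11} {1,-45} {2}{3}" -f $Where, $Name, $Cmd, $flag
}

# 1. Run / RunOnce keys (HKLM, HKCU, 32-bit view) and Winlogon Shell/Userinit values
$RunKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $RunKeys) {
  if (-not (Test-Path $k)) { continue }
  $props = (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
  foreach ($v in $props) { Show-Hit 'Registry' "$($k.Split('\')[-1])\$($v.Name)" "$($v.Value)" }
}

# 2. Startup folders (per-user and all-users)
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $StartupDirs -File -ErrorAction SilentlyContinue |
  ForEach-Object { Show-Hit 'StartupDir' $_.Name $_.FullName }

# 3. Scheduled tasks: the action's executable matters, not the task name
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
  foreach ($a in $_.Actions) { Show-Hit 'SchedTask' ($_.TaskPath + $_.TaskName) "$($a.Execute) $($a.Arguments)" }
}

# 4. Services: removing a remote tool's GUI can leave its service and binary in place
Get-CimInstance Win32_Service | ForEach-Object { Show-Hit 'Service' $_.Name $_.PathName }

# 5. WMI event consumers, a persistence location most manual autostart checks skip
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
  ForEach-Object { Show-Hit 'WMI' $_.Name "$($_.CommandLineTemplate)$($_.ScriptText)" }

# 6. Local accounts: who had a password set, and when; any admin the caller added for himself
Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon | Format-Table -AutoSize
Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource | Format-Table -AutoSize
```

A PasswordLastSet timestamp matching the day of the scam call, or an unfamiliar account in Administrators, tells you what the caller did without guessing; anything flagged REMOTE TOOL after the uninstall is the likely way back in.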