Uncle encountered a Microsoft tech support scam. Investigating the adjustments the scammer introduced.
Hello everyone, thank you for your message. My father permitted my uncle to borrow a laptop, and my uncle granted remote access to a tech support scammer. I'm trying to figure out what modifications the scammer made, how they gained entry, etc. So far, I've noticed only that the local user account password was altered and a previously existing local account was deleted. Any advice would be greatly appreciated. As a last option, I might have to reinstall Windows 11 completely since I'm not sure what files or programs were installed.

- Windows 11 Home
- The user account is currently an admin account (though not ideal). No other accounts remain except one that existed before. I discovered this by inspecting the properties of the Chrome desktop icon.
- The local account password was changed. It's unlikely my uncle did this, but I removed the old password and set a new one.
- Remote Desktop was enabled and then disabled.
- The laptop was bought around late 2022 or early 2023. An event occurred on February 18 or 19, 2024 (I've been delaying it). I looked in Event Viewer, but the exact date is uncertain due to incorrect time settings.
- The last software updates were installed on February 18 or 19, 2024: Microsoft Update Health Tools, WebAdvisor by McAfee, Google Chrome, and Microsoft OneDrive. Prior updates were from August 8, 2023.
- BitLocker was activated, which seems to be the default now. This stopped me from launching a scan with a Kaspersky rescue disk. The disk version is 24 beta; the 18 version would load the GUI.
- Microsoft Defender offline scans ran twice without any threats detected.
- The only unusual behavior I've observed is a noticeable lag when first clicking the Desktop after booting (using a mouse or touchpad). Since the laptop has a touchscreen, I should have internet access during troubleshooting, except while using the Kaspersky rescue disk to update definitions before scanning. That update failed, so I used the Chrome install on the rescue disk to verify connectivity. No internet was available while logged into Windows.
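The post above lists the changes that were noticed by hand (deleted account, reset password, Remote Desktop toggled, recent installs). The following triage script is an added example, not something posted by the original author; it pulls the same kinds of evidence from the Security and System logs, the registry and the installed-program list so the comparison does not depend on clicking around Event Viewer. The date window and the list of remote-access tool names are assumptions: widen the window if the clock was wrong, and treat the tool list as a heuristic, not as proof that any of them was installed on this laptop. Run it in an elevated PowerShell on the affected machine.

```powershell
# Added triage script (example, not from the original post). Run as Administrator.
# Collects: account-management events, RDP state and connection attempts,
# new services/tasks, recently installed programs, common remote-access tools,
# and the current local account/admin list.

# Assumed window around the reported Feb 18-19, 2024 incident; widen if the clock was off.
$Start = Get-Date '2024-02-10'
$End   = Get-Date '2024-02-25'

# 1. Account management in the Security log.
#    4720 user created, 4726 user deleted, 4724 password reset by another principal,
#    4723 password changed by the owner, 4732 member added to a local group,
#    1102 audit log cleared. These are only present if auditing was on.
$ids = 4720, 4726, 4724, 4723, 4732, 1102
try {
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$ids; StartTime=$Start; EndTime=$End} -ErrorAction Stop |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
        Format-Table -AutoSize
} catch {
    Write-Warning "No matching Security events in the window (auditing may be off): $_"
}

# 2. Remote Desktop: current state from the registry, plus inbound connection
#    attempts logged by the RDP listener (event 1149 includes the source address).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
'Remote Desktop is currently ' + $(if ($ts.fDenyTSConnections -eq 0) { 'ENABLED' } else { 'disabled' })
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id=1149; StartTime=$Start} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 3. Persistence: services installed in the window (7045 in the System log) and
#    scheduled tasks that are not Microsoft's own.
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{n='Service'; e={ $_.Properties[0].Value }},
                  @{n='Path';    e={ $_.Properties[1].Value }} |
    Format-Table -AutoSize
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, State, Author | Format-Table -AutoSize

# 4. Programs installed in the window. Uninstall keys carry InstallDate as yyyyMMdd,
#    which is faster and more reliable than Win32_Product.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName }
$installed |
    Where-Object { $_.InstallDate -ge $Start.ToString('yyyyMMdd') } |
    Select-Object DisplayName, InstallDate, Publisher, InstallLocation |
    Sort-Object InstallDate -Descending | Format-Table -AutoSize

# 5. Remote-access tools scammers commonly ask victims to install. Heuristic list
#    (an assumption for this example), checked against installed programs and processes.
$ratNames = 'AnyDesk', 'TeamViewer', 'UltraViewer', 'ScreenConnect', 'ConnectWise',
            'Supremo', 'LogMeIn', 'RustDesk', 'GoToAssist', 'Zoho Assist', 'Splashtop'
$installed |
    Where-Object { $n = $_.DisplayName; $ratNames | Where-Object { $n -like "*$_*" } } |
    Select-Object DisplayName, InstallDate, InstallLocation | Format-Table -AutoSize
Get-Process |
    Where-Object { $p = $_.ProcessName; $ratNames | Where-Object { $p -like "*$_*" } } |
    Select-Object ProcessName, Id, Path | Format-Table -AutoSize

# 6. Current local accounts and Administrators membership, to compare with what the
#    family expects (PasswordLastSet shows when the password was reset).
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource | Format-Table -AutoSize
```

Two caveats apply here. Windows Home does not expose the Local Security Policy console, so if the account-management events are absent the auditing was simply never enabled, not necessarily cleared (a 1102 event would show clearing). And because the post notes the system clock was wrong, sort by event record order inside Event Viewer rather than trusting the timestamps alone when reconstructing the sequence. None of this replaces the reinstall the replies recommend; it only tells you what to tell your uncle and dad about which accounts and programs were touched.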
Ensure your drive is ready and proceed with installing Windows.
Follow the recommended steps. Restore previous backups if possible. Avoid handling the device to prevent further issues. Let others handle it if needed, minimizing personal exposure.
I share the same thoughts as everyone else—there might be hidden RATs or malware, so you should definitely reinstall everything. Just ask your uncle or dad about the programs they plan to install, wipe the C drive completely, set up Windows again, and reinstall those apps. You don’t want to take any chances.
Start with a live boot, prepare the disk, then install a fresh Windows version. These fraudsters usually lack real technical expertise and rely on simple scripts. The software they use is often poorly made, requiring a complete reset and cleaning of every storage device connected to the machine.