I help my elderly neighbour out with her laptop sometimes and the laptop appears to have been attacked by malware. It is Windows 10 and has auto update enabled so is probably up to date with patches. A few days ago she was on facebook and she clicked on a notification or something and her laptop went berserk. The screen showed "warning warning" or something, an alert sound played and a voice repeatedly said "there's a problem" or some such thing. On the screen there was a phone number with a message saying "call Microsoft" toll free. She rang the number and spoke to a guy for 40 minutes before she realised it was a scam. She tells me that he asked her to type in a few things including I strongly suspect Win+R - for run (she says it was escape R but the escape key is nowhere the bottom left of the keyboard which she says is where one of the keys was). From what she tells me he appeared to have control of the laptop and from his end he initiated a printout on her printer of two pages of text that included a price of several hundred dollars for "fixing" the security protection on her PC.
I had previously made a recovery USB drive for her. I tried to use it to boot into safe mode but was unsuccessful. I somehow managed to initiate a "reset" of the OS - a partial reinstall but after the installation completed I couldn't log in sensibly. If I log in as non admin I get logged straight off. If I log in as admin, the screen goes blank but the mouse cursor is responsive and when I press Ctrl+Alt+Del I get the screen that asks "switch user", sign out, task manager etc. If I click on task manager the screen goes back to all black. A couple of times a BSOD has come up saying "problem, we need to restart" and something about "kernel auto boost". If I initiate a restart from the afore-mentioned "switch user" screen, I can get into safe mode and browse the file system. After logging in to safe mode, a dialog comes up saying "you'll need a new app to open this ms-get-started" with an OK button. I can get into the registry ok.
I'm probably going to do a full re-install but I would very much like to know what has happened and if anyone has heard of this scenario before. Is there anything I can look for in the file system or registry to see what malware might be present?
I had previously made a recovery USB drive for her. I tried to use it to boot into safe mode but was unsuccessful. I somehow managed to initiate a "reset" of the OS - a partial reinstall but after the installation completed I couldn't log in sensibly. If I log in as non admin I get logged straight off. If I log in as admin, the screen goes blank but the mouse cursor is responsive and when I press Ctrl+Alt+Del I get the screen that asks "switch user", sign out, task manager etc. If I click on task manager the screen goes back to all black. A couple of times a BSOD has come up saying "problem, we need to restart" and something about "kernel auto boost". If I initiate a restart from the afore-mentioned "switch user" screen, I can get into safe mode and browse the file system. After logging in to safe mode, a dialog comes up saying "you'll need a new app to open this ms-get-started" with an OK button. I can get into the registry ok.
I'm probably going to do a full re-install but I would very much like to know what has happened and if anyone has heard of this scenario before. Is there anything I can look for in the file system or registry to see what malware might be present?
Facebook
Twitter