Assessing and cleaning up scam compromised computer-phones

Rigo

What tools/procedures do you use for assessing and cleaning scam compromised devices to make sure nothing is still lurking in them?
Review installed apps and programs and uninstall odd looking, remote access ones;
Empty browser caches, cleanup temp files and folders;
Visually scan for left-overs in Program files folders;
Run Adwcleaner and Malwarebytes;
Search through the registry and remove entries relating to uninstalled/removed apps/programs, remove;
What else?
 
My main preference is nuke and pave if the eu has allowed the blackhat to actually access the device in question. If it's just a case of the infamous popup "your computer is infected", etc and nothing else I'll just clear the cache, to include history. If it started in an email(s) I'll delete those as well.
 
My main preference is nuke and pave
Yes, for maximum security. For most end users, doing a malware scan, looking at the download folder & start-up programs / services / tasks is usually enough.
And of course, changing the passwords saved in their browsers...
 
Nuke and pave for computers, period. For phones it's another story - it's relatively hard to actually allow a scammer onto the device, so cleaning off any apps/clearing cache should be sufficient. Every so often I come across an iPhone with a rogue account or a rogue profile on it. Much more common is an Android with some awful combination of malicious launchers and "security" apps. Just uninstalling those apps can take some doing, but once they are gone things seem fine.
 
There is no way to be sure nothing is still lurking without a N&P.
There is no way to be sure - period. Think about UEFI / Firmware viruses...
You have to draw the line somewhere... I found out that for most residential, a scan & a good inspection is enough. Your mileage may vary :)
 
There is no way to be sure - period. Think about UEFI / Firmware viruses...
You have to draw the line somewhere... I found out that for most residential, a scan & a good inspection is enough. Your mileage may vary :)

And because there is no way to be absolutely sure, you have to look at the probabilities. Something that's possible, but only remotely so, should not get the same consideration and action plan that the "pretty likely" should.

It is entirely appropriate to draw all sorts of lines based upon all the data points at your disposal. That's what professional judgment is about, and what one person may deem an acceptable compromise another may not. There is no One True Way.
 
What tools/procedures do you use for assessing and cleaning scam compromised devices to make sure nothing is still lurking in them?
Review installed apps and programs and uninstall odd looking, remote access ones;
Empty browser caches, cleanup temp files and folders;
Visually scan for left-overs in Program files folders;
Run Adwcleaner and Malwarebytes;
Search through the registry and remove entries relating to uninstalled/removed apps/programs, remove;
What else?
Nuke from orbit, but if that's not an option I do what you've stated. Plus, I always unhide and prowl through the /AppData/Local, /AppData/LocalLow, and /AppData/Roaming folders.
All kinds of rubbish lurking in there.
 
There is no way to be sure nothing is still lurking without a N&P.
Exactly. In the end the customer makes the decision, which they are aware is theirs alone. I've had a handful prefer not to n&p. They're comfortable with the risk. To be honest the vast majority of users are not targets of nation states, global crime syndicates, etc. So the seriously persistent stuff isn't available to the run of the mill scammers. But still I always recommend n&p if they have allowed a remote connection. For mobile devices it's like @carmen617 said. Almost impossible to truly p0wn so it's a matter of removing all the cr@pware they might have installed.
 
Great insights and contributions from all 👍🏽
Yes, most of those coming in they've actually installed remote access software into their machines and given access.
By the time they feel that something might be off, the damage is already done.
It's hard to blame these people caught at the ripe moment when they're most vulnerable. Lottery rules do work for these scammers and they put serious work in what they do.
 
Nuke from orbit, but if that's not an option I do what you've stated. Plus, I always unhide and prowl through the /AppData/Local, /AppData/LocalLow, and /AppData/Roaming folders.
All kinds of rubbish lurking in there.

...and the startup keys in the registry as well - hits there are fewer than in the old days, but I still see them.
 
If system has been compromised, as in allowing a malicious source to remote into system; it gets nuked.
If it is a mere annoyance bug, will manually clean - Advise customer they may lose passwords in this process.

%APPDATA%/LOCAL/TEMP/
.reg for Run once & Startup
Msconfig for startup apps
Check startup folder [shell:startup] via RUN
Uninstall any remote apps and check others in Program manager
Disable addons/plugins for browsers
Reset browsers to original state
Use a scanner that will reboot to check preboot sectors

Use WRT to reset network and to check filesystem and repair.
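The checklists in this thread (the opening post's review of installed apps and registry leftovers, the AppData\Local, LocalLow and Roaming folders, the Run/RunOnce startup keys, the startup folder and %APPDATA%\Local\Temp listed just above) can be walked in one read-only pass. The script below is added here as an illustration and is not something any member posted. It assumes an elevated PowerShell session on Windows 10 or 11, and the remote-access tool names in $RemoteToolPattern, the user-writable path pattern and the report location are assumptions to adapt from your own case notes. It only lists what it finds and writes a report; deciding what to uninstall or delete stays a manual step.

```powershell
# Added triage example for this thread, not a script posted by any member.
# Read-only: enumerates common persistence points and writes a report.
# Assumes an elevated PowerShell on Windows 10/11; it deletes nothing.

$ReportPath = Join-Path $env:USERPROFILE 'Desktop\triage-report.txt'
# Assumed starting list of legitimate remote-support tools scammers often have
# victims install; extend it from your own experience.
$RemoteToolPattern = 'anydesk|teamviewer|ultraviewer|supremo|rustdesk|logmein|screenconnect|connectwise|splashtop|ammyy|zoho'
# Autostart commands living under user-writable folders deserve a closer look.
$UserWritablePattern = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Get-InstalledPrograms {
    # Same data "Programs and Features" shows, read from the Uninstall keys
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation
}

function Get-RunKeyEntries {
    # The classic Run/RunOnce autostart keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* bookkeeping properties the registry provider adds
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$props.$name }
        }
    }
}

function Get-StartupFolderItems {
    # Per-user (shell:startup) and all-users startup folders
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    Get-ChildItem -Path $folders -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree that are still enabled
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
        ForEach-Object {
            [pscustomobject]@{
                Task   = "$($_.TaskPath)$($_.TaskName)"
                Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
}

function Get-RecentAppDataExecutables {
    # Recently written executable/script files under AppData and Temp
    param([int]$Days = 14)
    $roots  = @($env:LOCALAPPDATA, "$env:USERPROFILE\AppData\LocalLow", $env:APPDATA, $env:TEMP)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.msi, *.ps1, *.vbs, *.js, *.bat, *.cmd, *.scr |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

$programs   = @(Get-InstalledPrograms)
$runEntries = @(Get-RunKeyEntries)
$sections = [ordered]@{
    'Installed programs matching remote-access tool names'      = @($programs | Where-Object { $_.DisplayName -match $RemoteToolPattern })
    'Run/RunOnce entries (all)'                                 = $runEntries
    'Run/RunOnce entries launched from user-writable folders'   = @($runEntries | Where-Object { $_.Command -match $UserWritablePattern })
    'Startup folder contents'                                   = @(Get-StartupFolderItems)
    'Enabled non-Microsoft scheduled tasks'                     = @(Get-NonMicrosoftTasks)
    'Executables written under AppData/Temp in the last 14 days' = @(Get-RecentAppDataExecutables -Days 14)
}

$lines = @("== Triage report: $env:COMPUTERNAME, $(Get-Date -Format s) ==")
foreach ($title in $sections.Keys) {
    $lines += "", "-- $title --"
    $items = @($sections[$title])
    if ($items.Count -eq 0) { $lines += "(none found)" }
    else { $lines += ($items | Format-Table -AutoSize -Wrap | Out-String).TrimEnd() }
}
$lines | Out-File -FilePath $ReportPath -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

Read the report next to the customer's account of what happened: a remote-support tool installed on the day of the call, a Run entry or task pointing into AppData\Local\Temp, or a fresh .exe in the startup folder is the kind of hit the posts above describe. Anything you remove afterwards should be noted in the job ticket, and for a machine where the scammer had a live remote session the thread's advice still stands: the script narrows the search, it does not replace nuke and pave.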
 
I realize it's not exactly related, but you could ask your client: "If your CC was compromised would you still use it and not report it?"

It helps them understand the risk. I realize some may have reasons to not N&P but as a professional I won't put my seal of approval when I know something could still be there. It's not an ideal world, (as in it doesn't always happen) but every computer user should be prepared for the worst case scenario just like schools and buildings have emergency drills so you know what to do if something bad happens. It's that knowledge and preparation that saves lives.

It's interesting on a side note Google has started disabling permissions (or something like that) for apps you haven't used in a while. I think this might be a security measure as some apps might lie idle until activated, this would reduce the permissions available. Some malware/virus are known to lay low for a bit.
 
It's interesting on a side note Google has started disabling permissions (or something like that) for apps you haven't used in a while.

That's been a part of recent Android versions. I think it started with 13, but it might have been earlier. Because I "lard" my phone with blind-centric apps (and I'm not blind) when I'm working with clients with their devices, I get tons of these, "permissions removed," messages for various apps as time marches on. It's a good idea, and it's simple to grant the needed permissions again if you keep the app and fire it up at a later date, which I often do.
 
Hence the "Your mileage may vary" from my reply...

Why is it that no one seems to be able to read comments such as my previous one as direct support of their own previous ones?

This is one of the few venues where, when I say something that supports/reinforces/approves of/reiterates, a point someone else has made that they take it as my having ignored what they've said.

If it's not clear, I was agreeing with you and just emphasizing that there is no one way. I also agree with you that the facts about the plusses and minuses of any approach should be shared, and the client allowed to make a choice based on their take on the situation and tolerance for risk.
 