Need Advice - Mom Scammed

Discussion in 'privacy general' started by Brandonn2010, Apr 17, 2021.

  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Sad to say my Mom got a call from Amazon scammers saying there was fraud detected. Because she had been catfished in the past she thought it had something to do with that, so believed it was really Amazon.

    Needless to say, she gave them access to her computer via AnyDesk, where they attempted to use CoinBase that she had installed to send themselves Bitcoin. She called them out on it and they said they were testing something as part of their helping her. She didn't buy it. They also wanted her to log into her bank account which she refused. At that point she hung up and called the bank to put a stop on her card. Unfortunately the scammer was quick and used her CoinBase info to drain her bank account and send themselves bitcoin. Thankfully it bounced back a couple days later for some reason.

    She has been changing all her passwords, they apparently used her Google to search for how to transfer Bitcoin and stuff. I am wondering how concerned we should be about her computer, and phone. AnyDesk doesn't appear to even be installed, and HitmanPro found no malware. However, I think it would be wise to wipe her hard drive and reinstall Windows, unless you believe this unnecessary. She is also concerned about her phone, but I don't see how they could access that. A guy at the bank says she should get a new modem and router, and use a VPN. I don't think either is necessary.

    Any help is appreciated.
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    You may just restore whole OS backup created before the incident stored on mass storage not attached to the computer if you have it. Probably you can also give this computer to specialist who can manually analyze your OS to check for planted malware or security misconfiguration. If you don't have backup and don't want to spend money for a specialist then I would advise to create copy of important documents then wipe HDD/SSD and install OS. It is hard to beat good, old format c: command when it comes to security.

    If you really want to you may do factory reset on router and set net new password just to be sure they don't have password to that device or some port forwarding rule.
     
  3. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    I would also go with a backup what is important and then format the hdd. I wouldn't trust any scanner 100% to find everything after that.
    Maybe make sure that mom only has the bare minimum on banking stuff on that pc. For me it reads like she is at risk to be catfished again or scammed (not sure how to fix that).
    Tell her if random people call and say we need to use your pc to just hang up. If it would have been legit and an account gets blocked you will deal with it.

    Maybe a standard user account would have prevented this? You install the software she wants and after that there is no install for her alone anymore. (Better ask a more knowledgeable user for advice here).

    I would also change all the passwords for the coinbase/programs/banking she used from a known clean pc.
     
    Last edited: Apr 17, 2021
  4. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Alright, I will format her laptop tomorrow and reset our router. I've been meaning to do that since I'm locked out of it. However, her Google account seems really compromised. She changed the password but it seems like they may still be trying to use her account to do stuff?
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    There is a Security tab (sub-page? on the left) on the Google Account page. There are settings about additional recovery telephone numbers, other recovery e-mail addresses, logged in devices (Chrome, Chrome OS, Android, other browsers with Google session cookies). There you can log out already logged in devices. There are also alternate non-password (Android device instead) and 2FA login methods.
    There is also permissions stuff. Google exposes API that lets third-party vendors use data from various parts of Google Services to do stuff. Sometimes it is legit and useful, but it may also be abused by hackers.
    Before changing password look at browser addons/extensions. It is not uncommon for malware/crackers to plant some password-stealing extensions here.
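
The extension check suggested in the post above can be done from disk instead of by eye. This is an added example, not part of the original thread: it assumes Chrome's default profile on Windows, and the list of permissions worth a second look is this example's own choice.

```python
import json
import os
from pathlib import Path

# Permissions that let an extension read pages, cookies or traffic.
# Assumption: a reviewer's starting list, not an official classification.
BROAD = {"<all_urls>", "cookies", "webRequest", "tabs", "history",
         "clipboardRead", "nativeMessaging", "debugger", "proxy"}

def default_extensions_dir():
    """Chrome's default-profile extension folder on Windows (other profiles differ)."""
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

def is_broad(perm):
    # Host patterns such as *://*/* or https://*/* match every site.
    return isinstance(perm, str) and (perm in BROAD or "://*/" in perm)

def list_extensions(ext_dir):
    """Return one record per extension version found under ext_dir."""
    found = []
    # On-disk layout: Extensions/<extension id>/<version>/manifest.json
    for manifest in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None
        if not isinstance(data, dict):
            data = {}  # unreadable manifest: still report the folder
        perms = []
        for key in ("permissions", "host_permissions", "optional_permissions"):
            perms += data.get(key, [])
        for script in data.get("content_scripts", []):
            perms += script.get("matches", [])
        found.append({
            "id": manifest.parent.parent.name,
            "name": data.get("name", "(unreadable manifest)"),
            "version": data.get("version", manifest.parent.name),
            "broad": sorted({p for p in perms if is_broad(p)}),
        })
    return found

if __name__ == "__main__":
    for ext in list_extensions(default_extensions_dir()):
        flag = "REVIEW" if ext["broad"] else "ok"
        print(f'{flag:6} {ext["id"]} {ext["name"]} {ext["version"]} {ext["broad"]}')
```

A name shown as `__MSG_...__` is a localisation placeholder; look the extension id up on the browser's extensions page to see what it is before deciding to remove it.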
     
  6. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Set up 2FA, there were no devices signed in other than her phone, no weird recovery numbers or emails. Her search history had things like "how to send bitcoin through atm," and other sketchy stuff, but nothing since the 15th, and she changed her password on the 16th I think.
     
  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    I think your Ma got lucky. Sounds like her scammers are just beginning their careers.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I wonder if your mother needs to be able to install apps? If not, you could lockdown the machine with for example EXE Radar, this means that only you can install apps on her system. Most people only need to use a couple of apps, so you can simply whitelist them, all other apps are blocked.

    https://www.novirusthanks.org/products/exe-radar-pro/
     