Elderly relative fell for this. They installed Quick Assist and connected.
Some time later I found out and asked them to hang up and switch off the computer.
What safety measures should now be taken, and where did the popup originate?
wcndave2,
You should always open your own thread in the forums, since I just happened to see your post, or it might never be answered.
If the relative accepted a remote connection, it's impossible to know what might have been done while the scammer had access, so some believe you should assume the worst and completely reinstall the affected machine, as well as of course changing all passwords to critical services stored or used from that device like the Microsoft, bank or other financial, government and similar accounts.
If reinstalling isn't an option, you should at least remove any software the scammers installed like remote control or others found by looking at the installation dates of installed software and of course run both the installed and possibly a 3rd-party anti-malware app like Malwarebytes Anti-Malware that can be installed on demand as a sanity check. Remove any malware detected and post a new thread here if you have questions about anything found or unable to be removed.
Of course, since we don't know what's been accessed on the machine, all of the relative's identity and other data that may be stored on the machine is potentially at risk, so following any of their bank's or government recommendations to protect themselves might be a good idea, but it's impossible to know how far to take this, so it really depends on how concerned you are about how long the attacker had access and what your relative tells you they provided to the attacker themselves during the call.
Identity theft | USAGov
Making this process seem daunting is often a good idea, since that tends to keep people from making the same mistake again, even when the images or other scamming methods are slightly different.
As for the popup, you'd have to ask the relative what they were doing when it came up, but typically today these are often driven through fake advertisements that redirect to websites that display popups using JavaScript that can place a browser in a tight loop that's difficult to escape, making unknowledgeable people believe their machine is actually locked when it's simply the browser. Using an ad blocker extension or configuring the browser to avoid allowing the collection of personal data are ways to reduce the chances they'll experience these popups in the future.
If the person knows how to open Task Manager using one of various quick-key or other methods, you can usually force these closed by using End task on the browser, though shutting the device down using the power button may work as well for less technical people. If those don't work, there may actually be malware involved in displaying the popup and posting or describing the image(s) displayed here for aid may be needed.
Rob
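
An added example, not part of the thread above: one way to do the "look at the installation dates" check from the reply, by reading the standard Windows Uninstall registry keys with PowerShell. The `$Days` look-back window is an assumption; set it to cover the date of the call.

```powershell
# Run in the affected user's own Windows account: the HKCU key only
# covers per-user installs for whoever is logged in.
$Days   = 14   # assumed look-back window; widen it to cover the day of the call
$cutoff = (Get-Date).Date.AddDays(-$Days)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is an optional yyyyMMdd string; many installers omit it.
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact(
            [string]$_.InstallDate, 'yyyyMMdd',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
        [pscustomobject]@{
            Installed = if ($ok) { $parsed } else { $null }
            Name      = $_.DisplayName
            Publisher = $_.Publisher
            Scope     = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
        }
    }

'--- Installed on or after {0:yyyy-MM-dd} ---' -f $cutoff
$apps | Where-Object { $_.Installed -ge $cutoff } |
    Sort-Object Installed -Descending |
    Format-Table Installed, Scope, Name, Publisher -AutoSize

# Entries without a date cannot be ruled out by date alone.
'--- No install date recorded (review by hand) ---'
$apps | Where-Object { -not $_.Installed } |
    Sort-Object Name |
    Format-Table Scope, Name, Publisher -AutoSize
```

Microsoft Store apps are not recorded in these keys; `Get-AppxPackage` lists those separately.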