This situation matches a long‑running account/device compromise and likely tech support or online fraud activity. The priority is to remove the attacker’s access, secure accounts and devices, and work with financial institutions and law enforcement.
Concrete steps based on the provided guidance:
- Remove attacker access from devices
  - Uninstall any apps that were installed at the attacker’s request or that appeared around the time the problems started. See “Repair or remove programs in Windows” from the article for detailed steps.
  - If the attacker ever had remote access or admin access to the Surface or PCs, consider fully resetting those devices. The “Recovery options in Windows” article explains how to reset Windows. This is time‑consuming but is often the safest option when an attacker has deep control.
  - After reset, reinstall only trusted software and do not restore unknown or suspicious backups.
- Scan for malware and apply updates
  - On Windows devices (Surface, HP notebook), run a full scan with Windows Security to remove any malware. The “Stay protected with Windows security” article shows how to run an advanced/full scan.
  - Install all available Windows updates: Start → Settings → Update & Security → Windows Update, then install all security and quality updates.
- Secure Microsoft and other online accounts
  - Change passwords for all important accounts (Microsoft, email, banking, Apple ID, etc.) from a device believed to be clean.
  - Turn on multi‑factor authentication (MFA) wherever possible. The “Use multi-factor authentication” article explains how MFA helps protect identity.
  - Review account sign‑in activity and remove unknown devices and sessions. For Microsoft accounts, sign out everywhere and then sign back in only from trusted devices.
- Respond to financial fraud
  - Immediately contact the credit card providers and banks whose cards were used to send money without authorization. Explain that the card details were compromised and used fraudulently.
  - Ask them to reverse or contest the charges and to cancel and replace affected cards so they cannot be used again.
- Treat this as an online scam/attack
  - The behavior described (long‑term access, moving money, controlling devices) aligns with online scams and attacks.
  - Review the guidance in “Protect yourself from online scams and attacks” and “Protect yourself from tech support scams” to better recognize and avoid similar attacks in the future.
- Preserve evidence and involve authorities
  - Keep the screenshots, logs, and any records of unauthorized transactions as evidence.
  - Report the fraud to local law enforcement and, where applicable, to the bank’s fraud department. They can advise on next legal steps.
- Ongoing protection
  - Use Microsoft Defender and Windows Security protections and keep them turned on.
  - Consider Microsoft 365 Family or Personal with Microsoft Defender identity theft monitoring if available, which can help monitor for identity misuse.
If any device appears to still be under someone else’s control after these steps, do not use it for banking or sensitive activity until it has been fully reset and secured.
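The device checks above (apps that appeared around the time the problems started, Windows Security status, full scan) can also be run from an elevated PowerShell window. This is an added example, not taken from the referenced articles; the `$ProblemsStarted` date and the `Get-RecentlyInstalledProgram` helper name are assumptions to adjust for the actual case.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows device.
# Assumption: approximate date the problems began (constructed placeholder).
$ProblemsStarted = Get-Date '2024-01-01'

# Hypothetical helper: list desktop programs whose uninstall entry records an
# install date on or after $Since. Entries with no InstallDate are skipped,
# and Microsoft Store apps are not covered, so also review Settings > Apps.
function Get-RecentlyInstalledProgram {
    param([datetime]$Since)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate } |
        ForEach-Object {
            $installed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$installed)
            if ($ok -and $installed -ge $Since) {
                [pscustomobject]@{
                    Installed = $installed.ToString('yyyy-MM-dd')
                    Name      = $_.DisplayName
                    Publisher = $_.Publisher
                }
            }
        } | Sort-Object Installed
}

# 1. Programs to review (and uninstall if unrecognized).
Get-RecentlyInstalledProgram -Since $ProblemsStarted | Format-Table -AutoSize

# 2. Confirm Microsoft Defender Antivirus is on and its definitions are current.
$status = Get-MpComputerStatus
$status | Format-List AntivirusEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureAge, FullScanEndTime
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off. Turn it on in Windows Security.'
}

# 3. Update definitions, then run a full scan (this can take hours).
Update-MpSignature
Start-MpScan -ScanType FullScan

# 4. Show what Defender has detected on this device.
Get-MpThreatDetection | Format-List InitialDetectionTime, ThreatID, Resources
```

The Defender cmdlets return errors when a third-party antivirus product has replaced Microsoft Defender Antivirus; in that case run the full scan from that product instead.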
References: