It all started one afternoon...
My mother, who is 83 years old, received a call claiming to come from Apple Support. The "technician" on the line said that her computer had been hacked and that they had detected unusual activity on her Apple ID. They asked her if they could remote into her computer to fix the problem. I had warned her about such scams and suggested she access snopes.com to check such problems. So my mother asked the caller for verification and they mentioned her Apple ID and password, the credit card she uses on the account, and some personal information. All of this should have been a giveaway: Apple insists they don't know your Apple ID password and will never ask for it - although my experience has been somewhat different.
This, unfortunately, convinced her. She let the person remote into her computer. Once in, they said they had found multiple instances of infection and it would take some time to clean it up. She was asked to leave her computer on while they worked on it, and she did so.
Several hours later, after she and my father had gone on some errands, she mentioned it to him. He immediately called me and I told him to disconnect the computer from WiFi (a laptop) and to start changing all passwords, especially those with banking institutions, and canceling all their credit cards. I suggested a couple of other things for them to get started on and said I would be over as soon as I got home from work (they live a couple of blocks from me). Needless to say, I left work almost immediately.
When I got to their house, I went straight to work on her computer. Fortunately or unfortunately, depending on your perspective, it is a Mac laptop. This was a small problem as I am almost strictly a Windows/Linux person. I had done a little homework on my way home (I take a bus) about the problem, in order to be better prepared to troubleshoot the issue.
I had decided to use Carbon Copy Cloner to make a complete backup of the computer, due to my previous experience with the software and the extremely positive online reviews.
I made both a Time Machine backup and a Carbon Copy ISO backup of the entire laptop. During the backup I explained to my mother what she would need to do next. She told me that she had already contacted Apple Support about this and they had helped her change her Apple ID password.
As I have said previously on EE, the only way you can ever again trust a computer that has been infected in such a way is to completely wipe it and reinstall the operating system. She was not pleased to hear this, to say the least.
When the backups were complete, I tested each. The Carbon Copy backup was easy to mount - a simple double click mounted it as if it was the hard drive of the computer. It's then about finding the files you're interested in restoring. I showed my mother how to do this, explaining each step. I then checked the Time Machine backup. I am not used to Time Machine, but it seemed to be fine.
The next day she took the laptop into the Apple store to get it serviced. They, as is their policy, wiped the machine and reinstalled the operating system after asking her if she had a backup. The "geniuses" at the Genius Bar in the Apple store were unable to mount the image created by Carbon Copy Cloner, which I had tested the night before, and proceeded to tell her that she had lost all her data. They told her that the Time Machine image was last updated in 2014 (which is the date it was first created). Needless to say, I went over to their house that night and was easily able to mount the image from Carbon Copy and restore all the files she had on her desktop. She then asked about her Quicken program, which she uses to write all her checks to pay bills, and that was also easy to reinstall.
My mother did have trouble printing, which is the next step.
The moral of this story is simple: