Kevin C. Wong

Dad Got Phished

I spent Thursday evening checking my parents' PC. Dad went to a web site in Safari and got a security warning which sent him to a web site (on an Azure temp host) and a phone number to call. He did and talked to a guy who convinced him to log into the PC and run some sort of remote control software. Dad did catch on after ten minutes and shut down the computer.

There did not seem to be anything significant changed in the last day (I did a search by time using an admin account). Way too many small files changed but I didn't see any applications. This does not rule out changing settings or Windows configs. I also ran Norton antivirus, which was clean, though once again I don't think it catches setting changes.

They did a lot of stuff under remote control and both mom and dad were but couldn't really tell what was going on. Unlikely that a program was installed. I couldn't find the Windows install USB that Christopher had left and I didn't want to wipe out their hard drive and then try to manually restore their files (they had no working backups).

I set them up with LastPass because they were putting their passwords in plain text files and this way their passwords can be managed by Christopher and Corina and they can automatically use their passwords on their second device (mom uses PC and iPhone, dad uses iPad and iPhone).

Next time we're there I will set up iDrive cloud backup which can do image backups so you can restore a wiped disk. Also make sure that C2 can unlock their LastPass if they forget the master passwords.