r/techsupport Apr 25 '22

Was on my computer and someone started to type in PayPal and try to log in Solved

As the title says, someone was able to type on my computer and move the mouse. I eventually moved it enough and it stopped, and I'm doing a full scan right now. Is there anything I could do?

139 Upvotes

142

u/DangersClose Apr 26 '22 edited Apr 26 '22 Silver
  1. Make sure your computer is not connected to the internet via Ethernet or Wi-Fi!!! Physically unplug it.
  2. Change all passwords using a different device. Do this ASAP even if you think they didn't get anything; they could have done file transfers before attempting to remote in.
  3. Completely erase the partition using the BIOS and install a new Windows OS.

126

u/Airlab Apr 25 '22

You should erase the hard drive and reinstall the OS from scratch. There's no guarantee that you can remove it completely.

24

u/crumbbly Apr 25 '22

Main question about that is, if I were to copy a few games onto a USB and reinstall, would it be safe and would I have my save files?

72

u/Airlab Apr 25 '22

Oftentimes this type of malware can hide in files all over, so it would be risky to save anything. This is why you need to keep good backups.

17

u/niekdejong Apr 26 '22

This just sounds like a RAT, since the attacker moved his actual mouse. If he was a good one, he would've logged in with a separate account after powering up his computer remotely.

31

u/box_it_out Apr 26 '22

No, blitz everything. You don't know where the RAT is hiding, and scans won't necessarily reveal it. Format everything and start from scratch.

9

u/AvatarIII Apr 26 '22

If the games are on Steam, the saves are likely in the cloud.

16

u/DangersClose Apr 26 '22

No, any storage device plugged in could be vulnerable and could spread the RAT onto your new OS even after fresh install.

5

u/AreTheseMyFeet Apr 26 '22

Potentially to other devices on your network too depending on what is open/accessible from that first infected machine.

3

u/homiecydxl Apr 26 '22

If you're using Steam, your save files will be stored in the cloud so they'll be fine; I'm not sure about other launchers. It's best to do what the others say and wipe the entire drive.

-13

u/Badger118 Apr 26 '22

Only if you have Steam Cloud Saves activated, which has a storage limit, so not everyone does.

3

u/CoreRun Apr 26 '22

No, it would not be. If you are taking the precaution of a wipe, bringing over files would defeat the purpose since you have no idea where the malicious files are.

That being said, if you care about saves/pictures/documents, take advantage of free cloud backups and back up your content before these things happen.

3

u/ByGollie Apr 26 '22

Password changing time.

Have you another device, like a tablet? Start from there: two-factor authentication on all your critical accounts, and don't reuse passwords.

Stay away from cracked software; it's invariably riddled with malware, miners and trojans these days.

2

u/IWasNotOk Apr 26 '22

I have two bank accounts. The second I just put money over via banking app for purchases on PayPal. If ever hacked they’d get nothing. Highly recommend.

2

u/_sirch Apr 26 '22

What games need to be saved to a USB these days? Off the top of my head I would think emulators or cracked games, and that is most likely how you got infected in the first place.

1

u/scodal Apr 26 '22

It's doubtful that is where they stuffed their secret files. But, not impossible! They usually use scripts that use known directories on your computer. It seems unlikely someone would write a script that would seek out a game you potentially have installed and put itself there. Even if they did, after reinstalling Windows the naughty files you copy over would probably be dormant until you activated them again, which would also seem unlikely.

Are you in a situation where copying the games to USB is more convenient than just reinstalling them again via download or disc?

Things like ROMs won't be affected since they are just 1 single file usually, and a very specific file type at that. Same with video files or images.

1

u/Random_Vanpuffelen Apr 26 '22

Only do the save files. They are mostly put under the name "saves".

1

u/contentdumpr Apr 30 '22

LOL, aka you wanna keep your pirated games, likely the source of the RAT you downloaded. gg

0

u/someredditgoat Apr 26 '22

That will be safe. The ways that you gain remote access are with installed programs or Windows user settings exploits, so it would be safe to move things like pictures and documents.

2

u/AreTheseMyFeet Apr 26 '22

Multiple picture formats have had CVEs around arbitrary code execution, as well as basically all of the Microsoft Office file types; PDF and other document types support embedded scripting, meaning you can't completely trust those either.

2

u/scodal Apr 26 '22

That's true. Even if I felt like I had eradicated it, I'd still never feel 100% good about it until I did a full wipe.

29

u/akhillenburg Apr 25 '22

Go scorched earth on it

9

u/crumbbly Apr 25 '22

What does that mean?

4

u/akhillenburg Apr 25 '22

Erase, then run a DoD program over it to write 1s or 0s (dealer's choice) to the drive.

10

u/lastwraith Apr 26 '22

But if it's an SSD just issue a secure erase command. Multiple overwrite passes are more for traditional HDDs.

6

u/akhillenburg Apr 26 '22

True, but this is from the paranoia of the old days.

2

u/lastwraith Apr 26 '22

For spinners sure.

3

u/helmsmagus Apr 26 '22

Just format it. That's only necessary if you want to make sure nobody can ever recover data from it, which isn't needed here.

2

u/arealiX Apr 26 '22

Wouldn't the virus go inactive even with a simple format? I know it would be on the storage until overwritten, but it's not gonna restore and execute itself?

7

u/MrFumbles91 Apr 26 '22

Had this happen to me last night.

Left Chrome open and went to watch Netflix on my TV and came back to my desktop locked (it had been doing that a bit lately but I didn't think too much of it). When I unlocked my PC my Chrome window was closed, so I opened it and hit CTRL+T to open recently closed tabs, to discover someone had accessed my Coinbase account and was looking at my text messages.

Seriously creepy. Guess I'll be doing a reinstall in the very near future.

1

u/LXNDSHARK Apr 27 '22 edited 25d ago

.

2

u/MrFumbles91 Apr 27 '22

Yep yep, thanks. I actually got a notification from the Coinbase app on my phone that a new device had logged in, so I locked the account. I'm hoping what little crypto I had is still there, but it's not a life-changing amount if not.

6

u/thinkpad_geek Apr 26 '22

Follow all the advice everyone here has given you. I would also check your wireless router and make sure your DNS servers are what they are supposed to be. I've seen several get changed, and if so, factory reset it as well, making a new admin password.

5

u/Ohgoody74 Apr 26 '22

I agree with everyone saying wipe the drive and start over. Disagree with everyone saying run a virus scan. There is no way to know if you got it all if it does detect anything. Safest bet here is to wipe it and re-install.

3

u/scodal Apr 26 '22

I also don't think a virus scan is necessary. Even afterwards I still wouldn't feel safe or satisfied.

3

u/Ohgoody74 Apr 26 '22

Exactly. Back in my beginner days of IT I would literally spend an entire day chasing a virus; after some years of doing it I realized that just wiping the drive is a quicker solution in most cases.

1

u/ACEDT Apr 26 '22

I mean, if you get lucky the RAT won't be hidden well and it'll get found. That is completely possible; of course it probably won't happen, but there's always a chance, and you don't lose data that way.

2

u/Ohgoody74 Apr 26 '22

Yeah, agree, but even if found and removed you never know what traces are left. It is possible, just saying for 100% certainty a wipe is the best way to go... just my opinion of course.

2

u/ACEDT Apr 26 '22

Oh absolutely. Antivirus is never 100%, but for some people 75-80% certainty is enough, and if something happens again a full wipe can be done. Since this person has expressed not wanting to lose data I think they should at least try AV before nuking the disk.

1

u/Ohgoody74 Apr 26 '22

Never hurts to try, for sure.

13

u/Sooraya7 Apr 26 '22

Sounds like you've been ratted. Do a complete fresh install of your OS, meaning wipe the entire drive leaving nothing at all and reinstall the OS.

10

u/Encursed1 Apr 26 '22

Make sure you don't have any unknown USBs in your PC, and then wipe it.

24

u/UnionCool5939 Apr 26 '22
  1. Disconnect from the Internet.
  2. Scan your computer with a good AV package; I recommend BitDefender. If you're using Windows Defender, get something better. Do a full scan, not just executable files but all files.
  3. If the AV software detects the issue and it reports something that matches the symptoms you are seeing, note that. Let the AV software take any removal steps, or if the AV software detects nothing, still continue.
  4. Back up your computer or important files to a physical device.
  5. To be absolutely safe, do a reformat and reinstall.
  6. Do another full scan of the system and scan the backup media.
  7. You can restore most data files without issue; infected data files are easy to scan and generally safe after being scanned (steganography included). Game saves should be OK, after a scan to be safe. Be sure to use original media to install the games.
  8. You are most likely to get reinfected when you go back to the website that infected you in the first place. That's where you need to be careful.

2

u/niekdejong Apr 26 '22

Why is this getting downvoted? This is really good advice and is also how I'd go about it. OP doesn't have a cryptolocker virus. He only has a 'simple' RAT. Something you can easily mitigate without DBAN'ing your computer.

8

u/AreTheseMyFeet Apr 26 '22

Back up your computer or important files to a physical device.

I think because of this step. Anything you back up now has the possibility to also be infected. Safer to treat everything on the machine as suspect, and while it's shitty, anything you haven't backed up from before the infection should be considered "lost". Hopefully OP can restore from backups, redownload, or replace via friends/family.

If OP has no backups I'd probably suggest getting a new SSD/HDD to reinstall their OS to and keeping the current drive (removed from the PC) to slowly and safely extract just the most important and irreplaceable files they need back. I'd do this offline and using a Linux live USB or similar, to ensure that anything still lurking around has as little opportunity as possible to get its hooks in again.

5

u/RandmTyposTogethr Apr 26 '22

Yup. I would never back up an infected machine. Malware can be quite sophisticated, and it's very normal for it to have redundancy in the form of copying itself over thousands of files just in case the user starts nuking stuff.

Moving copies of those files to a new computer infects that computer too.

0

u/UnionCool5939 Apr 27 '22 edited Apr 27 '22

Well, no, it does not. Merely copying an infected file to a computer does not infect the target computer. If the infected file does happen to have a malicious payload of some kind it must be executed to deliver that payload and infect the machine. Files that don't get executed can't deliver a payload. Generally speaking, data files don't get executed so they can't deliver a payload.

There are some notable exceptions, Word docs are data files and can't deliver a payload. A Word doc might contain a macro, which is an executable file that could deliver a payload. Which is why you want to turn off running macros in Word.

Database files can be both a data file and an executable file.

JPGs are not among the notable exceptions. JPGs can be copied, transferred and viewed without worrying about infection. The idea that JPGs can infect a system is a myth. The methods by which an executable file disguised as a JPG gets executed all require some infection external to and separate from the bad JPG file. Which would have already been removed by reinstalling your system.

As with JPGs data files should be safe to copy and use on the new system.

.exe, .com, .vbs, .bat, .js are some examples of executable file extensions to be wary of. .jpg, .png, .sav, .tif are examples of files that are safe to copy and use. I did not include audio or video files in the safe list; there can be difficulties there, but most better AV software should be able to detect and clean those.

Turn off the default "hide extension" setting in Windows so that you can see the extension of each file and check online to see what type of file it is.

2

u/RandmTyposTogethr Apr 27 '22

A very simple way a data file can be infected is for example a dumb application that evaluates the data file directly. Maybe the user uses "Unsafe Notepad" as their primary text editor and opens their infected "Personal Notes.txt" which contains a malicious payload. And that's all it takes.

In other words. Yes, it does. Always err on the safe side.

0

u/UnionCool5939 Apr 27 '22

There is no method by which Notepad on an uninfected system would execute any infection in an infected txt file. What you cite cannot and would not happen.

1

u/RandmTyposTogethr Apr 28 '22

You are missing the point completely. I'm not talking about Microsoft Notepad that's been battle-tested throughout history. I'm talking about your average user posting in /r/techsupport if they should act when someone else is using their computer without their input. You can probably see how that type of user might download some third-party software which they, or we here know absolutely nothing about. You cannot know what software does unless you wrote it yourself. Amateur developers might just do e.g. eval(file_contents), how would you ever know?

3

u/niekdejong Apr 26 '22

I think because of this step. Anything you back up now has the possibility to also be infected. Safer to treat everything on the machine as suspect, and while it's shitty, anything you haven't backed up from before the infection should be considered "lost". Hopefully OP can restore from backups, redownload, or replace via friends/family.

Hmm, yeah, fair enough. Although my opinion is that if it isn't ransomware, do multiple scans, and if it comes up clean it's fine (and you can proceed with the next step). But apparently most do not agree with this.

2

u/Necessary_Roof_9475 Apr 26 '22

I agree with you on this one. Scan the files with AV before putting on the new clean computer to make sure they're safe. No need for OP to lose all their files.

2

u/UnionCool5939 Apr 27 '22 edited Apr 27 '22

Exactly, there's no reason to lose 10 years of family photos or that novel you've been writing since 6th grade for something that isn't a problem anyway. Don't restore files like .exe or .com, etc. They should only get back on the system by way of an installation program from original, or re-downloaded, media.

2

u/AreTheseMyFeet Apr 26 '22

I'd still be hesitant to restore files from the infected drive even with a passing AV scan. AV scanners and malware/virus authors are in a constant leapfrog battle where each is always trying to fool/cheat/detect the other's actions/capabilities, which, to me at least, means I wouldn't fully trust a scan from "today" to catch everything that might have infected the files. I might shelve the drive for a few months and scan again later, which would give a little more peace of mind that the scanners have at least had some time to discover and respond to any new methods/vulnerabilities used by bad actors that could have been missed in the initial scanning.
Probably a little overly paranoid, but unless there were files I absolutely needed to recover ASAP I'd approach the data recovery slowly and patiently. No need to open up possible avenues for re-infection unless critically necessary. /shrug

1

u/UnionCool5939 Apr 27 '22

Backing up or copying an infected file doesn't cause anything else to be infected. I do not know where people get this from. Probably from the movies or TV.

You just have a copy of an infected file. I have hundreds of them on my system that I have used for research and study purposes. They are there because I copied them there and excluded that folder from AV scanning.

Do a file backup or a full backup then sort out the known safe files (generally by extension but also AV scanning) and transfer to newly installed system.

1

u/AreTheseMyFeet Apr 27 '22

Just copying the file, no, that's not going to trigger anything immediately, but what is the point in restoring a file you'll never open?
You obviously know the contents of your excluded folder are unsafe and approach it cautiously, but an average user will want to open/use the things they recover, and that's when the re-infection kicks in.
Perhaps days, weeks or even months later, probably long after they've forgotten to be wary of those files. And not trying to diss OP here, but basically anybody who posts here asking for help like this probably doesn't have the skills to either know the ins and outs of how to safely handle infected files or precisely which kinds of files should be handled carefully, as they may be able to trigger re-infections (if compromised).

So the general advice to less experienced or knowledgeable users typically leans more to the side of caution, because explaining all the caveats can be confusing, overwhelming, or lead somebody to believe they are "safe" when that may not actually be the case.

1

u/UnionCool5939 Apr 27 '22

But that's not the point.

Before doing anything else you do a backup. That is not going to harm or risk anything. Regardless of the skill level of the person doing the backup. The backup is not on the reinstalled system it is on backup media.

Whatever happened, whatever the problem was, you do a backup. Period. End of story. No argument there.

Then we can talk about what to do with the backup.

1

u/AreTheseMyFeet Apr 27 '22

What's the backup procedure, though?
Your instructions only say make one. A naive user might turn on the infected computer, insert a USB stick/drive and start copying. Now they've potentially infected that drive (via autorun). When they go to transfer the files to another machine, or the same one after a reinstall, hey, more autorun, and they're back to square one.
I'm not disagreeing that it's possible to safely transfer/handle infected files/media; I'm just saying that the average user doesn't know how to do it safely, so the better advice is not to encourage it lightly (or at all, unless they have no other means of recovery).
In my second comment here I suggested shelving the drive rather than formatting, so that in the future, with care and patience, the user can still get back anything they absolutely can't replace via other means. Your suggested steps just read a little careless to me, as they're missing the crucial info on how to do that safely; moreover, not even a warning to the user about the dangers. You're not wrong in anything you say, but because of what you haven't said, your advice is simply not good advice for a novice. Go ahead and edit/expand the post, I'll upvote it. But as it stands, I see it as dangerous. /shrug

1

u/ACEDT Apr 26 '22

If you're using Windows Defender get something better.

To be completely fair, Windows Security has gotten really good recently. Maybe not as good as BitDefender but definitely good enough for daily use.

1

u/UnionCool5939 Apr 27 '22

But everything else has gotten better as well. On both sides: the malicious software and other AV software.

AV Comparatives is still my go-to source for AV software testing, but they set the bar on detection rate at 90%, which I find fairly useless.

Windows Defender gets a Pass Pass Pass, which seems fine but BitDefender gets Excellent Great Best. (They don't actually use those terms, AV Comp uses a combination of ratings that include "Gold" & "Silver" and other terms but you see what I'm getting at).

To be fair, almost all of the products get in the 97% to 99.xxx% range, but BitDefender has been in the top 1 or 2 more than anyone in the past 15 years.

I have seen a machine running Defender being eaten up by ransomware that was caught immediately on install of BitDefender.

By the time I got there thousands of music, video and other data files had been lost to encryption.

At least 3 other packages I know of would not have let that happen. People use Defender because it's free but now that you can get a year of BitDefender for 5 devices for $20 it's worth the investment.

I do not work for BitDefender or receive any financial incentive for recommending them.

1

u/ACEDT Apr 27 '22

But everything else has gotten better as well

I meant better relative to viruses; you have a point, but that's not what I meant.

BitDefender is great, I'm not arguing that. All I'm saying is that WD isn't the shitty useless junk it used to be; it's actually competent AV now, and in conjunction with a somewhat competent user (i.e. not downloading stuff from shady sites, not opening spam email attachments, etc.) is honestly good enough. Sure, it's not the best option out there, but it's good enough for most people.

2

u/venvaneless Apr 26 '22 edited Apr 26 '22

That sounds seriously creepy. I'm a noob, therefore can someone explain how on Earth it's even possible for the hacker to move the mouse remotely?
Why do some here advise to completely buy a new one? I'd suggest a new hard drive if a complete scan didn't help, but then my other question would be, how deep does this kind of malware sit, and does it survive a full-blown reinstall? Which antivirus is a good one in that case?

3

u/Open_Regular90210 Apr 26 '22

This is most likely a RAT (Remote Access Trojan).

3

u/ACEDT Apr 26 '22

Almost certainly a RAT. Think of it as weaponised VNC, at a heavily oversimplified level. Not that crazy tbh, but a real pain to deal with. And no, pretty much nothing can survive a disk wipe; it's on the disk, so if you wipe the disk you wipe the virus.

2

u/ACEDT Apr 26 '22

Sounds like a RAT. If you don't mind losing some data, skip to step 4; if you want to try your best to retain data, then you can try 1-3 first.

  1. Disconnect all network connections; that means Wi-Fi, Ethernet, everything.

  2. Run a full scan. Assuming you're on Windows, you can go to Windows Security | Virus & threat protection | Scan options, then select Full Scan. Wait for that to complete. If it doesn't find anything, try Microsoft Defender Offline Scan.

  3. If you find something, then you're in luck; try having Windows Security deal with it (tell it to remove the threat). It's highly likely though that you won't find everything, so if you wanna make sure you're safe, or if you don't find anything, go to the next step.

  4. Format the drive. The whole thing; just delete all the disk partitions with a partitioning tool.

  5. Reinstall your OS.

If you do steps 4 and 5 you're 100% guaranteed to be safe; otherwise no guarantee, but you might be able to get rid of it with Windows Security if you're lucky.

2

u/[deleted] Apr 26 '22

I don't have anything helpful to add, but good luck.

1

u/dt7cv Apr 26 '22

If you elect to fight the malware yourself, you'd better get a new computer in the interim.

I had a pervasive malware scenario go through one of my computers once that broke the operating system. It took weeks to months to fix it. Eventually I ended up reinstalling from scratch.

1

u/keefstanz Apr 26 '22

If you have to use USB to transfer the games, sounds a bit like they might not be legit... if they aren't legit, perhaps that's where the trouble came from. Just throwing it out there.

1

u/TreskTaan Apr 26 '22

Sounds like you got a TeamViewer type of software installed?

1

u/bradbeckett Apr 26 '22

Do you have TeamViewer installed?

1

u/InuSC2 Apr 26 '22

I expect it to be remote access software like TeamViewer, AnyDesk... Remove those and you should be fine. I can't expect you got a RAT on your PC.

1

u/scodal Apr 26 '22

If I were a bad boy I'd use a custom version of a VNC server that wouldn't be easily found or noticeable. That wouldn't even show up in Add/Remove.

1

u/InuSC2 Apr 26 '22

Most of that stuff is found in startup or Task Scheduler, since you most likely set it to start after logon. Not that hard to compromise someone these days, since most of the software is ready to use by default.

1

u/RMProjectsUK Apr 26 '22

Time to check what runs on start-up and anything recently installed; half the battle is figuring out how it got there before it happens again, potentially.

1
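An added example, not code from the thread or from any of its posters: a read-only PowerShell triage script that walks the places the last two comments point at (Run keys, startup folders, scheduled tasks, installed or running remote-access tools), and also lists the DNS servers the client is using, since an earlier comment suggested checking those. It assumes Windows 8 or later with the built-in ScheduledTasks, NetTCPIP and DnsClient modules, and an elevated prompt on a machine already disconnected from the network. The remote-tool name list is a constructed starting point, not an exhaustive one.

```powershell
# Added example (not from the thread). Read-only triage of common RAT
# persistence locations; nothing is changed, only reported.
$report = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Detail) {
    $report.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
}

# 1. Autostart registry keys (machine-wide and per-user Run / RunOnce)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Skip the PS* bookkeeping properties Get-ItemProperty adds
        if ($p.Name -notmatch '^PS') { Add-Finding 'Registry Run key' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Startup folders (per-user and all-users)
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup folder' $_.Name $_.FullName }
}

# 3. Enabled scheduled tasks outside the \Microsoft\ tree, with what they execute
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'Scheduled task' "$($_.TaskPath)$($_.TaskName)" $action
    }

# 4. Installed programs, processes and services whose names match known remote-access tools
#    (constructed list; extend it for your environment)
$remotePattern = 'TeamViewer|AnyDesk|VNC|Splashtop|LogMeIn|RustDesk|Ammyy|Chrome Remote'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $remotePattern } |
    ForEach-Object { Add-Finding 'Installed program' $_.DisplayName $_.InstallLocation }
Get-Process | Where-Object { $_.ProcessName -match $remotePattern } |
    ForEach-Object { Add-Finding 'Running process' $_.ProcessName $_.Path }
Get-Service | Where-Object { $_.Name -match $remotePattern -or $_.DisplayName -match $remotePattern } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.DisplayName) [$($_.Status)]" }

# 5. Listening TCP ports and the process behind each one (a VNC-style server
#    waits for inbound connections, so an unexpected listener is worth a look)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Listening port' "$($_.LocalAddress):$($_.LocalPort)" "$($proc.ProcessName) (PID $($_.OwningProcess))"
    }

# 6. DNS servers configured on each interface; compare against what your router/ISP should hand out
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { Add-Finding 'DNS server' $_.InterfaceAlias ($_.ServerAddresses -join ', ') }

$report | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Anything unfamiliar in the output is a lead for the scan-or-wipe decision discussed above, not proof on its own; legitimate software also lives in these locations.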

u/Anil8ter Apr 26 '22

Happened to a friend of mine once when I was at his house. He only saved a few important files onto a USB and checked them, and then he formatted everything.

1

u/thomasmitschke Apr 26 '22

Be sure your computer does not have Intel AMT, and if so, that it is disabled.

1

u/ADMINISTATOR_CYRUS Apr 26 '22

Sounds like a RAT 😬

1

u/UnionCool5939 Apr 27 '22

What are you using for your antivirus software?

1

u/sovietarmyfan Apr 29 '22

So, question. How does one obtain one of these RATs? I am always scared that I might get a virus and always disconnect my Ethernet cable whenever I am leaving my PC. I never browse weird websites or download weird stuff.

0

u/babybabybabybabyblue Apr 26 '22

Erase the hard drive and change passwords. Go to a website called Have I Been Pwned. Type in your emails, and if a result comes up from a used website, change that password and never use it again.

0

u/Actual_Philosophy_58 Apr 26 '22
  1. Try using this command in your command prompt with admin privilege; it makes sure your registry keys are not compromised:

SFC /SCANNOW

  2. Install the Kaspersky removal tool (it is free).
  3. Scan your whole drive(s).
  4. Afterwards you can install a fresh Windows copy.
  5. Perform steps 1, 2, and 3 again.
  6. Change all of your passwords.
  7. If you are still not confident of your data security, then format the whole damn thing.
  8. Always keep your sensitive data in a backup storage that is not connected to any PC.