10

I've been suspecting that someone is logging into my computer because a couple of times, on the user log-on screen, I saw "Signed in remotely from.."

The first time I saw some of my pictures copied onto the desktop; the second time there were some folders open when I logged in.
Today it happened again, and this time I was working at the computer. I was logged off out of nowhere, and when I tried to log in I saw that someone else was already logged in.
After entering my password, I saw that Web Browser Pass View (which I have not installed on my computer!) was open and someone had tried to save a txt file in the Documents folder. I disconnected the LAN cable immediately.

Of course, I changed my Windows password a couple of times, but I learned today that it didn't help.

Has this happened to anybody before? Any suggestions?

I'm running Windows 8.1 Enterprise.


S.L. Barth
cristidonos
    Is this your own personal computer or supplied by your employer? – GdD Feb 10 '16 at 11:29
  • 1
    Changing your password didn't help... so maybe the attacker installed a keylogger on your system. – S.L. Barth Feb 10 '16 at 11:33
  • personal computer – cristidonos Feb 10 '16 at 11:40
  • 8
    It's rare to have a copy of Windows 8.1 Enterprise running on a personal computer. Did it come from a legitimate source but more importantly, is it fully up-to-date? – rustyx Feb 10 '16 at 14:30
  • 1
    Unfortunately, we are not technical support or a malware removal forum. This might be on-topic over at SuperUser. – schroeder Feb 10 '16 at 16:36
  • 1
    Have you stopped connecting to the internet with this computer? That would be an important first step until you figure out what to do. Is anyone else in charge of maintenance of this computer? – Quora Feans Feb 10 '16 at 18:52

1 Answer

16

It's highly likely that your computer has been compromised, probably by a RAT which you caught via a drive-by download or an email attachment. Unless you are a very technical person, I strongly advise the following:

  • Do a malware scan on the system, because the attacker probably installed more malware after entering the system (Pro tip: live-boot a Linux system and mount your Windows disk to scan it externally, because the attacker might have corrupted the antivirus software)
  • Back up your important data after removing corrupted files
  • Wipe the disk completely
  • Reinstall Windows

Also change all passwords you used on that system immediately, since you need to assume that the confidentiality of all sensitive data is lost.

Also think about where you could have infected your PC in the past. This incident should have raised your awareness.

AdHominem
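The offline scan-and-backup procedure the answer recommends (live-boot Linux, mount the Windows disk, scan it from the clean system, carry over only data, then wipe), as an added example that is not part of the original answer. It assumes a Linux live USB with ntfs-3g and ClamAV installed; the device name /dev/sda2, the mount point, the backup path and the profile name are placeholders to be replaced after checking lsblk. The copy step deliberately leaves behind every executable, script and shortcut type, since a RAT can hide in any of them and the whole point of the wipe is not to bring it back.

```shell
#!/bin/sh
# Offline triage of a suspected-compromised Windows disk from a Linux live USB.
# Added example, not code from the original answer. Assumes ntfs-3g and clamav
# are installed on the live system. DEVICE, MNT and BACKUP below are hypothetical.
set -u

# Mount the Windows partition read-only. noexec/nosuid/nodev mean nothing on
# the suspect disk can run on the live system, and ro keeps the disk unchanged
# in case someone later wants to look at it forensically.
mount_windows_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Scan the mounted disk with ClamAV running on the clean live system, so a
# tampered on-disk antivirus cannot interfere. Writes a report of infected files.
scan_windows() {
    mnt="$1"; report="$2"
    freshclam                         # refresh signatures first (needs network)
    clamscan -r --infected --log="$report" "$mnt"
}

# Returns 0 for a data file worth carrying over, 1 for an executable, script,
# installer or shortcut type that stays on the old disk (case-insensitive).
is_data_file() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.exe|*.dll|*.scr|*.com|*.pif|*.sys|*.drv|*.ocx|*.cpl|*.msi|*.msp|\
        *.js|*.jse|*.vbs|*.vbe|*.wsf|*.wsh|*.ps1|*.bat|*.cmd|*.hta|*.jar|\
        *.lnk|*.reg) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy only data files from a profile directory into the backup, preserving
# relative paths. Prints the number of files copied.
copy_user_data() {
    src="$1"; dst="$2"; n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel="${f#"$src"/}"
        if is_data_file "$rel"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel" && n=$((n + 1))
        fi
    done <<EOF
$(find "$src" -type f)
EOF
    printf '%s\n' "$n"
}

# Usage on the live system (as root): sh triage.sh run <WindowsProfileName>
if [ "${1:-}" = "run" ]; then
    profile="${2:?Windows profile name, e.g. the folder under C:\\Users}"
    DEVICE=/dev/sda2                  # hypothetical: confirm with lsblk -f
    MNT=/mnt/windows
    BACKUP=/media/backup/"$profile"   # hypothetical external drive
    mount_windows_ro "$DEVICE" "$MNT"
    scan_windows "$MNT" /tmp/clamscan-windows.log
    copy_user_data "$MNT/Users/$profile" "$BACKUP"
    echo "backup written to $BACKUP; scan the backup again before restoring it"
fi
```

Run the backup directory through clamscan (or a service such as VirusTotal, as suggested in the comments) a second time before copying it onto the reinstalled machine, and keep the original disk unmounted rather than reusing it until you are sure nothing was missed.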
  • Thanks for the info. I am fairly technical; I mean I can understand and follow a solution one would provide on this forum. I'd rather try anything, no matter how complicated, than reinstall everything. – cristidonos Feb 10 '16 at 11:42
  • 16
    Reinstall is generally the best option in these cases, even if you are very technical - modern malware can be very sneaky, and resurface following attempts to remove it if any traces are missed. – Matthew Feb 10 '16 at 11:52
  • 7
    Wiping the system would be the advice of most people. You can't confirm what was installed/added to your machine without a lot of in-depth and skilled work (i.e. the costly work of an IR professional). Barring having costly, business-critical legacy software on the machine, grab the data you need, wipe and start fresh. – Jozef Woods Feb 10 '16 at 11:56
  • 2
    To add on to this answer, only back up essential or sentimental files, make sure to submit all of the files to a virus scanner, such as virus-total or whatever you are running on your machine. Also, don't forget to change the password for every account that may be the same or follow the same naming convention as the compromised password. – Lutefisk Feb 10 '16 at 14:03
  • @JozefWoods IR = Incident Recovery? – Lilienthal Feb 10 '16 at 15:16
  • @cristidonos checking if a machine is still compromised or fixable takes much more time and effort than a full reinstall - you *could* do that if it's necessary for forensics, but it's not worthwhile otherwise; reinstalling is the (comparably) quick and easy option in such cases. – Peteris Feb 10 '16 at 15:21
  • 1
    @Lilienthal I know it as Incident Response, but either would be valid. – Jozef Woods Feb 10 '16 at 15:36
  • 1
    Thanks guys, it was not intended to be an off-topic question; I considered it a security issue so I asked here. Windows is genuine but stopped updating at some point because I think adding updates ends up slowing the computer a lot. I used to think my antivirus did a great job, but it didn't. Here's a link I found today about remote control trojans; looks like I have been infected by something similar. https://youtu.be/xUlivXL1Y0Q – cristidonos Feb 10 '16 at 18:27
  • 3
    You stopped updating because you think it slows down the system??? This might be the reason you got infected in the first place. – AdHominem Feb 10 '16 at 18:31
  • 1
    @cristidonos Yeah, disabling updates almost never goes over well. Your system is likely toast at this point, but if you *really* want to try to recover from this incident, start digging into every file, checking all the important registry entries, verifying digital signatures of core files, ensuring the bootloader is okay, etc, etc, etc. And, unless you're a full-on IR pro (as mentioned above), you're going to be looking for a very very long time. – Kaz Wolfe Feb 10 '16 at 19:08
  • 2
    @cristidonos "i mean i can understand and follow a solution one would provide on this forum" [This isn't a forum.](http://meta.stackexchange.com/a/92110/227849) – Pharap Feb 10 '16 at 19:25
  • What is RAT an acronym for? – Martin Smith Feb 10 '16 at 21:26
  • As a general rule, when I find compromised systems, I install new hard drives and reinstall - keeping the original for backup purposes. And I'll only access data off of it with a livecd like an Ubuntu install. I know it's overkill, but it keeps it from spreading. – Chris K Feb 10 '16 at 21:48
  • @MartinSmith, remote access trojan. A piece of software designed to dupe you into running it so that it can hand off the user controls to a remote viewer. Might be full remote desktop control like this appears to be or just a command line backdoor. – Nohbdy Feb 10 '16 at 23:01