14

After running a system scan earlier today, I found that my computer had been infected by a trojan horse. My reason for running the scan was because Windows kept shutting down and then recovering.

After calling Microsoft tech support, the diagnostics tech accessed my computer via remote session and discovered that I had been "cracked" (hacked) by someone with a foreign (non-U.S.) IP address.

A repair tech later fixed my computer--deleted files, installed a proper firewall, etc.

I'm nevertheless very scared that this had been going on without my knowing. From what the dx tech had found, access to my computer had been successfully established something like 18 times, and after speaking with him on the phone, he seemed positive that someone has indeed been watching my online activity or utilizing my computer (the latter is what really scares me).

Additionally, I couldn't really get straightforward answers to the questions of how long this had been occurring and what it could mean for my own safety (perhaps they simply didn't know?); in fact, I wasn't really getting many straightforward answers about anything. I remain worried because I've heard such horrible stories about victims of "cracking" who have had their identities stolen, had illegal files stored on their computers, etc.

So now for my questions: what sort of consequences can something like this have for me and/or my system in the future, and what, if anything, can be done to minimize or correct those problems? Is there any sort of entity I should be reporting this to (i.e. credit card companies)? If a hacker did put harmful material on my computer, is there any way it could survive a professional system clean-up? Could I be completely overblowing all of this and acting like a total paranoiac? Am I asking questions that no one can really answer?

Even though I've been assured that this problem has been eliminated, I'm still feeling panicked about any problems that could still arise from this. Any input would be greatly appreciated--thanks.

UPDATE: It seems that, merely six hours after Microsoft tech support supposedly fixed my computer and installed Hitmanpro (which I've been unable to find anywhere on my computer), it appears to be infected by another trojan horse (trojan.agent/svchost.exe). According to Malwarebytes, this has been quarantined--do I trust it?

sebra
  • 141
  • 1
  • 1
  • 4
  • sebra - this question is going to be closed as a duplicate but I can tell you (some) of what you need to do. First, wipe your computer and reinstall the OS. If you don't know how, use google or hire someone. You should change all your passwords. As far as financial information, if you have financial data on your computer, you may want to contact the companies and tell them you've had a potential exposure. They may give you new credit cards or whatever. Good luck! – Neil Smithline Jan 01 '16 at 19:38

2 Answers2

20

What you should do now is wipe your computer and start afresh. Treat it as a lesson learnt.

You ask whether malware can survive a professional system clean-up. The answer is yes. Once your computer has been compromised, you can no longer trust that it is safe. In fact, I wouldn't consider Microsoft tech support to do a professional system clean-up. Wipe it, start over.

What should you do once you have reinstalled your system? Firstly, grab a good antivirus. Microsoft Security Essentials is an excellent free one. Tinker with your firewall. Set it to deny all network traffic, except the ones you allow. ONLY allow traffic that you trust.

You will probably want to change the passwords of your online accounts. See XKCD #936: Short complex password, or long dictionary passphrase? on how to choose a good, strong password. Alternatively, consider a password storage solution like LastPass or KeePass.

To prevent future attacks from happening, use common sense. Don't click on suspicious links, don't open suspicious email attachments. Be more wary of anything you find on the internet.

Make regular backups. Starting fresh once your system is compromised can be a huge pain. Having a known clean backup to restore from can somewhat ease that pain.

Community
  • 1
  • I had something similar to this happen to me back in September (not a cracking situation, though), and I wonder if it had been going on then and went undetected by Microsoft tech support. Who knows? But yeah, now that I've done a little more reading, the Alureon Trojan Horse/bootkit (which is what was found on my computer today) isn't necessarily a device used by a hacker to actually monitor someone else's computer screen or engage in remote sessions--does anyone think that, perhaps, Microsoft tech support was being too zealous in their assumption? – sebra Nov 10 '12 at 04:51
  • @sebra Regardless, there is no guarantee that the attacker has only installed one trojan on your system. –  Nov 10 '12 at 04:58
  • I definitely do think I'll be taking your advice about wiping my system clean. A few years back, Norton tech support did exactly that, and my computer (well, my old computer) was pretty much golden from then on. I've actually been really surprised that, twice now, Microsoft tech support hasn't done it. – sebra Nov 10 '12 at 05:20
  • 2
    Microsoft doesn't do it because most users don't have backups of their system. Terry is completely correct, you should nuke it from orbit and restore from backup :) – Lucas Kauffman Nov 10 '12 at 08:55
  • Once a malware has got in, they tend to download and install others, and there is no guaranteed way of even detecting them all, there are even ways of making them survive all but the most thorough of wipes, but this isn't very likely. Always best to format the drives and start from scratch, even those who analyse and figure out to remove malware do this. There is no way to be sure we got it all, or that it added another piece of malware in a dormant state. – ewanm89 Nov 10 '12 at 10:56
  • I agree--I'll be much better off just doing a complete restoration and installing the best possible anti-virus/firewall(s) I can possibly find. I definitely don't want this happening again. – sebra Nov 10 '12 at 19:41
2

Computers get compromised all the time. You are lucky that you found out about yours. Here is my advice:

  • Call the 3 major credit reporting agencies (Equifax, Experian, and TransUnion) and tell them all your financial documents were stolen and that you believe someone is trying to steal your identity. This is bending the truth a little bit, but it's the easiest way to explain it to them. What you want is a "fraud alert" status on your credit files, so that if someone tries to open a new financial account in your name, it will be denied without your approval (usually via telephone). This fraud alert status won't last forever, but you can repeatedly re-telephone the 3 agencies and get them to reinstate it. You should ask them how long the fraud alert status is retained. Last I checked, the answer was 30 days.

  • Backup all of your important files.

  • Re-install your operating system from scratch, from "known good" install media. Make sure the install is from scratch, and not just an "update" or "repair." If you're unsure, use a disk utility to erase your hard drive before installing.

  • Re-install all of your software from scratch, from "known good" media. Do not restore software from your backup, as you will re-infect yourself. Install some good antivirus and firewall software.

  • Use 2 or more different antivirus programs to scan the backup of your old computer, and scan all of the removable media that your old computer has ever touched (thumb drives, writable discs, external hard drives, and so on). Even though you're not going to restore any programs from your backup, documents themselves may contain infectious material, especially PDF, Microsoft Office, and video files. Once you have deleted or repaired any infected files from your backup, you may start to copy them back to your computer.

  • Log into every place where you have an important account, and change the password. That includes Facebook, Twitter, PayPal, your online banking, your email (both web-based and POP/IMAP), and everything else. Also change the password of your WiFi access point, and use a new login password for your computer itself. Do not use the same password in any 2 places. Use complicated passwords.

  • Start keeping a sharp eye on your finances. Most banking and credit card accounts don't hold you liable for fraudulent activity, but they still require you to report the activity within a certain amount of time, often 30 days, or you will be liable. When in doubt, ask. You may want to tell your bank (and other financial entities where you hold an account) that your account number or other information was compromised.

  • Reduce your risk. Stop downloading entertaining Windows funware from the Internet. Stop downloading cracked software. Stop clicking on banners on porn sites. Disable Java in your browser. Enable click-to-play for plugins in your browser (Chrome supports this). Remove Adobe Acrobat Reader, and find a PDF reader that is not made by Adobe. Basically, apply some good IT hygiene.

ruief
  • 883
  • 4
  • 11