
Hey guys 

I've just come back to my PC after a couple of hours watching Physical 100 and Last of Us (both excellent by the way!) to find my mouse moving around my screen and a getscreen.exe box open which shows it's connected to someone in Giza, Egypt (I'm in the UK)

£200 has been taken from my Santander account and spent on app.millionverifier.com - I will contact them in the morning (bank card has been cancelled)
Looking at my recent browsing history I see I also have a new account with instantdata.atdata.com - I will speak to these guys when they open in the morning too 

I've just double checked everything and my Windows Defender was set to ignore about ten random-looking folders and programs.
I've cleared the exclusions and done a full scan which found two problems - wacatac and maleficams.b - and I am now hitting my system with every antivirus/malware program I have (all freeware software from recognised names).

Nothing has been installed in the last week (except Windows Package Manager winget about an hour ago?????)
No new start-up programs have been added and I cannot find any suspicious programs running now.
I'm purging all my history (after taking some screenshots of recent sites to contact) and have removed my credit card details from Microsoft Edge

My big question is once I have scanned and cleaned with a load of different programs will that be enough????

Thanks in advance for any help anyone can provide - I like to think I run a pretty tight ship and this is a first for me!!!!
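The things the OP describes checking by hand (Defender exclusions, scan hits, start-up entries, the open remote-control session) can be captured in one read-only pass. This is an added example and not code from the thread; it assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell prompt. It changes nothing on the machine, so it is useful for recording evidence before the drive is pulled, not as a substitute for the rebuild the replies recommend.

```powershell
# Added example, not from the thread. Read-only triage of the items the OP checked by hand.
# Assumes Windows 10/11 with Microsoft Defender, run from an elevated PowerShell prompt.
# Nothing below changes state; it only reports, so it is safe to run before pulling the drive.

# 1. Defender exclusions. Attacker-added paths or processes here are invisible to scans,
#    which matches the "ten random looking folders" the OP found.
$pref = Get-MpPreference
"== Defender exclusions =="
$pref.ExclusionPath      | ForEach-Object { "  Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { "  Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { "  Extension: $_" }

# 2. Defender's detection history: the names reported by the full scan appear here with the
#    file path and the process that dropped them.
"== Recent Defender detections =="
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, Resources |
    Format-Table -AutoSize | Out-String

# 3. Common persistence points: Run/RunOnce keys, non-Microsoft scheduled tasks, and services
#    whose binary lives outside \Windows.
"== Run / RunOnce entries =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSDrive, ...) and print the real values
        if ($p.Name -notlike 'PS*') { "  $key : $($p.Name) = $($p.Value)" }
    }
}

"== Scheduled tasks outside \Microsoft\ =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) { "  $($_.TaskPath)$($_.TaskName) -> $($a.Execute) $($a.Arguments)" }
}

"== Services with binaries outside \Windows\ =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike '*\Windows\*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize | Out-String

# 4. Live remote-control sessions: established TCP connections to non-private addresses,
#    mapped back to the owning process. A remote-access tool with an open session (as the OP
#    saw with getscreen.exe) shows up here together with its executable path.
"== Established connections to external addresses =="
$privateRe = '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|fe80:)'
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $privateRe } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $proc.ProcessName
            Path    = $proc.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Format-Table -AutoSize | Out-String
```

Redirect the whole script's output to a file on a USB stick (`.\triage.ps1 *> E:\triage.txt`) so the exclusions and the process paths survive the reinstall; the exclusion list in particular tells you which folders to look at when you later copy data off the old drive.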

https://www.neowin.net/forum/topic/1426345-ive-been-hacked-what-do-i-do-next/

As to the 2 above, burn it.

Change all your passwords, even the ones he didn't have access to. He could have easily gotten to it already, behind the veil.

And reinstall your system. Only get software from TRUSTED sources. Not Download.com.

If you don't get your money back, call the police. They will take care of it.

Yeah, you were wasting your time checking over your system. You should have first unplugged the network cable or disabled the WIFI and then planned your drive format and Windows reinstall.

I'm an IT consultant for small companies. Here's roughly what I would do if one of their computers was compromised.

 

You will need a replacement SSD or HDD, a USB flash drive, and some time.

On another computer, iPad, phone, etc., change your Microsoft account password. Enable MFA. (Repeat for other services.)

Remove the current HDD or SSD.

Using a different computer, create a USB flash drive and reflash the firmware for the computer.

Shut down and clear UEFI/BIOS settings.

Install a new SSD or HDD.

Configure Secure Boot.

Install Windows.

Install antivirus. (Malwarebytes is good for most people.)

Now, if there's data needed on the old drive, I usually put it in an external enclosure and copy the data over. (Depending on the environment, I may do this with a boot disk and copy to a USB flash drive.)

-No executables are ever copied from the old drive. They're lost. Gone. Pretend they don't exist.

Then the drive goes into quarantine until the new system is set up and a little time has passed (To make sure everything important was copied.)

When I'm sure everything is working, I use a USB boot disk and completely erase the old drive. The old drive then goes into storage for use later on.

Discuss safe computing with the user.

 

If you just format the HDD and re-install the OS, you run the risk of re-installing whatever was used to hijack your computer in the first place. The only way to be sure is to erase the drive outside of Windows using a bootable USB drive of some sort and to make sure the entire drive is erased. There are tools to do this, or you can use diskpart.exe. (Even if you just use diskpart 'clean' you're better off.)

 

Hope this helps.

I agree with the points above, forget about wasting time sanitising. Start again.

The better question that you need an answer to is: how did they get in to begin with?

Was this an accident on your part, or is there a compromised device on your LAN (another PC belonging to a family member, housemate or visitor; an IoT device, printer, router, etc.)? If the breach was caused by a second device, you could find yourself back here again fairly quickly if you do not tackle that as well. If you are not sure, then you need to blitz everything.

They're spending on email spam by the look of it. You must assume that every file on your computer was copied to the cloud. Anything with passwords in it, bank info, financial records. All gone and now 'public' domain. It will be sold on, these people will know what you have, and if you have anything of value you are now a target. Assume they have your address, telephone numbers, contacts, photos. Everything. Unless there was nothing on this machine, you are now at high risk of fraud. Consequently you may want to consider the merits (and disadvantages) of registering for CIFAS Protected Registration https://www.cifas.org.uk/pr

When you do format and reinstall the system, take note of where the apps you are installing come from. It's possible an installer you have used in the past was malicious, so I'd obtain clean copies of everything.

Even some legit software such as FileZilla for example now sadly bundle adware with the Windows installer. So what I'm getting at is even if you have trusted an app in the past, that does not mean you shouldn't be wary of it today.

On 27/02/2023 at 23:38, Joe User said:

The only way to be sure is to erase the drive outside of Windows using a bootable USB drive of some sort and to make sure the entire drive is erased.

In general I suspect booting to a USB stick with Linux and using GParted is probably good enough for a basic erase of the drive so it's blank, and then one can reinstall the OS.

But if one wants to take it a bit further, use 'hdparm' with 'secure erase' from a bootable USB stick running Linux. But I suspect this is probably not needed just to get rid of the virus.

P.S. But depending on how large the hard drive is, a 'secure erase' could take a long time (a 6TB I had took basically 10hrs to finish a 'secure erase', but my SSDs take maybe a few seconds tops). But if it's an SSD it will complete within seconds since it does not actually wipe the drive to my knowledge but resets a new internal encryption key the drive uses, so it's sort of like the data has been wiped.

 

On 27/02/2023 at 23:38, Joe User said:

Using a different computer, create a USB flash drive and reflash the firmware for the computer.

Shut down and clear UEFI/BIOS settings.

I've heard of BIOS viruses, but aren't these quite rare, to where it's fairly safe to assume the person's BIOS is most likely not infected with a virus or the like, especially since this is a common person and not a high value target?

Because if so, it seems one could pretty much skip this part you just mentioned. But I get you are being extra thorough, which I can't really fault.

 

On 28/02/2023 at 03:39, C:Amie said:

The better question that you need an answer to is: how did they get in to begin with?

Exactly.

But just clean installing the OS should be sufficient since there won't be any way for a shady person to connect to his computer at that point. Even if there is some compromised device on his local network, it doesn't seem like much can happen, as I don't think anything is enabled on a clean install of Win10 that a local device could exploit. I am just assuming the OP is using Win10 or newer.

P.S. But unless the OP has another computer to make a bootable USB stick on, he's probably in a bad spot, because you would not want to do any of this stuff on the compromised computer, at least not with the current compromised Windows installation.

On 28/02/2023 at 12:18, ThaCrip said:

Exactly.

But just clean installing the OS should be sufficient since there won't be any way for a shady person to connect to his computer at that point. Even if there is some compromised device on his local network, it doesn't seem like much can happen, as I don't think anything is enabled on a clean install of Win10 that a local device could exploit. I am just assuming the OP is using Win10 or newer.

 

That is true, but only so far as the OP doesn't then weaken his security posture to return to "business as usual" (SMB 1, guest account, opening software firewall ports, installing legacy drivers or software with known vulnerabilities), as it'll just get compromised again. It could be as benign as someone / the neighbour's kid knowing your WiFi password and using your wireless, or you've found a USB drive on the street outside your house and plugged it in. Until the OP has a handle on how this happened, assume nothing. If he has - and he doesn't have to admit it to us here - been installing warez or someone down the pub gave him a bootleg copy of some game or app, then in his own mind he knows where it came from. If he had a house party and the PC was on the entire time, or it is used by others in his household and a compromised email attachment got clicked, or if he hasn't run Windows Update and rebooted for 9 months: same deal. If it is, however, a genuine total mystery to him, 'just' reinstalling Windows might be eliminating evidence in the short term of where the problem originated from while not actually fixing the root cause.
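The "business as usual" weaknesses listed above (SMB 1, an enabled guest account, hand-opened firewall ports, months without updates) are all things a fresh install can be checked for before any software goes back on. The following is an added example, not code from the thread; it assumes Windows 10/11 and an elevated PowerShell prompt, reads state only, and prints one line per finding. The filter that treats firewall rules without an `@`-style group as "added by software or by hand" is a heuristic of this example, not a Windows rule.

```powershell
# Added example, not from the thread: read-only posture check for the weaknesses named above.
# Assumes Windows 10/11, run from an elevated PowerShell prompt. Changes nothing.
$findings = @()

# SMB1: neither the server protocol nor the optional feature should be enabled on a modern client.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings += 'SMB1 server protocol is enabled' }
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') { $findings += 'SMB1Protocol optional feature is installed' }

# Built-in Guest account (RID 501, whatever it has been renamed to) should stay disabled.
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings += "Guest account '$($guest.Name)' is enabled" }

# Enabled inbound allow rules that were not shipped by Windows. Heuristic (assumption of this
# example): Windows' own rules carry a resource-string group like '@FirewallAPI.dll,-28752';
# rules created by installers or by hand usually have an empty or plain-text group.
$custom = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group -or $_.Group -notlike '@*' }
foreach ($r in $custom) {
    $pf = $r | Get-NetFirewallPortFilter
    $af = $r | Get-NetFirewallApplicationFilter
    $findings += "Inbound allow rule '$($r.DisplayName)': $($pf.Protocol)/$($pf.LocalPort) program=$($af.Program)"
}

# Patch staleness: date of the most recently installed hotfix (60 days is this example's threshold).
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last -and $last.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $findings += "No updates installed since $($last.InstalledOn.ToShortDateString())"
}

# Remote Desktop: fDenyTSConnections = 0 means inbound RDP is accepted.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) { $findings += 'Remote Desktop is enabled' }

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

Run it once right after the clean install (it should print nothing), then again after each batch of software goes on; any new line is something an installer opened up and is worth a deliberate decision rather than a default.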

On 28/02/2023 at 12:18, ThaCrip said:

I've heard of BIOS viruses, but aren't these quite rare, to where it's fairly safe to assume the person's BIOS is most likely not infected with a virus or the like, especially since this is a common person and not a high value target?

Because if so, it seems one could pretty much skip this part you just mentioned. But I get you are being extra thorough, which I can't really fault.

I agree with you on this, but if it were my equipment then I'd do it anyway for peace of mind.

Thanks for all the input guys GREATLY appreciated - I've been buried at work all day so haven't had the time to catch up properly yet but it looks like I have some work ahead of me...

She's a 6 month old gaming/media centre rig with 20tb of storage in total (4xHDD, 1xSSD, 1xM.2)
No network or other devices locally but do have dropbox and google drive connected.

I'm just a private individual, not a business, so nothing of any value is stored apart from a LOT of HD video, MP3s and game ISOs.

I am what you might call a HEAVY downloader so I've only got myself to blame... 25 years experience you would think I would know better!

On 28/02/2023 at 11:22, hekkyUK said:

I am what you might call a HEAVY downloader so I've only got myself to blame... 25 years experience you would think I would know better!

You'd think, right? :laugh: 

On 28/02/2023 at 17:22, hekkyUK said:

Thanks for all the input guys GREATLY appreciated - I've been buried at work all day so haven't had the time to catch up properly yet but it looks like I have some work ahead of me...

She's a 6 month old gaming/media centre rig with 20tb of storage in total (4xHDD, 1xSSD, 1xM.2)
No network or other devices locally but do have dropbox and google drive connected.

I'm just a private individual, not a business, so nothing of any value is stored apart from a LOT of HD video, MP3s and game ISOs.

I am what you might call a HEAVY downloader so I've only got myself to blame... 25 years experience you would think I would know better!

 

Mystery solved then! Good luck with the rebuild. It is a really tough one and I feel for you. The AV was never going to notice a legitimate RA tool buried in a RAT and possibly not even a zero day RAT either.

I do Cybersec for a living...Good advice already in the thread but wanted to add this link:

https://www.securitymagazine.com/articles/91990-nist-cybersecurity-recommendations-for-working-from-home

It's a summarized version of the official NIST list. Good guidelines for home users.

On 28/02/2023 at 07:13, DonC said:

I agree with you on this, but if it were my equipment then I'd do it anyway for peace of mind.

It's a longshot, but I'll never take that chance.

Besides, it's only an extra hour or so. It's worth the time.

On 01/03/2023 at 09:24, Arceles said:

For the kind of usage that computer was having... use Linux. It is another protection in itself.

Yes and no. Linux has viruses, too. But the chance is WAY lower than Windows.

As for Arch, you can get a lot of safe apps from AUR. Viruses are very rare.

On 01/03/2023 at 09:48, Mindovermaster said:

Yes and no. Linux has viruses, too. But the chance is WAY lower than Windows.

As for Arch, you can get a lot of safe apps from AUR. Viruses are very rare.

Yes, that is what I was referring to; the probability of getting a rogue virus is way lower because of how SW is obtained in itself. Same for Debian.

Having a police report will definitely help in legitimizing your claims when trying to recover your funds with your bank.

However, I don't know how you would file a police report for something that happened on your computer. Most banks, especially nowadays, fully understand how something like this can happen. You should be able to recover your money from your bank, due to it being fraud.
