Client's PC Hacked - Hacker Logs in and uses Her PC to Access PayPal - How to Prevent Access?
Hello Experts,
I have a client who has been Hacked multiple times. First it started with her own PayPal account and so I activated the two step verification and it stopped.
I also disabled RDP, I added two step verification to her Logmein account as well.
She got a new email account, she had MSN for years and now she has gmail
But the other day she said she came home and she could see someone logged in and trying to hack into some woman's paypal account by using her PC.
She recorded it with her iPhone and went to the Police and they turned her away, They said she can't do anything unless she finds the Women who was being hacked and then the two of them could file a complaint with the Police!
She Called PayPal and they said to format the PC.
So the PC has been OFF for a week, The other Day she received a call from India and the person on the other end told her to turn on her PC and she hung up.
Oh yea, she got a new Internet connection too, She went from Timewarner Cable to Verizon Fios and the Hacker still got in.
What can she do?
Can I buy her a SonicWall Firewall and make it impossible for hackers to log in?
I have the PC here, not connected to the Internet. Anything I can check?
TIA,
Lasareath
I have a client who has been Hacked multiple times. First it started with her own PayPal account and so I activated the two step verification and it stopped.
I also disabled RDP, I added two step verification to her Logmein account as well.
She got a new email account, she had MSN for years and now she has gmail
But the other day she said she came home and she could see someone logged in and trying to hack into some woman's paypal account by using her PC.
She recorded it with her iPhone and went to the Police and they turned her away, They said she can't do anything unless she finds the Women who was being hacked and then the two of them could file a complaint with the Police!
She Called PayPal and they said to format the PC.
So the PC has been OFF for a week, The other Day she received a call from India and the person on the other end told her to turn on her PC and she hung up.
Oh yea, she got a new Internet connection too, She went from Timewarner Cable to Verizon Fios and the Hacker still got in.
What can she do?
Can I buy her a SonicWall Firewall and make it impossible for hackers to log in?
I have the PC here, not connected to the Internet. Anything I can check?
TIA,
Lasareath
akahan
It seems almost certain that she has malware on her machine. Have you run the usual programs to check for it? Malwarebytes, Superantispyware, Kaspersky?
ASKER
Yes, Sorry, I've checked with MalwareBytes and MSE and it comes up Clean each time.
I do Root scans with MalwareBytes and I also disabled the recording of Restore Points.
I do Root scans with MalwareBytes and I also disabled the recording of Restore Points.
First enable firewall on machine.
Second use complex password for all users on machine.
Third scan the machine using antivirus and spyware.
Fourth install all latest update on machine (offline).
Second use complex password for all users on machine.
Third scan the machine using antivirus and spyware.
Fourth install all latest update on machine (offline).
ASKER
Thanks for your replies.
Although I want proof. I want to see how they are hacking in. Is there software out there that will scan the PC and check if something is open that allows a would be hacker access?
Maybe I need some better intrusion software? 15 years ago I used black ice and it would tell you everything that was going on.
Is there something like that today?
Although I want proof. I want to see how they are hacking in. Is there software out there that will scan the PC and check if something is open that allows a would be hacker access?
Maybe I need some better intrusion software? 15 years ago I used black ice and it would tell you everything that was going on.
Is there something like that today?
ASKER
A friend of mine bought this software that she put on her boyfriends laptop and it emails her his activities.
You can't find the software on his PC.
Mayer there is a similar software on my clients PC? So they get every new password. How do you find a program like that?
You can't find the software on his PC.
Mayer there is a similar software on my clients PC? So they get every new password. How do you find a program like that?
ASKER
This is the software:
www.spectorsoft.com
Remote Computer & Internet Monitoring Software
eBlaster is a hidden software agent that records any Mac or PC. Detailed activity reports are sent directly to your email, so you can keep track of what they’re doing online, no matter where you are!
100% Undetectable
Read every email & chat
See everything they do on Facebook and other social networks
View every keystroke they type (even their passwords!)
Real-time keyword alerts let you know when specific words appear on their computer
Detailed activity reports are sent directly to your email inbox as often as you choose!
www.spectorsoft.com
Remote Computer & Internet Monitoring Software
eBlaster is a hidden software agent that records any Mac or PC. Detailed activity reports are sent directly to your email, so you can keep track of what they’re doing online, no matter where you are!
100% Undetectable
Read every email & chat
See everything they do on Facebook and other social networks
View every keystroke they type (even their passwords!)
Real-time keyword alerts let you know when specific words appear on their computer
Detailed activity reports are sent directly to your email inbox as often as you choose!
Spectorsoft is just eblaster under a different name, I believe. Here are instructions for how to get rid of it:
http://www.bleepingcomputer.com/forums/t/3255/how-to-remove-eblaster/
Spectorsoft's claim that their software is "100% undetectable" is just malarkey.
You should be able to see pretty much everything that's going on with your client's computer by using hijackthis.
http://www.bleepingcomputer.com/forums/t/3255/how-to-remove-eblaster/
Spectorsoft's claim that their software is "100% undetectable" is just malarkey.
You should be able to see pretty much everything that's going on with your client's computer by using hijackthis.
ASKER
Thanks akahan!
I ran HiJackThis but I don't know how to use it. Attached is the Log file. Do you see anything?
hijackthis.log
I ran HiJackThis but I don't know how to use it. Attached is the Log file. Do you see anything?
hijackthis.log
You can have it analyzed online. Just cut and paste it here:
http://www.hijackthis.de/
and here:
http://www.hijackthis.co/
http://www.hijackthis.de/
and here:
http://www.hijackthis.co/
ASKER
Ok, Thanks.
It came up with this:
[X] - MSIE: Internet Explorer v11.0 (11.00.9600.17496)
[?] - C:\Users\MY_Clients_namE\A
[?] - R1 - HKCU\Software\Microsoft\In
[N] - O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-7
[?] - O4 - HKCU\..\Run: [Amazon Music] "C:\Users\MY_Clients_namE\
[?] - O4 - Startup: JL Christmas Market.lnk = C:\Program Files (x86)\JL Christmas Market\JL Christmas Market.exe
[?] - O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc
[?] - O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\windows\SysWow64\IntelC
[?] - O23 - Service: @%SystemRoot%\system32\iee
[?] - O23 - Service: VIA Karaoke digital mixer Service (VIAKaraokeService) - Unknown owner - C:\windows\system32\viakar
[?] - O23 - Service: @%SystemRoot%\system32\Wat
I guess I should remove all these items?
It came up with this:
[X] - MSIE: Internet Explorer v11.0 (11.00.9600.17496)
[?] - C:\Users\MY_Clients_namE\A
[?] - R1 - HKCU\Software\Microsoft\In
[N] - O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-7
[?] - O4 - HKCU\..\Run: [Amazon Music] "C:\Users\MY_Clients_namE\
[?] - O4 - Startup: JL Christmas Market.lnk = C:\Program Files (x86)\JL Christmas Market\JL Christmas Market.exe
[?] - O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc
[?] - O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\windows\SysWow64\IntelC
[?] - O23 - Service: @%SystemRoot%\system32\iee
[?] - O23 - Service: VIA Karaoke digital mixer Service (VIAKaraokeService) - Unknown owner - C:\windows\system32\viakar
[?] - O23 - Service: @%SystemRoot%\system32\Wat
I guess I should remove all these items?
No, not necessarily. What it's telling you about Internet Explorer, for example, is that it is an out of date version that should be updated. You need to decide whether these are legitimate or not. You'll need to research each one.
However, it did NOT find that the particular intrusion software you were concerned about (or any other intrusion software) was running.
However, it did NOT find that the particular intrusion software you were concerned about (or any other intrusion software) was running.
ASKER
I found some stuff, AVG SafeGuard.exe, Open Candy
Open-Candy.jpg
Open-Candy.jpg
PayPal was right, you won't catch the person, reinstall the OS. Have the user change his/her passwords for everything. You can install SysMon from Sysinternals (Microsoft), and it will log each connection and exe that runs on the system in the sysmon event log, but if the PC is rooted (it probably is) then it could hide from Sysmon. WireShark is another option, but Sysmon will probably log an easier to follow trail.
-rich
-rich
ASKER
richrumble, I'll try that Sysmon. Thanks!
I did install ESET NOD32 and it found 3 items and deleted them.
ESET-NOD32-Found-3-Items.jpg
I did install ESET NOD32 and it found 3 items and deleted them.
ESET-NOD32-Found-3-Items.jpg
ASKER
How do I use Sysmon? I downloaded it and ran it but it did nothing. a dos window flashed on the screen.
open a CMD window, cd to where you downloaded Sysmon, then install the service
sysmon.exe -n
That will install the service and log network connections. You can view the logs by going to the event viewer
(Start -> Run: eventvwr.msc, then Application and Service logs -> Microsoft->Windows ->Sysmon-> operational)
From that point you can read which files created which processes, what loaded when they did that, and what ports were used if any. I'll try to work on making it easier to follow, but the raw data should be there.
-rich
sysmon.exe -n
That will install the service and log network connections. You can view the logs by going to the event viewer
(Start -> Run: eventvwr.msc, then Application and Service logs -> Microsoft->Windows ->Sysmon-> operational)
From that point you can read which files created which processes, what loaded when they did that, and what ports were used if any. I'll try to work on making it easier to follow, but the raw data should be there.
-rich
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Web_Tracker! I'll check those out.
Honestly it's probably better to just backup all her data and reformat it again from scratch. In my experience these sort of viruses can find their way back in so it's better to start off with a clean slate again. Try to teach her to be more careful on the web as well since you said she's been hacked multiple times, which probably means she will get infected again.
I'd also recommend installing AdBlock Plus as it's a great in getting rid of 95% of the harmful things out there on the web.
I'd also recommend installing AdBlock Plus as it's a great in getting rid of 95% of the harmful things out there on the web.
This is a quick, but not all that great way to cut down on the data you see in the event logs from the users computer. It will look for network connections (event id 3) and then only display certain event information items. Note that Sysmon is very verbose, so you will see items that don't resolve to a hostname. I'm working on a correlation script that will be better from a forensics standpoint. (run cmd as admin btw)
wevtutil qe /f:text /q:*[System[(EventID=3)]] Microsoft-Windows-Sysmon/Operational |findstr "Event[ Image: Protocol: Initiated: SourcePort: DestinationIp: DestinationHostname: DestinationPort:" >c:\temp\events.txtASKER
These 4 programs: rkill, roguekiller, adwcleaner, and JRT Have been amazing, They cleaned up this PC and 4 more since. These programs are a great resource! Thanks fro your help! - I also Installed ESET NOD32 & MalwareBytes Pro
Those tools are part of my malware tool box I use to fight malware on the university campus where I work. One tool does not catch everything as you probably found out. One thing I like about these tools they are portable and do not require you to install an application in order to run them.
I am glad I was able to help. Thanks for awarding the points.
I am glad I was able to help. Thanks for awarding the points.