Machine hijacked

A user recently reported their machine was hijacked: their mouse was moving and folders and emails were being accessed. I thought malware infections normally operate on the command line and access would not be visible to the user, but I could be wrong. AV was the latest, including Symantec network protection. Various malware programs were run and everything looks clean. To me it just doesn't fit; I also didn't see it happening.

Any suggestions? Thanks.
Sid_F Asked:

ste5an (Senior Developer) Commented:
hmm, help desk remote support? Team Viewer?

Take the machine down, run a complete AV scan. This means use more than one scanner, run it against the disk from a LiveUSB or LiveDVD, but not from the installed OS.
0
Sid_F (Author) Commented:
It does run TeamViewer but connection logs are clean for the time of the incident.
0
Kanti Prasad Commented:
0
noxcho (Global Support Coordinator) Commented:
If the user saw the mouse moving and files accessed then it is a remote desktop like TeamViewer or similar.
Maybe someone used it and cleaned the logs? Ask the user if the desktop background changed as it happened.
0
Sid_F (Author) Commented:
It's the "similar" I'm unsure of as there is not a trace.
0
noxcho (Global Support Coordinator) Commented:
Have you checked the Windows Events for any suspicious event logged at this time?
0
Sid_F (Author) Commented:
Yes, nothing standing out. I noted when running Wireshark that two machines attempted to connect to my machine on an HTTP connection to port 50688. I'm not sure what this port relates to but will check the machines for outbound connections.
0
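The two checks discussed in the comments above, as an added example that is not part of any participant's post: find which local process owns port 50688, and list console, unlock and remote-interactive logons recorded in the Security log during the incident window. The time window values are placeholders, since the thread does not give the incident time; the field positions assume the standard layout of Windows logon event 4624.

```powershell
# Added triage example. The port number is the one from the thread; the time
# window is a placeholder because the page does not state the incident time.
$Port  = 50688
$Start = Get-Date '2015-01-01 09:00'   # placeholder: start of incident window
$End   = Get-Date '2015-01-01 11:00'   # placeholder: end of incident window

# 1. Which process owns the port? "netstat -ano" prints the owning PID in the
#    last column; the pattern matches the port in the LOCAL address column only.
$pattern = '^\s*(TCP|UDP)\s+\S+:' + $Port + '\s'
netstat -ano | Where-Object { $_ -match $pattern } | ForEach-Object {
    $cols   = $_.Trim() -split '\s+'
    $procId = [int]$cols[-1]
    # The process may have exited, or its path may be unreadable without elevation.
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Proto   = $cols[0]
        Local   = $cols[1]
        Remote  = $cols[2]
        State   = $(if ($cols.Count -eq 5) { $cols[3] } else { '' })  # UDP has no state
        PID     = $procId
        Process = $proc.ProcessName
        Path    = $proc.Path
    }
} | Format-Table Proto, Local, Remote, State, PID, Process, Path -AutoSize

# 2. Logons inside the window (run elevated to read the Security log).
#    Event 4624 = successful logon. LogonType 2 = console, 7 = unlock,
#    10 = RemoteInteractive (Remote Desktop). In event 4624, data field 5 is
#    the target user, field 8 the logon type, field 18 the source address.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { 2, 7, 10 -contains [int]$_.Properties[8].Value } |
    Select-Object TimeCreated,
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'User';      e = { $_.Properties[5].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[18].Value } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

No rows from step 1 means nothing on the machine is bound to that port at the moment the script runs; a type 10 logon in step 2 with an unexpected source address is the kind of entry worth following up.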
noxcho (Global Support Coordinator) Commented:
Is this a laptop or a Desktop PC?
0
Sid_F (Author) Commented:
PC
0
noxcho (Global Support Coordinator) Commented:
OK, I was asking because sometimes a laptop's touchpad behaves as if it were hijacked.
I would remove TeamViewer from this machine and wait to see if the behavior reproduces. If you don't see any traces in the TeamViewer logs and Windows Events, plus the antivirus says nothing, then it is an allowed action from a user.
0
mismoboy Commented:
I don't have a 100% answer but some good advice to get you going:

1. I would try to remove all spyware and malware using Spy Hunter ($39) because they would have implanted something by now knowing you will do something to remove their exploit.
2. Then I would use 'Hijack This' software (download from CNet - http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html) to dig deep into what might be trying to exploit your machine and try to delete it. However, it is not automated; you will need to look and research what is harmful to the system and remove it with Hijack This.
0
ste5an (Senior Developer) Commented:
Try to get the German magazine c't No. 14 of June 13. It contains a LiveCD named Desinfec't 2015. It contains four AV scanners, which allow a full scan of your system.
0
BillDL Commented:
Does the user have a wireless mouse?
Is it possible that somebody else in the vicinity was using a wireless mouse at the time?
0
Sid_F (Author) Commented:
No wireless mouse, tested using Malwarebytes and also HijackThis. The machine has been sent elsewhere for investigation. Thanks for the help.
0

Sid_F (Author) Commented:
Resolved
0
Windows 7