How do I know if my computer has been hacked?

Hi Expert,
My friend told me that his computer looks like it has been hacked.
He asked me: how do I know if my computer has been hacked?
MASWORLD Asked:

Jim Dettman (Microsoft MVP / EE MVE), President / Owner, Commented:
a. If it's doing things that it normally doesn't do - lots of popup ads, ending up on different web sites, etc.
b. It is working differently than it has (slow, sluggish).
c. You see software or processes you never installed.
d. Your firewall and/or anti-virus software becomes disabled and/or you can't start it.

If you suspect a problem, then it's best to download and use two or three different virus/malware scanners and check for infections.

I say two or three because there is no one product that will catch everything. After you've used 2-3 and come up clean, you can be pretty assured that you're good.

Popular tools are Malwarebytes, Sophos, Kaspersky, Trend, and McAfee.

All offer free tools (some even online) to scan and clean your system.

Jim.
MASWORLD, Author, Commented:
Yes, a, b, c and d happened.
Also, he told me that one of the employees in the company's phone makes a tone every time he receives or sends an email or opens an application, etc.
Jim Dettman (Microsoft MVP / EE MVE), President / Owner, Commented:
If you have a backup of the important files/documents, then you might find it simpler to do a factory restore of the operating system.

Trying to get a PC clean can take a lot of time and work and can be quite technical. If you're not comfortable with working with things in detail in a very technical way (files, the registry, startup options, etc.), then a clean install of the OS is the best course of action (after you back up your files, of course).

Jim.
btan, Exec Consultant, Commented:
Can check:

> Windows Event Viewer for security events logged, e.g.
- if AV and FW are disabled,
- if account security events have been logged with remote logon type 10 (RemoteInteractive), meaning some sort of RDP was done, which is rightfully not normal for home users,
- if there are failed logon events with logon type 5, indicating the password of an account has been changed without updating the service, but also the possibility of malicious users at work,
- if there are failed logons with logon type 7, indicating either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

> For the Windows FW log (http://support.microsoft.com/kb/875357) generated, there are src and dest IPs as stated in the field listing, and you are also able to set logging on a specific interface. Logging for dropped or successful attempts needs to be checked, though, to have the information in the .log file (see "Using Logging").
You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file.
> Finding traces of intrusion indicators (http://www.experts-exchange.com/Security/Vulnerabilities/Q_28539938.html#a40388698)
Some anomalous activities to watch for on the wire can include
- exfiltration traffic to get this "loot" out, so look for odd hours or connections made at unusual times,
- unusually high outbound ports, surges in traffic payload,
- unexpected changes in network performance, such as variations in traffic load at specified times, which can be hogging transactions and eating the bandwidth,
- brute force attempts, which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated, failed connection attempts,
- beacons to a certain "country" that has no dealings with the business, or traffic coming from or going to unexpected locations,
- non-legit attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes,
- non-standard or malformed packets (protocol violations), which can also include multiple secure short-lived channels that may not be standard SSL based.
> Using useful commands (http://www.experts-exchange.com/Security/Digital_Forensics/Q_28538207.html#a40383471) to gather trails left behind and anomalous activities pertaining to accounts, applications and the network

A) Checking for anomalous processes running:
- for a summary of every running process on a machine, run: C:\> wmic process list brief
- to show the name, process ID and priority of each running process, as well as other less interesting attributes, run: C:\> wmic process list full
- for programs that start when the system boots up or a user logs on, which could be defined by an auto-start registry key or folder, run: C:\> wmic startup list full
- to pull a process summary every 5 seconds, run: C:\> wmic process list brief /every:5

B) Checking for anomalous accounts and services:
- the "net user" command shows all user accounts defined locally on the machine,
- the "net localgroup" command shows groups,
- the "net localgroup administrators" command shows membership of the administrators group,
- the "net start" command shows running services.

C) Checking for anomalous network activity:
- for unusual and unexpected connections in the output of netstat, run: C:\> netstat -nao
- besides TCP and UDP, if interested in ICMP, run: C:\> netstat -s -p icmp
- to list the TCP and UDP ports in use on a machine every 2 seconds, run: C:\> netstat -na 2

D) Checking for any other "interest":
- to look at information every second, e.g. for cmd.exe, run: C:\> wmic process list brief /every:1 | find "cmd.exe"
- for autostart programs associated with the registry hive HKLM, run: C:\> wmic startup list brief | find /i "hklm"
- to see with one-second accuracy when TCP port 2222 (example) starts being used, with the PID, run: C:\> netstat -nao 1 | find "2222"

Overall, symptoms of a hack can also be seen in AV alerts and the quarantine log, or host intrusion log alerts, far beyond just the FW log, as well as the mentioned strange processes and browser add-ons, for a quick start.
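The firewall-log triage described in btan's answer (inbound remote access, unusual outbound ports, odd-hour connections, scans and repeated failed connection attempts), as an added example that is not part of the thread or of the linked KB article: a Python script that parses the W3C-style %Windir%\pfirewall.log written by Windows Firewall and flags those indicators. The sample log lines are constructed, the port lists and thresholds are assumptions to tune per site, and the script only reads the log; logging for dropped and successful connections still has to be switched on in the firewall first, as the answer notes.

```python
import sys
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the format Windows Firewall writes (real files also carry #Software/#Time Format headers).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-03-01 09:02:11 ALLOW TCP 192.168.1.10 93.184.216.34 52001 443 0 - 0 0 0 - - - SEND
2019-03-01 10:00:00 ALLOW TCP 192.168.1.50 192.168.1.10 49152 3389 0 - 0 0 0 - - - RECEIVE
2019-03-01 03:14:05 ALLOW TCP 192.168.1.10 198.51.100.77 52002 6667 0 - 0 0 0 - - - SEND
2019-03-01 03:14:06 ALLOW TCP 192.168.1.10 198.51.100.77 52003 4444 0 - 0 0 0 - - - SEND
2019-03-01 11:20:00 ALLOW TCP 203.0.113.5 192.168.1.10 41000 3389 0 - 0 0 0 - - - RECEIVE
2019-03-01 11:21:01 DROP TCP 203.0.113.9 192.168.1.10 44001 21 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:21:01 DROP TCP 203.0.113.9 192.168.1.10 44002 22 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:21:01 DROP TCP 203.0.113.9 192.168.1.10 44003 23 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:21:02 DROP TCP 203.0.113.9 192.168.1.10 44004 445 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:30:10 DROP TCP 203.0.113.20 192.168.1.10 50001 445 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:30:11 DROP TCP 203.0.113.20 192.168.1.10 50002 445 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:30:12 DROP TCP 203.0.113.20 192.168.1.10 50003 445 52 S 1 0 8192 - - - RECEIVE
2019-03-01 11:30:13 DROP TCP 203.0.113.20 192.168.1.10 50004 445 52 S 1 0 8192 - - - RECEIVE
2019-03-01 12:00:00 DROP ICMP 203.0.113.30 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2019-03-01 12:05:00 INFO-EVENTS-LOST - - - - - 3 - - - - - - - -
"""

# Assumed site policy: tune these per environment.
REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900, 5985, 5986}   # remote-admin services inbound
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
IRC_PORTS = {6667, 6697}
ODD_HOURS = range(0, 6)        # local 00:00-05:59 counts as "unusual hours"
SCAN_PORT_THRESHOLD = 4        # distinct dropped ports from one source
REPEAT_DROP_THRESHOLD = 4      # drops to the same port from one source
# RFC 1918 plus loopback/link-local, checked explicitly: the stdlib's is_private
# also classes the 203.0.113.0/24-style documentation ranges used above as private.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)

def parse_firewall_log(text):
    """Return one dict per log line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("no #Fields header before first log line")
        records.append(dict(zip(fields, line.split())))
    return records

def find_indicators(records):
    """Return (kind, address, port-or-count, detail) tuples for suspicious entries."""
    findings = []
    drops = defaultdict(lambda: defaultdict(int))   # src-ip -> dst-port -> count
    for r in records:
        action, path = r.get("action"), r.get("path")
        if action not in ("ALLOW", "DROP") or path not in ("SEND", "RECEIVE"):
            continue                    # OPEN/CLOSE/INFO-EVENTS-LOST carry no verdict
        try:
            dport = int(r["dst-port"])
        except ValueError:
            continue                    # ICMP lines log "-" for the ports
        src, dst = r["src-ip"], r["dst-ip"]
        hour = int(r["time"].split(":")[0])
        when = f"{r['date']} {r['time']}"
        if action == "ALLOW" and path == "RECEIVE":
            if dport in REMOTE_ADMIN_PORTS and is_external(src):   # RDP etc. accepted from outside the LAN
                findings.append(("inbound-remote-access", src, dport, when))
        elif action == "ALLOW" and path == "SEND" and is_external(dst):
            if dport in IRC_PORTS:
                findings.append(("outbound-irc", dst, dport, when))
            elif dport not in EXPECTED_OUTBOUND_PORTS:
                findings.append(("unusual-outbound-port", dst, dport, when))
            if hour in ODD_HOURS:
                findings.append(("odd-hour-outbound", dst, dport, when))
        elif action == "DROP" and path == "RECEIVE" and is_external(src):
            drops[src][dport] += 1
    # Many distinct ports from one source looks like a scan; many drops to one port, brute force.
    for src, ports in drops.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port-scan", src, len(ports), "distinct ports"))
        for port, n in ports.items():
            if n >= REPEAT_DROP_THRESHOLD:
                findings.append(("repeated-drops", src, port, n))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_indicators(parse_firewall_log(text)):
        print(*finding)
```

Run it without arguments to see the seven findings from the constructed sample, or as `python triage.py C:\Windows\pfirewall.log` against a real log. Internal-to-internal traffic (the 192.168.1.50 RDP session in the sample) is deliberately not flagged, so for the home-user case btan describes, where any RDP is unexpected, drop the is_external(src) condition on the inbound check.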
