[SOLVED] I was hacked a few days ago

mtracy1991

Reputable
Hello all,

I was hacked, or my PC was compromised around Saturday near midnight of Sunday. I was playing League of Legends and my PC started acting strange; choppy audio, graphics were malfunctioning. Suddenly, someone and I were fighting over the cursor and the individual started spamming League of Legends chat on his end. While this happened, I was using VPN Unlimited and was connected to a VPN located out in Austria, Vienna. I quickly removed the network cable and performed a reset of my PC (Windows 10). Once done, I changed my passwords and ran Malwarebytes, SUPERAntispyware, set up my free McAfee & Zone Alarm Firewall free version. I also changed the passwords to Wi-Fi, hid my SSID, updated router passwords. I also disabled my Windows Remote Assistance tool as I am under the impression this was the issue. I then reset this PC again because it was still acting weird & followed the above steps. At this time, I am requesting some additional insight or assistance with performing additional tasks to troubleshoot the issue or strengthen security posture on my end.

I have a few questions:
  1. I have additional hard drives connected to my PC, shall I run scans on these?
  2. I wanted to see if I could change my external IP address, not the IP address on the IPV4. I've contacted my ISP and was told to get a new router (is this true? The ip address will change once I get a new router?)
  3. How do I know that the individual is completely gone from causing issues in the future?
  4. If the individual got into my network, what shall be done to keep him or her at bay or remove them completely.

Thanks for your help.
 

mtracy1991

Reputable
"reset my PC"
How did you do this?

Unless a full wipe and reinstall, it does not count.
(or recover from a known good backup you made before this happened)

Reset my PC is a full wipe, I believe, and reinstall and I did that twice. I searched reset this PC, which brought me to the recovery window. It shows remove everything and I followed the prompts after that. Also, I did install Total AV (purchased this on sale along with Ultimate VPN) through their sites I believe. I don't really deal with much downloading of random software from random sites these days.
 

mtracy1991

Reputable
I am totally unsure. It looks like the individual accessed via Remote Assistance Tool as once they remoted in, then we were fighting over the mouse cursor/typing within the game. I then proceeded to disconnect my ethernet cable and my Wi-Fi attachments & performed a "full wipe and reset to factory settings". After the re-install, I ended up disabling that tool.
 

Math Geek

Titan
Ambassador
remote assistance requires you to initiate the session. it can't be started from the other person.

remote DESKTOP can be started by an outsider which is why it comes disabled by default. there is no way to start an assistance session unless you start it through the tool and let them in.

not saying someone did not get in, just saying you got to look elsewhere as to how.
 

mtracy1991

Reputable
Ok, then it seems like someone got in via some kind of remoting tool.
 

USAFRet

Titan
Moderator
And a Remote Desktop connection will kick YOU off. There will be no fighting over the mouse.
 

mtracy1991

Reputable
So at this time, what advice would you be able to provide?
  1. I have additional hard drives connected to my PC, shall I run scans on these?
  2. I wanted to see if I could change my external IP address, not the IP address on the IPV4. I've contacted my ISP and was told to get a new router (is this true? The ip address will change once I get a new router?)
  3. How do I know that the individual is completely gone from causing issues in the future?
  4. If the individual got into my network, what shall be done to keep him or her at bay or remove them completely.
 

USAFRet

Titan
Moderator
Obtain a USB - SATA dock.
From a known uninfected system, create a new Win 10 USB to install with.
Disconnect all drives except your hopeful boot drive.
Full wipe and reinstall on that drive.

Later, connect one of the other drives via the USB dock, and delete ALL partitions on it.
Why the dock? So that drive won't be seen as you boot up.
Repeat for all your other storage drives.

There is nowhere to "hide in the network".

But you really need to determine how this happened.
 
Solution

mtracy1991

Reputable
the USB, I have the windows stick. However, the other drives are: 1 external hdd 4tb WD My Book, A 4 TB Internal HDD, and two SSDs. Not sure if I can get the USB - SATA Dock today, is there a work around?


IE: Disconnect all drives except my original OS SSD and re-install Windows completely again via USB.
Then completely format my other drives before/after the initial OS reinstall?
 

USAFRet

Titan
Moderator
I mention the USB dock, so that the drive in it will not be spun up until after the OS is already running.
 

Deicidium369

Permanently banned.
BANNED
Ouch - McAfee? Wow. Zone Alarm is still a thing?

Scan everything and scan it often. But to me, I think the fighting over the cursor thing could have been something other than an incursion. Having a VPN makes it unlikely someone breached your system. I have no doubt you are having some issues - but someone taking control of your screen and cursor is not impossible but improbable.

Wow didn't see the part about remote assistance - WHY do you have remote assistance running? Yeah, you got clowned - but if you don't leave the back door open and the alarm code written on the alarm - you would not be getting hacked.

First off - get a decent package like Kaspersky Internet Security and Malwarebytes - the FULL TIME FULL RETAIL versions. And for god's sake - turn off the remote assistance.
 

ankit213506

Great
Change all your passwords first. Scan the whole computer. Don't plug any extra hard drives into the computer before scanning, otherwise you may lose the data.
Delete all kinds of temporary files.
 

henterpriser

Reputable
I wanted to see if I could change my external IP address, not the IP address on the IPV4. I've contacted my ISP and was told to get a new router (is this true? The ip address will change once I get a new router?)
Your ISP is way too stupid or they are compromising you.

Routers (modem routers, actually) only create a local DHCP server and connect you to your ISP with the external IP your ISP is giving it, so it doesn't affect your external IP.

Your solutions (in my opinion):
1. Use a VPN.
Yes! Using a VPN will change your external IP to protect your identity (that's the main usage of it).

2. Changing your ISP (Internet provider)
Changing your ISP simply means you are using another network, which results in an IP address change.
 
Some gaming servers offer little 'patches' to ostensibly offer you their latest 'mods and/or levels', but, if run by miscreants, offer hidden Remote Access gems as well...

It will do little good to nuke and pave if one then simply reloads/reinstalls the offending 'patches/updates' from a nefarious server operator...; consider yourself very fortunate to have even seen a 'mouse battle' to alert you of the potential intrusion.

Search a freefixer scan's results (lots of good categories in the results, including easy to read open/listening TCP/IP ports, running processes/services, etc), and look closely at all things starting in autoruns, task manager, and process explorer...

www.freefixer.com
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I'd flatten your router and reset its password to a quite proper complex one ASAP...
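
The checks discussed in this thread (whether Remote Desktop and Remote Assistance are enabled, and which processes hold listening ports or live connections) can be done read-only with built-in PowerShell cmdlets. This is an added example, not part of any post above; it assumes Windows 10 and an elevated PowerShell prompt.

```powershell
# Added example: read-only triage, changes nothing on the system.

# Remote Desktop: fDenyTSConnections = 1 means incoming RDP is refused (the default).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Remote Assistance: fAllowToGetHelp = 0 means assistance invitations are disabled.
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

[pscustomobject]@{
    RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)
    RemoteAssistanceEnabled = ($ra.fAllowToGetHelp -eq 1)
    TermServiceStatus       = (Get-Service -Name TermService).Status
} | Format-List

# Helper: attach the owning process name and binary path to a TCP connection.
function Add-ProcessInfo {
    param([Parameter(ValueFromPipeline)] $Connection)
    process {
        $p = Get-Process -Id $Connection.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $Connection.LocalAddress
            LocalPort     = $Connection.LocalPort
            RemoteAddress = $Connection.RemoteAddress
            RemotePort    = $Connection.RemotePort
            ProcessId     = $Connection.OwningProcess
            Process       = $p.ProcessName
            Path          = $p.Path   # empty for protected system processes
        }
    }
}

# Every listening TCP port: anything here can accept an inbound connection.
Get-NetTCPConnection -State Listen |
    Add-ProcessInfo |
    Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, ProcessId, Process, Path -AutoSize

# Established connections to non-loopback peers: who the machine is talking to now.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Add-ProcessInfo |
    Sort-Object Process |
    Format-Table RemoteAddress, RemotePort, ProcessId, Process, Path -AutoSize
```

Any listener or connection whose process path is unfamiliar is the thing to look up in Autoruns and Process Explorer before deciding the machine is clean.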