Question Stuck for the best option after hack?

Jul 25, 2019
21
2
15
I'd really appreciate some help please. I will try to keep it short...

Basically, somehow someone managed to access my email. I have no idea how, particularly as I have 2FA setup - I get a 'key' prompt on my phone to ask if it is me logging in on a new device.

Whoever did it then setup a recovery email address (a disposable email address I believe) and an auto forward to another email address.

Whilst they had access they locked me out of services I use and then sent phishing emails to get back into my account - which I ignored.

Normally on those accounts you get alerts to tell you you've been locked out but I am guessing they permanently deleted those.

I removed the recovery and forward emails and changed my password. But now I don't know what to do to stop this again?

I have a suspicion that this is related to a refurb PC I bought recently but am not sure. I have run Malwarebytes scans on it but nothing came up. When I bought it the vendor (who seemed reputable and was recommended) sent me to download Windows and MS Office. At the time, I didn't think much of it but now I wonder. I may be wrong and it could be something else.

What do I do? Having read up, there seem to be differing views, from...

  • So long as mwb scan is clean I am ok
  • Do a rollback
  • Format the hard drive
  • Bin it and never use it again

What do people think please as I am a bit paranoid now. I am scared to use any of my devices at the moment in case I am being spied on or get hacked even worse.

Much appreciated.
 

PC Tailor

Illustrious
Ambassador
So to get this straight, you suspect you may have had a virus which compromised your accounts, and now you are looking at how you stop this from happening again with the same equipment? (Correct me if I have misread).

So long as mwb scan is clean I am ok
I would say largely this is true, but just remember Anti-malware and Anti-virus are technically geared to do 2 different things. Obviously all viruses are malware, but usually Anti-malware is more geared to very recent more advanced or subtle malicious codes/programs, whereas the Antivirus is the large proactive approach to a more general scheme.

Is this the free or premium MWB? I'm assuming free, in which case, you may want to use a good quality Anti-Virus such as Bitdefender to also do a full check.

Do a rollback
  • Do a rollback
  • Format the hard drive
If it is a virus, I'd sooner go for the format and clean install. A rollback has no guarantee that it will rollback far enough.

Bin it and never use it again
Personally I wouldn't bother, some malware does have the ability to retain itself in hardware yes, however they are few and far between and are usually much more advanced / malicious programs that would be doing far more than phishing. Nearly all mainstream malware will be cleared with effective proactive scanning or a complete wipe of the drive.

However, can you be sure that the issue has come from a virus?
Have you ever used an unsecure site to login to the accounts?
Have you ever logged into the accounts on an open WiFi without a VPN for example?
 
Jul 25, 2019
So to get this straight, you suspect you may have had a virus which compromised your accounts, and now you are looking at how you stop this from happening again with the same equipment? (Correct me if I have misread).


Basically, yes.

I would say largely this is true, but just remember Anti-malware and Anti-virus are technically geared to do 2 different things. Obviously all viruses are malware, but usually Anti-malware is more geared to very recent more advanced or subtle malicious codes/programs, whereas the Antivirus is the large proactive approach to a more general scheme.

Is this the free or premium MWB? I'm assuming free, in which case, you may want to use a good quality Anti-Virus such as Bitdefender to also do a full check.

It's the free version, but I am happy to upgrade.

If it is a virus, I'd sooner go for the format and clean install. A rollback has no guarantee that it will rollback far enough.


Personally I wouldn't bother, some malware does have the ability to retain itself in hardware yes, however they are few and far between and are usually much more advanced / malicious programs that would be doing far more than phishing. Nearly all mainstream malware will be cleared with effective proactive scanning or a complete wipe of the drive.

Would it be risky to reinstall the office software? I thought it might be the culprit but i am unsure now tbh.

However, can you be sure that the issue has come from a virus?
Have you ever used an unsecure site to login to the accounts?
Have you ever logged into the accounts on an open WiFi without a VPN for example?

Not to my knowledge. In a way this is the most frustrating part, not knowing how it happened. Especially as I use the login key for email.

Is there a VPN you would recommend please?

Thanks
 

PC Tailor

Illustrious
Ambassador
Sorry, my replies didn't format too well in there but hopefully you can still see them. Thanks again.
No problem at all my friend.

Not trying to critique MWB, it is bloody good, just in some ways they serve slightly different purposes. Personally I use Paid Bitdefender, but they also offer an outstanding free version and they always stay on the top of the AV tests.

It is just something worth considering, that's all. Usually if MWB doesn't pull anything out, I'd be inclined to trust it; I just don't use MWB myself except for repairs on other people's PCs.

Reinstalling MS Office software would be fine, but not sure a Virus will really embed itself here. But there is no harm in a clean, if you are concerned, a clean install is the best way to go.

As for VPN I would probably stick to this list:
  • NordVPN (what I use, fast, secure and cheap)
  • SurfShark (affordable and very fast and secure)
  • ExpressVPN (great security and speed, but expensive)
  • CyberGhost (affordable and good security but not necessarily the fastest)
I would typically recommend avoiding Free VPNs as there is always a catch. Which is up to you to decide if it's worth it, usually their security isn't quite as up to scratch, or they have tons of ads, or they sell your data.
 
Jul 25, 2019
No problem at all my friend.

Not trying to critique MWB, it is bloody good, just in some ways they serve slightly different purposes. Personally I use Paid Bitdefender, but they also offer an outstanding free version and they always stay on the top of the AV tests.

It is just something worth considering, that's all. Usually if MWB doesn't pull anything out, I'd be inclined to trust it; I just don't use MWB myself except for repairs on other people's PCs.

Reinstalling MS Office software would be fine, but not sure a Virus will really embed itself here. But there is no harm in a clean, if you are concerned, a clean install is the best way to go.

As for VPN I would probably stick to this list:
  • NordVPN (what I use, fast, secure and cheap)
  • SurfShark (affordable and very fast and secure)
  • ExpressVPN (great security and speed, but expensive)
  • CyberGhost (affordable and good security but not necessarily the fastest)
I would typically recommend avoiding Free VPNs as there is always a catch. Which is up to you to decide if it's worth it, usually their security isn't quite as up to scratch, or they have tons of ads, or they sell your data.

BTW - this was the video I was sent at the time about installing Office - https://vimeo.com/335568297


Does anything look unusual about that?

If not, if I reformat, will I just repeat the same process?
 

USAFRet

Titan
Moderator
This drive needs a full wipe and reinstall of Windows.
Don't try to 'fix this', or undo things...full wipe and reinstall.

Get the Windows install directly from Microsoft.
https://www.microsoft.com/en-us/software-download/windows10



Your email issues are a whole other problem.
 
Jul 25, 2019
This drive needs a full wipe and reinstall of Windows.
Don't try to 'fix this', or undo things...full wipe and reinstall.

Get the Windows install directly from Microsoft.
https://www.microsoft.com/en-us/software-download/windows10



Your email issues are a whole other problem.
Thanks, will the vpn and bitdefender help prevent future email problems?

I am still struggling to understand how someone bypassed the 2fa.
 

PC Tailor

Illustrious
Ambassador
Thanks, will the vpn and bitdefender help prevent future email problems?

I am still struggling to understand how someone bypassed the 2fa.
Not necessarily rectify the problem you had, but they are both outstanding applications to help protect your data and computer from infection and data breaches in the future.

I use a VPN and Bitdefender on all my devices as Bitdefender has never given me an issue, and I travel a lot so a VPN is essential. Less essential if you are on secured WiFi accessing secured networks/servers.
 
Jul 25, 2019
Not necessarily rectify the problem you had, but they are both outstanding applications to help protect your data and computer from infection and data breaches in the future.

I use a VPN and Bitdefender on all my devices as Bitdefender has never given me an issue, and I travel a lot so a VPN is essential. Less essential if you are on secured WiFi accessing secured networks/servers.
Thank you so much, you have been very helpful. How will I rectify the problem as you put it or will I never know?

I don't want to be worried about using my email.
 

PC Tailor

Illustrious
Ambassador
Thank you so much, you have been very helpful. How will I rectify the problem as you put it or will I never know?

I don't want to be worried about using my email.
Only way to know is to reset the login details for any compromised account.
Clean install OS as USA and I have stated.
Then act precautiously going forward.

If you do all of that, the problem shouldn't return.
 
I'd really appreciate some help please. I will try to keep it short...

Basically, somehow someone managed to access my email. I have no idea how, particularly as I have 2FA setup - I get a 'key' prompt on my phone to ask if it is me logging in on a new device.

Whoever did it then setup a recovery email address (a disposable email address I believe) and an auto forward to another email address.

Whilst they had access they locked me out of services I use and then sent phishing emails to get back into my account - which I ignored.

Normally on those accounts you get alerts to tell you you've been locked out but I am guessing they permanently deleted those.

I removed the recovery and forward emails and changed my password. But now I don't know what to do to stop this again?

I have a suspicion that this is related to a refurb PC I bought recently but am not sure. I have run Malwarebytes scans on it but nothing came up. When I bought it the vendor (who seemed reputable and was recommended) sent me to download Windows and MS Office. At the time, I didn't think much of it but now I wonder. I may be wrong and it could be something else.

What do I do? Having read up, there seem to be differing views, from...

  • So long as mwb scan is clean I am ok
  • Do a rollback
  • Format the hard drive
  • Bin it and never use it again
What do people think please as I am a bit paranoid now. I am scared to use any of my devices at the moment in case I am being spied on or get hacked even worse.

Much appreciated.

Go to https://haveibeenpwned.com/ and enter your email address.

Also change your security questions for password recovery.

Also if you have accounts linked to that email address, and use the same password on the account site, it's possible the hacker just tried the same password on your account.

For example:

My email account password is "ILoveBagels"

I sign up at "Bagels.com" and use my email address, and "ILoveBagels" as a password

Bagels.com gets hacked and they get the password for your Bagels.com account, along with the email address.

Hacker tries your bagels.com password on your email because people are lazy when it comes to security.
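The reuse scenario above (one password shared between a mail account and a site that later gets breached) is something you can check for yourself before an attacker does. The script below is an added example, not code from this thread or from the Have I Been Pwned project: it implements the k-anonymity lookup that the Pwned Passwords range endpoint uses (only the first five hex characters of the SHA-1 of a password leave your machine), plus a small audit that flags passwords which are either shared across sites or present in a breach list. Everything network-facing is replaced by a constructed stand-in (`fake_fetch_range`) so it runs offline; the account list and the "breach" response are constructed sample data, and `check_password`, `audit_accounts` and `fake_fetch_range` are names chosen here, not an API of any library.

```python
import hashlib
from typing import Callable, Dict, List

# SHA-1 is used here only because the range lookup protocol is keyed on it;
# it is not a recommendation for storing passwords.

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as the range protocol expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per known hash under the prefix)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for the password, or 0 if its suffix is not in the range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed offline stand-in for the real range endpoint ---------------
# A real client would fetch https://api.pwnedpasswords.com/range/<prefix>;
# here we fabricate a response that contains the bagel password's suffix.
_LEAKED_PASSWORD = "ILoveBagels"
_LEAKED_PREFIX, _LEAKED_SUFFIX = split_hash(_LEAKED_PASSWORD)

def fake_fetch_range(prefix: str) -> str:
    # Two filler suffixes are arbitrary constructed values.
    filler = ("0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
              "011053FD0102E94D6AE2F8B83D76FAF94F6:4\n")
    if prefix == _LEAKED_PREFIX:
        return filler + f"{_LEAKED_SUFFIX}:3104\n"
    return filler


def audit_accounts(accounts: Dict[str, str],
                   fetch_range: Callable[[str], str]) -> Dict[str, List[str]]:
    """Map site -> issues, where issues are 'reused' and/or 'breached'."""
    sites_by_password: Dict[str, List[str]] = {}
    for site, pw in accounts.items():
        sites_by_password.setdefault(pw, []).append(site)

    findings: Dict[str, List[str]] = {}
    for site, pw in accounts.items():
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if check_password(pw, fetch_range) > 0:
            issues.append("breached")
        if issues:
            findings[site] = issues
    return findings


# Constructed sample: the thread's scenario, one mailbox sharing its password
# with a bagel shop, and one site with a unique password.
SAMPLE_ACCOUNTS = {
    "mail.example": "ILoveBagels",
    "bagels.example": "ILoveBagels",
    "bank.example": "m7#Qz9!vR2pL-unique",
}

if __name__ == "__main__":
    for site, issues in audit_accounts(SAMPLE_ACCOUNTS, fake_fetch_range).items():
        print(f"{site}: {', '.join(issues)}")
```

Swapping `fake_fetch_range` for a function that performs the real HTTPS request is the only change needed to run this against the live service; the suffix comparison still happens locally, so the password itself is never transmitted.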
 
Thanks, will the vpn and bitdefender help prevent future email problems?

I am still struggling to understand how someone bypassed the 2fa.

2FA via text isn't secure. Anyone who purchases access to a wireless company's text system (using an SS7 exploit) can intercept said 2FA. Also, conning the phone carrier into switching SIM card IDs is another common attack.


Another possibility your phone might be the device that is hacked. Especially if you access your email with it.
 
Jul 30, 2019
I'd really appreciate some help please. I will try to keep it short...

Basically, somehow someone managed to access my email. I have no idea how, particularly as I have 2FA setup - I get a 'key' prompt on my phone to ask if it is me logging in on a new device.

Whoever did it then setup a recovery email address (a disposable email address I believe) and an auto forward to another email address.

Whilst they had access they locked me out of services I use and then sent phishing emails to get back into my account - which I ignored.

Normally on those accounts you get alerts to tell you you've been locked out but I am guessing they permanently deleted those.

I removed the recovery and forward emails and changed my password. But now I don't know what to do to stop this again?

I have a suspicion that this is related to a refurb PC I bought recently but am not sure. I have run Malwarebytes scans on it but nothing came up. When I bought it the vendor (who seemed reputable and was recommended) sent me to download Windows and MS Office. At the time, I didn't think much of it but now I wonder. I may be wrong and it could be something else.

What do I do? Having read up, there seem to be differing views, from...

  • So long as mwb scan is clean I am ok
  • Do a rollback
  • Format the hard drive
  • Bin it and never use it again
What do people think please as I am a bit paranoid now. I am scared to use any of my devices at the moment in case I am being spied on or get hacked even worse.

Much appreciated.
I had the same problem, someone hacked my email account as well... I didn't want the same thing happening again so I got Surfshark. It has the newest security protocols so I thought that it should be safe enough for me to not get hacked again; haven't had any issues.
 

PC Tailor

Illustrious
Ambassador
I had the same problem, someone hacked my email account as well... I didn't want the same thing happening again so I got Surfshark. It has the newest security protocols so I thought that it should be safe enough for me to not get hacked again; haven't had any issues.
Surfshark is also good.

If you want probably the "better featured" VPNs from my experience - NordVPN, ExpressVPN (expensive), Surfshark, and CyberGhost (slower than others). They all have latest security really.
 
Jul 25, 2019
This drive needs a full wipe and reinstall of Windows.
Don't try to 'fix this', or undo things...full wipe and reinstall.

Get the Windows install directly from Microsoft.
https://www.microsoft.com/en-us/software-download/windows10



Your email issues are a whole other problem.

Hi, I wanted to follow-up on this.

First of all, thank you so much for people taking the time to help, I really appreciate it. This is not an area I am very knowledgeable in so advice from those who know more than me is great.

I have done a clean install as you said, getting the install directly from microsoft and following that thread you highlighted. I must confess, I did it for a second time after I had accidentally skipped a step on deleting all the partitions etc.

Anyway, there has been a development, I am fairly sure that my problem was caused by a 'cmd.exe' script running when chrome opened - I discovered this after temporarily installing Comodo Free pre-the reinstall (I have since purchased Bitdefender Total Security 2020 + their VPN service and have free Malwarebytes too).

Comodo showed the 'cmd.exe' above script running and sandboxed it. I googled this and it seems to be a known spyware problem. I am guessing this is how my email was hacked. So on to the clean reinstall...

I went through the process as mentioned. Then I went on to connect my PC to the internet to download Bitdefender etc. However, something odd happened - a File Explorer window I had open (I had been cleaning the C: drive) closed of its own accord and in the corner of my eye I saw another window quickly open then close.

I'll be honest, this worried me a lot and made me think there was still a problem even after a full, clean install. Am I being paranoid?

If not, what could do that? Could it be something in the hardware or somewhere else?

I'd really appreciate some help please.
 

PC Tailor

Illustrious
Ambassador
Comodo showed the 'cmd.exe' above script running and sandboxed it. I googled this and it seems to be a known spyware problem.
This could well be something.

Bitdefender Total Security 2020 + their VPN service and have free Malwarebytes too
If you have Bitdefender Total, you don't really need malwarebytes.

I'll be honest, this worried me a lot and made me think there was still a problem even after a full, clean install. Am I being paranoid?
Probably. A clean install will remove 99.9% of viruses. The remaining 0.01% are advanced malware that can reside in hardware, which are very few and far between, and aren't really targeted against consumers.

Best thing to do is to continue as necessary, and make sure you follow the tips above, if an issue returns, then you know something else is at play. Maybe even on another device for example.
 
Jul 25, 2019
This could well be something.


If you have Bitdefender Total, you don't really need malwarebytes.


Probably. A clean install will remove 99.9% of viruses. The remaining 0.01% are advanced malware that can reside in hardware, which are very few and far between, and aren't really targeted against consumers.

Best thing to do is to continue as necessary, and make sure you follow the tips above, if an issue returns, then you know something else is at play. Maybe even on another device for example.

Thank you again. I will try. Just quickly....

I thought I was being doubly safe with BD and MWB both being on. I thought they did different things but would BD work better 'alone'?
 

PC Tailor

Illustrious
Ambassador
Thank you again. I will try. Just quickly....

I thought I was being doubly safe with BD and MWB both being on. I thought they did different things but would BD work better 'alone'?
They don't do entirely different things, but are geared towards different things. But you'll find a top quality AV will do nearly all of it. I run BD by itself and have never had an infection.

Nothing wrong with both, but IMO it's not needed. That and if you happen to run them both at the same time, then heuristic testing might make them conflict.
 
Jul 25, 2019
They don't do entirely different things, but are geared towards different things. But you'll find a top quality AV will do nearly all of it. I run BD by itself and have never had an infection.

Nothing wrong with both, but IMO it's not needed. That and if you happen to run them both at the same time, then heuristic testing might make them conflict.

Another quick update (and question please).

Since getting Bitdefender running, it seems to be giving regular alerts / warnings on the PC (not others). For example, it has blocked....

  • searchui.exe (seems to be cortana linked)
  • backgroundtaskhost.exe (in system32)
  • backgroundtransferhost.exe (in system32)
  • usocoreworker.exe (also in system32)

Also, when downloading and setting up chrome the bitdefender extensions were really tough to add.

Finally I had a weird thing where I could not get the windows / power button to work and had to use the physical button. Again, never had this on other devices.

Any thoughts?
 
Jul 25, 2019
Sorry one last thing (another which I never see elsewhere) - the bitdefender message keeps popping up in the bottom corner saying 'internet is secure, you can now browse safely' almost like it is being turned on and off?

Beginning to feel crazy but it all seems odd!
 
Hi, I wanted to follow-up on this.

First of all, thank you so much for people taking the time to help, I really appreciate it. This is not an area I am very knowledgeable in so advice from those who know more than me is great.

I have done a clean install as you said, getting the install directly from microsoft and following that thread you highlighted. I must confess, I did it for a second time after I had accidentally skipped a step on deleting all the partitions etc.

Anyway, there has been a development, I am fairly sure that my problem was caused by a 'cmd.exe' script running when chrome opened - I discovered this after temporarily installing Comodo Free pre-the reinstall (I have since purchased Bitdefender Total Security 2020 + their VPN service and have free Malwarebytes too).

Comodo showed the 'cmd.exe' above script running and sandboxed it. I googled this and it seems to be a known spyware problem. I am guessing this is how my email was hacked. So on to the clean reinstall...

I went through the process as mentioned. Then I went on to connect my PC to the internet to download Bitdefender etc. However, something odd happened - a File Explorer window I had open (I had been cleaning the C: drive) closed of its own accord and in the corner of my eye I saw another window quickly open then close.

I'll be honest, this worried me a lot and made me think there was still a problem even after a full, clean install. Am I being paranoid?

If not, what could do that? Could it be something in the hardware or somewhere else?

I'd really appreciate some help please.

Bitdefender comes with a free "recovery" scan. It will create a bootable USB key which will run a scan on the Windows drive. Since this recovery program is based on Linux, and loads before the Windows boot loader has a chance, it will catch anything installed on the Windows system. If you TRULY did a clean install with a wiped partition, then there is a strong possibility of a boot kit virus. The only thing that can truly fix this is a clean UEFI ROM overwrite from the motherboard manufacturer.
 
Sorry one last thing (another which I never see elsewhere) - the bitdefender message keeps popping up in the bottom corner saying 'internet is secure, you can now browse safely' almost like it is being turned on and off?

Beginning to feel crazy but it all seems odd!

The way to tell is to go to your browser and in Google type "What is my IP?" It should show an IP address that obviously doesn't belong to your WAN, or is nowhere near your house.
 
Jul 25, 2019
Bitdefender comes with a free "recovery" scan. It will create a bootable USB key which will run a scan on the Windows drive. Since this recovery program is based on Linux, and loads before the Windows boot loader has a chance, it will catch anything installed on the Windows system. If you TRULY did a clean install with a wiped partition, then there is a strong possibility of a boot kit virus. The only thing that can truly fix this is a clean UEFI ROM overwrite from the motherboard manufacturer.

Hi, thank you. Do you know of a good guide to do this please? I tried google but struggled to find one.