
Suspect my Computer's Been Hacked

Discussion in 'General Security' started by ladybon, Apr 21, 2010.

  1. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    This is my first post on your web site. Wish I had known about the site long ago, could have saved myself so many headaches. Anyway, I hope I'm in the correct forum for my problem. I strongly suspect a relative has hacked into my computer. The person I suspect is listed as a user on my system, and is also a computer specialist, working in the field for over 20 years. He had done some minor repairs to my laptop a year ago, and since that time has been listed as a user, and also had remote privileges, and who knows what else. I was away for several days, came home, turned on my laptop and the icons on my desktop were huge, blurred, and scattered from one side of the screen to the other, some even off the screen. I went through the steps of changing the display, but nothing worked. I was also getting a lot of error messages, my router wasn't working, and I suspected my dsl modem was also malfunctioning. I phoned my service provider's tech service and, as she walked me through some possible fixes, we found that there were no ip addresses, among other things. She was able to get the dsl modem back on track, but not the router. She also told me that it was highly likely that someone had hacked into my machine, since the condition of my desktop screen could not have happened accidentally, especially since I was unable to fix it through "Display". I immediately deleted this person's name and icon from my desktop as a user on my laptop, but not sure if he could still do harm. The following day, he was again listed on my desktop as a user, and with a NEW icon. I had been a user on his Norton Anti-Virus, and that had been turned off. I turned it back on, ran a scan, and found several viruses had been able to get through. I had filled out my tax information on my laptop before leaving, and when I opened it, all the info was gone, and a totally new version of the software was on my screen.

    After he had worked on my computer last year, he told me to always put it in hibernate when finished, don't shut down completely. I believe having my laptop in hibernate gave him the opportunity to hack into it. I would really like some expert opinions regarding this, as I certainly don't want to make false accusations. Please help me! Thank you.
     
  2. maceman

    maceman

    Joined:
    Mar 1, 2010
    Messages:
    291
    Hi,
    That is too bad :(
    First thing to do is to disconnect it from internet. Scan your computer for malware. There are good tricks in this forum too. Maybe after that you can save some data, even if you can't totally fix it. You may even have to format your HDD and do a fresh install.
     
  3. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    Thanks for your help maceman, but I've already gone through those steps, some of them with the techie from AT&T. In the meantime, I've downloaded AVG Anti-Virus and uninstalled the Norton. I contacted the tax software supplier and they walked me through the steps to retrieve my tax file, with all the info. I also turn my laptop completely OFF now when I'm finished. Do you think I'm correct in suspecting this person of hacking into my computer?
     
  4. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    Does this mean you also have a desktop computer, or do you mean you deleted some icon on the desktop of your laptop computer?

    You seem to be hacked, but one cannot be sure who it is that is doing the hacking. If your relative fixed your laptop, and arranged it so that he can remotely login to your computer, then he doesn't need to hack to get in. In any case, since you suspect him, go and delete his account. Go to Control Panel / User Accounts, and delete his account and all his files.

    The fact that you say that that user is again listed as a user on your Desktop machine, could mean several things. a) the hacker doesn't need an account to get back in. b) he created the account again for you to show you that you shouldn't delete that account ( why? I don't know )

    It is best you fix or get a new router, because a router acts as a low end hardware firewall, and can stop most hackers.

    After a computer has been hacked, it is best to backup the data, and reformat and reinstall Windows. After all, you don't know what hacking tools have been installed on the computer, thus you cannot rid yourself of them.
     
  5. maceman

    maceman

    Joined:
    Mar 1, 2010
    Messages:
    291
    Hi Ladybon,

    You could go to police, they have their (legal) ways to find who messed up your computer. But I'm afraid that they have no time for Average Jane's and Joe's hackers :(
     
  6. Bernardo

    Bernardo

    Joined:
    Jan 8, 2006
    Messages:
    4,221
    You don't have to make any accusations. Simply ask the person if he/she still has a way to access your computer as you're still having problems....and go from there.
     
  7. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    Thanks to all of you for your input. Sorry I wasn't clear regarding the "desktop" I was referring to. I don't have a desktop computer; the reference was to the desktop on my laptop. When he had signed up again as a user after I had deleted his account, I did go to Control Panel and deleted him there. Since then, he hasn't shown up again on my desktop, and things on my system haven't gotten any worse.

    There are a few residuals that I haven't been able to get rid of: I occasionally get an error message, "Windows Installer - feature you are trying to use is on a CD Rom that's not available. Insert "Smart Web Printing" disc." 90% of the time this comes up when I try to print, but 10% of the time it will appear in other areas. I have to click on "cancel" or the red X at least three or four times before it will disappear.
    Another message I get every time I print a document is "System cannot open Watermark file specified". I've clicked on the Watermark tab in the print screen, and there's nothing there that would either explain the error message, or give me an option to correct it. Neither of these error messages had ever appeared on my screen prior to the remote access attack, and I've never used the Watermark option on my printer.

    This person is a relative, and I know how he lies and manipulates. Even if I were so inclined to ask him if he still had the means to access my system, I could never trust him to tell me the truth. Besides, common sense tells me that it must be him due to the fact that his name appeared again as a user on the desktop of my laptop after I had deleted him. Can any of you experts out there explain why or how anyone else besides him would do that? I'm 95% sure he's the one who accessed my system and did all that damage, but without the other 5%, I don't feel comfortable making accusations. I was hoping one of you could give me the other 5% assurance.

    Even if I were inclined to go to the police and file a report, I know it would be a waste of time, especially without proof. I don't want revenge, I just want to know if there could possibly be anyone else besides him who could have done this. I don't think so, since he's the only one who has remote access, he's a computer guru, and had done work on my laptop at his home. However, I'm not an expert in the more advanced inner workings of a computer. Can any of you verify that last 5% for me? Thanks for ALL your great input and suggestions.
     
  8. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    If he restored his user profile after you deleted it, then either he's rootkitted your computer or he has the administrator password. You should change the administrator password, and I would very strongly advise you to completely reset your router to factory defaults, then immediately configure a username and hard to guess password for it, AND disable its remote management features.

    Those steps, by themselves WILL block him from remotely accessing your machine, though if you leave the wireless radio on and he gets close enough to your house he could probably break in that way.

    You then need to conduct a hunt for trojans or root kits. Alternatively, you could just do a clean install; if you find a rootkit the recommendation is for a clean install anyway because that's the only way to be sure you have gotten rid of it.

    As for that other 5%...sorry. No one will be able to tell you that without doing a forensic examination of your hard drive. That takes time and costs money. It also might not be totally conclusive because Windows isn't all that good about logging things that are going on. You can set it to log everything, but no one ever does that. So it might not be possible to conclusively tell, though you might get 3-4% of the missing 5.
     
  9. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    Did you also turn off remote access, since you said someone has that permission?

    -Right click on the My Computer icon, select properties
    -Select the remote Tab.
    -Unclick any remote access grants.
     
  10. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    One thing, your relative may have left remote access turned on, but it may be another hacker that discovered the access. So you can not positively say that it was him.

    Is there any incentive for your relative to hack your PC? Were you arguing with him? Was he mad at you for something?
     
  11. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    Jim18, thanks for the helpful information. I'm certainly no computer expert and that has been one of my concerns, afraid he had installed something destructive somewhere in the guts of the laptop. I have never heard of a root kit. Would an anti-virus scan uncover this and a trojan? Also, when you refer to the administrator password, I'm assuming you mean for the router itself? Is the wireless radio the router? If I were to turn off the router, will that erase any ip addresses, passwords, user names, etc.?

    It's these kinds of things that make me nervous, afraid I'm going to create more of a problem and not be able to go back to fix it.

    What do you mean by a "clean install"? I assume you refer to the router? I appreciate all the info you sent, since it points out critical recommendations to further ensure my laptop is completely rid of anything he may have done to harm it. And, these are things I had never even heard of and, therefore, would never have considered. Thanks so much.
     
  12. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    Thanks, antimoth. I have turned off the remote access. I appreciate your input because I wasn't sure if the procedure you gave me was sufficient, not knowing if there were other areas inside the laptop that also had to be "unchecked". You have alleviated one of my many concerns. Thanks again.
     
  13. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    The relative is my son-in-law. He's never made me feel comfortable around him, and has put a wedge between me and my grandchildren, whom I had a strong bond with. He is their step-father, and apparently quite insecure. He's been in the picture for the past 5 years, and has done a lot of damage, even though I did all I could to win him over, nothing worked. He's always treated me with disrespect and rudeness. I said nothing to either him or my daughter until a couple months ago, when I told my daughter I deserved to be treated with respect. Unfortunately, she defended him. I'm pretty sure he accessed my computer in retaliation. Not a nice person, unfortunately for my daughter and grandchildren.
     
  14. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,882
    The only real way of getting rid of a hacker after he has hacked your PC is to reformat and reinstall Windows. After that, update Windows with all service packs and patches, and update ALL your software. This is to ensure that there are no security vulnerabilities left unaccounted for. Hackers exploit security vulnerabilities to hack in. Then, you have to deploy good network security, like having a router and a good software firewall too. For software firewall, I recommend Online Armor Free. For router, look for one with SPI ( stateful packet inspection ).

    It is of absolutely no use to add security onto an already hacked PC. Because the hacker would have installed a backdoor, and ways to hide himself. There are some tools to detect rootkits, but their scans may be incomplete, and you'd need to employ several tools. And Antivirus tools do not recognize these things. You would also need to be knowledgeable enough to distinguish legitimate programs included with Windows apart from his tools. The time you take trying to dig out the hacking tools is better spent doing a fresh install of Windows.

    If you already have a router, change the router's admin password. And check that it is not doing Port Forwarding of any ports. Some routers call that as 'running servers', so make sure there are no servers set with an ip address.
     
  15. ladybon

    ladybon Thread Starter

    Joined:
    Apr 21, 2010
    Messages:
    36
    Thanks lunarlander. Your recommendations are very thorough, but I'm afraid to get into this much depth, since I don't have the expertise to follow through. I'm afraid I'll really make a mess of it. I think I'll have to hire someone to come and do these things for me. I'm not comfortable doing it myself. I guess he's made a real mess of my laptop. He was attempting to get through to my laptop on Friday and may have succeeded. I opened Administrator Services/Security, and found several Security IDs referring to attempted log-ons. ID 529, Symbolic Name SE_AUDITID_UNKNOWN_USER_OR_PWD. Message: Logon failure: Reason: Unknown user name or bad password; User name: %1; Domain: %2; Logon type: %3; Logon process: %4; Authentication package: %5; Workstation name: %6.

    Another Security ID, No. 528, symbolic name: SE_AUDITID_SUCCESSFUL_LOGON. Message: User name: %1; Domain: %2; Logon ID: %3; Logon type: %4; Logon process: %5; Authentication Package: %6; Workstation name: %7; Logon GUID: %8; Caller user name: %9; Caller domain: %10; Caller logon ID: %11; Caller process ID: %12; Transited services: %13; Source Network address: %14; Source port: %15.

    Does the information in the "message" area make sense? It's all numbers, no name, workstation location, logon ID, etc? Can these numbers be translated into a format that would help me identify who this is?

    Another, Source: Dhcp; ID: 1007; Symbolic name: EVENT_IPAUTOCONFIGURATION_SUCCEEDED; Message: Your computer has automatically configured the IP address for the Network Card with network address %1. The IP address being used is %2.

    Source: Security; ID 576; Component: Security Event Log; Symbolic name: SE_AUDITID_ASSIGN_SPECIAL_PRIV; Message: Special privileges assigned to new logon: User name: %1; Domain: %2; Logon ID: %3; Assigned: %4.

    I have no idea what all the above means, but am sure it's not good. HELP!
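
The %1, %2, ... entries quoted above are the slots of a message template; each logged event fills them with its own insertion strings. As an added example (not part of the original thread), this Python sketch pairs event records with the field names from the 528 and 529 templates above and picks out logons that arrived over the network. The sample records, account names and addresses are constructed, and the logon-type numbers (2 interactive, 3 network, 10 Remote Desktop) are the standard Windows values.

```python
from collections import Counter

# Field names for each insertion string (%1, %2, ...), taken from the
# message templates quoted in the post above.
FIELDS = {
    528: ["User name", "Domain", "Logon ID", "Logon type", "Logon process",
          "Authentication package", "Workstation name", "Logon GUID",
          "Caller user name", "Caller domain", "Caller logon ID",
          "Caller process ID", "Transited services",
          "Source network address", "Source port"],
    529: ["User name", "Domain", "Logon type", "Logon process",
          "Authentication package", "Workstation name"],
}
# Logon types that mean the session came in over the network.
REMOTE_TYPES = {"3": "Network", "10": "RemoteInteractive"}

def decode(event_id, strings):
    """Pair an event's insertion strings with the template's field names."""
    return dict(zip(FIELDS[event_id], strings))

def triage(events):
    """Return (remote successful logons, failed-logon counts per account)."""
    remote, failed = [], Counter()
    for event_id, strings in events:
        if event_id not in FIELDS:
            continue  # e.g. 576 or Dhcp 1007: not a logon record
        rec = decode(event_id, strings)
        if event_id == 529:
            failed[(rec["User name"], rec["Workstation name"])] += 1
        elif rec["Logon type"] in REMOTE_TYPES:
            remote.append((rec["User name"], REMOTE_TYPES[rec["Logon type"]],
                           rec.get("Source network address", "-")))
    return remote, failed

# Constructed sample records (event ID, insertion strings); not from the thread.
SAMPLE = [
    (529, ["guest1", "LAPTOP", "10", "User32", "Negotiate", "LAPTOP"]),
    (529, ["guest1", "LAPTOP", "10", "User32", "Negotiate", "LAPTOP"]),
    (528, ["owner", "LAPTOP", "(0x0,0x1A2B3)", "2", "User32", "Negotiate",
           "LAPTOP", "-", "-", "-", "-", "-", "-", "127.0.0.1", "0"]),
    (528, ["guest1", "LAPTOP", "(0x0,0x2C4D5)", "10", "User32", "Negotiate",
           "LAPTOP", "-", "-", "-", "-", "-", "-", "203.0.113.7", "49231"]),
    (576, ["guest1", "LAPTOP", "(0x0,0x2C4D5)", "SeDebugPrivilege"]),
]

if __name__ == "__main__":
    remote, failed = triage(SAMPLE)
    for user, kind, addr in remote:
        print(f"remote logon: {user} via {kind} from {addr}")
    for (user, host), n in failed.items():
        print(f"{n} failed logon(s) for {user} at workstation {host}")
```
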
     