
I just had a rather alarming experience.

As I was sitting here doing something else, with my laptop open, logged in (Windows 10) but not in use, with Chrome open, I noticed some activity out of the corner of my eye. I looked at my screen just in time to see the PayPal login window disappear and get replaced with PayPal's main screen. For a brief moment I thought it was some animated ad until I remembered I had the password stored in my browser and realized it was logged into my account. I tried moving the mouse but the cursor was locked in position. As I watched, the mouse cursor smoothly moved to the address bar and began typing "linkedin.com".

At this point I immediately hard powered off the machine.

I cautiously rebooted and erased all the passwords from Chrome's password manager as well as from my Google account. I exported my firewall logs, startup task list, and running process logs, scanned for malware, then shut down the machine, and haven't touched it. Now I'm paranoid there's a key logger or something on it so I don't want to use it for the time being, especially if I'm typing in passwords. I used a different machine to change the PayPal password and enable 2FA.

The whole thing is surprising to me because I'm generally cautious about what I download, even more cautious about what I run, and this'd be the first time in about 25 years that I had something malicious make its way onto one of my machines.

I'm not even sure if there was a human controlling it live or if it was some macro-style automated thing. It was the strangest thing, and very freaky.

I checked all my financial activity and everything seems good; I think I just lucked out and caught this just in time.

My question is: What do I do now?

I tried to figure out what it was but:

  • My firewall logs are too noisy and cluttered with legitimate connections.
  • My running process log showed nothing unusual: whatever it was, it was either well-disguised as some legit process, or was some service that I didn't notice (Windows has a ton running), or was no longer running.
  • There was nothing unexpected in the startup task list.
  • I haven't installed anything recently (i.e. no manual installations in at least the past few weeks).
  • Neither the Windows nor Google malware scanning tools found anything. However, I didn't leave the machine on long enough to do a full scan with Kaspersky (where I had realtime protection disabled, unfortunately).

Does this sound like some malware / attack that's been going around recently?

The only thing I can think of to do is wipe the drive and reinstall everything from the ground up, since I can't figure out what happened. Is that my only option?

I could also restore from a backup at any point in the past 4 weeks except I don't know when whatever this was ended up on this machine.

What is my next step?

The whole thing was rather eye-opening and is really bugging the heck out of me. But I can't just leave the machine as it is knowing that that just happened.

Jason C
  • Do you have a wireless keyboard and/or mouse? – Mark Jan 10 '23 at 04:23
  • Yes, I have a Logitech MX series wireless keyboard and mouse; I'm using the proprietary little non-Bluetooth wireless dongle that requires pairing. – Jason C Jan 10 '23 at 04:24
  • Is there someone nearby that could be using a similar keyboard and mouse? – Mark Jan 10 '23 at 04:34
  • Hmm... that's a good thought, but I don't think so; with this series you need to actively pair the devices, and the software will display all attached devices including serial numbers, device settings, etc. The product has always been well-behaved even when using it next to somebody else who had an identical keyboard and mouse. There'd have to be a flaw in these products for that to have happened, but my gut says they're pretty reliable; not that that means it couldn't happen. It just seems unlikely for this product line. – Jason C Jan 10 '23 at 04:43
  • I sucked it up and turned the machine back on with networking disabled so I could run a full scan with Kaspersky, and I think I may have found it. There was a copy of wmiprvse.exe in a suspicious place as well as a folder full of DLLs with random names, all classified by Kaspersky as remote administration applications. Seems like a classic situation. I still have to let the scan finish, though. I still don't trust the machine and am not sure what to do about it even if it does find and remove any results. – Jason C Jan 10 '23 at 04:45
  • The creation date on all of them was about 2 weeks ago. Assuming it's been on there that long I'm not really sure if it's done other real life damage; I'll have to scour my PayPal statements I guess, probably change all my passwords and turn on 2FA where I can... not really sure what these types of attacks typically go after. No idea what I could've done 2 weeks ago to get it, it doesn't line up with any software install dates in the Programs & Features dialog. What a pain... – Jason C Jan 10 '23 at 04:51
  • If there was malware, the only way to move forward is to completely wipe your HDD and reinstall from scratch. You can no longer trust any data on that HDD. For good measure I'll reflash BIOS firmware. UEFI has seen a lot of attacks recently and if you're a victim, OS reinstallation will be futile. Oh, and do check your backups for malware as well. You wouldn't want to restore malware :-) – Artem S. Tashkinov Jan 10 '23 at 09:52
  • If the mouse was moving to the address bar, then that isn't a script or something automated. A script would not move a mouse to a specific point in a window. What you saw was a human controlling your device. You would appear to have a Remote Access Trojan or some kind of "remote support" tool like Chrome Remote Desktop, GoToMyPC, TeamViewer, etc. Aside from that, we can't help as we are not a tech support site. – schroeder Jan 10 '23 at 10:05
  • Thanks; and for the linked post too. Just going to wipe the drive and reflash the BIOS to be sure. I'll reinstall applications from their sources, manually recover data from the backup via a Linux device, and start a new backup series. I know this wasn't the greatest post, just wasn't sure where else to go. :) – Jason C Jan 10 '23 at 13:25
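A defender-side triage check for the finding reported in the comments above (a copy of wmiprvse.exe outside its normal location, next to recently created DLLs), added here as an example and not code from the original post or its commenters. It assumes an elevated Windows PowerShell 5.1 session on the suspect machine with networking disabled, and a stock Windows 10 layout for the canonical WmiPrvSE.exe paths.

```powershell
# Added example (not from the original post): flag WmiPrvSE.exe instances and
# on-disk copies that live outside the canonical wbem folders, together with
# their Authenticode status, creation time and any recently created DLL
# neighbours. Assumption: stock Windows 10 paths, run elevated.

# Where the WMI Provider Host legitimately lives on a stock Windows 10 install.
$Canonical = @(
    "$env:SystemRoot\System32\wbem\WmiPrvSE.exe",
    "$env:SystemRoot\SysWOW64\wbem\WmiPrvSE.exe"
)

function Find-MasqueradingWmiPrvSE {
    param([int]$RecentDays = 30)   # window for "recently created" DLL neighbours

    # 1. Processes using the WmiPrvSE name right now but executing from elsewhere.
    #    Legitimate instances are started by svchost.exe (DcomLaunch), so the
    #    parent name is reported as a second signal.
    Get-CimInstance Win32_Process -Filter "Name = 'WmiPrvSE.exe'" |
        Where-Object { $_.ExecutablePath -and ($Canonical -notcontains $_.ExecutablePath) } |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Kind    = 'RunningProcess'
                Path    = $_.ExecutablePath
                Detail  = "PID $($_.ProcessId), parent $($parent.Name)"
                Created = $null
                Signer  = $null
            }
        }

    # 2. Copies on disk outside the canonical folders (hidden files included).
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wmiprvse.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $Canonical -notcontains $_.FullName } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            # DLLs dropped alongside the binary inside the recent window.
            $dlls = @(Get-ChildItem -Path $file.DirectoryName -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$RecentDays) })
            [pscustomobject]@{
                Kind    = 'DiskCopy'
                Path    = $file.FullName
                Detail  = "$($dlls.Count) DLL(s) created in last $RecentDays days"
                Created = $file.CreationTime
                Signer  = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            }
        }
}

Find-MasqueradingWmiPrvSE | Format-Table -AutoSize
```

A valid Microsoft signature on the canonical path is expected; an unsigned or differently signed copy elsewhere, or one not parented by svchost.exe, is the kind of result worth preserving (hash, path, timestamps) before the wipe the commenters recommend.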
