I just had a rather alarming experience.
As I was sitting here doing something else, with my laptop open, logged in (Windows 10) but not in use, with Chrome open, I noticed some activity out of the corner of my eye. I looked at my screen just in time to see the PayPal login window disappear and get replaced with PayPal's main screen. For a brief moment I thought it was some animated ad until I remembered I had the password stored in my browser and realized it was logged into my account. I tried moving the mouse but the cursor was locked in position. As I watched, the mouse cursor smoothly moved to the address bar and began typing "linkedin.com".
At this point I immediately hard powered off the machine.
I cautiously rebooted and erased all the passwords from Chrome's password manager as well as from my Google account. I exported my firewall logs, startup task list, and running process logs, scanned for malware, then shut down the machine, and haven't touched it. Now I'm paranoid there's a key logger or something on it so I don't want to use it for the time being, especially if I'm typing in passwords. I used a different machine to change the PayPal password and enable 2FA.
The whole thing is surprising to me because I'm generally cautious about what I download, even more cautious about what I run, and this'd be the first time in about 25 years that I had something malicious make its way onto one of my machines.
I'm not even sure if there was a human controlling it live or if it was some macro-style automated thing. It was the strangest thing, and very freaky.
I checked all my financial activity and everything seems good; I think I just lucked out and caught this just in time.
My question is: What do I do now?
I tried to figure out what it was but:
- My firewall logs are too noisy and cluttered with legitimate connections.
- My running process log showed nothing unusual: whatever it was was either well-disguised as some legit process, was some service that I didn't notice (Windows has a ton running), or was no longer running.
- There was nothing unexpected in the startup task list.
- I haven't installed anything recently (i.e. no manual installations in at least the past few weeks).
- Neither the Windows nor Google malware scanning tools found anything. However, I didn't leave the machine on long enough to do a full scan with Kaspersky (where I had real-time protection disabled, unfortunately).
Does this sound like some malware / attack that's been going around recently?
The only thing I can think of to do is wipe the drive and reinstall everything from the ground up, since I can't figure out what happened. Is that my only option?
I could also restore from a backup at any point in the past 4 weeks except I don't know when whatever this was ended up on this machine.
What is my next step?
The whole thing was rather eye-opening and is really bugging the heck out of me. But I can't just leave the machine as it is knowing that that just happened.
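The post mentions exporting firewall logs, the startup task list and running processes and finding them too noisy to reason about. The script below is an added example, not part of the original question, showing a read-only triage snapshot for a Windows 10 host that ties each process, connection and autostart entry to its on-disk binary and Authenticode signature, which is what makes an unsigned binary in a user-writable folder stand out from the hundreds of legitimate Windows entries. It also pulls recent remote-logon events, since a cursor moving on its own is consistent with an interactive remote session rather than only a malware implant. The output folder `C:\Triage\...` is an assumption; point it at removable media if you want to preserve the evidence before wiping the machine. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read-only triage snapshot.
# Assumes an elevated PowerShell 5.1+ session on Windows 10.
$OutDir = "C:\Triage\$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # assumed output path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Running processes with parent, image path, command line and signature status.
Get-CimInstance Win32_Process | ForEach-Object {
    $sig = if ($_.ExecutablePath) { (Get-AuthenticodeSignature $_.ExecutablePath).Status } else { 'n/a' }
    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Name      = $_.Name
        Path      = $_.ExecutablePath
        Signature = $sig
        CmdLine   = $_.CommandLine
    }
} | Export-Csv "$OutDir\processes.csv" -NoTypeInformation

# 2. Established TCP connections mapped to the owning process (volatile: gone after a reboot).
Get-NetTCPConnection -State Established | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort  = $_.LocalPort
        RemoteAddr = $_.RemoteAddress
        RemotePort = $_.RemotePort
        PID        = $_.OwningProcess
        Process    = $p.ProcessName
        Path       = $p.Path
    }
} | Export-Csv "$OutDir\connections.csv" -NoTypeInformation

# 3. Autostart locations the Startup folder does not show: Run/RunOnce keys, scheduled tasks, services.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Export-Csv "$OutDir\runkeys.csv" -NoTypeInformation

Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $t = $_
    $t.Actions | ForEach-Object {
        [pscustomobject]@{
            TaskPath  = $t.TaskPath
            TaskName  = $t.TaskName
            Author    = $t.Author
            Execute   = $_.Execute      # null for non-exec action types
            Arguments = $_.Arguments
        }
    }
} | Export-Csv "$OutDir\tasks.csv" -NoTypeInformation

Get-CimInstance Win32_Service | Where-Object State -eq 'Running' |
    Select-Object Name, DisplayName, PathName, StartMode, StartName |
    Export-Csv "$OutDir\services.csv" -NoTypeInformation

# 4. Network and RDP logons (event 4624, logon types 3 and 10) from the last 7 days.
#    Property indices follow the 4624 event template: 5 = target user, 8 = logon type, 18 = source IP.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 3, 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';      e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[18].Value } } |
    Export-Csv "$OutDir\remote_logons.csv" -NoTypeInformation

# 5. First-pass review: anything unsigned, or running from a user-writable location.
Import-Csv "$OutDir\processes.csv" |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -match '\\(AppData|Temp|Users\\Public|ProgramData)\\' } |
    Format-Table PID, ParentPID, Name, Signature, Path -AutoSize
```

Two caveats on reading the output. Most Microsoft binaries are catalog-signed and report `Valid`, so the review in step 5 narrows the list rather than proving anything; a `NotSigned` entry under `AppData` or `Temp` deserves a look, but an empty list does not mean the machine is clean, which is exactly why a rebuild from known-good media remains the safe answer when the cause cannot be established. Also, the established-connections table is only meaningful while the suspicious session is live; once the machine has been hard powered off, that evidence is gone and the persistent artifacts (run keys, tasks, services, logon events) are what remains to inspect.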