Been hacked despite having Malwarebytes and anti-virus software

[JerryBox]

I closed my laptop without locking the screen, assuming it's going to lock by itself. Don't know if it did. In a while I heard the famous windows "ding, ding" sound for a few times but didn't pay any attention. After some time I heard it again and decided to look what's going on. I opened my laptop and was shocked to see what's going on. The screen wasn't locked. I saw lots of different windows open: bit defender, malware bytes, web browser with different searches, my onedrive folder and many others. A totally different user was signed in (the built in Windows Administrator), therefore the desktop background was different and all the files of my own user were invisible. I ran my Bitdefender and Malwarebytes - they said everything was safe. I restarted my PC and it logged straight into the admin account without asking to enter a password. I've never used or even enabled this account.

It's more than obvious I have been hacked. 

1. I know I should uninstall malicious software, but how can I know which software is malicious, if Malwarebytes finds nothing? I don't trust myself to go through files with strange names and delete files manually using my own discretion.

2. How come Malwarebytes Premium and Bitdefender didn't prevent this from happening? It really raises the question what I'm actually paying money for. These programs are saying everything is ok, when quite obviously something is wrong.    

3. What should I do?

[dprout69]

Step 1 would be to disable the built in admin account.  That actually should have been done in any regard (its enabled by default).  Couple of ways to do it

https://www.isunshare.com/windows-10/3-ways-to-enable-and-disable-built-in-administrator-in-windows-10.html. 

 

Step 2 do you have a password on your router?  Is it a good password (not 1234)?  Do you have the ability to add mac addresses for allowed devices in your router?  Add them and add/change the password.

Most likely this is someone that just exploited your lack of securing your system (someone that lives around you).   Also what firewall are you using?

 

Step 3 Run a couple of other portable AV's (Avira has one, Emsisoft has one).  If they are all telling you there is nothing wrong then most likely see step 2, its one of your neighbors snooping on your computer.

Edited December 17, 2017 by dprout69

[dprout69]

Step 4 uninstall any software added in the last couple of days that you didn't add specifically, or any software that you added in the last month that is not from a reputable company (Microsoft, google or whomever) and use an uninstaller like revo...

Edited December 17, 2017 by dprout69

[JerryBox]

@dprout69Thanks for your help. Only after reading your comment I've realized what an idiot I was. I'm an airbnb host and gave all my guests my regular WiFi password, not a guest one... Could they have connected to my computer from a distance? There was a strange piece of software installed on the day of the incident. It's called ms:resource:appDisplayName and I can't uninstall it. I'll probobly reinstall windows to be completely safe. To answer your question, I use the default windows firewall. 

[dprout69]

Could they have connected to my computer from a distance?

Yep... Not only yours but anyone connected to that network and in all honesty, if they have your password there is no telling how long it's been going on from the very first person you gave the pwd to, to the very last.  The day of the incident may have just been the day you caught them.  I would say reinstalling windows would be the best bet because with access to the admin account they could have done a million things and you will probably never be able to track down every change and have peace of mind.  Also, any transactions you were conducting on the computer, change passwords (banking, Netflix, email accounts, etc.)

Most importantly, change your router password immediately and disable the admin account.

Additionally, spend a bit of time going through your router configuration and look for anything abnormal... strange mac addresses or routing IP's that you don't recognize.  May want to just hit the reset button on that too

 

 

Edited December 18, 2017 by dprout69

[David H. Lipman]

7 hours ago, JerryBox said:

@dprout69Thanks for your help. Only after reading your comment I've realized what an idiot I was. I'm an airbnb host and gave all my guests my regular WiFi password, not a guest one... Could they have connected to my computer from a distance? There was a strange piece of software installed on the day of the incident. It's called ms:resource:appDisplayName and I can't uninstall it. I'll probobly reinstall windows to be completely safe. To answer your question, I use the default windows firewall. 

Please check with your ISP as that may violate your Terms of Service ( ToS ) for sharing your Internet access with non-family.  That is unless you have a commercial subscription.

Your best option here is to have a separate Router altogether and "guests" should use the Ethernet and Wifi provided by that separate Router. 

Think of it as physically segregating the business and customer networks.

 

Edited December 18, 2017 by David H. Lipman

[JerryBox]

I appreciate your help guys. I just didn't expect someone can hack me knowing ONLY my WiFi password. I've deactivated the admin account and changed passwords. I've found strange chinese MAC addresses having connected to my WiFi recently. I'm going to reinstall Windows very soon. 

One of my computers has professional Windows and I've never traced any signs of intrusion on it, unlike on another one, which has Windows Home. I've heard professional Windows are safer, could it have prevented the hackers from breaking into that computer? If so, is there a need to reinstall windows on that one too?  

Lastly, should I be worried about the security of smartphones which i connected to WiFi with?

[David H. Lipman]

What do you think is a "Chinese MAC address" ?

As far as you may be concerned Windows Professional and Windows Home are relatively equivalent.  It isn't the the variant version of Windows that is relevant but HOW the PC is being used.  Windows professional is designed to work with Windows Server and Active Directory ( AD ) as a Domain Participant.  Windows Home lacks that capability.  When they are used in a non-AD environment they are relatively the same.  It is how they may be setup and used that makes a difference.  Reinstalling  Windows may just be a draconian knee-jerk reaction that may be unwarranted.

 

[dprout69]

Jerrybox it's your call.  You left the front door wide open, they came in and they had time to play around in your network (to include every mac address that connected to your router, phones or otherwise).  How long that was going on and what the extent of their tampering was is anyone's guess (You could probably review the router logs if you want to go to that level).  Me personally, I'd reinstall because I'd never have peace of mind that there wasn't something lingering.

Windows Pro has an admin account enabled by default without a password just like home does.  So if they got in one they got in the other.   As far as if they did anything on your phone that depends on their skill level. 

The intrusion may have been benign (just kids discovering).  The intrusion may have been malicious and turned your computers into bots for the next major virus outbreak.  Bottom line is do what you need to do to feel ok with it.

[AdvancedSetup]

Please note that regular members that have not completed a malware removal school are not allowed to provide malware detection and removal advice. I'll leave the topic as is but if you need further assistance please post in the malware removal section of the forum or stick with Networking and Administration advice.

Thank you

Ron

 

 

[JerryBox]

@dprout69 I am really amazed you told straight away the one who broke into my system had my router password. Just curious - how did you know?

 

[dprout69]

You are using MB and another AV which, although not 100%, almost eliminates malware as being the culprit and the symptoms you were describing are not usually how malware behaves.  If it were a zero day exploit the odds are higher you would hear about it on the news or on a forum before you were affected by it.  True "hackers" aren't spending time with individuals unless there is some kind of payout and since you are asking on here instead of asking your IT department, I can gather you aren't a large entity.  True hackers are going after companies where the risk and reward are equal.  Since they were in your admin account, which as I mentioned should have been disabled the second you got your computer, it was obvious to me that a door was left open somewhere... the most common point of entry is a password (weak or none) and the only place a password exists as an entry point (since they were not in your locked account) is your router.