When you have to assume your computer isn’t your computer anymore.
A tricky problem: someone breaks in, but you don’t know what they did.
Can you clean up? How do you keep it from happening again?
The news isn’t great.
Become a Patron of Ask Leo! and go ad-free!
Computer compromised?
Once your computer has been compromised, you can’t assume it’s yours anymore. The hacker could have left undetectable malware so they can continue to access the machine. The only safe solutions are to restore to an image backup taken prior to the compromise or to reinstall Windows (and everything else) from scratch.
It’s not your computer anymore
Once someone has accessed your computer, particularly if they’ve had an extended time with it and they happen to be particularly savvy, you can only assume it’s not your computer anymore.
By that I mean they could have installed malware, remote access software, keyloggers, and more. While a good anti-malware scan should catch most of that, there’s no guarantee that it’ll catch everything. You simply have no way to know what was done and no way to know what needs to be undone… or even if it can be undone completely.
You have two options.
Restore from backup
IF you know when the intrusion or compromise began, and you’ve been backing up regularly and completely, one solution is simple: restore your entire computer from a backup image taken prior to the compromise.
This depends on three things.
- You’ve been routinely taking image backups: backups that include everything on your hard disk.
- You know when the intrusion began.
- You’re certain that the intruder wasn’t able to compromise your backups. It’s rare, but once again, a possibility.
It sounds like the intrusion you’re speaking of has been going on a while. Even if you did specifically know when it started, restoring from a very old backup might not be practical.
That leaves the nuclear option.
Assume the worst: rebuild from scratch
You can’t trust your machine, so the only absolute solution is to start over.
That’s a drastic step, but if your intruder is as adept as you indicate, it’s likely the best approach. If they’re really good, they could leave hooks you could never find.
In your shoes, I would:
- Disconnect from the network
- Reinstall Windows from scratch
- Reinstall my applications from scratch
- Restore my data from backups or other locations as convenient
Then, for additional security:
- Either disable the administrator account (the default these days), or be sure it has a strong password.
- Ensure your own login account has a secure password.
- Make sure Windows and your applications are as up to date as possible.
- Remember physical security. If someone can walk up to it and reboot, then all the other security might be bypassed.
Consider reviewing all the steps outlined in Internet Safety: 7 Steps to Staying Safe Online. While we’re considering the security of your PC here, your online security is just as important, if not more so, and can sometimes be the steppingstone allowing access to your machine.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
One tip you left out, which helps a little with physical security–set a BIOS password. Also, if you are worried about booting from a floppy, some BIOS’s have a setting to disallow booting from a floppy or they at least allow you to specify booting from the hard drive first.
Never mind cleaning up, you have had that computer for 5 or 6 years, its prehistoric!
Do yourself a favour, give the old one to charity, or sell it on ebay, and get a new one. You will thank yourself for doing so. The difference will be huge, it will be soooo much faster you wont believe it.
ken
[URL removed]
If you value the data on the machine, then a reformat is your ONLY option. Otherwise the intruder could have loaded a “rootkit” (look it up on google), which is essentially impossible to find. At this point, you don’t own your computer, the bad guys own your machine, and you’ll never be able to get rid of them (short of a reformat). They can use your machine to send spam, they can use your machine to attack other people, they can use your machine to host kiddy porn (and then you’ve got to explain to the police what the kiddy porn was doing on your computer (this is a very real threat, it’s happened in the past (see: http://ask-leo.com/d-41012a for details)).
The list of things that a sophisticated hacker can do to make your life unpleasant is quite large.
Btw, Leo’s list of “day 1” suggestions is quite good (as always).
[editted link through redirector – ln]
If you donate your PC, make sure that you remove the hard drive if you have personal info on it. Information is not necessarily deleted from a hard drive just because you hit the delete button
No need to remove it. Just wipe it using DBAN or perform a full reformat (not a quick format) on it.
How Should I Erase My HDD Before Giving It Away?
can you help me beacuase someone has changed my password and my secret question. i would get a new account but i havnt saved my addys and i have loads what do i do?
That’s this article: http://ask-leo.com/ive_forgotten_the_answer_to_my_msn_hotmail_secret_question_and_my_password_what_do_i_do.html
best advice is to download: zone alarm, adaware, and spybot search and destroy, and nortan anti virus. Disconnect from the internet take of any programs or folders that u dont need anymore of look a lil sus. Install all those programs and set them up, change your ip address. Download all the latest updates then back ofline and scan your computer clean. Also try and back up those valuable files.If u do want a new computer get 1 then load all that stuff onto it so that they cant access it again. If they continually do it and you cant fix it theres allways the good old baseball bat visit them aproach :P
A person I trusted a lot has a lot of computer knowledge. He works in a data center. He has opened an email address at my work to make it look like it was done on my computer, under my other user IDs, which were mine. HE wrote himself emails and turned me in to HR for a “hostile work environment”. I am really worried because he had both of my laptops for a few days each and now he is mad at me and seeking revenge. Is it possible for him to have gained remote access into my laptops to send futher emails that appear to be me? I also found my firewalls were off and I have an unsecure wireless network I used for a while. I am really scared. I am now being investigated at work and I know his knowledge and anger will get me fired. How do I prove my innocence with someone who had total electronic access and ability to set me up?
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
“Is is worth it?” – that’s not a question I can answer.
That’s something you want to ask an attorney.
Leo
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFIOZV1CMEe9B/8oqERAmReAJ4o6lt/BqLYfNGf/zPjphHvT2YBkQCghBrM
5ifckS2Y/LI+zGHfg3kZYL0=
=/OtS
—–END PGP SIGNATURE—–
I have also had my aol,gmail email accounts hacked by someone that was very close to me. If she had access to my laptop in my home could she have gotten the passwords that way. I did have a couple of my accounts the the passwords remembered on my old laptop. She has been sending nasty emails from one of my email accounts also how do i find out where these emails were sent from? It was an aol account that she had access to of mine. I have the emails in the sent box im trying to find out where they were sent from the ip information?
Any help would be appreciated.
I too had my computer access compromised as a remote user on the company’s PC in my home. Someone hijacked my e-mail address, both personal and my work Lotus Notes accounts, andn were sending damaging e-mails to others with my address. I have always used either Verizon or Comcast high-speed, but I was pushed to try “remote access,” which I believe was constantly trying to be setup on the PC, which would not work. I could not stay connected at all, until I put a router between my cable modem and the PC, but then I was “slammed” every 15 minutes until I took the router off. Because of all this, my work reputation has been ruined, my skill reputation has been ruined, and I am finding it extremely difficult to rebuild my reputation. I have been “black-balled” out of the business that I was in, and now can only find part-time work doing menial tasks in the same field; however, my bosses have perceived me to be unintelligent. I will graduate with a bachelor’s degree in a technology field, and actually have an associate degree in a technology field. HELP! HOW DO I REINVENT MYSELF AND REGAIN MY WORK REPUTATION SO THAT I CAN FIND A DECENT JOB? Will I need to completely start over? I have been sent into almost finanacial ruin because of these lies and underhanded tactics at my former employer. The techs at work were constantly “reformatting” the PC, which was work’s, but I couldn’t even do my job — it was like there were constantly two people (at least) connected on with me at all times. My cable company administrator told me that he was watching my connection and help me one time when the PC “crashed.” We found some kind of ancient NT error — it took down everything. After I didn’t have to connect to that employer anymore, IMMEDIATELY my problems disappeared.
I work in an office and i have found that a person who has adminstrator access has went into my computer over ridded my codes and taken away a programme that was set up on my system . He did this when i was on my day off. Should he have come and said he wanted to go into my computer , and explained why he was taking this programme away as this programme was part of my job. Our firm is closing down due to retirement , but surely he just cannot go in without saying. He could have waited till i returned the next day and i would have let him in under my codes. Why have personnel coeds if someone can just go in and over ride them, when they want to.
17-Mar-2010
I have a question. I think someone might be looking at my email files using Outlook web access. I believe they already have teh usernames and passwords.
Is there a way to track who is looking at my messages?
08-May-2010
This is not a comment, but a question and im on my wits end… So my ex-hubbs and i are divorced for over 3 years, we have to communicate because of the child we have together, however i noticed at first that some emails between me and him dissapeard from my email account.. first i was like damn i must have deleted them in accident, then more and more disapeared… now he seems to know on social sites what i post etc… even though we blocked each other and my profile is on private..and we also do not have any friends in common… i recently had my email account suspended etc because of weird activity.. was able to get it back.. the list of things is long, now my question is, i know my ex is a IT specialist and works for a internet security firm, i am almost certain he hacked into my computer thrue my ip adress, is there a way i can find this out for sure? and if, what can i do to stop it and / or prevent it from happening again…
thanks
@Hated
If I suspected that someone was illegally accessing my computer, I would go to the police. They also deal with computer crimes.