We've been hacked I guess, what now?
November 11, 2020 4:31 AM

I think one of our Windows laptops was hacked, maybe through remote access software. The mouse pointer was moving on its own. What should I do and how f***ed are we?

Husband, while sitting in front of his Windows 7 laptop and not doing anything (claims he was deep in thought for about 10 minutes), noticed the mouse pointer moving on its own - slowly, purposefully, towards the Firefox icon on the desktop. He moved his mouse to get the pointer back, and it moved again in the same fashion. The mouse was not physically moving, nothing was touching it, nothing was shaking the desk, etc. He then jigged his mouse (thinking it was me pranking him somehow), it didn't happen again and about 5 minutes later he shut the computer down. He only informed me of this about 8 hours later, while powering on the computer this morning. I stopped him from logging in and made him shut down the computer, so it was only running for about 5 minutes.

I have no idea how this happened, as we have adblockers installed on all computers and generally don't visit sketchy sites or blindly click OK on every prompt. The laptop has had the same setup for at least 5 years. I did install Windscribe VPN Firefox and Chrome plugins on the computer about a week ago, and that's about the only change I can remember making. They seem to be a reputable company.

Other facts:
- The laptop is running Windows 7 (and Ubuntu 18 dual boot). Windows has all the patches installed, but, you know, Win7 is not officially supported anymore. We've been using it for various stuff that doesn't work well on Linux or the newer versions.
- It's running the official MS malware tool, which is being updated about every 3 months or so.
- This happened on an account with admin privileges. (I know...)
- The rest of the household is using Ubuntu (16 through 20), Win10, Android, Raspbian, AndroidTV and Tizen.
- The laptop has some passwords saved in the Firefox password store, and a LastPass plugin (that may have been logged into at the time). There's a digital certificate used for some e-government stuff somewhere too. No banking stuff, as we're using mobile banking.

I changed the password on our home wifi, which we're all using. What should I do next? I'm thinking change all the passwords for mission-critical stuff (LastPass, email), backup things from the compromised laptop (while disconnected from the network) and then reinstall Windows. Anything else?

How worried should I be about other machines on our local network?

I'm an IT project manager, so presume a certain level of proficiency with computers, but not very deep (as I've had sysadmins deal with this for the last 10+ years).
posted by gakiko to Computers & Internet (18 answers total)
 
Does the mouse behaviour occur when disconnected from the internet? Does the mouse move towards a specific spot, or in a specific direction? I'd check that, because the movement you are describing sounds like a potential touchpad/touch-nub problem more than remote access, to me.
posted by Alterscape at 4:44 AM on November 11, 2020 [32 favorites]


So first off, before panicking, boot the computer up, take it off all networks and set it down. Watch for mouse movements. Could just be a trackpad problem on a laptop.
posted by AlexiaSky at 4:45 AM on November 11, 2020 [5 favorites]


Wait, was the pointer slowly drifting in the same direction no matter where you placed it? Because that sounds like a hardware problem with the mouse itself. That doesn’t sound like being hacked, and “hacked” would not be my first assumption. Does this laptop have a track pad as well as an external mouse? Might the problem be with the track pad?
posted by snowmentality at 4:47 AM on November 11, 2020 [5 favorites]


This sounds a lot like a dodgy trackpad. Try disabling the trackpad and seeing if it still happens.
posted by EndsOfInvention at 4:48 AM on November 11, 2020


Agreed. My first thought was trackpad or trackpoint issue. It's not a ThinkPad by any chance, is it, as I have seen this happen plenty of times on mine? The nub just gets a bit stuck in one direction and does exactly this.
posted by Chairboy at 4:48 AM on November 11, 2020


"Slow, purposeful" mouse movement is exactly the opposite of what I would expect to see in a remote access hack. If you're a hacker, you want to get in and do whatever you're trying to do and then get out as quickly as possible. Did the phantom mouse ever actually click on anything? Did it gravitate towards the Firefox icon from multiple directions, or did it just generally drift in one direction?

If the answer to both of those is no, then this is way more likely to be a mouse issue, either with the external mouse or the laptop's trackpad. Could just be a transient weirdness, could be a dying trackpad, but either way, not something that requires nuking it from orbit.
posted by firechicago at 4:50 AM on November 11, 2020 [2 favorites]


If the mouse pointer was moving at a completely consistent speed in a straight line, that's almost certainly either a mouse hardware issue or a mouse driver issue. If it happens again, try opening the mouse or touchpad control panel item and fiddling with acceleration and "enhanced precision" options.

And yes, this kind of thing is indeed more common on nubs than on trackpads, though I've seen it on both as well as on optical mice. If the machine does indeed have a nub, a good blast around the nub area with a can of compressed air might be enough to fix it.
posted by flabdablet at 5:02 AM on November 11, 2020 [1 favorite]


Response by poster: Update: no nubs, just trackpad and USB optical mouse. Laptop brand is MSI. No movement detected in the 10 minutes I've been keeping an eye on it. Will ask husband more details about movement.
posted by gakiko at 5:24 AM on November 11, 2020


Even my Macbook cursor seems to drift on its own now and then. I've always assumed it's some software anomaly, static in the trackpad, or the like.
posted by beagle at 6:34 AM on November 11, 2020 [1 favorite]


Whenever my cursor does something weird I change the batteries in the mouse and it solves the problem like 96% of the time.
posted by misskaz at 7:04 AM on November 11, 2020 [2 favorites]


My USB optical mouse will do that either if it needs new batteries, or if it is starting to die. I actually gave up on more pricey mice for that reason, and have had better luck with the cheap amazonbasics mice functioning longer.
posted by gudrun at 7:24 AM on November 11, 2020


no nubs, just trackpad and USB optical mouse

Is that a wired or wireless USB optical mouse?

If it's wireless, go buy the cheapest shittiest $15 USB wired mouse your local office supplies store has in stock. It will work better.

I loathe wireless mice. So many stupid unpredictable failure modes.
posted by flabdablet at 7:31 AM on November 11, 2020 [1 favorite]


I have had optical mice do that. Usually jiggling the mouse or moving it a bit makes it stop. It happens more if I'm trying to mouse on a patterned surface, or something with printing on it or similar, instead of a nice clean mousepad.
posted by beandip at 7:54 AM on November 11, 2020


Response by poster: Update #2:

Wired USB mouse. No batteries. I've been running the PC without an internet connection today, and there was no autonomous movement of the mouse pointer.

Husband says the movement looked like someone was moving it over a laggy, slow connection - he's seen someone do remote IT support like that and swears it looked just the same. The movement was in the same general direction both times, which seems to support the faulty mouse/trackpad hypothesis, but it stopped on the Firefox icon in the taskbar - if I move the mouse down and keep moving it in the same direction, the pointer disappears over the edge of the screen, it doesn't stop when it reaches the lower edge of the taskbar.

MS Malicious Software Removal Tool found nothing. Microsoft Security Essentials is still running.
posted by gakiko at 8:59 AM on November 11, 2020


Response by poster: Update #3: MSE found Trojan:Win32/Predator.ARA!MTB . I think it might be the culprit, if it actually was a hacker and not a faulty mouse/trackpad. I'm removing it now. What else should I do?
posted by gakiko at 9:52 AM on November 11, 2020


I’m on mobile so I can’t easily link it, but Deezil’s profile used to have a detailed game-plan for malware recovery.
posted by Alterscape at 11:48 AM on November 11, 2020


Deezil's infamous profile of fine anti-virus instructions
posted by zenon at 11:57 AM on November 11, 2020 [1 favorite]


Best answer: Turns out he has moved the directions offsite
posted by zenon at 11:59 AM on November 11, 2020 [7 favorites]

