jhmed
Posts: 17 +0
So, yesterday a good friend of mine was playing TF2 when all of a sudden his Medic began to move on its own. The in-game menus began opening and closing on their own, very peculiar stuff... He exited the game. Then, with Steam still active in the system tray, the hacker began to open Office documents etc... He closed Steam down which seemed to end the threat. It was late and he couldn't call to have me investigate for him, so today I had him bring his rig over for the day so we could inspect logs etc...
I didn't see anything in the event viewer that was alarming, and since he made no notation of the times etc., just that it was between 12-1am, there were a lot of things happening as he was trying to figure things out. We ran virus scans (Norton Corp v8 or 10, I can't remember which, Norton online scan from the Symantec website, and we did a scan with AVG) and did a Spybot check. Everything appeared clean. Checked Windows Update to ensure he was up to date with the latest and greatest from Bill and Co.
I looked at the Windows Firewall, and there were a lot of Exceptions, but all seemed ok. I shut off a couple that I deemed unnecessary and told him to monitor the situation and to call me if it happens again -- 3am I don't care....
Tonight he called me and told me it happened again. I VNC'd in (v4something Enterprise, with encryption) and watched as this guy took control of the machine. I watched as he would attempt to launch games on my friend's My Games page in his Steam account, and even turned on his WinTV card. We exited Steam and the activity stopped. I closed every port on Windows Firewall except VNC, Steam, and Skype, and we launched TF2 again. Within minutes it happened again.
I checked the logs on the router (wireless is disabled on the router), and the logs in Event Viewer, the Steam forums and I did some Googling but to no avail.... IP scan (using netscan.exe) shows only my friend's PC and the Router on the LAN.
We have unplugged his PC from the net, and he will be bringing it back to me tomorrow. I changed his passwords for sensitive sites from my machine (except Steam -- if this OP obtained the IP thru Steam, we don't want him finding my IP and possibly compromising 2 systems) and we will be trying to figure out how this person is getting in, and more importantly, how to stop it.
I've never seen this in person before, so I'm not too sure where to begin. I think I will start by performing the steps for Anti-Virus/Malware removal on this site... But I don't know if it will do any good.
Any help would be appreciated.
Thanks in advance,
Andy
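One triage step the post describes only loosely (looking at firewall exceptions, scanning the LAN, watching the activity) is to tie every open socket on the affected PC to the process that owns it, so that a remote-control channel shows up as either an unexpected listener or an established connection to an outside address with a known owning process. The script below is an added example, not code from this thread: it parses the output of `netstat -ano` and `tasklist /fo csv /nh` (both available on Windows XP and later) and reports anything outside a defender-supplied allow list. The sample outputs, the LAN range 192.168.1.0/24, the process names `winvnc4.exe` and `unknown_helper.exe`, and the addresses in them are all constructed for the example; on a real machine you would redirect the two commands to files and feed those in.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from the thread's machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:6123           0.0.0.0:0              LISTENING       3101
  TCP    192.168.1.10:27015     203.0.113.45:51234     ESTABLISHED     2210
  TCP    192.168.1.10:5900      192.168.1.20:49152     ESTABLISHED     1504
  UDP    0.0.0.0:27015          *:*                                    2210
"""

# Constructed sample of `tasklist /fo csv /nh` output (process names are hypothetical).
TASKLIST_SAMPLE = '''"svchost.exe","932","Console","0","5,432 K"
"winvnc4.exe","1504","Console","0","6,120 K"
"hl2.exe","2210","Console","0","180,300 K"
"unknown_helper.exe","3101","Console","0","2,000 K"
'''

# Processes the operator knows should be listening on this box (constructed allow list:
# RPC endpoint mapper, the VNC server used for remote support, the game itself).
EXPECTED_LISTENERS = {"svchost.exe", "winvnc4.exe", "hl2.exe"}


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps IPv6 hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano`; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts  # UDP rows carry no State column
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def is_local_or_lan(host, lan):
    """True for wildcard, loopback, or an address inside the trusted LAN range."""
    if host in ("*", "0.0.0.0", "[::]"):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_loopback or ip in lan


def triage(netstat_text, tasklist_text, lan_cidr, expected_listeners):
    """Flag listeners owned by processes not on the allow list and established
    connections whose remote end is outside the LAN. Each finding is
    (kind, proto, local, foreign, pid, process_name)."""
    lan = ipaddress.ip_network(lan_cidr)
    names = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        name = names.get(row["pid"], "<no such process>")
        foreign_host, _ = split_endpoint(row["foreign"])
        listening = row["state"] == "LISTENING" or (row["proto"] == "UDP" and row["foreign"] == "*:*")
        if row["state"] == "ESTABLISHED" and not is_local_or_lan(foreign_host, lan):
            findings.append(("external_established", row["proto"], row["local"],
                             row["foreign"], row["pid"], name))
        elif listening and name.lower() not in expected_listeners:
            findings.append(("unexpected_listener", row["proto"], row["local"],
                             row["foreign"], row["pid"], name))
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "192.168.1.0/24", EXPECTED_LISTENERS):
        print(finding)
```

Run against the constructed samples it reports two findings: a listener on TCP 6123 owned by a process not on the allow list, and the game's established connection to 203.0.113.45. The second is expected while TF2 is running, which is the point of carrying the process name along with each socket: the analyst can dismiss the known game traffic and concentrate on the listener that nothing on the machine should have opened, then match that PID against the firewall exception list and the binary's location on disk.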