I think someone is connected to my father's laptop

rehab

My dad bought a used laptop off Amazon and says the mouse was moving around and opening folders. I believe him. I did install Bitdefender when he received it, but Windows was already installed. Is there an easy-ish app to monitor ports or verify whether any backdoors are open on this machine? Or, how would you go about securing it short of formatting/reinstalling?

thanks (my dad thanks you as well)
 
Yes, a clean install including reformatting the disk. And have a look at the partition table for any unwanted areas.

Check that you have the required software (OS, drivers) available upfront (in case of exotic hardware).
 
First, you should always have a network firewall and only allow the traffic you want to come in or out. With most network firewalls, you can inspect the traffic and depending on your level of expertise, it may be hard to identify the specific malicious traffic. That is why you always go with least privilege, only allowing what you want through.

But it is always a good idea when buying a used system to do a full wipe and fresh install of software you know is clean. If the laptop uses a standard HDD, then I would also use DBAN to overwrite it multiple times just to be sure you remove everything (the UBCD has many useful utilities you may wish to check out).
 
Never use a used computer without a full wipe (not just a reformat) and reinstall.

Use DBAN if it's a mechanical drive, or the manufacturer's disk wiping tool if it's an SSD. Then reinstall the OS from scratch.
 
If you want to play around, open up Task Manager, click that 'as admin' or 'show all processes' option, and look for/post the list of running stuff. One of those could be a hidden remote-control program like TightVNC or TeamViewer.
I would however start from scratch.

Do NOT visit any sites like your bank or facebook because the guy might be keylogging.
 
Google netstat.

Or Sysinternals TCPView.


But yeah. Ultimately, wipe it.
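The two posts above suggest eyeballing Task Manager for remote-control tools and using netstat or TCPView to see open connections. The following is an added example (not code from the thread) that does both in one pass on the suspect laptop: it lists every listening and established TCP connection together with the owning process, and flags process names commonly associated with remote-control software. The watch list of names and the "interesting ports" pattern are assumptions you should extend; it needs an elevated PowerShell on Windows 8/Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example, not from the original thread.
# Enumerate listening/established TCP connections with their owning process and
# flag names commonly used by remote-control software. Run elevated so process
# paths of other users' processes are readable.

# Assumed watch list of remote-control process names (lower case, no .exe); extend as needed.
$remoteControlNames = @('tvnserver', 'winvnc', 'vncserver', 'teamviewer', 'teamviewer_service',
                        'anydesk', 'ammyy', 'logmein', 'radmin', 'rutserv')

$conns = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $path = if ($proc) { $proc.Path } else { $null }
    [pscustomobject]@{
        State      = $c.State
        Local      = "$($c.LocalAddress):$($c.LocalPort)"
        Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
        PID        = $c.OwningProcess
        Process    = $name
        Path       = $path
        Suspicious = ($remoteControlNames -contains $name.ToLower())
    }
}

# Full picture, established (outbound "calling home") connections first.
$report | Sort-Object State, Remote | Format-Table -AutoSize

# Just the hits: watch-list names, plus anything listening on the usual VNC/RDP ports
# (5900/5800/3389 is an assumed list; a backdoor can of course use any port).
$report | Where-Object {
    $_.Suspicious -or ($_.State -eq 'Listen' -and $_.Local -match ':(5900|5800|3389)$')
} | Format-Table -AutoSize
```

Treat a clean result as weak evidence only: the listing is taken from the possibly compromised OS itself, and a process that does not show up (or shows a benign name and path) can still be the one holding the session. It is a quick sanity check before the wipe the thread recommends, not a substitute for it.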
 
It's most likely using outbound 443 to call home. Most people are not going to set up outbound firewall rules on a site-by-site basis, and will just allow all 80/443 outbound. So a firewall isn't going to help here; he'd need something like Untangle that looks at the actual traffic going in/out for known malicious packets/destinations.

And the only time you'd zero a HDD once/multiple times is if you are selling/disposing the drive and want to make sure the data is not recoverable. A regular format will be plenty for an OS reinstall, assuming all partitions get removed.
 
Check out TCPView. That is the easiest way to monitor open connections.


I also agree with wiping the PC. That is one thing I always do when I buy used PC/laptop.
 
Whatever you're doing on it to find/clean the malware, someone is watching you do it. Just format the drive and be done with it.
 
I never connect an 'unknown' computer to the LAN or Internet. I image the current install, not changing anything, and once I have that done, I inspect the system with the LAN disconnected and install something to freeze the configuration from any changes (like Reboot Restore, Deep Freeze, etc.). Then I connect it to an old router where the WAN port doesn't work but DHCP does and monitor what's attempting to go in and out of it. If it passes, I set it up, freeze its config, and let it join the pack on the LAN, still watching for any fishy activity.
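The post above monitors what the machine tries to reach while it sits on a router with no working WAN. As an added example (not part of the post), one way to get that "what is it attempting to send" view from the machine itself is to switch on Windows Firewall logging for allowed and blocked packets, then summarise outbound entries by destination. Nothing on the isolated LAN should be contacted except the router, so every other destination is a question to answer. The log path is the Windows default; the local subnet 192.168.1.0/24 and the constructed sample lines used when no log exists yet are assumptions.

```powershell
# Added example, not from the original thread.
# Step 1: log allowed and blocked packets for all profiles (needs an elevated shell).
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True -LogBlocked True -LogFileName $log -LogMaxSizeKilobytes 32767

# Step 2 (after leaving the box idle on the isolated router for a while):
# parse the log. Field order is the firewall's default:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#   tcpsyn tcpack tcpwin icmptype icmpcode info path      (path = SEND or RECEIVE)

# Constructed sample lines, used only if the real log is not there yet,
# so the parsing below can be tried without waiting.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-01-01 10:00:01 ALLOW UDP 192.168.1.50 192.168.1.1 51234 53 0 - - - - - - - SEND',
    '2024-01-01 10:00:02 ALLOW TCP 192.168.1.50 203.0.113.10 49500 443 0 - 0 0 0 - - - SEND',
    '2024-01-01 10:00:07 DROP TCP 192.168.1.50 203.0.113.10 49501 443 0 - 0 0 0 - - - SEND',
    '2024-01-01 10:00:09 ALLOW TCP 192.168.1.50 198.51.100.7 49502 5938 0 - 0 0 0 - - - SEND'
)

$raw = if (Test-Path $log) { Get-Content $log } else { $sample }
$lines = $raw | Where-Object { $_ -and -not $_.StartsWith('#') }

$entries = foreach ($l in $lines) {
    $f = $l -split ' '
    if ($f.Count -lt 17) { continue }          # skip truncated lines
    [pscustomobject]@{
        Time      = "$($f[0]) $($f[1])"
        Action    = $f[2]
        Proto     = $f[3]
        Src       = $f[4]
        Dst       = $f[5]
        DstPort   = $f[7]
        Direction = $f[16]                     # SEND or RECEIVE
    }
}

# Outbound attempts to anything that is not the local subnet, multicast or broadcast
# (192.168.1.0/24 is the assumed isolated LAN; adjust to the router you use).
$entries |
    Where-Object { $_.Direction -eq 'SEND' -and $_.Dst -notmatch '^(192\.168\.1\.|224\.|239\.|255\.)' } |
    Group-Object Dst, DstPort, Proto |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Repeated SEND attempts to one external address and port, or to DNS names the machine keeps resolving, are the "fishy activity" the post is looking for; note the destination, then look up the owning process with TCPView or Get-NetTCPConnection while the connection is being retried. As with any check run on the suspect machine, a component that tampers with the firewall or its log would not show up here, so the router-side view the post describes is the more trustworthy one.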
 