Got hacked, need advices

[dgianstefani]

Step one - air gap all of your devices. Turning off router works well.

Step two - use a known clean device such as a laptop, on a different network, to download a fresh copy of Windows 10, use Rufus to install it onto a known clean USB drive that has not been plugged into your infected system. Copy the latest BIOS version of your motherboard onto this USB once it's been configured as a 10 install drive.

Step three - use the BIOS menu of your system to purge/wipe/sanitise all connected drives.

Step four - update the BIOS using your USB.

Step five - Install Windows on the wiped clean PC

Step six - go online and install a password manger - bitwarden is good. Install your favoured browser and then add ublock origin and HTTPS everywhere. You can also use root level hosts file adblock with https://github.com/StevenBlack/hosts.

Step seven - change all your passwords with ones generated by the password manager.

Step eight - profit.

Rufus - Create bootable USB drives the easy way

Rufus: Create bootable USB drives the easy way

rufus.ie

 

[1freedude]

Ok, filter/smear out the numbers

 

[Count von Schwalbe]

Step 9 - install a known-good AV. I personally like ESET, but each to their own.

 

[Dux]

Step one - air gap all of your devices. Turning off router works well.

Step two - use a known clean device such as a laptop, on a different network, to download a fresh copy of Windows 10, use Rufus to install it onto a known clean USB drive that has not been plugged into your infected system. Copy the latest BIOS version of your motherboard onto this USB once it's been configured as a 10 install drive.

Step three - use the BIOS menu of your system to purge/wipe/sanitise all connected drives.

Step four - update the BIOS using your USB.

Step five - Install Windows on the wiped clean PC

Step six - go online and install a password manger - bitwarden is good. Install your favoured browser and then add ublock origin and HTTPS everywhere. You can also use root level hosts file adblock with https://github.com/StevenBlack/hosts.

Step seven - change all your passwords with ones generated by the password manager.

Step eight - profit.

Rufus - Create bootable USB drives the easy way

Rufus: Create bootable USB drives the easy way

rufus.ie

1. I have only this one crappy PC. Nothing else. But just in case, I moved the cat to other room because it started sneezing, so might of caught something over wi-fi. Idk.

2-5. I have win 10 bootable USB around for ages. Hasn't been plugged into this PC. But i can just plug that into PC while it's powered off and boot directly from it and format everything. It has also a BIOS for this motherboard on it. But not gonna go nuclear option if i can clean PC some other way.

6. Ublock i already had. HTTPS thing i had while back, gonna install again. Also installed Malwarebytes extension now. Passwords gonna keep offline.

7. Will make some up on my own

8. I'm broke.

 

[TumbleGeorge]

is that a smart idea? Showing your entire ipconfig publicly?

No personal information content there. It can't hurt you. Probably checking to see if ports were forwarded, but I doubt it was.

 

[Bill_Bright]

These passwords are much easier to be broken then more short variants with unpredictable combination of letters(big ans small), numbers, punctuation and other special characters.

I agree - as long as they are not too short. IMO, 8 characters is the absolute minimum for less important sites.

Will have to agree to disagree. Length as always been the most important attribute with any password.

No, sorry, that is wrong. Yes, length is important, but always "the most important"? Nope. "Hard to guess" has always been the most important. "Elizabethann" at 12 characters is a nice long password. But if Elizabethann is your daughter, then that would be easy to guess.

As soon as you start making the password too difficult to manage the human factor takes over trying to make it easier to deal with and the possibility of unintended disclosure increases.

Exactly!!! Which is precisely why the use of a password safe or manager is advised.

"Peter Piper Picked a Pepper at NewEgg"
"Peter Piper Picked a Pepper at ModMyMods"
"Peter Piper Picked a Pepper at TPU"

IMO, those are not good because, (1) they follow a pattern, and (2) and even worse, the pattern is too predictable. While long is good, there are no special characters or numbers. And Peter Piper is almost as famous as Mickey Mouse. It would not take that long for a bad guy and his cracker software to guess much after Peter P... . And then once he or she sees NewEgg, they likely will try the site name for other sites elsewhere because that fits your rather obvious pattern.

Patterns are bad.

For the ones that are important remember those by heart and make a secured backup.
For the ones not important use a password keeper if you want.

I say, make a strong password for your password manager and remember that. Do NOT write it down. Then use the password manager to store (and perhaps) generate all your others. I see no reason to remember more than one - the password manager PS.

Easy to remember is great - as long as it is near impossible to guess at the same time.

"Mary had a little lamb" would be easy to remember - but easy to guess too. "Fr@p had a b1g l!77l3 T03" would be pretty easy to remember, but really hard to guess.

 

[wNotyarD]

Think I'll go with Malwarebytes + Bitdefender combo from now on.

If you're willing to spend a little cash, Bitdefender alone may be all you need. I follow some security labs reviews some years already, and Bitdefender NEVER has anything but great scores.
Malwarebytes is known as a good malware buster, however it is maybe a little too trigger-happy. False positives aren't uncommon with it.

 

[A Computer Guy]

Easy to remember is great - as long as it is near impossible to guess at the same time.

I can agree with this statement.

 

[Vario]

These passwords are much easier to be broken then more short variants with unpredictable combination of letters(big ans small), numbers, punctuation and other special characters.

Yes, this type of password is vulnerable to dictionary attack

 

[TumbleGeorge]

Many years ago, it happened that the carelessness of the user, while installing some free applications, did not remove some checkmarks that were contained in the steps of the installation windows. They received a code redirecting to open certain pages. Often fake versions of trusted and visited places on the Internet. The path in the browser to open these pages was manipulated and they opened by default. This change essentially does not write any computer infection code. Accordingly, no such or external intervention in the system is detected, because such a change, whatever the home page when opening the browser, was allowed by the user.
Is possible to be something similar. Not real infection. But will see when OP share enough information.

 

[1freedude]

Thats exactly what Inwas about to say....check installed apps and progs. I think it's called smart screen...the security feature that looks for undesirable features

 

[A Computer Guy]

Patterns are bad.

Well I would say patterns aren't all bad. Avoid easily guessed patterns. If your password data is compromised the lack of a pattern will only delay the inevitable.
The reliance of special symbols in a password really gives a false sense of security in my opinion although I understand people use it to avoid easily guessed passwords.

 

[Dux]

No personal information content there. It can't hurt you. Probably checking to see if ports were forwarded, but I doubt it was.

NAh. I googled a bit. Advised not to share. Even the MAC address from ipconfig can be misused.

 

[1freedude]

Then, look at every interface and decide if it belongs.

 

[Dux]

Then, look at every interface and decide if it belongs.

Everything looks normal. No IP routing. No proxy.

 

[A Computer Guy]

No, sorry, that is wrong. Yes, length is important, but always "the most important"? Nope. "Hard to guess" has always been the most important. "Elizabethann" at 12 characters is a nice long password. But if Elizabethann is your daughter, then that would be easy to guess.

I'll concede a bit on that and say length and hard to guess are both extremely important.

 

[TumbleGeorge]

The reliance of special symbols in a password really gives a false sense of security in my opinion although I understand people use it to avoid easily guessed passwords.

Offtopic/ A random, non-symmetrical string composed of a mixture of normal and upper letters, various symbols and numbers is extremely complex. I have a relative who, as a hobby, not for criminal purposes, tries to hack passwords on private wireless networks. Even a single digit randomly placed in a password made up of a not particularly long common word like "ivangr1ozni" adds a decent amount of time to sifting through the possibilities. After all, he uses a simple 6-7 year old office laptop, not an array of supercomputers.

 

[1freedude]

Look at installed progs?

Look at router next

 

[Bill_Bright]

Well I would say patterns aren't all bad. Avoid easily guessed patterns. If your password data is compromised the lack of a pattern will only delay the inevitable.

Not sure I would know what a hard to guess "pattern" is - except in cryptography.

My greater concern, on top of the recommendation for the use of "Peter Piper" like patterns is the suggestion to use it repeatedly on multiple sites. We must remember that bad guys are not getting these passwords exclusively by hacking our computers. In many cases, they are successfully hacking corporation, government and other sites, then collecting that information.

As far as your "If" statement, sorry, but it makes no sense. If the password data is compromised, it's compromised. There's nothing to delay. They are going to copy & paste - not type it in.

For a little fun (that may, or may not be realistic): Password Strength Testing Tool | Bitwarden

 

[A Computer Guy]

Offtopic/ A random, non-symmetrical string composed of a mixture of normal and upper letters, various symbols and numbers is extremely complex. I have a relative who, as a hobby, not for criminal purposes, tries to hack passwords on private wireless networks. Even a single digit randomly placed in a password made up of a not particularly long common word like "ivangr1ozni" adds a decent amount of time to sifting through the possibilities. After all, he uses a simple 6-7 year old office laptop, not an array of supercomputers.

Consumer wireless networks is a perfect example of a system that allows one to pound it into submission.

 

[Vayra86]

You can build passwords around phrases with unique elements or in particular framed around context that makes sense to you.
For the ones that are important remember those by heart and make a secured backup.
For the ones not important use a password keeper if you want.

for example: pattern based
"Peter Piper Picked a Pepper at NewEgg"
"Peter Piper Picked a Pepper at ModMyMods"
"Peter Piper Picked a Pepper at TPU"

for example: context based
"NewEgg shipping is great except when it's not"
"Cool s*** at ModMyMods, look for deals daily"
"Fanboy battles at TPU never ending"


Not saying you should use the same password for all, that would be really bad in my opinion.

Eh, yeah you do you, if that gives you an illusion of better security.

I just have a single password for everything, well two or three in fact, and when prompted to renew I add or change numbers in it. Across all accounts I need to remember 2, maybe three versions of this password. That's nice because even if you forget you get a few attempts, its always a hit trying the last few you used.

Its pointless man. This whole process is automated, and the automation algorithms are tweaked to suit new tricks and old. You just don't know what kind of password is going to be safe or not. Its luck of the draw and a constantly evolving thing.

That's why there is 2FA. Manage your 2FA properly and keep your devices secure. Passwords are just for separating one account from the other these days, really.

If you really want to go hard on your password management, use KeePass or something instead. Anything else is total nonsense.

 

[Upgrayedd]

I feel like password managers are just a giant risk themselves.
Write your passwords on a piece of paper.


Make your passwords with made up words or slangs. Not ALL dictionary words. Dickshinary.

 

[Vayra86]

I feel like password managers are just a giant risk themselves.
Write your passwords on a piece of paper.


Make your passwords with made up words or slangs. Not ALL dictionary words. Dickshinary.

Head's the safest place, is my rationale as well when I consider password managers, its still an application on a device so at risk just the same. So I limit the complexity to my head capacity - or, what's left of it for a password among the numerous other accounts, codes, etc you have to remember.

The rest of the security issue is the business of service providers. I didn't make it up that everything has to happen online and my data is not 'mine' nor stored locally to use. Deal with it. That's why 2FA is great.

 

[DemonicRyzen666]

I'm betting it came from twitter.
Listening "level1tech show" makes me glad I don't use it anymore.

"tiny rant"
Social media is terrible
Seond it's just "virutal networking" there is nothing "social" about twitter facebook or any others. They're not "media" either That would inferer, it's 1. either entertainment or 2. a report of some kind with a reported giving you imformation. Social Media is none of these options.

what ever moron started calling it "social media" needs a

 

[A Computer Guy]

My greater concern, on top of the recommendation for the use of "Peter Piper" like patterns is the suggestion to use it repeatedly on multiple sites. We must remember that bad guys are not getting these passwords exclusively by hacking our computers. In many cases, they are successfully hacking corporation, government and other sites, then collecting that information.

Yea if your a high value target like a former president of the US (not talking about anyone in particular) the pattern example I gave probably isn't a good example because people will be specifically looking for your data. If your joe shmoo nobody is going to scan through bulk data looking for you and trying to identify your specific password pattern unless they have an axe to grind. Also a good system won't be storing your plain-text password either. So identifying the pattern "Peter Piper Picked a Pepper..." would be difficult and extremely cost prohibitive if the password is stored in a secure manner.

For a little fun (that may, or may not be realistic): Password Strength Testing Tool | Bitwarden

Thanks for the link I'll take a look

Eh, yeah you do you, if that gives you an illusion of better security.

That's why there is 2FA. Manage your 2FA properly and keep your devices secure. Passwords are just for separating one account from the other these days, really.

2FA is a good thing but then you have to keep your devices and recovery passwords secure.

If you really want to go hard on your password management, use KeePass or something instead. Anything else is total nonsense.

KeePass is nice


I'm a bit more chatty today than usual and might be getting off topic so I will end it here. I've enjoyed the chat.