While at the office this morning, I called my wife at home to check in... she immediately asks me if I am goofing around on the Home PC, to which I responded, "No." After convincing her that it was not me (as I do use VNC a bunch), she tells me that IE7 is up accessing www.paypal.com, and the PC is being remotely controlled.
I immediately jumped on VNC and logged in remotely to see what was going on. I found pspv.exe running, exposing a bunch of our Auto Complete passwords. In a panic, I quickly shut down the Home PC until I could get home to take a look. I then changed a bunch of our passwords at PayPal, eBaY, etc.
I looked the WindowsPrefetch folder and found the following interesting executables were run around that time:
1. pspv.exe
2. mailpv.exe
3. syslogger.exe
I read about pspv.exe and mailpv.exe on the Nirsoft website. I couldn't find any info on syslogger.exe.
My question is how could someone remotely access our PC to run these? Could it simply have been VNC? If so, how did they get our Public IP Address and learn the VNC password? Could it have been AIM (which was also running at the time)? What can I do to prevent this in the future?
Sorry for all the newbie questions! Thanks for any suggestions!
