Jump to content

Trojan.StolenData


Zim1

Recommended Posts

It appears that I have a Trojan of some sort.  I noticed some suspicious activity on my credit cards so I ran a MBM scan.  It found the following 41 files which I quarantined.  I deleted all my saved credit cards and passwords from Google Chrome but is there more that I should be doing?  I hate to have to re-format my drive but I will, if required.

Is it possible to tell what was stolen?

StolenData2.jpg

StolenData1.jpg

Link to post
Share on other sites

Hello Zim1 and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

I ran Malwarebytes and found the 41 files that are attached above.  I changed the settings to what you describe and it is running again.  I ran AdwCleaner and it found 3 things:

PUP.Optional.AnonymizerGadget   C:\Users\jznet\AppData\Roaming\AGData
PUP.Optional.Legacy             C:\Program Files (x86)\AnonymizerGadget
PUP.Optional.Legacy             C:\Users\jznet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
 

Link to post
Share on other sites

Thanks for those logs, continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your next reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Thanks Kevin,

 

Sophos scan was totally clean.  I'm trying to assess the damage of this.  Someone did try to log into some of my accounts and did try to use some of my credit cards.  They were not successful.  I have been cancelling credit cards and changing passwords.  If I had to guess, somehow they got access to the stored passwords and credit card info that Chrome caches?  That's my only guess because that's the only place on my computer where that info exists.

Do you think I need to do a full re-format of my hard drive?

Link to post
Share on other sites

All we see in FRST logs were remnants of a prior or failed infection, Regarding Chrome caches, those were emptied when we ran FRST fix, also same with other browsers and temp folders. As Sophos log is clean and prior logs do not show definite infection I would not believe a format/reinstall is needed. Obviously if you feel safer with that option then maybe it should be done.. Its your choice...

 

Edited by kevinf80
typing error
Link to post
Share on other sites

Hi Kevin,

Is there any way to know the extent of what was done?  Were they able to retrieve files off of my computer?  I have several spreadsheets with financial and password information.  Is there any way to know if those were compromised?  Or, was the virus more targeted at Chrome's caches?  Even though the trojan looks like it is gone, I am trying to assess what exactly what was done.

Link to post
Share on other sites

Hello Zim1,

It`s really hard to know exactly what was harvested from your system, it`s probably wise to assume all passwords were taken at the very least.. You mentioned changing passwords already, one point of note, never change passwords on a system known to be compromised. Either wait until the system is clean or change them from another known to be clean PC..

If you are still unsure of or cannot definitely trust this PC we are working on, a format and reinstall is the way to go. Obviously when the PC is back online and working correctly change all passwords once again....

Does that help you...?

Regards,

Kevin...

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.