
Possible Bank Account data stolen by spyware


Hello,

I work in the music industry as an engineer. Unfortunately, I have tried to find a version of a software that runs plugins for use in music production, but when I ran the file, it seemed like it didn't run, but it started downloading different sorts of items that infected my PC. It installed some sort of "anti-virus" named "Garbage Cleaner", and processes kept running in the background. I ran a scan with HitmanPRO, it found malware and spyware. I then ran Malwarebytes, the same, found "spyware data stolen". Could you look into it if my data has been breached so I can talk to my bank to freeze my accounts in case of this happening. I face losing a lot of money in case this happens.

Please, help.

Malwarebytes Report.txt FRST_30-04-2021 16.39.15.txt Addition_30-04-2021 16.39.15.txt


You have to look at all the lines found just after the Scan phase & then be real real sure to TICK each line for removal.

 

In Malwarebytes for Windows program, we want to do a special scan.

 

Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.

 

Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈

 

Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

 

You can actually click ( tick ) the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈


Then click on Quarantine selected.

 

Then, locate the Scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

We will do more, later. 


Please know that we here cannot know what was lifted from this system. Windows has no all-encompassing smart log that would show what bits of financial or password data were exfiltrated from here.

Microsoft Defender Antivirus did flag at least 2 trojans. I cannot tell whether now they might still be around.

But do notify your Bank & credit card accounts that you may possibly be at risk of identity theft.

Ask your Bank about putting a watch on your account.

I am presuming you do some banking online.

The following is just on 1 of 2 trojans.

Date: 2021-04-30 15:38:19

Description:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.

For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/ClipBanker.GD!MTB&threatid=2147775633&enterprise=0

 

Name: Trojan:MSIL/ClipBanker.GD!MTB

Severity: Severe

Category: Trojan.


Do you have a good BACKUP of your system from before this incident ?

If so, you may want to consider doing a restore from that backup.

Let me know what you decide.

Otherwise, perhaps you want to consider copying your personal files to a backup media that is offline & then wiping (erasing) this system. Then doing a new clean install of Windows & reinstalling all your programs.

Take some time to consider.

In the alternate, we can continue by doing many scans with different tools to see about removing infections.

By the way, it should be noted that Defender is having failed attempts during updates. As, apparently, is Windows Update.

Separately from all that, at some later point you need to change all passwords to new ones (to strong passwords) & use a password manager program.

Just do not do any password changes on this machine now while it is in a questionable state.

 

Let me know how you want to proceed.
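As an added example that is not part of the thread, the following PowerShell (run from an elevated prompt on the affected Windows 10 machine) reads Microsoft Defender's own records, so the two detections mentioned above and the failed-update remark can be checked from the machine itself instead of from a pasted log excerpt. It uses only the Defender cmdlets and event log that ship with Windows; the 7-day window and the event ID filter are choices made here for the example.

```powershell
# Added example (not from the thread): read Microsoft Defender's own record of
# what it detected and whether its signatures are current.
# Run from an elevated PowerShell prompt; the Defender cmdlets ship with Windows 10.

# 1. Signature and protection status. Signatures that are days old or
#    RealTimeProtectionEnabled = False are worth fixing before trusting any scan.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
    LastFullScanEnded  = $status.FullScanEndTime
} | Format-List

# 2. Every detection Defender recorded, with the file(s) involved and whether
#    its remediation action succeeded. A name such as the ClipBanker one quoted
#    above shows up here together with the path that triggered it.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 3. Map each ThreatID to its readable name and whether Defender still
#    considers it active (IsActive = True means it was not fully remediated).
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive |
    Format-Table -AutoSize

# 4. Signature-update failures (event ID 2001 in the Defender operational log)
#    over the last 7 days; this is the "failed attempts during updates" symptom.
#    -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when nothing matches.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

The value of section 2 and 3 is the pairing of ActionSuccess with IsActive: a detection whose action failed, or a threat still marked active, is the case the helper above says cannot be ruled out from the log alone and is the kind of result worth bringing back to a thread like this one.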


The Malwarebytes scan found no active threats.

As just an initial quick test, let's do what follows to see if 2 earlier threats are gone.

First: use option one of this article to set File Explorer to SHOW all files & folders 

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Then we want to use an Elevated Command Prompt to look for & remove, if found, 2 files.

This will not take a lot of time.

 

On the Windows taskbar , on the Windows search box, type in

 

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up, copy > paste the line in the code-box below into the command-window.

 

It is best to use COPY & Paste for the following 

 

del /s /q "%userprofile%\AppData\Roaming\7601092.exe"

 

Tap Enter-key to run.

Next. COPY & Paste for the following 

del /s /q "%userprofile%\AppData\Roaming\1938833.exe"

 

Tap Enter- key to run.

Next, use your mouse on the top bar of the Command window-box and then select all & then Copy

 

Then do a PASTE into a reply back here.
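As an added example that is not part of the thread, here is a PowerShell equivalent of the two del commands above that keeps a record before anything is deleted. The two file names and the Roaming folder are the ones named in the post; the log file location on the Desktop and the helper function name are assumptions made for this example. Its main addition over the original commands is that it handles the "not found" outcome explicitly and records a SHA-256 hash of anything it does find, so the sample can be looked up on virustotal.com afterwards.

```powershell
# Added example (not from the thread): find, record and remove the two files
# named in the post, logging each step. Log path is an assumed location.
$roaming = Join-Path $env:USERPROFILE 'AppData\Roaming'
$targets = @('7601092.exe', '1938833.exe')                        # names from the post
$logFile = Join-Path $env:USERPROFILE 'Desktop\removal-log.txt'  # assumed location

# Hypothetical helper: writes one timestamped line to the log and to the console.
function Write-Log {
    param([string] $Message)
    $line = "{0}  {1}" -f (Get-Date -Format s), $Message
    Add-Content -LiteralPath $logFile -Value $line
    Write-Output $line
}

foreach ($name in $targets) {
    # -Force so hidden/system attributes do not hide the file from the search;
    # -Recurse mirrors the /s switch of the original del command.
    $hits = Get-ChildItem -LiteralPath $roaming -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue

    if (-not $hits) {
        # The outcome the poster actually got ("Could Not Find ...").
        Write-Log "NOT FOUND  $name under $roaming"
        continue
    }

    foreach ($file in $hits) {
        # Record hash, size and creation time before deleting: enough to look the
        # sample up on virustotal.com or to show a helper what was on the machine.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Write-Log ("FOUND  {0}  size={1}  sha256={2}  created={3}" -f
                   $file.FullName, $file.Length, $hash, $file.CreationTime)

        Remove-Item -LiteralPath $file.FullName -Force
        Write-Log "REMOVED  $($file.FullName)"
    }
}

Write-Output "Log written to $logFile"
```

Run it from an elevated PowerShell window on the affected account, then paste the console output into the reply, the same way the cmd output is pasted in the next post. -LiteralPath is used throughout because the account name in the quoted output contains a space, and a hash recorded before deletion is the only thing that lets anyone identify the file once it is gone.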


Hello, Maurice! 

Thank you once more for being so quick with the replies. I have introduced in cmd.exe the commands you have hinted. 

C:\Windows\system32>del /s /q "%userprofile%\AppData\Roaming\7601092.exe
Could Not Find C:\Users\Ciupac Ionut\AppData\Roaming\7601092.exe

C:\Windows\system32>del /s /q "%userprofile%\AppData\Roaming\1938833.exe
Could Not Find C:\Users\Ciupac Ionut\AppData\Roaming\1938833.exe

 


I do not have a backup as I recently reinstalled everything on a new Windows, but besides preventing it from happening again, do these viruses work as a direct send of information to the database of the spyware "actor", or is there a mechanism that sends the information to the owner of the virus by what I press on the keyboard and then copying and filtering the info, or does it just read all information you introduced in different software? I ask this because as soon as I saw something was wrong with the file I downloaded, I immediately ran the HitmanPro and Malwarebytes apps. If you want, I could attach the file I tried opening if you wanna write it down in the system as a virus, or maybe look into it for security purposes.

 


Sorry, but I have no means to know what any of the threats did, nor how.

I also can't make use of any suspect file. You may if you wish upload suspect file to virustotal.com

 

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

 


Thanks for the report. I would remark that finding other trojans means we would have to do more scans later.

At this point, a special custom script to do more cleanup.

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / the Downloads one.

 

The custom script on this post is ONLY for this machine and NO other.   

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

Please save the (attached file named) FIXLIST.txt   to the  Downloads folder

 

Start Windows Explorer and then go to the Downloads folder.

 

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool...

click the More info line on that screen

and click the Run anyway button on the next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Fixlist.txt


This morning right after I got up from bed with the report I did a full reset. Reinstalled my software, drivers, updates from Windows, etc.

I should be safe from here, right? Or does it leave some kind of info behind by reset? I chose the full reset plan. It kept some of my drivers and files from my other partitions.


Hello. Thank you for the report.

Let's get a readout on some security status for some apps & for security in general.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows' SmartScreen blocks that with a message window, then

click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


  • 3 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

