
Stolen Discord account, I'm paranoid even after formatting


Jim29
Go to solution Solved by AdvancedSetup,


Hi,

My problem is really very similar to these two topics that I found while searching on the forum:
(Especially the second, because the thief seems to have been robbed by the creator of the executable!)
 


I was approached on discord by a stranger, who told me he had created a game. He said he was looking for people to try it.
He showed me a trailer, we talked about game-engine and in short ... I opened the .exe ....................... >.<
By contacting my account from a secondary account, the person on my account was claiming $ 500 from me.

The first thing I did was notify the admins of the servers where I am moderating (Official servers of Shiro Games).
Second, I checked if the tokens of my Discord bots had been changed. Luckily, they didn't think about it:
I was able to add a forEach() loop to my VPS files in order to leave the 230 servers, urgently.

About two hours later, I received a private message from a Turkish man posing as the thief.
He explains to me that the creator of the executable stole my discord account from him, before he received the logs.
He showed me on his screen share that he had access to my emails.
My password had not changed on my email, because I had activated the option "add a backup email". Luckily.
I changed my email password, and during this time the Turkish gave me back my steam account and... my paypal !
Strangely, he contacted discord support from my address before I picked it up.
An investigation is underway, I am awaiting the response from the discord support.

After reinstalling Discord, the Turkish man warned me that he continued to receive my ids, password, email... when I connected to it from fake accounts.
Two days ago, I attempted a full reinstallation of windows. But I'm scared now. I have tried several scanning and antivirus tools.

Is it possible to get some help from you, just to check ?


Jim.

Addition.txt FRST.txt malwarbytes.txt


  • Root Admin

Hello @Jim29 and :welcome:

The logs do not show any real signs of an infection but you do have too many antivirus programs installed.

AV: Kaspersky Free (Disabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}
 

Also, never change passwords from any computer or phone that you believe might be infected. You could be sending the new password to the attacker.

 

Please choose either Avast or Kaspersky and fully uninstall the other one.

Then whichever one you choose to keep go ahead and do a FULL system scan with it.

 

Then disable real-time protection and run the following scan as well.

 

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

  • Like 1

Hello again,

The Kaspersky scan really didn't find anything. During the MSERT scan it showed more than 20 detections:
While it was searching the Windows folder, it showed 4 detections, then more when it was searching my external HDD.
There is only one report in the msert logs... 🤔

Jim

msert.log


  • Root Admin

Hi there Jim,

Yes, that is normal for how the Microsoft scanner works. It's basically grabbing crumbs of file entries, registry entries, etc. Then it compiles a list and analyzes the metadata of all it's found to then decide if it's actually a threat or not.

What it found is not a threat; it's basically a default setting that was not set to default, so it put it back to default.

 

Please restart the computer. Then temporarily disable the Kaspersky real-time protection and run the following.

 

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 


When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks


👋

When I wanted to restart my PC by clicking on the Windows icon (Start menu) then on the "On / Off" button, nothing happened. I restarted it by doing ctrl + alt + del.
(Also, usually if I type on my keyboard when this window is open, search results appear. Here, nothing.)
Step 3: when I double-click on FRST64, there is a wheel under my mouse, then nothing happens. I am on the 64-bit version.

Jim

malwarbytes-05h37-27-12-21.txt


  • Root Admin
  • Solution

Since you really don't have a lot of data or customization to the computer yet. Perhaps doing a new CLEAN install would be the best way to proceed again just to ensure that all is good and safe.

 

I highly recommend following the advice from Greg. Though I personally don't care to use the Microsoft online ID and I choose to disconnect the network and create a Local account.

What do you think?

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/


  • Root Admin

No, a waste of time. There is nothing known that can survive simply deleting the partition except a BIOS/UEFI attack, but that is very difficult to pull off and rarely ever seen. In every case I've investigated there was no evidence found to show that. In most cases it simply turned out that users just did not understand how computers work and thought normal processes were somehow suspicious.

 

  • Thanks 1

  • Root Admin

You're quite welcome.

Once the computer has been cleanly installed please do install other 3rd party software etc.

Copy the Farbar program from backup or download a fresh copy and run that and post back the new logs please.

I'll check back on you again later.

Cheers @Jim29

 


  • Root Admin

Good day @Jim29

 

You have reinstalled CCleaner, which most computer experts do not recommend using. I would suggest that you consider uninstalling it.

 

System Restore is disabled. Please enable it and create a new System Restore Point

ATTENTION: La Restauration système est désactivée (Total:222.97 GB) (Free:162.66 GB) (73%)

 

 

You have some USB device that Windows 10 is having an issue with.

Name: Unknown USB device (device descriptor request failed)
Description: Unknown USB device (device descriptor request failed)
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB host controller)
Service:
Problem:: Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

 

 

 

Press Windows key + X

Click Command Prompt (Admin)

If only PowerShell is there you can run this from PowerShell as well

At the command prompt, enter the following command

slmgr.vbs -dlv

Hit Enter on your keyboard

A dialog will appear on screen

Take a screenshot of it and post in a Private Message to me

 

 

If you're comfortable updating your BIOS/UEFI please check for updates.

NOTE: Gigabyte does give a warning (as shown below), so if you are not 100% comfortable with updating your BIOS then do not do it. Updating is often for advanced users willing to take the risk of possible issues.


Warning:
Because BIOS flashing is potentially risky, if you do not encounter problems using the current version of BIOS, it is recommended that you not flash the BIOS. To flash the BIOS, do it with caution. Inadequate BIOS flashing may result in system malfunction.

 

 

Thank you

 

 


Hi,

I use CCleaner especially for its trial version, which offers to update the drivers. I sent you the screenshot in DM.
I created a restore point. For the unrecognized USB peripheral, I think it's my Sony portable speaker that charges on a USB port.
Although I have done some maintenance internships, I do not feel able to update my BIOS alone. I'm afraid of breaking everything.. 😁

Jim


  • Root Admin

Please see your Private Message response for Licensing. In many cases Windows 10 Home version can still be activated for free even today.

You've already been through an ordeal by someone attacking you. Don't use cracks or other methods as that can potentially lead to the same thing again.

 

  • Like 1

  • 3 months later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 
