Jump to content

Stealing Discord accounts/bypass authentication.


Recommended Posts

Hello! I'm still pretty new to this, so if I'm doing this wrong I apologize. I originally made a post here about the issue if it helps:
https://forums.malwarebytes.com/topic/284747-steals-discord-account-bypasses-2fa-and-other-authentication/

In short, ran an .exe that kicked me out of Discord. My account instantly had it's password changed and was beginning to send messages to other people, despite it having 2FA and SMS authentication. From what I understand the .exe was able to grab some kind of login token that can bypass security measures.

After what happened earlier I deleted what I downloaded, emptied the temp and prefetch folders, used CCleaner to empty other temporary files (including Edge and Chrome files), emptied the recycle bin, scanned with both Malwarebytes Premium (with the rootkit option as well) and SUPERAntiSpyware, used AdwCleaner, none of which found anything. Used system restore to go back to a point before I ran the infected .exe.

The reason I believe I'm still infected is because I made a new account with a new password, and it was quickly stolen as well. However, this time I was able to get the account back with a simple password reset. Up to and including this point I was using the desktop version of Discord. Since regaining the 2nd account I've used the browser version of Discord in Incognito mode and so far I haven't had trouble, so I'm guessing it only affects the desktop version, that or the fellow stealing accounts just hasn't bothered doing anything yet. The only other thing I can think of that may help in relation to the log files made by Farbar is that I downloaded and ran the infected .exe at roughly 3:30 AM EST yesterday, the 13th.

I haven't included a scan log from Malwarebytes since it doesn't pick anything up and takes 7+ hours to complete a full scan of the drive the infected .exe was on.

FRST.txt Addition.txt

Link to post
Share on other sites

  • Root Admin

Hello @EliasAuxilibus

Please uninstall Discord. Then run the following in he exact order provided and we'll see about getting you cleaned up.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 
Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

  • Like 1
Link to post
Share on other sites

Thanks for the quick reply! I followed the steps in order and, just like before, none of them picked anything up even though I've been affected. If it helps, I downloaded and ran the infected .exe at roughly around 3:30 AM EST on the 13th.

 

Attached are the logs for Malwarebytes, AdwCleaner, and FRST.

Malwarebytes.txt AdwCleaner[S00].txt FRST.txt Addition.txt

Link to post
Share on other sites

  • Root Admin

Please uninstall the following

  • CCleaner (computer experts no longer recommend this program)
  • Java 8 Update 281
     

 

 

Did you install and set this up on your own?

S3 Te.Service; C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF\Wex.Services.exe [187904 2017-09-28] (Microsoft Corporation) [File not signed]

S3 dc3d; C:\WINDOWS\System32\drivers\dc3d.sys [47616 2011-05-18] (Hardware Group Test Cert -> Microsoft Corporation) [File not signed]

S3 DSI_SiUSBXp_3_1; C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys [16384 2007-09-06] (Microsoft Windows Hardware Compatibility Publisher -> Silicon Laboratories)

S3 sscdserd; C:\WINDOWS\System32\drivers\sscdserd.sys [141384 2010-11-11] (MCCI Corporation -> MCCI Corporation)

R3 VKbms; C:\WINDOWS\System32\drivers\VKbms.sys [13824 2014-07-12] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)

 

I'm not saying they're bad but they are 10 years old or more for some of this stuff

 

 

  • Like 1
Link to post
Share on other sites

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

  • Like 1
Link to post
Share on other sites

56 minutes ago, AdvancedSetup said:

Please uninstall the following

  • CCleaner (computer experts no longer recommend this program)
  • Java 8 Update 281
     

 

 

Did you install and set this up on your own?

S3 Te.Service; C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF\Wex.Services.exe [187904 2017-09-28] (Microsoft Corporation) [File not signed]

S3 dc3d; C:\WINDOWS\System32\drivers\dc3d.sys [47616 2011-05-18] (Hardware Group Test Cert -> Microsoft Corporation) [File not signed]

S3 DSI_SiUSBXp_3_1; C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys [16384 2007-09-06] (Microsoft Windows Hardware Compatibility Publisher -> Silicon Laboratories)

S3 sscdserd; C:\WINDOWS\System32\drivers\sscdserd.sys [141384 2010-11-11] (MCCI Corporation -> MCCI Corporation)

R3 VKbms; C:\WINDOWS\System32\drivers\VKbms.sys [13824 2014-07-12] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)

 

I'm not saying they're bad but they are 10 years old or more for some of this stuff

 

 

I removed CCleaner (I didn't know it was no longer recommended. Thanks!) and used Java's uninstaller to remove Java. As for the things listed, I have no idea. Doesn't seem familiar, but I have a problem with memory loss.

 

Anyway, I ran the FRST fix option. Removed plenty of things, and I noticed that there was an error for rebuilding a performance counter if that matters.

Attached is the fix log.

Fixlog.txt

Link to post
Share on other sites

  • Root Admin

Thank you. The fix ran pretty well.

It found and fixed some issues as well related to the operating system.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Was this computer a new install of Windows 10 or was it upgraded from Windows 7 or 8 ?

 

Let me have you run the following scanner from Microsoft

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

  • Like 1
Link to post
Share on other sites

Heh, yeah, that took a little time. I started it within 20 minutes of your message and it just now finished 10 hours later. I looked at the log and I'm a little confused, because while it was scanning it said it picked up over 250 infected files, but the log only shows like a few dozen. Anyway, just wanted to say that I really appreciate you taking the time to help with this.

Oh, and for the question earlier, I upgraded this to Windows 10 from Windows 7. I've had this thing for a while, getting by with the occasional upgrade.

 

Attached is the MSERT log you asked for.

msert.log

Link to post
Share on other sites

  • Root Admin

Yes, it takes a while for full scans to run. Please restart the computer one more time. Then run another antivirus scan with ESET antivirus.

It too will probably be a long scan so maybe kick it off just before you go to bed.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

  • Like 1
Link to post
Share on other sites

Just finished up. Almost all of the detections were false positives, game cheats mainly through the service CheatHappens. However, one I did see of note was the very first one. There might have been more I didn't notice, honestly, but the first detection did stick out.

 

Attached is the log from ESET after it finished scanning/cleaning.

ESET.txt

Link to post
Share on other sites

  • Root Admin

Don't under estimate the potential threat from game cheats. Often that is how they get people to install them and in some cases bundle other things with it.

I'm away from the computer for most of the day. I will get with you tomorrow.

Thank you

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

  • Like 1
Link to post
Share on other sites

That's true about cheats, I've wondered about that. CheatHappens is a paid service, but they're not exactly nice people.

Anyway, I've ran into a slight problem. I was able to download it fine but couldn't run it until I turned Malwarebytes Premium off, so I don't know if that affected anything. Also I looked at the log and, while this is probably unrelated, there's some weird things. I uninstalled qBittorrent like four years ago and uninstalled Audacity a few months ago so I'm not sure what to make of those showing up. (also, to clarify, I'm not trying to pretend I know how things work when pointing log stuff out, just offering my own thoughts if it helps to put things in perspective somehow)

I'll see you whenever I see you, I'm not in a huge rush or anything especially considering you're volunteering to help (which I'm SUPER thankful for by the way!), and I know folks have lives outside of the internet. Take care and have a good day!

SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

Good day @EliasAuxilibus sorry for the delay, I was out of the office yesterday.

Please uninstall, update, or otherwise address the following as appropriate for your system.

 


---------------------- [ AntiVirusFirewallInstall ] -----------------------

Malwarebytes version 4.5.4.168 v.4.5.4.168 Warning! Download Update

 

--------------------------- [ OtherUtilities ] ----------------------------

Notepad++ (64-bit x64) v.8.2.1 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------

7-Zip 19.00 (x64) v.19.00 Warning! Download Update
Uninstall old version and install new one.


------------------------------- [ Imaging ] -------------------------------

IrfanView 4.58 (64-bit) v.4.58 Warning! Download Update


--------------------------------- [ P2P ] ---------------------------------

qBittorrent 4.3.5 v.4.3.5 Warning! Download Update


-------------------------------- [ Media ] --------------------------------
Audacity 3.0.5 v.3.0.5 Warning! Download Update

K-Lite Codec Pack 16.8.6 Standard v.16.8.6 Warning! Download Update


------------------------------- [ Browser ] -------------------------------

Opera GX Stable 83.0.4254.70 v.83.0.4254.70 Warning! Download Update

 

 

Once that has completed please restart the computer. Then download and run the following software and let me know if it finds items to update as well

 

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

Then restart the computer one more time, then click on Start / Search and type in "Check for updates" and allow Windows to scan for and install any updates found.

Let me know how things go

Cheers

 

  • Like 1
Link to post
Share on other sites

No need to apologize for doing other things or not being available 24/7. Like I said in my last post, I'm not in a rush or anything since you're just volunteering to help, which once again I'm very appreciative about. Thank you for taking the time out of your day to help out folks like me, it means a lot. You sure as heck are a lot more helpful than Discord support that "can't find" a payment I didn't authorize despite the me showing them the receipt.

Small rant aside, I've ran that updater you've shown and there's something odd. It's showing that SUPERAntiSpyware and Dropbox are outdated when they're actually up-to-date. However, it did show other programs that needed dealt with that I thought I had auto-updates enabled for, and it also helped me realize that some things I thought were uninstalled were still installed (like qBittorrent I thought I got rid of like 4 years ago).

Thanks for everything. Assuming there's not really much else to do, I'm going to make a dummy account for Discord and see if it gets stolen again.

Link to post
Share on other sites

Ah, makes sense. I honestly had no idea how that works. Anyway, I think I'm good. Account hasn't been stolen, and I was able to remove the programs I thought I did before (in short I just went about it wrong before I think. I have issues with confusion that kicks up at times).

Everything seems to be fine now, there's nothing else I need. Heck, things seem to be running a little smoother than before my PC was infected. I really appreciate what you do. Take care!

 

(Now if only Discord was as professional or competent as the folks here. I'm still fighting for a $105 refund and they "can't find" the purchase even with the receipt!)

Link to post
Share on other sites

  • Root Admin

Good day @EliasAuxilibus

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

Sure thing! Cleanup is done, and the log you asked for has been attached. I've already got a password manager, backup sorted out, Windows updates sorted, and I already have both Malwarebytes Browser Guard and uBlock Origin, but I double checked to make sure. Everything seems to check out, at least as far as I can tell.

kprm-20220318135655.txt

Link to post
Share on other sites

  • Root Admin

Great, all sounds good. You should be all set now.

Take care and stay safe out there. I'll go ahead and close your topic now and wish you well.

Have a great weekend

As an aside, you may want to take a look at this video and make up your own mind if you want to change any of these settings

Turn these Windows settings OFF!
https://www.youtube.com/watch?v=Yn9NNUFtVng

Cheers

 

Edited by AdvancedSetup
Updated info
Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.