Jump to content

persistent threats keep leading to compromised accounts


Recommended Posts

I've done most everything I can think of, and unless I can find help here I'm going to have to resort to booting into a liveboot and zeroing out my drives and going with a clean install.  To date the most recent things I've used are ESSET online which is reporting zero threats, malwarebytes which is reporting no threats, and windows defender.  No threats.  However, I know there is a breach as my work pc is shown as the device using my account to sell and make purchases on steam currently, with a connection to russia listed in my logins.  Prior to this is was amazon, gmail and more.  This all started with a security breach to two major sites, and me being the dummy I am, I was using the same password, or a variation of it, on nearly EVERYTHING.  Brilliant, yes?  Two months later I've scrubbed both this and my home system, changed all my passwords using a well respected password manager, and stayed on top of virus definitions and routine scans.   After this steam breach, I'm dismayed to find everything coming up clean.  I installed glasswire to inspect my traffic and low and behold I see logitech gaming sotware as my number two uploader of data.  I don't use logitech software.  So, while I'm certain this is probably not the only breach of security, it's one I know of.  I've managed to clear the directory down to one, nagging, pervasive, jerk of a file.  I've taken ownership, I've changed permissions in icacls, attempted to delete on boot, and no matter, this file remains.  I'll include the farbar scan results, just in case, but any help would be very appreciated.  I simply do not want to try to go through all my drives and try to pick what needs saving, all the while running the risk of bringing the infection along to a fresh install.  I know I need to change all my passwords again, but utill I'm clean, that's just a waste of time.  Please, help.  I'm losing my mind here.

Addition_27-03-2023 13.54.38.txt FRST_27-03-2023 13.54.38.txt

Link to post
Share on other sites

  • Root Admin

Hello @n0penoway

The logs don't indicate an obvious infection to account for your issue. We can do some general clean up, but if you have some long term ongoing issue then perhaps it is best that you follow a guide on how to do a Clean install of Windows to include removing all partitions.

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
  • Document passwords created and store them in a safe but accessible location.

 

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

I actually work in IT, so the clean install is no problem.  I was aware there were no glaring obvious issues, which is part of what was driving me crazy!  even the Logitech Gaming Software was coming up clean until I found a hybrid scan done in the replies on virus total.  It's legit scary how well it does it job.  Honestly, if not for the outgoing traffic I probably never would of caught it.  I'm going to live boot into clonezilla or something equally lightweight and mount up the windows partition and clean the file and directory that way.  As for the router, I have AT&T fiber for my ISP and they don't directly support using your own router or modem, therefor you're stuck using their 2 in 1.  I tried using my own box with pfsense in conjunction with theirs, however it just led to too many head aches and pretty significant reduction in speed (30% of my symmetrical gigabit was average throughput).  As for work, we use pfsense and they are secure as can be  hoped for.  I have suspicions that one of the cleaning crew that does our building is using physical access to create vulnerability.  Taking measures to verify and prevent any potential physical intrusion going forward.  I had basic measures in place, but a decent payload on a usb would leave me with my pants down so to speak.  Time to clean the known issues, change my passwords and monitor traffic some more watching for outliers.  I appreciate the speed in which you replied and took a look for anything that stuck out.  I'm sure you're all absolutely inundated with requests.  Keep up the good fight and wish me luck.  Thank you.

Link to post
Share on other sites

  • Root Admin

For future reference as well.

You can password protect BIOS / UEFI and disable USB and only enable when you want or need it.

 

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.