
Keylogger issue - clean confirmation


ello


Sooo, long story short: I've had a cheating tool for a game, the tool worked based on a monthly subscription, the owner ended up hating me and hard targeted me, and it seems like his tool had some kind of keylogger in it and gained access to the accounts of pretty much all game related platforms, Discord and so on (I know it was him since the location showing on the other connected device on Discord was the same as the known location of the tool's owner).

Changed passwords several times, did Malwarebytes scans, found 6 infections if I am not wrong (it's been a week since then so I am not very sure how many it was), 4 in $Recycle.bin, 1 uTorrent, 1 I forgot what it was. Quarantined + removed. Did another scan right away in safe mode, found 1 more infection again in $Recycle.bin, no other infections after that in all scans, both in normal mode and in safe mode, and reinstalled Windows about 2 times just to be safe.

I did get, 2 days later, a Discord message from an account made 3 months ago (probably just a fake Discord account of his), saying that he knows I reinstalled Windows, which could simply be a bluff since I was chatting with some friends that I would reinstall Windows while he still had access to that specific platform without me realising. I only owned an SSD, no HDD, so after that message, just to be safe, I have purchased a new SSD and a new USB stick, downloaded Windows on the USB stick from a different computer and pretty much now I have a fresh Windows on a fresh SSD. Did over 20 scans with Malwarebytes, Windows Malicious Software Removal Tool and Kaspersky Virus Removal Tool, been checking Task Manager processes and netstat -ano in Command Prompt at least 2 times per day for weird processes that I might find suspicious and all their IPs; all scans were clean and I wasn't able to find any weird process or IP. I also checked C:\$Recycle.Bin which apparently had 3 folders (recycle bin and 2 other folders that I was not able to access, which I have deleted and have not come back yet, been 2 days). So, so far from my own research I *should* be clean, the only "weird" thing happening being my second monitor's screen flickering a little pretty frequently while watching YouTube, but that might be because while changing SSD I also disconnected my GPU and it might not be connected back properly; will have to check that. Also checked with Process Explorer, TCPView and Security Task Manager, but again did not find anything suspicious.

Actually the Malwarebytes tray icon was not showing for several days and neither in Startup in Task Manager, but I fixed that by logging out of the Windows user from Start -> click on user -> Log off.

I would like some "expert" advice to make sure that I am indeed totally clean. I am pretty bad when it comes to tech stuff, so I don't know the possibility of a keylogger existing in my BIOS or if there is any other way for it to survive after changing my SSD (again, did not own any HDD, just an SSD that I already changed).

Please let me know if everything should be all right and/or what other scans I should/could do.

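The manual "Task Manager + netstat -ano" routine described above can be made repeatable and less error-prone. The following is an added example written for this thread, not a tool from the post or from Malwarebytes; it lists established TCP connections with their owning process, on-disk path and Authenticode status, and flags rows that merit a second look (a `remote` flag alone is normal for browsers and updaters; the combination with an unsigned binary or an unusual path is what matters). The path patterns it checks are assumptions chosen from the locations the post mentions.

```powershell
# Added example (not from the original post): repeatable version of the manual
# "task manager + netstat -ano" check. Run from an elevated PowerShell prompt so
# process paths of all users are readable.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local and IPv6 local ranges are not "remote".
    return $Ip -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:|fc|fd)'
}

$report = Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path
    # Signature status of the executable behind the connection (Valid / NotSigned / ...).
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    $flags = @()
    if (-not (Test-PrivateAddress $_.RemoteAddress))              { $flags += 'remote' }
    if ("$sig" -ne 'Valid')                                       { $flags += "sig:$sig" }
    if ($path -and $path -match '\\(Temp|Downloads|Public)\\')    { $flags += 'odd-path' }
    if ($path -and $path -match '^C:\\\$Recycle\.Bin\\')          { $flags += 'recycle-bin' }

    [pscustomobject]@{
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Path    = $path
        Flags   = ($flags -join ',')
    }
}

# Flagged rows first, then everything else; keep a copy to attach for a helper.
$report | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
$suspects = @($report | Where-Object { $_.Flags -ne '' })
Write-Host ("{0} connection(s) worth reviewing." -f $suspects.Count)
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\connections.csv"
```

Run it a few times across the day and compare the CSV files; a process that keeps a connection open from a temp or recycle-bin path, with no valid signature, is the kind of entry to bring to a helper rather than remove by hand.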

3 minutes ago, ello said:

Please let me know if everything should be allright and/or what other scans i should/could do.

While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions: Do not try any other cleaning of any kind after running the support tool. Use the computer as little as possible, or even better don’t use it at all except to check this topic and follow the instructions given.

First, Restart the computer.

Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


As a little additional information, I managed to find photos of the scans that I have done previously myself, right on the day I found out I was infected. The history shows 6 infections, 5 during the first normal mode scan, the 6th being found in safe mode; no other infections were found by the next scans.
And again, this was before, ~10 days ago, while still having the old SSD. I did not perform any other scans since the last message; it's just that I remember I had those photos and it might give a little insight on what I was infected with.

[Two attached screenshots of the Malwarebytes scan history]


  • Root Admin

Hello and welcome @ello

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Sorry to say, but unfortunately you see why using hacks, cracks, keygens, and stealing software in general can often lead to problems.

Personally I would not even try to repair Windows. I would back up any personal data to an external USB drive.

Then do a CLEAN install of Windows 11. You have a new enough system that you should be able to install Windows 11.

 

BIOS: American Megatrends Inc. F4 09/04/2019
Motherboard: Gigabyte Technology Co., Ltd. X570 AORUS ELITE

 

Enable Secure Boot in your UEFI / BIOS

During the install process DELETE ALL PARTITIONS

Follow the advice from the following article, but DO NOT, I repeat DO NOT, use a Microsoft Online account. Install Windows using a LOCAL ACCOUNT ONLY.

 

DO NOT install ANY 3rd party software at all until the computer is 100% up to date with ALL Microsoft security updates, etc.

Once Windows is installed and has ALL Windows Updates and NO 3rd party software let me know and we'll check the status and help you further.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11

 


Recovery options in Windows
https://support.microsoft.com/en-us/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5#WindowsVersion=Windows_11

 

 


  • Root Admin

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you @ello


  • Root Admin

Good day @ello and thank you for the logs

 

[ 1 ]

These entries are not default installs. These are add-on extensions for Microsoft Edge and 3rd party.

 

Edge Extension: (Google Docs Offline)

Edge Extension: (Edge relevant text changes)

 

We will assume that there is no harm in having them though.

 

 

[ 2 ]

The system installed Spotify on the computer. If you're not actually using it I would recommend that you uninstall it.

 

[ 3 ]

Your current DNS Servers: 192.168.0.1

Please consider changing your default DNS server settings. Please choose one provider only.

DNS is what lets users connect to websites using domain names instead of IP addresses.

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6.

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 4 ]

If you're not using and do not plan on using Microsoft OneDrive then I would recommend that you uninstall it.

In and of itself MS OneDrive is safe, but I'm just not a fan of having more data in the Cloud than one has to. Every week there is another large company that has had their data in the Cloud compromised. Microsoft themselves are not immune to attack.

However, you should most definitely set up a backup routine to an external USB drive to keep your data backed up. Make sure the USB drive is only connected for backups. Once the backup has completed, disconnect it.
The reason to disconnect is that if the computer were to get attacked they would not be able to attack your backups. Never connect the backup if you have any reason to believe you might be infected. Clean the computer first.

 

[ 5 ]

You are running BIOS F4 on your system from 2019

BIOS: American Megatrends Inc. F4 09/04/2019
Motherboard: Gigabyte Technology Co., Ltd. X570 AORUS ELITE

 

There appears to have been more than a dozen updates to the BIOS since then.

I would contact Gigabyte Support and ask for advice on updating the BIOS or do the research on your own.

Update F36 itself addressed security issues in Jan 2022 and they're now up to F38f BIOS level.

 

[ 6 ]

Please run the following Microsoft antivirus scanner.

NOTE:  It is normal for the Microsoft Safety Scanner to show detections during the scan process.
That is not a sign of infection

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands ..... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

NOTE:  It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

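The DNS change in item [ 3 ] above needs both an IPv4 and an IPv6 pass when done through the Windows GUI. The following is an added example (not from the post or from Malwarebytes) that does both passes in one step on the active adapter and then verifies that the router address the log showed (192.168.0.1) is no longer configured; it assumes the Google Public DNS pair from the post and an elevated PowerShell prompt.

```powershell
# Added example (not from the forum post): set one DNS provider for IPv4 and IPv6
# on the active physical adapter, then verify. Google Public DNS addresses are the
# ones listed in the post; substitute another provider's pair if preferred.
# Run from an elevated (Administrator) PowerShell prompt.

$DnsServers = @(
    '8.8.8.8', '8.8.4.4',                           # IPv4
    '2001:4860:4860::8888', '2001:4860:4860::8844'  # IPv6
)
$RouterAddress = '192.168.0.1'   # current DNS server from the posted FRST log

# Pick the adapter that is actually up, skipping virtual adapters.
$adapter = Get-NetAdapter |
    Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual } |
    Select-Object -First 1
if (-not $adapter) { throw 'No active physical network adapter found.' }

Write-Host "Before, on $($adapter.Name):"
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses | Format-Table -AutoSize

# A mixed IPv4/IPv6 list in one call replaces both families' server lists
# for this interface, which is the "two passes" the post describes.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers

# Drop cached answers so the new resolver is used immediately.
Clear-DnsClientCache

Write-Host 'After:'
$after = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex
$after | Select-Object InterfaceAlias, AddressFamily, ServerAddresses | Format-Table -AutoSize

# Confirm nothing still points at the router.
if ($after.ServerAddresses -contains $RouterAddress) {
    Write-Warning "Router address $RouterAddress is still configured as a DNS server."
} else {
    Write-Host 'DNS now points only at the chosen provider.'
}
```

If the adapter later reverts to the router address, DHCP on the router is re-supplying it; the same change then belongs in the router's own DNS settings.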

The Edge extensions were probably auto installed.

Uninstalled Spotify and OneDrive.

I will consider updating BIOS, did not do it until now since, at least from what I know, it's a little dangerous if you're unskilled.

Changed DNS to the Google one. From what I understood it's only mostly for faster speeds, right? Which DNS server would you recommend from the 4 that you mentioned?

I will return with the logs of the scan after it is completed.


  • Root Admin

Google Public DNS is a good choice overall.

Often, using your ISP, they may not have a listing of all the websites or they may not block out known infected sites. Thus these other mainstream DNS providers are considered faster, better, and safer than many others.

Yes, in the past a BIOS update was dangerous. Today it's pretty rare to have an issue. But since you're so many versions behind there may be a special set of updates you need to perform first. That's why I suggested seeking help directly from Gigabyte Support or on their Forums.


  • Root Admin

Great, that's good.

Now, please run the following.

 

Please download the following tool and run it on the computer with the issue:

Farbar Service Scanner
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 


  • Root Admin

Great, that looks good too.

NOW. What I would recommend is using a backup program like Macrium Reflect (we can get you the free installer still if you're interested) and making a full image backup of the current system to an external USB drive.

Then you'll have a backup of the system the way it is exactly now, and you can safely start to slowly reinstall other software and configure customization as wanted.

 

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

 

Do not overwrite or modify the Macrium Reflect master backup image. If you want to make a new backup at some point, start a new image for that.

 

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


  • Root Admin

If you own your own router and are not renting it from your Internet Service Provider:

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK: TCP and UDP ports 135 to 139, 445, 1234, 3389, 5555 and 9034
  • Document passwords created and store them in a safe but accessible location.


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
