
Passwords got stolen #222

Closed
wizo99 opened this issue Sep 12, 2023 · 4 comments
Comments

@wizo99

wizo99 commented Sep 12, 2023

Welcome!
Thank you for joining the VIRUSNET association support section.

BEFORE ASKING FOR HELP, READ THESE INSTRUCTIONS CAREFULLY:

Step 1: Show us the required logs (for PC cure only):

Step 2: Describe your problem in detail:

  1. What did you do before the problem occurred: installed an .exe from www - expected program was not installed
  2. What programs (browsers) are affected by the problem: stolen passwords from google chrome
  3. Steps to reproduce: _________________
  4. Expected behavior: _________________
  5. If applicable, add screenshots to help explain your problem.
@wizo99 wizo99 added the Cure PC label Sep 12, 2023
@dragokas
Owner

Hi,
thank you for the log.
We'll return to you as soon as possible.

Please note that only members of VIRUSNET-Association are allowed to respond to PC cure topics.
Ignore any recommendations given by other users, including by PM!!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form, or you can leave feedback in the Guestbook.

@akokSZ

akokSZ commented Sep 12, 2023

Hello, I'm using an online translator, so there may be errors. If something is unclear, please ask.

Right now, there are two pieces of news.

  1. After the theft of passwords, the malware most likely self-destructed.
  2. Now, you will need to go through your online services and check the settings (backup addresses, phone numbers, etc.). Attackers may have left backdoors for a potential account breach.

"Fix" in HijackThis:

O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06FEF118-1E47-4CD0-8CA1-3F23A5249FEF} - \OneDrive Standalone Update Task-S-1-5-21-3694354457-3490745333-3309742090-500 (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{105D676A-D551-4274-81E7-97AC52E4FD87} - \Microsoft\Windows\Speech\HeadsetButtonPress (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1949073A-8FDA-4EA4-8E59-407CDB02440F} - \Microsoft\Windows\WindowsUpdate\sihpostreboot (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{704F2869-5713-4DE8-962D-149957B7C03E} - \NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7B2D75C-85D7-46F8-AE60-24BBC424140C} - \Lenovo Power Management Driver PnP Task (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9D12534-24D4-4A67-9B9E-8E4BF096068D} - \Microsoft\Windows\SMB\UninstallSMB1ServerTask (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBFB6BE6-9828-4121-A91C-8ADE8B6B1C36} - (no key)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBFB6BE6-9828-4121-A91C-8ADE8B6B1C36} - \Microsoft\Windows\Management\Provisioning\PostResetBoot (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E96E9715-FA22-4BD4-A524-B83E939842E5} - \NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} (no xml)
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EDFB5CA4-0633-40DD-A2A1-6B82624AD85B} - \Microsoft\Windows\SMB\UninstallSMB1ClientTask (no xml)

Download the [Farbar Recovery Scan Tool](https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.

Note: You need to choose a version that is compatible with your operating system. If you're unsure which version is suitable for your system, download both and try running them. Only one of them will run on your system.

Run the program. When the program starts, click "Yes" to agree to the warning.

Click the "Scan" button.

After the scan is complete, reports named FRST.txt and Addition.txt will be created in the same folder where the program was launched. Attach these reports to your next message.
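As an added example (not code from this thread, nor from the HijackThis+ project), the following PowerShell script reproduces the kind of check behind the O22 "(damaged)" lines above: it walks the Task Scheduler cache in the registry and reports registrations whose XML definition under System32\Tasks, or whose Tree entry, is missing. It assumes an elevated PowerShell session on Windows and the standard TaskCache layout (Tasks\{GUID} keys with a Path value, Tree\<path> keys with an Id value); the labels 'no xml' and 'no key' are my own, chosen to match the log's wording. It only reports; it deletes nothing, so it is safe to run before deciding what to fix.

```powershell
# Added example, not from the thread or HijackThis+. Lists scheduled-task registrations
# in the Task Scheduler cache whose backing XML file or Tree entry is missing, which is
# the condition reported above as "(no xml)" / "(no key)" in O22 lines (my reading of
# the log, stated as an assumption). Run from an elevated PowerShell on Windows.

$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$tasksDir  = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-DamagedTaskCacheEntry {
    [CmdletBinding()]
    param()

    # Every registered task has a Tasks\{GUID} key; its Path value names the task
    # (e.g. \Microsoft\Windows\SMB\UninstallSMB1ServerTask). The same path should
    # exist as an XML file under System32\Tasks and as a Tree\<path> key whose Id
    # value points back at the GUID.
    Get-ChildItem -Path (Join-Path $cacheRoot 'Tasks') -ErrorAction Stop | ForEach-Object {
        $guid     = $_.PSChildName
        $taskPath = (Get-ItemProperty -Path $_.PSPath).Path

        if ([string]::IsNullOrEmpty($taskPath)) {
            # Registration exists but carries no Path: nothing to map it to.
            [pscustomobject]@{ Id = $guid; Path = $null; Problem = 'no key' }
            return
        }

        $relative = $taskPath.TrimStart('\')
        $xmlFile  = Join-Path $tasksDir $relative
        $treeKey  = Join-Path (Join-Path $cacheRoot 'Tree') $relative

        $problems = @()
        if (-not (Test-Path -LiteralPath $xmlFile)) { $problems += 'no xml' }
        if (-not (Test-Path -LiteralPath $treeKey)) {
            $problems += 'no tree key'
        } elseif ((Get-ItemProperty -LiteralPath $treeKey).Id -ne $guid) {
            $problems += 'tree Id mismatch'
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Id = $guid; Path = $taskPath; Problem = ($problems -join ', ') }
        }
    }
}

# Report only; compare the output against the O22 lines before fixing anything.
Get-DamagedTaskCacheEntry | Sort-Object Path | Format-Table -AutoSize
```

Orphaned registrations like these usually come from software that was removed without unregistering its tasks (the Lenovo and NVIDIA entries in the log fit that pattern), so a listing alone does not prove compromise; the value of the check is that the set of damaged entries can be compared against what the log shows, and any newly appearing entry with an unfamiliar path stands out.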

@akokSZ

akokSZ commented Sep 12, 2023

I don't see any malicious software in the logs right now. Did the built-in antivirus find anything?

Let's clean up after ourselves. To automatically remove all files and folders created by FRST, including the tool itself, rename FRST/FRST64.exe to "uninstall.exe" and run it. This procedure requires a reboot.

To search for outdated or vulnerable software, you can use the following resource: link.

@wizo99
Author

wizo99 commented Sep 14, 2023

No, nothing found. When it happened, I installed Windows fresh, but a few days later.

Many thanks for your help!

@wizo99 wizo99 closed this as completed Sep 14, 2023