
Potential keylogger infection from Steam


3 replies to this topic

#1 deepfreeze12 (Members, 2 posts)

Posted 03 December 2015 - 12:13 PM

Hello guys, and nice to meet the community here,

Today I received a message on Steam from a random person who had been in my friend list for quite some time (maybe a month or so). He wanted to play a competitive game in CS:GO in which we could win some skins even if we lost, so he asked me if I wanted to join "their team". I said alright, sure, why not. His profile seemed legit: level 10 on Steam, 500+ hours on CS:GO, 50 or 60 friends in his list, you get the point. After that he wanted me to go to msi-fire, which also seemed like a legit site, until I was stupid enough to click on "Client download", at which nothing happened. Then I was kicked out of my Steam and it wanted me to log in again. Good thing I had Steam Mobile Guard, so you can't log in without me confirming on mobile. Then I immediately knew what had happened, that most probably I'd gotten a keylogger, so I immediately proceeded to scan my computer. Then all of a sudden everything on my desktop disappeared (my icons and my taskbar) and I got a window that wanted me to enter some random password requested by the "Administrator", or something like that. Then, in the moment of "oh sh*t", I immediately turned off my PC by holding the power button. After that I immediately rebooted in Safe Mode and used Malwarebytes (which found 3 things that I deleted, but they were from a driver updater program so I don't think that's the problem); after that I performed a full scan with Microsoft Security Essentials (which didn't find anything). After that I downloaded and scanned with Wipe, System Ninja, Junkware Removal Tool and AdwCleaner, which all found some old temp stuff that they deleted, but I think no real threats. After that I downloaded Hitman Pro x64 and performed a scan, which found a file with the name of the site I visited (msi-fire!!!), but it almost immediately disappeared, and I don't know if it got deleted or anything. It didn't say in the results.
So I had one last thing to do: get the ESET Online Scanner, with which I performed a full scan of everything, and it found 7 infected files; 1 of them even has the Steam name in it!!! So here are some of the results:

 

ESET Online Scanner:

C:\Program Files (x86)\Steam\COMCTR32.dll Win32/PSW.Steam.NEH trojan cleaned by deleting - quarantined
C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting - quarantined
D:\Utility\Programs\ccsetup510.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
D:\Utility\Programs\CrystalDiskInfo6_5_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
D:\Utility\Programs\CrystalDiskMark5_0_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
D:\Utility\Programs\DAEMON Tools Lite 4.49.1.0356.exe Win32/DownWare.L potentially unwanted application deleted - quarantined
D:\Utility\Programs\SetupImgBurn_2.5.8.0.exe Win32/OpenCandy potentially unsafe application deleted - quarantined

Edited by deepfreeze12, 03 December 2015 - 12:16 PM.
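The ESET result lines above answer the question that comes up later in the thread (which of the seven findings actually matter), and a small triage script makes the distinction explicit. The following is an added example, not part of the original post and not an ESET tool: it parses ESET Online Scanner result lines of the form "path detection-name category action" (the only format assumed here is the one visible in the post), then ranks them. The ranking is my own heuristic: anything ESET categorises as a trojan, or whose family starts with PSW (ESET's prefix for password stealers), is treated as an active compromise; the OpenCandy/Bundled/DownWare families seen in this log are installer bundlers and are inert files until the installer is run again; everything else is a tool to review. The sample input is the seven lines copied from the post.

```python
import re
from dataclasses import dataclass

# Result lines copied from the ESET Online Scanner output in the post above.
ESET_LOG_LINES = [
    r"C:\Program Files (x86)\Steam\COMCTR32.dll Win32/PSW.Steam.NEH trojan cleaned by deleting - quarantined",
    r"C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting - quarantined",
    r"D:\Utility\Programs\ccsetup510.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined",
    r"D:\Utility\Programs\CrystalDiskInfo6_5_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined",
    r"D:\Utility\Programs\CrystalDiskMark5_0_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined",
    r"D:\Utility\Programs\DAEMON Tools Lite 4.49.1.0356.exe Win32/DownWare.L potentially unwanted application deleted - quarantined",
    r"D:\Utility\Programs\SetupImgBurn_2.5.8.0.exe Win32/OpenCandy potentially unsafe application deleted - quarantined",
]

# Category strings exactly as they appear in this log; extend if your scanner output differs.
CATEGORIES = ("trojan", "potentially unsafe application", "potentially unwanted application")

# Path may contain spaces, so it is matched lazily up to the first "Platform/Family" token.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9._-]+)\s+"
    r"(?P<category>" + "|".join(re.escape(c) for c in CATEGORIES) + r")\s+"
    r"(?P<action>.+?)\s*$"
)

# Assumption: these families (the ones present in this log) are installer bundlers, i.e.
# adware wrapped around a legitimate setup program, harmless until the installer is run.
BUNDLER_FAMILIES = {"OpenCandy", "Bundled", "DownWare"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    path: str
    name: str
    category: str
    action: str
    severity: str
    reason: str


def parse_eset_line(line):
    """Split one result line into path/name/category/action, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path, name, category):
    """Return (severity, reason) using the heuristic described in the lead-in."""
    family = name.split("/", 1)[1]      # "PSW.Steam.NEH" from "Win32/PSW.Steam.NEH"
    root = family.split(".", 1)[0]      # "PSW"
    if category == "trojan" or root == "PSW":
        reason = "trojan (PSW = password stealer in ESET naming): treat as an active compromise"
        if "steam" in (path + name).lower():
            reason += "; tied to Steam, so change the Steam password and review authorized devices"
        return "high", reason
    if root in BUNDLER_FAMILIES:
        return "low", "adware bundled in a downloaded installer; inert unless the installer is run"
    return "medium", "potentially unsafe tool (activator/hack tool or similar); review whether you installed it deliberately"


def triage(lines):
    """Parse every line, classify it, and return findings ordered most severe first."""
    findings = []
    for line in lines:
        fields = parse_eset_line(line)
        if fields is None:
            continue  # skip headers or lines in a format we do not recognise
        severity, reason = classify(fields["path"], fields["name"], fields["category"])
        findings.append(Finding(severity=severity, reason=reason, **fields))
    # sort() is stable, so log order is preserved within each severity tier
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


def report(findings):
    """Render findings as one printable line pair each."""
    return [f"[{f.severity.upper():6}] {f.name:<32} {f.path}\n         {f.reason}" for f in findings]


if __name__ == "__main__":
    for entry in report(triage(ESET_LOG_LINES)):
        print(entry)
```

Run against the seven lines it yields one high (the DLL in the Steam directory), one medium (the KMS activator) and five low (bundled installers on the D: drive). The point of the tiers is that quarantined installer files on a data drive are a cleanup question, while a trojan DLL planted inside an application directory is the one finding that says the machine and the Steam account were actually compromised.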




#2 RolandJS (Members, 4,539 posts, Austin TX metro area)

Posted 03 December 2015 - 12:20 PM

Great job! If you want to run one more thing: Emsisoft has the Emsisoft Emergency Kit [EEK]; heard it's pretty good.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 deepfreeze12 (Topic Starter, Members, 2 posts)

Posted 03 December 2015 - 12:22 PM

Thanks for the quick reply! I will definitely try that too... The thing is... Should I delete all the stuff ESET found and quarantined, or should I leave it as is? I'm thinking of deleting everything, just to be sure... Though I don't know if that's the right thing to do.



#4 RolandJS (Members, 4,539 posts, Austin TX metro area)

Posted 03 December 2015 - 12:30 PM

If you delete the flagged-infected files, you might have to reinstall the programs associated with those files.






