Hello guys and nice to meet the community here,
Today I received a message on Steam from a random person who had been in my friend list for quite some time now (maybe a month or so). He wanted to play a competitive game in CS:GO in which we could win some skins even if we lost, so he asked me if I wanted to join "their team". I said alright, sure, why not. His profile seemed legit: level 10 on Steam, like 500+ hours on CS:GO, he had 50/60 friends in his list or so, you get the point. After that he wanted me to go to msi-fire, which also seemed a legit site, until I was stupid enough to click on the "Client download", at which nothing happened. Then I got kicked out of my Steam and it wanted me to log in again. Good thing I had Steam Mobile Guard, so you can't log in without me confirming on mobile. Then I immediately knew what happened, and that most probably I'd gotten a keylogger, so I immediately proceeded to scan my computer. Then all of a sudden everything on my desktop disappeared (my icons and my taskbar) and I got a window which wanted me to enter some random password wanted by the "Administrator", or something like that. Then, in the moment of "oh sh*t", I immediately turned off my PC by holding the power button.

After that I immediately rebooted in safe mode and used Malwarebytes (which found 3 things I deleted, but they were from a driver updater program so I don't think that's the problem). After that I performed a full scan with Microsoft Security Essentials (which didn't find anything). After that I downloaded and scanned with Wipe, System Ninja, Junkware Removal Tool, AdwCleaner, which all found some old temp stuff that they deleted, but I think not any real threats. After that I downloaded Hitman Pro x64 and performed a scan, which found a file with the site name I visited (msi-fire!!!), but it almost immediately disappeared, and I don't know if it got deleted or anything? It didn't say in the results.
So I had one last thing to do - get the ESET Online Scanner, with which I performed a full scan of everything, and it found 7 infected files - 1 of them even has the Steam name in it!!! So here are some of the results:
ESET Online Scanner:
C:\Program Files (x86)\Steam\COMCTR32.dll Win32/PSW.Steam.NEH trojan cleaned by deleting - quarantined
C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting - quarantined
D:\Utility\Programs\ccsetup510.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
D:\Utility\Programs\CrystalDiskInfo6_5_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
D:\Utility\Programs\CrystalDiskMark5_0_2-en.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
D:\Utility\Programs\DAEMON Tools Lite 4.49.1.0356.exe Win32/DownWare.L potentially unwanted application deleted - quarantined
D:\Utility\Programs\SetupImgBurn_184.108.40.206.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
Edited by deepfreeze12, 03 December 2015 - 12:16 PM.
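Added here as an example (not the poster's code, and not an ESET tool): a small Python triage script that parses result lines in the format quoted above and separates the one hit that points at a Steam password stealer from the bundleware detections in old installers. The line layout and the "PSW." name prefix are assumptions drawn from the lines as posted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: four of the ESET Online Scanner result lines quoted in the post.
SCAN_LINES = [
    r"C:\Program Files (x86)\Steam\COMCTR32.dll Win32/PSW.Steam.NEH trojan cleaned by deleting - quarantined",
    r"C:\Windows\AutoKMS\AutoKMS.exe MSIL/HackKMS.A potentially unsafe application cleaned by deleting - quarantined",
    r"D:\Utility\Programs\ccsetup510.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined",
    r"D:\Utility\Programs\DAEMON Tools Lite 4.49.1.0356.exe Win32/DownWare.L potentially unwanted application deleted - quarantined",
]

# One result line reads: <path> <platform/name> <category> <action> - <state>.
# The path may contain spaces, so it is matched lazily up to the first "platform/name" token.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>trojan|potentially (?:unsafe|unwanted) application)\s+"
    r"(?P<action>cleaned by deleting|deleted)\s+-\s+(?P<state>\w+)\s*$"
)
SEVERITY = {"trojan": "high", "potentially unsafe application": "medium",
            "potentially unwanted application": "low"}

@dataclass
class Finding:
    path: str
    threat: str
    severity: str
    steals_credentials: bool  # assumed: ESET's "PSW." name prefix marks password-stealing trojans
    in_steam_dir: bool        # sits in the client directory the poster was logged out of

def parse_line(line: str) -> Optional[Finding]:
    """Parse one result line; returns None for lines that are not scanner results."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    family_name = m["threat"].split("/", 1)[1]
    return Finding(m["path"], m["threat"], SEVERITY[m["category"]],
                   family_name.startswith("PSW."), "\\steam\\" in m["path"].lower())

def triage(lines):
    """Separate hits that call for password and session resets from bundleware in old installers."""
    findings = [f for f in map(parse_line, lines) if f is not None]
    rotate = [f.path for f in findings if f.steals_credentials or f.in_steam_dir]
    bundleware = [f.path for f in findings if f.severity != "high"]
    return {"findings": findings, "rotate_credentials_for": rotate, "bundleware": bundleware}

if __name__ == "__main__":
    for key, value in triage(SCAN_LINES).items():
        print(key, value)
```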