
Steam password Keylogger


This topic is locked
8 replies to this topic

#1 Cibot

Posted 01 February 2018 - 10:24 AM

https://www.bleepingcomputer.com/forums/t/669661/steam-account-keeps-getting-accessed/

 

All information on the topic is in the thread mentioned above. I hope you guys can find something in the logs, as I found nothing suspicious in them.

 

 


#2 nasdaq (Malware Response Team)

Posted 02 February 2018 - 09:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Yahoo Search Set (HKLM-x32\...\Yahoo! SearchSet) (Version: - Yahoo Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction <==== ATTENTION
BHO-x32: No Name -> {120A8821-2BEE-4C29-BCDA-62C577781992} -> No File
CHR StartupUrls: Default -> "","hxxp://www.youporn.com/","hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.0.5.292&pid=safeguard&sg=&sap=hp","
hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.0.5.292&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.1.0.443&pid=safeg... (long line)
CHR DefaultSearchURL: Default -> hxxp://www.startfenster.de/suche/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> Startfenster
CHR DefaultSuggestURL: Default -> hxxp://www.startfenster.de/api/?q={searchTerms}&language={lang}
CHR Session Restore: Default -> is enabled.
CHR Extension: (Tampermonkey) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2018-01-29]
CHR Extension: (EditThisCookie) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-12-29]
S3 Origin Client Service; "C:\Program Files (x86)\Origin\OriginClientService.exe" [X]
S2 Origin Web Helper Service; "C:\Program Files (x86)\Origin\OriginWebHelperService.exe" [X]

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {173E505A-0DE1-4AB2-826F-AF4F0D744030} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
C:\Windows\System32\Tasks\Microsoft\Windows\UNP\RunCampaignManager

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click the menu icon (the 3 vertical dots at the top right of the Chrome window).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Reset your router. It may be COMPROMISED.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, in case you don't know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html


Please post the fixlog.txt and let me know if the problem persists with this computer.

p.s.
If you access Steam from other devices, check them all; they can be compromised too if you are syncing Chrome.

If it's a syncing issue:
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

#3 Cibot (Topic Starter)

Posted 02 February 2018 - 11:36 AM

Hi nasdaq,
 
I've done all the steps now. I realize that most people on here are new to computers and are generally not system administrators.
Just so you know, I work in IT and have pretty good knowledge when it comes to computers and administering them.

(You should probably give a hint next time that when you actually run the script, you lose all your Chrome extensions, history, locally saved bookmarks, open tabs and so on.)
 
Shouldn't the router reset be unnecessary? I mean, the password should ONLY be visible in clear text on my PC.
I don't think anyone could actually decrypt the HTTPS when it is sent to Steam? (Correct me if you know better though!)
- I still did it, but I'm just curious - 
 
Do you have enough expertise to actually be able to analyze network logs? 
I ran Microsoft Network Monitor and Wireshark so I've got 2 logs but I think the Microsoft one is better either way, I'll just attach it.
Thought I was actually smart enough to analyze that, but yeah, it's not as easy as I expected. 
 
Will write into this post again, if the problem persists. 
 
Thanks for the help though! 
 
EDIT: can't actually upload the Microsoft Network Monitor log as it's too big.
The link to it : https://ufile.io/s8cha

Edit: Fixlog.txt pasted.
Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Hitsuyaga (02-02-2018 17:07:34) Run:1
Running from C:\Users\Hitsuyaga\Downloads
Loaded Profiles: Hitsuyaga (Available Profiles: defaultuser0 & Hitsuyaga)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction <==== ATTENTION
BHO-x32: No Name -> {120A8821-2BEE-4C29-BCDA-62C577781992} -> No File
CHR StartupUrls: Default -> "","hxxp://www.youporn.com/","hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.0.5.292&pid=safeguard&sg=&sap=hp","
hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.0.5.292&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.1.0.443&pid=safeg... (long line)
CHR DefaultSearchURL: Default -> hxxp://www.startfenster.de/suche/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> Startfenster
CHR DefaultSuggestURL: Default -> hxxp://www.startfenster.de/api/?q={searchTerms}&language={lang}
CHR Session Restore: Default -> is enabled.
CHR Extension: (Tampermonkey) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2018-01-29]
CHR Extension: (EditThisCookie) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-12-29]
S3 Origin Client Service; "C:\Program Files (x86)\Origin\OriginClientService.exe" [X]
S2 Origin Web Helper Service; "C:\Program Files (x86)\Origin\OriginWebHelperService.exe" [X]

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {173E505A-0DE1-4AB2-826F-AF4F0D744030} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
C:\Windows\System32\Tasks\Microsoft\Windows\UNP\RunCampaignManager

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{120A8821-2BEE-4C29-BCDA-62C577781992}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{120A8821-2BEE-4C29-BCDA-62C577781992} => key not found
"Chrome StartupUrls" => removed successfully
hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.0.5.292&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={22717F21-00F2-47B1-A083-C198C78EE44D}&mid=6e25b0f65fbd47d3b10f634120dc10e0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-19 20:41:50&v=18.1.0.443&pid=safeg... (long line) => Error: No automatic fix found for this entry.
"Chrome DefaultSearchURL" => removed successfully
"Chrome DefaultSearchKeyword" => removed successfully
"Chrome DefaultSuggestURL" => removed successfully
"Chrome Session Restore:" => not found
CHR Extension: (Tampermonkey) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2018-01-29] => Error: No automatic fix found for this entry.
CHR Extension: (EditThisCookie) - C:\Users\Hitsuyaga\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-12-29] => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\Origin Client Service" => removed successfully
Origin Client Service => service removed successfully
"HKLM\System\CurrentControlSet\Services\Origin Web Helper Service" => removed successfully
Origin Web Helper Service => service removed successfully
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{173E505A-0DE1-4AB2-826F-AF4F0D744030} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{173E505A-0DE1-4AB2-826F-AF4F0D744030}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
"C:\Windows\System32\Tasks\Microsoft\Windows\UNP\RunCampaignManager" => not found

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration

No operation can be performed on Tunngle while it has its media disconnected.
No operation can be performed on Ethernet 2 while it has its media disconnected.

Ethernet adapter Ethernet:

Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::d96e:ecb6:d320:4aa4%13
Default Gateway . . . . . . . . . :

Ethernet adapter Tunngle:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter LAN-Verbindung* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration

No operation can be performed on Tunngle while it has its media disconnected.
No operation can be performed on Ethernet 2 while it has its media disconnected.

Ethernet adapter Ethernet:

Connection-specific DNS Suffix  . : fritz.box
Link-local IPv6 Address . . . . . : fe80::d96e:ecb6:d320:4aa4%13
IPv4 Address. . . . . . . . . . . : 192.168.178.49
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.178.1

Ethernet adapter Tunngle:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter LAN-Verbindung* 11:

Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:78cf:1444:2b85:aa4b:d53d
Link-local IPv6 Address . . . . . : fe80::1444:2b85:aa4b:d53d%8
Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 67152046 B
Java, Flash, Steam htmlcache => 370226571 B
Windows/system/drivers => 3583527 B
Edge => 23174572 B
Chrome => 542745691 B
Firefox => 378720407 B
Opera => 113138691 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 9656 B
NetworkService => 417100 B
defaultuser0 => 0 B
Hitsuyaga => 1101342587 B

RecycleBin => 0 B
EmptyTemp: => 2.4 GB of temporary data removed.

================================


The system needed a reboot.

==== End of Fixlog 17:12:12 ====

Edited by nasdaq, 02 February 2018 - 02:12 PM.


#4 nasdaq (Malware Response Team)

Posted 02 February 2018 - 02:31 PM


This is the notice you see when resetting the Chrome settings.

This will reset your startup page, new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history and saved passwords will not be cleared.


Shouldn't the router reset be unnecessary?

Just a suggestion. Check if secured.


===

I do not have the expertise to read the .cap file.

An expert in the Networking forum may be able to help you.
https://www.bleepingcomputer.com/forums/f/21/networking/

Have you been hacked recently?
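On the router question raised in the previous post: a router on the path cannot decrypt a properly validated TLS session to Steam, but it can hand out forged DNS answers (its own rogue resolver, or a silently changed upstream DNS setting) so that the client is steered to a look-alike login page whose certificate the user then clicks through. That is the first thing worth pulling out of the Wireshark / Network Monitor capture, and it needs no TLS expertise. The parser below is an added example, not code from this thread or from any tool mentioned in it: it decodes the A records in a DNS response and flags answers for Steam hostnames that fall outside an expected range. The packets are constructed inside the script, and the "expected" range is a placeholder from the TEST-NET-3 documentation block, not Valve's real address space; in practice compare against what a known-good resolver returns for the same names.

```python
"""Flag DNS answers that steer Steam hostnames somewhere unexpected.

Added example, not code from the thread. The sample packets are built by
build_response(); EXPECTED_RANGES is an assumed placeholder, not Valve's
real address space.
"""
import ipaddress
import struct

# Assumed allow-list: where the watched names are expected to resolve (placeholder range).
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
WATCHED_SUFFIXES = ("steampowered.com", "steamcommunity.com")


def _read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset_after_name_in_the_original_stream)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                      # two-byte pointer to an earlier name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the stream resumes after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_answers(packet):
    """Return [(name, ipv4)] for every A record in the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):                            # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, IN class
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return answers


def suspicious_answers(packet):
    """A records for watched Steam names whose address lies outside EXPECTED_RANGES."""
    hits = []
    for name, ip in parse_a_answers(packet):
        if name.endswith(WATCHED_SUFFIXES):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in EXPECTED_RANGES):
                hits.append((name, ip))
    return hits


def build_response(name, ip, txid=0x1234):
    """Construct a minimal one-answer DNS response; only used to fabricate sample packets."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)       # standard response, no error
    question = qname + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


# Constructed samples: one answer inside the assumed range, one pointing at a LAN host,
# which is the kind of answer a hijacked home router would hand out.
LEGIT = build_response("store.steampowered.com", "203.0.113.10")
HIJACKED = build_response("steamcommunity.com", "192.168.178.200")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("hijacked", HIJACKED)):
        print(label, parse_a_answers(pkt), "->", suspicious_answers(pkt))
```

To use it on a real capture, export the UDP payloads of the port 53 responses and feed each one to suspicious_answers(). An answer that changes with CDN geography is normal; one that lands on a LAN address, on the router itself, or on a host that also shows up as the target of the HTTPS connection to a name it should not own is not.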

#5 Cibot (Topic Starter)

Posted 02 February 2018 - 03:58 PM

Oh yeah, you're right. I didn't do that first, but the Fixlist command thingy which you use for FRST64.exe actually removes everything related to Chrome by itself.

Not that I know of. Well, someone has tried accessing my device again, so it's not fixed unfortunately.

It's also, as I said, ONLY the Steam password; nothing else has been accessed, so it's very weird.



As I said, I work daily with computers, so I shouldn't get the typical kind of malware that most people get through some toolbar or weird driver program.

Hence I came here to analyze it, or at least learn how to find out which application/service or whatever is acting maliciously.
Should I post my problem in Networking?
I mean, AFAIK Wireshark and co. capture all traffic among applications since they do it through ports, so it should be possible to track / find it.



I'll try completely uninstalling Steam and reinstalling it; maybe some registry key has been maliciously changed to point to some other .dll that is in fact injected.



#6 nasdaq (Malware Response Team)

Posted 03 February 2018 - 08:40 AM



Hi,

Yes, reinstalling Steam is a good idea.

This tool may help you identify any bad settings.
Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
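The hosts file, proxy settings and Winsock entries that MiniToolBox lists are where a local redirection would show up: a hosts entry pinning steamcommunity.com to an attacker's address, or a proxy / PAC script that routes all browser traffic through a host the attacker controls (which by itself still cannot read inside TLS, but sets up the same look-alike page and can watch every plain HTTP request). The script below is an added example, not part of the thread or of MiniToolBox: it parses a Windows hosts file and the Internet Settings values in the layout that "reg query" prints, and flags what an analyst would look at first. The hosts content, registry output, WATCHED domain list and padding threshold are constructed or assumed for the example.

```python
"""Triage a Windows hosts file and the per-user proxy keys for redirection.

Added example, not code from the thread or from MiniToolBox. HOSTS and
REG_QUERY are constructed samples; WATCHED is an assumed list of names that
matter for this case.
"""
import ipaddress
import re

WATCHED = ("steampowered.com", "steamcommunity.com", "valvesoftware.com")
LOCAL_NETS = (ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128"),
              ipaddress.ip_network("0.0.0.0/32"))
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(line_no, ip, hostname)], one tuple per hostname on each active line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                    # malformed line, not an address
        for host in parts[1:]:
            entries.append((no, str(ip), host.lower().rstrip(".")))
    return entries


def suspicious_hosts(text):
    """Flag any entry for a watched domain, and any non-local name pinned to a routable address."""
    hits = []
    for no, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        is_local = any(addr in net for net in LOCAL_NETS)
        watched = host.endswith(WATCHED)
        if watched:
            hits.append((no, ip, host, "pinned watched domain"))
        elif not is_local and host not in LOCAL_NAMES:
            hits.append((no, ip, host, "routable override"))
    return hits


def max_blank_run(text):
    """Longest run of blank lines; some hijackers pad the file so entries sit far below the comments."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if not raw.strip() else 0
        longest = max(longest, run)
    return longest


def parse_reg_query(text):
    """Parse 'reg query' output rows ('    Name    REG_TYPE    value') into {name: value}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            name, rtype, val = m.groups()
            values[name] = int(val, 16) if rtype == "REG_DWORD" else val.strip()
    return values


def suspicious_proxy(values):
    """An enabled manual proxy or any PAC URL is worth a second look on a home machine."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append(f"manual proxy enabled: {values['ProxyServer']}")
    if values.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {values['AutoConfigURL']}")
    return findings


# Constructed sample: a stock hosts header, 60 padding lines, then two appended entries.
HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "#\t127.0.0.1       localhost\n"
    "127.0.0.1   localhost\n"
    + "\n" * 60
    + "203.0.113.7   steamcommunity.com store.steampowered.com   # pinned by attacker\n"
    "192.168.178.1 fritz.box\n"
)

# Constructed sample in the layout 'reg query "HKCU\...\Internet Settings"' prints.
REG_QUERY = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\n"
    "    ProxyEnable    REG_DWORD    0x1\n"
    "    ProxyServer    REG_SZ    http=203.0.113.7:8080;https=203.0.113.7:8080\n"
    "    AutoConfigURL    REG_SZ    http://203.0.113.7/proxy.pac\n"
)

if __name__ == "__main__":
    for hit in suspicious_hosts(HOSTS):
        print("hosts:", hit)
    print("longest blank run:", max_blank_run(HOSTS))
    for finding in suspicious_proxy(parse_reg_query(REG_QUERY)):
        print("proxy:", finding)
```

The "routable override" rule is deliberately noisy: the fritz.box entry in the sample is the kind of benign line a user adds for the router, so treat that class as a list to eyeball rather than as an alert. A hosts entry for a Steam domain, a manual proxy the user did not set, or a PAC URL pointing at an external host are the findings that justify the router and network checks suggested above.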


#7 Cibot (Topic Starter)

Posted 03 February 2018 - 10:03 AM

Hey there,

 

I reinstalled Steam and this morning once again someone attempted to log in to my account.

I've been running sysmon for like a couple days so if you know what that is and you need it, I can provide you the logs.

 

I've again reset my router and done the flushing before.

 

Now we wait. I'll contact you in case someone tries accessing it again.

 

Attached file: MTB.txt (24.26 KB)
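Sysmon is the right tool for the DLL-injection theory from post #5: event 7 (ImageLoad) records every module each process maps, event 10 (ProcessAccess) records who opens Steam.exe and with what rights, and event 8 (CreateRemoteThread) records thread injection. A keylogger installed as a classic SetWindowsHookEx hook also leaves a tell in event 7: one unsigned DLL turning up in the module loads of many unrelated GUI processes. The triage script below is an added example, not the poster's log or any Sysmon tooling: it reads events in the XML shape that Event Viewer exports (wrapped in an Events root, which is an assumption here) and applies those checks. The events, paths, trusted-directory list, allowed-accessor list and threshold are all constructed for the example.

```python
"""Triage exported Sysmon events for DLL injection into Steam and for hook DLLs.

Added example, not the poster's log. SAMPLE is constructed XML in the shape
Event Viewer exports; TRUSTED_DIRS, ALLOWED_ACCESSORS and MIN_HOSTS_FOR_HOOK
are assumptions for the example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumptions: where legitimate Steam modules live, and which system processes may
# open other processes with memory rights without being flagged.
TRUSTED_DIRS = ("c:\\program files (x86)\\steam\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ALLOWED_ACCESSORS = ("c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\lsass.exe")
VM_OPERATION, VM_READ, VM_WRITE = 0x08, 0x10, 0x20          # PROCESS_* access bits
MIN_HOSTS_FOR_HOOK = 3                                       # distinct processes loading one unsigned DLL


def parse_events(xml_text):
    """Yield (event_id, {Data Name: value}) for each <Event> under the <Events> root."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def _is_steam(path):
    return path.lower().endswith("\\steam.exe")


def triage(xml_text):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    hook_hosts = defaultdict(set)            # unsigned DLL path -> processes that loaded it
    for eid, d in parse_events(xml_text):
        if eid == 7:                                                   # ImageLoad
            image, loaded = d["Image"], d["ImageLoaded"]
            if d.get("Signed", "").lower() == "false":
                hook_hosts[loaded.lower()].add(image.lower())
            if _is_steam(image) and not loaded.lower().startswith(TRUSTED_DIRS):
                findings.append(("steam_loaded_foreign_dll", image, loaded))
        elif eid == 8:                                                 # CreateRemoteThread
            if _is_steam(d["TargetImage"]):
                findings.append(("remote_thread_into_steam", d["SourceImage"], d["TargetImage"]))
        elif eid == 10:                                                # ProcessAccess
            granted = int(d["GrantedAccess"], 16)
            src = d["SourceImage"]
            if (_is_steam(d["TargetImage"])
                    and granted & (VM_OPERATION | VM_READ | VM_WRITE)
                    and src.lower() not in ALLOWED_ACCESSORS):
                findings.append(("memory_access_to_steam", src, hex(granted)))
    for dll, hosts in hook_hosts.items():
        if len(hosts) >= MIN_HOSTS_FOR_HOOK:
            findings.append(("unsigned_dll_in_many_processes", dll, len(hosts)))
    return findings


def _event(eid, **data):
    """Build one Sysmon-style <Event> element (constructed sample data only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{rows}</EventData></Event>')


STEAM = "C:\\Program Files (x86)\\Steam\\Steam.exe"
HOOK_DLL = "C:\\Users\\user\\AppData\\Roaming\\kbhook.dll"             # constructed path
SAMPLE = "<Events>" + "".join([
    _event(7, Image=STEAM, ImageLoaded="C:\\Program Files (x86)\\Steam\\steamclient.dll", Signed="true"),
    _event(7, Image=STEAM, ImageLoaded="C:\\Windows\\System32\\ntdll.dll", Signed="true"),
    _event(7, Image=STEAM, ImageLoaded=HOOK_DLL, Signed="false"),
    _event(7, Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", ImageLoaded=HOOK_DLL, Signed="false"),
    _event(7, Image="C:\\Windows\\explorer.exe", ImageLoaded=HOOK_DLL, Signed="false"),
    _event(10, SourceImage="C:\\Users\\user\\AppData\\Roaming\\updater.exe", TargetImage=STEAM, GrantedAccess="0x1410"),
    _event(10, SourceImage="C:\\Windows\\System32\\csrss.exe", TargetImage=STEAM, GrantedAccess="0x1FFFFF"),
    _event(1, Image="C:\\Windows\\System32\\notepad.exe", ParentImage="C:\\Windows\\explorer.exe"),
]) + "</Events>"

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Two caveats when reading the output on a real export: anti-malware and overlay software (Discord, GPU tools) legitimately load unsigned or third-party DLLs into games, so "steam_loaded_foreign_dll" needs the hash looked up before it means anything; and a low-level keyboard hook (WH_KEYBOARD_LL) does not map a DLL into other processes at all, so it would not trip the many-processes rule and is better hunted as a long-lived process in a user-writable directory in event 1.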


#8 Cibot (Topic Starter)

Posted 03 February 2018 - 11:50 AM

Okay, it's been accessed again. 

Seems like it's not fixed yet. 



#9 nasdaq (Malware Response Team)

Posted 04 February 2018 - 09:39 AM

Hi,

I was reading about this problem, and some have suggested changing the password and your email address.

Hope it helps.

If you contact the Networking forum, I suggest you include the results of the MiniToolBox in your reply.

Good luck.



