As I was getting ready for bed my PC's screen came on and I noticed the mouse was moving around all laggy/jittery.
I instantly knew someone had RDP'd into my PC. I sat at my computer desk and Chrome was open (I always leave it open with 3 email tabs). The person was in my main Gmail tab deleting emails. One was from my bank and another was the LastPass security notice email.
I quickly disconnected my PC from WiFi and removed my WiFi USB adapter. I began changing my Gmail passwords from my phone's browser (disconnected it from WiFi as well). Then I got a text from my bank that my account had been charged ~$2,500.
Panicking that I couldn't change passwords fast enough on my phone, I connected my PC back to WiFi and started changing passwords for my bank, PayPal etc. from my PC.
I installed and ran Bitdefender and disconnected from WiFi while it was scanning. It froze at 44% and I reconnected to WiFi to download another antivirus. When it reconnected it started running really slow and TeamViewer (which I've never installed or used) popped up with a login in French. Also Chrome notified me new extensions were installed (a bunch of those BS Spigot extensions). I disconnected from WiFi immediately.
I made a bootable USB from Avast and scanned my computer. I installed a bunch of anti-malware programs (Malwarebytes, AdwCleaner, RogueKiller, JRT). I found out the person had installed a keylogger and all my password changes were logged in .dc files in c:/users/.../appdata/roaming/dclogs/. From viewing those files I found out the person had logged into my eBay and changed the email to his, along with going into my PayPal and making a payment for a MacBook from some random site.
I called my bank and got the charges reversed, and changed all my passwords from my laptop (which I don't have a reason to believe is infected/compromised).
I've just finished running all the scans (see logs below) and I'm asking how I make sure everything is good. I rebooted and ran Malwarebytes again and it found one more file, Quarantine.exe. Rebooted again and now I'm running another full system scan with Bitdefender.
I don't want to reconnect the PC back to the internet unless I'm 100% certain it's clean.
JunkWare Removal Tool Log:
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 7.0.1 (06.17.2015:2)
OS: Windows 7 Ultimate x64
Ran by Ramacher on Wed 06/17/2015 at 17:11:35.41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
Successfully stopped: [Service] bdsandbox
Successfully deleted: [Service] bdsandbox
~~~ Tasks
~~~ Registry Values
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_4333808BBBE2F6936704A768BFD032EE
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\SearchAssistant
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\APN PIP
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\PIP
~~~ Files
Successfully deleted: [File] C:\Windows\system32\drivers\bdsandbox.sys
Successfully deleted: [File] C:\ProgramData\1434454344.bdinstall.bin
Successfully deleted: [File] C:\Users\Ramacher\appdata\local\google\chrome\user data\default\local storage\chrome-extension_bmnlcjabgnpnenekpadlanbbkooimhnj_0.localstorage
Successfully deleted: [File] C:\Users\Ramacher\appdata\local\google\chrome\user data\default\local storage\chrome-extension_bmnlcjabgnpnenekpadlanbbkooimhnj_0.localstorage-journal
Successfully deleted: [File] C:\Users\Ramacher\appdata\local\google\chrome\user data\default\local storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage
~~~ Folders
Successfully deleted: [Folder] C:\Program Files (x86)\adawaretb
Successfully deleted: [Folder] C:\Program Files (x86)\application updater
Successfully deleted: [Folder] C:\Program Files (x86)\Toolbar Cleaner
Successfully deleted: [Folder] C:\ProgramData\blekko toolbars
Successfully deleted: [Folder] C:\Users\Ramacher\appdata\local\slick savings
Successfully deleted: [Folder] C:\Users\Ramacher\appdata\locallow\adawaretb
Successfully deleted: [Folder] C:\Users\Ramacher\AppData\Roaming\pdfforge
~~~ Chrome
Successfully deleted: [Folder] C:\Users\Ramacher\appdata\local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk
[C:\Users\Ramacher\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\Ramacher\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
bmnlcjabgnpnenekpadlanbbkooimhnj
gkojfkhlekighikafcpjkiklfbnlmeio
[C:\Users\Ramacher\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\Ramacher\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
hbcennhacfaagdopikcegfcobcadeocj,
icdlfehblmklkikfigmjhbmmpmkmpooj,
mhkaekfpcppmmioggniknbnbdbcigpkk,
pfndaklgolladniicklehhancnlgocpp
]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/17/2015 at 17:17:44.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADWcleaner Logs:
Code:
# AdwCleaner v4.206 - Logfile created 17/06/2015 at 17:22:37
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Ramacher - Ramacher-PC
# Running from : C:\Users\Ramacher\Desktop\New folder\adwcleaner_4.206.exe
# Option : Cleaning
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\Ramacher\AppData\LocalLow\HPAppData
[/!\] Not Deleted ( Junction ) : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj
File Deleted : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niloccemoadcdkdjlinkgdfekeahmflj_0.localstorage
File Deleted : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niloccemoadcdkdjlinkgdfekeahmflj_0.localstorage-journal
File Deleted : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cikkigamncoobkmpenfdeniclmehdidh
File Deleted : C:\END
File Deleted : C:\prefs.js
File Deleted : C:\Users\Ramacher\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Ramacher\AppData\Roaming\AdobeWLCMCache.dat
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKCU\Software\AppDataLow\Software\Browser Extensions
Key Deleted : HKLM\SOFTWARE\adawaretb
Key Deleted : HKLM\SOFTWARE\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DE1D6B0C-D8F3-4FC0-9B9F-E5EB1529BF94}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
-\\ Google Chrome v43.0.2357.124
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://movies.netflix.com/WiSearch?raw_query=charlie+bartlett&ac_category_type=none&ac_rel_posn=-1&ac_abs_posn=-1&v1={searchTerms}&search_submit=
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R0].txt - [4945 bytes] - [17/06/2015 17:19:03]
AdwCleaner[S0].txt - [4836 bytes] - [17/06/2015 17:22:37]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4895 bytes] ##########
Code:
# AdwCleaner v4.206 - Logfile created 17/06/2015 at 17:19:03
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Ramacher - Ramacher-PC
# Running from : C:\Users\Ramacher\Desktop\New folder\adwcleaner_4.206.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\END
File Found : C:\prefs.js
File Found : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cikkigamncoobkmpenfdeniclmehdidh
File Found : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niloccemoadcdkdjlinkgdfekeahmflj_0.localstorage
File Found : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_niloccemoadcdkdjlinkgdfekeahmflj_0.localstorage-journal
File Found : C:\Users\Ramacher\AppData\Local\Temp\Uninstall.exe
File Found : C:\Users\Ramacher\AppData\Roaming\AdobeWLCMCache.dat
Folder Found : C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj
Folder Found : C:\Users\Ramacher\AppData\LocalLow\HPAppData
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
Key Found : HKCU\Software\AppDataLow\Software\Browser Extensions
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\StartSearch
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\StartSearch
Key Found : HKLM\SOFTWARE\adawaretb
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DE1D6B0C-D8F3-4FC0-9B9F-E5EB1529BF94}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKLM\SOFTWARE\Toolbar Cleaner
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE}
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
-\\ Google Chrome v43.0.2357.124
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://movies.netflix.com/WiSearch?raw_query=charlie+bartlett&ac_category_type=none&ac_rel_posn=-1&ac_abs_posn=-1&v1={searchTerms}&search_submit=
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Ramacher\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R0].txt - [4755 bytes] - [17/06/2015 17:19:03]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4814 bytes] ##########
My Computer - OS: 7 ultimate 32bit
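The post asks how to confirm the machine is clean after a remote-access intrusion. The script below is an added triage check written for this page; it is not from the original post and not from any of the tools named in it. It only reads, never deletes, and re-checks the indicators the post and its logs describe: the DarkComet-style keylog folder under %APPDATA%\dclogs (the dclogs path and .dc extension come from the post), Run/RunOnce autostart entries (the JRT log removed one from HKCU\...\Run), an unexpected TeamViewer service or process, whether Remote Desktop is enabled and who may use it, recent RDP session logons from the TerminalServices event log, and the Chrome extension IDs that JRT and AdwCleaner flagged in the logs above. The event log name, registry value names and cmdlets are standard Windows ones; the list of flagged extension IDs is copied from the page's logs. Assumes an elevated PowerShell prompt on Windows 7 or later, run while the PC is still offline.

```powershell
# Read-only post-incident triage for a Windows box (added example, not the post's own tooling).
# Run elevated, offline. Collects findings and prints them as a table at the end.

$findings = @()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Category = $Category; Detail = $Detail }
}

# 1. Keylogger output folder named in the post (.dc files under %APPDATA%\dclogs).
$dclogs = Join-Path $env:APPDATA 'dclogs'
if (Test-Path $dclogs) {
    Get-ChildItem $dclogs -Filter '*.dc' -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'Keylog' ("{0}  {1} bytes  modified {2}" -f $_.FullName, $_.Length, $_.LastWriteTime)
    }
}

# 2. Autostart (Run/RunOnce) entries in both hives, including the 32-bit view on x64.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        Add-Finding 'Autostart' ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

# 3. TeamViewer: the post says the owner never installed it, so any trace is a finding.
Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.Name -like 'TeamViewer*' } | ForEach-Object {
    Add-Finding 'RemoteAccess' ("service {0} is {1}" -f $_.Name, $_.Status)
}
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like 'TeamViewer*' } | ForEach-Object {
    Add-Finding 'RemoteAccess' ("process {0} (PID {1}) is running" -f $_.ProcessName, $_.Id)
}

# 4. RDP exposure: fDenyTSConnections = 0 means Remote Desktop is switched on.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Add-Finding 'RDP' 'Remote Desktop is enabled (fDenyTSConnections = 0)'
}
# Members of Remote Desktop Users can log on over RDP without being administrators.
$rdpUsers = (net localgroup 'Remote Desktop Users' 2>$null) |
    Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|The command|-+$)' }
foreach ($u in $rdpUsers) { Add-Finding 'RDP' ("Remote Desktop Users member: {0}" -f $u.Trim()) }

# 5. Recent RDP session logons. Event 21 in the LocalSessionManager log records the
#    user and the source address of each successful session logon.
try {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21
    } -MaxEvents 50 -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $addr = $x.Event.UserData.EventXML.Address
        $user = $x.Event.UserData.EventXML.User
        Add-Finding 'RDP' ("session logon {0} user {1} from {2}" -f $_.TimeCreated, $user, $addr)
    }
} catch { Add-Finding 'RDP' ("could not read TerminalServices log: {0}" -f $_.Exception.Message) }

# 6. Chrome extension IDs flagged by JRT/AdwCleaner in the logs on this page, rechecked
#    on disk because AdwCleaner skipped one directory it reported as a junction.
$flaggedExtensions = @(
    'bmnlcjabgnpnenekpadlanbbkooimhnj', 'gkojfkhlekighikafcpjkiklfbnlmeio',
    'mhkaekfpcppmmioggniknbnbdbcigpkk', 'hbcennhacfaagdopikcegfcobcadeocj',
    'icdlfehblmklkikfigmjhbmmpmkmpooj', 'pfndaklgolladniicklehhancnlgocpp',
    'niloccemoadcdkdjlinkgdfekeahmflj', 'cikkigamncoobkmpenfdeniclmehdidh'
)
$extDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extDir) {
    Get-ChildItem $extDir -ErrorAction SilentlyContinue | ForEach-Object {
        $tag = if ($flaggedExtensions -contains $_.Name) { 'FLAGGED' } else { 'present' }
        Add-Finding 'ChromeExt' ("{0} {1}" -f $tag, $_.Name)
    }
}

$findings | Format-Table -AutoSize Category, Detail
```

Read the output as scoping information rather than a verdict: an empty table shows only that these particular indicators are absent. Every autostart entry and every RDP session logon with an unfamiliar source address should be explained before the machine goes back online, and the event log timestamps can be matched against the bank and eBay activity the post describes to establish when the remote access began.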