
A keylogger got my stuff. Need help with damage control.

samcool55

I'm going to keep it short because I'm panicking and in a hurry doing damage control.

 

I found the logs of a keylogger today, and it was active. It logged every single keystroke for the last week and it had a separate logfile with my Steam login.

It was all in plain text, just TXT files. And it also blocked my anti-viruses.

AVG, Malwarebytes, Windows Defender, all refused to work.

Some showed a cmd command in a split second, some didn't do anything.

 

I have the logs, so I know exactly what whoever coded the keylogger knows.

I know it was in a GTA mod, because such keywords were in the beginning of the first log.

 

Atm I reinstalled Windows, scanning the sh*t out of everything and changing every password.

I have 2-factor authentication enabled where it's important, like Steam and stuff.

And I know where the logfiles should be if there are any.

 

So, any tips to do damage control and protect my ass now some random person has all my stuff?

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


Don't mod? :P

Main rig on profile

VAULT - File Server

Spoiler

Intel Core i5 11400 w/ Shadow Rock LP, 2x16GB SP GAMING 3200MHz CL16, ASUS PRIME Z590-A, 2x LSI 9211-8i, Fractal Define 7, 256GB Team MP33, 3x 6TB WD Red Pro (general storage), 3x 1TB Seagate Barracuda (dumping ground), 3x 8TB WD White-Label (Plex) (all 3 arrays in their respective Windows Parity storage spaces), Corsair RM750x, Windows 11 Education

Sleeper HP Pavilion A6137C

Spoiler

Intel Core i7 6700K @ 4.4GHz, 4x8GB G.SKILL Ares 1800MHz CL10, ASUS Z170M-E D3, 128GB Team MP33, 1TB Seagate Barracuda, 320GB Samsung Spinpoint (for video capture), MSI GTX 970 100ME, EVGA 650G1, Windows 10 Pro

Mac Mini (Late 2020)

Spoiler

Apple M1, 8GB RAM, 256GB, macOS Sonoma

Consoles: Softmodded 1.4 Xbox w/ 500GB HDD, Xbox 360 Elite 120GB Falcon, XB1X w/2TB MX500, Xbox Series X, PS1 1001, PS2 Slim 70000 w/ FreeMcBoot, PS4 Pro 7015B 1TB (retired), PS5 Digital, Nintendo Switch OLED, Nintendo Wii RVL-001 (black)


Just now, tmcclelland455 said:

Don't mod? :P

Yea I'm not doing any more modding or anything, I'm completely done with it.


3 minutes ago, samcool55 said:

I'm going to keep it short because I'm panicking and in a hurry doing damage control.

 

I found the logs of a keylogger today, and it was active. It logged every single keystroke for the last week and it had a separate logfile with my Steam login.

It was all in plain text, just TXT files. And it also blocked my anti-viruses.

AVG, Malwarebytes, Windows Defender, all refused to work.

Some showed a cmd command in a split second, some didn't do anything.

 

I have the logs, so I know exactly what whoever coded the keylogger knows.

I know it was in a GTA mod, because such keywords were in the beginning of the first log.

 

Atm I reinstalled Windows, scanning the sh*t out of everything and changing every password.

I have 2-factor authentication enabled where it's important, like Steam and stuff.

And I know where the logfiles should be if there are any.

 

So, any tips to do damage control and protect my ass now some random person has all my stuff?

Tell the bank if you used online banking and change every password possible! Also watch your bank account balance and any accounts you have used for suspicious activity :) Hope everything turns out well for you! They are an absolute B***H!

If you want a reply PLEASE QUOTE ME!

WE NEED CUSTOM MEMBER TITLES AGAIN!!!!!

Member title post link!


3 minutes ago, samcool55 said:

Yea I'm not doing any more modding or anything, I'm completely done with it.

Good thing you learned your lesson.

/s?

 

But maybe just make super sure that they're super legit. Possibly test them on a virtual machine or some crap rig that isn't crucial, to be super serious.


Just now, A Guy Eating Cereal said:

Tell the bank if you used online banking and change every password possible! Also watch your bank account balance and any accounts you have used for suspicious activity :) Hope everything turns out well for you! They are an absolute B***H!

I don't have a credit card and logging into the bank requires 2-factor authentication. I'll check the logs to see if it grabbed bank information.

So even if they do have information, it shouldn't be enough to make purchases in my name because it needs the thingy I got from the bank to make purchases, and that thingy needs my debit card or it doesn't work.

Thanks for the tip tho, didn't think about money.


Notify everyone that hosts the accounts that you have been compromised. They can mark your accounts to look for suspicious activity. You can check most email and bank logins to see if they were from locations/IPs you know. Fire up 2-factor on everything (might have saved you in the first place, keep backup codes somewhere safe), and stay diligent.


1 minute ago, tmcclelland455 said:

Good thing you learned your lesson.

/s?

 

But maybe just make super sure that they're super legit. Possibly test them on a virtual machine or some crap rig that isn't crucial, to be super serious.

GTA V mods in a VM, that's going to be tricky :P

But no, I'm really done with it. I prefer no mods now, risking all this for some mods isn't worth it.


That must suck. Sorry to hear that.

 

I can't think of anything other than the obvious.... reset all passwords for accounts that you have signed into recently, starting with email and the most important ones.
 


Man, it's one of the loggers that stay even after a system wipe, I bet. Google them.

1010011010/29A


Just now, samcool55 said:

I don't have a credit card and logging into the bank requires 2-factor authentication. I'll check the logs to see if it grabbed bank information.

So even if they do have information, it shouldn't be enough to make purchases in my name because it needs the thingy I got from the bank to make purchases, and that thingy needs my debit card or it doesn't work.

Thanks for the tip tho, didn't think about money.

No problem man, you did the best thing re-installing Windows as well! :) No, but it could be enough to steal your identity, in which case you are screwed (not trying to scare you at all tho!)


Banking sites, there's not much they can do, maybe pay themselves. I would still change all passwords, turn on 2-factor authentication on all I could.

 

On the Windows install I would format that drive, not just install over, just in case something got snuck in somewhere.


1 minute ago, lowlyf said:

Notify everyone that hosts the accounts that you have been compromised. They can mark your accounts to look for suspicious activity. You can check most email and bank logins to see if they were from locations/IPs you know. Fire up 2-factor on everything (might have saved you in the first place, keep backup codes somewhere safe), and stay diligent.

Backup codes are safe, I have them somewhere if I need them so I'm good with that :)

I have checked accounts for weird activity but I can't find anything. Apart from Steam freaking out sometimes last week, but I added my phone number and it seems like that solved it. I think that was also the main focus of the keylogger because my Steam stuff was in a separate file.


Don't know if I have any tips beyond what others have posted, but just out of curiosity, was this a well-known mod on a site like Nexus Mods?


1 minute ago, Mazeman03 said:

man its one of the loggers that stay even after a system wipe i bet. google themc

At first sight it doesn't look like it does tho.

The logs are stored in C:/Program Data/ in a folder with a random number.

And atm there isn't a folder with a random number. So it does look like a reinstall did the trick, I hope. I will do a complete wipe of every single drive if I have to, I have an almost complete off-site backup that's intact (checked it and it's fine) so even if I have to get rid of everything, not a big deal. Annoying, but not a disaster.

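An added check for the drop location described above (not code from the thread): it lists folders under C:\ProgramData whose name is purely numeric, summarises what they hold, and then looks for Run keys and scheduled tasks that point back into such a folder, the kind of autostart entry that would re-launch a logger at boot. The numeric-name pattern and the autostart locations checked are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread. Look for the drop folder the keylogger used
# (assumed here: a purely numeric directory name under C:\ProgramData) and for
# autostart entries that point back into such a folder. Run elevated.

function Find-NumericProgramDataDirs {
    param([string] $Root = $env:ProgramData)
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            $files  = @(Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
            $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                FileCount   = $files.Count
                TextFiles   = @($files | Where-Object Extension -eq '.txt').Count
                NewestWrite = if ($newest) { $newest.LastWriteTime } else { $null }
            }
        }
}

function Find-AutostartReferences {
    # Matches a command line that runs something out of C:\ProgramData\<digits>\
    param([string] $Pattern = 'ProgramData\\\d+\\')
    $hits = @()
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # provider metadata, not a registry value
            $cmd = [string]$props.$name
            if ($cmd -match $Pattern) {
                $hits += [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd }
            }
        }
    }
    # Scheduled tasks whose executable or arguments point into such a folder.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Pattern) {
                $hits += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
    $hits
}

Find-NumericProgramDataDirs | Format-List
Find-AutostartReferences | Format-Table -AutoSize
```

An empty result from both functions is consistent with the reinstall having removed the logger; a hit from the second function is the case where a plain reinstall over the same disk is not enough.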

0-0 damn man that sucks! I don't really know anything about that type of stuff but just in case get TunnelBear (Linus's sponsor, well one of them anyway), the free one, it's a VPN. Idk if it will help but I guess it would be better safe than sorry

 

Anyways good luck and be careful!

Sorry for any mistakes, I'm on my phone and relying on autocorrect xD


2 minutes ago, samcool55 said:

At first sight it doesn't look like it does tho.

The logs are stored in C:/Program Data/ in a folder with a random number.

And atm there isn't a folder with a random number. So it does look like a reinstall did the trick, I hope. I will do a complete wipe of every single drive if I have to, I have an almost complete off-site backup that's intact (checked it and it's fine) so even if I have to get rid of everything, not a big deal. Annoying, but not a disaster.

If you have to clear then use DBAN, to overwrite the disk and remove all the data left on it! :) 


Our policy is a format of every compromised system. If they pushed a keylogger they could have pushed more. Watch for TCP/IP sessions that shouldn't be there, and isolate that PC to a VLAN by itself if possible. If you notice anything, copy your HDD to VHD, completely format it (no quick formats) and recover your data in a non-networked VM.


1 minute ago, Scionyde said:

Don't know if I have any tips beyond what others have posted, but just out of curiosity, was this a well-known mod on a site like Nexus Mods?

I used Nexus-mods and GTA5-mods.

Only 2 sites I used to get stuff and I don't know about the rep of GTA5-mods. But it looked safe... was a big mistake.

 

Also, I'm going through the logs, and for some weird reason it looks like it didn't grab everything? I'm not sure but some logs are really short and look like they missed stuff...

Not sure what's going on with that.


1 minute ago, lowlyf said:

Our policy is a format of every compromised system. If they pushed a keylogger they could have pushed more. Watch for TCP/IP sessions that shouldn't be there, and isolate that PC to a VLAN by itself if possible. If you notice anything, copy your HDD to VHD, completely format it (no quick formats) and recover your data in a non-networked VM.

Any tips on keeping an eye on the sessions?

First thing that comes to mind is Wireshark, but I'm not sure if that's an efficient way...

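On the question of keeping an eye on sessions, an added example rather than anything posted in the thread: a PowerShell snapshot of the machine's TCP connections joined to the owning process, its binary path and Authenticode status, which is lighter than a packet capture when the question is just "what on this box is talking out, and is it something I installed". It assumes Windows 8.1 or later (Get-NetTCPConnection) and an elevated prompt; the "suspicious" heuristic (unsigned, or running from ProgramData/AppData/Temp) is my assumption, not a rule.

```powershell
# Added example, not from the thread. Snapshot TCP sessions with their owning
# process so an unexpected outbound connection can be traced to a binary.
# Assumes Windows 8.1+ (Get-NetTCPConnection) and an elevated PowerShell.

function Get-SessionReport {
    param(
        # Loopback / unspecified peers are noise for this purpose.
        [string[]] $IgnoreRemote = @('127.0.0.1', '::1', '0.0.0.0', '::')
    )
    # Index running processes by PID once; -IncludeUserName needs elevation.
    $procs = @{}
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        ForEach-Object { $procs[[int]$_.Id] = $_ }

    # PID 0/4 are Idle/System; skip them so the kernel does not show up as "unsigned".
    Get-NetTCPConnection -State Established, SynSent, CloseWait -ErrorAction SilentlyContinue |
        Where-Object { $IgnoreRemote -notcontains $_.RemoteAddress -and $_.OwningProcess -gt 4 } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }
            # Authenticode status: 'Valid' for signed vendor binaries,
            # 'NotSigned' for most home-grown or repacked executables.
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'Unknown' }
            [pscustomobject]@{
                Local      = "$($_.LocalAddress):$($_.LocalPort)"
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                State      = $_.State.ToString()
                PID        = $_.OwningProcess
                Process    = if ($p) { $p.ProcessName } else { '<exited>' }
                User       = if ($p) { $p.UserName } else { $null }
                Path       = $path
                Signed     = $sig
                # Assumed heuristic: unsigned, or running from a user-writable drop location.
                Suspicious = ($sig -ne 'Valid') -or
                             ($path -match '\\(ProgramData|AppData|Temp|Users\\Public)\\')
            }
        }
}

# Take a snapshot, show the flagged rows, and keep the full set for later comparison.
$report = Get-SessionReport
$report | Where-Object Suspicious | Format-Table Remote, State, PID, Process, Signed, Path -AutoSize
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\sessions-$stamp.csv"
```

Take two snapshots some minutes apart and compare the saved CSVs with Compare-Object on the Remote and Process columns; a connection to an unfamiliar host that keeps coming back after a reboot is what lowlyf's "sessions that shouldn't be there" means in practice.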

2 minutes ago, A Guy Eating Cereal said:

If you have to clear then use DBAN, to overwrite the disk and remove all the data left on it! :) 

Forgot about that one, I'll keep that in mind if I have to do a full wipe, thanks for the tip.


18 minutes ago, samcool55 said:

I'm going to keep it short because I'm panicking and in a hurry doing damage control.

 

I found the logs of a keylogger today, and it was active. It logged every single keystroke for the last week and it had a separate logfile with my Steam login.

It was all in plain text, just TXT files. And it also blocked my anti-viruses.

AVG, Malwarebytes, Windows Defender, all refused to work.

Some showed a cmd command in a split second, some didn't do anything.

 

I have the logs, so I know exactly what whoever coded the keylogger knows.

I know it was in a GTA mod, because such keywords were in the beginning of the first log.

 

Atm I reinstalled Windows, scanning the sh*t out of everything and changing every password.

I have 2-factor authentication enabled where it's important, like Steam and stuff.

And I know where the logfiles should be if there are any.

 

So, any tips to do damage control and protect my ass now some random person has all my stuff?

Please tell me you haven't used online banking (if you have an online account); if so, tell your bank to stop your account, credit card, debit card.

Anyway, best option is if you reinstall Windows. I've had to do that for some people.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


If you are ever worried about remnants of malware or anything like that... the ATA secure erase command on an SSD will pretty much guarantee to wipe out everything on the drive, from what I've read it applies a voltage spike to the NAND and physically flushes the stored electrons, resetting all blocks. It uses one P/E cycle but it's supposed to be the most secure method to erase a drive.


2 minutes ago, Abdul201588 said:

Please tell me you haven't used online banking (if you have an online account); if so, tell your bank to stop your account, credit card, debit card.

Anyway, best option is if you reinstall Windows. I've had to do that for some people.

Just did a quick search through the log files and I can't find any information about my bank, so it looks like at least that's safe.

I have reinstalled Windows, and it looks like that was enough, let's hope it stays that way.


1 minute ago, simtransporter said:

If you are ever worried about remnants of malware or anything like that... the ATA secure erase command on an SSD will pretty much guarantee to wipe out everything on the drive, from what I've read it applies a voltage spike to the NAND and physically flushes the stored electrons, resetting all blocks. It uses one P/E cycle but it's supposed to be the most secure method to erase a drive.

ffs I should have done that. My SSD has such a thing, I have a Crucial, I think BX100, and afaik it does have a wipe feature in the software it comes with.

Well, I haven't done much on this fresh install, I'll give it a shot and start again. Thanks for the tip.

