Question I messed up but I need some extra help

Dec 26, 2023
4
0
10
Good afternoon, I was dumb and downloaded a file I shouldn't have on my Win 10 PC. They got into my Instagram, Riot Games, Epic Games and that was all. I changed every single password, added two-factor authentication with google authentication too to every email, account that is possible along with my emails. I downloaded the program on Dec 24, 2023 at like 11pm EST. Once I woke up to seeing my accounts accessed I went on my PC and went back to a restore point on Dec 23, 2023. I then went through a lot of precautions in cleaning my PC.

My specs are as follows
Windows 11 Home 64-bit
Ryzen 7 3700X
RTX 2080ti
32GB RAM
2X M.2 SSD
2X SSD
DX 12

This is what I found in time and dates.

Dec 23: Windows did an update prior to any stupid program downloading.
Dec 24: Downloaded dumb program (Turned PC off prior to me going to bed)
Dec 25: Restore point on Dec 23 prior to me downloading program.

Things I noticed. When I downloaded the program there was a stupid attachment program linked with it some stupid browser thing that I went to skip but clicked to fast and it installed anyways. So when I went back to my restore point the program remnants were still there which was a little weird so I then went though a lot of steps to clean this situation up along with results.

Installed malwayrebytes and ran a scan that did some work but I didn't feel like that was good enough so I installed bitdefender and that also cleaned up a decent amount.
Used MSERT and that took about 6 hours doing all of my drives and that found some hidden files. After that I did a ESET scanner and that came up empty as I did that last and ran these scans about 5 times throughout the day doing each drive one by one. I think I'm fine no accounts have been touched for over two days and have all emails and recovery sent to my phone which was also being used on WhatsApp which I found out so I made a WhatsApp to take control of them trying to use that as a recovery. Still not being comfortable as I was 5 days ago I kept on Googling advice on what to do and find any oddballs on my PC and I think I found some that I have tried to google but I don't know what it is and that's why I'm here.

In the spoiler are some questionable apps that are on my private network that Im not sure of. They're the ones that have the blocked out numbers which I also don't know if they're supposed to stay hidden off the internet.
LAIbfo3.png
0S4z2MT.png

I also did the CMD "/netstat" and went through I think it was afb and I understood that was incoming and outgoing connections to IP's. I copied all of them and put them into a IP tracker and most of it makes sense to things such as spotify, cloudfare, google, valve (steam) but I don't know what it would look like if someone actually was receiving from my IP. Any help to further enhance my safety of my PC and my personal files would be great.

After watching various videos and reading forums I saw some things people say that you will notice are slow typing response, crazy usage in task manager. I haven't noticed any of that and this is my current status as of writing this post.

1 Google Chrome tab open (For this post)
1 Windows explorer for the images I posted above
1 Malwarebytes in the background (Tray application)
1 Bitdefender in (Tray application)
1 Task Manager

I would post my Task Manager but not sure if anything personal would be on there but I still took screenshots with just the above programs running and have them saved if there's no personal information on it. I hope someone could help me out.
 
Good afternoon, I was dumb and downloaded a file I shouldn't have on my Win 10 PC. They got into my Instagram, Riot Games, Epic Games and that was all. I changed every single password, added two-factor authentication with google authentication too to every email, account that is possible along with my emails. I downloaded the program on Dec 24, 2023 at like 11pm EST. Once I woke up to seeing my accounts accessed I went on my PC and went back to a restore point on Dec 23, 2023. I then went through a lot of precautions in cleaning my PC.

My specs are as follows
Windows 11 Home 64-bit
Ryzen 7 3700X
RTX 2080ti
32GB RAM
2X M.2 SSD
2X SSD
DX 12

This is what I found in time and dates.

Dec 23: Windows did an update prior to any stupid program downloading.
Dec 24: Downloaded dumb program (Turned PC off prior to me going to bed)
Dec 25: Restore point on Dec 23 prior to me downloading program.

Things I noticed. When I downloaded the program there was a stupid attachment program linked with it some stupid browser thing that I went to skip but clicked to fast and it installed anyways. So when I went back to my restore point the program remnants were still there which was a little weird so I then went though a lot of steps to clean this situation up along with results.

Installed malwayrebytes and ran a scan that did some work but I didn't feel like that was good enough so I installed bitdefender and that also cleaned up a decent amount.
Used MSERT and that took about 6 hours doing all of my drives and that found some hidden files. After that I did a ESET scanner and that came up empty as I did that last and ran these scans about 5 times throughout the day doing each drive one by one. I think I'm fine no accounts have been touched for over two days and have all emails and recovery sent to my phone which was also being used on WhatsApp which I found out so I made a WhatsApp to take control of them trying to use that as a recovery. Still not being comfortable as I was 5 days ago I kept on Googling advice on what to do and find any oddballs on my PC and I think I found some that I have tried to google but I don't know what it is and that's why I'm here.

In the spoiler are some questionable apps that are on my private network that Im not sure of. They're the ones that have the blocked out numbers which I also don't know if they're supposed to stay hidden off the internet.
LAIbfo3.png
0S4z2MT.png

I also did the CMD "/netstat" and went through I think it was afb and I understood that was incoming and outgoing connections to IP's. I copied all of them and put them into a IP tracker and most of it makes sense to things such as spotify, cloudfare, google, valve (steam) but I don't know what it would look like if someone actually was receiving from my IP. Any help to further enhance my safety of my PC and my personal files would be great.

After watching various videos and reading forums I saw some things people say that you will notice are slow typing response, crazy usage in task manager. I haven't noticed any of that and this is my current status as of writing this post.

1 Google Chrome tab open (For this post)
1 Windows explorer for the images I posted above
1 Malwarebytes in the background (Tray application)
1 Bitdefender in (Tray application)
1 Task Manager

I would post my Task Manager but not sure if anything personal would be on there but I still took screenshots with just the above programs running and have them saved if there's no personal information on it. I hope someone could help me out.
The proper action really depends on how safe you want to be. For example are you 100% sure your pc was compromised on the 24th or was that when you noticed it? Are your sure it was a program or did you get "phished" at some point in the recent past? It's not uncommon for a phished password to go unexploited for days or even weeks.

If it were me and I were unable to rule out the uncertainty I was phished I would grab all of the specific files I cared about and move then externally then reformat the drive and start from scratch, copying over my important information manually afterwords. This is because anti-malware software isn't perfect and cannot guarantee the removal of anything, especially newer malware. You know when your problems started showing up but not when you were hacked, in other words.

For future reference learn from sketchy websites, installers etc and go from there. Good luck.
 
  • Like
Reactions: Zupps
I was not phished and the reason why I say that is because I have been using the same programs and playing the same games. (Mostly steam) This all happened after I downloaded a file and then the next day some accounts ie: Instagram, Riot, Epic and EA were compromised but that was about it. I even went about going to all my emails and seeing last log ins and nothing. One thing I did notice was that if I was phished how are they able to grab 4 accounts without me getting a notification like at all? My instagram I was most confused about because sometimes it takes me a hot minute to log into it. I went as far as signing everyone including myself out of every account and basically purging my online identity and re-doing everything. I don't click on any links except this last one (Which I still have no idea why I thought it was a good choice from the start) but it didn't ask me to sign into anything it was a program that was setup.exe and nothing happened then boom everything else happened. So with that being said I still don't have a clue how they were able to grab like 4 accounts because they were all different. Only thing is they used the saved passwords maybe on my google account and I went through every single password and used a generator using every key, letter combo you can think of.
 
I was not phished and the reason why I say that is because I have been using the same programs and playing the same games. (Mostly steam) This all happened after I downloaded a file and then the next day some accounts ie: Instagram, Riot, Epic and EA were compromised but that was about it. I even went about going to all my emails and seeing last log ins and nothing. One thing I did notice was that if I was phished how are they able to grab 4 accounts without me getting a notification like at all? My instagram I was most confused about because sometimes it takes me a hot minute to log into it. I went as far as signing everyone including myself out of every account and basically purging my online identity and re-doing everything. I don't click on any links except this last one (Which I still have no idea why I thought it was a good choice from the start) but it didn't ask me to sign into anything it was a program that was setup.exe and nothing happened then boom everything else happened. So with that being said I still don't have a clue how they were able to grab like 4 accounts because they were all different. Only thing is they used the saved passwords maybe on my google account and I went through every single password and used a generator using every key, letter combo you can think of.
If a malicious program is allowed to run on your computer, especially with administrator privileges it can access just about anything on the PC. Assuming it's well written it will seek out and exploit cached passwords from various known popular accounts but it's functionality could be theoretically anything.

Based on what you've said it does sound probable that you were infected by installing malware on the 24th and that restoring to the 23rd should be sufficient. The only other thing I would caution in this situation is that changing passwords on a compromised device is not sufficient, so I hope you changed them on another device or after restore.
 
  • Like
Reactions: Zupps
If a malicious program is allowed to run on your computer, especially with administrator privileges it can access just about anything on the PC. Assuming it's well written it will seek out and exploit cached passwords from various known popular accounts but it's functionality could be theoretically anything.

Based on what you've said it does sound probable that you were infected by installing malware on the 24th and that restoring to the 23rd should be sufficient. The only other thing I would caution in this situation is that changing passwords on a compromised device is not sufficient, so I hope you changed them on another device or after restore.
I changed like two passwords prior to restore then changed everything again. Is there a way to tell through my firewall or any outbound connections that could be sending any info through the RAT?
 
I changed like two passwords prior to restore then changed everything again. Is there a way to tell through my firewall or any outbound connections that could be sending any info through the RAT?
This is the struggle that anti-virus software has fought from the beginning. There are programs that will check this for you such as ESET as you had mentioned prior but none of them are foolproof. Theoretically you can do everything right and still get hacked, such is the nature of a zero day hack, though they are generally highly targeted. Otherwise you can look at a cmd prompt "netstat -an -y 5" and drive yourself mad.

Otherwise if you have 2fa enabled on your accounts and you've restored from before you were hacked you're probably fine.
 
  • Like
Reactions: Zupps
This is the struggle that anti-virus software has fought from the beginning. There are programs that will check this for you such as ESET as you had mentioned prior but none of them are foolproof. Theoretically you can do everything right and still get hacked, such is the nature of a zero day hack, though they are generally highly targeted. Otherwise you can look at a cmd prompt "netstat -an -y 5" and drive yourself mad.

Otherwise if you have 2fa enabled on your accounts and you've restored from before you were hacked you're probably fine.
I appreciate the insight. I logged into an account on a bookmarked website and just got a notification saying failed log in and it wasn’t from my IP. So as of right now I think I’m infected doing a fresh install of windows 11 now. I saved all my handful of personal files externally so we are going to go from there