Solved Is my windows laptop compromised in any way?

Nick3426

New Member
Thread author
Mar 28, 2025
8
Hi,

This happened on my son's computer. He is remote and I can help him with remote access sessions (TeamViewer for instance). For the rest of the conversation, I will use "I" instead of "He" to simplify writing.

Something strange happened last night while I was sleeping. I received 2 emails: the first one requesting a code to connect to my Bitwarden account (since I had 2FA by email - note that I switched it to 2FA by authenticator app), and the second one confirming a successful connection. The mentioned IP in the email seems to be from Russia.

I checked my gmail activity and there is nothing bad. Gmail 2FA is also enabled (I have to click Yes on my phone).

I took some security measures (purge sessions, password changes a bit everywhere, done from a friend's PC). But I wonder how this can happen. The attacker would need to know my Bitwarden master password and also have access to my Gmail. Frightening...

Can you help me investigate?

Thanks
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
Hello..! Welcome to MalwareTips..!

 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
Hi Nick3426 ..! I was delayed with the answer, but I had to resolve an emergency question ..! No signs of an active infection that I can see in your FRST logs. However, I want to make more checks to be completely sure ..

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications:


Scan with SecurityCheck by glax24
  • Temporarily disable Microsoft SmartScreen only if it blocks the download of the software. The program is safe
  • Download SecurityCheck by glax24 from here
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe. Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it to your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Malwarebytes
  • Open Malwarebytes you have already installed.
  • Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable the Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility

https://free.drweb.com/download+cureit/gr/?lng=en
  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply
 

Nick3426

New Member
Thread author
Mar 28, 2025
8
Thanks so much.

> I forgot to ask you ..: WebAdvisor by McAfee did you install this app ..?

No, I don't think so.

Malwarebytes has absolutely 0 detections on everything.
 

Attachments

  • SecurityCheck.txt
    12 KB · Views: 2
  • cureit part2.log
    9.1 MB · Views: 3
  • cureit part1.log
    7.8 MB · Views: 2

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
Malwarebytes has absolutely 0 detections on everything.

... and Dr.Web CureIt! finds nothing .. everything is clean ..!

Total 32885738759 bytes in 91396 files scanned (100988 objects)
Total 90813 files (100027 objects) are clean
There are no infected objects detected

  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
WebAdvisor by McAfee

  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Online Services items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.

  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box
Code:
Searchall: WebAdvisor;WebAdvisor by McAfee

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large, zip it and upload it here.

In your next reply, please include:
  • Search report
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
+

I recommend updating the software in the box below:

AMD Software v.23.7.2 Warning! Download Update
TeamViewer v.15.62.4 Warning! Download Update
Foxit PDF Reader v.2023.2.0.21408 Warning! Download Update
7-Zip 23.01 (x64) v.23.01 Warning! Download Update
Uninstall old version and install new one.
paint.net v.5.0.7 Warning! Download Update
Zoom Workplace (64-bit) v.6.3.52884 Warning! Download Update
Discord v.1.0.9005 Warning! Download Update
Microsoft Teams classic v.1.7.00.3653 Warning! Download Update
Proton VPN v.3.5.0 Warning! Download Update
VLC media player v.3.0.18 Warning! Download Update
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.

In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    10.3 KB · Views: 6

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
Good morning ..! :) Excellent work..! :)

Windows Resource Protection found corrupt files and successfully repaired them.

Although the main idea of the topic is to check your malware system, I treat the system as a whole. The message above means that you have had some system files that needed repair and have been successfully repaired. No need to worry. They are usually not related to malware.

Farbar Recovery Scan Tool Fix
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST will do it for you
Code:
Start::
Zip: C:\Windows\Logs\CBS
End::

  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • The tool will create a zipped folder in the same location from where FRST was run with today's date. Upload the file to GoFile or the file hosting site of your choice and post the download link in your reply.

Everything looks good ..! Let me know how the computer is running..? :)


In your next reply, please include:
  • Fixlog and download link, if necessary
 
Last edited:

Nick3426

New Member
Thread author
Mar 28, 2025
8
Performance is good, but this is usual.

Link: Gofile - Cloud Storage Made Simple

> Everything looks good

Perfect. But do you have an idea about the original issue? Did someone actually access my Bitwarden account, and how? And since it seems that this is the case, I guess that the damage is done and he has all my passwords...
 

Attachments

  • Fixlog.txt
    550 bytes · Views: 4

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
If everything is fine ..for final:

KpRm by Kernel-panik
  • Download KpRm and save it to your Desktop (see here if you must use Chrome)
  • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
  • Right click on the icon and select Run as administrator
  • Click Yes on the Disclaimer
  • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
  • Click Run
  • Click OK on All operations are completed
  • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
  • You are free to remove any other tools/reports still remaining
  • Please copy and paste its contents in your next reply.
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
692
About bitwarden .... Why don't you ask Contact Support to check to what extent the information from your account has leaked ..!

 

Wrecker4923

Level 2
Apr 11, 2024
61
Hello Nick3426,

I would like to comment on the Bitwarden (BW) penetration aspects. It's clear they gained access to your account, which usually requires the master password and 2FA. The machine you worked on with the mod seems to NOT have persistent malware or an info-stealer from the outset, but that doesn't mean there wasn't an info-stealer on it at some point. There are info-stealers that can infect a system, steal the necessary information, and then eventually disappear, possibly without a trace. Additionally, there are other devices on which you have used Bitwarden, both present and past; these should all be considered suspects.

They definitely need the password; there's no way around it. They can obtain it through 1) keylogging, 2) where you save it on the machine, such as in the browser's password manager or elsewhere on your device, or 3) phishing.

They must also have the 2FA, which in this case can be either access to your email or a 2FA token saved on your machine. If they lifted a Google session cookie from your device, they would presumably have access to all your emails without generating a login record (from another location) because they are simply reusing your access token without logging in. If you have checked "Remember me" in the past, the BW client may have saved a 2FA token on the machine, which can be stolen and used for login, again without generating a "New Device Logged In" email from Bitwarden, as the attacker's client would appear to be a familiar device due to all the tokens.

I would encourage you to do the following if you haven't done so already:
  1. Change your Google password and deauthorize all devices. Go through the Google account security checkup at Account settings: Your browser is not supported., checking connected apps, forwarding rules, security events related to 2FA setups, passkeys, and resetting the 2FA recovery codes. You want to be absolutely sure that they no longer have access. Remember that if they had your session cookie, they might have been able to access your emails without generating a login event from another location. If they had the password, they might have been able to change many security settings (but presumably generating logs).
  2. Change your Bitwarden master password and deauthorize all devices. Bitwarden now has a new screen in the web app that allows you to view all clients that have ever connected: Bitwarden Web vault. However, this may not mean much if they were able to use the access tokens they might have stolen. You may also want to use the 2FA recovery code to log in to reset it (and not forgetting to grab a new one). Consider using a different 2FA method (for example, a TOTP authenticator app) just in case the attacker somehow retains access to your email.
  3. You need to treat this as a total breach because the attacker likely obtained the entire set of passwords from BW, and possibly more sensitive information from the system. You should reset all passwords and deauthorize all existing devices when such an option is available. For important accounts, also pay attention to 2FA and recovery codes, as you did with your Google and BW accounts. If you keep TOTP seeds in Bitwarden, those will need to be reset as well. Even if they don't use the information now, these compromised accounts may come back to haunt you later.
If you need more suggestions and tips, I encourage you to look at the BW community forum at Bitwarden Community Forums. There are people there who are familiar with BW and can provide helpful guidance. There is also a subreddit, but the comments there can often be fast and furious.

Good luck.
 
Last edited:
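The post above makes a point that matters when you review account security events after an incident like this one: a replayed session cookie or a saved "Remember me" 2FA token does not produce a new login record, so a review that only reads the login list can miss the access entirely. The following script is an added illustration, not code from the thread, from Bitwarden or from Google, and it uses a constructed audit trail in an invented format (neither service exports events this way). It cross-references full login events against data-access events and flags any access whose device/IP pair never completed a login, which is the pattern token replay leaves behind when a service logs both kinds of event.

```python
"""Added example: find account activity that has no matching login event.

Assumed, simplified audit-log shape (not Bitwarden's or Google's real format):
each event has a timestamp, a kind ("login" = full authentication with
password + 2FA, "access" = vault sync / mailbox read), a client device
identifier, the source IP and a country for that IP.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "login" or "access"
    device: str    # client identifier as reported by the service
    ip: str
    country: str


# Constructed sample trail. The 03:14 access reuses the known device
# identifier from a foreign IP with no login before it: token replay.
# The 03:20 login is the kind of event a "new device" email covers.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 20, 9, 0), "login", "laptop-A", "203.0.113.10", "FR"),
    Event(datetime(2025, 3, 20, 9, 1), "access", "laptop-A", "203.0.113.10", "FR"),
    Event(datetime(2025, 3, 27, 3, 14), "access", "laptop-A", "198.51.100.7", "RU"),
    Event(datetime(2025, 3, 27, 3, 20), "login", "unknown-client", "198.51.100.7", "RU"),
    Event(datetime(2025, 3, 27, 3, 21), "access", "unknown-client", "198.51.100.7", "RU"),
]


def find_suspicious_access(events):
    """Return access events with no earlier login for the same (device, IP).

    A genuine new client authenticates before it reads data, so an access
    that skips that step is consistent with a stolen cookie or 2FA token
    being replayed from somewhere else.
    """
    seen_logins = set()
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            seen_logins.add((ev.device, ev.ip))
        elif ev.kind == "access" and (ev.device, ev.ip) not in seen_logins:
            flagged.append(ev)
    return flagged


def new_login_locations(events):
    """Return login events from a country not seen in any earlier login.

    These are the events that do leave a record (and trigger notification
    emails); the function exists to contrast them with the replay case.
    """
    known = set()
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login" and ev.country not in known:
            out.append(ev)
            known.add(ev.country)
    return out


def summarize(events):
    """Compact review summary: counts plus the IPs worth checking first."""
    replay = find_suspicious_access(events)
    new_logins = new_login_locations(events)
    return {
        "replay_suspects": len(replay),
        "new_login_countries": [e.country for e in new_logins],
        "ips_to_review": sorted({e.ip for e in replay + new_logins}),
    }


if __name__ == "__main__":
    for ev in find_suspicious_access(SAMPLE_EVENTS):
        print(f"no login before access: {ev.ts} {ev.device} {ev.ip} ({ev.country})")
    print(summarize(SAMPLE_EVENTS))
```

The useful part for the situation in this thread is the first flag: if a service shows activity from the familiar device identifier at an IP that never logged in, the saved token was used rather than the password, which changes what to rotate first (sessions and 2FA tokens, then the password).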
