
Superusers!

Yesterday someone broke into my Gmail Account.

Long story short: Thieves recovered my PayPal account password by accessing my email and afterwards permanently deleted all emails about changed passwords and purchases. They managed to place orders at cdkeys.com for 115 USD.

Short story long: Thankfully I was using my computer at that time and got the notification on my iPhone about a successful payment for the "MAFIA trilogy" game, which I hadn't even ordered. I viewed the email and after that reopened my Gmail to see more emails like that. All emails about purchases were deleted. I quickly changed my password for the PayPal account and tried to get into PayPal. Unfortunately, the thief changed the password again and ordered another game, for a total of 115 USD. I quickly changed my password again and removed my banking accounts. Changed the password again, and also asked PayPal for a refund. Quickly changed my Google account passwords twice and unlinked from every device possible to regain control.

I managed to get from Gmail the IP address of whoever used my Gmail. I reviewed my Google history and found how the thief searched for cdkeys.com, opened PayPal, purchased, etc.

Now I'm asking myself: how? How did thieves manage to get into my Google account with 2-step authentication activated? I want to narrow down the possibilities: where, how, and from what device did the malware or my information, like passwords, come?

How to detect malware or keyloggers? If there are any, how to remove them and clean the device?

I scanned my computer for malware with Malwarebytes, and it found these:

Trojan.WMIHijacker.ClnShrt
PUP.Optional.Delt
PUP.Optional.Babylon
Adware.Elex.ShrtCln
PUP.Optional.Funmoods
PUP.Optional.Linkury
PUP.Optional.Conduit

in:

C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000320.ldb
C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
C:\Users\[MY_USER_ACC]\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
C:\USERS\[MY_USER_ACC]\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data

Extensions in Google Chrome: Adblock Plus, LastPass Manager, Google Docs Offline, DuckDuckGo Privacy Essentials, ProxFlow

After putting these "malwares" in quarantine and restarting my computer, the same "malwares" appear again. Other antivirus programs can't find anything suspicious.

Is there some kind of program where I can monitor the outgoing network traffic of a specific application? Not like Wireshark, where everything is encrypted. If there are keyloggers etc. on my computer, they will logically be attempting to send my entered passwords through the network back to the "hacker". Any tips on where and for what I should look? Tomorrow I will attempt a clean reinstall of Windows 10. Any tips for pre-steps before installing Windows after formatting the SSD? How to prevent these attacks in the future?

Thanks!

o'Bass
  • Only 2 of those detections are serious, but neither is the reason your accounts were compromised. **They are both just adware.** The other detections are PUPs (Potentially Unwanted Programs), which, compared to the other infections, are actually harmless. – Ramhound Oct 09 '20 at 03:06
  • Any good "keylogger" will encrypt the traffic. **Encrypting traffic is cheap.** – Ramhound Oct 09 '20 at 03:11
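Two read-only checks, added here as an example and not part of the original question or its comments, that address the two things the asker wants to know from the defender's side: whether something re-creates the quarantined items after every reboot (the "WMIHijacker" detection name suggests a permanent WMI event subscription, a persistence mechanism that lives in the WMI repository rather than in the flagged Chrome files, so quarantining those files does nothing to it), and which process owns each outgoing connection, which is the per-application view requested and works whether or not the payload is encrypted, since it only reveals who is talking and to where. Assumes Windows 10 with the built-in PowerShell 5.1 and an elevated prompt; the function names are my own.

```powershell
# Added example, not from the original post. Read-only checks for a Windows 10
# machine; run from an elevated PowerShell 5.1 prompt. Function names are mine.

function Get-WmiEventSubscription {
    # A permanent WMI subscription is a filter (a WQL query for an event such as
    # "every N seconds" or "at boot") bound to a consumer (an action such as
    # running a command line or inline script). Malware uses them to re-create
    # its files after they are quarantined. A default Windows install normally
    # carries one benign binding: "SCM Event Log Filter" -> "SCM Event Log Consumer".
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # With Get-WmiObject the Filter/Consumer properties are object paths,
        # e.g. \\HOST\root\subscription:__EventFilter.Name="SCM Event Log Filter"
        $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }

        # CommandLineEventConsumer carries a command; ActiveScriptEventConsumer
        # carries inline VBScript/JScript. Either one is what to read closely.
        $action = ''
        if ($c.CommandLineTemplate) { $action = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $action = $c.ScriptText }

        [pscustomobject]@{
            FilterName   = $fName
            Query        = $f.Query
            ConsumerName = $cName
            ConsumerType = $c.__CLASS
            Action       = $action
        }
    }
}

function Get-ProcessConnection {
    # Map each live outbound TCP connection to its owning process and executable
    # path. Nothing is decrypted; this answers "which program is talking, and to
    # where", which is enough to notice an unexpected process or destination.
    param([string]$ProcessName = '*')   # wildcard, e.g. 'chrome' or 'svchost*'

    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
        ForEach-Object {
            $p = $byPid[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            $path = if ($p) { $p.Path } else { '' }
            [pscustomobject]@{
                Process = $name
                Path    = $path
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State   = $_.State
            }
        } |
        Where-Object { $_.Process -like $ProcessName }
}

function Watch-ProcessConnection {
    # Poll for a while and report only process/endpoint pairs not seen before,
    # so an idle machine yields a short list of new destinations per process.
    param([string]$ProcessName = '*', [int]$Samples = 20, [int]$IntervalSec = 3)
    $seen = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($conn in Get-ProcessConnection -ProcessName $ProcessName) {
            $key = "$($conn.Process)|$($conn.Remote)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                '{0:HH:mm:ss} {1,-20} {2,-45} {3}' -f (Get-Date), $conn.Process, $conn.Remote, $conn.Path
            }
        }
        Start-Sleep -Seconds $IntervalSec
    }
}

# Usage: dump persistence first, then watch Chrome's new outbound endpoints for about a minute.
Get-WmiEventSubscription | Format-List
Watch-ProcessConnection -ProcessName 'chrome' -Samples 20 -IntervalSec 3
```

Any binding beyond the default SCM Event Log pair, especially one whose Action runs a command line or script, is worth recording (filter query, consumer action, and the file it points at) before the reinstall, because that record explains why the quarantined files kept returning. In the connection watch, an unfamiliar process name or a well-known name running from an unexpected Path (for example a user-writable directory) matters more than the destination address itself.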
