u/Illustrious_Tap_3217

I posted around 2 weeks ago about catching the ren.py virus. https://www.reddit.com/r/computerviruses/s/sOmU3374fR

I’m sorry in advance for the long post but I want to cover as much detail as I can with the hope that someone smart can tell me what’s happening to me. I was doing fine since my last post but I’m panicking a little now.

I nuked my computer pretty soon after it happened (reinstalled windows from a usb) and changed all of my important passwords from my phone. (I have an iPhone 12 which might matter? idk?)

I noticed earlier tonight that some old Twitter accounts I had forgotten about were sending login verification codes to my email. I was confused because I thought the session stealer malware would get the tokens for anything currently logged in? I went ahead and changed the passwords from my phone.

Then I got a verification code via SMS for a PayPal account and that freaked me out because I remembered having changed that password (from my phone) pretty quickly after I discovered the hacking. However, I wasn’t able to figure out if they were actually logging into my active PayPal account, or an unused one that had the same phone # stored for 2FA.

I thought oh shit maybe I was an idiot and let them stay logged into Google somehow, maybe they’ve got my stored passwords from Google? I went through on my phone and changed my Google password again, checked for active sessions and signed out everything but my phone, deleted every stored password from Google. There were no devices or sessions that looked unfamiliar to me but I wanted to cover my bases.

I was flipping between apps to deal with them having successfully logged in and changed personal information on an unused Apple account when I got the “is this you?” pop-up in the Gmail app. This was only around 30 minutes after I had changed the password and signed out of extra sessions — from my iPhone!! What does that even mean! How would they be able to get that?

The warning and device shown was the same as in the second attached pic (which is an email Google sent me afterward). The first picture shows info from my security events tab.

The password I changed it to before (the 10:08 alert) was one I *THOUGHT* was new and unique, but apparently my previous self had come up with it once before; I found around 2 instances of that password saved in my Google password storage before I wiped it. Go figure. So then when I stopped the suspicious sign-in and Google made me set a new password I made sure it was a unique password and only written down IRL on paper.

I checked my account information for possible back doors. I deleted the two Windows Hello passkeys I found just in case; there was no info on location or IP addresses or anything there, but one of them said it was created during a time when I was literally away from any PC and in a car??

I’m a bit dumb about these things sometimes but I’m pretty sure my iPhone itself shouldn’t be compromised or anything so it should still be safe to change my passwords on that device right? I’m really scratching my head about that blocked sign-in attempt though. If this is normal/expected after a session stealer then please explain it to me in crayons or something.

OH another note: I haven’t used that Google account on my PC yet post-reset. I am logged into an alternate Google account now, though not the one they were signing into today.

I didn’t run FRST or involve the trusted helpers in my previous post in the sub. I definitely am willing to try it if anyone can help.

TL;DR: Session stealer goobers somehow saw or guessed a password I set on my iPhone 30 minutes prior, AHH!

u/Illustrious_Tap_3217 — 20 days ago