This happens when enter the Steam login data on third-party sites or shared in other ways, including the Steam guard code.
A lesson so many haven't learned yet, follow this guide to recover the account.

https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560

Originally posted by SmogrCZ:

I wrote to support is there any chance of getting the items or money back?
I don't understand how he got there without their identifier.
Can there be a virus in the PC or in the phone?

No, nothing will be given back.

Viruses don't cause accounts to be stolen, only by share login information.
There are no other ways.

The password and email remained the same, I noticed that on 31.1.2023 a Russian ip logged in there. My steam doesn't log in anywhere, only on my phone and PC. The strange thing is that it didn't ask for mobile identification during those logins. Chinese sold items and bought dota items worth 0.03euro for 0.81 to transfer money to his account.

Tvoje přítelkyně se někdy v minulosti přihlásila na podvodnou stránku, kde ukradli její údaje (například různé stránky se skiny). Řekni jí, že na žádnou stránku mimo Steam by se neměla nikdy přihlásit, ať už o ní mluví dobře kdokoliv a nikdo si na ni nestěžoval, protože oni díky tomu vytvoří API klíč a skrz něj lze obejít jakoukoliv formu obrany (heslo, Steam Guard) a můžou si s účtem dělat, co budou chtít. Často takhle lidé zneužívají ostatních a to někdy i po několika měsících, takže i zdánlivě bezpečná stránka je prostě a jednoduše scam. Předměty jí nikdo nevrátí, stejně jako peníze, které měla v peněžence. Tady má pak věci, které musí udělat a to přesně v tomhle pořadí (je to anglicky, protože jsem to zkopíroval od jiného člověka).

1. Scan for malware https://www.malwarebytes.com/adwcleaner
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from another, clean device
4. Generate new backup codes for your mobile app https://store.steampowered.com/twofactor/manage
5. Revoke the API key if you see any over there https://steamcommunity.com/dev/apikey

Do budoucna je důležité si pamatovat jedno - nikdy se nepřihlašovat kamkoliv mimo Steam samotný, ať už případná nabídka zní sebevíce lákavěji.

PS: Ten odkaz na profil smaž z toho svého příspěvku. Nic takového tady není povoleno.

Your OP suggests your girlfriend still has access to her account.

The info you need:

Originally posted by Crazy Tiger:

Phishing is the most likely cause, OP. When people get phished, they give out the account name, password and then active guard code. A bot quickly enters it and hijackers have access then. Ultimately 2FA is "just another code" that can be given away when getting phished. It's not a magical defense layer.

Secure your account:
- Scan for malware. https://www.malwarebytes.com/
- Deauthorize all devices https://store.steampowered.com/twofactor/manage
- Change your password on a secure device.
- Generate new back up codes. https://store.steampowered.com/twofactor/manage
- Revoke the api key https://steamcommunity.com/dev/apikey

Find out how you leaked your credentials. Phishing and malware are the two ways it happens, phishing is the most likely one. Either way, find out how you leaked your credentials.

Items are gone, they do not get returned nor will you get money back for them. The item restoration policy: https://support.steampowered.com/kb_article.php?ref=9958-MJDG-3003

Not all items require confirmation. https://steamcommunity.com/groups/community_market/announcements/detail/1705067494681435160

Originally posted by SmogrCZ:

even though she has Steam guard,

1. Steam Guard is just an extra key. It is NOT a magically make account immune to compromise. If someone gives away there username, password and a LIVE Guard code to someone else that person gets access. It's no different than giving a stranger your address along with your house keys. That stranger can walk into your home and do what they want.
This usually happens because someone tries to login to their account using a dodgy phishing website.

If she doesn't have access to the account have her follow the guide in post #1 If things have been changed she needs to use the I don't have/know this information to proceed to the next step.

If she has access she needs to do all the steps in post #5

Then tell her to stop using third party sites. If she insists on using third party sites do it the safe way

1. Open Web browser
2. Login on Steams Official page
3. Visit Third party site
4. Look for and use the one click login button
5. If 4 doesn't work and you're asked for you username, password and Guard code your on a phishing site. LEAVE and DO NOT use again

Can also use sites like scamadviser.com to check how trustworthy a site is before using it. Works for any site not just Steam related. Use it whenever entering login credentials or banking data

Her little brother is said to have signed up for farmskin and ♥♥♥♥♥♥♥♥. Could it be one of these sites? There is nothing else there. I also set the parental mode, do you think it will help? When I logged out of all devices, the farmskin website is still logged in. Is this just a bug or a password reset and logging out of websites has no effect?

Originally posted by SmogrCZ:

Her little brother is said to have signed up for [two sites well known for scamming and hijacking accounts]. Could it be one of these sites?

Yes. It may very well be the two known scam sites. Sounds like she willfully compromised her account by giving access to her brother, and he gave access to the scam sites he tried to use.

Nobody except the account owner should have access to the account for exactly this reason.

Originally posted by SmogrCZ:

Her little brother is said to have signed up for farmskin and ♥♥♥♥♥♥♥♥. Could it be one of these sites? There is nothing else there. I also set the parental mode, do you think it will help? When I logged out of all devices, the farmskin website is still logged in. Is this just a bug or a password reset and logging out of websites has no effect?

Yes, especially when one of those sites is filtered out.

Tell her to do all the steps to secure the account. post #4 & #5 Skipping one or more could mean a hijacker still has access to the account.

Parental mode won't do anything if the user tries to login on dodgy third party sites that phish a users login details.

Tell her to prevent her brother from accessing her account. Create his OWN account for him that way if he uses dodgy sites again it's HIS account.

Ano, je to jedna z nich, ale oboje jsou nevěrohodné. Rodičovský zámek nepomůže. Stačí jít podle těch kroků a jednoduše změnit pak heslo, takže její brácha ho nebude vědět. Případně mu může založit účet na Steamu a své hry s ním sdílet, takže její účet bude v bezpečí (jen teda pozor na to, že pokud on dostane ban přes sdílenou knihovnu, tak ho obdrží i ona). To poslední vypadá na bug, zkus vymazat paměť prohlížeče a uvidíš.

Thank you all for your help, I logged her out everywhere and changed the password, malwarebytes found nothing, I generated the codes and there was no api key. Hopefully no one will get there. Her brother was banned from the PC for two months.