I've got an email hijacking virus

G

gib65

Baseband Member
Messages
82
I think a virus has hijacked my computer and is using it to send spam through my hotmail account to all my contacts. I'm running virus scans as we speak.

Is there anyone who can help me further?
 
Run HiJackThis and MalwareBytes in Safe Mode. Change your Hotmail password from a clean computer.
 
Thanks,

Would that include downloading and installing them in safe mode?
 
You can download them either way.. Generally its just better to do it in safe mode. Also please post the logs after you have ran the scans so we can give you furthur advice.
 
Okay, here's what I did:

I booted in safe mode.

I downloaded rkill, HijackThis, and MBAM.

I installed rkill, HijackThis, and MBAM (in that order).

I ran rkill, HijackThis, and MBAM (in that order).

Here are the reports:

rkill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/20/2010 at 15:56:15.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 12/20/2010 at 15:56:17.
Click to expand...

HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:58:05 PM, on 12/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
E:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259791717640
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - Page Not Found | Facebook
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: SolidPDFCreatorReadSpool (SPDFCreatorReadSpool) - Solid Documents, LLC - C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5665 bytes
Click to expand...

MBAM:
Malwarebytes' Anti-Malware 1.50
Malwarebytes

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/20/2010 4:52:24 PM
mbam-log-2010-12-20 (16-52-24).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 433470
Time elapsed: 49 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
e:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
f:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
g:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
Click to expand...

Based on this, can you tell if the virus that's been hijacking my email has been squashed? I noticed the MBAM report doesn't tell what kind of threats have been detected. IIRC, the threats it detected were called "rogue" something. Are there any other logs that would help shed some more light on this?
 
I dont see anything on any of the logs that would be a concern to me I would just change your passwords and see if anything else happens related to your email.
 
Another thing to note, sometimes these viruses will "phone home" with your email address and your list of contacts, and even after you've cleared everything up will still spoof messages from your email address to your contacts. If this is the case there's not a lot you can do - but these things usually fade out eventually anyway (perhaps once the virus has picked up more targets.) It's worth knowing though, just because your contacts get messages supposedly from "you" doesn't mean you're still infected.
 
This is called phishing .Every body should know about phishing. Immediately I will write about phishing .you can also see my home page to know about this
 
You must log in or register to reply here.

Similar threads

M
Email Mailbox Sharing Alternative
Replies
1
Views
1K
mahmudulhasanrifat
M
B
i keep getting an alert from AVG every minute or so. super annoying!
2
Replies
18
Views
2K
alyssa.robert235
A
D
In Search of an Android Phone Email Client
Replies
3
Views
2K
doncallis
doncallis
B
got a new computer which needs an external wireless adapter - but internet is slow on it. how do i fix this?
2
Replies
12
Views
2K
pete.i
P
M
Laptop Mobile Hotspot not working w/o Browser/Internet
Replies
1
Views
528
tehnokraat
T
Back
Top Bottom