Computer Forums > General Computing > Cyber Safety and Computer Security
Old 12-20-2010, 11:14 AM   #1
Baseband Member
 
Join Date: Oct 2007
Posts: 82
I've got an email hijacking virus

I think a virus has hijacked my computer and is using it to send spam through my hotmail account to all my contacts. I'm running virus scans as we speak.

Is there anyone who can help me further?
gib65
Old 12-20-2010, 11:27 AM   #2
..m.0,0.m..
Site Team
 
Join Date: May 2010
Location: USA
Posts: 3,870
Re: I've got an email hijacking virus

Run HiJackThis and MalwareBytes in Safe Mode. Change your Hotmail password from a clean computer.
__________________
Me: You'd think as the dominant species we wouldn't be so effing stupid.
J: We're just intelligent enough to be completely effing stupid.
iPwn
Old 12-20-2010, 03:20 PM   #3
Baseband Member
 
Join Date: Oct 2007
Posts: 82
Re: I've got an email hijacking virus

Thanks,

Would that include downloading and installing them in safe mode?
gib65
Old 12-20-2010, 03:26 PM   #4
In Runtime
 
Join Date: Jul 2010
Location: USA
Posts: 164
Re: I've got an email hijacking virus

You can download them either way. Generally it's just better to do it in safe mode. Also, please post the logs after you have run the scans so we can give you further advice.
codeman0013
Old 12-21-2010, 11:18 AM   #5
Baseband Member
 
Join Date: Oct 2007
Posts: 82
Re: I've got an email hijacking virus

Okay, here's what I did:

I booted in safe mode.

I downloaded rkill, HijackThis, and MBAM.

I installed rkill, HijackThis, and MBAM (in that order).

I ran rkill, HijackThis, and MBAM (in that order).

Here are the reports:

rkill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/20/2010 at 15:56:15.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 12/20/2010 at 15:56:17.
HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:58:05 PM, on 12/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
E:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259791717640
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - Page Not Found | Facebook
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: SolidPDFCreatorReadSpool (SPDFCreatorReadSpool) - Solid Documents, LLC - C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5665 bytes
MBAM:
Malwarebytes' Anti-Malware 1.50
Malwarebytes

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/20/2010 4:52:24 PM
mbam-log-2010-12-20 (16-52-24).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 433470
Time elapsed: 49 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
e:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
f:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
g:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
Based on this, can you tell if the virus that's been hijacking my email has been squashed? I noticed the MBAM report doesn't tell what kind of threats have been detected. IIRC, the threats it detected were called "rogue" something. Are there any other logs that would help shed some more light on this?
gib65
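Post #5 above pastes a HijackThis log and an MBAM log and asks what they show. The script below is an added example for this thread, not code from this forum, from Trend Micro HijackThis or from Malwarebytes. It parses the two text formats (the `O4` autostart and `O23` service lines of HijackThis, and the summary and detection lines of MBAM), flags autostart entries and services that run from outside the usual Windows and Program Files locations or whose service carries no vendor name (HijackThis prints "Unknown owner" in that column), and pulls out the threat family MBAM puts in parentheses (`Rogue.Installer` in the log above). The sample input reuses lines from the posted logs plus one constructed `O4` line (`[Example]`, pointing at a temp folder) so the location check has something to flag. The expected-location prefixes and the flagging rules are this example's own assumptions, and a flag means "look at this", not "this is malware".

```python
"""Triage helper for the HijackThis and Malwarebytes (MBAM) logs pasted above.
Added example; not a tool from the forum, from Trend Micro HijackThis or from
Malwarebytes.  It only parses the formats and lists entries a human should review."""
import re
from collections import defaultdict

# HijackThis finding: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [ccApp] ..."
HJT_ENTRY = re.compile(r'^(?P<code>[RFO]\d+) - (?P<body>.+)$')
# O4 body: HKLM\..\Run: [ValueName] command line
O4_BODY = re.compile(r'^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O23 body: Service: Display name (ShortName) - Vendor - image path
O23_BODY = re.compile(r'^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# Program path at the start of an unquoted command line (up to the extension)
EXE_RE = re.compile(r'^(?P<exe>.+?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|$)', re.I)
# Where system/vendor executables normally live on the XP box in the thread
# (assumption of this example).  Anything elsewhere is flagged for a second look.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%systemroot%\\")

def parse_hjt(text):
    """Group HijackThis finding lines by section code (R0, O2, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return dict(sections)

def executable_path(cmd):
    """Pull the program path out of a command line: quoted path, else up to the extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split(" ")[0]

def review_items(sections):
    """Autostart entries (O4) and services (O23) worth a look: (code, name, path, reason)."""
    flagged = []
    for body in sections.get("O4", []):
        m = O4_BODY.match(body)
        if m:
            path = executable_path(m.group("cmd"))
            if not path.lower().startswith(EXPECTED_PREFIXES):
                flagged.append(("O4", m.group("name"), path, "runs from unexpected location"))
    for body in sections.get("O23", []):
        m = O23_BODY.match(body)
        if not m:
            continue
        path = m.group("path").strip('"')
        if m.group("vendor").lower() == "unknown owner":  # HijackThis wording for "no vendor"
            flagged.append(("O23", m.group("name"), path, "service has no vendor name"))
        elif not path.lower().startswith(EXPECTED_PREFIXES):
            flagged.append(("O23", m.group("name"), path, "runs from unexpected location"))
    return flagged

# MBAM summary line "Files Infected: 3" and detection line
# "e:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully."
MBAM_SUMMARY = re.compile(r'^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$')
MBAM_DETECTION = re.compile(r'^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$')

def parse_mbam(text):
    """Return ({category: count}, [(path, threat family, action), ...])."""
    counts, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = MBAM_SUMMARY.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
            continue
        m = MBAM_DETECTION.match(line)
        if m:
            detections.append((m.group("path"), m.group("threat"), m.group("action")))
    return counts, detections

def mbam_summary_matches(counts, detections):
    """True when the listed detections add up to the totals MBAM reports."""
    return sum(counts.values()) == len(detections)

def threat_families(detections):
    """The threat names MBAM prints in parentheses, deduplicated."""
    return sorted({threat for _, threat, _ in detections})

# Sample input: lines from the thread's logs plus one constructed O4 line ([Example]).
HJT_SAMPLE = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe
"""
MBAM_SAMPLE = r"""
Memory Processes Infected: 0
Files Infected: 3
Files Infected:
e:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
f:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
g:\downloads\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""
```

Run it on the full pasted logs instead of the samples and every flagged line is a candidate for the next question in the thread, such as "what is this service and who installed it"; in the posted log only the SPM license server (`C:\spm\spmdib.exe`) lands outside the expected folders, and the MBAM totals agree with the three `registryfix.exe` detections.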
Old 12-30-2010, 09:08 AM   #6
In Runtime
 
Join Date: Jul 2010
Location: USA
Posts: 164
Re: I've got an email hijacking virus

I don't see anything on any of the logs that would be a concern to me. I would just change your passwords and see if anything else happens related to your email.
__________________
Owner of Codeman's Computer Service
http://www.codemanscomputerservice.com
codeman0013
Old 12-31-2010, 09:17 AM   #7
Site Team
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,425
Re: I've got an email hijacking virus

Another thing to note: sometimes these viruses will "phone home" with your email address and your list of contacts, and even after you've cleared everything up they will still spoof messages from your email address to your contacts. If this is the case there's not a lot you can do, but these things usually fade out eventually anyway (perhaps once the virus has picked up more targets). It's worth knowing, though: just because your contacts get messages supposedly from "you" doesn't mean you're still infected.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120
Old 01-16-2011, 12:23 AM   #8
Beta Member
 
Join Date: Jan 2011
Posts: 2
Re: I've got an email hijacking virus

This is called phishing. Everybody should know about phishing. I will write about phishing immediately; you can also see my home page to learn about this.
realpcsolution
All times are GMT -5.