hotmail hijacked

Post by Dignan on Sat 16 Oct 2010, 10:52 pm

Hi,

There is malware, or a virus, or something that is sending out malicious emails from my wife's Hotmail account. This seems to be infecting many of our friends' accounts, as we often get similar emails from them.

Any help would be greatly appreciated.

Thanks!


Re: hotmail hijacked

Post by DragonMaster Jay on Sun 17 Oct 2010, 7:30 am

Hi

ComboFix

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: hotmail hijacked

Post by Dignan on Tue 19 Oct 2010, 7:57 am

Hi,

Here is the ComboFix log:

ComboFix 10-10-17.04 - Kathleen 10/18/2010 17:12:32.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1573 [GMT -4:00]
Running from: c:\documents and settings\Kathleen\desktop\combo-fix.exe
Command switches used :: /killall
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pswi_preloaded.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-14 15:47 . 2010-10-14 15:47 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2010-10-14 15:47 . 2010-10-14 15:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2010-10-14 15:47 . 2010-10-14 15:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2010-10-14 15:47 . 2010-10-14 15:47 -------- d-----w- c:\documents and settings\Tim\Application Data\Intel
2010-10-14 15:47 . 2010-10-14 15:47 -------- d-----w- c:\program files\Common Files\Intel
2010-10-14 15:44 . 2010-10-14 15:44 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2010-10-14 15:43 . 2010-10-14 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-10-14 15:43 . 2010-10-14 15:43 -------- d-----w- c:\documents and settings\Kathleen\Application Data\Intel
2010-10-14 15:27 . 2010-02-25 00:39 675840 ----a-w- c:\windows\system32\NETwLc32.dll
2010-10-14 15:27 . 2010-02-25 00:37 2756608 ----a-w- c:\windows\system32\NETwLr32.dll
2010-10-14 15:27 . 2010-08-16 14:26 6607744 ----a-w- c:\windows\system32\drivers\NETwLx32.sys
2010-10-14 15:18 . 2009-10-26 13:47 4221952 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2010-10-14 15:18 . 2008-06-20 17:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2010-10-14 15:18 . 2008-06-20 17:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2010-10-13 20:33 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 20:33 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 20:33 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 20:33 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 16:43 . 2010-10-12 16:43 -------- d-----w- c:\documents and settings\Kathleen\Application Data\Canon
2010-10-12 16:23 . 2009-10-19 20:29 307200 ----a-w- c:\windows\system32\CNC870L.dll
2010-10-12 16:23 . 2009-10-05 22:09 1310720 ----a-w- c:\windows\system32\CNC870C.dll
2010-10-12 16:23 . 2009-10-05 22:08 110592 ----a-w- c:\windows\system32\CNC870I.dll
2010-10-12 16:23 . 2009-10-05 22:05 102400 ----a-w- c:\windows\system32\CNC870U.dll
2010-10-12 16:23 . 2008-08-25 22:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-10-12 14:19 . 2010-10-13 02:59 -------- d-----w- c:\program files\Cisco Systems
2010-10-12 14:07 . 2010-10-12 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2010-10-11 21:28 . 2010-10-11 21:28 -------- d-----w- c:\documents and settings\Kathleen\Application Data\Canon Easy-WebPrint EX
2010-10-11 21:21 . 2009-10-26 09:00 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPPA7.DLL
2010-10-11 21:21 . 2009-10-26 09:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPDA7.DLL
2010-10-11 21:21 . 2009-10-26 09:00 276992 ----a-w- c:\windows\system32\CNMLMA7.DLL
2010-10-11 21:21 . 2010-10-11 21:21 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2010-10-11 21:21 . 2009-09-10 09:00 179200 ----a-w- c:\windows\system32\CNMIUA7.DLL
2010-10-11 21:20 . 2010-10-11 21:20 -------- d--h--w- c:\program files\CanonBJ
2010-10-11 21:20 . 2010-10-11 21:20 -------- d-----w- c:\windows\system32\STRING
2010-10-11 21:20 . 2009-10-09 15:01 137216 ----a-w- c:\windows\system32\CNMNPUI.DLL
2010-10-11 21:20 . 2009-10-09 15:01 354816 ----a-w- c:\windows\system32\CNMNPPM.DLL
2010-10-11 21:20 . 2010-10-11 21:20 -------- d-----w- c:\windows\system32\CHM
2010-10-08 11:11 . 2010-10-08 11:11 -------- d-----w- c:\windows\A13A764803C54B6AB7C118CB04588E52.TMP
2010-10-05 17:56 . 2010-10-05 17:56 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\AVG Security Toolbar
2010-10-05 17:51 . 2010-10-05 17:51 -------- d-----w- c:\documents and settings\Tim\Application Data\AVG10
2010-10-05 10:09 . 2010-10-05 10:09 -------- d-----w- c:\documents and settings\Kathleen\Local Settings\Application Data\AVG Security Toolbar
2010-10-05 01:33 . 2010-10-05 01:33 -------- d-----w- C:\$AVG
2010-10-05 01:10 . 2010-10-05 01:10 -------- d-----w- c:\documents and settings\Kathleen\Application Data\AVG10
2010-10-05 01:09 . 2010-10-05 01:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-05 01:08 . 2010-10-05 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-05 00:55 . 2010-10-05 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-09-29 01:56 . 2010-09-29 01:56 -------- d-----w- c:\documents and settings\Kathleen\Local Settings\Application Data\Help
2010-09-26 20:38 . 2010-09-26 20:38 -------- d-----w- c:\program files\Fisher-Price

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 23:09 . 2009-06-24 21:32 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-31 23:09 . 2009-06-24 21:32 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-31 23:09 . 2009-06-24 21:32 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-24 21:32 . 2009-06-24 21:32 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"MemoryCardManager"="c:\program files\Dell AIO Printer 948\memcard.exe" [2007-07-03 410248]
"Dell AIO Printer 948 Fax Server"="c:\program files\Dell AIO Printer 948\fm3032.exe" [2007-07-03 307848]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-10 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dldfmon.exe"="c:\program files\Dell AIO Printer 948\dldfmon.exe" [2007-07-03 455304]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-09-28 185688]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-07-19 1400832]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-07-19 1206544]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-28 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dldfcoms.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldftime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfjswx.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfaiox.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfafcn.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\tmproxy.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R2 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [11/8/2007 9:19 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/8/2007 9:19 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/8/2007 9:20 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/8/2007 9:19 PM 566872]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [10/14/2010 11:27 AM 6607744]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/8/2007 9:20 PM 280392]
S2 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [11/28/2007 11:01 AM 98952]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/28/2009 10:41 AM 18560]
.
Contents of the 'Scheduled Tasks' folder

2010-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Kathleen\Application Data\Mozilla\Firefox\Profiles\jqa8kn38.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Kathleen\Application Data\Mozilla\Firefox\Profiles\jqa8kn38.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - f:\malwarebytes' anti-malware\mbam.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1284)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(4500)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dldfcoms.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-10-18 17:26:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-18 21:26
ComboFix2.txt 2009-11-08 15:46

Pre-Run: 198,041,202,688 bytes free
Post-Run: 198,501,785,600 bytes free

- - End Of File - - C1719FA8536714783F0E5ECFDC476471
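As an added example (not code from the thread, from ComboFix or from the forum), a small Python triage helper for the "Reg Loading Points" section of a log in the format posted above: it lists the autorun entries a helper reads first. The embedded sample reuses entries from this log and adds one constructed "Updater" entry (a made-up Temp-folder path) so the check has something to flag.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's or the forum's code). Flags autoruns
from user-writable folders, bare file names resolved through the search path, and
Security Center monitoring switched off. SAMPLE_LOG is an excerpt of the log posted
above plus one constructed "Updater" entry that exercises the Temp-folder check.
"""
import re
from collections import namedtuple

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"Updater"="c:\documents and settings\Kathleen\Local Settings\Temp\constructed_sample.exe" [2010-10-08 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"nwiz"="nwiz.exe" [2007-06-06 1626112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="data" [yyyy-mm-dd size]; the bracketed date/size is optional
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: \[\S+ \d+\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
# Folders a legitimate autorun rarely lives in on XP; matched on the lower-cased path
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\temp\\",
                         "\\windows\\temp\\", "\\recycler\\")

Finding = namedtuple("Finding", "key name value reason")


def parse_loading_points(log_text):
    """Yield (registry key, value name, data) for each entry under a [key] header."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = ENTRY_RE.match(line) or DWORD_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("value")


def triage(log_text):
    """Return the entries a helper would look at first, in log order."""
    findings = []
    for key, name, value in parse_loading_points(log_text):
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            path = value.lower()
            if "\\" not in path:
                reason = "bare file name resolved through the search path; confirm which copy runs"
            elif any(marker in path for marker in USER_WRITABLE_MARKERS):
                reason = "autorun from a user-writable folder"
            else:
                continue
            findings.append(Finding(key, name, value, reason))
        # Third-party suites set this themselves; confirm it matches the installed product.
        elif "\\security center\\monitoring\\" in k and name.lower() == "disablemonitoring":
            if int(value, 16) != 0:
                findings.append(Finding(key, name, value, "Security Center monitoring disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.name} -> {f.value}")
```

Run against a full ComboFix.txt, the firewall allow-list and Startup-folder lines are skipped because they do not match either entry pattern; only Run keys and Security Center monitoring values are reported.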


Re: hotmail hijacked

Post by DragonMaster Jay on Tue 19 Oct 2010, 9:32 am

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.



Re: hotmail hijacked

Post by Dignan on Tue 19 Oct 2010, 12:18 pm

Hi,

Thanks again for your help. Here is the log from the Malwarebytes scan.

Malwarebytes' Anti-Malware 1.46

Database version: 4876

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/18/2010 9:13:24 PM
mbam-log-2010-10-18 (21-13-24).txt

Scan type: Quick scan
Objects scanned: 151375
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: hotmail hijacked

Post by DragonMaster Jay on Tue 19 Oct 2010, 4:16 pm

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Re: hotmail hijacked

Post by Dignan on Wed 20 Oct 2010, 7:25 am

ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dc32a0f384231148a616efef3fa54cd3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-19 05:32:03
# local_time=2010-10-19 01:32:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777175 100 0 29116993 29116993 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=109949
# found=0
# cleaned=0
# scan_time=5029


Re: hotmail hijacked

Post by DragonMaster Jay on Wed 20 Oct 2010, 7:14 pm

Now would be a good time to change the password on the Hotmail account.



