Fake yahoo.com zip file attachment messed up Explorer!


12 replies to this topic

#1 Kid_Icarus1217
  • Members
  • 12 posts

Posted 17 June 2005 - 11:01 PM

I received an email that purported to come from account_support@yahoo.com that said my account had been suspended and to see the attached zip file for details. Since I had reached my limit in daily emails a couple of times telling my lengthy list of friends and email buddies about finishing my new book, I thought (well, thought is a kind word for what I did) that it might be legitimate and opened the file. Uh oh!

Now, I cannot log in to yahoo mail, or my mail boxes at my internet hosting company's site for my website, nor my paypal account nor my aweber autoresponder account and other sites using internet explorer because it says that I have to enable cookies, but I am unable to do that due to the apparent virus. I am also unable to re-install explorer or to repair or re-install Windows XP Pro, despite following every suggestion I could find at Microsoft. I keep getting "newer version detected" messages (and I tried the suggested regedit solution at MS).

At first, I was able to get explorer back on line with a system restore, but then the problem re-appeared and after a couple of more system restores that stopped fixing it even temporarily.

I installed Netscape's latest (8.0), but that still does not fix all the access problems (can't get into my website email still) and it does not let me send messages in anything but text.

Can anyone help? This is a total disaster for me!

Thanks,

Kid Icarus

//Mod edit: Commercial Site URL removed pursuant to BC forum Discussion Rules.//

Edited by KoanYorel, 18 June 2005 - 12:48 AM.


#2 jgweed
  • Staff Emeritus
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 18 June 2005 - 01:14 AM

Have you run your resident anti-virus (probably best to do this in safe mode)? The attachment was obviously a fake, and the file most likely contained a virus or trojan.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 18 June 2005 - 01:19 AM

Thanks for the suggestion - I'll try it. I ran the anti-virus (Norton 2004) three times. It found and deleted a couple of files the first time, but the problem continued. The second two times found no problems. Haven't run it in safe mode though. I'm thinking that the virus has already made some changes that remain after it is gone.

#4 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 18 June 2005 - 06:17 PM

Tried the anti-virus in safe mode - no help! And now, I cannot re-install Explorer after I tried to uninstall it - I keep getting a message that a newer version is already installed and that I cannot proceed. Same thing for Windows XP Pro.

I think the virus may be gone, but it has left changes behind that keep me from logging in except in Netscape 8.0 (Mozilla Firefox), but I am still unable to log into my mailboxes at my webhosting site. And I cannot send html in emails either.

This thing is nasty! I have found that it also prevents me from sending email from my yahoo.com email accounts to my webhosting account. It shows as sent, but they do not get the email. I was able to send them an email from hotmail.

Help folks - this is ruining me!

#5 Leurgy
    Voted most likely
  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada

Posted 18 June 2005 - 07:36 PM

That virus is one of the Mytob variants. I've been seeing those for a few days, with the zipped "message" and it's always from my mail provider, yeah right. Take a look at this page, go through the Mytob variants and see if you can find the run key that is setting it off.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool
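Leurgy's suggestion above is to work through the vendor's Mytob variant write-ups and find the Run key entry that relaunches the worm at logon. As an added example, not code from this thread or from any vendor's removal tool, here is a small Python triage script that reads the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent) on an XP machine and flags the entries worth comparing against those write-ups: executables outside Program Files and the Windows directory, executables started from a Temp folder, and bare file names with no directory at all. The sample `reg query` output embedded in the script is constructed for illustration; the two "Example ..." entries and their file names are placeholders, not indicators from any real variant, and the drive letter C: is assumed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of what `reg query HKLM\...\CurrentVersion\Run` prints.
# The two "Example ..." entries are placeholders invented for this demo;
# they are not indicators from any real Mytob variant.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Example Loader    REG_SZ    example_loader.exe
    Example Updater    REG_EXPAND_SZ    %USERPROFILE%\Local Settings\Temp\example_updater.exe /s
"""

# One value per line: leading whitespace, value name, type, data.
LINE_RE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")

# Directories an XP box normally starts software from (assumed drive C:).
# Anything launched from elsewhere deserves a second look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
            "%programfiles%": "c:\\program files"}


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value name, value data) pairs from `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def image_path(value: str) -> str:
    """Strip quotes and command-line arguments, leaving the executable path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def classify(path: str) -> Optional[str]:
    """Reason to look closer at this entry, or None if the path looks ordinary."""
    low = path.lower()
    for var, real in ENV_VARS.items():
        low = low.replace(var, real)
    if "\\" not in low:
        return "bare"        # no directory: Windows searches the PATH for it
    if "\\temp\\" in low:
        return "temp"        # started from a temp folder
    if not low.startswith(TRUSTED_DIRS):
        return "untrusted"   # outside Program Files / Windows
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Flagged (value name, executable, reason) triples, in registry order."""
    flagged = []
    for name, value in parse_reg_query(text):
        path = image_path(value)
        reason = classify(path)
        if reason:
            flagged.append((name, path, reason))
    return flagged


if __name__ == "__main__":
    # With the constructed sample, the two placeholder entries are flagged
    # and the two vendor/Windows entries pass.
    for name, path, reason in triage(SAMPLE_REG_OUTPUT):
        print(f"[{reason:9}] {name!r} -> {path}")
```

On the affected machine you would redirect `reg query` for both the HKLM and HKCU Run keys into a text file, copy it to a clean machine, and pass its contents to `triage()`. A flagged entry is a candidate to look up in the variant descriptions, not a verdict: plenty of legitimate software starts from odd places, and the Run keys are only one of several autostart locations a worm can use.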


#6 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 19 June 2005 - 10:46 PM

Sorry, but that did not work either! I looked at the info for all the mytob and other viruses from June 2 forward. None of the added files or registry values cited in the mytob virus descriptions could be found on my computer. Great info though.

Now, thanks to trying to delete explorer so I could reinstall it, I am unable to re-install. I am also unable to log in to any of my website mail boxes, nor log in just about anywhere if I switch the view from Firefox to Explorer in my Netscape 8.0 browser.

This thing is killin' me!

#7 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2005 - 03:22 PM

Some more info, in the hopes it will help:

When I try to send an email from my yahoo email to account-support it appears to send, but does not ever reach the intended recipient (sounds like Mytob - but again, none of the added files, commands or registry values listed in the Mytob virus descriptions are showing on my computer).

When I try to log-in to my website mailboxes, I either get a log-in time out message or else a message that the information I supplied is incorrect (and account support has checked and re-checked and THEY are able to log-in with the same info).

Also, when I hit my login icon to get back into the computer, it has a message underneath it that says I have 56 unread messages - which I do not (or not that I can see).

Maybe that will help. I think that somewhere there are some files and/or commands that I just need to find and delete. The virus appears to be gone since the first time I ran Norton, but it left instructions and damage in its wake that I cannot find or correct.

#8 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2005 - 05:17 PM

Sorry for all the posts, but it just keeps getting better (worse actually).

First of all, I figured "what an idiot" and went to my Norton anti-virus logs and sure enough, there was a record of the virus MytobEB@mm being removed on June 17th. In the virus descriptions, it first showed up the day I began having troubles too. Even though I could find none of the added files or commands, I was cheered to see that Norton/Symantec had a specific Mytob virus removal tool.

So, I followed the instructions, turned off system restore, downloaded and ran the tool. It came back with the message Mytob virus not found, but did evidently change or delete some files, because I got messages to that effect that some files were not found when I re-booted. Sounded good, BUT when I tried to log-in to emails, still the same problems.

arrrrrrrrgggghhhh!

Would it help if I posted a list of what processes are running from taskmaster?

And by the way, all the Symantec/Norton removal instructions talk about a file named "currently running" along with the file "run". I have the "run" file, but not the other.

#9 Joshuacat
    01001010 01000011
  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 June 2005 - 07:35 PM

So you ran this tool: here.

If not...Download it, run it, and let us know if it finds anything.

After that, you could also run a couple of the online scans to ensure that it is gone.
Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean.
Let us know if that helps.
JC

#10 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2005 - 08:22 PM

Yes, I did run that tool. When I try to run the other tools you suggest, I get the old must have explorer message when I try to use Firefox, and must have cookies enabled when I try to switch to Explorer view messages.

I am about at the point of just re-formatting and re-installing XP Pro - but I am afraid that if I do that, I will have a problem like I did on another computer - I could not get the computer to recognize the CD rom to reinstall . . . .

And I really hate the idea of doing that - I will lose so much software. But each day that goes by where I cannot read or respond to emails is ruining me, so . . . . . . .

:thumbsup:

#11 Joshuacat
    01001010 01000011
  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 June 2005 - 09:58 PM

Sorry about the scans, I should have tried them with Firefox before I had you try them.
You mentioned trying some settings suggestions from Microsoft, was it this one?

http://support.microsoft.com/kb/318378/EN-US/

If not, try them ...or even if you did... try them again.
Do you have a good back-up of your data? This would be a good time to get one.

> I am about at the point of just re-formatting and re-installing XP Pro - but I am afraid that if I do that, I will have a problem like I did on another computer - I could not get the computer to recognize the CD rom to reinstall . . . .

I believe you are talking about the boot order in your BIOS. It tells your computer the order of your boot devices. What you need to do is get into the BIOS and change the order around so that the CD is the first device your computer looks at when it boots up.
Is that what you meant? You couldn't boot up to your XP set-up CD?
JC

#12 Leurgy
    Voted most likely
  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada

Posted 21 June 2005 - 06:05 AM

Excuse me if I butt in. :thumbsup:

Have a look in your Norton Quarantine to see what files are there. Quite often, an anti-virus program will quarantine files that can't be repaired, thus making them unavailable to the operating system. If you can identify these files, you can then extract them from your XP CD and replace them with good copies. If you do this, you will need to go to Windows Update afterwards to make sure that these older files don't open up a previously patched vulnerability.

Another option at this point is to do a Repair Install of XP. This will reinstall XP without affecting your other data. Again, if you do this, you will need to reinstall all the Windows Updates as your OS will only be current as of the date your CD was written. See How to Repair Install on that page.



#13 Kid_Icarus1217
  • Topic Starter
  • Members
  • 12 posts

Posted 21 June 2005 - 05:30 PM

Thanks to everyone for the suggestions. I think I will try the slipstream method of re-installing SP2, although I do not know if that will uncover the hidden files and commands that I have been unable to locate. It just keeps getting worse too!

Now, I find that when I am viewing some of my main websites, such as yahoo.com, hotmail, my webhost Frontpageworldhosting.com, Paypal.com, etc., I cannot navigate to one of the other sites! I have to go to a site such as this one and then go to one of those accounts. At Paypal, I now find that the navigation tabs at the top of the page are missing so that I cannot go to the merchant's area to modify my payment button, which I need to do because, taaadaaaa, my website has suddenly been suspended. Supposedly it was suspended for spam. Perhaps because my inability to access my mailboxes for over a week led to a huge backlog of marketing emails, or maybe there were complaints. Maybe the bug hijacked my info and used my mailboxes to send out real spam. What I sent was from leads at a paid service that is supposed to be completely opt-in and 2004 compliant (they get email addresses from people who are allowed to post for free to FFA links in exchange for agreeing to receive emails from other FFA posters). I have a feeling that perhaps a number of them did not read the fine print and did not realize that they would get so many emails - on the other hand, only a very small number replied with "REMOVE" instructions. So now I have websites, ads and a sizable number of emails promoting a very legitimate e-book I wrote and they all point to a website that pulls up as SUSPENDED! Isn't life great? OK, sorry, I suppose I was venting a bit there . . .
but I just think about all of the bogus emails wanting to steal my information and then I spend almost five years researching, finish an ebook and try to promote a proven cancer remedy (a commercial version has passed clinical trials) that has saved thousands of lives (I know several personally), something that really works and saves lives and go through hell to do so (including being pursued by hired thugs posing as US Marshals and a three time felon and white supremacist connected to the OK City bombing, east coast syndicates and the roosky mob - seriously!) - and I get a crippling virus and lose my website! ARRRGGGHHH! And no, this is not promotion in any way, just a bit of background and a chance to rant a bit! Again, sorry!

Maybe I should just get an abacus and send smoke signals - my computer does not seem to be working so well . . .

Thanks again - you guys and/or gals have been great so far, just no cigar yet!



