
Hijacked Hotmail account?


13 replies to this topic

#1 andy_r

Posted 25 April 2009 - 11:00 AM

I have Windows XP and Windows Explorer 7. My Hotmail account seems to have been hijacked. About a week ago I started to receive Delivery Status Notifications (Delay) from many unknown accounts and I discovered that my account had been sending out automated vacation replies with a message publicising an unknown website www.welt188.com. I junked these and used Superantispyware to find what was running on my computer. One programme was found that was not listed in my control panel or my screen list. This was from B's Recorder Gold Service Library and is a program called BGSVCGEN.EXE. The messages are now going to all my contacts with a different advert. I have done a BITDefender scan today, which found and deleted 2 adware files: Gen Adware Heur 80C43B3B3B. Can anyone help?

#2 Guest_superbird_*

Posted 26 April 2009 - 04:51 AM

Hi,

First, change your hotmail password on ANOTHER, clean, computer.

Then, do this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 andy_r

Posted 27 April 2009 - 04:27 PM

Thanks superbird.

I followed your instructions and here is the Mbam log:

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

27/04/2009 22:11:41
mbam-log-2009-04-27 (22-11-41).txt

Scan type: Quick Scan
Objects scanned: 120894
Time elapsed: 23 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Screensavers.com\Wallpaper\Shannon.jpg (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper\Vida in Red.jpg (Adware.Comet) -> Quarantined and deleted successfully.

andy_r
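The MBAM log above has a fixed text layout: summary counts first, then one block per category with entries of the form "item (family) -> action". As an added example, not part of the thread, here is a small Python parser for that layout that also cross-checks the header counts against the entries actually listed, which catches a truncated or edited paste; the sample log is a constructed excerpt modelled on the one posted.

```python
# Added example (not from the thread): parse an MBAM 1.x text log like the one
# posted above into records and cross-check its summary counts. Assumed format:
# "<Section> Infected: N" summary lines, then one "<Section> Infected:" block
# per category whose entries read "<item> (<family>) -> <action>."
import re

# Constructed excerpt modelled on the log in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Scan type: Quick Scan
Objects scanned: 120894

Memory Processes Infected: 0
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary, detections): summary maps section name to the header
    count; detections is a list of dicts with section, item, family, action."""
    summary, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)          # entries that follow belong here
        elif section and (m := ENTRY_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def summary_matches_entries(summary, detections):
    """True when every header count equals the entries listed for that section;
    a mismatch means the pasted log is truncated or edited."""
    return all(sum(d["section"] == s for d in detections) == n
               for s, n in summary.items())
```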

#4 Guest_superbird_*

Posted 28 April 2009 - 07:31 AM

Hi Andy,

Do a new full scan with MBAM, and post that logfile in your next reply. :thumbsup:
Tell me also which problems you still have.

#5 andy_r

Posted 28 April 2009 - 04:02 PM

Hi superbird,
Thank you for all your help so far. Maybe this is the end of it. Here is the info you asked for.
Here is the log of the Full scan from mbam:

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

28/04/2009 21:40:59
mbam-log-2009-04-28 (21-40-59).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 282760
Time elapsed: 1 hour(s), 48 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

. . . . . .

There have been no more problems on my hotmail account. I did a scan with my Superantispyware and it shows that the BGSVCGEN.EXE program is still in my computer but still not showing in my programs lists. Here is the info:
BGSVCGEN.EXE C:\WINDOWS\SYSTEM32\BGSVCGEN.EXE
File Size (bytes): 122512
MD5 Checksum/Fingerprint: BAC8633905235FA57FAB768C636D3963
Company Name: B.H.A CORPORATION
File Description: B'S RECORDER GOLD SERVICE LIBRARY
File Version: 2, 0, 1, 11
Product Name: B'S RECORDER GOLD9
Product Version: 9, 0, 0, 0
Internal Name: BGSVCGEN
Original File Name: BGSVCGEN.EXE
Legal Copyright: COPYRIGHT© 2006 B.H.A CORPORATION ALL RIGHTS RESERVED.
Legal Trademarks:

I am not sure about this program. Is it the cause of these problems?

andy_r

#6 Guest_superbird_*

Posted 29 April 2009 - 06:10 AM

Hi,

Let's do this:

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

#7 andy_r

Posted 30 April 2009 - 05:09 PM

Hi superbird,

Here is the Kaspersky scan:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 30, 2009 14:21:50
Records in database: 2111323
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 186205
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:11:30

No malware has been detected. The scan area is clean.

The selected area was scanned.

. . . . . . .

Is that it or should I still be concerned about the BGSVCGEN.EXE program?

andy_r

#8 Guest_superbird_*

Posted 01 May 2009 - 05:18 AM

Hi,

Where is that file (BGSVCGEN.EXE) exactly?
Give me the full pathname, please. :thumbsup:

#9 andy_r

Posted 03 May 2009 - 01:21 PM

Hi superbird,

Sorry for the delay.
The pathway is C:\WINDOWS\SYSTEM32\BGSVCGEN.EXE

andy_r

#10 Guest_superbird_*

Posted 03 May 2009 - 01:35 PM

Hi,

Go to www.virustotal.com
Now, upload this file: C:\WINDOWS\SYSTEM32\BGSVCGEN.EXE
Click Upload
Wait until the scan process has ended. Then, copy the results in your next reply.

#11 andy_r

Posted 04 May 2009 - 02:52 PM

Hi superbird,

Here are the virustotal results:

File BGSVCGEN.EXE received on 05.04.2009 21:38:17 (CET)

Result: 1/40 (2.5%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.04 -
AhnLab-V3 5.0.0.2 2009.05.04 -
AntiVir 7.9.0.160 2009.05.04 -
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.04 -
Avast 4.8.1335.0 2009.05.04 -
AVG 8.5.0.327 2009.05.04 -
BitDefender 7.2 2009.05.04 -
CAT-QuickHeal 10.00 2009.05.04 -
ClamAV 0.94.1 2009.05.04 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.04 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6488 2009.05.04 -
F-Prot 4.4.4.56 2009.05.04 -
F-Secure 8.0.14470.0 2009.05.04 -
Fortinet 3.117.0.0 2009.05.04 -
GData 19 2009.05.04 -
Ikarus T3.1.1.49.0 2009.05.04 -
K7AntiVirus 7.10.723 2009.05.04 -
Kaspersky 7.0.0.125 2009.05.04 -
McAfee 5605 2009.05.04 -
McAfee+Artemis 5605 2009.05.04 -
McAfee-GW-Edition 6.7.6 2009.05.04 -
Microsoft 1.4602 2009.05.04 -
NOD32 4052 2009.05.04 -
Norman 6.01.05 2009.05.04 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.04 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.04 -
Rising 21.28.04.00 2009.05.04 -
Sophos 4.41.0 2009.05.04 -
Sunbelt 3.2.1858.2 2009.05.04 -
Symantec 1.4.4.12 2009.05.04 -
TheHacker 6.3.4.1.318 2009.05.04 -
TrendMicro 8.950.0.1092 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2009.5.4.1719 2009.05.04 -
VirusBuster 4.6.5.0 2009.05.04 -
Additional information
File size: 122512 bytes
MD5...: bac8633905235fa57fab768c636d3963
SHA1..: 77c1fbd1540b272636609cd8ba90c672c0b4bae1
SHA256: 3667a2a16ca3ba6dfda431215f00547501f89f0e099f8e39415869bfdd37f06c
SHA512: c806b9dc3cb8104a089fdd69f304ec4dbc28a9583f08f0c80818c9c58460790d946121462acde4b5ce84aeacf4b8d7c6220681c5c7b2d4a1700fa547883b4c0e
ssdeep: 1536:8jCLBdQBrUGfP2uRST+acf/efp1Mib+JHwI2Qw8QYj7ctFdbn:MClMrUruRY7IQbUXsYj7ctFdr

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa7f6
timedatestamp.....: 0x4593b40f (Thu Dec 28 12:09:51 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x13fc7 0x14000 6.59 aaf48f5ed38588d1319bd4b27315589a
.rdata 0x15000 0x470c 0x5000 4.76 97f0264eb3bfea82b68659e87497e69b
.data 0x1a000 0x3704 0x2000 1.84 6bfc22f636ae10ef3767fd1fb9863e45
.rsrc 0x1e000 0xb9c 0x1000 4.57 ba3fc23bb4acf672dd26e08eb27a18d6

( 6 imports )
> KERNEL32.dll: GetCurrentThreadId, FreeLibrary, MultiByteToWideChar, LoadLibraryExW, GetModuleHandleW, Sleep, MapViewOfFile, OpenFileMappingW, InterlockedIncrement, InterlockedDecrement, UnregisterWaitEx, SetEvent, SetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForMultipleObjects, PostQueuedCompletionStatus, GetModuleFileNameW, GetCommandLineW, GlobalFree, GlobalAlloc, WideCharToMultiByte, DeviceIoControl, CreateFileW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, FlushFileBuffers, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetSystemDefaultLangID, lstrcmpiW, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, DeleteCriticalSection, InitializeCriticalSection, CreateEventW, WriteFile, WaitForSingleObject, ResetEvent, RaiseException, ReadFile, CreateNamedPipeW, CreateIoCompletionPort, ConnectNamedPipe, GetLastError, EnterCriticalSection, LeaveCriticalSection, lstrlenW, UnmapViewOfFile, GetQueuedCompletionStatus, CloseHandle, CreateFileA, GetConsoleMode, GetConsoleCP, SetFilePointer, GetOEMCP, GetCPInfo, LoadLibraryA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, ExitThread, CreateThread, GetStartupInfoW, VirtualFree, VirtualAlloc, HeapCreate, GetProcAddress, GetModuleHandleA, ExitProcess, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime
> USER32.dll: PostThreadMessageW, CharUpperW, CharNextW, GetMessageW, DispatchMessageW, TranslateMessage, MessageBoxW, LoadStringW, wsprintfW, UnregisterClassA
> ADVAPI32.dll: RegisterServiceCtrlHandlerW, RegEnumKeyExW, CreateServiceW, ChangeServiceConfig2W, RegQueryInfoKeyW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, RegisterEventSourceW, ReportEventW, DeregisterEventSource, ControlService, DeleteService, OpenSCManagerW, OpenServiceW, CloseServiceHandle, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetServiceStatus, StartServiceCtrlDispatcherW
> ole32.dll: CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance
> OLEAUT32.dll: -
> SETUPAPI.dll: SetupDiDeleteDeviceInfo, SetupDiSetClassInstallParamsW, SetupDiEnumDeviceInfo, SetupDiGetDeviceRegistryPropertyW, SetupDiGetClassDevsW, SetupDiClassGuidsFromNameW, SetupDiDestroyDeviceInfoList, SetupDiChangeState

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=bac8633905235fa57fab768c636d3963


Hope this helps.

andy_r
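A 1/40 result whose only hit is a "paranoid heuristics" verdict, on a file whose MD5 matches what SUPERAntiSpyware reported earlier in the thread, is the pattern superbird reads as benign. As an added example, not from the thread, the Python below parses such a pasted VirusTotal report, confirms by MD5 that the file analysed is the one on disk, and separates heuristic-only hits from signature hits; the sample is a constructed excerpt of the report above with the engine list shortened.

```python
# Added example (not from the thread): triage a pasted VirusTotal report like
# the one above. Assumed layout: a "Result: hits/total" line, engine rows
# "Name Version YYYY.MM.DD Result" ("-" = no detection) and "MD5...: <hex>".
import re

# Constructed excerpt of the report in the thread (engine list shortened).
SAMPLE_REPORT = """\
File BGSVCGEN.EXE received on 05.04.2009 21:38:17 (CET)
Result: 1/40 (2.5%)
Antivirus Version Last Update Result
Kaspersky 7.0.0.125 2009.05.04 -
Microsoft 1.4602 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
Additional information
File size: 122512 bytes
MD5...: bac8633905235fa57fab768c636d3963
"""
SUPERANTISPYWARE_MD5 = "BAC8633905235FA57FAB768C636D3963"  # as listed in the thread

RATIO_RE = re.compile(r"^Result: (\d+)/(\d+)")
ROW_RE = re.compile(r"^(\S+) \S+ \d{4}\.\d{2}\.\d{2} (.*)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*: *([0-9a-fA-F]+)$")
HEURISTIC_WORDS = ("heuristic", "suspected", "suspicious", "generic")


def parse_vt_report(text):
    """Return {'ratio': (hits, total), 'engines': [(name, result)], 'hashes': {algo: hex}}."""
    report = {"ratio": None, "engines": [], "hashes": {}}
    for line in text.splitlines():
        if m := RATIO_RE.match(line):
            report["ratio"] = (int(m.group(1)), int(m.group(2)))
        elif m := HASH_RE.match(line):
            report["hashes"][m.group(1)] = m.group(2).lower()
        elif m := ROW_RE.match(line):
            report["engines"].append((m.group(1), m.group(2).strip()))
    return report


def classify(engines):
    """Split verdicts into signature hits and heuristic-only hits."""
    hits = [(n, r) for n, r in engines if r != "-"]
    heuristic = [h for h in hits if any(w in h[1].lower() for w in HEURISTIC_WORDS)]
    signature = [h for h in hits if h not in heuristic]
    return signature, heuristic


def triage(report, local_md5):
    """'mismatch' if VT analysed a different file than the one on disk,
    'detected' for any signature hit, 'heuristic-only' or 'clean' otherwise."""
    if report["hashes"].get("MD5") != local_md5.strip().lower():
        return "mismatch"
    signature, heuristic = classify(report["engines"])
    if signature:
        return "detected"
    return "heuristic-only" if heuristic else "clean"
```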

#12 Guest_superbird_*

Posted 05 May 2009 - 03:28 AM

Hi,

I don't think you have to be concerned about that file. :thumbsup:

#13 andy_r

Posted 05 May 2009 - 03:54 PM

:thumbsup: Thanks superbird for all your patient help.

andy_r :flowers:

#14 Guest_superbird_*

Posted 06 May 2009 - 03:49 AM

Hi,

You're most welcome.

Everything looks clean again. :thumbsup:
Do this:

1. Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
   1. Turn off System Restore. On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.
   2. Restart your computer.
   3. Turn ON System Restore. On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check Turn off System Restore.
      Click Apply, and then click OK.
   System Restore will now be active again.

2. Go to the Windows update site and download and install all available updates, so your computer is protected against malware.

3. Read this page to protect yourself against re-infection.

4. You can delete all used tools and programs.



