
Email Attack


3 replies to this topic

#1 JDoit
  • Members
  • 2 posts

Posted 18 July 2011 - 10:05 AM

Last Thursday morning I received an email from my brother that contained an email from my address of some verbiage and a link. It said: "I always borrowed money knowing I couldn't pay it back. I was at the end of the road. This couldn't have worked out better..." Then there was a link (I can supply the link if asked). This email was sent to 30 or so of the addresses in my address book, which contains 158 addresses. These 30 are ones that I have used in the last year or so and are mostly friends and family. I do not have an email client on my computer; I always go to Comcast. There is no address book or contact list on my computer. I can't understand how the malware got into my Comcast account. I do not use "Remember Me"; I keep all my passwords and UIDs in Norton Identity Safe and use it to fill in the login blanks. All my passwords are different and rated medium strong to strong. I strongly suspect a keylogger among other things.

I have changed my email address and password on comcast.

The email was sent at 12:10 AM Thursday morning. I used my computer around 9:30 PM Wednesday and, like a dummy, I forgot to turn my radio switch off and the laptop was in sleep mode.

I ran Malwarebytes (MB) and deep scans from Norton Security Suite (provided by Comcast); both were up to date. Norton didn't find anything; MB found one infected file, Retrogamer/Decent, that I downloaded in April 2011 (a Norton Security popup said that this file was safe before I downloaded it). I removed the program with Revo Uninstaller (RU). I ran MB again and it showed that Retro/Decent was still there; this time I used the MB remover and believe that it was successful.

Next I ran the RU tool Autorun Manager; it showed that the conime.exe file (%windir%\system32\conime.exe) was invalid, so I stopped it from running automatically.

Symptoms shortly before and after the attack: My computer startup and shutdown became slow and seemed to get slower over time. After the attack, the slow response on startup and on opening programs, or even opening new pages in IE 9, lengthened to as much as 20 seconds to a minute. AFTER I disabled conime.exe, my computer response times at all affected levels of operation returned to normal speed after a reboot. There was no apparent change in the computer after removing Retrogamer/Decent.

Throughout, I have not received any error or warning messages at all.
I have a Sony Vaio 2010 running Windows 7 Premium and IE 9. Secunia shows 100% patched on all Apps.

#2 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,699 posts
  • Location: Daly City, CA

Posted 18 July 2011 - 12:16 PM

Welcome aboard

What are the current issues?

#3 JDoit
  • Topic Starter
  • Members
  • 2 posts

Posted 18 July 2011 - 03:25 PM

Hi Broni: Currently there are no obvious issues, but I think something must have been left behind because:

1. I had to disable the con file, which, from my reading, is a known patsy for viruses.
2. Anything sophisticated enough to cause a mass emailing without an email client to work with probably left me with a problem, at least a keylogger.

I mean, he's winning, why quit?
I would like to learn how to check and see.

Jdoit

#4 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,699 posts
  • Location: Daly City, CA

Posted 18 July 2011 - 03:30 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Check the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

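As an added example that is not part of the thread and not any of the tools Broni names, the script below gathers, read-only, the same items Broni asks MiniToolBox for (IE proxy settings, hosts file, IP configuration, last 10 event log entries, users, partitions and memory) and adds the check JDoit was doing by hand with Revo's Autorun Manager: it lists the Run-key autoruns and the Authenticode status of each target. It assumes an elevated Windows PowerShell session (Windows 7 or later; Get-WmiObject and Get-EventLog are Windows PowerShell cmdlets) and writes to a placeholder report path on the Desktop.

```powershell
# Added example (not from the thread): read-only triage collection in PowerShell.
# Assumptions: elevated Windows PowerShell; $Report is a placeholder path you can change.
# Nothing below modifies the system; it only reads settings and writes a text report.
$Report = Join-Path $env:USERPROFILE 'Desktop\triage-report.txt'

function Write-Section($Title) {
    "`n===== $Title =====" | Out-File -FilePath $Report -Append -Encoding UTF8
}
function Write-Lines($Object) {
    $Object | Out-String -Width 200 | Out-File -FilePath $Report -Append -Encoding UTF8
}

"Triage report generated $(Get-Date)" | Out-File -FilePath $Report -Encoding UTF8

# 1. IE proxy settings: a proxy or PAC URL you did not configure can silently redirect browsing.
Write-Section 'IE proxy settings'
Write-Lines (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL)

# 2. Hosts file: anything beyond comments and the localhost entries deserves a look.
Write-Section 'Hosts file (non-comment lines)'
Write-Lines (Get-Content "$env:windir\System32\drivers\etc\hosts" | Where-Object { $_ -notmatch '^\s*(#|$)' })

# 3. IP configuration including DNS servers (a changed DNS server is another redirection technique).
Write-Section 'IP configuration'
Write-Lines (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder, DHCPEnabled)

# 4. Last 10 entries of the System and Application event logs.
foreach ($Log in 'System', 'Application') {
    Write-Section "Last 10 $Log events"
    Write-Lines (Get-EventLog -LogName $Log -Newest 10 |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message)
}

# 5. Local users, partitions and physical memory size.
Write-Section 'Local users'
Write-Lines (Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, PasswordRequired)
Write-Section 'Partitions'
Write-Lines (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object DeviceID, @{n='SizeGB';e={[math]::Round($_.Size/1GB,1)}}, @{n='FreeGB';e={[math]::Round($_.FreeSpace/1GB,1)}})
Write-Section 'Physical memory'
Write-Lines ("$([int]((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)) MB")

# 6. Run-key autoruns with the Authenticode status of each target executable.
#    Caveat: many Windows system binaries are catalog-signed and report NotSigned from
#    Get-AuthenticodeSignature on older PowerShell versions, so NotSigned alone is not proof
#    of tampering; compare the file's hash with a known-good copy before drawing conclusions.
Write-Section 'Run-key autoruns'
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$Entries = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty $Key
    # Skip the PS* provider properties that Get-ItemProperty adds to every key object.
    $Names = $Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($Name in $Names) {
        $Cmd = [string]$Props.$Name
        # Best-effort extraction of the executable: a quoted path, else the first token ending in .exe.
        $Exe = if ($Cmd -match '^"([^"]+)"') { $Matches[1] } elseif ($Cmd -match '^(\S+\.exe)') { $Matches[1] } else { $Cmd }
        $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
        $Sig = if (Test-Path $Exe) { (Get-AuthenticodeSignature $Exe).Status } else { 'FILE MISSING' }
        New-Object PSObject -Property @{ Key = $Key; Name = $Name; Command = $Cmd; Signature = $Sig }
    }
}
Write-Lines ($Entries | Select-Object Key, Name, Signature, Command)

"Report written to $Report"
```

Run it from an elevated prompt and read the report from the bottom up: an autorun whose target is missing, unsigned, or sitting in a user-writable folder, a non-localhost hosts entry, or a proxy/DNS setting nobody configured are the findings worth posting alongside the tool logs Broni asked for.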