Probable trojan causing spam to be sent from my Hotmail account


#1 foxone

Members, 1 posts

Posted 23 October 2011 - 03:16 AM

Hi,

A LONG-WINDED HISTORY AND WHAT I HAVE DONE SO FAR:
My problems probably commenced approximately two weeks ago, when I decided to watch a TV show I'd missed online. One dodgy website informed me that I didn't have the DivX codec, so I pressed 'Install Codec' using the automatic Chrome popup instead of going to the DivX site directly. This enabled me to watch the show, but also kindly installed what was supposedly a Symantec virus scanner on my machine. I believe at this stage I ran Microsoft Security Essentials, which found nothing. Without restarting, I removed the codec. The 'virus scanner' remained, and did not have an option to uninstall within Add/Remove Programs, nor did it come with an uninstall.exe. I used Microsoft's 'Autoruns' tool to determine that it had placed an entry to run its exe at startup, so deleted the registry entries and all the associated files. I scanned with MSSE again to no avail. Sadly I do not have a record of the exact file names.

Several days later, a friend came over with a USB drive. I have a laptop and desktop computer, and the USB drive was plugged into both machines. Both times, the Win 7 prompt for what to do appeared, and I never pressed any autoruns. The friend later went home and reported that Avira found "Winmazebat" on her drive (an autorun.inf type worm). Concerned that I had given this to her, I ran MSSE and a whole host of other antiviruses / malware removal tools including Kaspersky 2011 trial, Bitdefender trial, Malwarebytes trial, TDSSKiller and GMER on both my computers. NOTHING was found using any of these tools. I also did a manual search for all files associated with the worm to no avail, and made sure they weren't just hiding by trying to find any autorun.inf's in common locations using the Console and the attrib command. I also used the updated autorun policy settings and changed the applicable registry keys (using MS FixIt tool) to prevent autorun occurring in the future. I was therefore fairly confident it wasn't from my computer...

On the 1st of October, my Hotmail account sent a variety of spam messages to my contacts within the space of 30 seconds. I never use my Hotmail account for anything other than signing up for forums / anyone or anything that might send me spam; emails from Hotmail are forwarded to another address. The first indication of something awry was when I was forwarded the emails that had bounced because some of my contacts no longer existed. Upon logging in to Hotmail itself, the emails had actually come from someone (or at least an automated process...) that had actually logged into my account. I changed my password, ran Kaspersky etc again and assumed it must have been from the DivX / Symantec virus (if it actually was a virus... MSSE didn't pick it up) a few days earlier.

All was well until last night the same thing happened again... I have again run Kaspersky and Malwarebytes (trials), and might have become frustrated so *might* have run ComboFix (I'd provide the log straight up but you'd probably bite my head off; to the untrained eye it doesn't look like there's anything major going on).

I assume my password was either cracked again using a brute force attack, or that a trojan on my machine has sent back my new password from Windows Live Messenger, in which my password is saved so I can just press sign in and it loads up.

This all seems too coincidental to be a brute force attack or just a random case of suddenly being Hotmail-hacked, and I can only conclude there is some form of software running on my machine. Never had ANY problems with viruses etc prior to all of these events which have suddenly clustered together.

PROBLEM SUMMARY FOR THOSE WHO GOT BORED:
- Need to detect and remove a 'Hotmail trojan' on one or both of my computers that is sending my password back to home
- It behaves just like the Hotmail trojan/virus/hack that is reported by many other people on the internet
- A friend found Winmazebat on her USB drive after connecting it to my computers, so perhaps I have this as well, or it is part of the problem
- My known potential exposures are only the DivX codec and downloading less than 5 .avi TV shows from torrents
- So far, no anti-malware or anti-virus utilities I have used have found anything
- If it isn't something on my computer, how else could my Hotmail have been hacked twice, and how can I prevent this. Clearly changing the password is not sufficient.

SPECIFICATIONS:
Windows 7 x64. Google Chrome. Both computers now have had a trial version of Kaspersky 2011 and Malwarebytes running on them.

All help would be greatly appreciated. I have exams coming up and can't afford to waste any more time trying to find and fix it myself.

Thanks for your time,
Foxone.

Edited by foxone, 23 October 2011 - 03:20 AM.
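The two manual checks the poster describes (hunting for hidden autorun.inf files with attrib, and confirming the AutoRun policy registry keys that the Microsoft Fix it changes) can be scripted so they are repeatable on both machines. The script below is an added example written for this page, not something the poster or BleepingComputer staff supplied. It assumes the Microsoft-documented policy values NoDriveTypeAutoRun and HonorAutoRunSetting under Policies\Explorer and the IniFileMapping\Autorun.inf redirection, and it uses Get-WmiObject so that it also runs on the PowerShell 2.0 that shipped with Windows 7. Run it from an elevated PowerShell prompt; it only reports and does not delete anything.

```powershell
# Added example (not from the original post): audit the AutoRun policy and look
# for autorun.inf on every attached volume, hidden/system attributes included.
# Assumed registry locations are the ones Microsoft documents for AutoRun policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-RegValue($key, $name) {
    # Returns $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

function Test-AutoRunPolicy {
    $ndt   = Get-RegValue $policyKey 'NoDriveTypeAutoRun'
    $honor = Get-RegValue $policyKey 'HonorAutoRunSetting'

    # 0xFF disables AutoRun for every drive type; the default 0x91 leaves
    # fixed and removable drives enabled.
    $ndtOk = ($ndt -ne $null) -and (($ndt -band 0xFF) -eq 0xFF)

    # HonorAutoRunSetting = 1 is what the KB967715 update / Fix it adds on
    # XP and Vista so NoDriveTypeAutoRun is actually honoured; Windows 7
    # already behaves that way, so a missing value is normal there.

    # The IniFileMapping redirection makes Windows look for autorun.inf
    # contents in a registry key that does not exist, so the file is never
    # parsed even if the policy value is wrong.
    $iniMap = $null
    if (Test-Path $iniMapKey) {
        $iniMap = (Get-ItemProperty -Path $iniMapKey).'(default)'
    }
    $iniOk = ($iniMap -eq '@SYS:DoesNotExist')

    $ndtText = '<missing>'
    if ($ndt -ne $null) { $ndtText = '0x{0:X2}' -f [int]$ndt }

    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = $ndtText
        HonorAutoRunSetting = $honor
        IniFileMapping      = $iniMap
        AutoRunDisabled     = ($ndtOk -or $iniOk)
    }
}

function Find-AutorunInf {
    # DriveType 2 = removable, 3 = fixed. Win32_LogicalDisk works on
    # PowerShell 2.0, unlike Get-Volume.
    $drives = Get-WmiObject Win32_LogicalDisk |
        Where-Object { (2, 3) -contains $_.DriveType }

    foreach ($d in $drives) {
        $path = "$($d.DeviceID)\autorun.inf"
        # -Force is what makes hidden+system files visible, the same thing
        # the poster worked around with attrib.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $text = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue
            # Directives that launch a program: open=, shellexecute=, and
            # shell\<verb>\command=. A legitimate vendor autorun.inf may also
            # have these, so read the target before deciding it is malicious.
            $launchers = @($text | Where-Object {
                $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' })
            New-Object PSObject -Property @{
                Drive      = $d.DeviceID
                Attributes = $item.Attributes
                Launches   = ($launchers -join '; ')
            }
        }
    }
}

Test-AutoRunPolicy | Format-List
Find-AutorunInf    | Format-Table -AutoSize
```

If Find-AutorunInf prints nothing on both machines while the friend's drive was infected, the drive was most likely infected elsewhere; if it prints an entry with a Launches line pointing at an .exe in a hidden folder such as RECYCLER, that executable is what to submit for analysis, and attrib -s -h -r on the file followed by a rename is the usual first containment step before a full scan.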

