
Yahoo email hijacked, not sure how


16 replies to this topic

#1 mike_westley


Posted 27 June 2012 - 10:10 PM


This Monday AM I noticed my yahoo email account was sending spam mail to my entire contact list.

The emails appeared in my sent items folder, and had a link to businesslenews15.net/jobs/?alert=86255. I did not click on the link. A few of the people that got the email did.

The full header for the email looks fairly legit, except the from IP is in Warsaw, Poland. I am in the US.

I checked the login history from yahoo for my account. I did not see anything that looked like it was not me.

Here is what I did:
+ I changed my yahoo password. (as well as other critical pwds)
+ I checked that my password recovery email addresses were not changed.
+ I sent a mail to my contacts list telling them to delete the email and not click on the link.
+ I deleted all my contacts from yahoo.
+ I scanned my home pc using AVAST, Windows Defender and MalwareBytes (quick, then full scans). Nothing significant was found.

The home pc mentioned above has been running its fan a little more than previously over the last month, but performance-wise it seems fine. Whenever the fan goes on, I check the processes running and they all seem to be something I kicked off.

I can think of one other PC I logged onto yahoo from since I last changed my pwd 6 months ago, and he ran a scan and found no issues (Norton). Of course, he also clicked the link in the email, so draw your own conclusions about that. He also had his yahoo email hijacked in a similar manner ~1 yr ago, but he changed his pwd and it stopped.

Here are my home PC particulars:
+ Core 2 Quad 9300, 8GB RAM
+ Windows Vista SP2 64bit
+ AVAST Free AV 7.0.1426
+ Windows Defender is on
+ Windows Firewall is on

I'd like some help to confirm my home pc does not have a keylogger, or just some recommended next steps, please.

Thanks,
Mike






#2 ElFasso


Posted 28 June 2012 - 01:31 AM

1. Update MBAM and do a full scan.
2. Please visit the Eset online scanner:

Note: You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.
Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Edited by ElFasso, 28 June 2012 - 01:32 AM.


#3 mike_westley


Posted 28 June 2012 - 01:09 PM

At work, will run these when back home. Thanks for the help!

#4 mike_westley


Posted 28 June 2012 - 11:03 PM

MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.28.13

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Westley :: WESTLEY-MEDIA [administrator]

6/28/2012 4:55:43 PM
mbam-log-2012-06-28 (16-55-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 742695
Time elapsed: 2 hour(s), 42 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#5 ElFasso


Posted 29 June 2012 - 05:43 AM

I need the Eset logs too.

Edited by ElFasso, 29 June 2012 - 05:43 AM.


#6 mike_westley


Posted 29 June 2012 - 07:14 AM

I understand you need the Eset logs. I was just posting things as they finished.

ESET results:

C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application
Operating memory a variant of Win32/KillProc.A application

Edited by mike_westley, 29 June 2012 - 07:16 AM.


#7 ElFasso


Posted 29 June 2012 - 07:23 AM

Note: You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Repeat Eset scan, but this time:
Make sure that the option Remove found threats is ticked and the Scan Archives option is ticked.

#8 mike_westley


Posted 29 June 2012 - 08:03 AM

Ok, I started Eset again with all the same options as before except this time Remove found threats was ticked.

Off to work, will check on it when I get home.

Thanks.

#9 mike_westley


Posted 29 June 2012 - 07:56 PM

ESET Results 2:

C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application cleaned by deleting - quarantined
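One way to triage scan output like the Malwarebytes log in post #4 and the two ESET result sets in posts #6 and #9, as an added example that is not part of this thread and is not Malwarebytes' or ESET's own code: a small Python parser that reports whether the MBAM summary shows any detections and which ESET hits still lack a cleaning action. The line layouts it assumes are the ones pasted in the posts above (space separated; ESET's own export may use tabs, which the regex also accepts), and the sample strings are copied from those posts.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the summary lines of the Malwarebytes log the
# original poster pasted, trimmed to the lines this parser looks at.
MBAM_LOG = """\
Malwarebytes Anti-Malware 1.61.0.1400
Scan type: Full scan
Objects scanned: 742695
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
"""

# Constructed sample input: the two ESET result sets from the thread, first
# with "Remove found threats" unticked, then with it ticked.
ESET_FIRST_RUN = r"""C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application
Operating memory a variant of Win32/KillProc.A application
"""
ESET_SECOND_RUN = r"""C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application cleaned by deleting - quarantined
"""

# "<Category> Detected: <n>" summary lines in an MBAM log.
MBAM_SUMMARY = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")

# One pasted ESET result line: scanned object, verdict, optional action taken.
# Assumption: layout as pasted in the thread (object, then the verdict text,
# then whatever action ESET appended after cleaning).
ESET_LINE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<verdict>(?:probably )?a variant of \S+ \S+)(?:\s+(?P<action>.+))?$"
)


class EsetHit(NamedTuple):
    obj: str
    verdict: str
    action: Optional[str]


def parse_mbam_summary(text: str) -> Dict[str, int]:
    """Return {category: detections} for every '... Detected: n' line."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = MBAM_SUMMARY.match(line.strip())
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return counts


def mbam_is_clean(text: str) -> bool:
    """True only if a summary was found and every category reports 0."""
    counts = parse_mbam_summary(text)
    return bool(counts) and not any(counts.values())


def parse_eset(text: str) -> List[EsetHit]:
    """Parse pasted ESET result lines into (object, verdict, action) records."""
    hits: List[EsetHit] = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            hits.append(EsetHit(m.group("obj"), m.group("verdict"), m.group("action")))
    return hits


def unresolved(hits: List[EsetHit]) -> List[str]:
    """Objects that were detected but not cleaned or quarantined.

    A run with "Remove found threats" unticked reports hits with no action,
    so everything it found shows up here and a second, removing run is needed.
    """
    def resolved(action: Optional[str]) -> bool:
        return action is not None and ("cleaned" in action or "quarantined" in action)

    return [h.obj for h in hits if not resolved(h.action)]


if __name__ == "__main__":
    print("MBAM clean:", mbam_is_clean(MBAM_LOG))
    for label, text in (("first", ESET_FIRST_RUN), ("second", ESET_SECOND_RUN)):
        hits = parse_eset(text)
        print(f"ESET {label} run: {len(hits)} hit(s), unresolved: {unresolved(hits)}")
```

Run against the thread's own output, the MBAM log parses as clean, the first ESET run yields two hits with no action (the file on disk and its copy in memory), and the second run yields one hit marked quarantined with nothing left unresolved, which matches the helper's reason for asking for the re-run.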

#10 ElFasso


Posted 30 June 2012 - 02:39 AM

Do you still have any issues with infection or signs of infection?

#11 mike_westley


Posted 30 June 2012 - 08:22 AM

I never really saw clear signs of infection, so I'm not sure.

My yahoo email has not been hijacked (as far as I can tell) since that one time this past Monday.

My computer fan still seems to spin up more frequently than before, but I wonder if this is computer age or the newest version of Adobe Flash using more CPU (it tends to happen a lot when watching Flash videos; one time I noticed Adobe Flash was using a lot of the CPU while it was happening).

Thanks,
Mike

#12 ElFasso


Posted 30 June 2012 - 08:29 AM


Edited by ElFasso, 30 June 2012 - 08:29 AM.


#13 mike_westley


Posted 30 June 2012 - 08:44 AM

8 GB RAM
I have a scheduled Defrag -- one ran this past Weds.
My password strength is usually strong when tested -- the account that was hacked (old password) got an 84% score on one of the links above.
Thanks for the links, they are interesting.

Mike

#14 ElFasso


Posted 30 June 2012 - 08:51 AM

We can have a look at why the fans are spinning so much.

Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792

Edited by ElFasso, 30 June 2012 - 08:51 AM.


#15 mike_westley


Posted 30 June 2012 - 09:06 AM

Here is my snapshot:
http://speccy.piriform.com/results/QV6xlPOjo1TlfqBi7H8XUXJ



