Hotmail account hijacked..NOW I need advice


Thanks!

  • Run OTL.exe
  • Under Custom Scans/Fixes post the following script:

:OTL
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - File not found
O3 - HKLM\..\Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\UNNeroShowTime.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\rundll32.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\osk.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\msdtc.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\ctfmon.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\cisvc.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\cidaemon.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Program Files\Internet Explorer\iexplore.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Program Files\Eset\nod32krn.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Ron\MSSSerif120.fon:SummaryInformation
@Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9D1B94FD
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CD060F93
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6152D44C
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D74B6CF5
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6343C281
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51

:files
C:\Documents and Settings\Ron\Application Data\FrostWire
C:\WINDOWS\System32\-1

:Commands
[purity]
[emptytemp]

  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete, press OK to open log".
  • Please post that log in your next reply.

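The OTL script above deletes a set of alternate data streams (ADS) by name. On XP there was no built-in way to list them (the `dir /R` switch arrived with Vista), which is why a tool like OTL is used. The script below is an added example, not part of the thread or of OTL: it enumerates streams on files under the given paths with PowerShell's `-Stream` parameter (Windows PowerShell 3.0 or later; streams on directories, like the ones on the TEMP folder in the log, are only listed on PowerShell 7.2+). One caveat a practitioner would want: `Zone.Identifier` and `SummaryInformation` streams are written by Windows itself (the download zone marker and Explorer's "Summary" property tab) and are not on their own evidence of compromise, so the script reports them separately and deletes nothing; the default paths and the benign-name list are assumptions to adjust.

```powershell
# Added example, not part of the thread: enumerate NTFS alternate data streams (ADS)
# and report which ones deserve a look. Windows PowerShell 3.0+ (the -Stream parameter);
# directory streams such as the one on the TEMP folder in the OTL log are only listed
# on PowerShell 7.2+. Default paths are assumptions; pass your own.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:ProgramData"),
    [switch]$Recurse
)

# Stream names Windows itself writes routinely (download zone marker, Explorer
# "Summary" property metadata). On their own they are not evidence of compromise.
$KnownBenign = @('Zone.Identifier', 'SummaryInformation', 'DocumentSummaryInformation')

function Get-AdsReport {
    param([string[]]$Paths, [switch]$Recurse)
    foreach ($root in $Paths) {
        # Include the root itself: folders can carry streams too.
        $items = @(Get-Item -LiteralPath $root -Force -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -LiteralPath $root -Force -Recurse:$Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            # -Stream * lists every stream; the main data stream appears as ':$DATA'.
            $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
            foreach ($s in $streams) {
                if ($s.Stream -eq ':$DATA') { continue }
                [pscustomobject]@{
                    Path       = $item.FullName
                    Stream     = $s.Stream
                    Length     = $s.Length
                    # Unknown stream names, especially on executables, are the interesting case.
                    Suspicious = ($KnownBenign -notcontains $s.Stream)
                }
            }
        }
    }
}

function Show-AdsContent {
    # Dump the first bytes of a stream as printable ASCII so a short payload
    # (the ~100-byte streams on TEMP in the log are that size) can be eyeballed.
    param([string]$Path, [string]$Stream, [int]$Bytes = 256)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $raw = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Bytes
    } else {
        $raw = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Bytes
    }
    [System.Text.Encoding]::ASCII.GetString([byte[]]$raw) -replace '[^\x20-\x7E]', '.'
}

$report = Get-AdsReport -Paths $Paths -Recurse:$Recurse
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Review first, then remove a single stream without touching the file's main data:
#   Show-AdsContent -Path 'C:\Windows\System32\rundll32.exe' -Stream 'SummaryInformation'
#   Remove-Item -LiteralPath 'C:\Windows\System32\rundll32.exe' -Stream 'SummaryInformation'
```

Save it as a .ps1 and run it from an elevated prompt; `Remove-Item -Stream` deletes only the named stream and leaves the file's own contents intact, which is the same effect the OTL `@Alternate Data Stream` lines have.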

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.

ADS C:\WINDOWS\UNNeroShowTime.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\rundll32.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\osk.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\msdtc.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\ctfmon.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\cisvc.exe:SummaryInformation deleted successfully.

ADS C:\WINDOWS\System32\cidaemon.exe:SummaryInformation deleted successfully.

ADS C:\Program Files\Internet Explorer\iexplore.exe:SummaryInformation deleted successfully.

ADS C:\Program Files\Eset\nod32krn.exe:SummaryInformation deleted successfully.

ADS C:\Documents and Settings\Ron\MSSSerif120.fon:SummaryInformation deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:9D1B94FD deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:CD060F93 deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:6152D44C deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:D74B6CF5 deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:6343C281 deleted successfully.

ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51 deleted successfully.

========== FILES ==========

C:\Documents and Settings\Ron\Application Data\FrostWire\xml\schemas folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\xml\misc folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\xml\data folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\xml folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\themes\windows_theme folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\themes\frostwire_theme folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\themes folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire\META-INF folder moved successfully.

C:\Documents and Settings\Ron\Application Data\FrostWire folder moved successfully.

C:\WINDOWS\System32\-1 moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Ron

->Temp folder emptied: 2260593 bytes

->Temporary Internet Files folder emptied: 49414227 bytes

->Java cache emptied: 7787328 bytes

->FireFox cache emptied: 63538774 bytes

->Flash cache emptied: 169661 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 118.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 12032010_161419

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Please uninstall the NOD32 antivirus system and download and install another one, or NOD32 again, but it's shareware, so you should pay for it. Free alternatives are:

http://www.avast.com/free-antivirus-download

http://www.avira.com/en/avira-free-antivirus

http://www.microsoft.com/security_essentials

Update it and perform a full scan.

Let me know about the results.


Hi Maniac, sorry for the delay but I've just endured a 9-hour scan...

So what I've done is as follows: downloaded Microsoft Security Essentials antivirus

Uninstalled NOD32

Installed MSE, updated, started a full scan and started the marathon wait

During the scan (about 2 hours and only 4%) I cancelled

Ran a custom scan (2 hours). MSE antivirus detected a trojan and removed it while I wasn't looking, so here is the log, if you can call it that:

Trojan:Unix/Rootkit.C Severe Removed

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:

containerfile:C:\Documents and Settings\Ron\My Documents\My Pictures\New Folder\1000_Hacker_Tutorials_2008.rar

file:C:\Documents and Settings\Ron\My Documents\My Pictures\New Folder\1000_Hacker_Tutorials_2008.rar->1000_Hacker_Tutorials_2008\1000_Hacker_Tutorials_2008\1000 Hacker Tutorials 2008\Erasing_Your_Presence_From_System_Logs.txt

file:C:\Documents and Settings\Ron\My Documents\My Pictures\New Folder\1000_Hacker_Tutorials_2008\1000_Hacker_Tutorials_2008\1000 Hacker Tutorials 2008\Erasing_Your_Presence_From_System_Logs.txt

This morning I ran the full scan, which took 9 hours and did not detect any threats. There isn't a log to post as MSE antivirus doesn't generate one, unless it's buried somewhere in my system...

I've read Windows Firewall is no good, which concerns me as I'm currently using it. Do you advise I change my firewall? If so, which would you recommend?

Anyway, I suppose you'll just make me do another scan... jokes... Well, I'm trying to be light-hearted before I smash this thing.


Hi Maniac, I've changed my Hotmail password and noticed my cursor was moving slowly/delayed. I ran a Malwarebytes flash scan and it detected Trojan.FakeAV

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5253

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/6/2010 10:09:05 AM

mbam-log-2010-12-06 (10-08-52).txt

Scan type: Flash scan

Objects scanned: 105371

Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\ere94fe5o32 (Trojan.FakeAV) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

What should I do?

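The MBAM hit above is a single random-looking key, `HKEY_CURRENT_USER\Software\ere94fe5o32`, which is the usual footprint of a rogue-antivirus ("FakeAV") installer: a per-user configuration key with a generated name, normally paired with a Run-key autostart pointing at an executable in the user's profile. The script below is an added example, not from the thread or from Malwarebytes: it is a read-only triage that flags key names under `HKCU:\Software` that alternate letters and digits the way that one does, and lists Run/RunOnce autostarts whose command line launches from a user-writable location. The thresholds and the path pattern are assumptions to tune; run it in the affected user's session, since HKCU is per-user.

```powershell
# Added example, not part of the thread: triage the two places a FakeAV-style infection
# like the one MBAM reported usually shows up. Read-only: it reports, it does not delete.
# Windows PowerShell; thresholds and the path pattern below are assumptions.

function Test-RandomName {
    # Heuristic: long enough, mixes letters and digits, and alternates between them
    # several times. "ere94fe5o32" -> ere|94|fe|5|o|32, six runs; "7-Zip" -> two runs.
    param([string]$Name, [int]$MinLength = 8, [int]$MinRuns = 4)
    if ($Name.Length -lt $MinLength) { return $false }
    if ($Name -notmatch '[A-Za-z]' -or $Name -notmatch '\d') { return $false }
    $runs = [regex]::Matches($Name, '[A-Za-z]+|\d+').Count
    return ($runs -ge $MinRuns)
}

function Get-SuspiciousSoftwareKeys {
    param([string]$Hive = 'HKCU:\Software')
    Get-ChildItem -Path $Hive -ErrorAction SilentlyContinue |
        Where-Object { Test-RandomName -Name $_.PSChildName } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.Name
                SubKeys = $_.SubKeyCount
                Values  = $_.ValueCount
            }
        }
}

function Get-RunKeyAutostarts {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Command lines launching from user-writable profile or temp folders deserve a look;
    # the pattern covers XP ("Documents and Settings", "Application Data") and later.
    $userWritable = 'Documents and Settings|Application Data|\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value -match $userWritable)
            }
        }
    }
}

Get-SuspiciousSoftwareKeys | Format-Table -AutoSize
Get-RunKeyAutostarts | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged key on its own is not a verdict; open it with `Get-ItemProperty` and look at what it stores, and treat a random-named key plus a Run entry launching from the profile folder as the pair worth removing together, so the autostart does not recreate the configuration on the next logon.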

Please do an online scan with Kaspersky WebScanner

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked:
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
     • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


1 month later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
