Hotmail Virus?
March 12th, 2008, 09:37 PM
#1
Ultimate Member
Join Date: Oct 2001 Location: Carmel, IN
Posts: 1,045
The other day my wife's hotmail account sent 3 emails to her entire contact list in her hotmail account. The text of the email was:
Quote:
Dear friend:
We are wholesale company which can offer you laptops,Digital cameras,videos,GPS , cellphone,mp4,game console and many other electronic products with international guarrantee all over the world.
We can offer you both high quality products and good price. with the new beginning of 2008, we want to have a long term business with you/your company If you want to buy something ,please feel free contact us at:
our website : <http://www..com>
MSN : x@hotmail.com
E-mail : xhotmail.com
Welcome to x.com! MSN: x@hotmail.com
I replaced the address with the x. No need to give them more traffic. Any idea how this could happen? How can a Hotmail account be compromised? I find it very hard to believe that they hacked her password. It was a strong password (> 8 characters) with no words. It was composed of numbers and letters (in upper and lower case). One of her friends replied that she also received another email with the same message from another friend.
At first I thought it was a spoof of her email address, but I actually see the sent message in her sent message folder. It happened 3 times at 11:27am, 11:29am, and 11:32am.
__________________ Athlon64 3000+,MSI K8T,2GB,X850,70GB 10k RPM RAID 0
HTPC-Sempron 3000+,MSI K8N,1GB,6200N,40GB
Toshiba P100-ST9012,T2400 Core Duo,2GB,7900GTX,80GB
Last edited by gyoung : March 12th, 2008 at 09:41 PM.
March 12th, 2008, 10:41 PM
#2
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,492
Run a scan and post the results. HijackThis Analyzer & Tutorial
It doesn't take a password to hijack the inner workings of things through malware.
You can use this utility to trace where the E-Mail came from. Paste the full headers in the utility.
March 12th, 2008, 10:41 PM
#3
\m/(°-°)\m/
Join Date: Feb 2007 Location: In my room
Posts: 12,764
Hi there.
My gf works in an office that runs instant messengers, and she was telling me just the other day that they had a similar thing happen there. It spread throughout the whole office though.
Their IT guy narrowed it down to an IM program though, so you might check that.
Also, he did mention it was a trojan, so you should run some virus/Adware scans.
Good luck
March 12th, 2008, 10:55 PM
#4
Ultimate Member
Join Date: Oct 2001 Location: Carmel, IN
Posts: 1,045
Here is a copy of the log file. Also, one thing I should mention. This happened the day after I reinstalled Windows XP fresh on her laptop. I installed XP, drivers, and all service packs. The only websites visited during this were microsoft and lenovo.
I went to bed the night before and the next day she told me about it. It was then that I realized that I hadn't installed the anti-virus software yet. When I got home I installed it and scanned and didn't find anything.
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:54 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\program files\airset\airset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\***** \*****\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CompanionLink] "c:\program files\airset\airset.exe" -Icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1204995129746
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
--
End of file - 7762 bytes
Last edited by gyoung : May 16th, 2008 at 11:29 AM.
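The log above is in HijackThis format, and the usual triage is to look at the O4 (autostart) and O23 (service) entries for binaries that run from odd locations, carry no vendor string, or borrow a Windows system binary's name. The script below is an added example, not something from the thread or from HijackThis itself. It applies those three checks to a small constructed log: the first three lines are copied from the posted log, and the last two are made up to show what a flagged entry looks like.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log. Lines 1-3 are from the log posted in the thread;
# lines 4-5 are constructed examples of entries the checks should flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O23 - Service: Example Helper (ExampleHelper) - Unknown owner - C:\WINDOWS\system32\drivers\example.exe (file missing)
"""

# Directories a clean XP box normally starts things from (hypothetical policy).
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows", "c:\\progra~1")
# Names of core Windows binaries that malware likes to reuse.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    line: str
    reason: str


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)  # stop at the first .exe
    return m.group(1) if m else cmd.split()[0]


def check_path(path: str) -> List[str]:
    """Return the reasons (if any) a binary path deserves a closer look."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if not p.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside Program Files / Windows")
    if "\\temp\\" in p or "\\local settings\\" in p:
        reasons.append("binary runs from a temp or user-profile directory")
    if base in SYSTEM_NAMES and not p.startswith(SYSTEM32):
        reasons.append("system binary name outside system32 (possible masquerade)")
    return reasons


def triage(log: str) -> List[Finding]:
    """Scan O4 and O23 lines of a HijackThis log and collect suspicious entries."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            # "O4 - HKLM\..\Run: [Name] command" or "O4 - Startup: x.lnk = path"
            if "] " in line:
                cmd = line.split("] ", 1)[1]
            elif " = " in line:
                cmd = line.split(" = ", 1)[1]
            else:
                continue
            if not cmd.strip():
                continue
            findings.extend(Finding(line, r) for r in check_path(extract_path(cmd)))
        elif line.startswith("O23 - "):
            # "O23 - Service: Name (short) - Vendor - path"
            if "Unknown owner" in line:
                findings.append(Finding(line, "service has no vendor string"))
            if "(file missing)" in line:
                findings.append(Finding(line, "service binary missing on disk"))
            path = line.rsplit(" - ", 1)[1].replace(" (file missing)", "")
            findings.extend(Finding(line, r) for r in check_path(path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the constructed log, the three real entries produce nothing, the Temp-directory svchost.exe is flagged three times, and the ownerless missing service twice. The checks are heuristics: a legitimate vendor can ship an unsigned service, so a flag is a prompt to look the file up, not a verdict.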
March 12th, 2008, 11:03 PM
#5
Ultimate Member
Join Date: Oct 2001 Location: Carmel, IN
Posts: 1,045
email header:
Quote:
Content-Type: multipart/alternative;
boundary="_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_"
X-Originating-IP: [58.39.172.238]
Whois search at whois.net returns:
Quote:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
I did this the day it happened, so I knew that something sent this out. I just was confused about what did it, since the scan came up empty.
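The header check above is the right instinct: for webmail, X-Originating-IP is stamped by the provider with the address of the client that submitted the message, so a value far from the owner's usual networks points at an account login rather than a spoofed From address. The script below is an added example (not from the thread) that extracts that header and the relay hops from a raw message and compares the submitter against a list of expected home networks. The message is constructed for the example: the X-Originating-IP and Content-Type lines are the ones posted above, while the hostnames, the RFC 5737 documentation addresses in the Received lines, and the home range 203.0.113.0/24 are made up.

```python
import email
import ipaddress
import re
from typing import List, Optional

# Constructed raw message. Only X-Originating-IP and Content-Type come from the
# thread; relay names/IPs and addresses are placeholders.
RAW_MESSAGE = """\
Received: from mail-out.webmail.example ([192.0.2.10]) by mx.example.net
Received: from WEBFRONT-01 ([198.51.100.25]) by mail-out.webmail.example
X-Originating-IP: [58.39.172.238]
From: "User" <user@hotmail.example>
To: friend@example.net
Subject: Dear friend
Content-Type: multipart/alternative;
\tboundary="_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_"

--_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_
Content-Type: text/plain

body
--_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_--
"""

# Hypothetical: the networks the account owner normally logs in from.
HOME_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw: str) -> Optional[ipaddress.IPv4Address]:
    """Return the client IP the provider recorded, or None if the header is absent."""
    msg = email.message_from_string(raw)
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    return ipaddress.ip_address(value.strip().strip("[]"))


def received_chain(raw: str) -> List[str]:
    """Bracketed IPs from Received: headers, oldest hop first.

    Received headers are prepended by each relay, so the last one in the
    message is the earliest hop. Hops before the first trusted relay can be
    forged by the sender; X-Originating-IP, added by the provider, cannot.
    """
    msg = email.message_from_string(raw)
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IPV4.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def login_looks_foreign(raw: str, home=HOME_NETWORKS) -> bool:
    """True when the submitting client is outside every expected home network."""
    ip = originating_ip(raw)
    if ip is None:
        return False  # no provider-stamped IP: cannot judge from this header
    return not any(ip in net for net in home)


if __name__ == "__main__":
    print("submitted from:", originating_ip(RAW_MESSAGE))
    print("relay chain:", " -> ".join(received_chain(RAW_MESSAGE)))
    print("outside home networks:", login_looks_foreign(RAW_MESSAGE))
```

A copy of the message in the Sent folder plus a foreign X-Originating-IP is the combination that distinguishes a compromised login from mere spoofing, which is the question the first post asks. Whois on the address returns the regional registry (APNIC here); the registry's own whois server gives the actual allocation, and as the next reply notes, a proxy or bot can still sit in front of the real sender.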
March 12th, 2008, 11:13 PM
#6
Ultimate Member
Join Date: Feb 2007 Location: Illinois
Posts: 2,482
__________________ Crunching for the cure! Techimo Folding Team# 111
March 13th, 2008, 06:20 PM
#7
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,492
I don't see anything that would cause this. There are a few unknowns. Do you use Airset?
The IP address doesn't show up as a Phish site. At least not yet. The site is from China and information is lacking. Usually they will use a proxy so this doesn't say much. Meaning the true IP address is masked even when the E-Mail headers are sorted out.
It could be that the person obtained info from another E-Mail that was sent and opened, thereby allowing some kind of virus that read the contacts list in the E-Mail account.
I would change the passwords and change the setting in the account to not download all the content when viewing E-Mail. I use an E-mail client called Thunderbird and have phish security installed through the use of addons. In web based E-Mail I use FireFox with an addon called NoScript.
Has this happened more than once?
Use this to generate a good password http://www.itsecurity.com/features/2...stakes-022807/ www.trashmail.net www.opendns.com
Last edited by Keymaker : March 13th, 2008 at 06:27 PM.
March 13th, 2008, 09:15 PM
#8
Ultimate Member
Join Date: Oct 2001 Location: Carmel, IN
Posts: 1,045
Yeah, we use airset. I don't think it was a phishing scam. She is pretty good about that but I don't know for sure. I had her change her password and it is strong (it was strong before).
And it only happened once. She did get an email the next day from a friend. Looks like it happened to her friend too. She also had a Hotmail address.
April 3rd, 2008, 12:36 PM
#9
Junior Member
Join Date: Apr 2008
Posts: 1
Similar problem occurred Mar. 31/08. I had this electronics outfit send two emails to my entire contact list, BUT when I went to look at my contact list, IT WAS GONE! Two nights later they did it again, EVEN though my contact file was gone. They seem to be holding it captive. Two questions: Is Microsoft doing anything about this, to anyone's knowledge? Second, my NOD32 scanner picked up nothing, so please let me know if anyone finds a virus scan to find this & clean it.
Many thanks Balmybrucevivi
April 3rd, 2008, 01:52 PM
#10
Super F@D Folder
Join Date: Jun 2004
Posts: 5,083
If you do a search for the first sentence of that, you can find stuff all over the web with nearly identical setups.
I'd grab a trial copy of avg antivirus/antispyware. Well, to be honest, I'd trash McAfee and buy the version of avg for $35. Much better protection. The only thing it's missing is the firewall, but I'd think you're better off with a free firewall over McAfee's anyway. From my experience their software is junk!
Big question is, do you have a router? If she's aware of what she's doing on the web and you have a router, I may not even worry so much about a firewall...
-Kevin
BruceV - Post up scans using HijackThis. I wouldn't trust just one anti-malware program if there's evidence of an infection. No av program is perfect! On a side note, you'd probably be better off opening your own thread for it, that way we can comment on each problem specifically rather than trying to help two people in one thread! The problems seem similar but they may be very different...
Last edited by sr71000 : April 3rd, 2008 at 01:54 PM.