Hotmail Virus?

#1  gyoung (Ultimate Member, Carmel, IN), March 12th, 2008, 09:37 PM

The other day my wife's hotmail account sent 3 emails to her entire contact list in her hotmail account. The text of the email was:

Quote:
Dear friend:
We are wholesale company which can offer you laptops,Digital cameras,videos,GPS , cellphone,mp4,game console and many other electronic products with international guarrantee all over the world.
We can offer you both high quality products and good price. with the new beginning of 2008, we want to have a long term business with you/your company If you want to buy something ,please feel free contact us at:
our website : <http://www..com>
MSN : x@hotmail.com
E-mail : xhotmail.com
Welcome to x.com! MSN: x@hotmail.com

I replaced the address with the x. No need to give them more traffic. Any idea how this could happen? How can a Hotmail account be compromised? I find it very hard to believe that they hacked her password. It was a strong password (> 8 characters) with no words. It was comprised of numbers, letters (in upper and lower case). One of her friends replied that she also received another email with the same message from another friend.

At first I thought it was a spoof of her email address, but I actually see the sent message in her sent message folder. It happened 3 times at 11:27am, 11:29am, and 11:32am.
#2  Keymaker (Loveland, CO), March 12th, 2008, 10:41 PM
Run a scan and post the results.

HijackThis Analyzer & Tutorial

It doesn't take a password to hijack the inner workings of things through malware.

You can use this utility to trace where the E-Mail came from. Paste the full headers in the utility.
#3  KarmaKiller, March 12th, 2008, 10:41 PM
Hi there.
My gf works in an office that runs instant messengers, and she was telling me just the other day that they had a similar thing happen there. It spread throughout the whole office though.
Their IT guy narrowed it down to an IM program though, so you might check that.
Also, he did mention it was a trojan, so you should run some virus/adware scans.
Good luck
#4  gyoung, March 12th, 2008, 10:55 PM
Here is a copy of the log file. Also, one thing I should mention: this happened the day after I reinstalled Windows XP fresh on her laptop. I installed XP, drivers, and all service packs. The only websites visited during this were Microsoft and Lenovo.

I went to bed the night before and the next day she told me about it. It was then that I realized that I hadn't installed the anti-virus software yet. When I got home I installed it and scanned and didn't find anything.

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:54 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\program files\airset\airset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\***** \*****\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CompanionLink] "c:\program files\airset\airset.exe" -Icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1204995129746
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7762 bytes
#5  gyoung, March 12th, 2008, 11:03 PM

Email header:
Quote:
Content-Type: multipart/alternative;
boundary="_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_"
X-Originating-IP: [58.39.172.238]

Whois search at whois.net returns:

Quote:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I did this the day it happened, so I knew that something sent this out. I just was confused on what did it, since the scan came up empty.
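Keymaker's suggestion (post #2) of tracing the mail from its full headers, applied to the fragment gyoung posted above, as an added example that is not from the thread or from any header-trace utility: it pulls the X-Originating-IP (the address Hotmail recorded for the web session that sent the message) and the Received chain, then checks whether that session address falls inside the networks the account owner normally uses. The sample headers are constructed (only the X-Originating-IP and Content-Type lines are the ones posted); the Received hops and the "expected" home network use documentation address ranges and are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample. X-Originating-IP and Content-Type are the lines posted in
# the thread; the Received chain and the other addresses are made up for this
# example (documentation ranges, not real mail servers).
SAMPLE_HEADERS = """\
Received: from webmail-out.example.org ([192.0.2.10]) by mx.example.net
Received: from WEB-CLIENT ([192.0.2.55]) by webmail-out.example.org
X-Originating-IP: [58.39.172.238]
From: owner@example.org
To: friend@example.net
Subject: Dear friend
Content-Type: multipart/alternative;
\tboundary="_1b26284b-fb65-4caa-85f9-6a8d4badb0e7_"

"""

# Assumption: the account owner normally logs in from this home ISP block.
# A documentation range is used here; substitute the real ranges in practice.
EXPECTED_NETWORKS = ("203.0.113.0/24",)

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_headers):
    """Address of the webmail session that sent the mail, or None if the
    X-Originating-IP header is absent or carries no bracketed IPv4 address."""
    msg = message_from_string(raw_headers, policy=default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = _IP_RE.search(str(value))
    return m.group(1) if m else None


def received_ips(raw_headers):
    """Bracketed addresses from the Received chain, oldest hop first, so the
    path can be followed backwards the way a header-trace tool presents it."""
    msg = message_from_string(raw_headers, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        m = _IP_RE.search(str(header))
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))  # parser returns newest hop first


def triage(raw_headers, expected_networks=EXPECTED_NETWORKS):
    """Flag a message that really was sent from the account (it sits in the
    Sent folder) but from a session address the owner never uses: that points
    at the account being used by someone else rather than at address spoofing."""
    ip = originating_ip(raw_headers)
    if ip is None:
        return {"originating_ip": None, "expected": None, "suspicious": True,
                "reason": "no X-Originating-IP header; cannot place the session"}
    addr = ipaddress.ip_address(ip)
    expected = any(addr in ipaddress.ip_network(n) for n in expected_networks)
    return {"originating_ip": ip, "expected": expected, "suspicious": not expected,
            "reason": ("session address inside the owner's usual networks" if expected
                       else "session address outside the owner's usual networks")}
```

The session address is only the starting point: the thread's whois lookup on it is the next step, and as Keymaker notes in post #7 a proxy can sit in front of the true address.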
#6  2monsters (Illinois), March 12th, 2008, 11:13 PM
Sounds like she got Phished. Change all her passwords.
http://en.wikipedia.org/wiki/Phishing
#7  Keymaker (Loveland, CO), March 13th, 2008, 06:20 PM
I don't see anything that would cause this. There are a few unknowns. Do you use Airset?

The IP address doesn't show up as a phish site. At least not yet. The site is from China and information is lacking. Usually they will use a proxy, so this doesn't say much, meaning the true IP address is masked even when the E-Mail headers are sorted out.

It could be that the person obtained info from another E-Mail that was sent and opened, thereby allowing some kind of virus that read the contacts list in the E-Mail account.

I would change the passwords and change the setting in the account to not download all the content when viewing E-Mail. I use an E-Mail client called Thunderbird and have phish security installed through the use of add-ons. In web-based E-Mail I use Firefox with an add-on called NoScript.

Has this happened more than once?

Use this to generate a good password:

http://www.itsecurity.com/features/2...stakes-022807/

www.trashmail.net

www.opendns.com
#8  gyoung, March 13th, 2008, 09:15 PM
Yeah, we use Airset. I don't think it was a phishing scam. She is pretty good about that, but I don't know for sure. I had her change her password and it is strong (it was strong before).

And it only happened once. She did get an email the next day from a friend. Looks like it happened to her friend too. She also had a Hotmail address.

#9  BruceV (Junior Member), April 3rd, 2008, 12:36 PM

Hotmail virus

Similar problem occurred Mar. 31/08. I had this electronics outfit send two emails to my entire contact list, BUT when I went to look at my contact list, IT WAS GONE! Two nights later they did it again, EVEN though my contact file was gone. They seem to be holding it captive. Two questions? Is Microsoft doing anything about this, to anyone's knowledge? Second, my NOD32 scanner picked up nothing, so please let me know if anyone finds a virus scan to find this & clean it??
Many thanks, Balmybrucevivi
#10  sr71000, April 3rd, 2008, 01:52 PM
If you do a search for the first sentence of that, you can find stuff all over the web with nearly identical setups.

I'd grab a trial copy of avg antivirus/antispyware. Well to be honest, I'd trash McAfee and buy the version of avg for $35. Much better protection. The only thing it's missing is the firewall but I'd think you're better off with a free firewall over McAfee's anyways. From my experience their software is junk!

Big question is, do you have a router? If she's aware of what she's doing on the web and you have a router, I may not even worry so much about a firewall...

-Kevin

BruceV - Post up scans using HijackThis. I wouldn't trust just one anti-malware program if there's evidence of an infection. No AV program is perfect! On a side note, you'd probably be better off opening your own thread for it; that way we can comment on each problem specifically rather than trying to help two people in one thread! The problems seem similar but they may be very different...
