Author Topic: [Inactive] Hotmail repeatedly hijacked  (Read 4141 times)

Offline helpmeifyoucan

  • Bronze Member
  • Posts: 15
Re: [In Progress] Hotmail repeatedly hijacked
« Reply #15 on: September 16, 2014, 01:56:36 PM »
I tried clearing browser history and all cookies, then using private browsing.  Then I tried other browsers: IE and installed Opera, but still the same problem.  Is there some other way they can blacklist me?  IP address or MAC address or some hidden id number in my CPU? (intel i7 740qm)

I have read that people have had their accounts blocked when they tried to log in abroad so that indicates that Outlook/Hotmail monitor IP addresses.  They also have the feature that you can link your account with your 'machine name' for security so that you can only log in from a specific device.   I tried a different USB modem with a different SIM card - still the same problem.  There are a lot of cases on other forums of people having their account hacked and then having problems using the reactivation code.  Perhaps they have the same problem?

Did you see anything in the logs?  What about the strange folders on F: and C:?

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27056
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Hotmail repeatedly hijacked
« Reply #16 on: September 16, 2014, 03:33:27 PM »
The bad problem is, those folders might be malware, or they might be part of Windows. There is one more thing we can do to make sure before you contact Hotmail to try and reactivate your account.

This needs to be done on a clean computer with a CD burner. If you don't have one, let me know. There are other instructions you can use with a thumbdrive.


Please download the Avira Rescue system on the clean computer. Then go here and there are instructions on how to burn the CD, how to run the scan with it, and how to save the log.

You need these instructions, because this scan is actually done after having booted to the CD which runs a distro of Linux, so it is a little different from Windows.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #17 on: September 18, 2014, 11:57:53 AM »
I have a Samsung netbook, but it may also be infected. I have ordered a USB to IDE cable to connect it to an IDE DVD burner so I can copy my data off and create the AVIRA CD.

First I need to get it clean, so I have a few questions. The internal hard disk has a recovery partition. 

Is there a chance the recovery partition is infected?  If I restore the machine using the recovery partition it will wipe everything back to factory but will it be clean? 

If I restore it using the recovery DVD instead, will it clean the whole PC, including the recovery partition?  I don't want to format the whole HDD because I want to keep a recovery partition in case I need it in future. 

How about formatting the whole disc with DBAN and then reinstalling via the DVD and making a new recovery partition based on what has been installed from the DVD that came with it?  Will that 100% guarantee it is clean?

I don't have a lot of data on the netbook, so I'm happy to wipe and reinstall to get at least one clean machine. Any advice on the best way would be greatly appreciated.

Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #18 on: September 18, 2014, 01:52:16 PM »
Can recovery partitions be infected? Absolutely. But generally speaking they are not. Because there is an endgame for all the malware out there. It is either to get the author money or a tool to use in a larger scheme or for name recognition, something. An infection on the recovery partition would accomplish nothing. And if it were infected, then chances are the recovery would not happen. The file signatures would not match.

A factory restore would probably work. But you can also use DBAN to wipe the drive and use the Recovery DVDs you created. Either way is your choice.


Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #19 on: October 27, 2014, 10:01:07 AM »
I didn't use the netbook due to DVD drive malfunction. Instead I bought a new eSATA external HD, removed the infected internal HD from my main laptop and used the recovery CDs to reinstall onto the clean external drive. I tried Hotmail with a test account and there were no hijackings. My main email address is still blocked. This rules out Hotmail blacklisting my IP or MAC address. The problem must be malware at my end.

I downloaded the AVIRA CD from the link you gave. I removed the clean ext HD and put back the infected internal HD and booted the CD. After a while, a GUI appeared but the mouse did not work. The system tried to connect to the net to update itself but an error box appeared and I could not click the OK button.

I have found another AVIRA rescue CD download here:
http://www.avira.com/en/download/product/avira-rescue-system

It is not the same as the one you told me to use but I will try it.  Let me know if there is a way to get the first one working if I need it specifically.

Thanks

Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #20 on: October 27, 2014, 10:33:55 AM »
That is the same file. I just gave you a direct link instead of giving you the page. That one does have an ISO file that you can burn to a CD (burn an image) instead of having it create a CD. That might work better for you.


Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #21 on: October 27, 2014, 03:51:09 PM »
I ran the new Avira CD and it was different to the other one and worked this time.  I scanned and it detected some viruses but I do not think they are the culprit.  Is there anything else that can be tried?  The logs are below:


Avira
Rescue System
Scan Report
Start: 18:53:47    End: 20:17:30
Detections:    2
Files treated:    2
Files scanned:    211527
Engine version:    8.3.24.40
VDF version:    7.11.181.158
Scan status:    Finished
Update Report
Update finished successfully!Updated files:
vbase031.vdf 7.11.181.132 -> 7.11.181.158
aevdf.dat 7.11.181.132 -> 7.11.181.158
Update finished successfully
Details
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/imapmail/imap.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan    
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/mail/pop.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan



Avira
Rescue System
Scan Report
Start: 20:39:23    End: 21:28:14
Detections:    1
Files treated:    1
Files scanned:    145757
Engine version:    8.3.24.40
VDF version:    7.11.181.186
Scan status:    Finished
Update Report
Update finished successfully!Updated files:
vbase022.vdf 7.11.181.62 -> 7.11.181.163
vbase023.vdf 7.11.181.63 -> 7.11.181.164
vbase024.vdf 7.11.181.64 -> 7.11.181.165
vbase025.vdf 7.11.181.65 -> 7.11.181.166
vbase026.vdf 7.11.181.66 -> 7.11.181.167
vbase027.vdf 7.11.181.67 -> 7.11.181.168
vbase028.vdf 7.11.181.68 -> 7.11.181.169
vbase029.vdf 7.11.181.69 -> 7.11.181.170
vbase030.vdf 7.11.181.70 -> 7.11.181.171
vbase031.vdf 7.11.181.158 -> 7.11.181.186
aevdf.dat 7.11.181.158 -> 7.11.181.186
Update finished successfully
Details
Detection:    /target/H:/adata hd710/manualbackup140313/users/downloads/adlsoft_uncompressor_v2_3.exe
Virus name:    ADWARE/InstallCore.Gen    file renamed
Virus Type:    virus
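
Added example (not part of the original posts, and not Avira tooling): a small parser for the Details section of the Rescue System reports pasted above, grouping each hit by where it was found. The location labels and the rules in `classify` are assumptions of this example; the report lines are copied from the post.

```python
import re

# Details lines copied from the two Avira Rescue System reports pasted above.
REPORT = """\
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/imapmail/imap.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/mail/pop.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan
Detection:    /target/H:/adata hd710/manualbackup140313/users/downloads/adlsoft_uncompressor_v2_3.exe
Virus name:    ADWARE/InstallCore.Gen    file renamed
Virus Type:    virus
"""

FIELD = re.compile(r"^(Detection|Virus name|Virus Type):\s+(.*?)\s*$")

def parse_detections(text):
    """Return one dict per 'Detection:' record with path, name, action, type."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # header, update and blank lines
        key, value = m.groups()
        if key == "Detection":
            current = {"path": value, "name": "", "action": "", "type": ""}
            records.append(current)
        elif current is None:
            continue                      # field seen before any Detection line
        elif key == "Virus name":
            # Signature name and action taken share a line, split by a gap.
            name, _, action = re.sub(r"\t|\s{2,}", "\t", value).partition("\t")
            current["name"], current["action"] = name, action.strip()
        else:
            current["type"] = value
    return records

def classify(path):
    """Label where a hit lives (labels are this example's own, not Avira's)."""
    p = path.lower()
    if "/thunderbird/profiles/" in p and ("/imapmail/" in p or "/mail/" in p):
        return "mail store"               # Thunderbird folder file holding messages
    if "backup" in p or "/downloads/" in p:
        return "stored download"          # file at rest in a backup or download folder
    return "review"                       # anything else needs a closer look

def triage(text):
    """List (location, signature, action) for every detection in the report."""
    return [(classify(r["path"]), r["name"], r["action"]) for r in parse_detections(text)]
```

For both mail-store hits the detected path is the Thunderbird folder file itself and the recorded action is `file renamed`, so the whole Inbox file was renamed rather than a single message.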

Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #22 on: October 27, 2014, 06:24:01 PM »
You say your e-mail is still blocked? Are you meaning that you cannot login to it? Or you cannot send or receive email?


Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #23 on: October 28, 2014, 08:43:20 AM »
My main email account got blocked when my PC was first infected. I can put my username and password in and a screen comes up that says 'we have temporarily blocked your account'. I cannot access my inbox at all or send messages. To try to test if there was an infection, I created several new clean Hotmail/Outlook accounts. If I create a test account on a clean PC, there are no problems with using the new account. As soon as I log in to a clean test account from the infected PC, that account gets blocked. Any attempt to access Hotmail with any account using the infected computer results in immediate account block. I have tried creating a new Windows user on the infected PC and logging in from there, but the virus is still triggering the account to be blocked. When I used a clean HDD so that the PC was not infected, my latest test account did not get blocked. Therefore, Hotmail have not blacklisted my IP address. I can also log in to a clean test account using Thunderbird even on the infected PC without the account being blocked. Accounts that have already been blocked cannot log in with Thunderbird.

I set up Wireshark to monitor all network activity. I then logged into Hotmail on the infected PC using a clean test account and wrote down every IP address that was being connected to. I then googled every IP address to see if they were legitimate. They were all normal e.g. Microsoft owned or Akamai, etc. That seems to rule out a key logger sending my keystrokes to an unauthorised machine.

My hypothesis is that there might be some malware that waits for me to start a session with Outlook/Hotmail using my web browser and as soon as I log myself in, it takes control of the account and tries to send spam as if it is me doing it through my session. This way there is no need for the virus to connect with the hacker's computer, it can work all by itself. The malware only gets in to my email when I use a web browser. I have tried other browsers but it does not help.

Could it be something to do with Java? I disabled updates to preserve the state of the computer in case it helped locate the infection but I could try updating Java. Also, are there any other settings I could change on my browser? Is there any way to monitor processes that might hijack my browser? If I could monitor Java processes during my log in, maybe that would identify the problem?

Below I have copied some screenshots of what happens as the account gets hacked.  Continued on next reply (4 pics limit)
So, I log in to the clean account and click new message.  I compose the message and press send.   Instead of sending the message, the bar shows 'please verify your account'.  I have to do a captcha and after, it takes me back to the message I am composing.  The next time I press send, the account gets  blocked.

Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #24 on: October 28, 2014, 08:48:54 AM »
If I log out and log in again I type in my password and then the page below comes up saying my account has been blocked and I can go no further. It requests a phone number. If I go through with this it sends a code and you put in the code to get back into the account and it just gets blocked again. Something on my machine is invisibly joining in on my email sessions and I am going crazy trying to work out what it is!

Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #25 on: October 28, 2014, 10:22:55 AM »
If you use a different browser can you go thru the verification and send emails?


Offline helpmeifyoucan

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #26 on: October 28, 2014, 11:56:19 AM »
No, the browser makes no difference. I have tried Firefox, Chrome, IE and Opera.

Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #27 on: October 28, 2014, 01:57:22 PM »
OK, try this.

I need you to reboot Windows cleanly. To do that please go to the run command and type in msconfig. Once that starts, select Selective startup, and then uncheck Load startup items. Now click on the Services tab, and down near the bottom of the window, check the box that says Hide all Microsoft services. Now go up and uncheck all the services still listed; make sure you scroll down the list if needed to unselect all the non-Microsoft services. Now click Apply, then click OK and reboot the computer.

Now run CCleaner, and make sure to remove all the cookies on your computer.

Now try resetting one of the e-mail accounts and see if you can continue to logon and use it. Once you know one way or the other, run msconfig again and select Normal Startup and then click apply then all and reboot the computer. Let me know how it went.


Offline Hoov

Re: [In Progress] Hotmail repeatedly hijacked
« Reply #28 on: February 16, 2015, 06:42:36 PM »
This thread is being closed due to inactivity. If you need it reopened send me a PM. This applies to the originator only. Anyone else please start a new thread.



 
