SpywareHammer.com

SpywareHammer Malware Removal Forums => Completed Malware and Rootkit Removal Topics => Inactive Logs => Topic started by: helpmeifyoucan on April 04, 2014, 11:28:00 AM

Title: [Inactive] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on April 04, 2014, 11:28:00 AM
Hello,
My Hotmail account got hacked into by a virus which sent all my contacts spam, and then the account was blocked and I could no longer log in. I tried making new Hotmail accounts, but every time I tried to access the new accounts, they were also hijacked and blocked. I tried accessing Hotmail via Ubuntu and there were no problems with another new account. The previously blocked accounts were still blocked. Therefore, I conclude that my Windows laptop is infected with something that gets into Hotmail and hijacks it. I think the virus came from the internet.

I tried using a different Windows laptop that I had not used on the internet prior to the infection, but that had the same problem of Hotmail getting hijacked. I only tried Hotmail after connecting the second laptop to the same Wi-Fi as the infected one, and I also used a USB stick from the first laptop in the second, so the virus may have transferred itself somehow to the second laptop. I think it's best if we just deal with the first laptop at this time.

I have tried the following tools without success:
Full scan with Avast
Full scan with Kaspersky PURE
Malwarebytes free trial
SUPERAntiSpyware
a rootkit checking utility

I spent hours using Wireshark to try to find keylogger packets or establish an unexpected IP address when connecting to Hotmail, but I found only what appeared to be legitimate communication over my network. For this reason, I think it may be that the virus waits until I actually log in to Hotmail to gain access rather than sending my password elsewhere.
I have tried Opera instead of Firefox and got the same problem.

I have copied all my files to an external (eSATA) drive but am worried that if I reinstall Windows from the recovery DVDs, I may get reinfected from the external drive.

I have never had a virus before, so I do not know very much about them or whether what I have said above is 100% correct, as some of it is speculation and I have little understanding of antivirus tools. Many thanks in advance for your help.

Here are the DDS files:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16521  BrowserJavaVersion: 10.25.2
Run by User1 at 15:34:25 on 2014-04-04
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.6125.4340 [GMT 1:00]
.
AV: Kaspersky PURE 3.0 *Disabled/Outdated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
SP: Kaspersky PURE 3.0 *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky PURE 3.0 *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
c:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Apoint\Apoint.exe
C:\Users\User1\AppData\Local\FluxSoftware\Flux\flux.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Jitsi\Jitsi.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Care\VCSpt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Users\User1\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Sony\VAIO Care\VCsystray.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sony\VAIO Care\VCPerfService.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SVEE&bmod=SVEE
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SVEE&bmod=SVEE
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\OnlineBanking\online_banking_bho.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
TB: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
uRun: [CAHeadless] c:\Program Files (x86)\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
uRun: [F.lux] "C:\Users\User1\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
uRun: [Jitsi] C:\Program Files\Jitsi\Jitsi.exe
uRun: [Workrave] C:\Program Files (x86)\Workrave\lib\Workrave.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"
mRun: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"
mRun: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"
mRun: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe
mRun: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\User1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\User1\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
TCP: Interfaces\{FA6EF5B8-90EC-4FCE-8E26-C5C8F8089870} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{FA6EF5B8-90EC-4FCE-8E26-C5C8F8089870}\44F4651444F4 : DHCPNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\MP3 Skype Recorder\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -
x64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\OnlineBanking\online_banking_bho.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -
x64-TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [Apoint] C:\Program Files (x86)\Apoint\Apoint.exe
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\diskf9vw.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\System32\drivers\CSCrySec.sys [2014-1-31 84536]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-3-14 55024]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\System32\drivers\CSVirtualDiskDrv.sys [2014-1-31 66616]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2012-8-2 28504]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2012-10-18 54368]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2012-8-13 178448]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
R2 BecHelperService;BecHelperService;C:\Program Files (x86)\3 Mobile Broadband\3Connect\BecHelperService.exe [2013-11-13 1740696]
R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2012-12-21 819040]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-29 13336]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2010-3-9 144672]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-6-1 367456]
R2 regi;regi;C:\Windows\System32\drivers\regi.sys [2013-3-14 14112]
R2 rimspci;rimspci;C:\Windows\System32\drivers\rimssne64.sys [2010-7-29 94208]
R2 risdsnpe;risdsnpe;C:\Windows\System32\drivers\risdsne64.sys [2010-7-29 78848]
R2 SampleCollector;VAIO Care Performance Service;C:\Program Files\Sony\VAIO Care\VCPerfService.exe [2013-3-14 252416]
R2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2013-3-14 104960]
R2 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2013-3-14 575856]
R2 VSNService;VSNService;C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [2013-3-14 836608]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\System32\drivers\ArcSoftKsUFilter.sys [2013-3-14 19968]
R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2013-7-31 266240]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-11-13 86016]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\drivers\klkbdflt.sys [2012-9-3 29280]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2012-9-3 29280]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2013-3-20 95744]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2013-3-20 212992]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\System32\drivers\SFEP.sys [2010-6-2 12032]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2013-3-20 398112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-2-1 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-2-1 701512]
S3 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [2012-12-20 356128]
S3 BrSerIb;Brother Serial Interface Driver(WDM);C:\Windows\System32\drivers\BrSerIb.sys [2012-9-6 95344]
S3 BrUsbSIb;Brother Serial USB Driver(WDM);C:\Windows\System32\drivers\BrUsbSib.sys [2012-9-6 21872]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2013-3-14 342056]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2013-3-14 39464]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-11-13 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\drivers\ew_usbenumfilter.sys [2013-11-13 13952]
S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\Windows\System32\drivers\ewusbwwan.sys [2013-11-13 421376]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-7-29 158720]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-2-1 25928]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-5-31 7689216]
S3 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-6-20 108400]
S3 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-6-18 423280]
S3 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-6-20 67952]
S3 SpfService;VAIO Entertainment Common Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2010-6-6 304496]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-26 59392]
S3 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-6-17 851824]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-6-9 537456]
S3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-6-9 384880]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-6-9 101232]
S3 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update 5\VUAgent.exe [2013-3-14 1250160]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-26 1255736]
.
=============== Created Last 30 ================
.
2014-04-01 10:54:27    10521840    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EC07985-E230-4DBA-ABC9-7B72BFF096C5}\mpengine.dll
2014-03-23 01:58:14    33240    ----a-w-    C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-03-23 01:33:32    --------    d-----w-    C:\Program Files\Common Files\Propellerhead Software
2014-03-21 13:29:23    --------    d-----w-    C:\Program Files\PreSonus
2014-03-21 11:28:42    --------    d-----w-    C:\ProgramData\PreSonus
2014-03-21 11:28:40    --------    d-----w-    C:\Users\User1\AppData\Roaming\PreSonus
2014-03-07 13:08:40    --------    d-----w-    C:\b523a7fe3baefddf6c922ed504c7
.
==================== Find3M  ====================
.
2014-02-26 10:54:54    952    --sha-w-    C:\ProgramData\KGyGaAvL.sys
2014-02-01 22:32:05    91352    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-01-31 12:27:19    54368    ----a-w-    C:\Windows\System32\drivers\kltdi.sys
2014-01-31 12:27:19    178448    ----a-w-    C:\Windows\System32\drivers\kneps.sys
2014-01-31 12:27:18    29280    ----a-w-    C:\Windows\System32\drivers\klmouflt.sys
2014-01-31 12:27:18    29280    ----a-w-    C:\Windows\System32\drivers\klkbdflt.sys
2014-01-31 12:27:16    90208    ----a-w-    C:\Windows\System32\drivers\klflt.sys
2014-01-31 12:27:14    7717984    ----a-w-    C:\Windows\System32\drivers\kl1.sys
.
============= FINISH: 15:35:04.34 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 14/03/2013 18:39:36
System Uptime: 04/04/2014 15:29:03 (0 hours ago)
.
Motherboard: Sony Corporation |  | VAIO
Processor: Intel(R) Core(TM) i7 CPU       Q 740  @ 1.73GHz | N/A | 1734/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 453 GiB total, 381.733 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: TCP/IP Protocol Driver
Device ID: ROOT\LEGACY_TCPIP\0000
Manufacturer:
Name: TCP/IP Protocol Driver
PNP Device ID: ROOT\LEGACY_TCPIP\0000
Service: Tcpip
.
==== System Restore Points ===================
.
RP120: 04/04/2014 00:55:46 - Scheduled Checkpoint
.
==== Installed Programs ======================
.
3Connect
7-Zip 9.20 (x64 edition)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 8.0
Adobe Premiere Elements 8.0
Adobe Reader 9.5.5
Alps Pointing-device for VAIO
Amazon Kindle
ArcSoft Magic-i Visual Effects 2
ArcSoft WebCam Companion 3
BBC iPlayer Desktop
Brother MFL-Pro Suite MFC-J825DW
CCleaner
Corel WinDVD
CrystalDiskMark 3.0.3
Dropbox
Evernote
Exact Audio Copy 1.0beta3
f.lux
GIMP 2.6.11
Google Chrome
Google Update Helper
HD Tune 2.55
Huawei modem
ImgBurn
Intel PROSet Wireless
Intel(R) Control Center
Intel(R) PROSet/Wireless WiFi Software
Intel(R) Rapid Storage Technology
Intel(R) Turbo Boost Technology Driver
Java 7 Update 25
Java Auto Updater
Java(TM) 6 Update 20 (64-bit)
Jitsi
Junk Mail filter update
Kaspersky PURE 3.0
Malwarebytes Anti-Malware version 1.75.0.1300
Media Gallery
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2010
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mixxx 1.11.0
Mozilla Firefox 28.0 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 17.0.6 (x86 en-US)
MP3 Skype Recorder
MSVCRT
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
Nuance PaperPort 12
Nuance PDF Viewer Plus
NVIDIA Display Control Panel
NVIDIA Drivers
OpenOffice 4.0.0
PaperPort Image Printer 64-bit
PMB
PMB VAIO Edition Guide
PMB VAIO Edition plug-in (Click to Disc)
PMB VAIO Edition plug-in (VAIO Image Optimizer)
PMB VAIO Edition plug-in (VAIO Movie Story)
PreSonus Studio One 2 x64
PVSonyDll
Realtek High Definition Audio Driver
Recuva
Renesas Electronics USB 3.0 Host Controller Driver
Scansoft PDF Professional
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Shapescape
Skype Toolbars
Skype™ 4.2
SmartSound Quicktracks for Premiere Elements 8.0
SUPERAntiSpyware
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VAIO - Media Gallery
VAIO - PMB VAIO Edition Guide
VAIO - PMB VAIO Edition plug-in (Click to Disc)
VAIO - PMB VAIO Edition plug-in (VAIO Image Optimizer)
VAIO - PMB VAIO Edition plug-in (VAIO Movie Story)
VAIO Care
VAIO Control Center
VAIO Data Restore Tool
VAIO DVD Menu Data
VAIO Gate
VAIO Gate Default
VAIO Hardware Diagnostics
VAIO Manual
VAIO Media plus
VAIO Media plus Opening Movie
VAIO Movie Story Template Data
VAIO Sample Contents
VAIO screensaver
VAIO Smart Network
VAIO Transfer Support
VAIO Update
Vim 7.3 (self-installing)
VLC media player 2.1.0
WIDCOMM Bluetooth Software
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Wings of Fury 2 - Return of the legend version 3.4
WinPcap 4.1.3
Wireshark 1.10.5 (64-bit)
Workrave 1.9.4
XAMPP
Zero Assumption Recovery Version 9
.
==== Event Viewer Messages From Past Week ========
.
28/03/2014 14:04:14, Error: Microsoft-Windows-WMPNSS-Service [14365]  - Proximity detection failed due to unknown error '0x80004004'.  The best proximity time detected was -1 milliseconds.
04/04/2014 15:34:09, Error: Microsoft-Windows-DNS-Client [1012]  - There was an error while attempting to read the local hosts file.
04/04/2014 15:29:17, Error: Service Control Manager [7000]  - The Mobile IP Route Manager service failed to start due to the following error:  This driver has been blocked from loading
04/04/2014 15:29:17, Error: Application Popup [1060]  - \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
03/04/2014 17:05:18, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================
 
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on April 04, 2014, 01:09:11 PM
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem. Also tell me any other problems you are having, no matter how small or how long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - if you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me; it may make a difference on where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your hard drive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.

Can you please post logs from all the tools that you have used so far?

Also, do you use webmail, or do you use an e-mail client to download your e-mail to your computer? Where is your address book kept, on hotmail servers or on your computer?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on April 05, 2014, 09:39:23 AM
Hi Hoov, thanks for your quick response.

In an attempt to fix the problem I tried the following:

system restore to previous restore point
tried killing processes I did not recognise with task manager and then trying hotmail
Full scan with avast
Full scan with Kaspersky pure
Malware bytes free trial full scan
Superantispyware free version full scan
a rootkit checking utility called GMER
Windows defender full scan
Wireshark searching for suspicious activity over network.

I spent hours using Wireshark to try to find keylogger packets or establish unexpected IP addresses when connecting to Hotmail, but I found only what appeared to be legitimate communication over my network. For this reason, I think it may be that the virus waits until I actually log in to Hotmail to gain access rather than sending my password elsewhere.
I have tried Opera instead of Firefox and got the same problem.

Here is a Malwarebytes log captured before the trial expired:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
http://www.malwarebytes.org

Database version: v2014.02.01.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16521
User1 :: MANHATTAN [administrator]

Protection: Enabled

01/02/2014 21:35:30
MBAM-log-2014-02-01 (22-16-23).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 427776
Time elapsed: 39 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\Program Files (x86)\Wajam (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Firefox (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\IE (PUP.Optional.Wajam.A) -> No action taken.

Files Detected: 3
C:\Users\User1\Desktop\ARK\installers\SoftonicDownloader_for_kindle.exe (PUP.Optional.Softonic.A) -> No action taken.
C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\IE\wajamLogo.bmp (PUP.Optional.Wajam.A) -> No action taken.

(end)

A previous problem I had a few months back, which I think is not related to the Hotmail virus, was that my PC kept freezing and rebooting every time I watched flash videos, e.g. YouTube. I can't remember how I fixed it; I think a system restore to a previous restore point seemed to stop it, but it happened again once recently.

The following error details for the video crashing are:

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA80056AA390
  BCP2:   FFFFF8800FC49970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\011914-19375-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-74989-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt


Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA800C92C4E0
  BCP2:   FFFFF8800FC0D970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\011914-19250-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-69404-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt


20/01/14:

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA800E114010
  BCP2:   FFFFF8800FCAE970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\012014-40482-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-93772-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt


21/1/14:

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA800C932280
  BCP2:   FFFFF8800FC70970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\012114-54740-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-211225-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

26/1/14:

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA800C9FF4E0
  BCP2:   FFFFF8800FBEE970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\012614-51324-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-74100-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:   2057

Additional information about the problem:
  BCCode:   116
  BCP1:   FFFFFA8010B4A2E0
  BCP2:   FFFFF8800FC80970
  BCP3:   FFFFFFFFC000009A
  BCP4:   0000000000000004
  OS Version:   6_1_7601
  Service Pack:   1_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\012614-28922-01.dmp
  C:\Users\User1\AppData\Local\Temp\WER-50497-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt



Since the current infection, I have not done very much to fix the problem so as not to destroy evidence.  I have not updated my updates or run ccleaner so as to preserve evidence to help possibly identify the virus.

I always access hotmail via the web.  I could try accessing a new account with Thunderbird and see if it gets hijacked?

I have copied all my files onto an external HD, but I am worried that it may also be infected. I want to identify the virus and remove it so I can trust my drive. If I copy the files from one external HD to another when plugged into the Ubuntu laptop, will this stop the virus being transferred?

I hope that there may be something meaningful above.

Regards
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on April 05, 2014, 12:43:48 PM
I have to leave for a bit, I just wanted to let you know if your files are infected then it does not matter what OS you move them with, they will still be infected.

The one thing I am curious about is why you are absolutely sure the problem is with your system. Yahoo has had their servers hacked in the past. I have gotten several spam messages from people who have my e-mail address but do not send me much. The only thing they have in common is Yahoo.

Are you seeing any other problems with your system, or is it doing anything (other than this e-mail issue) that makes you think that the computer is infected? How does it run? Does it ever bog down? Does it seem to be using the internet when you are not around?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on April 05, 2014, 01:33:44 PM
I know it's a problem with my system because if I register a new Hotmail account from my system, it gets hacked as soon as I register it and is immediately blocked. If I register an account the same way on another system (in the internet cafe), it has no problems. As soon as I go home and log in from my laptop, it gets hacked. If I try to log in to a clean Hotmail account using my Ubuntu laptop, I get no problems. If I then try to log in from my Windows laptop, it gets blocked straight away. If I use the account recovery facility to unblock the account, it gets blocked again straight away. I cannot recover my Hotmail account until this issue is resolved because it will get blocked again straight away.

It's a mystery, I have searched google for similar problems and tried lots of tools, but it remains invisible!

How long will you be gone for?

In the meantime, I will investigate by using Thunderbird to see if that makes a difference.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on April 05, 2014, 01:37:42 PM
To answer your other question, there are no other problems that I have noticed. However, it makes me worried that something is running on my computer and I don't know if it is doing anything else.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on April 05, 2014, 03:21:33 PM
I am back.


Please download RunScanner (http://www.runscanner.net/runscanner.exe)
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on April 06, 2014, 03:09:18 PM
Here is runscanner.run zipped
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on April 07, 2014, 09:17:52 AM
I saw a few things in the log. Do you know why you have winPcap installed on your machine?

Also can you tell me what drive your F:/ drive is? Right now there is an autorun file that starts with windows.



* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on September 15, 2014, 09:37:34 AM
Hi, sorry for the delay, I had some emergencies to deal with and did not have access to the PC. I am ready to run ComboFix now.

winPcap was installed when I installed WireShark protocol analyser to investigate the problem.

The F: drive is a partition on my external HDD. There are a number of folders on there with 'random character' names. When you click on them, they turn 'padlocked'. I did not make these folders. Similar random folders are also on C:

I also have H: and G:, which are partitions on the same eSATA drive.

When I ran runscanner, the external HDD was not plugged in.

I was unable to configure Thunderbird to work with any Hotmail account because I cannot create a new account to try it with without the new account getting blocked.

I hope that you can forgive me for the delay in continuing with this. I am ready to run ComboFix and see this through to its conclusion, but thought I should check with you before running it that you are still able to help. I really want to get to the bottom of this. There seem to be many cases on forums of people's computers being blocked for Outlook and Hotmail and reactivation codes don't work, but some of them don't realise they may have malware, so I hope we can solve it here.

Thanks
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on September 15, 2014, 10:06:10 AM
Go ahead and run ComboFix. Has the computer been used while you were away, or was it turned off the entire time?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on September 16, 2014, 06:10:00 AM
I used it for a while after I got back but tried not to change anything too much. Firefox automatically updated by itself and I think some Windows updates were automatically applied. Malwarebytes and Kaspersky PURE expired.

Here is the ComboFix log file; the ComboFix quarantined files.txt follows right after it at the end:

ComboFix 14-09-16.01 - User1 16/09/2014  11:33:38.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.5101.3153 [GMT 1:00]
Running from: c:\users\User1\Desktop\ComboFix.exe
AV: Kaspersky PURE 3.0 *Disabled/Outdated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky PURE 3.0 *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky PURE 3.0 *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-16 to 2014-09-16  )))))))))))))))))))))))))))))))
.
.
2014-09-16 10:42 . 2014-09-16 10:42   --------   d-----w-   c:\users\Default\AppData\Local\temp
2014-09-16 10:42 . 2014-09-16 10:42   --------   d-----w-   c:\users\equinity\AppData\Local\temp
2014-09-14 18:42 . 2014-08-21 03:43   11319192   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C6AD433-7D4C-4395-B53A-241D628E2841}\mpengine.dll
2014-09-13 16:48 . 2014-09-13 16:48   --------   d-----w-   c:\users\User1\Andy
2014-09-13 16:46 . 2014-09-13 16:46   --------   d-----w-   c:\program files\Oracle
2014-09-13 16:46 . 2014-09-13 16:57   --------   d-----w-   c:\program files\Bonjour
2014-09-13 16:46 . 2014-09-13 16:57   --------   d-----w-   c:\program files (x86)\Bonjour
2014-09-13 16:46 . 2014-09-13 16:46   --------   d-----w-   c:\programdata\Apple
2014-09-05 19:33 . 2014-09-05 19:33   --------   d-----w-   c:\program files (x86)\DVD Identifier
2014-09-01 15:33 . 2014-09-06 10:29   --------   d-----w-   c:\users\User1\AppData\Local\gtk-2.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-15 12:43 . 2013-10-11 10:10   163504   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-08-09 15:14 . 2014-08-09 15:14   225472   ----a-w-   c:\windows\SysWow64\drivers\truecrypt.sys
2014-08-05 08:20 . 2013-05-25 10:16   270496   ------w-   c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   131480   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   131480   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   131480   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-12-20 18:20   459784   ----a-w-   c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\shellex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAHeadless"="c:\program files (x86)\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-10-09 615808]
"F.lux"="c:\users\User1\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-15 1013128]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"Jitsi"="c:\program files\Jitsi\Jitsi.exe" [2013-04-29 403208]
"Workrave"="c:\program files (x86)\Workrave\lib\Workrave.exe" [2011-03-24 3871246]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-05-31 673136]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-06-01 600928]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-08 46368]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-08 29984]
"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-05 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-05 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-08-28 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User1\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-8-15 36414752]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-6-9 1128224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys;c:\windows\SYSNATIVE\DRIVERS\ew_usbenumfilter.sys
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbwwan.sys
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe;c:\program files\Sony\VAIO Update 5\VUAgent.exe
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
S0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\DRIVERS\CSCrySec.sys;c:\windows\SYSNATIVE\DRIVERS\CSCrySec.sys
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys;c:\windows\SYSNATIVE\DRIVERS\CSVirtualDiskDrv.sys
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
S2 BecHelperService;BecHelperService;c:\program files (x86)\3 Mobile Broadband\3Connect\BecHelperService.exe;c:\program files (x86)\3 Mobile Broadband\3Connect\BecHelperService.exe
S2 CSObjectsSrv;CryptoStorage control service;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys;c:\windows\SYSNATIVE\drivers\rimssne64.sys
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys;c:\windows\SYSNATIVE\drivers\risdsne64.sys
S2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe;c:\program files\Sony\VAIO Care\VCPerfService.exe
S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe;c:\program files\Sony\VAIO Power Management\SPMService.exe
S2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe;c:\program files\Sony\VAIO Smart Network\VSNService.exe
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys;c:\windows\SYSNATIVE\DRIVERS\ArcSoftKsUFilter.sys
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys;c:\windows\SYSNATIVE\DRIVERS\SFEP.sys
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-14 15:24]
.
2014-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-14 15:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   164760   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   164760   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   164760   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04   164760   ----a-w-   c:\users\User1\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-12-20 18:22   492040   ----a-w-   c:\program files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-10-14 2278504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SVEE&bmod=SVEE
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\diskf9vw.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-Apoint - c:\program files (x86)\Apoint\Apoint.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=2000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\% C3 Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-16  11:55:42
ComboFix-quarantined-files.txt  2014-09-16 10:55
.
Pre-Run: 351,617,875,968 bytes free
Post-Run: 360,349,966,336 bytes free
.
- - End Of File - - CA5BF7D23088F596BA0C4A12DF3304C1

2014-09-16 10:54:26 . 2014-09-16 10:54:26               80 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Apoint.reg.dat
2014-09-16 10:54:02 . 2014-09-16 10:54:02              232 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2014-09-16 10:53:50 . 2014-09-16 10:53:50              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2014-09-16 10:53:40 . 2014-09-16 10:53:40              230 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKU-Default-RunOnce-SPReview.reg.dat
2014-09-16 10:37:06 . 2014-09-16 10:37:06           14,150 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2014-09-16 10:31:30 . 2014-09-16 10:31:30               51 ----a-w-  C:\Qoobox\Quarantine\catchme.log
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on September 16, 2014, 08:41:28 AM
Please update Malwarebytes' Anti-Malware and run a full scan of your system. Include all the drives that are currently connected, or that you may need to connect before we get this done. Are you still seeing any problems on your computer?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on September 16, 2014, 11:34:45 AM
I updated MWB and ran the scan as below. 

My Hotmail was hacked on 28th February while I was logged in and a load of spam was sent out until the account was blocked.  If I try to make a new Hotmail or Outlook account from this PC, no sooner than I register, I get an announcement that "Unusual activity has been detected in your account" and the new account is blocked.  The problem won't go away and I have successfully made new Hotmail accounts using the internet cafe, but as soon as I log in on my PC, they get blocked.

The folders with names like F:b523a7fe3baefddf6c922ed504c7 appeared at the same time as the infection.  Also, you mention an Autorun.inf on F:? 
Could it also be the case that the Hotmail Servers are able to identify my computer by hardware id and block every new account/log in attempt?


Malwarebytes Anti-Malware
http://www.malwarebytes.org

Scan Date: 16/09/2014
Scan Time: 17:39:21
Logfile: mwb.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.16.05
Rootkit Database: v2014.09.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User1

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363433
Time Elapsed: 8 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Softonic.A, HKU\S-1-5-21-626296814-2419440393-903187909-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\SOFTONIC\Universal Downloader, , [ada8618df18a2e08cc5c49da8e752dd3],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.Wajam.A, C:\Users\User1\AppData\Local\Wajam, , [460fba3453286acc689b4a8c6d95c33d],
PUP.Optional.Wajam.A, C:\Users\User1\AppData\Local\Wajam\Chrome, , [460fba3453286acc689b4a8c6d95c33d],
PUP.Optional.Updater.A, C:\Users\User1\AppData\Roaming\DSite\UpdateProc, , [064f6886b9c2ba7c62e2c927e61c916f],

Files: 2
PUP.Optional.Wajam.A, C:\Users\User1\AppData\Local\Wajam\Chrome\wajam.crx, , [460fba3453286acc689b4a8c6d95c33d],
PUP.Optional.Updater.A, C:\Users\User1\AppData\Roaming\DSite\UpdateProc\config.dat, , [064f6886b9c2ba7c62e2c927e61c916f],

Physical Sectors: 0
(No malicious items detected)


(end)
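The Malwarebytes log above lists each detection as `Family, Target, , [id],` under a `Section: N` header. As an added example (not Malwarebytes' own code; the sample excerpt below is constructed in the same layout, and its S-1-5-21 SID is a placeholder), this parses that layout and separates PUP hits from anything more serious:

```python
"""Parse a Malwarebytes Anti-Malware 2.x text scan log into structured
detections and summarise them by section and threat class.

Added example, not Malwarebytes' own code.  SAMPLE_LOG is a constructed
excerpt in the same layout as the log posted in the thread.
"""
import re
from collections import Counter

# Constructed sample: "Section: N" headers followed by detection lines.
SAMPLE_LOG = """\
Scan Type: Threat Scan
Result: Completed

Processes: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Softonic.A, HKU\\S-1-5-21-0-0-0-1000\\SOFTWARE\\SOFTONIC\\Universal Downloader, , [ada8618df18a2e08cc5c49da8e752dd3],

Folders: 2
PUP.Optional.Wajam.A, C:\\Users\\User1\\AppData\\Local\\Wajam, , [460fba3453286acc689b4a8c6d95c33d],
PUP.Optional.Updater.A, C:\\Users\\User1\\AppData\\Roaming\\DSite\\UpdateProc, , [064f6886b9c2ba7c62e2c927e61c916f],

Files: 1
PUP.Optional.Wajam.A, C:\\Users\\User1\\AppData\\Local\\Wajam\\Chrome\\wajam.crx, , [460fba3453286acc689b4a8c6d95c33d],

(end)
"""

# "Registry Keys: 1", "Files: 2", ... (a count after the section name)
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# "Name, Target, , [hexid],"  -- the field between target and id is empty here
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<target>.+?), (?P<extra>[^,]*), \[(?P<id>[0-9a-f]+)\],$"
)


def parse_mbam_log(text):
    """Return a list of dicts with section, name, family, target and id."""
    section = None
    results = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            name = m.group("name")
            results.append({
                "section": section,
                "name": name,
                "family": name.split(".")[0],   # PUP, Trojan, Backdoor, ...
                "target": m.group("target"),
                "id": m.group("id"),
            })
    return results


def summarise(detections):
    """Count detections per section and per threat class; list non-PUP hits."""
    return {
        "by_section": dict(Counter(d["section"] for d in detections)),
        "by_class": dict(Counter(d["family"] for d in detections)),
        "non_pup": [d for d in detections if d["family"] != "PUP"],
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarise(found))
```

An empty `non_pup` list, as in this log, means every hit is adware-class: unwanted, but not the kind of component that would explain an account being taken over mid-session.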
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on September 16, 2014, 01:00:03 PM
Are you using the webmail part of hotmail? If you are, then it is probably a cookie being set on your computer that lets hotmail recognize you.

Try logging in on your hotmail and see what happens.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on September 16, 2014, 01:56:36 PM
I tried clearing browser history and all cookies, then using private browsing.  Then I tried other browsers: IE and installed Opera, but still the same problem.  Is there some other way they can blacklist me?  IP address or MAC address or some hidden id number in my CPU? (intel i7 740qm)

I have read that people have had their accounts blocked when they tried to log in abroad so that indicates that Outlook/Hotmail monitor IP addresses.  They also have the feature that you can link your account with your 'machine name' for security so that you can only log in from a specific device.   I tried a different USB modem with a different SIM card - still the same problem.  There are a lot of cases on other forums of people having their account hacked and then having problems using the reactivation code.  Perhaps they have the same problem?

Did you see anything in the logs?  What about the strange folders on F: and C:?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on September 16, 2014, 03:33:27 PM
The bad problem is, those folders might be malware, or they might be part of windows. There is one more thing we can do to make sure before you contact hotmail to try and reactivate your account.

This needs to be done on a clean computer with a CD burner. If you don't have one, let me know. There are other instructions you can use with a thumbdrive.


Please download the Avira Rescue system (http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.exe) on the clean computer. Then go here (http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163) and there are instructions on how to burn the CD, how to run the scan with it, and how to save the log.

You need these instructions, because this scan is actually done after having booted to the CD which runs a Distro of Linux, so it is a little different from windows.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on September 18, 2014, 11:57:53 AM
I have a Samsung netbook, but it may also be infected.  I have ordered a USB to IDE cable to connect it to an IDE DVD burner so I can copy my data off and create the AVIRA CD.

First I need to get it clean, so I have a few questions. The internal hard disk has a recovery partition. 

Is there a chance the recovery partition is infected?  If I restore the machine using the recovery partition it will wipe everything back to factory but will it be clean? 

If I restore it using the recovery DVD instead, will it clean the whole PC, including the recovery partition?  I don't want to format the whole HDD because I want to keep a recovery partition in case I need it in future. 

How about formatting the whole disc with DBAN and then reinstalling via the DVD and making a new recovery partition based on what has been installed from the DVD that came with it?  Will that 100% guarantee it is clean?

I don't have a lot of data on the netbook, so I'm happy to wipe and reinstall to get at least one clean machine.  Any advice on the best way would be greatly appreciated.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on September 18, 2014, 01:52:16 PM
Can recovery partitions be infected? Absolutely. But generally speaking they are not, because there is an endgame for all the malware out there. It is either to get the author money, or a tool to use in a larger scheme, or for name recognition, something. An infection on the recovery partition would accomplish nothing. And if it were infected, then chances are the recovery would not happen. The file signatures would not match.

A factory restore would probably work. But you can also use DBAN to wipe the drive and use the Recovery DVD's you created. Either way is your choice.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on October 27, 2014, 10:01:07 AM
I didn't use the netbook due to DVD drive malfunction.  Instead I bought a new esata external HD, removed the infected internal HD from my main laptop and used the recovery CDs to reinstall onto the clean external drive.  I tried hotmail with a test account and there were no hijackings.  My main email address is still blocked.  This rules out hotmail blacklisting my IP or mac address.  The problem must be malware at my end.

I downloaded the AVIRA cd from the link you gave.  I removed the clean ext HD and put back the infected internal HD and booted the CD.  After a while, a GUI appeared but the mouse did not work.  The system tried to connect to the net to update itself but an error box appeared and I could not click the OK button.

I have found another AVIRA rescue CD download here:
http://www.avira.com/en/download/product/avira-rescue-system

It is not the same as the one you told me to use but I will try it.  Let me know if there is a way to get the first one working if I need it specifically.

Thanks
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on October 27, 2014, 10:33:55 AM
That is the same file. I just gave you a direct link instead of giving you the page. That one does have an ISO file that you can burn to a CD (burn an image) instead of having it create a CD. That might work better for you.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on October 27, 2014, 03:51:09 PM
I ran the new Avira CD and it was different to the other one and worked this time.  I scanned and it detected some viruses but I do not think they are the culprit.  Is there anything else that can be tried?  The logs are below:


Avira Rescue System Scan Report
Start: 18:53:47    End: 20:17:30
Detections:    2
Files treated:    2
Files scanned:    211527
Engine version:    8.3.24.40
VDF version:    7.11.181.158
Scan status:    Finished
Update Report
Update finished successfully!
Updated files:
vbase031.vdf 7.11.181.132 -> 7.11.181.158
aevdf.dat 7.11.181.132 -> 7.11.181.158
Update finished successfully
Details
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/imapmail/imap.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan    
Detection:    /target/C:/users/user1/appdata/roaming/thunderbird/profiles/pve7kfs0.default/mail/pop.gmx.com/inbox
Virus name:    TR/Crypt.Xpack.66273    file renamed
Virus Type:    trojan



Avira Rescue System Scan Report
Start: 20:39:23    End: 21:28:14
Detections:    1
Files treated:    1
Files scanned:    145757
Engine version:    8.3.24.40
VDF version:    7.11.181.186
Scan status:    Finished
Update Report
Update finished successfully!
Updated files:
vbase022.vdf 7.11.181.62 -> 7.11.181.163
vbase023.vdf 7.11.181.63 -> 7.11.181.164
vbase024.vdf 7.11.181.64 -> 7.11.181.165
vbase025.vdf 7.11.181.65 -> 7.11.181.166
vbase026.vdf 7.11.181.66 -> 7.11.181.167
vbase027.vdf 7.11.181.67 -> 7.11.181.168
vbase028.vdf 7.11.181.68 -> 7.11.181.169
vbase029.vdf 7.11.181.69 -> 7.11.181.170
vbase030.vdf 7.11.181.70 -> 7.11.181.171
vbase031.vdf 7.11.181.158 -> 7.11.181.186
aevdf.dat 7.11.181.158 -> 7.11.181.186
Update finished successfully
Details
Detection:    /target/H:/adata hd710/manualbackup140313/users/downloads/adlsoft_uncompressor_v2_3.exe
Virus name:    ADWARE/InstallCore.Gen    file renamed
Virus Type:    virus
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on October 27, 2014, 06:24:01 PM
You say your e-mail is still blocked? Are you meaning that you cannot login to it? Or you cannot send or receive email?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on October 28, 2014, 08:43:20 AM
My main email account got blocked when my PC was first infected.  I can put my username and password in and a screen comes up that says 'we have temporarily blocked your account'.  I cannot access my inbox at all or send messages.  To try to test if there was an infection, I created several new clean hotmail/outlook accounts.  If I create a test account on a clean PC, there are no problems with using the new account.  As soon as I log in to a clean test account from the infected PC, that account gets blocked.  Any attempt to access hotmail with any account using the infected computer results in immediate account block.  I have tried creating a new windows user on the infected pc and logging in from there, but the virus is still triggering the account to be blocked.  When I used a clean HDD so that the PC was not infected, my latest test account did not get blocked.  Therefore, hotmail have not blacklisted my IP address.  I can also log in to a clean test account using thunderbird even on the infected PC without the account being blocked.  Accounts that have already been blocked cannot log in with thunderbird.

I set up wireshark to monitor all network activity.  I then logged into hotmail on the infected PC using a clean test account and wrote down every IP address that was being connected to.  I then googled every IP address to see if they were legitimate.  They were all normal e.g. microsoft owned or akamai, etc.  That seems to rule out a key logger sending my keystrokes to an unauthorised machine.

My hypothesis is that there might be some malware that waits for me to start a session with outlook/hotmail using my web browser and as soon as I log myself in, it takes control of the account and tries to send spam as if it is me doing it through my session.  This way there is no need for the virus to connect with the hacker's computer, it can work all by itself.  The malware only gets in to my email when I use a web browser.  I have tried other browsers but it does not help.

Could it be something to do with java?  I disabled updates to preserve the state of the computer in case it helped locate the infection, but I could try updating java.  Also, are there any other settings I could change on my browser?  Is there any way to monitor processes that might hijack my browser?  If I could monitor java processes during my log in, maybe that would identify the problem?

Below I have copied some screenshots of what happens as the account gets hacked.  Continued on next reply (4 pics limit)
So, I log in to the clean account and click new message.  I compose the message and press send.   Instead of sending the message, the bar shows 'please verify your account'.  I have to do a captcha and after, it takes me back to the message I am composing.  The next time I press send, the account gets blocked.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on October 28, 2014, 08:48:54 AM
If I log out and log in again, I type in my password and then the page below comes up saying my account has been blocked and I can go no further.  It requests a phone number.  If I go through with this, it sends a code and you put in the code to get back into the account, and it just gets blocked again.  Something on my machine is invisibly joining in on my email sessions and I am going crazy trying to work out what it is!
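The Wireshark method described two replies up (note every destination contacted during a login, then check who owns each address) can be scripted. Added example, not from the thread: it reads constructed output in the shape of `tshark -T fields -e ip.dst -e tcp.dstport -e frame.len`, aggregates per destination and flags anything outside an allow-list; the allow-list here uses documentation ranges as placeholders, not real Microsoft or Akamai prefixes.

```python
"""Summarise which hosts a browser session talked to and flag destinations
outside an allow-list of expected networks.

Added example, not from the thread.  SAMPLE_EXPORT is constructed and mimics
tshark -T fields output (tab-separated: dst ip, dst port, frame length).
EXPECTED_NETS holds placeholder documentation ranges, not real provider CIDRs.
"""
import ipaddress
from collections import defaultdict

# Constructed sample capture of one webmail login (dst ip, dst port, bytes).
SAMPLE_EXPORT = """\
192.0.2.10\t443\t1514
192.0.2.10\t443\t1514
192.0.2.11\t443\t590
198.51.100.7\t443\t1200
203.0.113.99\t8080\t310
203.0.113.99\t8080\t310
192.168.0.1\t53\t80
"""

# Placeholder "expected" networks: in practice fill these from the owner
# lookups the thread describes (mail provider, its CDN, the local LAN/DNS).
EXPECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "192.168.0.0/24")
]


def parse_export(text):
    """Yield (ip, port, length) tuples from tshark -T fields style lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0]:
            continue            # skip blank or non-IP frames
        yield ipaddress.ip_address(parts[0]), int(parts[1]), int(parts[2])


def summarise_destinations(text, expected=EXPECTED_NETS):
    """Aggregate frames and bytes per (ip, port) and mark unexpected peers."""
    agg = defaultdict(lambda: {"frames": 0, "bytes": 0, "expected": False})
    for ip, port, length in parse_export(text):
        entry = agg[(str(ip), port)]
        entry["frames"] += 1
        entry["bytes"] += length
        entry["expected"] = any(ip in net for net in expected)
    return dict(agg)


def unexpected(summary):
    """Destinations that matched none of the expected networks, sorted."""
    return sorted(k for k, v in summary.items() if not v["expected"])


if __name__ == "__main__":
    summary = summarise_destinations(SAMPLE_EXPORT)
    for key, stats in sorted(summary.items()):
        flag = "" if stats["expected"] else "  <-- review"
        print(f"{key[0]}:{key[1]} frames={stats['frames']} bytes={stats['bytes']}{flag}")
```

As the poster observed, malware that rides the already-authenticated browser session produces only traffic to the provider itself, so an all-clean destination list rules out a separate exfiltration channel but not in-session abuse.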
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on October 28, 2014, 10:22:55 AM
If you use a different browser can you go thru the verification and send emails?
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: helpmeifyoucan on October 28, 2014, 11:56:19 AM
No the browser makes no difference.  I have tried Firefox, Chrome, IE and Opera.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on October 28, 2014, 01:57:22 PM
OK, try this.

I need you to reboot windows cleanly. To do that please go to the run command and type in msconfig. Once that starts, select Selective startup, and then uncheck Load startup items. Now click on the Services tab, and down near the bottom of the window, check the box that says Hide all Microsoft services. Now go up and uncheck all the services still listed; make sure you scroll down the list if you need to, so that all the non-Microsoft services are unselected. Now click Apply, then click OK and reboot the computer.

Now run Ccleaner, and make sure to remove all the cookies on your computer.

Now try resetting one of the e-mail accounts and see if you can continue to log on and use it. Once you know one way or the other, run msconfig again and select Normal startup, then click Apply, then OK, and reboot the computer. Let me know how it went.
Title: Re: [In Progress] Hotmail repeatedly hijacked
Post by: Hoov on February 16, 2015, 06:42:36 PM
This thread is being closed due to inactivity. If you need it reopened send me a PM. This applies to the originator only. Anyone else please start a new thread.