My main email account got blocked when my PC was first infected. I can put my username and password in and a screen comes up that says 'we have temporarily blocked your account'. I cannot access my inbox at all or send messages. To try to test if there was an infection, I created several new clean Hotmail/Outlook accounts. If I create a test account on a clean PC, there are no problems with using the new account. As soon as I log in to a clean test account from the infected PC, that account gets blocked. Any attempt to access Hotmail with any account using the infected computer results in an immediate account block. I have tried creating a new Windows user on the infected PC and logging in from there, but the virus is still triggering the account to be blocked. When I used a clean HDD so that the PC was not infected, my latest test account did not get blocked. Therefore, Hotmail have not blacklisted my IP address. I can also log in to a clean test account using Thunderbird, even on the infected PC, without the account being blocked. Accounts that have already been blocked cannot log in with Thunderbird.
I set up Wireshark to monitor all network activity. I then logged into Hotmail on the infected PC using a clean test account and wrote down every IP address that was being connected to. I then googled every IP address to see if they were legitimate. They were all normal, e.g. Microsoft-owned or Akamai, etc. That seems to rule out a keylogger sending my keystrokes to an unauthorised machine.
My hypothesis is that there might be some malware that waits for me to start a session with Outlook/Hotmail using my web browser and, as soon as I log myself in, takes control of the account and tries to send spam as if it is me doing it through my session. This way there is no need for the virus to connect to the hacker's computer; it can work all by itself. The malware only gets into my email when I use a web browser. I have tried other browsers but it does not help.
Could it be something to do with Java? I disabled updates to preserve the state of the computer in case it helped locate the infection, but I could try updating Java. Also, are there any other settings I could change on my browser? Is there any way to monitor processes that might hijack my browser? If I could monitor Java processes during my login, maybe that would identify the problem?
Below I have copied some screenshots of what happens as the account gets hacked. Continued on next reply (4 pics limit)
So, I log in to the clean account and click new message. I compose the message and press send. Instead of sending the message, the bar shows 'please verify your account'. I have to do a captcha and afterwards it takes me back to the message I am composing. The next time I press send, the account gets blocked.
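The capture-and-check step described in this post (list every destination the infected PC talks to during a webmail login, then look each one up) can be automated instead of googling addresses by hand. The script below is an added example, not the poster's code and not a Wireshark or Microsoft tool: it parses a constructed CSV export of TCP conversations (the kind of data `tshark -z conv,tcp` produces, simplified here), tallies connections and bytes sent per destination, and flags destinations outside an expected provider netblock list. All IPs and the netblock are constructed RFC 5737 test ranges; a real allow list would come from the provider's published ranges or WHOIS/ASN data rather than from search results.

```python
"""Tally destination IPs from a constructed tshark-style conversation export
and flag those outside expected provider netblocks.

Hypothetical helper for the check described in the forum post above;
not the poster's code and not part of Wireshark. The input format, the
sample addresses and the netblock are constructed (RFC 5737 test ranges).
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one TCP conversation per line, simplified to CSV.
# columns: timestamp, src_ip, dst_ip, dst_port, bytes_sent_by_src
SAMPLE_EXPORT = """\
1.000,10.0.0.5,192.0.2.10,443,5120
1.200,10.0.0.5,192.0.2.11,443,2048
1.500,10.0.0.5,192.0.2.10,443,7300
2.100,10.0.0.5,198.51.100.7,443,91000
2.300,10.0.0.5,203.0.113.5,80,640
"""

# Placeholder for the netblocks the webmail provider is expected to use.
# Populate from the provider's published ranges or WHOIS/ASN data; this
# single test range stands in for them in the example.
EXPECTED_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_export(text):
    """Parse the CSV export into conversation dicts; malformed lines are skipped."""
    convs = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        convs.append({"ts": float(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return convs


def summarize_destinations(convs):
    """Aggregate per destination IP: number of conversations and bytes sent to it."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0})
    for c in convs:
        summary[c["dst"]]["count"] += 1
        summary[c["dst"]]["bytes"] += c["bytes"]
    return dict(summary)


def flag_unexpected(summary, netblocks=EXPECTED_NETBLOCKS):
    """Return (ip, count, bytes) for destinations outside every expected
    netblock, largest upload volume first so bulk exfiltration stands out."""
    flagged = []
    for ip, stats in summary.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in netblocks):
            flagged.append((ip, stats["count"], stats["bytes"]))
    flagged.sort(key=lambda t: t[2], reverse=True)
    return flagged


if __name__ == "__main__":
    convs = parse_export(SAMPLE_EXPORT)
    summary = summarize_destinations(convs)
    for ip, count, nbytes in flag_unexpected(summary):
        print(f"unexpected destination {ip}: {count} conns, {nbytes} bytes sent")
    # Caveat: malware that drives the browser's own, already-authenticated
    # webmail session creates no unexpected destination at all, so an empty
    # flagged list does not clear the host.
```

The sort by bytes sent is deliberate: a single large upload to an unfamiliar address is a stronger signal than many small connections. The closing caveat is the point the post itself makes: a man-in-the-browser style component that reuses the logged-in session would pass this check, so a clean destination list narrows the picture but does not rule the machine clean.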