Urgent, my trip.....

Tim Hall

New Member
Thread author
Feb 14, 2014
7
Hi - found your website previously when I had a problem on my pc which I managed to solve following your advice - my wife now has a problem on hers!!
Her email looks to have been hacked and her address (@btinternet.com) is sending messages to her address book contacts (although apparently sending under @yahoo.co.uk).
Message is titled "Urgent, my trip..." and says she has been mugged in the Philippines and can you send money blah blah blah
I've tried running McAfee Stinger (found nothing) and running Malwarebytes (off a stick) at present but nothing so far
I've hunted through your database but can't find this one but obviously may have started under something similar
Any ideas?
Any help gratefully received
Tim

Whoops - sorry, hers is Windows 7
 

Tim Hall

Hi,
really grateful for speedy response.
Hopefully I've attached what you were after
Sorry if I jumped the gun or did things in the wrong order
Many thanks
Tim
 

Attachments

  • FRST.txt
    39.1 KB · Views: 123
  • Addition.txt
    29.1 KB · Views: 96
  • aswMBR.txt
    1.5 KB · Views: 66

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Your PC seems clean, we will only clean some Adware.

From Control Panel uninstall:
- Ask Toolbar
- Ask Toolbar Updater

Restart your PC.


Then...


Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work).

Open FRST, and click Fix. Attach me that report after it is finished.




Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
 

Attachments

  • fixlist.txt
    1.6 KB · Views: 72

Tim Hall

Ok - Hopefully I've done it ok (afraid you're talking to a bit of a plank computer-wise)
 

Attachments

  • Fixlog.txt
    3.9 KB · Views: 86
  • AdwCleaner[S0].txt
    2.5 KB · Views: 118

Tim Hall

That's the problem I guess - not sure how you're supposed to know!
The emails seem to have been generated last night according to the people that keep phoning our house, but how I'm supposed to know if it will send another batch I'm not too sure. I was going to send an email to all her contacts but her address book seems to have been wiped - I can reset her passwords but not much point if bug is still there I assume.
I suppose all I can do is reset them and see if it happens again?
 

TwinHeadedEagle

Ok, let's make another scan, just to be sure:


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
 

Tim Hall

Sorry for delay
Had to pick my boy up from school
Please find report attached
 

Attachments

  • combofix.txt
    27.2 KB · Views: 102

Tim Hall

Brilliant - I've been reading up on some stuff on the internet and it seems BT is moving all its BT Yahoo mail users to BT and Yahoo have identified that "some" of its mail accounts have been compromised so it seems my wife isn't the only one. I'll change all the passwords and security questions and see what happens. Really appreciate all your help - at least I know that the rest of the PC is clean and it's sped up as well!
Hopefully it won't happen again
Really grateful for your time and help
 

TwinHeadedEagle

Yes, I had the problems with Yahoo myself lately. Since your PC is clean, we can remove used tools:



The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 

Tim Hall

Hi - sorry for late replying - we're actually moving house so I've had to pack all weekend.
After finding out about the problems with BT Yahoo accounts I took my life in my hands and went through BT and just thought I'd give you update in case you get anyone else with same problems - turns out there seems to have been a major problem with BT Yahoo mail accounts getting compromised - they won't say how many but it's a *significant* number. I went to the live chat with a BT rep and soon as I said it was a BT Yahoo mail account that had been hacked they phoned me back and got their second level team (whatever that is) to speak to me - went on a shared screen and spent about 20 mins on the phone and took me through various menus in their email system and deleted various rogue email settings that had been input by the hackers. Once all traces had been removed I changed all the passwords and both accounts are now apparently clean. Surprisingly enough, the whole thing went pretty well (anyone who has spent chunks of their life on the phone with BT trying to sort out problems will know what I'm talking about) which tends to make me think they know they've got a major problem and are throwing resources at it.
Anyway, along with what you did we've now got a clean PC, clean email and fast responses
Many thanks for time, patience and help - really is much appreciated

Unfortunately my wife isn't in Manila asking for euros to be sent to her - she is here telling me to pack another box

Tim
 
