Yahoo e-mail hijack; no browser redirect.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gman863, Feb 21, 2011.

  1. gman863

    gman863 MajorGeek

    I have a friend who has had her Yahoo (AT&T) e-mail account hijacked. Please bear with me while I go over the symptoms as they do not appear to be a standard redirect attack:

    * She checks, views and replies to e-mail online only using IE8. No e-mails are downloaded to a program such as Outlook or Eudora.

    * The spoofed e-mails hit in batches of up to 8 in 24 hours, then may not happen again for a few days. They are automatically sent to everyone in her online e-mail file. When I receive one, the header and subject are:

    Betty J Smith
    bettyjsmith

    In Outlook preview mode (as a recipient), only a hyperlink is displayed in the message body. It also shows "cc" to every other person in her address book.

    * The browser is not being redirected when going to the homepage or surfing. The e-mail home page appears to open normally and other pages can be typed in or chosen from favorites with no issues. No strange "pop-ups" or other typical malware symptoms.

    * She has two PCs: A notebook running XP Pro SP3 and a desktop running Windows 7 Premium 32-bit. Both are running up-to-date copies of AVG free and Advanced Windows Care 3.7.2 free. Windows Automatic Updates are enabled on both.

    * All toolbars have been disabled in IE8 and were uninstalled through Control Panel.

    * No other browsers (Mozilla, etc.) are in use.

    * A full scan of Malwarebytes found and removed 28 issues on the Win 7 PC. Malwarebytes found no issues in a full scan of the XP PC.

    * The junk e-mails ended for 48 hours, then a new wave of about 8 hit over a 12 hour period.

    * After the second wave of e-mails hit, I had her do a full rescan with Malwarebytes on both PCs; no problems found or fixed.

    * Although she has checked her e-mail online over the past two days, no more malicious e-mails have shown up. Her e-mail address is in my Outlook Contacts and nothing from her has been caught in the junk mail filter.

    I'm not seeing any obvious redirects in IE8 and Malwarebytes is showing a clean bill of health. What am I missing and how should I go about fixing it?

    Thanks in advance for your help.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    To fully rule out malware's presence on the machine the below will have to be followed.

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. gman863

    gman863 MajorGeek

    I ran the malware removal steps on both PCs in the house - one running XP Pro SP3, the other running Win 7 Premium. Both use IE8 as the primary browser.

    The strange part is the e-mail hijacker has come back twice. Each time it sends out about 7 or 8 spoofed e-mails (normally with just a hyperlink in the body) within a 24 hour period - then it stops for days or even a few weeks at a time.

    After the last two attacks, Malwarebytes (full scan) gave each PC a clean bill of health, as did AVG 2011 (on the XP machine) and Microsoft anti-virus (Win 7 PC).

    Other than the spoof e-mails sent to everyone in her address book there are no other issues (pop-ups, browser redirects, etc.).

    My friend swears she deletes suspicious e-mails without opening them and never clicks on any links or opens suspicious attachments.

    Here are the steps I plan to take on my next visit:

    * Set the browser to clear all cookies, history, etc. when closed (no stored names, passwords, etc.).

    * Set up MS Outlook to download all e-mails (currently she does all reading and sending online through her Yahoo e-mail homepage). Hopefully Outlook will do a better job of filtering things.

    What am I missing? Since the malware infection seems to hit-and-run without warning, I'm at a loss.

    Thanks in advance for any other tips or help you can provide.
     
    Last edited: Mar 6, 2011
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just tell your friend to change her email password using another machine. I don't think she is infected, it is just a spam problem.
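The pattern this thread describes (mail apparently from a known contact, a body that is nothing but a hyperlink, the rest of the address book in cc, arriving in short waves) can be screened for on the recipient side. The Python script below is an added example, not code from the thread or from MajorGeeks; every address, name and date in it is a constructed placeholder, and the thresholds (three or more recipients, two flagged messages within 24 hours) are assumptions chosen to illustrate the heuristic. It parses a few raw messages with the standard library, flags those that match all three symptoms, and reports senders whose flagged messages cluster inside a 24-hour window.

```python
"""Recipient-side triage for the hijacked-webmail pattern from the thread:
a message from a known contact whose body is only a hyperlink and which is
copied to a large part of that contact's address book, arriving in waves.

Added example only. All addresses, names and dates are constructed
placeholders; the thresholds are assumptions, not values from the thread."""
import re
from datetime import timedelta
from email import message_from_bytes, policy

# Body that is a single URL (optionally angle-bracketed) and nothing else.
URL_ONLY = re.compile(r"\s*<?https?://\S+>?\s*")

# Constructed address book of the recipient (placeholder domain).
KNOWN_CONTACTS = {"bettyjsmith@example.invalid"}

# Constructed raw messages: two match the pattern, one is ordinary mail.
SAMPLE_MESSAGES = [
    b"""From: Betty J Smith <bettyjsmith@example.invalid>
To: friend1@example.invalid
Cc: a@example.invalid, b@example.invalid, c@example.invalid, d@example.invalid, e@example.invalid
Date: Mon, 21 Feb 2011 09:00:00 -0600
Subject: hi
Content-Type: text/plain

http://promo.example.invalid/offer
""",
    b"""From: Betty J Smith <bettyjsmith@example.invalid>
To: friend1@example.invalid
Date: Mon, 21 Feb 2011 11:30:00 -0600
Subject: Re: dinner Saturday
Content-Type: text/plain

Sounds good, see you at 7. Map: http://maps.example.invalid/abc
""",
    b"""From: Betty J Smith <bettyjsmith@example.invalid>
To: friend1@example.invalid
Cc: a@example.invalid, b@example.invalid, c@example.invalid, d@example.invalid
Date: Mon, 21 Feb 2011 15:00:00 -0600
Subject: hi
Content-Type: text/plain

<http://promo.example.invalid/offer2>
""",
]


def parse_message(raw: bytes):
    """Parse a raw RFC 5322 message with the modern EmailMessage policy."""
    return message_from_bytes(raw, policy=policy.default)


def recipient_count(msg) -> int:
    """Total addresses across To and Cc; a mass-cc blast inflates this."""
    total = 0
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is not None:
            total += len(header.addresses)
    return total


def body_is_only_link(msg) -> bool:
    """True when the plain-text body consists of a single URL and nothing else."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    return URL_ONLY.fullmatch(part.get_content()) is not None


def classify(raw: bytes, known_contacts, cc_threshold: int = 3) -> dict:
    """Score one message; 'suspicious' requires all three symptoms together."""
    msg = parse_message(raw)
    sender = msg["From"].addresses[0].addr_spec.lower()
    reasons = []
    if sender in known_contacts:
        reasons.append("from a known contact")
    if body_is_only_link(msg):
        reasons.append("body is only a hyperlink")
    if recipient_count(msg) >= cc_threshold:
        reasons.append("mass cc")
    return {
        "sender": sender,
        "date": msg["Date"].datetime,
        "suspicious": len(reasons) == 3,
        "reasons": reasons,
    }


def find_waves(results, window=timedelta(hours=24), min_count: int = 2) -> dict:
    """Map sender -> largest number of flagged messages inside one window.
    Several flagged messages from one contact in a day is the 'wave' the
    thread describes; it points at that contact's account, not this PC."""
    by_sender = {}
    for r in results:
        if r["suspicious"]:
            by_sender.setdefault(r["sender"], []).append(r["date"])
    waves = {}
    for sender, dates in by_sender.items():
        dates.sort()
        best = max(
            sum(1 for d in dates[i:] if d - start <= window)
            for i, start in enumerate(dates)
        )
        if best >= min_count:
            waves[sender] = best
    return waves


def triage(raw_messages=SAMPLE_MESSAGES, known_contacts=KNOWN_CONTACTS):
    """Run the heuristic over a batch and return per-message results and waves."""
    results = [classify(m, known_contacts) for m in raw_messages]
    return results, find_waves(results)


if __name__ == "__main__":
    results, waves = triage()
    for r in results:
        print(r["date"].isoformat(), r["sender"], r["suspicious"], r["reasons"])
    print("waves:", waves)
```

A match says something about the sender's account, not about the recipient's machine, which is consistent with the staff advice above: the fix is a password change made from a machine known to be clean, not further scanning of the PC that received the mail.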
     
