Mail account hacked

Sailor · Jun 27, 2013

Hello, I am trying to clean up my fathers work PC. We have a corporate mail server with 6 addresses. Two days ago, one of those addresses started sending excessive spam and all the passwords were changed by our host. They informed me that the account had been hacked and that someone attempted to hack into the account again after the password was changed.

Note that the computer had malware issues a couple of months ago. Files went missing and it would launch no application at all. This was hastly fixed by creating a new user account, tranfering documents there, installing and running Kaspersky on this new account.

Back to the hacked mail account, before I type in the new passwords on Thunderbird, I want to make sure that the system is clean. I will be soon attaching the logs from all the scans indicated in the removal guide for Win XP.

chaslang · Jun 27, 2013

Sailor said: ↑

I will be soon attaching the logs from all the scans indicated in the removal guide for Win XP.
Click to expand...

Okay. Once you do this we can continue. In many cases hacked email accounts are just do to someone getting your login and passwords. Either due to week passwords or possibly from accessing the email account from a PC that has malware problems or that is in an unsecure network ( like public Wi-Fi ).

Sailor · Jun 28, 2013

Ok here are the logs. Looks like someone had installed a bad Photoshop on this PC. :-o Kind of embarassing but it is not my personal computer. Maybe it didn't have anything with the stolen password but I'm not qualified to tell.

Can you suggest of a way to protect myself when accessing email from a public pc? I often have to check my mails from university or a hotel PC. Could a portable workspace, booting from USB, help?

chaslang · Jun 29, 2013

Sailor said: ↑

Can you suggest of a way to protect myself when accessing email from a public pc?
Click to expand...

There is no guaranteed safe way. You cannot be sure whether the PC or network is safe.

Sailor said: ↑

I often have to check my mails from university or a hotel PC. Could a portable workspace, booting from USB, help?
Click to expand...

It is unlikely that the school or hotel PCs would allow you to use a USB or CD boot environment but this would be a safer choice than just using the PC in normal mode. Also you may not have the drivers require for network access to work. In addition you still cannot be guaranteed that a hotel PC and network is safe especially if it is wireless. A school network should be safer but you still don't know that the PC itself is not infected.
Sailor said: ↑
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10005&barid={C9598405-6BA0-11E2-8026-001FD0A6BAFB}
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe

After clicking Fix, exit HJT.

Uninstall the below software:
Internet Explorer Toolbar 4.7 by SweetPacks
Java(TM) 6 Update 21
Java(TM) SE Runtime Environment 6 Update 1
SweetIM for Messenger 3.7
SweetPacks Toolbar For Firefox 1.11.0.2

Please download OTM by Old Timer and save it to your Desktop.

Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
the code box
Code:
:Processes
explorer.exe

 
:Files
C:\Documents and Settings\All Users\Application Data\McAfee
C:\Documents and Settings\DROP_2\Τα έγγραφά μου\Downloads\Adobe Photoshop CS5 Extended - Ελληνικό x86\
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\DROP_2\Local Settings\TEMP\*.*


:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Funmoods]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
) and choose Paste.

Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.

If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.

The tool will open and start scanning your system.

Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

the C:\_OTM\MovedFiles log

the JRT.TXTlog

C:\MGlogs.zip

Make sure you tell me how things are working now!
Click to expand...

Sailor · Jul 1, 2013

One step did not go according to plan so I thought I should report it before proceeding. I did the HJT fix (explorers closed) and then I went on to uninstall the old Java RE. The problem is that I could not locate the Sweetpacks on the add/remove list, or the programs list from the Start menu. I did find a folder in the Program Files with an uninstaller exe (@ C:\Program Files\SweetIM\Installers). I clicked the uninstaller and it disappeared without doing much else. Does this complicate anything?

Other than that, the computer is running fine, I have accessed the emails with Thundebird but I didn't save the passwords, I copy/paste them every time.

chaslang · Jul 1, 2013

Sailor said: ↑

One step did not go according to plan so I thought I should report it before proceeding.
Click to expand...

Please just keep on going thru with the rest of the instructions

Sailor said: ↑

I have accessed the emails with Thundebird but I didn't save the passwords, I copy/paste them every time.
Click to expand...

This does not guarantee protection.

Log in or Sign up

Mail account hacked

Sailor First Sergeant

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Sailor First Sergeant

Attached Files:

RKreport[0]_S_06272013_151027.txt

mbam-log-2013-06-27 (15-16-54).txt

TDSSKiller.2.8.16.0_27.06.2013_15.28.21_log.txt

HitmanPro_20130627_1544.log

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Sailor First Sergeant

chaslang MajorGeeks Admin - Master Malware Expert Staff Member