email hack attacks, nothing found

Discussion in 'Malware Help (A Specialist Will Reply)' started by ginahoy, Mar 9, 2014.

  1. ginahoy

    ginahoy Private E-2

    My wife manages her aol email addy via Outlook Express client app installed on her computer. About a week ago I received one of those single line spam emails from her, promoting some website, with "Hi, there" or similar in the subject field. In addition, she received messages from several friends alerting her that her system was infected. I grabbed the latest definition file and ran MBAM. It found nothing.

    A dozen or so delivery failure notices had arrived in her inbox... attempts to send messages to invalid email addresses in her outdated OE Address Book. So it's obvious the hacker has access to her address book.

    I inspected the detailed header for the email I received. It does not appear to be a spoof, but appears to have been sent via aol webmail. This means the hacker must also have hacked her aol password (unless the bad guys have figured out a way to spoof the server hand-offs shown in the header).

    AOL locked her email account in response to suspicious activity, thus prompting a p/w change. She changed the p/w but two days later, another attack occurred with exact same MO. That means the process must still be alive on her computer, and able to hack stored p/w in OE.

    This time, I had her change her password on my computer and told her NOT to store it in OE client on her PC. Five days have passed with no more attacks.

    She can avoid further problems by using webmail or a different email client, but I gotta find and get rid of that virus!!

    In addition to running MBAM, I checked running processes and services and found nothing unusual. Beyond that, I'm pretty much at the limit of my diagnostic ability.

    So, I registered here and read carefully and followed the scanning / reporting instructions. Attached are log files. Nothing was found.

    THANKS FOR MAKING THIS GREAT SERVICE POSSIBLE!
     

    Attached Files:

    Last edited: Mar 9, 2014
  2. ginahoy

    ginahoy Private E-2

    In case they prove useful, here are the message headers for the messages I received. The originating servers are in Asia (no surprise) but the messages appear to have been sent via legitimate AOL webmail servers, which would require the password.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    IP addresses/URL's can always be spoofed.

    There are no obvious real malware problems showing. Potentially the Master Boot Record ( MBR ) is infected which is sometimes the case when email issues like this occur. Your MBR shows as unknown but that does not necessarily mean it is infected.

    Your larger problems are the below:
    1. A totally out-of-date and unsecure version of Windows is running. Why haven't you updated to Win XP SP3 and all other Windows updates? Windows XP SP2 is a major security risk, and add to it the below.
    2. Many other programs like Java are not updated!
    3. You have NO protection software installed!
    4. You are using MSconfig to control startup processes and have a variety of things trapped in there now that are not even installed anymore. Read this to better understand why not to use MSconfig: Dealing with Startup Process
    You need to update Windows immediately. In a couple more weeks you will no longer be able to do so since it will stop being supported. Also you need to update other software on this PC and remove old versions, like Java for example. All of the below need to be uninstalled.

    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    J2SE Runtime Environment 5.0 Update 6
    Java 7 Update 25
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 5

    Now install the current version of Sun Java from:

    Also uninstall Adobe Reader 7.1.0 and install the current version.
     
  4. ginahoy

    ginahoy Private E-2

    I opted not to install SP3 due to some compatibility horror stories I read about when first introduced. In any case, I avoid OS upgrades until forced to do so. My own system still runs SP2. But with Windows XP support ending next month, I suppose I should go ahead and install SP3. Thanks for the reminder.

    I refuse to run background protection s/w or a s/w firewall. Too many negative side effects and maintenance effort. Instead, I scan both systems every few months. I rarely find anything, which I attribute that to common sense browsing and email management, and using FF instead of IE (although I'm not sure that's still the factor it once was). I uninstalled Avira on my wife's system yesterday prior to running scans for this thread, and intend to replace with AVG (was already on my to-do list).

    Indeed I was remiss in not cleaning up old JAVA and maintaining the latest version on my wife's computer. She relies on me to keep her system up to date. I just took care of that. Thanks.

    I have used HijackThis over the years to remove certain unwanted processes, BHO's, etc., and use MSConfig as well as Services from Admin Tools to disable unnecessary services. For example, I only have about 17 background processes running after boot-up on my own PC, which helps with performance. I will be interested to read your page on MSConfig, as my methods are rather haphazard. On the other hand, I'm obsessive with making regular drive image backups. I'm hesitant to revert to a backup image in this case unless I can find the culprit.

    To the point of this thread, I'm curious about your comment regarding spoofing. I was under the impression that a trained eye can always tell if parts of a msg header are spoofed. I forwarded headers to an internet security expert I happen to know in the UK and he said the routing information in the header is legit. The fact that no attacks have occurred since the 2nd p/w change six days ago is consistent with this. On the other hand, if another attack were to occur now that p/w is no longer stored in OE, I would have to question my friend's assertion re: legitimacy of routing info in the msg headers I provided.

    In any case, the fact that my wife's address book was accessed suggests there must be an infection, although I suppose it's possible the process deleted itself.

    Regarding MBR, what would cause it to show as 'unknown'? Is there another tool I could use for this?

    Again, thanks for all of your advice.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bad idea and not too secure especially if you use your PC for anything requiring security ( online banking, online purchase, trying to keep emails private...etc ). Scanners miss tons of problems including rootkits and MBR infections which are known information stealers.

    Per our every day observations in this forum, IE is less of a problem than Firefox.

    Perhaps, but I don't think this is reliable unless you are capturing at the ethernet/IP packet level and decoding the contents there. Looking at the email headers is already much later in the chain, and they could have already been modified to make them look valid.

    Not likely that the infection, if any, deleted itself. More likely there was no infection and you just had your passwords stolen somehow. Possibly due to using public wifi to log into email accounts, using library, hotel, or other public and unsecure networks. Or even using a friend's PC to log in to your email accounts. A friend's PC could be infected.

    It is quite common that PC vendors use modified MBRs that are not the standard Windows MBR. And many of these are not recognized by tools used to read the MBR. Thus it is reported as unknown. Sometimes this could mean there is an infection. More frequently, it is just unknown. Repairing the MBR to create a true Windows MBR would make it recognized, but it could also make your PC unbootable if the MBR the vendor put there is really necessary for the PC to be fully functional. And even if the PC is still bootable, it could cause any special factory image restore partitions to now be unusable.
     
  6. ginahoy

    ginahoy Private E-2

    Which is exactly why I'm interested in scanning her MBR. See last comment below.

    According to my consultant, once the spammer sends the email, they can't affect routing headers that are automatically added as the message makes its way to the recipient's server. He said the spoofed routing declarations will always precede the real ones, meaning further down the string. The match-up of each subsequent IP in the routing path would necessarily be broken if an entry is spoofed. That was not the case here, which is why he believes the hacker actually used AOL webmail, thus must have had her p/w. Recall when she changed her p/w after the first attack, a second attack occurred the following day. How could that be explained if there's no script installed?

    Aside from the fact that the hacker captured her second p/w right away, my wife has never, ever accessed her email other than from home on her own computer. She doesn't even know how, and she doesn't have a smart phone.

    But even if my consultant is wrong about the limitations of msg header spoofing and the hacker doesn't have her p/w and was able to spoof the AOL webmail routing, he definitely has her complete address book. She rarely sends emails, and never to more than one person. Moreover, I noticed some of the delivery failure notices were for msgs sent to invalid domains that obviously came from her address book. For example, I made a couple of typos when I manually entered email addys for some family members (e.g., hotnail.com).

    Is there a way a hacker can copy an address book without installing a script on the PC?

    Thanks for the explanation. She has an IBM ThinkPad. No doubt ThinkPads have custom MBR. I will post in a ThinkPad forum I belong to see if anyone there knows of a MBR scanner that will work.

    BTW, I upgraded both computers to SP3. It took 3 passes to get everything that applied. Thanks again for the discussion!
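    The two claims above (the consultant's rule that each hop's "by" host has to reappear as the next hop's "from" host, and chaslang's earlier point that a header line is only as trustworthy as the server that wrote it) can both be checked mechanically. The following is an added example written for this thread, not code from either poster and not run against the attached headers: it parses the Received: lines of a constructed message (documentation IP ranges, .test hostnames), reports where the hop chain does not link up, and counts how many lines were actually written by hosts the recipient controls. The regexes are a deliberate simplification; real Received: lines vary in layout, and a line generated locally may have no "from" clause at all.

```python
"""Check a message's Received: chain for internal consistency.

Constructed example for this thread; the sample messages below are made
up (RFC 5737 documentation addresses, .test hostnames), not the headers
the poster attached.
"""
import re
from email import message_from_string

# Constructed message whose hops link up. Headers are prepended as the
# message travels, so the top Received: line is the LAST hop (the
# recipient's own server) and the bottom one is the earliest.
SAMPLE_CONSISTENT = """\
Received: from mail-out.example-isp.test (mail-out.example-isp.test [203.0.113.5])
    by mx.recipient.test with ESMTP id abc123
    for <user@recipient.test>; Sun, 9 Mar 2014 10:00:00 +0000
Received: from webmail-front.example-isp.test (webmail-front.example-isp.test [198.51.100.7])
    by mail-out.example-isp.test with ESMTP id def456;
    Sun, 9 Mar 2014 09:59:58 +0000
Received: from 192.0.2.44 (unknown [192.0.2.44])
    by webmail-front.example-isp.test with HTTP;
    Sun, 9 Mar 2014 09:59:55 +0000
From: someone@example-isp.test
To: user@recipient.test
Subject: Hi, there

http://spam.invalid/
"""

# Constructed broken chain: the middle hop says the message arrived from a
# host that differs from the one the bottom line claims to have handed off
# to, which is exactly the mismatch the consultant describes.
SAMPLE_BROKEN = SAMPLE_CONSISTENT.replace(
    "from webmail-front.example-isp.test (webmail-front.example-isp.test [198.51.100.7])",
    "from dsl-203-0-113-200.example-isp.test (unknown [203.0.113.200])",
)

# Simplified clause parsers; real Received: lines are more varied than this.
HOP_RE = {
    "from": re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE),
    "by": re.compile(r"\bby\s+(\S+)", re.IGNORECASE),
}


def received_hops(raw_message):
    """Return the Received: hops as {'from': host, 'by': host} dicts,
    in delivery order (earliest hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        hop = {}
        for key, pattern in HOP_RE.items():
            match = pattern.search(flat)
            hop[key] = match.group(1).lower().rstrip(";,") if match else None
        hops.append(hop)
    hops.reverse()  # top line was added last, so reverse into delivery order
    return hops


def chain_breaks(hops):
    """Indices i where hop i's receiving host is not hop i+1's sending host."""
    breaks = []
    for i in range(len(hops) - 1):
        if hops[i]["by"] is None or hops[i]["by"] != hops[i + 1]["from"]:
            breaks.append(i)
    return breaks


def trusted_hop_count(hops, own_hosts):
    """Walk from the last hop backwards and count lines written by a host
    in own_hosts. Everything below that point was written by somebody
    else's server (or typed by the sender) and is only as honest as they are."""
    count = 0
    for hop in reversed(hops):
        if hop["by"] in own_hosts:
            count += 1
        else:
            break
    return count


if __name__ == "__main__":
    for label, raw in (("consistent", SAMPLE_CONSISTENT), ("broken", SAMPLE_BROKEN)):
        hops = received_hops(raw)
        print(f"{label}: {len(hops)} hops, breaks at {chain_breaks(hops)}, "
              f"{trusted_hop_count(hops, {'mx.recipient.test'})} hop(s) written by our own MX")
```

Run against the consistent sample the chain has no breaks, but only one line (the one added by mx.recipient.test) was written by a server the recipient controls; the two lines below it say what the upstream servers reported, which is the limit chaslang pointed out. A break is good evidence that something was forged or misrecorded; an unbroken chain is only evidence that the lines are mutually consistent.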
     
  7. ginahoy

    ginahoy Private E-2

    As I was posting a question in the ThinkPad forum regarding MBR, I remembered that I had used EASEUS Partition Master to create another partition. Would this explain the "unknown" MBR result? And if so, would removing the partition allow your tools to properly scan the MBR?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe there is a misunderstanding here. I never stated that what we had you run did not check your MBR. The tools we ran did check it. RogueKiller simply reported an unknown MBR. And as I stated earlier, this does not mean it is infected. It just means that it is not a recognized standard MBR. I also stated this was likely because of your PC manufacturer putting in their own special MBR which is not a standard Windows MBR. Again this in no way means it is a problem. It just means the information in it is not standard. If it was truly infected, it would have shown up in one of the logs as a problem.

    In addition to RogueKiller, the logs from MGtools simply show that you have multiple partitions:
    Code:
      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     D                       DVD-ROM         0 B                     
      Volume 1     C   Local Disk   NTFS   Partition     46 GB  Healthy    System  
      Volume 2     E   Backup       NTFS   Partition     24 GB  Healthy            
     
    Disk 0 is now the selected disk.
      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Primary             46 GB    32 KB
      Partition 2    Extended            24 GB    46 GB
      Partition 3    Logical             24 GB    46 GB
      Partition 4    OEM               4474 MB    70 GB
     
    Get Partition Info From WMI in K-bytes                          
    ==============================================================  
    Bootable  Name                   Size         Type                     
    TRUE      Disk #0, Partition #0  49189077504  Installable File System  
              Disk #0, Partition #1  4691312640   Unknown                  
              Disk #0, Partition #2  26142842880  Extended Partition       
    
    There are no problems showing. For example there are no hidden partitions. The 4 GB partition is likely a factory restore partition.

    I cannot explain how your email password was stolen a second time if you have not been using other PCs to connect to the email, but if someone did at one time have access to the AOL login then they probably have all the contact info already.


    Possibly, but I don't think just modifying the partition would make it appear as unknown. That is more due to what I stated above and previously. Removing the partition probably would not change anything.


    There were no real significant issues in your logs. I have no idea whether you had any in the past before coming here though. Your logs only showed some Babylon junkware which you can remove by deleting the below folder:

    C:\Documents and Settings\ADM\Application Data\Babylon

    Also it would be a good idea to run the below tool.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Also as stated earlier, you need to update your software. The below are all security risks and need to be uninstalled and then replaced with current versions.
    Adobe Reader 7.1.0
    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    J2SE Runtime Environment 5.0 Update 6
    Java 7 Update 25
    Java(TM) 6 Update 22
    Java(TM) 6 Update 5

    See this >> https://www.java.com/en/download/faq/remove_olderversions.xml
     
    Last edited: Mar 14, 2014
  9. ginahoy

    ginahoy Private E-2

    I read too much into your comment. I understood 'unknown' just meant the tools couldn't say yes or no for the boot sectors for that partition.

    She doesn't use AOL webmail and thus never populated the online address book. Her addresses were only stored in OE, and as I said, she never sent emails to multiple recipients, thus ruling out involvement of a 3rd party. In fact, most of her address book entries were automatically captured by OE from professional newsletters and the like (I failed to turn off that option). Some of the delivery failure notices proved without a doubt that the perpetrator had access to her address book.

    After posting my previous comment I went ahead and removed the 4GB partition and resized E: to recover that space. I re-ran RogueKiller (attached) and was surprised it still lists the BSP partition with the 'MBR Code unknown' annotation. The partition tagged as COMPAQ (partition 1 on original RK report) is gone. That means the partition I created with Partition Master (logical drive E: ) is the one that RK flags as unknown MBR code.

    If the drive is truly not infected, the only logical explanation I can think of is that a script grabbed her address book and is no longer present, AND my consultant is incorrect about routing entries in the msg header not being spoofed. The fact that no further attacks have occurred since she changed her p/w suggests otherwise, but that's only circumstantial.

    I really do appreciate your engagement. At this point, I'm declaring victory and moving on (even though the engineer in me demands a logical explanation ;)
     

    Attached Files:

    Last edited: Mar 14, 2014
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay then, here is the most logical explanation from one engineer to another, and it is based on the info you supplied and what I collected in your logs.

    Your PC was extremely out of date with Windows Updates and also for many other software applications. Out of date software can be an extreme security risk and can allow open back doors into your PC that hackers can make use of. It is possible that some access to your PC was gained via this method and possibly various information was collected.

    I do also see a packet capture program ( WinPcap ) installed which could be used for this. WinPcap is a legit program and it is used by other legit programs including games. But it could also be used by hackers. Did you knowingly install this, or do you know if it has a legit use on your PC by another application? If not then you should uninstall it.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
    Last edited: Mar 15, 2014
  11. ginahoy

    ginahoy Private E-2

    No gaming here, but based on folder date, WinPcap was installed by aTube Catcher, a video stream capture utility I installed in 2010. I only used it a couple of times to capture youtube videos my wife wanted to save on her HDD. I went ahead and uninstalled both programs.

    I hear what you're saying about out-of-date software (although I did install SP3 and all subsequent security updates a few days ago). This is a deliberate strategy, a calculated risk if you will, to avoid all the time/hassle incumbent with constantly changing software, and to avoid the resource overhead.

    I see the PC as simply a tool and as long as it accomplishes what I need it to do, I prefer to leave 'well enough' alone as much as possible. For example, I didn't upgrade to XP until '08 when I was unable to log into my bank account. I refuse to install Adobe products on my PC (bloatware), although I maintain a legacy version of Acrobat Reader on my wife's PC to print state tax forms, as they won't work with the PDF reader I use. Heck, I still routinely use legacy DOS software to manage my finances.

    Over the years my unorthodox strategy has paid off in spades as I can count on less than one hand the issues I've had with viruses or other malware in more than a decade. Go figure. But in all previous instances I was able to identify the culprit and quickly recover.
     
