removing malicious software

D_Gunther Snotpole

Today, some malware took over my Yahoo email account and sent out advertisements for ED meds to everyone in that account's contacts lists.
(Kinda hideous ... I mean, former employers, my elderly aunt, and stuff like that.)
I am now 40 minutes into a spyware scan using software provided by my ISP.

A couple questions:
1) will anti-spyware software pick up pretty much all malware as well (i.e., does "spyware" equal "malware," or is spyware just a subset of malware)?

2) If I have the right security software, does it tend to do the trick in cases like this?

3) Should I also use System Restore to set my computer back to a date prior to the malware sinking its teeth in? (I'm using XP.)

4) Is there any chance the problem lies with Yahoo and not with anything on my hard drive?


This has never happened to me before. In another week or so, I will be using a computer with a Linux OS.
I presume that machine will be far more immune to this type of crap.
 
Ruby dear, you'll never be 100% sure.

But download WinDbg and the debug symbols. Also, download the Sysinternals tools; they're free (procexp is what you want to learn to use). That won't prevent infection, but it will tell you if you are compromised more so than an AV. It may even help you manually remove infections.

If you've been rootkitted you've got problems and will probably want to install from scratch, but you'll never really know if you've been rooted unless you put up a Snort (and/or Splunk) machine on a stealth tap into your network and profile your network traffic.

Or you could get a Mac and ClamXAV (and get relief for some time until China and the Eastern bloc hackers start targeting *nixes). :0)

[If you go Linux, get something that installs AppArmor.

Restore is a good idea. Also, try the onecare.live.com online scan and use the registry cleaner.]
 
My suggestion, senorR, from previous encounters
(& should you have any doubts as to current scans):

-Your HD boots or starts Win. at least, so it is likely OK but infected by Malware/Spyware-
-The very first thing many Help sites advise with such Win. performance issues - Is to get Malwarebytes and use 2 basic tools to cleanup a Windows system.
}The reason for this is MalwB. finds certain insidious Trojans/Malw. embeds down to the core level...
} These Can/Are totally missed by usual AVG daily scans (& likely many other AV & AntiSpy)
If you have not done already:
Basic Disk Cleanup Tool:
- From Start> My Computer> C: Right> Properties> Disk Cleanup> /all Temp.Inet files > OK to delete - (Or in FFox > Tools menu >select 'Clear Private Data'.)
- From Start> Control Panel> System Prop.> Sys Restore tab> Turn off Sys Restore
- Then Close & Reopen browser
- Then D.load Free program(or copy) to Desktop from www.Malwarebytes.org
- Open the folder/Find and click file- 'mbam###.exe'- Follow the install prompts
- Close your Browser and Email programs completely
Malwarebytes:
- At First Main screen- click Update Tab > Check for Updates button (to ensure latest)
- Likely will have a reboot or Restart NOW....BUT Disconnect from the Modem FIRST
- Open Malw.Bytes main page,.. Select Quick Scan.. (when time allows do- Full Scan> C:.. )
- Accept any backups/deletions offered and MalwB. logs all steps (for reversal)
- On reboot Normal (or to Safe Mode if many found), - Review MalwB. >Logs & Quarantine tab
Check Disk Tool: (the setup steps)
- Plan to Run 'Check Disk' - setup steps herein are for novices,(Sorry for abbreviations)
- Start> My Computer > C: Right> Properties> Tools > Check Now button.. and Click both boxes > OK
} message box pops up ... > OK 'to allow on next Restart' .. then choose based on ~ 2 hr. run time
When Ready To activate / Run 'Check Disk' :
- Close all Programs ..Disconnect from the Modem.. then Start > click Turn Off button then Restart
- Watch On a normal Restart ..... a blue screen appears informing of ChkDsk utility..
- ChkDsk will start running, see if OK into phase 2 -- it takes 5 long phases so
- Walk away to let ChkDsk run (try to note time of day)
- Assuming all goes well and you return to a clean Win. desktop,
- try to Open/Run several progs. MSWord, Adobe,etc.. and Start> My Computer > C: Right>Explore
} CHECK IF .. all OK and Normal pages Open and function
} From Start> Control Panel> System Prop.> Sys Restore tab> Turn ON Sys Restore
}Note: ONLY NOW.. Reconnect the modem and ...again Reboot the computer
-When back to Normal Windows, you can right-click the dual monitor icons next to the time display to check the Status/Enable your Web connection, if needed.

- See if this 3 step process gets you a clean, faster and normal Win. computer - hopefully
-If not, simply close, advise with notes of any above-- messages seen/ or errant functions..
- As there is one more crazy step, I may suggest you check before I would forward you on to true Win Help forum experts..
BTW.. Our very own MOD Pecker is a true MS-OS guru (;D
..
 

4) Is there any chance the problem lies with Yahoo and not with anything on my hard drive?

This could be it - your login credentials for your Yahoo account could have been compromised (maybe you logged on to that account elsewhere on a public / malware-infected computer?). I'd advise changing your password for Yahoo as a starting point, and then working through any other online accounts which send mail to that Yahoo account (banking, online stores etc) and changing those passwords too. Remember never to use the same password at multiple sites.

Of course, continue with the malware scans and use the most up-to-date OS patches / anti-virus definitions / malware definitions that you can lay your hands on.

Here's a tip for making passwords for multiple sites that are easy to remember :

Come up with a combination of 6 random characters, ensuring you include at least one number, one punctuation mark and one upper case character - e.g. r_1Ebk. This will form the core of your password at each site.

For each site, take the first two letters of the site name (YAhoo, HOtmail, AMazon etc), reverse them and use them at the beginning & end of the core - e.g. Ar_1EbkY for Yahoo, Or_1EbkH for Hotmail, Mr_1EbkA for Amazon.

Et voila - you have different passwords for each site which are easy to remember, but obscure enough that if one was compromised it wouldn't give any details away as to your passwords on other sites.
 
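The per-site password derivation described in the post above, written out as an added example (this is editorial code, not the poster's own, and not anything from Yahoo, Hotmail or Amazon). It assumes the rules exactly as stated: a fixed six-character core containing at least one digit, one punctuation mark and one upper-case letter, and the first two letters of the site name, upper-cased and reversed, wrapped around that core. The core `r_1Ebk` and the three site names are the constructed sample values the post itself uses.

```python
import string

# Constructed sample values, taken from the post: the shared core and the
# three site names it uses to illustrate the scheme.
SAMPLE_CORE = "r_1Ebk"
SAMPLE_SITES = ["Yahoo", "Hotmail", "Amazon"]


def core_meets_rules(core: str) -> bool:
    """Check the post's rules for the shared core: six characters with at
    least one digit, one punctuation mark and one upper-case letter."""
    return (
        len(core) == 6
        and any(c.isdigit() for c in core)
        and any(c in string.punctuation for c in core)
        and any(c.isupper() for c in core)
    )


def derive_site_password(core: str, site: str) -> str:
    """Derive the per-site password: take the first two letters of the site
    name, upper-case them, reverse them, and put them at the beginning and
    end of the core (second letter in front, first letter at the end)."""
    if len(site) < 2:
        raise ValueError("site name needs at least two letters")
    first, second = site[0].upper(), site[1].upper()
    return f"{second}{core}{first}"


def derive_all(core: str, sites) -> dict:
    """Map each site name to the password the scheme produces for it."""
    return {site: derive_site_password(core, site) for site in sites}


def all_distinct(passwords: dict) -> bool:
    """The post's stated goal: no two sites end up with the same password.
    Because the derivation only uses the first two letters of the site name,
    two sites that start with the same two letters collide."""
    values = list(passwords.values())
    return len(values) == len(set(values))


if __name__ == "__main__":
    assert core_meets_rules(SAMPLE_CORE)
    table = derive_all(SAMPLE_CORE, SAMPLE_SITES)
    for site, pw in table.items():
        print(f"{site:8s} -> {pw}")
    print("all distinct:", all_distinct(table))
```

Running the block reproduces the three passwords quoted in the post. `all_distinct` is the check for the post's "different passwords for each site" goal; it returns False as soon as two site names in the list begin with the same two letters, since those are the only characters the derivation varies.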
Ohhhh so that e-mail was from you! I did not open it and sent it straight to the deleted bin. Maybe everyone else did the same. Sorry you are having problems... I mean with your computer.
 
Change your login details for Yahoo.

Malicious software on your PC doesn't have access to your email account.

Generally malicious software on your PC will slow it down but it won't be sending emails from your account.

Personally I think it's very simple to avoid account "spoofing" and virus and malware / scareware infections. I don't understand why people are still having these problems.

It takes literally five minutes to put the preventative measures in place that would stop you getting these problems.

It takes at least an hour to install Linux. And you probably lose some functionality.

Basically:

Block website scripts
Don't open emails from people you don't know
Use an antivirus with Email Scanner
Don't download/install suspicious files; if you do then scan them with antivirus software

Do that and you won't have any problems.

Of course you can allow scripts for websites such as LPSG, Facebook, Google etc. Just block the majority.

FYI there is an addon for Firefox called NoScript. That's all you need. Don't use Internet Explorer. It's about as safe as a house with no door.
 
I had this exact problem, twice, but with Hotmail. Of course they said I had a bug on my computer, but when I scanned it with three different scans, one they suggested, they found nothing. I don't believe it is on my computer as my computer mail is not affected, only my web-based email. I have deleted my contacts list and am considering closing my invocil account.
 
Hmmm... your Yahoo account doesn't actually reside in your computer. It exists in the massive team of servers that Yahoo employs. Your Yahoo account being hacked might not have anything to do with your computer. Therefore a scorch and burn tactic of malware removal could possibly be useless and counterproductive.

A Trojan Horse or even worse yet, a rootkit containing a keylogger would have accessed more than your Yahoo password by now... if that is the case, your Paypal account, eBay I.D., banking information etc. is at the same risk as your Yahoo account.

Your Yahoo account password could have easily been hacked by lifting it out of your online stream, but it was most likely cracked using brute force techniques somewhere in Eastern Europe or China. The attack was most likely on the Yahoo server system where your password ultimately resides.

I'm just sayin'...
 
Today has been, well, um, exciting.
This morning, I couldn't access the internet through Firefox but could through Internet Explorer.
I did system restore early on, and then found I couldn't get onto the internet at all.
I phoned my ISP and was walked through the procedure for reconnecting and got back on.
Firefox still wouldn't work though, so I reinstalled Firefox.
Now, I'm sorta back to where I was, minus a feeling of security in this computer.
But the new 'puter is coming soon.
Pray for me, kidz.
I probably need it.

Now, I'm going to Yahoo Mail and changing my password.
I've had two really serious crashes in the past.
This one is worrying but registers only so-so on the Cataclysm Scale.
And now I have all data backed up on an external hard drive, so, while I don't wanna tempt The Fates, I figure I'm sitting prettier in this situation than I ever have before.
 
Now, I'm going to Yahoo Mail and changing my password.

Change them ALL while you're at it, and do it from another computer...or boot your machine from a LiveCD and change them. And if you bank online, keep an eagle eye on your accounts for the next several weeks.

From your description, it sounds like your computer may have been infected with sniffer malware...gathering your id/password combinations as you surfed and relaying them to some remote server. Then his little botnet can log onto your Yahoo mail account and send messages to everyone whether your computer is on or not...not to mention, copying your address book and sending all your contacts an infected email that attempts to spread his little toy further.
 
That does sound unusual and very suspect, senorR.
I thought maybe JF's easy password solution would catch your problem, as that seemed to be the source.
But your third sentence "did system restore" leads me to believe you are afflicted with Malware/Spyware/root Virus.
That's due to the way XP restore points are chained & the OS is feeding off them on each reboot; so once a badboy file gets onboard, restoring only keeps it going.
- Now I would certainly suggest you follow the steps given to get a Malwarebytes scan going on that machine.
- You can even do it by tapping F8 at bootup, select 'SAFE mode with networking' and still access the Web using IE as it is still available.
- Again notice (or print) steps given - to disable system restore (clears all points) and disconnect from modem.
- Willing to bet Malwb. will find bad issues and quarantine
- then "Create" a new clean Restore point & Continue..
(please excuse my instructs format- need to cleanup those)
Hope it helps- as JF's PW derivations & tripods tips advise.
Staffy
ED- Wise man to have backups to Ext. drive, hopefully to incl. the Windows\system32 folder as well..
 
Today, some malware took over my Yahoo email account and sent out advertisements for ED meds to everyone in that account's contacts lists.

I got the same exact email from a family member's yahoo account this morning. You are not alone.
 
And if you bank online, keep an eagle eye on your accounts for the next several weeks.
I do pay bills online.
However, FWIW, I enter my password each time I open my online bank account ... the password is not memorized by my OS.
(Not sure how much safety this affords, if I have someone following my keystrokes.)


... your third sentence "did system restore" leads me to
believe you are afflicted with Malware/Spyware/root Virus.
That's due to the way XP restore points are chained & the OS is feeding off them on each reboot; so once a badboy file gets onboard, restoring only keeps it going.
- Now I would certainly suggest you follow the steps given to get a Malwarebytes scan going on that machine.
- You can even do it by tapping F8 at bootup, select 'SAFE mode with networking' and still access the Web using IE as it is still available.
- Again notice (or print) steps given - to disable system restore (clears all points) and disconnect from modem.
- Willing to bet Malwb. will find bad issues and quarantine
- then "Create" a new clean Restore point & Continue..
(please excuse my instructs format- need to cleanup those)
Hope it helps- as JF's PW derivations & tripods tips advise.
Staffy
ED- Wise man to have backups to Ext. drive, hopefully to incl. the Windows\system32 folder as well..
In ten minutes, I will be beginning a Malwarebytes scan.
I'll keep you posted, stiffy.


I got the same exact email from a family member's yahoo account this morning. You are not alone.
I do take a certain misery-loves-company satisfaction from this.
But what's wrong with those fuckers that do these things?

(Dumb question, I know. Lowlifes are always with us. Give them a new route to predation and they'll take it.)
 
I'm sure you're right, Ex.
(Although a little more money would make me real virtuous.)

In other news:
I just tried to download Malwarebyte's antispyware software, but as I move from one page to another, I'm suddenly seeing a page for inKline Global's PC Repair Doctor.
Is this a legitimate part of the Malwarebyte site?
What does anyone advise?
 
I got the same exact email from a family member's yahoo account this morning. You are not alone.

This is further evidence that the attack was on Yahoo's servers and not on members' individual computers...

I just tried to download Malwarebyte's antispyware software, but as I move from one page to another, I'm suddenly seeing a page for inKline Global's PC Repair Doctor.
Is this a legitimate part of the Malwarebyte site?

You are fucked.

Oh and FWIW, many of the anti-malware removers out there are nothing but more malware! lol!
 
I'm sure you're right, Ex.
(Although a little more money would make me real virtuous.)

In other news:
I just tried to download Malwarebyte's antispyware software, but as I move from one page to another, I'm suddenly seeing a page for inKline Global's PC Repair Doctor.
Is this a legitimate part of the Malwarebyte site?
What does anyone advise?
Whoa - just seeing this - that's not good
Try the SAFE with networking bootup given -
Then should try copy & paste or type the Malwarebytes link given prior into the address bar then Go.
Once on their main page a link to D.Load their Free version is available.. along the left side as I recall.
Then follow my instructs given (sounds like the culprit is even interfering with a proper install of Malw.bytes)
- if still fluky and any weird messg. like that appear
- I may have the answer having faced similar situation 12-'08
(Re; my last sentence in 1st reply here)

If further ?? PM me SenorR
-with your exact vers. of XP & AntiV. software update
Staffy
 