removing malicious software

Discussion in 'Et Cetera, Et Cetera' started by D_Gunther Snotpole, Mar 16, 2010.

  1. D_Gunther Snotpole

    Today, some malware took over my Yahoo email account and sent out advertisements for ED meds to everyone in that account's contacts lists.
    (Kinda hideous ... I mean, former employers, my elderly aunt, and stuff like that.)
    I am now 40 minutes into a spyware scan using software provided by my ISP.

    A couple questions:
    1) will anti-spyware software pick up pretty much all malware as well (i.e., does "spyware" equal "malware," or is spyware just a subset of malware)?

    2) If I have the right security software, does it tend to do the trick in cases like this?

    3) Should I also use System Restore to set my computer back to a date prior to the malware sinking its teeth in? (I'm using XP.)

    4) Is there any chance the problem lies with Yahoo and not with anything on my hard drive?


    This has never happened to me before. In another week or so, I will be using a computer with a Linux OS.
    I presume that machine will be far more immune to this type of crap.
     
    #1 D_Gunther Snotpole, Mar 16, 2010
    Last edited: Mar 16, 2010
  2. D_Jared Padalicki

    I have no idea. I always make sure my antivirus program does a scan. I also delete the temporary internet files...
    But I hope others will answer for you.
     
  3. B_spiker067

    Ruby dear, you'll never be 100% sure.

    But download windebug and the debug symbols. Also, download the Sysinternals tools, they're free (procexp is what you want to learn to use). That won't prevent infection, but it will tell you if you are compromised more so than an AV. It may even help you manually remove infections.

    If you've been rootkitted you've got problems and will probably want to install from scratch, but you'll never really know if you've been rooted unless you put up a Snort (and/or Splunk) machine on a stealth tap into your network and profile your network traffic.

    Or you could get a Mac and ClamXAV (and get relief for some time until China and the Eastern bloc hackers start targeting *nixes). :0)

    [If you go Linux, get something that installs AppArmor.

    Restore is a good idea. Also, try the onecare.live.com online scan and use the registry cleaner.]
     
    #3 B_spiker067, Mar 16, 2010
    Last edited: Mar 16, 2010
  4. StaffnRod

    My suggestion, senorR, from previous encounters
    (and should you have any doubts as to current scans):

    - Your HD boots or starts Win. at least, so it is likely OK but infected by Malware/Spyware.
    - The very first thing many Help sites advise with such Win. performance issues is to get Malwarebytes and use 2 basic tools to clean up a Windows system.
    } The reason for this is MalwB. finds certain insidious Trojans/Malw. embedded down to the core level...
    } These can be / are totally missed by usual AVG daily scans (and likely many other AV & AntiSpy).
    If you have not done so already:
    Basic Disk Cleanup Tool:
    - From Start > My Computer > C: right-click > Properties > Disk Cleanup > all Temp. Inet files > OK to delete (or in FFox > Tools menu > select 'Clear Private Data').
    - From Start > Control Panel > System Prop. > Sys Restore tab > Turn off Sys Restore
    - Then close & reopen the browser
    - Then download the free program (or copy) to the Desktop from www.Malwarebytes.org
    - Open the folder, find and click the file 'mbam###.exe', and follow the install prompts
    - Close your browser and email programs completely
    Malwarebytes:
    - At the first main screen, click the Update tab > Check for Updates button (to ensure the latest)
    - Likely will have a reboot or Restart NOW.... BUT disconnect from the modem FIRST
    - Open the Malw.Bytes main page, select Quick Scan (when time allows, do Full Scan > C:)
    - Accept any backups/deletions offered; MalwB. logs all steps (for reversal)
    - On reboot Normal (or to Safe Mode if many found), review MalwB. > Logs & Quarantine tab
    Check Disk Tool: (the setup steps)
    - Plan to run 'Check Disk' - setup steps herein are for novices (sorry for abbreviations)
    - Start > My Computer > C: right-click > Properties > Tools > Check Now button, and click both boxes > OK
    } A message box pops up... > OK 'to allow on next Restart', then choose based on ~2 hr. run time
    When ready to activate / run 'Check Disk':
    - Close all programs, disconnect from the modem, then Start > click the Turn Off button, then Restart
    - Watch: on a normal Restart a blue screen appears informing of the ChkDsk utility
    - ChkDsk will start running; see if OK into phase 2 -- it takes 5 long phases, so
    - Walk away to let ChkDsk run (try to note the time of day)
    - Assuming all goes well and you return to a clean Win. desktop,
    - try to open/run several progs. (MSWord, Adobe, etc.) and Start > My Computer > C: right-click > Explore
    } CHECK IF all is OK and normal pages open and function
    } From Start > Control Panel > System Prop. > Sys Restore tab > Turn ON Sys Restore
    } Note: ONLY NOW reconnect the modem and again reboot the computer
    - When back to normal Windows, you can right-click the dual monitor icons next to the time display to check the status / enable your Web connection, if needed.

    - See if this 3-step process gets you a clean, faster and normal Win. computer - hopefully
    - If not, simply close, and advise with notes of any of the above -- messages seen or errant functions..
    - As there is one more crazy step, I may suggest you check before I would forward you on to true Win Help forum experts..
    BTW.. Our very own MOD Pecker is a true MS-OS guru (;D
     
    #4 StaffnRod, Mar 16, 2010
    Last edited: Mar 16, 2010
  5. JF

    This could be it - your login credentials for your Yahoo account could have been compromised (maybe you logged on to that account elsewhere on a public / malware-infected computer ?). I'd advise changing your password for Yahoo as a starting point, and then working through any other online accounts which send mail to that Yahoo account (banking, online stores etc) and changing those passwords too. Remember never to use the same password at multiple sites.

    Of course, continue with the malware scans and use the most up-to-date OS patches / anti-virus definitions / malware definitions that you can lay your hands on.

    Here's a tip for making passwords for multiple sites that are easy to remember :

    Come up with a combination of 6 random characters, ensuring you include at least one number, one punctuation mark and one upper case character - e.g. r_1Ebk. This will form the core of your password at each site.

    For each site, take the first two letters of the site name (YAhoo, HOtmail, AMazon etc), reverse them and use them at the beginning & end of the core - e.g. Ar_1EbkY for Yahoo, Or_1EbkH for Hotmail, Mr_1EbkA for Amazon.

    Et voila - you have different passwords for each site which are easy to remember, but obscure enough that if one was compromised it wouldn't give any details away as to your passwords on other sites.
     
    #5 JF, Mar 16, 2010
    Last edited: Mar 16, 2010
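The derivation JF describes, written out as an added Python example (not JF's code or anything from the thread): it builds the per-site passwords from the core and site names JF gives, and then measures how much of any two derived passwords is identical, which is the property a defender would weigh against the scheme's convenience.

```python
from itertools import combinations

# Core and site names are the ones given in JF's post.
CORE = "r_1Ebk"
SITES = ["Yahoo", "Hotmail", "Amazon"]


def derive_password(core: str, site: str) -> str:
    """JF's scheme: take the first two letters of the site name, reverse
    them, and put one at each end of the shared core (YAhoo -> A...Y)."""
    first, second = site[0].upper(), site[1].upper()
    return f"{second}{core}{first}"


def longest_common_substring(a: str, b: str) -> str:
    """Plain dynamic-programming longest common substring; inputs are
    short, so the O(len(a) * len(b)) table is fine."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_fraction(core: str, sites: list) -> float:
    """Smallest fraction, over all pairs of derived passwords, of the
    longer password that appears verbatim in the other one.
    1.0 would mean two sites got identical passwords."""
    pws = [derive_password(core, s) for s in sites]
    fractions = [
        len(longest_common_substring(p, q)) / max(len(p), len(q))
        for p, q in combinations(pws, 2)
    ]
    return min(fractions)


if __name__ == "__main__":
    for site in SITES:
        print(site, derive_password(CORE, site))
    print("shared fraction between any two sites:", shared_fraction(CORE, SITES))
```

Every pair of derived passwords shares the six-character core, three quarters of each eight-character password, so one leaked password reveals most of every other one; that is the risk to weigh against the memorability JF points out.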
  6. nudeyorker

    Ohhhh so that e-mail was from you! I did not open it and sent it straight to the deleted bin. Maybe everyone else did the same. Sorry you are having problems... I mean with your computer.
     
  7. D_Gunther Snotpole

    Many thanks to everyone.
    I am switching to a new-to-me linux-operated computer very shortly.
    In the meanwhile, I will get cracking on many of the suggestions you kind folks have made.
     
  8. Incocknito

    Change your login details for Yahoo.

    Malicious software on your PC doesn't have access to your email account.

    Generally malicious software on your PC will slow it down but it won't be sending emails from your account.

    Personally I think it's very simple to avoid account "spoofing" and virus and malware / scareware infections. I don't understand why people are still having these problems.

    It takes literally five minutes to put the preventative measures in place that would stop you getting these problems.

    It takes at least an hour to install Linux. And you probably lose some functionality.

    Basically:

    Block website scripts
    Don't open emails from people you don't know
    Use an antivirus with Email Scanner
    Don't download/install suspicious files; if you do then scan them with antivirus software

    Do that and you won't have any problems.

    Of course you can allow scripts for websites such as LPSG, Facebook, Google etc. Just block the majority.

    FYI there is an add-on for Firefox called NoScript. That's all you need. Don't use Internet Explorer. It's about as safe as a house with no door.
     
  9. green carnation

    I had this exact problem, twice, but with Hotmail. Of course they said I had a bug on my computer, but when I scanned it with three different scans, one they suggested, they found nothing. I don't believe it is on my computer, as my computer mail is not affected, only my web-based email. I have deleted my contacts list and am considering closing my invocil account.
     
  10. green carnation

    Closing my Hotmail account, not my invocil account! Sorry. And I think we should all close our accounts until they help fix this problem.
     
  11. tripod

    Hmmm... your Yahoo account doesn't actually reside in your computer. It exists in the massive team of servers that Yahoo employs. Your Yahoo account being hacked might not have anything to do with your computer. Therefore a scorch and burn tactic of malware removal could possibly be useless and counterproductive.

    A Trojan Horse or even worse yet, a rootkit containing a keylogger would have accessed more than your Yahoo password by now... if that is the case, your Paypal account, eBay I.D., banking information etc. is at the same risk as your Yahoo account.

    Your Yahoo account password could have easily been hacked by lifting it out of your online stream, but it was most likely cracked using brute force techniques somewhere in Eastern Europe or China. The attack was most likely on the Yahoo server system where your password ultimately resides.

    I'm just sayin'...
     
  12. D_Gunther Snotpole

    Today has been, well, um, exciting.
    This morning, I couldn't access the internet through Firefox but could through Internet Explorer.
    I did system restore early on, and then found I couldn't get onto the internet at all.
    I phoned my ISP and was walked through the procedure for reconnecting and got back on.
    Firefox still wouldn't work though, so I reinstalled Firefox.
    Now, I'm sorta back to where I was, minus a feeling of security in this computer.
    But the new 'puter is coming soon.
    Pray for me, kidz.
    I probably need it.

    Now, I'm going to Yahoo Mail and changing my password.
    I've had two really serious crashes in the past.
    This one is worrying but registers only so-so on the Cataclysm Scale.
    And now I have all data backed up on an external hard drive, so, while I don't wanna tempt The Fates, I figure I'm sitting prettier in this situation than I ever have before.
     
    #12 D_Gunther Snotpole, Mar 16, 2010
    Last edited: Mar 16, 2010
  13. HazelGod

    Change them ALL while you're at it, and do it from another computer...or boot your machine from a LiveCD and change them. And if you bank online, keep an eagle eye on your accounts for the next several weeks.

    From your description, it sounds like your computer may have been infected with sniffer malware...gathering your id/password combinations as you surfed and relaying them to some remote server. Then his little botnet can log onto your Yahoo mail account and send messages to everyone whether your computer is on or not...not to mention, copying your address book and sending all your contacts an infected email that attempts to spread his little toy further.
     
  14. StaffnRod

    That does sound unusual and very suspect, senorR
    I thought maybe JF's easy Password solution would catch
    your problem, as that seemed to be the source.
    But your third sentence "did system restore" leads me to
    believe you are afflicted with Malware/Spyware/root Virus.
    That's due to the way XP restore points are chained &
    the OS is feeding off them on each reboot; so once a
    badboy file gets onboard, restoring only keeps it going.
    - Now I would certainly suggest you follow the steps
    given to get a Malwarebytes scan going on that machine.
    - You can even do it by tapping F8 at bootup, select
    'SAFE mode with networking' and still access the Web
    using IE as it is still available.
    - Again notice (or print) steps given - to disable system
    restore (clears all points) and disconnect from modem.
    - Willing to bet Malwb. will find bad issues and quarantine
    - then "Create" a new clean Restore point & Continue..
    (please excuse my instructs format- need to clean up those)
    Hope it helps- as JF's PW derivations & tripod's tips advise.
    Staffy
    ED- Wise man to have backups to Ext. drive, hopefully to incl. the Windows\system32 folder as well..
     
    #14 StaffnRod, Mar 16, 2010
    Last edited: Mar 16, 2010
  15. exwhyzee

    I got the same exact email from a family member's yahoo account this morning. You are not alone.
     
  16. D_Gunther Snotpole

    I do pay bills online.
    However, FWIW, I enter my password each time I open my online bank account ... the password is not memorized by my OS.
    (Not sure how much safety this affords, if I have someone following my keystrokes.)


    In ten minutes, I will be beginning a Malwarebytes scan.
    I'll keep you posted, stiffy.


    I do take a certain misery-loves-company satisfaction from this.
    But what's wrong with those fuckers that do these things?

    (Dumb question, I know. Lowlifes are always with us. Give them a new route to predation and they'll take it.)
     
  17. exwhyzee

     
  18. D_Gunther Snotpole

    I'm sure you're right, Ex.
    (Although a little more money would make me real virtuous.)

    In other news:
    I just tried to download Malwarebyte's antispyware software, but as I move from one page to another, I'm suddenly seeing a page for inKline Global's PC Repair Doctor.
    Is this a legitimate part of the Malwarebyte site?
    What does anyone advise?
     
  19. tripod

    This is further evidence that the attack was on Yahoo's servers and not on member's individual computers...

    You are fucked.

    Oh and FWIW, many of the anti-malware removers out there are nothing but more malware! lol!
     
  20. StaffnRod

    Whoa - just seeing this - that's not good
    Try the SAFE with networking bootup given -
    Then should try copy & paste or type the Malwarebytes link given prior into the address bar then Go.
    Once on their main page a link to D.Load their Free version is available.. along the left side as I recall.
    Then follow my instructs given (sounds like the culprit is even interfering with a proper install of Malw.bytes)
    - if still flaky and any weird messg. like that appear
    - I may have the answer having faced similar situation 12-'08
    (Re; my last sentence in 1st reply here)

    If further ?? PM me SenorR
    -with your exact vers. of XP & AntiV. software update
    Staffy
     
    #20 StaffnRod, Mar 16, 2010
    Last edited: Mar 16, 2010