Solved My email and passwords have been compromised

Status
Not open for further replies.
Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.0.45.2
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.11) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
1. Update your Firefox.

2. Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
 
Kaspersky online is still downloading database updates. And I am using Firefox - is that OK or should I make the firefox changes and then do the Kaspersky Online Scan?
 
Kaspersky scan results

Scan finally completed - report attached
 

Attachment: Kaspersky scan results.txt (908 bytes)
Kaspersky reported something suspicious in your current mail:
- C:\Users\Jenni\AppData\Local\Microsoft\Outlook\Outlook.pst
Since I don't want to remove a whole folder, you'll have to be careful with what you open there.

=====================================================================

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Hi Broni thanks for this.

Thanks. One question before I do the above... since doing the fixes for MBR I have actually opened some emails - opened only, I did not click on links or open attachments. Is it possible that the issue is in an actual email itself and by opening it again have re-activated the problem? (I'm not sure which email it is, so I can't be sure if I have reopened the suspicious one.) Should I rerun anything?

Sorry for delay between posts, we are in different time zones and just got off work.
 
I did not click on links or open attachments
That's perfectly fine.
Don't click on any unknown links and make sure to scan every attachment with your AV program before opening.
Simple mail reading won't harm you.
 
Thanks - I have followed all the advice. I really appreciate your help.
I am still unsure how the issue could have arisen in the first place and how my ebay account and other passwords got compromised. From what you saw in the logs throughout the fixing process would you have any suggestions? What had happened and what the particular infection could have caused?
 
Well, unfortunately, I don't have a straight answer for you.
Your computer was infected with a rootkit and a couple of trojans.
A rootkit especially allows some outside source complete access to your computer.
That's how your passwords could be stolen.
I can't tell if that was the way your eBay account has been compromised, or if it was just hacked.

In any case, you'll need to create new account and change all passwords.

Is your computer doing fine at the moment?
 
Thanks Broni. My computer is behaving oddly when online. Long delays in page loads and then unexpected page refreshes.
Hanging sometimes and refuses to allow task manager view - got a message that said something like missing security view was preventing task manager - it said press esc or power off. Never had that before.
 
Hi - I don't know what the exact message was but it said something like security was preventing task manager view. It also said press escape or power down, which seemed like an odd message to get. I was using Firefox.
 
unresponsive script

That particular window, which required a restart, has not reoccurred. However I seem to have something interfering with my web browsing and other usage, e.g. typing into search field - nothing appears then after around 10 seconds the typed information appears - this is a new problem.
Also 100% CPU often and nothing visible in task manager to suggest why.

Also get a message re unresponsive script which is odd, as it references chrome and I do not have chrome - message attached.
 

Attachment: script unresponsive.PNG (28.8 KB)
However I seem to have something interfering with my web browsing and other usage. e.g. typing into search field - nothing appears then after around 10 seconds the typed information appears
Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Same thing?

Also get a message re unresponsive script which is odd, as it references chrome and I do not have chrome
Chrome is a CSS part of Firefox, but it's irrelevant in this case, because the above error is a particular website problem, not yours.

Also 100% CPU often
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.
 
Firefox safe mode seems to stop the problem with the unresponsive script error.

I have attached the txt file from the procexp.
 

Attachment: Procexp.txt (6.9 KB)
Firefox safe mode seems to stop the problem with the unresponsive script error.
It looks like one of your add-ons is causing your issues.
Restart FF in normal mode. Disable all add-ons.
Restart FF.
Doing fine?
If so, enable ONE add-on, restart FF.
Doing fine?
If so, enable next add-on.
Restart FF....and so on, until you find the culprit.

Main suspects are always toolbars, so start with them.


Something is not right in Process Explorer log. Your CPU usage really stays at 100%
Let's try to investigate.

Go Start>Run (Start Search in Vista), type in:
msconfig
Click OK (hit Enter in Vista).

Click on Startup tab.
Click Disable all
IMPORTANT! In case of laptop, make sure, you do NOT disable any keyboard, or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Restart computer in Normal Mode.

NOTE. If you use a different firewall than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
If you use Windows firewall, you're fine.

Post new Process Explorer log.
 
new process exp log

Have followed instructions and attached
 

Attachment: Procexp 927pm.TXT (4 KB)
It looks like McAfee is giving you issues.

Go back to "msconfig" and re-enable all startups and services, you just disabled.
Restart computer.

Uninstall McAfee, using McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

Download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Make sure to turn Windows firewall ON.

Post fresh Process Explorer log.
 
Avast installed

Have removed Mcafee and installed avast.
New proc exp log attached.
 

Attachment: Procexp 2030.TXT (4.2 KB)
Very nice :)
System Idle Process (CPU NOT used) is listed at 94.27% - perfect.
How is computer doing?
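
An added example, not part of the original thread or its attachments: one way to read a saved Process Explorer report the way the posts above do, by pulling out the System Idle Process percentage and ranking the busiest processes with their command lines. The tab-separated layout, the column names and the sample rows (including `example-scanner.exe`) are assumptions constructed for illustration.

```python
import csv
import io

IDLE = "System Idle Process"

# Constructed sample, NOT taken from the thread's attachments. Assumed layout:
# tab-separated, one header row, child processes indented with spaces.
SAMPLE_REPORT = (
    "Process\tPID\tCPU\tDescription\tCommand Line\n"
    "System Idle Process\t0\t2.31\t\t\n"
    "System\t4\t0.40\t\t\n"
    " services.exe\t520\t\tServices and Controller app\tC:\\Windows\\system32\\services.exe\n"
    "  example-scanner.exe\t1432\t96.10\tConstructed example\t\"C:\\Example\\example-scanner.exe\" /service\n"
    " explorer.exe\t2210\t1.19\tWindows Explorer\tC:\\Windows\\Explorer.EXE\n"
)

def parse_report(text):
    """Return one dict per process row; blank or unparsable CPU cells become 0.0."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    rows = []
    for rec in reader:
        name = (rec.get("Process") or "").strip()  # drop tree indentation
        if not name:
            continue
        cell = (rec.get("CPU") or "").replace("<", "").strip()  # "< 0.01" -> "0.01"
        try:
            cpu = float(cell) if cell else 0.0
        except ValueError:
            cpu = 0.0
        rows.append({"name": name, "pid": (rec.get("PID") or "").strip(),
                     "cpu": cpu, "cmd": (rec.get("Command Line") or "").strip()})
    return rows

def summarize(rows, top=3):
    """Return (idle_percent, busiest non-idle processes, highest CPU first)."""
    idle = sum(r["cpu"] for r in rows if r["name"] == IDLE)
    busy = [r for r in rows if r["name"] != IDLE and r["cpu"] > 0]
    busy.sort(key=lambda r: r["cpu"], reverse=True)
    return idle, busy[:top]

if __name__ == "__main__":
    idle, busiest = summarize(parse_report(SAMPLE_REPORT))
    print(f"Idle: {idle:.2f}% (high idle means the CPU is not in use)")
    for r in busiest:
        print(f"{r['cpu']:6.2f}%  {r['name']} (PID {r['pid']})  {r['cmd']}")
```
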
 
Hi - thanks. Computer running better, but I am a bit wary that something may still be amiss.
e.g. I keep getting messages that say windows updates are available which don't seem legitimate.

My Secunia scan shows that I needed 2 Firefox updates - one for Firefox 3.6 and one for Firefox 3.5 - not sure why I would even have 3.5 still - there is no update that I can access to remove that Firefox 3.5 from my Secunia threats list.
 
I keep getting messages that say windows updates are available which don't seem legitimate.
Can you post a screenshot?

Don't worry about Firefox in Secunia report. As long, as you keep FF updated, you'll be fine.
 