
Yahoo mail account hacked, please help :(

Discussion in 'Windows - Virus and spyware problems' started by chico1984, Mar 11, 2013.

Thread Status:
Not open for further replies.
  1. chico1984 (Member)

    Hi there guys, my Yahoo mail account got hacked last night and loads of spam emails were sent (a spam link). This is my personal and business account, so this will have a major effect on me.

    Yahoo also emailed me saying

    "We detected a login attempt with valid password to your Yahoo! account from an unrecognized device on Mon, Mar 11, 2013 8:32 AM CET.

    Location: Serbia (IP=178.148.103.66)"

    In my sent box there doesn't seem to be any emails sent, but many customers have replied saying they received the spam email. Any help here would be much appreciated; I have run a lot of searches on the subject but can't find any definite answers on preventing this from happening again. I've changed my Yahoo mail password; are there any other precautions? Also, is there a way to see who this email was sent to, so I can email my customers with an explanation/apology?

    Many thanks
     
  2. aldan (Active member)

    Change your password.
     
  3. chico1984 (Member)

    Thanks for the reply. I did that immediately; I also created a security seal (I still don't fully understand that). So that should do the trick? I'm running the free AVG security; do you think there is any chance I have something on my computer? Thanks again. Chico
     
  4. 2oldGeek (Active member)

    Download HijackThis and post a log; we'll see.

    2oG
     
  5. chico1984 (Member)

    Hi there 2oldGeek :) Thanks for the reply. I've downloaded HijackThis, but I'm getting that message saying

    " For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\Windows\System32\drivers\etc\hosts and press enter. Find the line(s) HijackThis reports and delete them. Save the file as ‘hosts.’ (with quotes), and reboot."

    I opened up the hosts file, but I can't seem to find the HijackThis reports they talk of. It's not on there, or am I missing something maybe?

    Thanks again for your help. It feels really awkward knowing all my customers have been receiving spam emails from me (a single dodgy link). These emails are not in my sent box though; I wish they were, then I would know who has been contacted so I can warn them that I was hacked and apologise, etc. So this is much appreciated. Thanks again. Chico
     
  6. 2oldGeek (Active member)

    You get that message because you have UAC turned on. Just disregard it; there are no reports.

    Right-click the HJT icon and run as administrator to bypass that error message.

    Go to the Main Menu and click "do a system scan and save log file".

    A log will pop up when the scan is over. Copy it and post it here.

    2oG

    PS: I may not get back to you tonight, but will as soon as possible.
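As an added example for the hosts-file question in posts 5 and 6 (it is not part of the thread and not a HijackThis feature): a HijackThis O1 entry is simply a hosts line that points a well-known domain somewhere it should not go, so a script that parses the file and flags such lines shows concretely what one would be looking for. The sample hosts content and the list of sensitive domain suffixes are constructed for illustration; HOSTS_PATH is the Windows 7 default location quoted in the HijackThis message above.

```python
"""Flag hijacked entries in a Windows hosts file.

Added example, not part of the thread or of HijackThis. SAMPLE_HOSTS is
constructed; SENSITIVE_SUFFIXES is an illustrative assumption, not a full list.
"""
import ipaddress
from collections import namedtuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains that infections typically blackhole (to stop AV/OS updates) or
# redirect (to capture logins). Assumption: short, illustrative list.
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avg.com",
                      "yahoo.com", "google.com", "mozilla.org")

# Constructed sample: the Windows 7 default header (loopback lines commented
# out), one legitimate LAN entry, one blackhole and one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
192.168.1.20    nas.home             # legitimate LAN shortcut
127.0.0.1       update.avg.com       # blackhole: AVG updates silently fail
203.0.113.45    login.yahoo.com mail.yahoo.com   # redirect: logins go elsewhere
"""

HostFinding = namedtuple("HostFinding", "line ip host severity reason")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield n, parts[0], [h.lower() for h in parts[1:]]


def is_local(ip):
    """True for loopback (127/8, ::1) and 0.0.0.0: a blackhole rather than a redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_sensitive(host):
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_text(text):
    """Return findings in file order. localhost -> loopback is the only mapping ignored outright."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for h in hosts:
            if h == "localhost" and is_local(ip):
                continue
            if is_sensitive(h):
                reason = ("blackholed; updates/logins for it silently fail" if is_local(ip)
                          else "redirected to %s; credentials would go there" % ip)
                findings.append(HostFinding(n, ip, h, "high", reason))
            elif not is_local(ip):
                findings.append(HostFinding(n, ip, h, "info", "non-loopback mapping; confirm you added it"))
    return findings


def audit_file(path=HOSTS_PATH):
    """Reading the file needs no elevation; only writing it does (hence the UAC message above)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(fh.read())


if __name__ == "__main__":
    for f in audit_text(SAMPLE_HOSTS):
        print(f"line {f.line:2} [{f.severity}] {f.ip:15} {f.host}: {f.reason}")
```

Run as-is it audits the constructed sample; `audit_file()` reads the live hosts file. A domain mapped to 127.0.0.1 or 0.0.0.0 is a blackhole (the classic way to break AV and Windows Update), a login domain mapped to a remote address is a redirect, and a plain LAN entry is reported only so the owner can confirm it is theirs.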
     
  7. chico1984 (Member)

    Hi there 2oG, no rush whatsoever, I appreciate you helping me at all.

    OK, I have followed your instructions and I have pasted the log file. Many thanks again, and speak soon.

    Chico

    -------------------------------
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:55:51 PM, on 3/12/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16464)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Users\damo\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe
    C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://isearch.avg.com/?cid={C01BC703-FBFE-4252-8944-8EAE58D6B38F}&mid=f450ba74f89f4474b53645499a7cd636-5f39e13f0bead2f09c20a5e67fe7fd30e0cec00f&lang=en&ds=gm011&pr=sa&d=2012-07-22 15:52:08&v=12.1.0.20&sap=hp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
    O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll
    O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
    O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKLM\..\Run: [DLSService] "C:\Program Files\DYMO\DYMO Label Software\DLSService.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\damo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: iMindMap6 Preloader.lnk = C:\Users\damo\.thinkbuzan\imindmap6\preload\iMindMap6_Preloader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
    O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DYMO PnP Service (DymoPnpService) - Sanford, L.P. - C:\Program Files\DYMO\DYMO Label Software\DymoPnpService.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\system32\NLSSRV32.EXE
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: vToolbarUpdater14.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe

    --
    End of file - 8444 bytes
     
  8. 2oldGeek (Active member)

    Chico1984,

    You've got some unknowns, a bad search engine and the uTorrent toolbar.

    Any P2P software is bad. uTorrent will call bad URLs and Trojans to infect your computer.

    Let’s run some clean-up programs and see just how infected you are:
    First let's clean out your Temp Folders:
    Download and Run Temp File Cleaner (TFC.exe)

    Download Temp File Cleaner and save it to your desktop.

    You might want to Save any unsaved work. TFC will close ALL open programs... including your browser!

    Double click to run it.
    If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
    When it's done, it will report the total size of files removed. If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
    After Restart, log back in to your usual account.

    After rebooting, run the following programs and save the log files:

    1.) Security Application Check:

    Please download and save SecurityCheck.exe to your Desktop from one of the links below.

    Link 1 http://www.bleepingcomputer.com/download/securitycheck/
    Link 2 http://screen317.spywareinfoforum.org/SecurityCheck.exe
    • Double-click SecurityCheck.exe then follow the on-screen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of the checkup.txt in your next reply.
    2.) Scan with AdwCleaner:

    Please download adwcleaner from here and save to your desktop.

    Alternate downloads are here or here.
    • Double click on adwcleaner.exe to launch the application.
    • Now click on the Delete tab.
    • Please post the contents of the log-file created in your next post.

    Note: The log can also be located at C: >> AdwCleaner[XX].txt, where XX denotes the number of times the application has been run, so in this case it may be something like R1.
    3.) Junkware Removal Tool

    1. Please download jrt.exe ... and save it to your desktop.
    2. Please temporarily disable your security/protection software as found here, to avoid potential conflicts.
    3. If running Vista or Win7, right-click jrt.exe and select "Run as Administrator";
    otherwise just double-click it.
    The tool will open and start scanning your system. Please be patient, it can take a while depending on your system.
    On completion, a log file JRT.txt is saved to your desktop and will automatically open.
    4. Please copy and paste the contents of JRT.txt and post in your next reply.
    4.) Rerun HijackThis

    Please run HJT and post a Fresh Log after cleaning.

    Please post the 3 Logs I have asked for plus the fresh HJT Log and we’ll see how well it cleaned you and if anything is left over.

    Tnx
    2oG
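As an added example tying the log in post 7 to the assessment in post 8 (it is not part of the thread, and not something HijackThis does itself): a small parser for the HijackThis 2.x line formats that applies the kind of rules a log reviewer applies by eye, flagging URLSearchHooks, O1/O17 hosts or DNS changes, an IE start or search page that is not the Microsoft default, toolbar-style BHOs, services listed with no publisher, and autoruns launched from user-writable paths. The sample lines are excerpted from the posted log (one URL shortened); the token lists and severities are the author's assumptions, not a malware database.

```python
"""Triage a HijackThis 2.x log.

Added example, not part of the thread and not a HijackThis feature. SAMPLE_LOG
is excerpted from the log posted above; the rules and token lists below are
the author's assumptions and deliberately small.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name detail severity reason")

# Line forms as they appear in the posted 2.0.4 log.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
REG_FORM = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")          # R0/R1
CLSID_FORM = re.compile(r"^(?P<kind>[^:]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")  # R3/O2/O3
RUN_FORM = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # O4
SVC_FORM = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")        # O23

BROWSER_PAGES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
                 "SearchAssistant", "CustomizeSearch"}
MS_DEFAULT = "http://go.microsoft.com/fwlink/"
ADWARE_TOKENS = ("toolbar", "yontoo")                                  # assumption: illustrative
REMOTE_ACCESS_TOKENS = ("gotomypc", "teamviewer", "logmein", "vnc")    # assumption: illustrative
USER_WRITABLE = re.compile(r"\\(?:Users|AppData|Temp)\\", re.IGNORECASE)

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://isearch.avg.com/?cid={C01BC703-FBFE-4252-8944-8EAE58D6B38F}&lang=en&ds=gm011&pr=sa&sap=hp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\damo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: vToolbarUpdater14.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line; header and process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def triage(text):
    """Apply the rules above; findings come back in log order."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1"):
            m = REG_FORM.match(body)
            if not m:
                continue
            value, data = m.group("value").strip(), m.group("data").strip()
            if value == "ProxyServer" and data:
                findings.append(Finding(sec, value, data, "high", "IE proxy set; browser traffic may be relayed"))
            elif value in BROWSER_PAGES and data and not data.startswith(MS_DEFAULT):
                findings.append(Finding(sec, value, data, "medium", "IE start/search page is not the Microsoft default"))
        elif sec == "R3":
            m = CLSID_FORM.match(body)
            name, path = (m.group("name"), m.group("path")) if m else (body, "")
            findings.append(Finding(sec, name, path, "high", "URLSearchHook diverts address-bar searches"))
        elif sec in ("O2", "O3"):
            m = CLSID_FORM.match(body)
            if m and any(t in m.group("name").lower() for t in ADWARE_TOKENS):
                findings.append(Finding(sec, m.group("name"), m.group("path"), "medium", "toolbar/adware-style browser add-on"))
        elif sec == "O4":
            m = RUN_FORM.match(body)
            if m and USER_WRITABLE.search(m.group("cmd")):
                findings.append(Finding(sec, m.group("name"), m.group("cmd"), "info", "autorun from a user-writable path; confirm publisher"))
        elif sec == "O23":
            m = SVC_FORM.match(body)
            if not m:
                continue
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            if owner == "Unknown owner":
                findings.append(Finding(sec, name, path, "medium", "service without a publisher; confirm origin"))
            elif any(t in name.lower() for t in REMOTE_ACCESS_TOKENS):
                findings.append(Finding(sec, name, path, "info", "remote-access service; confirm you installed it"))
        elif sec in ("O1", "O17"):
            findings.append(Finding(sec, body, "", "high", "hosts-file or DNS setting changed"))
    return findings


def triage_file(path):
    """Run the same rules over a saved hijackthis.log (HJT writes ANSI text)."""
    with open(path, encoding="cp1252", errors="replace") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.name}: {f.reason}")
```

On the sample the URLSearchHook is the only high-severity item; the AVG search page, Yontoo, the uTorrent toolbar and the two unknown-owner services come back as medium, and the AppData autorun and the GoToMyPC service as informational items to confirm rather than remove. The O1/O17 rule fires on nothing here, which matches the empty hosts-file result in post 6.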
     