# My hotmail got hacked



## iLLegaL89 (Jan 27, 2005)

Hello!

I received an email earlier today asking for verification for an ebay password change. I ignored this, however later that day the password to my hotmail email / msn messenger got changed, so I quickly checked my ebay, and yup, that had changed. I quickly got in touch with ebay, and had my account blocked. What the heck can I do with my msn? I reported it to them earlier, but what are the chances that I will get that account back? It had A LOT of passwords in the emails and I'm sure it could get a lot worse than ebay.
Anybody else have any problems like this? The security question to my hotmail also changed, so I can't do it that way either.

I'm thinking either hacked browser, or key logger. What type of software can I use to detect key loggers? All I have run so far is ad-aware. What else could I run?


Thanks. ady


----------



## HalTrout (Mar 22, 2007)

Why do you have passwords in your emails? I would call or email MSN now. Get them to reestablish your account with a new userid and password. Explain that your account has been hacked. Sounds like someone hacked into your MSN options.

If you have a paypal account, make sure you change the password!!!!

You can establish another email account with gmail. That's what I use instead of hotmail/msn. I think gmail works much better than hotmail/msn.


----------



## DoubleHelix (Dec 10, 2004)

Reset your Hotmail password by answering your security questions. Then change the password on the account. You'll also want to have your system checked for keyloggers or spyware.

Unless you have a paid, premium account, you're not going to be able to get any support from Microsoft. They simply have too many customers.


----------



## Daredeval756 (Dec 11, 2006)

You didn't by chance go to a "figure out your friend's email password", did you? The ones that say they double beat the system and look something like this?

You Email:
You Password: 
Your Friends Email:

:Get That PW:


----------



## Byteman (Jan 24, 2002)

Hi, I'd be scanning for something in this case!

Let's have you post a log from Hijackthis and maybe we can spot anything out of place:
Go to *Click here* to download HJTsetup.exe
Scroll down to find the *File Repository area*, then look on the upper right for the *Download button*.
Save HJTsetup.exe to your *desktop.*
Double click on the *HJTsetup.exe icon* on your desktop.
By default it will install to *C:\Program Files\Hijack This.* 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks dialogue.*
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then save the log and then the log will open in Notepad.
Click on *"Edit > Select All"* then click on *"Edit > Copy"* to copy the entire contents of the log.
Paste the log in your next reply.
DO *NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

*Also, please do this:*
Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list in a reply.


----------



## Goku (May 17, 2007)

Daredeval756 is right. It is a trick used by most hackers to get a password from your MSN account. It is a major drawback in the mail system and has been a major cause of many account hacks. But as DoubleHelix said, change your password by answering the security questions. Also, if you want to generate a strong password, go here:

http://www.goodpassword.com/

Enter a phrase that is easy to remember and they will generate a strong password for you. Also, you showed good presence of mind by blocking your ebay account. Good Luck.


----------



## iLLegaL89 (Jan 27, 2005)

DoubleHelix said:


> Reset your Hotmail password by answering your security questions. Then change the password on the account. You'll also want to have your system checked for keyloggers or spyware.
> 
> Unless you have a paid, premium account, you're not going to be able to get any support from Microsoft. They simply have too many customers.





HalTrout said:


> Why do you have passwords in your emails? I would call or email MSN now. Get them to reestablish your account with a new userid and password. Explain that your account has been hacked. Sounds like someone hacked into your MSN options.
> 
> If you have a paypal account, make sure you change the password!!!!
> 
> You can establish another email account with gmail. That's what I use instead of hotmail/msn. I think gmail works much better than hotmail/msn.


Well, some sites paste your passwords in emails :S. Also they reset passwords by email recovery on basically any site I've registered with.
The security question also got changed....

Ok, I'm in the process of running a hijackthis, will post up in a minute


----------



## iLLegaL89 (Jan 27, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 13:28:00, on 20/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mouse\Laser Mouse\Panel.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 207.210.117.53 www.winmx.com
O4 - HKLM\..\Run: [wbgqybj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wbgqybj.dll,tpgasig
O4 - HKLM\..\Run: [LASER Mouse] "C:\Program Files\Mouse\Laser Mouse\Panel.exe"
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4EACE00-4446-4DFE-A412-CC1FA2B95522}: NameServer = 212.159.13.49,212.159.13.50
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddabx - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------
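A first-pass triage of a HijackThis log like the one above, as an added example (not part of the original thread and not HijackThis's own logic). The function name `triage` and its three rules are assumptions chosen for illustration, and a match means "look closer", not "malware".

```python
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""O1 - Hosts: 207.210.117.53 www.winmx.com
O4 - HKLM\..\Run: [wbgqybj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wbgqybj.dll,tpgasig
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ddabx - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")


def triage(log_text):
    """Return (code, name, reason) tuples for entries that deserve a manual look.

    The three rules are illustrative heuristics (assumptions of this example).
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        code, body = m["code"], m["body"]
        if code == "O1" and (h := HOSTS.match(body)):
            # Hosts entries that pin a name to a non-loopback address.
            if not h["ip"].startswith("127.") and h["ip"] != "0.0.0.0":
                findings.append((code, h["host"], f"hosts file pins name to {h['ip']}"))
        elif code == "O4" and (r := RUN.match(body)):
            # Run value named after the DLL that rundll32 loads at logon.
            name, cmd = r["name"].lower(), r["cmd"].lower()
            if name.endswith(".dll") and "rundll32" in cmd and name in cmd:
                findings.append((code, r["name"], "Run value is the DLL rundll32 loads"))
        elif code == "O20" and (n := NOTIFY.match(body)):
            # Notify package registered with a directory and no DLL file name.
            if n["path"].endswith("\\"):
                findings.append((code, n["name"], "Winlogon Notify entry shows no DLL file"))
    return findings


if __name__ == "__main__":
    for code, name, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {name:15} {reason}")
```

Vendor entries such as `NvCplDaemon` and `WgaLogon` pass through unflagged, so the output is a short list to hand to a qualified helper rather than a list of things to delete.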



## iLLegaL89 (Jan 27, 2005)

Got my account back, not surprised to see many emails from an ebay customer asking where to send the £700 item "nigeria" /sigh

I've been told I got spoofed via another "login" form I clicked which gave them my account details n such. Is there anything that can detect these?


----------



## Goku (May 17, 2007)

Get an Internet Security Suite, my friend. This will save you from "Phishing" messages. Wow, you must really concern your security. Good Luck.


----------



## iLLegaL89 (Jan 27, 2005)

Well I turned off my zone alarm pro after I got a router (stupid, I now know!). I just installed comodo so hopefully that will be ok


----------



## Goku (May 17, 2007)

Well, I am talking about antiphishing software and not a firewall. Here, check out some of the best antiphishing software:

BitDefender
Kaspersky Internet Security Suite
TrendMicro
Avira Premium Security Suite
Zone Alarm Internet Security Suite

These are some of the best I have come across. Just google each of them one by one and you will get their official sites. Good Luck.


----------



## Byteman (Jan 24, 2002)

You indeed have some malware- please, unqualified posters do NOT post here, with any advice! See the TSG Rules:

Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

Here is my response to non-qualified posters in malware removal threads/HJT log threads, etc:



Byteman said:


> ~~~~~~~~*Anyone else take notice!*~~~~~~~~~~
> Here's a copy of TSG's policy for help with malware removal (hijackthis logs are not the only thing covered)...A thread where *possible or obvious malware is being asked about, fixed, or is seen,* may not be replied to with directions on how to remove that malware, downloads to get, or what to do,* by anyone who is not a qualified security specialist here at TSG*...that constitutes a violation of TSG Rules:
> 
> _{See the TSG Rule for this above}_
> ...


*OK >> iLLegaL89 -* *Please do this: You will need these directions saved for the part of the work done in Safe Mode, you can print this out, or save the text to a blank Notepad and save the file as steps.txt onto your Desktop so you can see it in Safe Mode.*

You will also need to rename the Hijackthis.exe file to anything, for example to tool.exe. This is because Trojan Vundo can hide from hijackthis.exe....so it does not show all of it in your logs.

*You need to temporarily turn off Spyware Doctor's protection so you can run these tools!*

Do this: From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".

VUNDO FIX

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

SD FIX

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Next:

COMBO FIX:
Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.*

Post those 3 logs and a new Hijackthis log, one made after you do the above.


----------



## REVENGE (Aug 7, 2007)

Hi there, How did you get your msn account back? Someone hacked my msn, too.


----------



## chelsss (Jun 26, 2007)

I still haven't got my old addy back or contacts. I've set up a new e-mail address now but still need the lost contacts. I've tried running some of the programs posted by others to fix the problem but they haven't worked. Have you tried any?


----------

