AOL Email Address book hacked, pop ups on AOL site....virus? Help please!

Hello,

I’m worried I might have a virus or been hacked or something of the like.

Last night, I was on the aol.co.uk website and clicked a link on to one of the news items. A box popped up, but I didn’t see much of what it said…it was something like ‘windows is asking for’ something or other and there were two boxes for text in the box for, I assume, a username and password, but I clicked it away by the cross without thinking much of it (this definitely wasn’t an aol pop up, I’d never seen this before).

Today, I woke up to people emailing me to let me know that my email might be hacked cos they’d gotten emails from me with a url in. My email is also with AOL and I gain access to it via that same aol.co.uk site.

Having checked, there are no sent mails in my folder, and there are none of those undelivered mails either that you would usually get from old email addresses accessed in your address book if the email had been sent from my account. The emails, although they had my full name as the ‘from’, had different email addresses under it (so not using my actual email address, just my name as the identity).

So although it appears the emails weren’t physically sent from my email account, they used my full name and had definitely hacked or copied my address book for the recipient list; I recognised them all, even the really old ones. So while I had thought it was a spoof, getting hold of my address book made me think hacked or virus.

So obviously I changed my password, but I came here remembering the weird pop up last night, in case I’d got hacked or virused or something.

Avast scan says nothing. Spybot Search & Destroy only found cookie rubbish, nothing serious. Malwarebytes didn’t find anything either, but I’ve headed here cos I don’t trust it.

While I was looking at this site, I had the aol.co.uk site open in another tab, that was like an hour ago now. A box suddenly popped up on the aol.co.uk tab, saying that I had to update my java, but it was bad grammar and didn’t seem at all authentic. I clicked the box away with the cross, but it still reloaded the AOL page to a page for downloading java but that looked dodgy:

h**p://dl35.shstny.com/topic/java/download.php?country=GB&ext=3&aid=137

At the bottom it even said the website wasn’t owned by the people who owned the software. But that was only the aol.co.uk page that happened on.

I’ve had other tabs and pages open while I’ve been looking it up and finding the tools to do the logs for you guys and it hasn’t (touch wood) happened on any other site, the weird stuff’s only been happening on the aol.co.uk site, so far at least.

Anyways, I’d appreciate your help in finding out if I have a virus from the first pop-up box last night. Otherwise, I can only think that the aol.co.uk site has been compromised, and that’s just weird cos it’s a big company so I doubt it.

Thanks in advance, I’ve attached all the logs needed (I think!). I’m not a very techy person so apologies in advance if I need baby steps through anything!

Hi, all I can see are a few orphans; unfortunately AOL has a penchant for getting hacked. I would imagine that your e-mail has been harvested and the address book copied. Changing the password is about all you can do.

Is the computer displaying any other symptoms?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095}
FF user.js: detected! => C:\Users\cbmin_000\AppData\Roaming\Mozilla\Firefox\Profiles\4c8u9c4b.default\user.js
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks for your reply!

The only other symptom was that dodgy java redirect, but I have no idea if that was my computer or the aol site.

Logs attached!

Looking at the logs I would suspect the AOL site. I have just visited it and one of the links I clicked asked for a password :slight_smile:

If all is OK tomorrow let me know and I will tidy up

Thank you for your help…as always! LOL I’ll hop back on tomorrow and let you know how it’s going…thanks!

Just for your info re: h**p://dl35.shstny.com/topic/java/download.php?country=GB&ext=3&aid=137
http://zulu.zscaler.com/submission/show/974f27821412f6da55d9241b4df377ab-1406747718
http://urlquery.net/report.php?id=1406747905239
There is a detection in Suricata IDS and clicking the screen capture does show a dialog box
https://www.metascan-online.com/en/ipscan/MTkyLjE4Ni4xMzIuMTk0

See attached for Sucuri scan results (same h**p website tested).

BTW, something similar happened whilst visiting SI.com (see attached below): Likely also a part of a malware campaign targeting major websites. Just popped up completely unsolicited.

Hi,

Touch wood, there’s been no other problems, so I guess it was just a problem with the AOL UK site.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: