You guys have been lifesavers in the past, so I hope you can help with this curious issue I had with my hotmail account yesterday.

Around mid-day yesterday I noticed a number of bounced emails coming from my Hotmail account. It seems someone spammed some bogus email to like 50 of my contacts. I tried to sign-in and change my password only to find that it had been changed. After re-setting my password I was able to log-in, but when I tried to log in again later, it had been changed again. Same thing 30 mins later. At this point, I became worried about a key-logger and changed all of my passwords from another computer.

I downloaded Malwarebytes and ran a test: Nothing came up, which has me really confused (and happy?) Any idea, how this could happen with nothing being detected? Am I missing something? Here is my log:



Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.27.01

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
Austin :: AUSTIN-PC [administrator]

Protection: Enabled

6/26/2012 8:38:34 PM
mbam-log-2012-06-26 (20-38-34).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361746
Time elapsed: 55 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

could be something its not detecting. at work recently had a java exploit with a downloader/keylogger that initially was not being detected by symantec.

I'd start with taking a look at the sticky in the forum here on if you think you have been infected : http://forumserver.twoplustwo.com/48...puter-1028333/

You might also take a look at this tool called Kludge (http://theinterw3bs.com/?p=503)
Made by a buddy of mine designed for doing intel gathering for incident response

Thanks for the reply elcamino,

I read and re-read the sticky, but didn't see anything relating specifically to a keylogger problem. Should I be running scans with the software from either TDSSKiller or OTL?

Apologies if I come off as ignorant, I'm admittedly not very computer savvy.

Are you on LinkedIn? 6.5million passwords were recently leaked.
You can see if your password was leaked here
https://lastpass.com/linkedin/

Is it possible your password wasn't getting changed after the first time, but that your account was locked to prevent hacking?

In my theory, the cycle was
1) sign up for LinkedIn and Hotmail using the same password
2) LinkedIn password gets leaked
3) Hotmail gets hacked
4) spam gets sent
5) You reset password
6) They keep trying to spam with your account
7) Hotmail automatically realizes something is up and locks account, pending identity confirmation (usually w/ captcha)
8) You reset password again
9) they get it locked again
10) goto 8

Malware that the typical tools don't pick up is harder to track down. Especially since you have to consider that system binaries could have been replaced.

If its something going all the time you can try and look at running processes, active network connections and items set to auto start.

Might find something there. I'm all for root cause analysis but if you've got your data backed up and can reload the system that may be the safest bet. Even when I've done a full forensic analysis on a system they still get reimaged before going back on the network but I know thats a corporate environment and not your home pc.

Hotmail spam = guessed password in all the cases I have seen upto now.
Change the password and you should be fine.

If not, come back here.

Guys, thank you.

Hopefully I won't have any more issues

In a case like this I'd recommend a MINIMUM of two separate malware scans (try Panda as a second). Keep in mind that your webmail account can be compromised if you are logged in while browsing a site which attacks your browser (if you have to stay logged in to an on-line account, try using two different browsers (ex., Firefox and Chrome) for different things). But like elcamino74ss said, the only way to be sure your computer isn't still infected is to reinstall the operating system. If you need to use something safe in the meantime, you can download and burn a Linux live-cd/dvd to boot your computer on (try Fedora KDE live CD, for a Windows-like experience).

Don't just change the password. Change the password reset questions to unguessable answers (and, better still, strong answers -with numbers, upper/lower case and special characters) - treat them as passwords themselves.

Check, too, whether you have another email account set up as a secondary account. Make sure you've changed all the access credentials on that too.

As Gabe says, most webmail "hacks" are simply guessed passwords or otherwise the result of a phishing site. If your password has been "hacked" twice then it's quite possible the attacker has access to a reset mechanism - either the questions/answers or the secondary account. I wouldn't put money on you being safe from a keylogger, but it's likely.