Suggestions Needed

kendall.a · 23. May 2010, 08:07 PM

After breakfast this morning, I came down to my PC and opened up my email. In my Inbox (Outlook 2007), I found about 15-20 "returned emails" from "postmaster". I had apparently sent out a spam email automatically. A couple of people on my contacts list sent me emails to also tell me that I sent out a spam email.

Since then, I have run full scans using MSE, MalwareBytes, SAS, and HitmanPro. None of them found a thing. Now what? Any suggestions?

I've thought about running Housecall. Anyone have any ideas how my email program sent out an automatic email without me doing anything, yet everything shows up clean?

P.S. Yes, I did full updates on all the programs before running in-depth scans.

MidnightCowboy · 23. May 2010, 08:54 PM

Submitting a HijackThis log is about the most reliable method although there are some local things you can do as well.

Try checking your HOSTS file. Many bots rewrite this file to trick your PC into connecting to an incorrect and unauthorized IP address for a server. Typically the only line in this file will be 127.0.0.1 local host, although there may be some additional, inactive lines; these will be preceded by a #, indicating that they're to be ignored by the system. If you find other lines, make a backup copy of the HOSTS file (just in case), then delete the suspect lines and save the file.

Also, Process Explorer might help you to identify something you don't recognize, especially if it's in the top ten for memory consumption.

As you say, Housecall is an obvious choice for an online scan.

You might also take a look at this PDF which has some good tips - in pictures as well as words

(downloaded and scanned clean with Malwarebytes, HitmanPro and Panda).

http://www.ipa.go.jp/security/englis...asures_eng.pdf

Good luck!

kendall.a · 23. May 2010, 09:47 PM

Housecall clean as well.

MC, how do I find the hosts file in Windows 7 (64 bit)?

Nevermind....found it. Here it is:

Quote:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

Anything I should worry about?

kendall.a · 23. May 2010, 10:06 PM

BTW...nothing found with Sophos Anti-Rootkit either.

This is very odd.

MidnightCowboy · 23. May 2010, 11:48 PM

Although I know "of" these things I wouldn't trust my own ability to interpret someone else's results correctly. I'm more in tune with the prevention of host file manipulation as in this example:

http://antivirus.about.com/od/securi...ss/hosts_4.htm

I'd welcome some other input here for you, otherwise in view of what you might have encountered I still think a HijackThis analysis would be the best way forward.

You can copy/paste your log file here:
http://www.hijackthis.de/

This automated process though is not as accurate as a proper analysis but it is of course quicker than posting it in one of the tech forums.

kendall.a · 24. May 2010, 01:07 AM

I ran Hijackthis and pasted it into the site you posted. It shows everything as safe. I'd post the log here, but it is way too long. Besides, it's better to be pasted in a specific forum designed for such purpose.

26Dolphins · 24. May 2010, 01:19 AM

Hi kendall,

As I have a little bit of experience with "managing" spam, here are a couple of things:
1. Not long ago, I got a couple of "postmaster" messages stating that an email I tried to send could not be delivered. Funny thing was that:
1.1 Turned out one of them wasn't even a legitimate "postmaster" message - it was a spam itself.
1.2 The other had the alleged email attached and, after checking it, it turned out that it had nth to do with me (I was not the real sender).

So, are you and/ or your contacts absolutely sure that you really sent out a spam? You can verify that by checking the headers of both the spam and the "postmaster" emails - headers always tell the truth, even if the "From", "To", "Reply to", etc lines are spoofed.
Since all your scans come clean, it's a possibility to consider.

Of course, if we're talking about a very "private" email address, it's rather unlikely that it's being used for sending spam by a third party (not from your machine). If this is the case, you do need to look further into the chance of having some kind of infections and MC's advice is indeed the best I can think of myself.
I don't want to unnecessarily alarm you, but I've noticed that on "The Spamhaus Project" site a lot of "unknownXXX" bots are being reported lately ("XXX" stands for a comb of numbers, stating that the bots don't fall under any known ones) - maybe a reason for your scans coming clean? It's a wild guess and sure hope you're not that unlucky.

Good luck,
26Dolphins

kendall.a · 24. May 2010, 04:51 AM

I think I might know the problem. I think it is related to my MSN email account. If you Google "MSN sent email spam", you will find hundreds of links. This appears to be a very common issue with MSN email.

It might be time to switch over to my Gmail account?!

In the mean time, I've changed my MSN password and my security question/answer.

Of course, I've had this MSN email account since 2005. However, dumb me has never changed the email password. Probably not too smart. Well, it's changed now.

MidnightCowboy · 24. May 2010, 10:14 AM

Well, at least you've been able to identify the source. I don't use MSN - all I know about it is that the university network where my wife works is stacked with viruses and their own techs attribute most of this to MSN being used as the main communicator.

Taurus · 24. May 2010, 04:30 PM

Quote:

Originally Posted by kendall

It might be time to switch over to my Gmail account?!

The answer is a resounding yes! I would also plan on deleting and closing your MSN account.

23. May 2010, 08:07 PM	#1 (permalink)
kendall.a Been Here Since the Begin Join Date: Apr 2008 Location: Colorado, USA Posts: 2,345	Suggestions Needed After breakfast this morning, I came down to my PC and opened up my email. In my Inbox (Outlook 2007), I found about 15-20 "returned emails" from "postmaster". I had apparently sent out a spam email automatically. A couple of people on my contacts list sent me emails to also tell me that I sent out a spam email. Since then, I have run full scans using MSE, MalwareBytes, SAS, and HitmanPro. None of them found a thing. Now what? Any suggestions? I've thought about running Housecall. Anyone have any ideas how my email program sent out an automatic email without me doing anything, yet everything shows up clean? P.S. Yes, I did full updates on all the programs before running in-depth scans. __________________ Been here since the beginning.

23. May 2010, 08:54 PM	#2 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 15,367	Submitting a HijackThis log is about the most reliable method although there are some local things you can do as well. Try checking your HOSTS file. Many bots rewrite this file to trick your PC into connecting to an incorrect and unauthorized IP address for a server. Typically the only line in this file will be 127.0.0.1 local host, although there may be some additional, inactive lines; these will be preceded by a #, indicating that they're to be ignored by the system. If you find other lines, make a backup copy of the HOSTS file (just in case), then delete the suspect lines and save the file. Also, Process Explorer might help you to identify something you don't recognize, especially if it's in the top ten for memory consumption. As you say, Housecall is an obvious choice for an online scan. You might also take a look at this PDF which has some good tips - in pictures as well as words (downloaded and scanned clean with Malwarebytes, HitmanPro and Panda). http://www.ipa.go.jp/security/englis...asures_eng.pdf Good luck! __________________ Buy a Hoover and prove technology sucks.

23. May 2010, 10:06 PM	#4 (permalink)
kendall.a Been Here Since the Begin Join Date: Apr 2008 Location: Colorado, USA Posts: 2,345	BTW...nothing found with Sophos Anti-Rootkit either. This is very odd. __________________ Been here since the beginning.

23. May 2010, 11:48 PM	#5 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 15,367	Although I know "of" these things I wouldn't trust my own ability to interpret someone else's results correctly. I'm more in tune with the prevention of host file manipulation as in this example: http://antivirus.about.com/od/securi...ss/hosts_4.htm I'd welcome some other input here for you, otherwise in view of what you might have encountered I still think a HijackThis analysis would be the best way forward. You can copy/paste your log file here: http://www.hijackthis.de/ This automated process though is not as accurate as a proper analysis but it is of course quicker than posting it in one of the tech forums. __________________ Buy a Hoover and prove technology sucks.

24. May 2010, 01:07 AM	#6 (permalink)
kendall.a Been Here Since the Begin Join Date: Apr 2008 Location: Colorado, USA Posts: 2,345	I ran Hijackthis and pasted it into the site you posted. It shows everything as safe. I'd post the log here, but it is way too long. Besides, it's better to be pasted in a specific forum designed for such purpose. __________________ Been here since the beginning.

24. May 2010, 01:19 AM	#7 (permalink)
26Dolphins Senior Member Join Date: Nov 2009 Posts: 445	Hi kendall, As I have a little bit of experience with "managing" spam, here are a couple of things: 1. Not long ago, I got a couple of "postmaster" messages stating that an email I tried to send could not be delivered. Funny thing was that: 1.1 Turned out one of them wasn't even a legitimate "postmaster" message - it was a spam itself. 1.2 The other had the alleged email attached and, after checking it, it turned out that it had nth to do with me (I was not the real sender). So, are you and/ or your contacts absolutely sure that you really sent out a spam? You can verify that by checking the headers of both the spam and the "postmaster" emails - headers always tell the truth, even if the "From", "To", "Reply to", etc lines are spoofed. Since all your scans come clean, it's a possibility to consider. Of course, if we're talking about a very "private" email address, it's rather unlikely that it's being used for sending spam by a third party (not from your machine). If this is the case, you do need to look further into the chance of having some kind of infections and MC's advice is indeed the best I can think of myself. I don't want to unnecessarily alarm you, but I've noticed that on "The Spamhaus Project" site a lot of "unknownXXX" bots are being reported lately ("XXX" stands for a comb of numbers, stating that the bots don't fall under any known ones) - maybe a reason for your scans coming clean? It's a wild guess and sure hope you're not that unlucky. Good luck, 26Dolphins

24. May 2010, 04:51 AM	#8 (permalink)
kendall.a Been Here Since the Begin Join Date: Apr 2008 Location: Colorado, USA Posts: 2,345	I think I might know the problem. I think it is related to my MSN email account. If you Google "MSN sent email spam", you will find hundreds of links. This appears to be a very common issue with MSN email. It might be time to switch over to my Gmail account?! In the mean time, I've changed my MSN password and my security question/answer. Of course, I've had this MSN email account since 2005. However, dumb me has never changed the email password. Probably not too smart. Well, it's changed now. __________________ Been here since the beginning.

24. May 2010, 10:14 AM	#9 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 15,367	Well, at least you've been able to identify the source. I don't use MSN - all I know about it is that the university network where my wife works is stacked with viruses and their own techs attribute most of this to MSN being used as the main communicator. __________________ Buy a Hoover and prove technology sucks.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode