Strange Undelivered Emails I DID NOT Send?

Discussion in 'Malware Help (A Specialist Will Reply)' started by techtitan, Oct 24, 2012.

  1. techtitan

    techtitan Specialist

    This morning I had five emails in the inbox of my Office Outlook 2010 that were all "Mail Delivery Failure - Mail Delivery System." These of course are the kind of auto-response you receive if an email you send does not go through and bounces back. The problem is I did not send a single one of these messages. I have not sent anything from this account in over a week and I received these emails between 3:00am - 8:00am this morning when my computer was not even running!

    Here are the details of three of the emails. They all contain similar info. Hopefully this will lead to some information:


    If you Google any of these emails you see they are over-seas based in a foreign country. How is this getting sent/received in my personal email address?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not completely sure. It could be malware on your PC or it could be that someone has your email account login and password. Go to a different ( and properly protected ) PC and change your email account password.

    And to check whether you are infected, it would be a good idea to complete the below.


    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. techtitan

    techtitan Specialist

    Thanks for the reply. I am willing to take any steps it will take to troubleshoot, however, before I do the full-on Malware Removal Guide, I'd like to scratch the surface of this issue just a bit more to see what info we can ascertain.

    For instance:

    I spent the day updating/running my three primary virus scanners (MalwareBytes, SuperAntiSpyware and BitDefender Total Security - Deep System Scan). All three apps came back with 0 results of malicious or harmful software found. I also should mention that my system never connects to the internet unless it's Sandboxed first (automatically) and it auto-deletes itself upon close. I also am not in the habit of downloading any potentially malicious files as I'm very cautious in that regard. Also, an auto-response is usually a result of an email being instantly rejected after sending. These responses were received in the middle of the night when my computer had been turned off for many, many hours.

    My ISP also suggests my email address could have possibly been compromised. After Googling several of the email addresses in the "Delivery Failure Notices" I'm able to confirm two things; they're all generated in ecelerity and they ALL have a path from foreign countries like the Ukraine and others (based on a Google search). My real concern is, if this is not a virus based from my computer, how did my email end up in the hands of overseas entities? Does this mean they also acquired my password? If so, how?

    The only thing I can think is that this email is used on sites like Netflix, Facebook etc where other members of the family input it into their laptops which run little security programs (not my choice but it's their equipment). Could this be a root cause?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly! There could be quite a few ways.
    • logging into your email account from a wireless network that is not secured
      • many people don't realize how unsafe wifi networks in malls, airports, and dozens of other spots are.
      • even a home wireless network that is unsecure is problematic.
    • logging into your email account from any other PC especially public PCs like those in hotels, libraries, coffee shops, boats,....etc. Those PCs could have been hacked.
    • Ever logged into your email account from a friend's PC? How do you know your friend's PC is safe/not infected?
    • Logging into websites that have been hacked where you do things that may leave your PC open for file theft.
    • P2P, torrent,...etc downloading where your PC allows open connection to everyone in the world.
    Family members should not be using your email account. If they are, then you have no idea where it has been used. But yes, having your email address posted on public mediums can be an issue since hackers can probably find ways to figure out your password. Making a very strong password is a must. At least 10 characters long and include both upper and lower case characters, numbers, and also at least one special character ( like #, !, % and so on ). And obviously the password should not contain any strings of info that could be widely known or easily figured out about you.
     
  5. techtitan

    techtitan Specialist

    @ chaslang:

    Thanks for the info. I'm sure we'll be able to get to the bottom of this. But first, I'd like to take a step back (as you advised earlier) and ensure that my system here is not the source.

    As I said earlier, I've already run full system scans of Malwarebytes, Super-Antispyware and BitDefender Total Security 2011 with 0 malicious results found. However, I went back and ran the READ & RUN ME FIRST. Malware Removal Guide steps.

    I have attached the logs for your review, but here are my findings at a glance:

    1) RogueKiller: Unsure of findings but nothing was fixed/removed (per the guide's instructions) and log generated

    2) Malwarebytes (Quick Scan): 0 threats found

    3) TDSSKiller: 1 result found which was the sptd.sys file that gets installed when using apps like Alcohol or Daemon Tools. Applied default action (Ignored) per the guide's instructions.

    4) HitmanPro: DVDFab was detected as suspicious, however, I believe this is due to me running a mod that allows the program to load to the "Ripping" menu as opposed to the "Full DVD" screen upon load up. I'm using it for a project I'm working on right now and it's falsely seeing it as a threat. Anyway...definitely not a threat.

    So, at this point is it safe to say there are no threats running on my system that caused this issue and we've narrowed it down to an outside source?

    Thnx
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need the requested log from MGtools to continue.

    Also note that you are very out of date with the program version of Malwarebytes that you are running. You need to download and install the version from the link in the READ & RUN ME FIRST. A new scan should be run just to be safe.
     
  7. techtitan

    techtitan Specialist

    Oops, sorry about that. I saw that step earlier but I forgot to do it. Here you go.

    Thnx
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only issue I see is the below hack to allow illegal use of Microsoft Office:
    Code:
    ----a-w               292 2012-10-30 01:13:22  C:\Windows\tasks\AutoKMS.job
    d-----w                 0 2012-09-12 13:30:57  C:\Windows\AutoKMS
    ----a-w           151,552 2012-10-30 01:13:12  C:\Windows\KMSEmulator.exe
    Your logs are otherwise clean.
     
  9. techtitan

    techtitan Specialist

    Mmm, funny you should mention that. A while back I contracted a "tech" guy on craigslist who was offering his services to install what he called an "OEM" copy of Office, which is why he said there was no documentation. It seemed a bit shady but I went with it...now I think I see why I got such a deal (the one and only time I let my guard down). Thanks for bringing this to my attention. I'll address this issue separately.

    Thanks. I'm glad we at least eliminated the source on my end. I'm going to start the process of updating all my information and changing logins and passwords across the board.

    I am still wondering about the email address though. I really don't think there would have been any way to obtain the password along with the email address since we've already established there are no apps running on my system to do so and I never use that password for email outside Outlook on this system.

    I've read that sometimes people who spam emails will just data-mine email addresses randomly and can somehow use them as the return address even if they have no other information. Then, the returned mail gets bounced back to the user. Could that be the case here? If so, would changing the password have any real effect? Wouldn't I need a completely new email address?

    Thanks!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See what I posted in message # 4 again.

    Possibly. Spammers will try all kinds of tricks to get people to respond in some form or another so that they can collect valid email addresses. This would be the first time anyone came here with this problem.

    Changing a password would not help if this were the case. Yes a new email account may help but is it really necessary? Do you continue to have these emails showing up?
     
  11. techtitan

    techtitan Specialist

    Yes, they still trickle in. Maybe two every few days. I also read your post again in #4 above. I believe it is very possible that the email address itself has gotten out somewhere, possibly through an unsecured network when being used by a family member's laptop in a hotel when logging into something like Netflix (one of many possible scenarios). However, this family member has never had access to my email's password and we've already established that no malware on my system is sending it out locally. When you say this would be the first time anyone has ever had this issue on the forum in your post above, what does that suggest? The nature of the emails seems to be that they have just somehow data mined it and used it in their scam. If there seems to be no indications they were able to obtain the password (and again, how could they have?) then are they not limited to what they can do with this email address (thus just using it for spamming as a return address)?

    Also, another thing I should mention. I was trying to block a program's update using BitDefender Total Security 2011's Firewall but it wouldn't work. It disabled Windows Firewall by default when installed. I reactivated Windows Firewall in order to block said program. This was about two days before this issue started. Is it possible I opened a security hole by having two firewalls running at once that were conflicting that could have led to this?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing really is suggested. It is just sort of a statement of facts that spammers will try all kinds of tricks to find out valid email addresses and to spam them.

    There never are in most of these kinds of cases where some form of spamming is the problem and no malware is present. This is typically a sign that somehow the email account was compromised and it may not have been compromised while using this PC.

    You MUST never have two firewalls activated. If you are going to use BitDefender you must leave the Windows Firewall disabled and only use BitDefender.

    While having two firewalls active could lead to issues, I'm not thinking that it is the cause.

    I would believe that using things like µTorrent were more likely to be a cause.
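The thread leaves two explanations open: a spammer forging the address as the return address (backscatter, so the password was never needed) or a genuine account compromise. One way to triage a bounce between those two, as an added example that is not code from this thread or from MajorGeeks: pull the returned original out of the RFC 3464 report and look at which server first accepted it. The provider hostname in OWN_OUTBOUND_HOSTS and both sample bounces are assumed/constructed values.

```python
import email
import re
from email import policy
# Hostnames the owner's provider legitimately uses for outbound mail. Assumed
# value for this example; take the real names from a message you know you sent.
OWN_OUTBOUND_HOSTS = {"smtp.example-isp.net"}

def returned_original(dsn_bytes):
    # RFC 3464 bounces are multipart/report; the returned original rides in a
    # message/rfc822 or text/rfc822-headers part. Returns None if neither exists.
    msg = email.message_from_bytes(dsn_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def first_hop_host(original):
    # Each MTA prepends its own Received: line, so the last one is the first hop:
    # the server that actually accepted the message from whoever wrote it.
    received = original.get_all("Received") or []
    m = re.search(r"\bby\s+([\w.-]+)", received[-1]) if received else None
    return m.group(1).lower() if m else None

def classify(dsn_bytes):
    # Triage hint only: a spammer can forge Received: lines too, so treat
    # "via-own-provider" as a reason to rotate the password, not as proof.
    original = returned_original(dsn_bytes)
    host = first_hop_host(original) if original is not None else None
    if host is None:
        return "undetermined"
    return "via-own-provider" if host in OWN_OUTBOUND_HOSTS else "backscatter"

def build_dsn(received_lines):
    # Constructed sample bounce (not a real one) wrapping the given Received: lines.
    body = "\n".join(received_lines)
    return (
        "From: Mail Delivery System <MAILER-DAEMON@mx.example.org>\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
        "--B\nContent-Type: message/delivery-status\n\nReporting-MTA: dns; mx.example.org\n"
        "Action: failed\nStatus: 5.1.1\n--B\nContent-Type: text/rfc822-headers\n\n"
        f"{body}\nFrom: victim@example-isp.net\nTo: someone@example.org\n--B--\n"
    ).encode()

# Constructed cases: forged-From mail injected straight at the MX vs. mail that passed through the provider.
FORGED = build_dsn(["Received: from [198.51.100.23] by mx.example.org; Wed, 24 Oct 2012 03:11:58 +0000"])
VIA_PROVIDER = build_dsn([
    "Received: from smtp.example-isp.net by mx.example.org; Wed, 24 Oct 2012 03:11:58 +0000",
    "Received: from [10.0.0.5] by smtp.example-isp.net with ESMTPA; Wed, 24 Oct 2012 03:11:50 +0000",
])
```

`classify(FORGED)` yields `backscatter` while `classify(VIA_PROVIDER)` yields `via-own-provider`; a bounce with no returned original comes back `undetermined`, which is the case when a remote MTA strips the original.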
     
