All: I have had a problem the last few days w/ some sort of virus, somewhere. Not sure if it is in my computer or someone else’s.
I have rec’d three msgs about mail that was undeliverable – that I didn’t send. At least I didn’t knowingly send them. Also, I have rec’d three msgs from an address that I don’t recognize. They go immediately into the trash, no opening their attachments. Also, twice Norton has said, upon receiving an e-mail, that it detected a virus & deleted the msg. It identified the culprit as “Netsky.” Adaware has been routinely finding either 8 or 15 data miners in my memory daily. I have recently updated Norton & have run virus checks about every other day; none of them has shown any viruses detected.
Is there any way to check the guts of my software to find out if some nasty has captured my computer & is using it to send spurious msgs? It would probably help if I noted the times I’m connected on line and match against the times the returned msgs are reported to have been sent.
I’d send this directly to Luka, but he is probably totally absorbed in the 35,257 photos of necked wimmen he has rec’d from all the reprobates out there in the Tavern and can’t answer because he is busy protecting himself against prostate cancer – which is tough under that street light he uses for a computer room.
Don
Replies
I doubt that these messages are originating from your system. Rather, someone else with your email address in their address book has become infected and is sending the messages, "spoofing" your address.
Just continue to practice "safe sex" and delete the messages.
Dan: Well, I have answered one of my questions inadvertently - wasn't home all day and rec'd rejected mail at a time when it was impossible for me to send it.
I have in the past gotten mail from other machines that I knew were from an infected machine using an address book. Rec'd enough msgs today that I now can narrow it down to one of about 600 people, based on the collection of addresses used. That's not too bad, really - at least I know where they are coming from and that I am not infected.
Ran a Norton scan today and it uncovered nothing. Since it apparently recognizes Netsky when it comes in through e-mail, I'm assuming that it would recognize it resident on my computer.
Thanks.
Don
The GlassMasterworks - If it scratches, I etch it!
In addition to Adaware, consider using another ad blocker such as Spybot Search and Destroy.
I regularly run both back to back and each finds stuff the other hasn't.
The returned emails are probably using your email address as a dummy "from" - classic hacker technique.
It's amazing how these things get spread - I have one email address that I use exclusively for one of my church activities, and I only exchange emails with fellow course facilitators, and I get lots of bounced mail to that address because one of the other facilitators had her address book purloined a few months ago.
One way of cutting down on virus activities is using non-MS products as much as possible: every hacker out there cut his teeth on mining Outlook for addresses!
"It is as hard for the good to suspect evil, as it is for the bad to suspect good."
-- Marcus Tullius Cicero, statesman, orator, writer (106-43 BCE)
Besides Norton, it's probably wise to install a firewall. Not a "must have" for someone on a dial-up modem, but a good idea, and a definite "must have" for anyone on DSL or cable.
PC Magazine on-line has a good article on how to set up to keep your PC safe:
http://www.pcmag.com/article2/0,1759,1621256,00.asp
Most of those undelivered mails have the virus in their attachment, so even if you know the dude and it comes with an undelivered message, delete it without opening. DO NOT OPEN THE ATTACHMENT NO MATTER WHAT.
I have rec'd three msgs about mail that was undeliverable - that I didn't send. At least I didn't knowingly send them.
Those are most (80%) likely "phishing" emails. If you try to reply to figure out what the deal is, they get a confirmed email address (which is worth about 4x what random culled addresses are).
There is a possibility that some lowlife is using your email as a spoof address, or that you are a "bounce" in their email traffic for whatever reason. Probably not a spoof address, as the phishers send emails in the thousands per day; redirection would be giving you hundreds of mailer daemon failure notices.
Best bet so far is to just delete them. It's a pain to try and filter them, as you have to dig into the header information to find out what the true send address is (not what is reported in the email).
Add spybot to your box of tools. I'm running spybot once a week and adaware right at every two weeks--most of the things I'm getting are tracking cookies. They are 80% nuisance (browser info to better display pop ups), and 20% convenience (like knowing where on the forum you've been).
Spybot has a nice inoculate feature for most IE threats. Pow! by Analogx is my popup blocker. All three have made my life easier enough to get money from me (spybot even uses PayPal).
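The header digging mentioned in the reply above, as an added example that is not from the thread: given the original headers a bounce notice quotes back, it finds the hop that actually handed the mail in (the last Received line, since each relay prepends its own), checks whether a From: in your domain was forged, and applies Don's idea of comparing the Date: against the times you were actually online. The hosts, addresses, times and relay names are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers of the "original" message that a bounce
# notice quotes back. All hosts, addresses and times are made-up values.
ORIGINAL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by smtp.example.net with ESMTP; Tue, 16 Mar 2004 13:58:02 -0500
Received: from don-pc (dsl-77.isp.example [198.51.100.77])
 by mx.example.net with SMTP; Tue, 16 Mar 2004 13:57:49 -0500
From: don@example.org
To: nobody@example.net
Subject: Re: Hello
Date: Tue, 16 Mar 2004 13:57:40 -0500

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)


def first_hop(raw):
    """(HELO name, host/IP text) of the hop that handed the mail in.
    Relays prepend Received lines, so the LAST one is the first hop."""
    received = email.message_from_string(raw).get_all("Received", [])
    m = HOP_RE.search(received[-1]) if received else None
    return (m.group(1), m.group(2)) if m else None


def looks_spoofed(raw, my_domain, my_relays):
    """True when From: claims our domain but the first hop is none of the
    hosts we actually send through, i.e. the address was forged."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    hop = first_hop(raw)
    if sender_domain != my_domain.lower() or hop is None:
        return False
    text = " ".join(hop).lower()
    return not any(r.lower() in text for r in my_relays)


def sent_while_offline(raw, online_windows):
    """True if the quoted original's Date: falls outside every (start, end)
    window (RFC 2822 date strings) during which we were actually connected."""
    sent = parsedate_to_datetime(email.message_from_string(raw)["Date"])
    return not any(parsedate_to_datetime(a) <= sent <= parsedate_to_datetime(b)
                   for a, b in online_windows)
```

Feed it the headers pasted out of a bounce notice; a first hop on someone else's dial-up or DSL line, while From: carries your address, is the backscatter pattern the thread describes.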
Don,
I get about 3 a day of those same e-mails. They are worthless, although Netsky is a virus. If it is on your hard drive, you should probably remove it. I ran Norton on mine and I still get those messages.
Cole
Cole Dean
Dean Contracting
Well, I had to take a break from the battle because my hand is sore.
I'll have to type this slow for the same reason. So don't get too far ahead of me in your reading.
Reasons for the messages that you had sent mail and it was undeliverable...
Someone could have done it deliberately and loaded the email with a virus so when you looked at it to see what your isp was talking about... you'd get the virus. You don't have to open attachments anymore. You can get the virus anyway, just by opening it. And if you don't have paranoid settings in your email program, sometimes you can get the malware, simply by clicking on the email to select it for deletion, or whatever...
It could, of course, have been sent by your computer without your knowledge. Probably the least likely answer in your case.
Or, the very most likely scenario is that someone out there that has you in their address book, is infected. The virus sent out an email to everyone in the address book, and used another address in the book, as the spoofed "sent from" address. You got the return email because your address was used to send the email to the non-working email address.
Ignore all of these. Do not open them. Do not try to get the message back to someone that you think is infected. Do not bother your isp.
Doing any of these things can result in someone else getting your email address as a confirmed email address. In other words, an address that someone obviously cares enough about to actually be reading the received emails. Makes you more valuable both as an email list for sale, unwilling participant, and as a mark for those who wish to use your computer to attack others.
I suggest you do the following... Do it step by step. You don't have to understand all of it, just follow the steps exactly. Do not leave anything out. A bit of time and patience now can save severe headaches in the future. Note, I have pretty much copied this list from a security forum. Nutshelled some of it, and added my own comments.
1. Immediately update your AV program. Then get off the internet. Physically disconnect if you have to. Run your av in as complete a mode as possible. All files of all kinds, everywhere on your computer. Every kind of scan possible. Including heuristics.
Do the same with any antispyware and antitrojan programs you already have.
Make sure that all other processes are stopped when you do these. Especially make sure there are no browser windows open. This goes for any of the rest of the steps as well. Common sense of course, will tell you that you need the browser open, and need to be connected for some of the stuff. Other than that, shut everything down except what you are running currently.
2. Go to : http://www.pandasoftware.com/products/activescan/ and do the online scan. Yes, you have norton. I won't get into what I think of Norton here. The simple fact is that no matter what you have for protection, it is not going to find everything. Just about everything can be compromised, sooner or later as well. You need to do an independent online scan. And Panda is one of the best. Don't use the online scanner from the same company that you have gotten your av program from. No matter what program you have.
Follow the directions there exactly, and have the patience to let it do its job, even if it takes all day. This may take a long time.
Write down exactly whatever it says it finds. Let it fix the problems. If you let the problem remain, even if it is in a crucial area... you are wasting your time trying to be safe.
It's kind of like buying a box of rubbers, then cutting the ends off of all of them because they are too short. Or they don't feel good. Or whatever. What's the point ?
3. Download and run all of the following...
3.1. CWShredder (free) http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Alternate download site: http://www.majorgeeks.com
a) Download and run CWShredder.exe.
b) If CWShredder immediately shuts-down, try running it again.
c) If CWShredder still doesn't run:
(i) Download PepiMK's CoolWWWSearch.Smartsearch killer. http://www.safer-networking.org/files/delcwssk.zip
(ii) Run CoolWWWSearch.Smartsearch.
(iii) Then return to CWShredder to clean up.
d) In CWShredder, click "check for update".
e) If an update is available, click "Download and open the update".
f) Click "Scan only".
g) If Coolwebsearch keeps returning, or if a scanner says you have cws.searchx, you need to take some extra steps before you carry on to see what else you have, go here: http://www.spywareinfo.com/~merijn/cwschronicles.html
Post in the BBR Security Forum for specific assistance. http://www.dslreports.com/forum/security
If you need to find the "hidden appinit value" used by certain versions of CoolWebSearch, proceed with each step until you get to step 5.
3.2. Spybot S&D (donationware) If you have it, upgrade it. If you don't, get it from: http://www.safer-networking.org/
a) Download and install Spybot S&D.
b) Click on "Update" in the left column. (Do this even if you have just downloaded the program.)
c) Click on "Search for Updates".
d) Select a download location (usually one close to you).
e) Click "Download Updates" and wait for the updating process to finish.
f) Check that all Internet Explorer (web browser) windows are closed.
g) Click "Search and Destroy" in the left column.
h) Click "Check for Problems".
i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
3.3 Ad-aware (donationware): http://www.lavasoftusa.com/software/adaware/
Alternate download site: majorgeeks.com
a) Download and install Ad-aware.
b) Click "Check for updates now" in the lower right. (Again, even if you have just downloaded the program.) (Note, there may be a newer version of the program itself. Go look and find out. Don't just wait for it to say hey buddy they got a newer program. If so, download that, install it, upgrade it and run it.)
c) Click "Connect" and then "OK".
d) When the updating process finishes, click "Finish".
e) Click on the gear icon in the upper right (Settings).
f) Click "Scanning".
g) Select:
- "Scan within archives"
- "Scan my IE Favorites for banned URLs"
- "Scan my hosts file"
h) Click "Tweaks".
i) Click "Cleaning Engine".
j) Select "Automatically try to unregister objects prior to deletion".
k) Click "Proceed".
l) Click "Start".
m) Select "Use custom scanning options".
n) Click "Next" and wait for the scanning process to complete.
o) Select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
p) Reboot your computer.
q) Repeat from step (l) through step (p) until no more items are found. Yes. Repeat.
4. Download, install and update an anti-trojan (AT) program. Record exactly the names of any problems it turns up. Then quarantine and cure the malware.
TDS-3 and Port Explorer (30 day free trial): http://www.diamondcs.com.au
Do a trojan scan:
a) Download and run TDS-3.
b) Click "TDS" and "Update TDS Databases Now".
c) Click "System Testing" and select a "Full System Scan".
d) Record the results.
e) Follow the instructions to quarantine and cure any unexplained files.
f) Reboot and re-scan.
g) Repeat steps (c) through (j) until nothing new is detected.
Investigate the open ports:
h) Unplug your computer from the Internet.
i) Disable any software firewall you may be running (for example, ZoneAlarm, Sygate, Kerio, NPF).
j) Click "Network" and select "LocalHostScanner".
k) In the targeted ports tab, select "trojan.txt".
l) Make sure the IP/Hostname is 127.0.0.1.
m) On the scanner tab, click start and wait for the scan to complete.
n) Note which ports it says are open (listening) (it is normal to have some ports open, so don't be alarmed).
o) Determine what programs are listening on the open ports using the procedures here: http://www.dslreports.com/faq/9444
p) Save the information above and include it in your posting in the BBR Security forum.
q) Now you may re-activate your software firewall, and then plug back into the Internet.
TrojanHunter (30 day free trial): http://www.misec.net/products/
Trojan hunter is the one trojan protection program I have actually bought. It is good.
BOClean: http://www.nsclean.com/boclean.html
This should solve any problems you may have. If it doesn't, then I'll direct you to a program called HiJack This. You will run a scan... AND DO NOT FIX ANYTHING WHATEVER. Just get the log, and we'll submit it at DSLReports security to see if there is a real problem.
Spyware blaster is also an excellent program to have installed and protecting your computer.
StartDreck is another program slightly similar to hijack this. Sometimes, what one finds, the other doesn't.
Always keep your security programs up to date. Both in updates, and in upgrades. Never connect to the internet without a firewall. Hardware firewalls are the best. But it is good to have a software firewall even then, because they can block outbound traffic and most hardware firewalls don't.
"Criticism without instruction is little more than abuse." D.Sweet
Luka: Good grief!!! I hope you kept a copy of that epic - someone else may ask the same question a few months down the road.
I will start on your list tomorrow - too late now to do that much work.
I have identified two separate address lists that I am on, so I can now almost tell whose computer is infected by the names I get back.
Really insidious.
Thanks for the help.
Don
The GlassMasterworks - If it scratches, I etch it!
I'm doing better than that for everyone who attends Rhodefest.
I am going to make up a cd with all the needed programs, and some text files to explain each program. And a list to follow, that may be a bit more comprehensive than the above.
I will not be selling them.
The programs will be freeware or shareware. Maybe with some recommendations for programs that cost.
Anything like the above, (From dslreports security forum.), that I use, (even if I make a lot of changes), will be credited.
I think I'll copy this to the fest forum.
"Criticism without instruction is little more than abuse." D.Sweet
Luka: Took first two steps today - running Ad-aware & Norton w/ everything closed down. I got a fresh update from Norton, closed down & ran everything. Norton found nothing; Ad-aware found 16 items, all data miners. Don't have a printer here at house - it's in shop, so I can only do what I can remember. I pick up an average of 15 data miners per day, and all of them seem to repeat - makes sense, I always go to the same places. Other than here, Bob Walker & Pino would have a cow over them. Piffin would probably approve.
At least I got strikes in my first two frames. On the way to a 300 game - I hope.
Thanks again.
Don
The GlassMasterworks - If it scratches, I etch it!
I can vouch for spybot and adaware, both free and easy! Try also the free virus scan from Trend Micro, also easy to do, just takes a little time.
http://housecall.trendmicro.com/housecall/start_corp.asp
This free scan found and removed harmful things that my Norton subscription could not even find.