Solved

Infection is sending out spam from my AOL account.

Posted on 2008-10-09
20
4,541 Views
Last Modified: 2010-04-21
I have AOL 9.1 on my Windows Vista PC. I am getting Mailer-Daemon message delivery failure notifications in my inbox. A few hundred or more every day. They are due to spam being sent out from my AOL account. AOL said that I must clean my PC of the infection and then change my AOL password.

So far I have scanned with 5 programs and they have removed everything they've found. McAfee, Superantispyware, Adware Away, Malwarebyte's Anti-Malware, and Trend Micro House Call.

I must still be infected because after changing my account password, someone/something is still able to send mail from my AOL account. Is anyone familiar with this infection? Have any suggestions for removing it? I've used Microsoft's Process Explorer to look at every running process and they all appear to be valid. This leads me to believe that one of my valid processes has an infected DLL or something similar. I'd rather not have to wipe the PC and start fresh. Help!
Question by:rnapro
20 Comments
 
LVL 21

Accepted Solution

by:
silemone earned 500 total points
ID: 22681771
lol...well at this point you have to understand if someone had a virus that sent them back information they probably have access to other accounts..what is your secondary email account (you know the account that your password is sent to in case you forget the password)? maybe they have access to that where every time you change emails, they get a copy of the change sent to that account...change your secondary account and then change password and see if that helps...also, they may have added a question that allows them to get the address of your account...
0
 
LVL 21

Expert Comment

by:silemone
ID: 22681779
oops
meant

also, they may have added a question that allows them to get the PASSWORD of your account...
0
 
LVL 15

Expert Comment

by:tenaj-207
ID: 22681804
I would take the hard drive out of your computer then scan it from another PC with multiple virus/spyware software.  Then put the hard drive back into your computer and rescan again.
0
 

Author Comment

by:rnapro
ID: 22681825
Would that really help in the detection of the infection? I typically take the hard drive out and scan from a different PC if I'm having trouble removing a detected infection. However my detection rate of infections has been far better when scanning the computer with it running, i.e. it detects the infection running in memory.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22681923
I can think of two quick things to try.
1) Run your scans in Safe Mode.
2) Run SFC SCANNOW
If you have an infected system file SFC SCANNOW should detect and replace it.
SFC SCANNOW normally takes between 15 and 40 minutes to complete. You will need your OS CD.  
http://www.updatexp.com/scannow-sfc.html
0
 
LVL 15

Expert Comment

by:tenaj-207
ID: 22682003
Spyware gets embedded into the system and once it starts it puts blocks in place to keep it from being removed. That's why putting the hard drive into an external enclosure and scanning it from a different machine does a better job than running spyware/virus scans on a live machine.

David-Howard suggests that you run the scan in safe mode. This is for the same reason. Spyware often doesn't start in safe mode so you can remove it more easily.

So the answer is yes, removing the drive does really help clean infections more thoroughly.
0
 

Author Comment

by:rnapro
ID: 22682053
OK I have changed the Primary Screen Name's password and security question and answer and then my account password, security question and answer. Will post on here if the problem persists.
0
 

Author Comment

by:rnapro
ID: 22682067
I agree that it helps to 'remove' infections. However I haven't had any issues with removing any infections that have been detected by the scans. Every infection that has been found has been successfully removed. Do you really believe that it will help to 'detect' an infection that has not been previously detected?
0
 

Author Comment

by:rnapro
ID: 22682075
"2) Run SFC SCANNOW
If you have an infected system file SFC SCANNOW should detect and replace it.
SFC SCANNOW normally takes between 15 and 40 minutes to complete. You will need your OS CD.  
http://www.updatexp.com/scannow-sfc.html"

Does this work in Vista?
0
 
LVL 15

Expert Comment

by:tenaj-207
ID: 22682150
Yes, but you have to run it from an administrative prompt. To do this click on Start, then in the Start Search bar type in cmd. Right click on the cmd.exe icon that shows up in the list above and choose "Run as administrator". This will open a command prompt with administrator rights. Now you can type in sfc /scannow, and with Vista you don't even need the OS CD.
0
 

Author Comment

by:rnapro
ID: 22682691
I ran sfc /scannow and it didn't find any problems.
0
 
LVL 21

Expert Comment

by:silemone
ID: 22686713
Is it still sending out spam since the email change?
0
 

Author Comment

by:rnapro
ID: 22686972
There are 2 PCs that use this AOL account. The home PC is the one that is the culprit. After it gets used a little more (maybe tonight or this weekend) we'll see if the problem persists. Then I will post on here again or accept an answer and award points.
0
 
LVL 31

Expert Comment

by:rid
ID: 22694170
The situation you describe could be an external problem. Someone else is sending SPAM with your address entered (falsely) as sender. When the messages bounce (many do, as lots of SPAM messages go to nonexistent addresses), they return to the "sender", which looks as if it were you, as your address is in the "FROM" field of the message.

Before going to drastic measures on your system, make sure this above scenario is not the case.
/RID
0
 
LVL 15

Expert Comment

by:tenaj-207
ID: 22696167
To test out RID's suggestion turn both computers off for a day or two. Then when you come back, if you see that a bunch of spam bounce-backs were sent with your name on them, then you know that it is as RID suggests.
0
 

Author Comment

by:rnapro
ID: 22698182
rid and tenaj, thank you for your posts. I guess I left some info out of my post. I've called AOL 3 times on this matter to see if that was the case. They insist that it's due to an infection or a hacker having my account credentials. Not that I ever believe AOL support, but this does appear to be the case. And I seem to have pinpointed that it is the home PC. After scanning and cleaning both PCs I then changed the account passwords on the AOL account. Primary and secondary accounts, and security questions and answers. Then just the work laptop was used for a day or two, no spam. Then almost immediately after logging on, on the home PC, for the first time since changing all the account passwords, the spam started going out again and I started receiving the mailer daemon messages.
0
 
LVL 31

Expert Comment

by:rid
ID: 22698373
A failure message is inserted below. I sent it to a known nonexistent user at my workplace domain and promptly got a "mailer-daemon" failure message. Check your failure messages for the entry in the Received-from-MTA line: does it contain your LAN IP for your problem PC and your external IP? If not, it's not your PC that does it; if yes, it is, and you need to "clean" it again, using other tools, perhaps.
*****************************

 - These recipients of your message have been processed by the mail server:
baduser@domai.com; Failed; 5.1.1 (bad destination mailbox address)

    Remote MTA mail.domain.com: SMTP diagnostic: 550 5.1.1 User unknown

Reporting-MTA: dns; pne-smtpout2-sn2.hy.skanova.net
Received-from-MTA: dns; [192.168.0.180] (MY_WAN.IP.IN.HERE)
Arrival-Date: Sun, 12 Oct 2008 20:23:43 +0200

Final-Recipient: rfc822; baduser@domain.com
Action: Failed
Status: 5.1.1 (bad destination mailbox address)
Remote-MTA: dns; mail.domain.com
Diagnostic-Code: smtp; 550 5.1.1 User unknown

Return-Path: <my.mail@myisp.com>

/RID
0
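The Received-from-MTA check rid describes, as an added example that is not part of the thread or of any AOL tool: it parses the per-message fields of a bounce (the message/delivery-status part, RFC 3464), pulls every IPv4 literal out of Received-from-MTA, and reports whether both the home PC's LAN address and the household's public IP appear, which is what separates "my PC sent it" from a spoofed sender or a remote party using stolen credentials. The sample bounce, host names and IPs are constructed placeholders; note that Received-from-MTA is optional and its format varies between mail servers, so an absent field means "no evidence", not "not my PC".

```python
import re
from ipaddress import ip_address

# Constructed sample DSN modelled on the bounce quoted above; host names
# and IPs are placeholders (RFC 5737 documentation range), not real servers.
SAMPLE_DSN = """\
Reporting-MTA: dns; smtpout.example-isp.net
Received-from-MTA: dns; [192.168.0.180] (203.0.113.45)
Arrival-Date: Sun, 12 Oct 2008 20:23:43 +0200

Final-Recipient: rfc822; baduser@domain.com
Action: Failed
Status: 5.1.1 (bad destination mailbox address)
Remote-MTA: dns; mail.domain.com
Diagnostic-Code: smtp; 550 5.1.1 User unknown
"""

# Dotted quad not glued to other digits/dots (so "1.2.3.4.5" is not matched).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_dsn_fields(text):
    """Parse the 'Field: value' lines of a message/delivery-status part.

    Keys are lower-cased; a later duplicate overwrites an earlier one, which
    is fine for the per-message fields we care about here.
    """
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line[:1].isspace():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def received_from_ips(fields):
    """Every valid IPv4 literal in Received-from-MTA (LAN and WAN, if present)."""
    found = []
    for literal in IPV4.findall(fields.get("received-from-mta", "")):
        try:
            found.append(ip_address(literal))
        except ValueError:  # e.g. 999.1.1.1 or a masked placeholder
            continue
    return found


def originated_from_my_host(dsn_text, my_lan_ip, my_wan_ip):
    """True only if the bounce records BOTH our LAN address and our public IP
    as the injection point, i.e. the home PC itself submitted the spam."""
    ips = received_from_ips(parse_dsn_fields(dsn_text))
    return ip_address(my_lan_ip) in ips and ip_address(my_wan_ip) in ips
```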
 
LVL 15

Expert Comment

by:tenaj-207
ID: 22698535
rnapro,

Did you try taking your hard drive out and scanning it with another computer? To do this you'll need an external HD enclosure, which can be found at most electronics stores like BestBuy. Then take the hard drive out of your computer, put it into the enclosure and connect it to your office computer. Then scan your home drive from your office computer with anti-virus software and spyware software. After you run these scans put the drive back into your home computer and rescan again to make sure it comes up clean.

Also make sure that you have System Restore turned off by right clicking on My Computer and choosing Properties. Then go to the restore tab and make sure it's turned off.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22699687
Try running Combofix in Safe Mode and see if it finds any nasties.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 

Author Closing Comment

by:rnapro
ID: 31504802
As Silemone suggested, I had to clean all infected PCs and THEN change all of my AOL account credentials. Primary account, secondary account, passwords, hint questions and answers.
0
