Email is receiving thousands of message failures

13 replies to this topic

#1 AzureDrag0n1

Posted 31 May 2012 - 06:20 PM

I am using Windows XP SP3.

At around May 30th Outlook 2003 at the receptionists desk started to receive thousands of mail delivery failures. At least 10,000 by now. Every time send/receive is hit we get a batch of a few thousand. Here is an example of one of them:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

efreeman@aluma.com
SMTP error from remote mail server after RCPT TO:<efreeman@aluma.com>:
host mail.beis.com [74.205.253.126]: 554 Service unavailable; Client host [ev1s-216-40-232-24.theplanet.com] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=216.40.232.24

------ This is a copy of the message, including all the headers. ------

Return-path: <networkreg@networkregroup.com>
Received: from 189.202.85.171.cable.dyn.cableonline.com.mx ([189.202.85.171]:31418 helo=MYSPACE-03)
by terrain.slmserver.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.77)
(envelope-from <networkreg@networkregroup.com>)
id 1SZY60-0002sk-G2
for efreeman@aluma.com; Tue, 29 May 2012 20:53:08 -0500
From: Elodia Ramirez <networkreg@networkregroup.com>
To: efreeman@aluma.com <efreeman@aluma.com>
Subject: Buy Cheap Viagra Without Prescription
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3538.513
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3538.513
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

VVNQUyBEZWxpdmVyeSBTaGlwcGluZyAxLTQgRGF5IFVTQSAmIEV1cm9wZQ0KUHJvZHVjdCBRdWFs
aXR5IDEwMCUgR3VhcmFudGVlZA0KVS5TLiAmIENhbmFkYSBMaWNlbnNlZCBQaGFybWFjaWVzDQoN
Cmh0dHA6Ly9tZWRpY2h1bW8ucnU=

I ran Avast and it found nothing. I turned off Avast and ran Malwarebytes and it found 21 objects. This is the log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.31.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
djackson :: NRGWK02 [administrator]

Protection: Enabled

5/31/2012 3:11:12 PM
mbam-log-2012-05-31 (15-11-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 415930
Time elapsed: 1 hour(s), 17 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\Software\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QTUPDATE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 13
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE|24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE|7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search| (Adware.Hotbar) -> Data: http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000336&p=ZRxdm889YYUS&si=&a=Aohm3Q1KpzTgNDy1k9hxjA&n=2011061009 -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MyWebSearch Email Plugin (PUP.MyWebSearch) -> Data: C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mslivesvc.exe (Trojan.Agent) -> Data: C:\Documents and Settings\djackson\Application Data\mslivesvc.exe -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Protection Center (Rogue.ProtectionCenter) -> Data: "C:\Program Files\Protection Center\cntprot.exe" -noscan -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|My Web Search Bar Search Scope Monitor (PUP.MyWebSearch) -> Data: "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\djackson\Local Settings\temp\POS43.tmp (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\djackson\Local Settings\temp\POS44.tmp (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Program Files\TotalRecipeSearch_14EI\Installr\1.bin\14EIPlug.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Program Files\TotalRecipeSearch_14EI\Installr\1.bin\NP14EISb.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.

(end)

I removed everything it listed. I am still receiving thousands of mail delivery failures. In addition this has created another serious problem in that no one in the company is able to have their legitimate mail received because it is all being blocked as spam to whomever it is sent to. Now we get mail delivery failure to whomever we send it to so long as it is coming from @networkregroup.com.

I would like to add that the computer at the receptionist desk has had a history of malware infection in the past although only every few years or months.

What can I do to fix this?

Edited by hamluis, 31 May 2012 - 06:49 PM.
Moved from XP to Am I Infected - Hamluis.
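The bounce quoted above carries the one header that settles what happened: the earliest "Received:" hop says the spam was accepted "by terrain.slmserver.com with esmtpsa", and in Exim's naming the trailing "a" means the client logged in with SMTP AUTH. The following triage script is an added example, not code from the thread; it parses that hop and separates "our login was used on our own relay" (change the password) from "our address was forged somewhere else" (pure backscatter). It assumes slmserver.com is the company's outbound relay; the header text is copied from the first post, with the spam body left out.

```python
import re
from email.parser import HeaderParser

# Headers copied from the bounce in post #1 (spam body omitted). Continuation
# lines are indented as RFC 5322 requires so the stdlib parser keeps them.
BOUNCE_COPY = (
    "Return-path: <networkreg@networkregroup.com>\n"
    "Received: from 189.202.85.171.cable.dyn.cableonline.com.mx"
    " ([189.202.85.171]:31418 helo=MYSPACE-03)\n"
    "\tby terrain.slmserver.com with esmtpsa (TLSv1:RC4-MD5:128)\n"
    "\t(Exim 4.77)\n"
    "\t(envelope-from <networkreg@networkregroup.com>)\n"
    "\tid 1SZY60-0002sk-G2\n"
    "\tfor efreeman@aluma.com; Tue, 29 May 2012 20:53:08 -0500\n"
    "From: Elodia Ramirez <networkreg@networkregroup.com>\n"
    "Subject: Buy Cheap Viagra Without Prescription\n"
    "X-Mailer: Microsoft Windows Live Mail 15.4.3538.513\n"
    "\n"
)

# Exim-style trace line. Protocol names ending in "a" (esmtpa, esmtpsa)
# mean the submitting client authenticated with SMTP AUTH.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?::\d+)?\s+helo=(?P<helo>[^)\s]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
)

def parse_received(value):
    """Return client IP, HELO name, receiving relay and auth flag for one hop."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    hop["authenticated"] = hop["proto"].lower().endswith("a")
    return hop

def triage_bounce(raw_headers, our_relay):
    """Classify a bounced copy: used login on our relay vs. forged elsewhere."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return None
    origin = hops[-1]                      # the earliest hop is listed last
    via_us = origin["by"].lower().endswith(our_relay.lower())
    if via_us and origin["authenticated"]:
        verdict = "authenticated submission through our relay: change the mailbox password"
    elif via_us:
        verdict = "unauthenticated relay through our server: check relay restrictions"
    else:
        verdict = "sent elsewhere with our address forged: backscatter, publish SPF/DMARC"
    return {"client_ip": origin["ip"], "helo": origin["helo"],
            "relay": origin["by"], "verdict": verdict}
```

Run against the quoted bounce it reports the Mexican cable-modem client IP, the bogus HELO "MYSPACE-03" and the password-change verdict, which matches what post #8 later found.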



#2 hamluis

Posted 31 May 2012 - 06:45 PM

Someone has access to your email account and address book, IMO.

On a much smaller scale...same thing happened to me a couple of weeks ago...I started receiving these notices of undeliverable email to persons in my online address book...which I had not seen.

I changed the login/password for my online email account...and it ceased occurring.

Louis

#3 cryptodan

Posted 31 May 2012 - 06:49 PM

I would recommend following this guide:

http://www.bleepingcomputer.com/virus-removal/remove-protection-center

Per the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Protection Center (Rogue.ProtectionCenter) -> Data: "C:\Program Files\Protection Center\cntprot.exe" -noscan -> Quarantined and deleted successfully

#4 AzureDrag0n1

Posted 01 June 2012 - 02:56 PM

Alright, I did all this, but how would I go about fixing the receiving of thousands of failure-to-send message emails, or removing our legitimate emails from spam lists? I am still receiving thousands of message failed to deliver notifications.

I am also not sure about this, but with Outlook you do not need any passwords to use that email normally. At least no passwords should have been compromised, as they were never entered anywhere near the times when the email account was hijacked. Email is set up on a POP3 server.

#5 cryptodan

Posted 01 June 2012 - 03:04 PM

Is it just the one machine or the profile.

#6 AzureDrag0n1

Posted 01 June 2012 - 04:02 PM

Is it just the one machine or the profile.


What do you mean? Where the infection was at? If you mean infection then it was the machine and also the profile I think. If you mean email then the email info is in a profile.

The profile name was djackson.

Edited by AzureDrag0n1, 01 June 2012 - 04:07 PM.


#7 cryptodan

Posted 01 June 2012 - 06:26 PM

I would rebuild the users profile, and see if the issues resolve. I would also delete the profiles from all the computers he has used.

#8 AzureDrag0n1

Posted 04 June 2012 - 03:49 PM

Ok, seems like I figured it out. Somebody hacked our online server that had everybody's email accounts, where the hacker then used email accounts that had little to no activity and sent out hundreds of thousands of emails loaded with viruses. Changed the password for our online server and called everybody in the company to run their antivirus. This should hopefully fix the problem.

#9 cryptodan

Posted 04 June 2012 - 03:59 PM

How big is the company?

#10 AzureDrag0n1

Posted 04 June 2012 - 04:24 PM

Not very large. Only a dozen or so employees at any one time.

#11 cryptodan

Posted 04 June 2012 - 04:46 PM

What is your current anti-virus solution?

#12 AzureDrag0n1

Posted 04 June 2012 - 05:31 PM

Everyone has their own, but I mainly use Malwarebytes and Microsoft Security Essentials. I think most people have AVG, but one person has Avast that I recall.

#13 cryptodan

Posted 04 June 2012 - 05:35 PM

I would recommend that you all use the same AV, and designate a night to have each machine scanned at a certain time.

#14 AzureDrag0n1

Posted 08 June 2012 - 02:42 PM

Is there any reason for everyone to use the same AV? Anyway, what steps can I take to get us whitelisted again?



