A few days ago my husband made the mistake of clicking on a link from a friend of his. The email looked like and seemed to be written in a manner that did not make my husband suspicious, so he clicked on it (his friend had sent similar emails before). He stated it took him to some weird ad site. Approx 1-2 days later he noticed his Yahoo email started getting a ton of failure notice emails (from the MAILER-DAEMON@yahoo.com). It appeared that his email (maybe his computer?) got compromised when he clicked on the link.
He immediately contacted the friend and the friend confirmed it was some kind of virus email. From what we could tell it went through his entire contact list and emailed everyone within his list with the bad link. We contacted all those on his list to let them know his email had been compromised.
It also added several email addresses to his contact list that we did not recognize. We were freaked out so we deleted them - now I wish I had written them down, as we can't recall what they were. All the bad emails that got sent out were similar in nature.
We deleted all the failure notice emails and ran Malwarebytes as well as MSE scans. The scans did not find anything. We also immediately changed all passwords and security questions.
However - we are really worried that our computer has some kind of trojan or worm or something worse that was not picked up by the scans?
Below is a copy of the email that had gone out and then came back as a failure notice. (Removed personal email addresses)
We would appreciate any help provided!
Received: from [220.127.116.11] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [18.104.22.168] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [127.0.0.1] by omp1045.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: (qmail 75846 invoked by uid 60001); 31 May 2012 01:28:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1338427732; bh=/q9PpqusCdVpklG5qxJ7bjS/tc4xPMXqTz5qYvDF0mQ=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=jPp8F48VPhYPRwGREnrGAUBnJely3E/KWB1YJCb5qqUQzEK7y82b/jX1WjxZJTQi+hqmFeGTVWw+zHjroYU7YXi0ssh1ceKrjIfM0IisC4GT26dJ/G7dJDuB4kCYYxCq18HvFKHKSy4c/vJse7JPGIyva+Tcg3+JjWiIwUTZ5zM=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
Received: from [22.214.171.124] by web39406.mail.mud.yahoo.com via HTTP; Wed, 30 May 2012 18:28:52 PDT
Date: Wed, 30 May 2012 18:28:52 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
wow this is crazy check it out
httpxx://xxwww.stenews.net/biz/?news=9708457xxxx
Mod Edit: Disabled potentially dangerous link - Hamluis.
Edited by hamluis, 02 June 2012 - 04:44 PM.