Malware which uses Outlook to send spam everywhere...


16 replies to this topic

#1 Pinotu (Members, 13 posts)

Posted 10 April 2015 - 10:13 AM

I need some advice regarding mail programs. I have used the Outlook program for many years without any trouble. Now, starting about 10 days ago, it sends mails to several different addresses, so I receive tons of "Delivery mail unsuccessful" or something like this, and I was not able to stop this traffic.

I have deleted Outlook and installed TheBat, but the rain of "Delivery Status..." continues as before.

So I have run several Antimalware programs, with the following results:

1) Vipre (no results)
2) S&D Personal Edition (offline) (no results)
3) Malwarebytes Anti-Malware Premium (8 PUPs found and deleted)
4) Malwarebytes Anti-Exploit Premium (no results)
5) Malwarebytes Anti-Rootkit (no results)
6) Loaris Trojan Remover (12 malware items, practically all adware)

 

I have deleted TheBat and reinstalled Outlook, but nothing changes. If I delete the passwords for the accounts, the waterfall of spam ceases, but it is not a permanent solution.

 

Help me please, Pinotu!!




#2 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 14 April 2015 - 03:33 PM

Hi, welcome to Bleeping Computer.

 

 

Are you sure that Outlook is sending those mails? Can you find a record of them in the Sent folder?

 

Can you tell us what type of mail account this is? From your ISP, work, or some free account like outlook.com or gmail.com?


• Please do not PM me asking for support. Post on the forums instead; it increases the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Pinotu (Topic Starter, Members, 13 posts)

Posted 16 April 2015 - 10:58 AM

Many thanks for your reply, and I beg your pardon for my delay. I have an old (not very old, unfortunately, 22/3) TIB backup of my system, so I have wiped the current system and restored the old one. I am running Win7 Ultimate SP1 x64.

I have also deleted and reinstalled Office 2007. I use Outlook 2007, the only mail program I have on my system, with two free accounts (tiscali.it and alice.it) that I have used for the last ten years without any trouble.

Nothing changed...

My Outbox and Sent Items are empty.

 

So I am stuck............

 

However, thanks again.



#4 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 16 April 2015 - 03:42 PM

Hi,

 

Because you restored the system, I don't think the problem continues on your computer.

 

To start, change the passwords for both accounts now to something secure; make sure you use two completely different ones, one for each account, and different from the old ones. This is necessary in case you had some infection before that captured your login details.

 

From the "Delivery mail unsuccessful" reports you received, can you discover whether the e-mail you supposedly sent is spam or malware?

 

Also I would like you to check the mail headers of one of those returned e-mails; maybe they contain some clue about the message source. To check the headers in Outlook 2007, follow this article


Edited by SleepyDude, 16 April 2015 - 03:42 PM.


 
 


#5 Pinotu (Topic Starter, Members, 13 posts)

Posted 17 April 2015 - 02:39 AM

Probably the restored system ghost was not old enough. Now I don't have any "Delivery mail..." because I have deleted them all; I will follow your suggestion when the first one arrives.

 

I am going to change my account passwords right now...

 

Thanks again.



#6 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 17 April 2015 - 03:28 AM

> Probably the restored system ghost was not old enough. Now I don't have any "Delivery mail..." because I have deleted them all; I will follow your suggestion when the first one arrives.
>
> I am going to change my account passwords right now...
>
> Thanks again.

 

Ok, please keep us updated.



 
 


#7 Pinotu (Topic Starter, Members, 13 posts)

Posted 17 April 2015 - 08:19 AM

I have changed both the passwords of my accounts, but two hours later I received six "Undelivered...", all addressed to one of my accounts (alice.it). The content of the last one follows:

======================================

Undelivered Mail Returned to Sender

Mail Delivery System [MAILER-DAEMON@]

This is the mail system at host vmzcss01.epicura.lan.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system


Details
=====
Reporting-MTA: dns; vmzcss01.epicura.lan
X-Postfix-Queue-ID: BD1652C005E
X-Postfix-Sender: rfc822;
Arrival-Date: Fri, 17 Apr 2015 12:31:29 +0200 (CEST)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; epicura.be
=================================


Edited by Pinotu, 17 April 2015 - 09:15 AM.


#8 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 17 April 2015 - 08:26 AM

Hi Pinotu,

 

Please edit your post and remove the e-mail addresses because of spam bots.

 

Is it your e-mail @alice.it that is on the details?



 
 


#9 Pinotu (Topic Starter, Members, 13 posts)

Posted 17 April 2015 - 09:17 AM

> Is it your e-mail @alice.it that is on the details?

 

Yes, sir



#10 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 17 April 2015 - 10:04 AM

Hi,

 

> Is it your e-mail @alice.it that is on the details?
>
> Yes, sir

 

It's a spam problem; possibly your e-mail addresses got collected on some infected PC, which could be yours or that of someone who has your address on their PC. Most likely they found some insecure mail server and are using it to send the mails on your behalf.

 

 

Just to make sure your PC is clean after the restore please run the following scan.

 

Scan with ESET On-line Scanner

Download ESET On-line Scanner, run the tool and follow the prompts to install the program.

  • UNCHECK the boxes Remove found threats and Scan Archives.
  • Click on Advanced Settings, and check the options:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Disable your AntiVirus and AntiSpyware applications to speed up the scan
    (If you have difficulty properly disabling your security programs, refer to this link)
  • Click Start and then wait for the scan to finish (it will take some time).
    The virus signature database will begin to download and the scan will start automatically. Be patient, this may take some time depending on the speed of your Internet connection.
  • Once the scan is completed, close the program
  • Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Use Notepad to open the log file located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt
  • Copy and paste the log contents into your reply
  • Enable your AntiVirus and AntiSpyware applications

 



 
 


#11 Pinotu (Topic Starter, Members, 13 posts)

Posted 17 April 2015 - 01:10 PM

Hi, Sleepy, I just finished running ESET Scanner; it was rather long, 1h 31m, in spite of the fact that my system is on an SSD disk. The final screen speaks of 724,266 files scanned with 82 infected files. I have closed the program, but, surprise, no log files. C:\Program Files does not contain any ESET folder; C:\Program Files (x86) contains a folder named ESET, with an ESET Online Scanner subfolder, unfortunately without any log file.

 

I am now re-running ESET Scanner and I will report the results (if any). Thanks a lot, see you later!


Edited by Pinotu, 17 April 2015 - 01:16 PM.


#12 Pinotu (Topic Starter, Members, 13 posts)

Posted 17 April 2015 - 02:10 PM

Here are the results of ESET Scanner:

 

D:\Rete\Adguard\nfapi.dll    a variant of Win32/NetFilter.A potentially unsafe application
D:\Rete\Adguard\ProtocolFilters.dll    a variant of Win32/NetFilter.A potentially unsafe application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSS.exe    a variant of Win32/Systweak.L potentially unwanted application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSSHelper.dll    a variant of Win32/Systweak.N potentially unwanted application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe    a variant of Win32/Systweak.L potentially unwanted application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSSRegClean.exe    a variant of Win32/Systweak potentially unwanted application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe    a variant of Win32/Systweak.L potentially unwanted application
D:\ZIP\WinZIP\Utils\WzSysScan\WINZIPSSSystemCleaner.exe    a variant of Win32/Systweak.L potentially unwanted application
D:\_Netfiles\Save\Today\Adobe Acrobat Pro DC 2015.007.20033 Multilingual\crack\xf-aarpxi\xf-aarpxi.exe    a variant of Win32/Keygen.HA potentially unsafe application
D:\_Netfiles\Save\Today\Adobe Acrobat Pro DC 2015.007.20033 Multilingual\crack\xf-adobecc2014\disable_activation.cmd    BAT/HostsChanger.A potentially unsafe application
D:\_Netfiles\Save\Today\Adobe Acrobat Pro DC 2015.007.20033 Multilingual\crack\xf-adobecc2014\xf-adobecc2014.exe    a variant of Win32/Keygen.HA potentially unsafe application
D:\_Netfiles\Save\Today\Grafici\FastStone Capture 8.1 Final\keygen.exe    Win32/Keygen.IE potentially unsafe application
D:\_Netfiles\Save\Today\System\Unlocker1.9.1\Unlocker1.9.1.exe    Win32/Adware.ADON potentially unwanted application
D:\_Netfiles\Save\Today\Virus\GridinSoft Trojan Killer 2.2.6.9\trojan.killer .64bit.-patch.exe    a variant of Win32/HackTool.Patcher.AD potentially unsafe application
D:\_Netfiles\Save\Today\Virus\GridinSoft Trojan Killer 2.2.6.9\trojan.killer. 32bit.-patch.exe    a variant of Win32/HackTool.Patcher.AD potentially unsafe application
D:\_Netfiles\Save\Today\Virus\Malwarebytes Anti-Malware Premium 2.1.4.1018 Multilanguage\KG\SND\keygen.exe    a variant of Win32/Keygen.HY potentially unsafe application
E:\Cracks\Microsoft Office 2007 Mega Keygen Pack\Office 2007.exe    Win32/Keygen.HB potentially unsafe application

 

Have a good day, I am going to bed...
 


Edited by Pinotu, 18 April 2015 - 02:30 AM.


#13 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 18 April 2015 - 06:49 AM

You mention 82 infected files but the list above is way smaller!

 

ESET found some PUPs and several cracked programs! Using pirated software is illegal and one of the best ways to get infected; consider yourself warned.

 

You should run a scan with Malwarebytes Free, legitimately available here.



 
 


#14 Pinotu (Topic Starter, Members, 13 posts)

Posted 18 April 2015 - 11:05 AM

Many files have been archived on CD or DVD, and I left them behind only for convenience. I have worked on computers for twenty years, and I have never encountered a similar situation. I have been retired for many years, and I don't use software for professional reasons, but only as a pastime.



#15 SleepyDude (Malware Response Team, 2,937 posts, Portugal)

Posted 18 April 2015 - 12:20 PM

Hi,

 

Did Malwarebytes detect anything?

 

Any new returned mails? Check them to see if any of those reports include the full e-mail message; some servers return the full e-mail message, and its headers can contain useful information to track the source of the e-mails.


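The header check SleepyDude asks for in posts #4 and #15, and the diagnosis in post #10 (someone else's server sending with your address as the sender), can both be automated. The following Python is an added example, not code from the thread or from any of the posters. It parses a Postfix-style bounce of the kind quoted in post #7 (a multipart/report with a message/delivery-status part and, when the server includes it, the returned original as message/rfc822), pulls out the failed recipients, then walks the returned message's Received headers back to the earliest hop and compares that IP with the sending provider's outbound ranges. The sample bounce, every host name, address and IP in it, and the provider ranges are constructed placeholders; a real check would take the ranges from the provider's SPF record.

```python
"""Bounce (DSN) triage: where did the "sent" message really enter the mail system?

Added example; not code from the thread or from any of the posters.
"""
import ipaddress
import re
from email import message_from_bytes

# Constructed multipart/report bounce (RFC 3464), modelled on the Postfix
# report quoted in the thread. Hosts, addresses and IPs are placeholders
# from reserved example ranges, not data from the post.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.example.be
To: victim@alice.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.be.
Your message could not be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.be
Arrival-Date: Fri, 17 Apr 2015 12:31:29 +0200 (CEST)

Final-Recipient: rfc822; someone@example.be
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host example.be said: 550 no such user

--B1
Content-Type: message/rfc822

Received: from mx.example.be (localhost [127.0.0.1])
    by mx.example.be (Postfix) with ESMTP id 2A0F1; Fri, 17 Apr 2015 12:31:29 +0200
Received: from unknown (HELO mail.alice.example) (203.0.113.77)
    by mx.example.be with SMTP; Fri, 17 Apr 2015 12:31:28 +0200
From: victim@alice.example
To: someone@example.be
Subject: special offer
Date: Fri, 17 Apr 2015 12:31:20 +0200

buy now
--B1--
"""

# Hypothetical outbound ranges of the account's own provider. In practice,
# take these from the provider's SPF record (the TXT record of its domain).
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def parse_bounce(raw):
    """Return the delivery-status fields and the returned original message (if any)."""
    msg = message_from_bytes(raw)
    report = {"reporting_mta": None, "recipients": [], "original": None}
    if msg.get_content_type() != "multipart/report":
        return report
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The stdlib parser splits this part into header blocks: the first
            # block is per-message, each following block is per-recipient.
            blocks = part.get_payload()
            report["reporting_mta"] = blocks[0].get("Reporting-MTA")
            for blk in blocks[1:]:
                report["recipients"].append({
                    "final_recipient": blk.get("Final-Recipient"),
                    "action": blk.get("Action"),
                    "status": blk.get("Status"),
                    "diagnostic": blk.get("Diagnostic-Code"),
                })
        elif ctype == "message/rfc822":
            report["original"] = part.get_payload(0)
    return report


def first_hop(original):
    """Earliest Received header: where the message entered the mail system.

    Relays prepend Received headers, so the last one is the oldest hop.
    Returns (helo_name, ipv4) with None for whatever could not be parsed.
    Only IPv4 is handled here (assumption kept for brevity).
    """
    hops = original.get_all("Received") or []
    if not hops:
        return None
    entry = hops[-1]
    m_from = FROM_RE.match(entry)
    m_ip = IPV4_RE.search(entry)
    return (m_from.group(1) if m_from else None,
            m_ip.group(1) if m_ip else None)


def sent_from_provider(ip, nets=PROVIDER_NETS):
    """True if the entry IP lies inside the provider's outbound ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(raw, nets=PROVIDER_NETS):
    """Summarise a bounce: who it failed for, where it came in, and whether the
    sender address was used by a host outside the account's provider."""
    report = parse_bounce(raw)
    verdict = {
        "reporting_mta": report["reporting_mta"],
        "failed": [r["final_recipient"] for r in report["recipients"]
                   if r["action"] == "failed"],
        "first_hop": None,
        "forged_sender": None,
    }
    original = report["original"]
    if original is None:
        verdict["note"] = "bounce did not include the original message"
        return verdict
    hop = first_hop(original)
    verdict["first_hop"] = hop
    if hop and hop[1]:
        verdict["forged_sender"] = not sent_from_provider(hop[1], nets)
    return verdict


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

On the constructed sample the entry hop announces itself as the provider's mail host in HELO but connects from an address outside the provider's ranges, so the verdict is `forged_sender: True`: the message never passed through the account owner's mailbox, which matches the empty Sent Items folder in post #3. When the bounce carries only the delivery-status part and no original message, there is nothing to trace and the function says so instead of guessing.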

 
 




