I was a zombie for an hour

[tschofie]

My technophobe father checked his email on my computer while I was logged into my own email account, and shortly thereafter I discovered that I'd been flooding friends and family with, well, you know what.

I closed the browser; ran msconfig; updated SUPERanitspyware (free), Spybot S&D, Pandacloud, Spywareblaster, Avast antivirus (free); then got offline and ran 'em. Nothing, nothing. Next was McAfee's latest stinger, Rootkitrevealer, Sophos antirootkit. Nuthin'.

Now I'm really mad.

Either there's something devious going on, or one of my knee-jerk reactions obliterated the worm, or... I just don't know what to look for.

Anybody know what's going on? The spam itself was left in my outbox -- definitely not a neat job -- and seems to point to various corruptions of USnews' website, eg. 'us-newsonline dot net', 'read-usnews dot com', 'usnews9 dot com', etc. It's all weight-loss-type spam.

Halp!

[Farelf]

Well, we were warned about a mass-mailing worm - http://www.symantec.com/business/security_...-090922-4703-99 - but that sounds nothing like the operation you seem to be describing. You say "something" seems to be sending spam through your webmail? With copies in your outbox, just as if you sent them yourself? That would seem like someone has hijacked your account. First thing I would suggest is changing your password.

Is new spam appearing in your outbox?

What did you change in msconfig?

How secure is your internet connection? Wireless?

What version of Windows are you running?

What is your browser?

[tschofie]

Hiijacking is a possibility, I suppose... but my father also says his webmail account was also sending out spam. (Recipients were emailing him back.) I'd foolishly left my webmail open and logged in while I was gone. Still, thanks for the point about the password -- I'll go change it now.

No new spam is appearing at present.

I did not change msconfig, was just checking for anything weird. Should I change anything?

Connection isn't very secure -- just kind of standard. Wireless, WEP.

Windows XP, SP1 (could that be the problem? I'll get onto the other SPs.)

Trouble occurred under firefox; switched to chrome for the fixes.

Hijack This doesn't seem to show anything suspicious. I'll play around with packet sniffers a bit, too.

[Farelf]

Hiijacking is a possibility, I suppose... but my father also says his webmail account was also sending out spam. (Recipients were emailing him back.) I'd foolishly left my webmail open and logged in while I was gone. Still, thanks for the point about the password -- I'll go change it now. ...

Password change is always a good move. Not sure anything your father might do accessing his webmail from your computer that would cause this, short of inadvertently downloading a keylogger or something - and any such nastiness should have been detected by the scans you've done. Well, there are versions of these things that get out before the updates necessary to detect them are issued, won't hurt to re-scan with updated malware/virus updates from time to time. But it doesn't seem a highly likely explanation, especially if you've had your Hijack This listing scruitinized.

...No new spam is appearing at present.

I did not change msconfig, was just checking for anything weird. Should I change anything?

Connection isn't very secure -- just kind of standard. Wireless, WEP.

Windows XP, SP1 (could that be the problem? I'll get onto the other SPs.)

Trouble occurred under firefox; switched to chrome for the fixes.

Hijack This doesn't seem to show anything suspicious. I'll play around with packet sniffers a bit, too.

'No new spam' doesn't sound very zombified, especially a hypothetical variety so unsophisticated it leaves obvious evidence and allows AV updates. msconfig - I believe help with start-up applications is available at http://www.sysinfo.org/startuplist.php - I confess I haven't looked at more than a couple of the thousands of pages of listings there. Worth looking (at least an opportunity to tidy up your start-up list, providing you research it properly - otherwise possible pain).

Connection - I understand the WPA or WPA2 (if available) are very strongly recommended over WEP. Your main risk there is simply with someone piggybacking on your connection. If anyone had the ability to intercept and decrypt your data I would have though they might find something more imaginative to do than taking over your mail account. But, who knows? You should get off WEP just on principle.

Version of Widows doesn't matter - just if solutions emerge some of them might be version-specific. And XP usually isn't locked down to prevent the unquestioned execution of intruding code the way later versions are by default. I would say SP1 is a liability these days - all sort of unpatched vulnerabilities.

[tschofie]

Thanks for the help, Farelf! I'll do some more digging where you recommended. I confess, I'm otherwise downright stumped. Seems like people have had similar problems here: http://forums.techguy.org/general-security...ing-spam-4.html but I was using only webmail, not a client. Hn. :/

[Farelf]

Hope you get it sorted out - but upgrading your wireless security will be one good outcome in any event.

...Seems like people have had similar problems here: http://forums.techguy.org/general-security...ing-spam-4.html but I was using only webmail, not a client. Hn. :/

Your father wouldn't have used Outlook when he was checking his mail would he? Shouldn't think so but there are all sorts of backscatter implications associated with spam - and apparently compounded by the Outlook execution of the "X-Confirm-Reading-To:" header, even when its told not to and even from the junkbox.

But your case seems different if it is sending to your address book. The techguy forum is probably talking about a number of things including backscatter resulting from spoofed addresses and (particularly) including the involuntary "X-Confirm-Reading-To:" Outlook reflex that MS likes to call a "feature" (something worth knowing about, thanks for that lead). In either case that is the sort of behaviour expected when mainstream, massive-volume botnet spam is in the background.

I suppose you should try switching back to Firefox to see if the symptoms recur. Maybe a rogue Add-on. Other than that, the possibility of some sort of scripting, perhaps associated with MS Office (macros) or plain Windows (.scr) scripting. I almost suggested that to start with but the mail account hijack seemed much more likely. Most people can get by with scripting disabled.

It is possible the collective "we" here would know more if we saw an example of the spam you seem to have sent (as a Tracking URL to a cancelled report) but I'm guessing neither you nor any of the addressees you know about are SC reporters?

Whatever, if you can update us if you sort anything out, that would be good.

[petzl]

Thanks for the help, Farelf! I'll do some more digging where you recommended. I confess, I'm otherwise downright stumped. Seems like people have had similar problems here: http://forums.techguy.org/general-security...ing-spam-4.html but I was using only webmail, not a client. Hn. :/

My signature has links to windows virus- security protection (all free and as good as what you pay for)

Another problem with spammers getting email addresses is they are often obtained from "friends" infected computers not only yours

[mienrent]

Well same here...somehow my Server made it to send spam Mails to every contact in my list...automatically and I can't seem to be able to stop it from doing that. Is there anything I can do?

[turetzsr]

Hi, mienrent,

...First, disconnect the computer you normally use from the internet and find another computer from which you can use the internet until you can clean your main one.

...Next (on another computer than the one you usually use) do some searches with you favorite internet search tool to find ways of cleaning up your main computer. Finding some good tools to find and disable or isolate malware are probably going to be necessary. Some of these tools are inexpensive, some are free. Using more than one is a good plan, as some catch malware that others don't. Some tools can be found at the SpamCop Suggested Tools and Applications Forum.

...Next, find one or more good tools to keep malware off your system. Anti-virus tools, preferably more than one, are needed. A good personal firewall is often used. Some tools can be found at the SpamCop Suggested Tools and Applications Forum. In some cases, the tools to prevent malware are the same tools as clean malware, the subject of my last paragraph above.

...When you've assembled the needed tools, install them on the computer you normally use. If it does not appear that these tools resolve the problem, I think you have three alternative courses of action (others might be able to come up with others): get professional help to clean your computer, thoroughly clean your hard drives (remove all files and remnants -- merely deleting files leaves remnants, so that is not sufficient) or trash that computer and acquire a new one. It is not safe to copy anything from the computer you are currently using, as you might copy whatever it is that is causing your problem.

...Good luck!