Virus has beaten me

4ycr

Well-Known Member
Reaction score
131
Location
West Lothian, Scotland
I need help with this one.

A business client has a computer on which he keeps getting return messages (bounces) in his email. The links in them are to adult sites, and none of the addresses are in his address book, just generic Yahoo email addresses.

I have looked in the usual places (All Users, system32\drivers, etc.) but none have any unusual file or folder names.

I have scanned with
AVG (was installed on pc)
TDSSKiller
hitman pro
Vipre
malwarebytes
as well as bitdefender rescue cd.

Everything came up clean except for cookies.

I don't know wireshark well enough to sniff for smtp, I tried using their online help but got errors.

Anyone any ideas?

OS win7 pro with AVG IS
 
If no other issues....sounds like e-mail hacked.
Did he try changing passwords?
Also change any secret question answers and other security related items.

I've seen a lot of these lately.
 
it is a business email account that they are being sent through. I have been told it is only on this computer and I don't think it will have been hacked.
 
it is a business email account that they are being sent through. I have been told it is only on this computer and I don't think it will have been hacked.

Hi,

Any e-mail can be "hacked" (compromised)

Check the e-mail header and see where it is coming from or has been.

Use the link I've provided.

May be someone internal, ex-employee, etc.
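The header check suggested above, as an added example that is not part of the thread: a small Python script that walks the Received headers of a constructed sample message (hostnames and addresses are made up) from the earliest hop to the latest, pulling out the relaying host, its IP and whether the hop was an authenticated submission (ESMTPA/ESMTPSA). Comparing the earliest hop's IP with the client's own connection is what separates an account whose credentials were used from somewhere else from a machine that is sending the mail itself.

```python
import re
from email import message_from_string

# Constructed sample (hostnames and IPs are made up, RFC 5737 documentation ranges).
# Each relay prepends its own Received header, so the first one is the most
# recent hop and the last one is the earliest.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.com with ESMTP id abc123; Tue, 05 Mar 2013 10:15:02 +0000
Received: from webmail.example.org ([198.51.100.23])
    by mx.example.net with ESMTPA id def456; Tue, 05 Mar 2013 10:14:58 +0000
From: user@example.org
To: victim@example.com
Subject: constructed sample
Date: Tue, 05 Mar 2013 10:14:50 +0000

(body omitted)
"""

# Received clause shape: "from <helo> (<reverse-dns> [<ip>]) by <server> with <protocol> ..."
HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?by\s+(?P<by>\S+)(?:\s+with\s+(?P<proto>\S+))?", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received hops in chronological order (earliest first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        ip = IP_RE.search(hdr)
        proto = (m.group("proto") or "") if m else ""
        hops.append({
            "from": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            # ESMTPA / ESMTPSA: the submitting client logged in with the account's credentials
            "authenticated": proto.upper() in ("ESMTPA", "ESMTPSA"),
        })
    return hops


def origin_hop(raw):
    """The earliest hop, i.e. where the message entered the mail system."""
    chain = received_chain(raw)
    return chain[0] if chain else None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(i, hop)
    print("origin:", origin_hop(SAMPLE_MESSAGE))
```

Only the hop added by a server you trust is reliable; a sender can forge the Received headers below it, so read the chain from the top down until you reach the first header written by your own provider.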
 
and I don't think it will have been hacked.

Assumption is the mother of all &%*($£ ups. My first gut feeling from your post was that the email has been hacked, and it will take all of two seconds to change the login details etc. I've dismissed things before because I've assumed it wasn't and found out many hours later that it was. If the fix for the possible cause is a quick one like this, it's really not worth NOT doing it.

If you want to rule out the machine, just nuke and pave to make sure; if they have the backups then it's quicker than trying to find some elusive virus. But I'd change the email password first and see how you go. IMO.
 
Maybe his email address just got out and is being spammed by porn companies.

Or maybe I don't exactly get the question.

Look up his email address in Google; if you can find it, then it's his email address that got out.
 
I have little experience with Bitdefender; I'd recommend running an offline scan either from a boot cd or slaving the drive. My personal favourites are kaspersky and sophos.
 
See my other thread from a day or two ago...we've seen a TON of Yapoo accounts busted into and spamming away junk.....in just the past week or so. Including only people that use it via browser (web based)...and including a good friend of mine that is a Cisco engineer that does work for the military (so he is a security nut)...and he only runs home-spun linux distros.....so it's not getting infected from the workstation side.

I would not waste another minute of your time trying to scan his computer and find stuff...Yahoo accounts are getting busted from the inside. As they have been for years. yet another reason to not use freebie e-mail like that for business!
 
I need help with this one.

A business client has a computer on which he keeps getting return messages (bounces) in his email. The links in them are to adult sites, and none of the addresses are in his address book, just generic Yahoo email addresses.

I have looked in the usual places (All Users, system32\drivers, etc.) but none have any unusual file or folder names.

I have scanned with
AVG (was installed on pc)
TDSSKiller
hitman pro
Vipre
malwarebytes
as well as bitdefender rescue cd.

Everything came up clean except for cookies.

I don't know wireshark well enough to sniff for smtp, I tried using their online help but got errors.

Anyone any ideas?

OS win7 pro with AVG IS

Be careful working on "Business" machines.
All machines in fact.
When you don't know what is causing issues.
BACKUP, BACKUP, BACKUP.
Most stuff will be stored on their server, but A LOT of employees keep local copies on their hard drive in some pretty weird places.

Go with the simple stuff first.
E-mail compromised
Change password
Change security questions, etc.
 
If you want to rule out the machine just nuke and pave to make sure, if they have the backups then it's quicker than trying to find some elusive virus.

Pretty drastic if you ask me. What do you tell the customer if the N&P didn't fix it? I think they will figure out real quick that the N&P was a big waste of money and their time, since now they have to reload everything.
 
Pretty drastic if you ask me. What do you tell the customer if the N&P didn't fix it? I think they will figure out real quick that the N&P was a big waste of money and their time, since now they have to reload everything.

OP has run his scans and found nothing. I suggested changing the email settings first, but if that doesn't work, do you want to spend several days chasing a virus you can't find, or do you want to spend half a day reloading the OS and then restoring from your backup?

I'm not saying it's not drastic but with business clients time is money and I know my business clients don't want to lose their system for X days whilst I try to find a virus which isn't showing up on the normal detection routines. Drastic Yes. But guaranteed fix if the previous steps didn't fix it, also yes.
 
But guaranteed fix if the previous steps didn't fix it, also yes.

Not if there was an outside reason for the spams. I've seen people do an N&P and the problem comes back as something goofy and then the customer says "Wait a second.... why did we have to ....."
 
Thanks for the link. It was hacked.

It never even occurred to me that it would have been hacked, I thought they only went after public email accounts and not business ones.

Again many thanks for your help.
 
Thanks for the link. It was hacked.

It never even occurred to me that it would have been hacked, I thought they only went after public email accounts and not business ones.

Again many thanks for your help.

You're quite welcome.

I've used that link on many suspicious e-mails.....got some pretty surprising results.
 