Tech Support

1794


Date: October 17, 2011 at 18:07:58
From: MCYoung/Tx, [DNS_Address]
Subject: I've Been Hacked and Need Help


Please be aware my e-mail has been hacked/infected or something and I'm in the process of trying to fix it.
If you get any e-mails from me that do NOT have my usual name in the header then do NOT open!!!!

Another thing: it appears this virus or whatever it is has hijacked every single address in my e-mail account
and is sending out massive spams to others using my addy and also those in my e-mail list...meaning
if you are infected then I suspect all your contacts are infected too.
This is what has happened with me.
So far I've not found a solution.

Any ideas? This is a veritable mess!

Have changed password but it's still happening.
I'm still receiving these e-mails from most everyone in my address list.
Not all though so hoping some of you caught the evil little thing at the pass!

I viewed SOURCE on these emails and am putting that info below.

None of it makes sense to me but may to you.
mc

Here is a Delivery Fail warning I got on a few along with an attached zip file which I did not try to open.

This is an automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipients has been delayed. mailer-daemon@kingdom.mybest-host.com


--Forwarded Message Attachment--
From:xxxxxxxxxxxxxxxx
Subject: hello
Date: Mon, 17 Oct 2011 07:34:20 -0500

hello
my friend
i just order an iphone4 from this company

good price and quality !
thoudans of products
sure you will like

VIEW SOURCE INFO:

x-store-info:SmXCjkY1Un5L3qlTmewTw69gy3Wq4YV3UGIZQSv35NKupCYaQ0jzM2kb4nrAYE1pDTjB/Mi8UAJCVzktxBFj1X3g4hMkag+bt1agMsiExliS3t8FhXwS92aD2edsMtmN
Authentication-Results: hotmail.com; sender-id=pass (sender IP is 207.251.201.57) header.from=tombstone68@localnet.com; dkim=neutral header.d=localnet.com; x-hmca=pass
X-Message-Status: n:0:n
X-SID-PRA: tombstone68
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MDtTQ0w9MA==
X-Message-Info: JGTYoYF78jEHjJx36Oi8+RoUWASv9Psf04i/4vDTdSCYdN/AMK5dzZ0Y9loAPMY280l7rrj4h40mvxuPbBFZLGU+c7ap8QF+bw9jucb+1aNHF6zoHGZyHAVJneYdcmDLMN4hK4n3FUs=
Received: from out-relay1.hw.buf.ny.localnet.com ([207.251.201.57]) by col0-mc3-f14.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 17 Oct 2011 15:08:55 -0700
Received: by out-relay1.hw.buf.ny.localnet.com (Postfix, from userid 30001)
id C3210392024; Mon, 17 Oct 2011 18:08:54 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on out-relay1.hw.buf.ny
Received: from out-gateway1.hw.buf.ny.localnet.com (lb-lpbk-vl204-254.buf-hw.ny.localnet.com [10.30.204.254])
by out-relay1.hw.buf.ny.localnet.com (Postfix) with ESMTP id 65D75392003
for ; Mon, 17 Oct 2011 18:08:54 -0400 (EDT)
Received: from hugh5c13ad5f2c (206.173.25.154.ptr.us.xo.net [206.173.25.154])
by out-gateway1.hw.buf.ny.localnet.com (Postfix) with SMTP id 062177FCA
for ; Mon, 17 Oct 2011 18:08:52 -0400 (EDT)
Message-ID: <00243667958E4210AA8DF9B118704065@hugh5c13ad5f2c>
From: "tombstone68"
To: "M.C. Young"
References:
Subject: Re: hello
Date: Mon, 17 Oct 2011 15:08:49 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0009_01CC8CDE.AC9E5DF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=localnet.com;
s=localnet; t=1318889334;
bh=yvYdWDLXpxIJ+18BOrcwyTlOdSOw/VGtKTtPC+s3TLY=;
h=Message-ID:From:To:References:Subject:Date:MIME-Version:
Content-Type;
b=Fp+ATlT7ptb8fWQyS9FP1juY3vJBDT1mPmi0X5jM4AO47VhDxFCvZscDyPJ85eJMK
N46q+Xgsl3ZRpGBJl6LO2BOZtjQyvNGkxm/KejP8sfRan4SE0/oIbSRGyuMxS+PqUd
rTQiXoLXEX6pcJCj1qT9rbGAg45k2HDV1YHblv/E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=localnet.com;
s=localnet; t=1318889334;
bh=yvYdWDLXpxIJ+18BOrcwyTlOdSOw/VGtKTtPC+s3TLY=;
h=Message-ID:From:To:References:Subject:Date:MIME-Version:
Content-Type;
b=Fp+ATlT7ptb8fWQyS9FP1juY3vJBDT1mPmi0X5jM4AO47VhDxFCvZscDyPJ85eJMK
N46q+Xgsl3ZRpGBJl6LO2BOZtjQyvNGkxm/KejP8sfRan4SE0/oIbSRGyuMxS+PqUd
rTQiXoLXEX6pcJCj1qT9rbGAg45k2HDV1YHblv/E=
Return-Path: tombstone68@localnet.com
X-OriginalArrivalTime: 17 Oct 2011 22:08:55.0270 (UTC) FILETIME=[5C832860:01CC8D19]

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01CC8CDE.AC9E5DF0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

unfortunately, right now I need a monitor badly, motherboard, cpu, =
memory...thanx 4 the tip, will check out the website,,,Hugh
----- Original Message -----=20
From: M.C. Young=20
To: undisclosed-recipients:=20
Sent: Monday, October 17, 2011 5:34 AM
Subject: hello


hello=20
my friend=20
i just order an iphone4 from this company=20
=20
good price and quality !=20
thoudans of products
sure you will like
------=_NextPart_000_0009_01CC8CDE.AC9E5DF0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Responses:
[1808] [1814] [1811] [1806] [1807] [1809] [1810] [1812] [1813] [1816] [1817] [1805] [1815] [1803] [1798] [1801] [1797] [1799] [1795] [1802] [1800] [1796]


1808


Date: October 19, 2011 at 19:17:08
From: roy,Chesbay, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


I could have written your msg about my travails.
First step I did was notify everyone on my email list (who all had been sent similar e-mails) that I'd been hacked...also giving them a rough example of what they might see...and warning to NOT open it.
My puter got slower and slower and I tried everything I knew to do.
Then I took it to pros.
They found that my anti-virus had expired per contract 2 months before without notification to me.
The pros cleaned out the virus and also added the highest quality reasonable cost anti-virus---Kaspersky Anti-Virus 2011.
Generally my puter now runs about twice as fast as before it started to slow down.
I pray everything good for you.


Responses:
[1814] [1811]


1814


Date: October 21, 2011 at 07:48:18
From: Sherry, [DNS_Address]
Subject: Go in and dump all cookies and history......


My husband had e-mail spam going out from his account, we dumped all cookies (even excepted ones) and history. The emails get in through cookies. Once you eliminate them the emails usually stop. Also make sure that your contacts are clean and no unusual contact has been added.


Responses:
None


1811


Date: October 19, 2011 at 23:53:25
From: MCYoung/Tx, [DNS_Address]
Subject: Roy...is there a link to find this Kaspersky Anti-Virus 2011?(NT)


(NT)


Responses:
None


1806


Date: October 18, 2011 at 23:49:17
From: freemind, [DNS_Address]
Subject: Two of mine have been too!


I viewed the recent log in activity,

Someone in the Philippines has been really busy with one so I have changed the password.

The other has had log ins from Washington D.C., Texas and Nevada in the last 2 days! Password has been changed to something really complex on that one now!

I will keep you posted on any other activity.

I strongly suggest that you change your password MC.


Responses:
[1807] [1809] [1810] [1812] [1813] [1816] [1817]


1807


Date: October 19, 2011 at 13:59:59
From: MCYoung/Tx, [DNS_Address]
Subject: Walter..Re: Two of mine have been too!


Thanks, I did...changed all pws.

I'm still attempting to find the source but nothing yet and what is odd is all antivirus/malware products are not picking this one up. The email security is picking up attempts to send more emails in my name though, several more today. However, these are failing since I changed passwords.


Responses:
[1809] [1810] [1812] [1813] [1816] [1817]


1809


Date: October 19, 2011 at 20:05:12
From: freemind, [DNS_Address]
Subject: Re: Walter..Re: Two of mine have been too!


It is the damnedest thing MC. I first started getting this spam from my daughter's email.

Nothing picks it up.


Responses:
[1810] [1812] [1813] [1816] [1817]


1810


Date: October 19, 2011 at 23:50:26
From: MCYoung/Tx, [DNS_Address]
Subject: Re: Walter..Re: Two of mine have been too!


Yeah I've run scan after scan and nada.

So I just finished dumping nearly all my files and all my e-mail contacts deleted and unsubscribed to all newsletters/feeds. Haven't received any new messages since changing my pw but I'm still receiving the fail messages so this evil little entity is still sending in my name.


Responses:
[1812] [1813] [1816] [1817]


1812


Date: October 20, 2011 at 10:08:53
From: Skywise, [DNS_Address]
Subject: Re: Walter..Re: Two of mine have been too!


It's sounding more and more like the problem is NOT on your computer. Someone somewhere else is sending out these emails and simply using your address as the sender name. So, when the emails bounce, they are returned to you.

Brian


Responses:
[1813] [1816] [1817]


1813


Date: October 20, 2011 at 21:46:55
From: MCYoung/Tx, [DNS_Address]
Subject: Skywise.....Re: Two of mine have been too!


Hmmm...you could be right. Hoping the change in pw solves this...so far no bounces since my previous post. Thank you.


Responses:
[1816] [1817]


1816


Date: October 22, 2011 at 09:02:41
From: Puget Sounder, [DNS_Address]
Subject: Re: Skywise.....Re: Two of mine have been too!


Just ran in to the same problem this morning on Always Off Line. Had to change passwords as well.


Responses:
[1817]


1817


Date: October 22, 2011 at 10:52:12
From: Guy, [DNS_Address]
Subject: Re: Create a password that is NOT in a dictionary!


To find out why you need a decent, hard-to-break password, Google "Hotmail dictionary attack".

When creating a password, create the password using the below rules, making the password more secure.

Do not use a password that you have used in the past.
Try to change the password at least every 3-6 months.
Create a password that is at least six characters long.
Create a password with both digits and letters.
Do not create a password with a family name or family pet.
Do not create a password that is your phone number, house number, apt number, etc.
Create a password that is not in a dictionary.
Create passwords with spaces in them (if allowed).


Responses:
None


1805


Date: October 18, 2011 at 19:28:30
From: anonymous, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


What may help is to use CCleaner. After use, also click on the blue registry icon to the left and let it scan for problems, then fix all. Hopefully, this will catch a lot of stuff left on your computer and make further action unnecessary. The program is available in a free version.

All this spam is annoying. Makes you think that Snail Mail is actually more secure than anything else. Good Luck and best regards.


Responses:
[1815]


1815


Date: October 21, 2011 at 07:50:34
From: Sherry, [DNS_Address]
Subject: ccleaner is great, I use it regularly, but it won't get rid of ....


accepted cookies. You must check to make sure all accepted cookies are removed. You can then add your facebook, etc cookies back later.


Responses:
None


1803


Date: October 18, 2011 at 12:18:52
From: Geeksquad, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


Hi MC,

RE: (sender IP is 207.251.201.57)

GOTO www.easywhois.com and enter the number above resulting in:


207.251.201.57 whois record

207.251.201.57 may be AVAILABLE for registration!
Register it now for $11 »

#
# Query terms are ambiguous. The query is assumed to be:
# "n 207.251.201.57"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=207.251.201.57?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 207.251.192.0 - 207.251.239.255
CIDR: 207.251.224.0/20, 207.251.192.0/19
OriginAS:
NetName: LOCALNETBLK1
NetHandle: NET-207-251-192-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-04-16
Updated: 2005-03-28
Ref: http://whois.arin.net/rest/net/NET-207-251-192-0-1

OrgName: LocalNet Corporation
OrgId: LCNT
Address: 325 Hampton Hill Drive
City: Williamsville
StateProv: NY
PostalCode: 14221
Country: US
RegDate: 1999-04-16
Updated: 2008-10-04
Ref: http://whois.arin.net/rest/org/LCNT

OrgAbuseHandle: ABUSE566-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-488-7266
OrgAbuseEmail: email address guarded from harvesters
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE566-ARIN

OrgTechHandle: ZL44-ARIN
OrgTechName: IP Administrator
OrgTechPhone: +1-716-632-1133
OrgTechEmail: email address guarded from harvesters
OrgTechRef: http://whois.arin.net/rest/poc/ZL44-ARIN

RTechHandle: ZL44-ARIN
RTechName: IP Administrator
RTechPhone: +1-716-632-1133
RTechEmail: email address guarded from harvesters
RTechRef: http://whois.arin.net/rest/poc/ZL44-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

You can call or email the whole thing with email headers showing to their abuse address to get them to stomp further emails maybe.

Also you may try some online scans by other AV software to see if it can detect what your AV is missing. You may have to disable your AV to do this scan (keep fingers crossed that you don't pick up any viruses too - depending on the source website). Lots of AV software catches some but not other worms/viruses.

What AV are you using anyway?

You may also wish to email CERT and USCERT giving them the entire email with headers. This could allow quicker study and resolution of this type of virus or worm. All the AV companies stay tuned into them to quickly detect and solve virus type problems still on the loose.

(You may have a root tool kit install on your puter not detected by some AV software packages.)

You may also try and consider reinstalling your operating system files only (and leave data intact) to possibly restore possibly infected system files.

This op. may risk losing your data files though so you should back up first.

Another idea is to take your hard drive and have it installed on another computer where it runs a different virus checker software to see if it spots anything (done at a computer repair shop).

Another option is buy a brand new hard drive and reinstall your operating system after backing up your data files. What ever bug you caught would then get wiped off.

Check again for it after transferring your data files onto the new drive. This risks reinfection though.

If you use a proxy beware that some are set up by hackers and they will zombify your puter fast and possibly land you in jail if they put illegal content on your puter and turn it into a server. All the more reason to think about doing the new hard drive option to preempt any such scenario.

One last thing you can do is post all websites you've visited in the last 2-4 days or just prior to the time the bad emails started. Other brave souls can go visit these websites to see which one if any may have installed what type of virus on your puter (assuming their AV software is up to the job.) Then they could report back any findings on the exact virus type doing the infection.

Have fun and good luck.


Responses:
None
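
As an added example (not from anyone in this thread), here is a Python script that reads the Received: chain and the Authentication-Results line from the source MC pasted in the first post (re-indented so a parser can unfold them) and shows that sender-id=pass vouches only for localnet's outbound relay, 207.251.201.57, while the host that actually injected the message was 206.173.25.154. Note that the pasted source is Hugh's reply to the spam, so this traces Hugh's mailer rather than the spammer; the same walk over the headers of the original "hello" message is what belongs in a report to the abuse contact.

```python
import re
from email import message_from_string

# Constructed sample: the Received/Authentication-Results headers MC pasted above
# (the reply from tombstone68), with continuation lines re-indented so they unfold.
SAMPLE_HEADERS = """\
Authentication-Results: hotmail.com; sender-id=pass (sender IP is 207.251.201.57)
\theader.from=tombstone68@localnet.com; dkim=neutral header.d=localnet.com
Received: from out-relay1.hw.buf.ny.localnet.com ([207.251.201.57])
\tby col0-mc3-f14.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
\tMon, 17 Oct 2011 15:08:55 -0700
Received: by out-relay1.hw.buf.ny.localnet.com (Postfix, from userid 30001)
\tid C3210392024; Mon, 17 Oct 2011 18:08:54 -0400 (EDT)
Received: from out-gateway1.hw.buf.ny.localnet.com (lb-lpbk-vl204-254.buf-hw.ny.localnet.com [10.30.204.254])
\tby out-relay1.hw.buf.ny.localnet.com (Postfix) with ESMTP id 65D75392003
\tfor ; Mon, 17 Oct 2011 18:08:54 -0400 (EDT)
Received: from hugh5c13ad5f2c (206.173.25.154.ptr.us.xo.net [206.173.25.154])
\tby out-gateway1.hw.buf.ny.localnet.com (Postfix) with SMTP id 062177FCA
\tfor ; Mon, 17 Oct 2011 18:08:52 -0400 (EDT)
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges

def received_hops(raw_headers):
    """Received: chain oldest-first as (helo_name, socket_ip, receiving_host). MTAs
    prepend Received:, so the bottom line is the first hop; only the bracketed IP
    (logged by the receiving MTA from the TCP connection) is trustworthy."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_ip = re.search(r"\[(" + IPV4 + r")\]", m_from.group(2) or "") if m_from else None
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops[::-1]

def origin_of(raw_headers):
    """Earliest hop with a public socket IP: the host that injected the message."""
    for helo, ip, by in received_hops(raw_headers):
        if ip and not PRIVATE.match(ip):
            return helo, ip, by
    return None, None, None

def summarize(raw_headers=SAMPLE_HEADERS):
    """Contrast the IP the receiver's sender-id check vouched for with the true origin."""
    ar = " ".join((message_from_string(raw_headers).get("Authentication-Results") or "").split())
    m = re.search(r"sender-id=(\w+) \(sender IP is (" + IPV4 + r")\)", ar)
    verdict, checked_ip = (m.group(1), m.group(2)) if m else (None, None)
    helo, origin_ip, first_mta = origin_of(raw_headers)
    return {"sender_id": verdict, "checked_ip": checked_ip, "origin_ip": origin_ip,
            "origin_helo": helo, "first_mta": first_mta,
            "pass_covers_origin": checked_ip == origin_ip}
```

The HELO name in the first hop (hugh5c13ad5f2c) is whatever the sending machine announced and can be anything; the bracketed IP next to it is the value worth quoting when reporting to the relay's abuse address.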


1798


Date: October 17, 2011 at 20:53:09
From: unimportant in Mo, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help

URL: http://network-tools.com/


go here, plug in the strings of numbers... example..

207.251.201.57 the program will tell you where that addy is at..

plug in the other addys out-gateway1.hw.buf.ny.localnet.com see where THEY are at as well.
perhaps you can find the source..


Responses:
[1801]


1801


Date: October 18, 2011 at 00:11:12
From: MCYoung/Tx, [DNS_Address]
Subject: Thanks...Re: I've Been Hacked and Need Help


Will give it a try


Responses:
None


1797


Date: October 17, 2011 at 20:38:24
From: Skywise, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


I took a glance through those headers and I have a question...

Are all that you are receiving are the bounce messages?

Brian


Responses:
[1799]


1799


Date: October 18, 2011 at 00:07:37
From: MCYoung/Tx, [DNS_Address]
Subject: skywiseRe: I've Been Hacked and Need Help


No...I'm receiving that iPhone message as if it were from folks on my contact list...also since I posted about it many are responding they got the same from me.

All my scans come up with nothing.


Responses:
None


1795


Date: October 17, 2011 at 18:47:45
From: Karin in . E. OR, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


I got one of them :( It said something about ordering an iPhone, Hello in the subject line


Responses:
[1802] [1800] [1796]


1802


Date: October 18, 2011 at 10:04:56
From: RIG, [DNS_Address]
Subject: Re: Me to...


Yup... I received one as well...


Responses:
None


1800


Date: October 18, 2011 at 00:09:40
From: MCYoung/Tx, [DNS_Address]
Subject: Mae and Karin..Re: I've Been Hacked and Need Help


Yep that's the one...evil little entity...grrrrrr


Responses:
None


1796


Date: October 17, 2011 at 20:17:50
From: Mae, [DNS_Address]
Subject: Re: I've Been Hacked and Need Help


Ditto here, I figured it was not from MC or any reputable company as several words were not spelled correctly.


Responses:
None



Generated by: TalkRec 1.17
    Last Updated: 30-Aug-2013 14:32:46, 80837 Bytes
    Author: Brian Steele