
Help identifying virus

Discussion in 'Windows XP' started by HeyBub, Feb 8, 2010.

  1. HeyBub

    HeyBub Flightless Bird

    I get an email. Almost instantly another email "arrives" with the same
    subject but containing the following text:

    --- begin quote
    Hello

    How are you doing recently?

    I would like to introduce you a very good company which i knew. Their

    website is www.ebakm.com They can offer

    you all kinds of electronical products which you need,like Laptops ,GPS ,TV
    LCD,Cell Phones,PS3,MP3/4,Watch etc........

    Please take some time to have a check ,there must be something you 'd like
    to purchase .

    Hope you have a good mood in shopping from their company !

    Best Regards!!!

    --- end quote



    I suspect it's a virus existing locally because the headers make no sense
    and SpamCop agrees that the header is incomplete/missing.



    Resident Avast has never complained and online scanning by both McAfee and
    another found nothing.



    It's a mystery.



    Thanks for your help.
     
  2. David H. Lipman

    David H. Lipman Flightless Bird

    From: "HeyBub" <heybub@gmail.com>

    | I get an email. Almost instantly another email "arrives" with the same
    | subject but containing the following text:

    | --- begin quote
    | Hello

    | How are you doing recently?

    | I would like to introduce you a very good company which i knew. Their

    | website is www.ebakm.com They can offer

    | you all kinds of electronical products which you need,like Laptops ,GPS ,TV
    | LCD,Cell Phones,PS3,MP3/4,Watch etc........

    | Please take some time to have a check ,there must be something you 'd like
    | to purchase .

    | Hope you have a good mood in shopping from their company !

    | Best Regards!!!

    | --- end quote



    | I suspect it's a virus existing locally because the headers make no sense
    | and SpamCop agrees that the header is incomplete/missing.
    | Resident Avast has never complained and online scanning by both McAfee and
    | another found nothing.

    | It's a mystery.
    | Thanks for your help.


    It's spam.

    Either post the headers (obfuscating personal information) or just delete it and forget
    about it.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
  3. HeyBub

    HeyBub Flightless Bird

    David H. Lipman wrote:
    > From: "HeyBub" <heybub@gmail.com>
    >
    >> I get an email. Almost instantly another email "arrives" with the
    >> same subject but containing the following text:

    >
    >> --- begin quote
    >> Hello

    >
    >> How are you doing recently?

    >
    >> I would like to introduce you a very good company which i knew. Their

    >
    >> website is www.ebakm.com They can offer

    >
    >> you all kinds of electronical products which you need,like Laptops
    >> ,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........

    >
    >> Please take some time to have a check ,there must be something you
    >> 'd like to purchase .

    >
    >> Hope you have a good mood in shopping from their company !

    >
    >> Best Regards!!!

    >
    >> --- end quote

    >
    >
    >
    >> I suspect it's a virus existing locally because the headers make no
    >> sense and SpamCop agrees that the header is incomplete/missing.
    >> Resident Avast has never complained and online scanning by both
    >> McAfee and another found nothing.

    >
    >> It's a mystery.
    >> Thanks for your help.

    >
    >
    > It's spam.
    >
    > Either post the headers (obfuscating personal information) or just
    > delete it and forget about it.


    Of course it's spam, but not really inasmuch as it wasn't sent as an email.
    To restate the circumstances of its appearance:

    I get an email from a known source, then, almost instantly, another email
    "arrives" with exactly the same subject line as the righteous email but
    containing the aforementioned text as the body.

    The headers (probably) won't help. Here is a complete header, for what it's
    worth:

    --- begin "header"
    Date: Mon, 8 Feb 2010 07:46:57 -0800
    From: "(xxxxxx)" <(my name)>
    To: campaign@proflowers.com
    Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
    Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit
    Content-Disposition: inline
    Precedence: bulk
    X-Autoreply: yes
    --- end header

    I get one of these on about half the legit emails. So far I haven't
    established a pattern.
     
  4. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Create a Message Rule that will automatically move such messages to Deleted
    Items folder and mark it as Read. Then delete the message(s) without opening
    them (of course).

    Message Rules Tips
    http://www.insideoe.com/tips/rules.htm

    Why doesn't my rule work?
    http://www.insideoe.com/faqs/why.htm#rules

    HeyBub wrote:
    > I get an email. Almost instantly another email "arrives" with the same
    > subject but containing the following text:
    >
    > --- begin quote
    > Hello
    >
    > How are you doing recently?
    >
    > I would like to introduce you a very good company which i knew. Their
    >
    > website is www.ebakm.com They can offer
    >
    > you all kinds of electronical products which you need,like Laptops ,GPS
    > ,TV
    > LCD,Cell Phones,PS3,MP3/4,Watch etc........
    >
    > Please take some time to have a check ,there must be something you 'd like
    > to purchase .
    >
    > Hope you have a good mood in shopping from their company !
    >
    > Best Regards!!!
    >
    > --- end quote
    >
    >
    >
    > I suspect it's a virus existing locally because the headers make no sense
    > and SpamCop agrees that the header is incomplete/missing.
    >
    >
    >
    > Resident Avast has never complained and online scanning by both McAfee
    > and
    > another found nothing.
    >
    >
    >
    > It's a mystery.
    >
    >
    >
    > Thanks for your help.
     
  5. HeyBub

    HeyBub Flightless Bird

    PA Bear [MS MVP] wrote:
    > Create a Message Rule that will automatically move such messages to
    > Deleted Items folder and mark it as Read. Then delete the message(s)
    > without opening them (of course).
    >
    > Message Rules Tips
    > http://www.insideoe.com/tips/rules.htm
    >
    > Why doesn't my rule work?
    > http://www.insideoe.com/faqs/why.htm#rules
    >


    Thanks for the advice. I can already get rid of them. My question is not
    what to do with these oddball messages when they "arrive," but what causes
    them in the first place.
     
  6. 20100209

    20100209 Flightless Bird

    It is definitely a spam as David Lippy has authoritatively stated. I
    shall add that these spammers always send out probes to see if the
    account exists. The messages are generally blank or with nothing in it.

    The best thing is to open it (no as pig-bear says not to open it) with a
    view to finding out their tricks, which changes almost daily. What you
    mustn't do, however, is to reply to them or even to complain to their
    ISP because some ISPs are so stupid that they send the entire message of
    complaints (including your headers and email address) to the spammer and
    this ensures they know you exist and you get more spams.

    hth




    HeyBub wrote:
    >
    > I get an email. Almost instantly another email "arrives" with the same
    > subject but containing the following text:
    >
    > --- begin quote
    > Hello
    >
    > How are you doing recently?
    >
    > I would like to introduce you a very good company which i knew. Their
    >
    > website is www.ebakm.com They can offer
    >
    > you all kinds of electronical products which you need,like Laptops ,GPS ,TV
    > LCD,Cell Phones,PS3,MP3/4,Watch etc........
    >
    > Please take some time to have a check ,there must be something you 'd like
    > to purchase .
    >
    > Hope you have a good mood in shopping from their company !
    >
    > Best Regards!!!
    >
    > --- end quote
    >
    > I suspect it's a virus existing locally because the headers make no sense
    > and SpamCop agrees that the header is incomplete/missing.
    >
    > Resident Avast has never complained and online scanning by both McAfee and
    > another found nothing.
    >
    > It's a mystery.
    >
    > Thanks for your help.
     
  7. Shenan Stanley

    Shenan Stanley Flightless Bird

    HeyBub wrote:
    > I get an email. Almost instantly another email "arrives" with the
    > same subject but containing the following text:
    >
    > --- begin quote
    > Hello
    >
    > How are you doing recently?
    >
    > I would like to introduce you a very good company which i knew.
    > Their website is www.ebakm.com They can offer
    > you all kinds of electronical products which you need,like Laptops
    > ,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........
    >
    > Please take some time to have a check ,there must be something
    > you'd like to purchase .
    >
    > Hope you have a good mood in shopping from their company !
    > Best Regards!!!
    > --- end quote
    >
    > I suspect it's a virus existing locally because the headers make no
    > sense and SpamCop agrees that the header is incomplete/missing.
    >
    > Resident Avast has never complained and online scanning by both
    > McAfee and another found nothing.
    >
    > It's a mystery.
    >
    > Thanks for your help.


    <brought in from another part of the conversation>
    HeyBub wrote:
    > I get an email from a known source, then, almost instantly, another
    > email "arrives" with exactly the same subject line as the righteous
    > email but containing the aforementioned text as the body.
    >
    > The headers (probably) won't help. Here is a complete header, for
    > what it's worth:
    >
    > --- begin "header"
    > Date: Mon, 8 Feb 2010 07:46:57 -0800
    > From: "(xxxxxx)" <(my name)>
    > To: campaign@proflowers.com
    > Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
    > Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
    > MIME-Version: 1.0
    > Content-Type: text/plain; charset=ISO-8859-1
    > Content-Transfer-Encoding: 7bit
    > Content-Disposition: inline
    > Precedence: bulk
    > X-Autoreply: yes
    > --- end header
    >
    > I get one of these on about half the legit emails. So far I haven't
    > established a pattern.

    </brought in from another part of the conversation>

    PA Bear [MS MVP] wrote:
    > Create a Message Rule that will automatically move such messages to
    > Deleted Items folder and mark it as Read. Then delete the
    > message(s) without opening them (of course).
    >
    > Message Rules Tips
    > http://www.insideoe.com/tips/rules.htm
    >
    > Why doesn't my rule work?
    > http://www.insideoe.com/faqs/why.htm#rules


    HeyBub wrote:
    > Thanks for the advice. I can already get rid of them. My question
    > is not what to do with these oddball messages when they "arrive,"
    > but what causes them in the first place.


    You have an Internet email address and actively receive email. Welcome to
    the wonderful world of email.

    What I would do is compare the valid full email header with the header of
    the obvious spam message that follows and see where their pathing differs.

    It is entirely plausible your system has a trojan/virus, your email provider
    has one, the people sending the email have one or someone is doing an
    excellent job sniffing a network somewhere down the line and putting in
    words/phrases they can reproduce with a bot and emailing you.

    Then again - you might be seeing something (a pattern) where none exists.
    That's human nature.

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
     
  8. 20100208

    20100208 Flightless Bird

    Shenan Stanley wrote:

    >It is entirely plausible your system has a trojan/virus,
    >


    Hey Antipodean,

    How did you work this out? A trojan can perform the following operations:

    * Use of the machine as part of a botnet (i.e. to perform spamming or to
    perform Distributed Denial-of-service (DDoS) attacks)
    * Data theft (e.g. passwords, credit card information, etc.)
    * Installation of software (including other malware)
    * Downloading or uploading of files
    * Modification or deletion of files
    * Keystroke logging
    * Viewing the user's screen
    * Wasting computer storage space

    Now HeyBoob has received a completely innocent message offering:

    "you all kinds of electronical products which you need, like Laptops
    ,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........"

    There is no evidence that Heyboob's machine was used as part of a botnet for spamming purposes, nor has any theft taken place, nor has any software been installed or performed any of the operations mentioned above.

    It is completely ridiculous to suggest this without any evidence.

    hth
     
  9. Alex Clark

    Alex Clark Flightless Bird

    HeyBub,

    Apparently everyone else replying to you is either too lazy to read your
    message, or simply doesn't understand what you're saying, so maybe I can
    offer a few pointers.

    Have you actually tried installing antivirus (MBAM, AVG) and running a full
    scan of your system? What email client are you using? If it's Outlook (not
    Express) have you tried checking to see what plugins you have loaded? It
    sounds as though it may be some kind of malware that's installed itself as a
    plugin and is thus duplicating the incoming emails.

    If you are using Outlook, you could try using Outlook Express to receive
    emails to see if the same behaviour is duplicated there. When configuring
    your account options, tell it to leave a copy of the messages on the server
    so that you don't end up with half your emails in one app and the other half
    in the other.

    If the same thing happens in OE, then the malware is either operating at an
    OS level or possibly (but highly unlikely) some sort of hack has occurred on
    your ISP.

    Hope that helps,
    Alex Clark






    "HeyBub" <heybub@gmail.com> wrote in message
    news:eeqjH%23QqKHA.1948@TK2MSFTNGP05.phx.gbl...
    >I get an email. Almost instantly another email "arrives" with the same
    >subject but containing the following text:
    >
    > --- begin quote
    > Hello
    >
    > How are you doing recently?
    >
    > I would like to introduce you a very good company which i knew. Their
    >
    > website is www.ebakm.com They can offer
    >
    > you all kinds of electronical products which you need,like Laptops ,GPS
    > ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........
    >
    > Please take some time to have a check ,there must be something you 'd like
    > to purchase .
    >
    > Hope you have a good mood in shopping from their company !
    >
    > Best Regards!!!
    >
    > --- end quote
    >
    >
    >
    > I suspect it's a virus existing locally because the headers make no sense
    > and SpamCop agrees that the header is incomplete/missing.
    >
    >
    >
    > Resident Avast has never complained and online scanning by both McAfee
    > and another found nothing.
    >
    >
    >
    > It's a mystery.
    >
    >
    >
    > Thanks for your help.
    >
    >
     
  10. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Why do I keep getting adverts in my mailbox every week for stores &
    businesses I've never heard of, that are hundreds of miles away from my home
    and that I wouldn't patronize anyway?

    Junk mail, be it snail mail or email, goes straight to the circular file,
    unopened & unread.


    HeyBub wrote:
    > PA Bear [MS MVP] wrote:
    >> Create a Message Rule that will automatically move such messages to
    >> Deleted Items folder and mark it as Read. Then delete the message(s)
    >> without opening them (of course).
    >>
    >> Message Rules Tips
    >> http://www.insideoe.com/tips/rules.htm
    >>
    >> Why doesn't my rule work?
    >> http://www.insideoe.com/faqs/why.htm#rules
    >>

    >
    > Thanks for the advice. I can already get rid of them. My question is not
    > what to do with these oddball messages when they "arrive," but what causes
    > them in the first place.
     
  11. dadiOH

    dadiOH Flightless Bird

    PA Bear [MS MVP] wrote:
    > Why do I keep getting adverts in my mailbox every week for stores &
    > businesses I've never heard of, that are hundreds of miles away from
    > my home and that I wouldn't patronize anyway?


    You're missing his point...

    1. He gets an email from a known source

    2. He then gets SPAM with the *same subject* as the first - the one from the
    known source.

    --

    dadiOH
    ____________________________

    dadiOH's dandies v3.06...
    ....a help file of info about MP3s, recording from
    LP/cassette and tips & tricks on this and that.
    Get it at http://mysite.verizon.net/xico
     
  12. dadiOH

    dadiOH Flightless Bird

    HeyBub wrote:
    > I get an email. Almost instantly another email "arrives" with the same
    > subject but containing the following text:
    >
    > --- begin quote
    > Hello
    >
    > How are you doing recently?


    <snip>

    Is there a pattern vis a vis the first email and the second? For example,
    the SPAM always follows legit mail from a specific person or IP...

    --

    dadiOH
    ____________________________

    dadiOH's dandies v3.06...
    ....a help file of info about MP3s, recording from
    LP/cassette and tips & tricks on this and that.
    Get it at http://mysite.verizon.net/xico
     
  13. HeyBub

    HeyBub Flightless Bird

    Alex Clark wrote:
    > HeyBub,
    >
    > Apparently everyone else replying to you is either too lazy to read
    > your message, or simply doesn't understand what you're saying, so
    > maybe I can offer a few pointers.
    >
    > Have you actually tried installing antivirus (MBAM, AVG) and running
    > a full scan of your system? What email client are you using? If
    > it's Outlook (not Express) have you tried checking to see what
    > plugins you have loaded? It sounds as though it may be some kind of
    > malware that's installed itself as a plugin and is thus duplicating
    > the incoming emails.
    > If you are using Outlook, you could try using Outlook Express to
    > receive emails to see if the same behaviour is duplicated there. When
    > configuring your account options, tell it to leave a copy of the
    > messages on the server so that you don't end up with half your emails
    > in one app and the other half in the other.
    >
    > If the same thing happens in OE, then the malware is either operating
    > at an OS level or possibly (but highly unlikely) some sort of hack
    > has occurred on your ISP.
    >
    > Hope that helps,
    > Alex Clark
    >
    >


    Thanks. The system has been scanned by three different AV tools.

    I'm using Outlook (not express). I've checked the add-ins and see nothing
    remotely suspicious.

    I'll try the Outlook Express trick. Thanks.
     
  14. HeyBub

    HeyBub Flightless Bird

    dadiOH wrote:
    > HeyBub wrote:
    >> I get an email. Almost instantly another email "arrives" with the
    >> same subject but containing the following text:
    >>
    >> --- begin quote
    >> Hello
    >>
    >> How are you doing recently?

    >
    > <snip>
    >
    > Is there a pattern vis a vis the first email and the second? For
    > example, the SPAM always follows legit mail from a specific person or
    > IP...


    No. The message always follows a legit email, but the original sender seems
    to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
    was not actually SENT by a spammer. I think it's being generated internally
    to my computer and stuffed in my in-box.
     
  15. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    It's not from a known source, it's from what looks to be a known source.
    This is called spoofing.

    dadiOH wrote:
    > PA Bear [MS MVP] wrote:
    >> Why do I keep getting adverts in my mailbox every week for stores &
    >> businesses I've never heard of, that are hundreds of miles away from
    >> my home and that I wouldn't patronize anyway?

    >
    > You're missing his point...
    >
    > 1. He gets an email from a known source
    >
    > 2. He then gets SPAM with the *same subject* as the first - the one from
    > the
    > known source.
     
  16. dadiOH

    dadiOH Flightless Bird

    PA Bear [MS MVP] wrote:
    > It's not from a known source, it's from what looks to be a known
    > source. This is called spoofing.


    OP says...
    "I get an email from a known source, then, almost instantly, another email
    "arrives" with exactly the same subject line as the righteous email but
    containing the aforementioned text as the body."

    I took him at his word :)

    dadiOH
    ____________

    > dadiOH wrote:
    >> PA Bear [MS MVP] wrote:
    >>> Why do I keep getting adverts in my mailbox every week for stores &
    >>> businesses I've never heard of, that are hundreds of miles away from
    >>> my home and that I wouldn't patronize anyway?

    >>
    >> You're missing his point...
    >>
    >> 1. He gets an email from a known source
    >>
    >> 2. He then gets SPAM with the *same subject* as the first - the one
    >> from the
    >> known source.
     
  17. Lem

    Lem Flightless Bird

    HeyBub wrote:
    > dadiOH wrote:
    >> HeyBub wrote:
    >>> I get an email. Almost instantly another email "arrives" with the
    >>> same subject but containing the following text:
    >>>
    >>> --- begin quote
    >>> Hello
    >>>
    >>> How are you doing recently?

    >> <snip>
    >>
    >> Is there a pattern vis a vis the first email and the second? For
    >> example, the SPAM always follows legit mail from a specific person or
    >> IP...

    >
    > No. The message always follows a legit email, but the original sender seems
    > to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
    > was not actually SENT by a spammer. I think it's being generated internally
    > to my computer and stuffed in my in-box.
    >
    >


    It might be a bit tedious, but to confirm whether these spurious
    messages are being generated locally or not, check the headers in your
    inbox on your ISP's server without actually downloading anything. That
    way you can see if messages with duplicate subjects are in fact arriving
    at your ISP.

    Some ISPs have a web interface to their POP3 mail. Or you might be able
    to telnet into your inbox. Or use one of the various email removers that
    work in a similar fashion (e.g., http://www.email-remover.com/index.htm)

    --
    Lem

    Apollo 11 - 40 years ago:
    http://www.nasa.gov/mission_pages/apollo/40th/index.html
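
Lem's server-side check and Shenan Stanley's header comparison, combined as an added example (not code from any poster in this thread): it lists headers over POP3 with TOP, so nothing is downloaded or deleted, then pairs each clean message with a later one that reuses its subject. The host name passed to `fetch_headers`, the mailbox owner address and the first sample header are constructed; the second sample is the header block HeyBub posted.

```python
import email
import poplib
import re
from email.utils import getaddresses

# Constructed header for the legitimate message (addresses are placeholders).
LEGIT_HDR = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby pop.example.org with ESMTP id constructed1; Mon, 8 Feb 2010 07:46:50 -0800
Date: Mon, 8 Feb 2010 07:46:49 -0800
From: campaign@proflowers.com
To: user@example.org
Message-ID: <constructed-1@example.net>
Subject: Thank you for your ProFlowers order: xxxxxxxx
"""

# The header block as posted in the thread, redactions left in place.
SUSPECT_HDR = """\
Date: Mon, 8 Feb 2010 07:46:57 -0800
From: "(xxxxxx)" <(my name)>
To: campaign@proflowers.com
Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Precedence: bulk
X-Autoreply: yes
"""

def fetch_headers(host, user, password):
    """Return one header block per message via POP3 'TOP n 0' (no bodies, no deletes)."""
    box = poplib.POP3_SSL(host)
    try:
        box.user(user)
        box.pass_(password)
        count, _size = box.stat()
        return [b"\r\n".join(box.top(i, 0)[1]).decode("latin-1")
                for i in range(1, count + 1)]
    finally:
        box.quit()

def _norm(subject):
    return re.sub(r"\s+", " ", subject or "").strip().lower()

def same_thread_subject(a, b):
    """True when one subject contains the other (covers 'Hello Re: <original>')."""
    a, b = _norm(a), _norm(b)
    return bool(a) and bool(b) and (a in b or b in a)

def triage(header_text, owner_addrs):
    """Flag header properties that separate inbound SMTP mail from anything else."""
    msg = email.message_from_string(header_text)
    findings = []
    if not msg.get_all("Received"):           # every SMTP hop prepends one
        findings.append("no-received-trace")
    if (msg.get("X-Autoreply")
            or msg.get("Auto-Submitted", "no").lower() != "no"
            or msg.get("Precedence", "").lower() in ("bulk", "junk", "auto_reply")):
        findings.append("auto-reply-markers")
    rcpts = {addr.lower() for _n, addr in getaddresses(msg.get_all("To", []))}
    if rcpts and not rcpts & {a.lower() for a in owner_addrs}:
        findings.append("not-addressed-to-owner")
    return findings

def find_shadow_pairs(headers, owner_addrs):
    """Pair each clean message with a later flagged one that reuses its subject."""
    parsed = [(email.message_from_string(h).get("Subject", ""), triage(h, owner_addrs))
              for h in headers]
    pairs = []
    for i, (subj_i, flags_i) in enumerate(parsed):
        if flags_i:
            continue
        for j in range(i + 1, len(parsed)):
            subj_j, flags_j = parsed[j]
            if flags_j and same_thread_subject(subj_i, subj_j):
                pairs.append((i, j, flags_j))
    return pairs

if __name__ == "__main__":
    # Offline run on the samples; swap in fetch_headers(...) for a live mailbox.
    print(find_shadow_pairs([LEGIT_HDR, SUSPECT_HDR], ["user@example.org"]))
```

If a pair shows up in the server-side listing, the second message exists before the mail client touches it; if it appears only in the client's local store, it is being created on the PC. A message with no Received lines, auto-reply markers and a To address that is not the mailbox owner's has the shape of an outbound automatic reply rather than inbound mail, so the account's own auto-responder and sent-mail settings are worth checking.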
     
  18. 20100209

    20100209 Flightless Bird

    HeyBub wrote:
    >
    > No. The message always follows a legit email, but the original sender seems
    > to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
    > was not actually SENT by a spammer. I think it's being generated internally
    > to my computer and stuffed in my in-box.


    Well in that case you can do only one thing and that will solve the
    riddle once and for all.

    1) Clone your HD and store it somewhere safe on an external drive;
    2) Re-install the OS from scratch after formatting the HD;
    3) Run your mail to see if the symptoms still persist;
    4) If everything is OK then it is time to put back your cloned HD, and
    this time copy only your main documents before wiping everything again.

    The reason for doing this is to save time because if the problem is in
    the mail server or at ISP then clearly there is no point in wiping
    anything from the HD. However, if the problem is in the drive itself
    then it is time to start all over again.

    I believe, I am the only one to claim that Anti-virus, Anti-Malware
    programs are NOT foolproof to all evils on this land nor are they a
    silver bullet solution to all computer problems.

    hth
     
  19. Shenan Stanley

    Shenan Stanley Flightless Bird

    20100209 wrote:
    > I believe, I am the only one to claim that Anti-virus, Anti-Malware
    > programs are NOT foolproof to all evils on this land nor are they a
    > silver bullet solution to all computer problems.


    Only because no one ever made the claim that you didn't make that I have
    seen anyway. ;-)

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
     
  20. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Look at all the idiots in this newsgroup who post spoofing others. Do you
    take their posts to be the real thing?

    dadiOH wrote:
    > PA Bear [MS MVP] wrote:
    >> It's not from a known source, it's from what looks to be a known
    >> source. This is called spoofing.

    >
    > OP says...
    > "I get an email from a known source, then, almost instantly, another email
    > "arrives" with exactly the same subject line as the righteous email but
    > containing the aforementioned text as the body."
    >
    > I took him at his word :)
    >
    > dadiOH
    > ____________
    >
    >> dadiOH wrote:
    >>> PA Bear [MS MVP] wrote:
    >>>> Why do I keep getting adverts in my mailbox every week for stores &
    >>>> businesses I've never heard of, that are hundreds of miles away from
    >>>> my home and that I wouldn't patronize anyway?
    >>>
    >>> You're missing his point...
    >>>
    >>> 1. He gets an email from a known source
    >>>
    >>> 2. He then gets SPAM with the *same subject* as the first - the one
    >>> from the
    >>> known source.
     
