All times are UTC - 6 hours




Posted: 12/07/10 5:57 am • # 1
Editorialist

Joined: 11/07/09
Posts: 720
About a month ago I got an email from someone I know, which had a link and since I knew the sender I clicked on it. It was clearly spam and prob a virus of some sort. When I told the person who sent it that it was bad, she said it was her email sending messages without her knowledge.

Now I discover that my email is sending crap emails to my mailing list, I'm sure some of you have received these bad emails.

So I used my Norton to look for a problem but Norton doesn't seem to find the problem. I also scanned with spybot, it finds no problem either. My mail continues to spam my contacts. I know it seems that my email is hijacked but I cannot find the cause to rectify it.

I have confidence that someone here has a clue of how to fix this problem so I stop annoying my contacts. I'm hoping that the solution won't involve changing my email as I have had the same msn.com mail since I first got a computer many moons ago. I know that the person who I got the email from originally, has made a new email account, but her old one continues to send the spam to me and others. I delete them immediately.

Can someone help me PLEASE????


Posted: 12/07/10 6:15 am • # 2
Administrator

Joined: 11/07/08
Posts: 42112
BEP, I get some spam emails from some very long-ago contacts [names you would recognize as well from the old MSN groups] ~ and I have a hazy recollection that the problem started in Facebook games ~ if your contact list is not exceptionally long, I'd think about writing an email with a very descriptive subject line ~ maybe something like 'my apologies, this email is safe to read' ~ and explain what happened ~ you might also think about contacting MSN services for help, altho that might be too optimistic ~ hopefully, one of our tech gurus will know about this and will know what to do ~

Sooz


Posted: 12/07/10 6:20 am • # 3
Administrator

Joined: 11/07/08
Posts: 42112
BTW, have you run an antimalwarebytes [free download at http://www.malwarebytes.org/] scan? ~ I use that regularly, thanks to our beloved tech gurus ~

Sooz


Posted: 12/07/10 6:56 am • # 4
Editorialist

Joined: 11/07/09
Posts: 720

Hey sooz,

I downloaded and tried the malware. It seems to have found a couple of red flag problems. I got rid of them after the scan. Now I guess I just wait and see if it stops sending email. I suspect the hijack was the problem. Thanks for the advice. I'm hoping this is the end of the problem. This was the result of the scan:

Scan type: Quick scan
Objects scanned: 157194
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\pezfile\shell\open\command\(default) (Rogue.MultipleAV) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\omax\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\omax\AppData\Roaming\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\omax\local settings\application data\opRSK (Malware.Trace) -> Quarantined and deleted successfully.



Posted: 12/07/10 6:59 am • # 5
Administrator

Joined: 11/07/08
Posts: 42112
BEP, if you're interested, we have a lot of info on the many problems with Norton ~ just search 'Norton' on our opening directory page of forums ~ I dumped it, with great results ~ so did Chaos ~ and so did John, altho I think he reported that his results were not as obvious as my own ~ we even have instructions on how to dump Norton to really get rid of all of it ~

Sooz


Posted: 12/07/10 7:05 am • # 6
Administrator

Joined: 11/07/08
Posts: 42112
Just read your scan results ~ Jab or Sid may have comments after reading the results ~ I keep the malwarebytes icon on my desktop and run it at least weekly ~ virtually every scan uses some different definitions, so it's a good idea to run a couple of different ones ~ my 'regulars' are AdvancedSystemCare, SpyBot, and malwarebytes ~

Sooz


Posted: 12/07/10 7:25 am • # 7
Editorialist

Joined: 11/07/09
Posts: 720
thanks a lot sooz


Posted: 12/19/10 6:43 am • # 8
Editorialist

Joined: 11/07/09
Posts: 720
Ok here is the deal. While the malware, and Norton and Spybot, previously worked to remove this bug, it has returned. At least once a day it sends a few emails to my contacts. It appears to be happening when I have the computer off. Now when I run all the scans, no problems are found. But I know the problem is still there. I tried googling for a solution, but no luck. If anyone has any suggestions please respond. And again I'm sorry if you were one of my contacts that got these emails.


Posted: 12/19/10 8:24 am • # 9
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Try this

http://support.kaspersky.com/viruses/solutions?qid=208280684

Run the scan and keep me informed


Posted: 12/19/10 8:47 am • # 10
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Also this

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


Posted: 12/19/10 6:09 pm • # 11
Editorialist

Joined: 11/07/09
Posts: 720
thanks jab,

I ran the Kaspersky scan and it found nothing.
I ran the Sophos scan and it found a bunch of hidden files that it said were removable but that clean up was not recommended. So the tech support instructions were to send them files from the scan and I did that. So now I will wait for a response.

Thanks for the advice.


Posted: 12/20/10 6:54 am • # 12
Editorialist

Joined: 11/07/09
Posts: 720
Hi Jab,

I got the following reply from Sophos and now I have no clue what to do with their fix????

Hello Susan,

Based on the sample submitted we have created the following False Positive fix:

False positive fix: Chk/FP-AVE
[Published in fake-cda.ide
2010-12-20 12:18 BST]

Thanks for your submission.

Regards,

Clayton Seymour
Sophos Technical Support
http://www.sophos.com/sup.../services/technical.html

Support knowledgebase: http://www.sophos.com/support
Subscribe to email notifications: http://www.sophos.com/security/notifications
SophosTalk community (discussion forums): http://community.sophos.com

SOPHOS - simply secure


Posted: 12/20/10 2:20 pm • # 13
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Well, not really anything to do with their fix.
Go ahead and send as much email as you can to blue@1602.us
Add that address to your contacts after you've sent a few.
Send more.
I wanna see what the deal is.


Posted: 12/20/10 2:52 pm • # 14
Editorialist

Joined: 11/07/09
Posts: 720
Ok I will. Thanks so much


Posted: 12/20/10 4:20 pm • # 15
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
No problems so far. Maybe after a reboot? It's possible that somehow you disabled whatever is sending out mail on its own and it will start back up?
I just want to get one of those. That might give me a clue.


Posted: 12/20/10 4:52 pm • # 16
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Uhmm, one more question.
How in the world did you come up with all your email subjects?


Posted: 12/20/10 5:00 pm • # 17
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Another interesting observation...

Enter your IP# at http://network-tools.com/ and select "Spam Blacklist Check"
You are officially a spammer!

whois.rfc-ignorant.org has not blacklisted this IP
bl.spamcop.net has not blacklisted this IP
sbl.spamhaus.org has not blacklisted this IP
xbl.spamhaus.org has not blacklisted this IP
zen.spamhaus.org has blacklisted this IP and the response is 127.0.0.10
psbl.surriel.com has not blacklisted this IP


Posted: 12/20/10 5:19 pm • # 18
I've been blacklisted by zen.spamhaus.org too... I'm not aware of anything going out that shouldn't.


Posted: 12/20/10 5:39 pm • # 19
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Most of us are black listed there. I guess "End-user Non-MTA IP addresses set by ISP outbound mail policy" is the reason for us lowly end users being black listed.
No reason for panic, Blue.

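The lookup behind the "Spam Blacklist Check" above and the meaning of the 127.0.0.10 answer, as an added example that is not part of the original thread: a DNSBL query reverses the IPv4 octets under the list's zone, and the returned address says which Spamhaus list matched. The code table follows the return codes Spamhaus publishes for ZEN; 192.0.2.25 is a constructed documentation address and the verdict names are this example's own.

```python
import ipaddress
import socket

# Return codes Spamhaus publishes for the combined ZEN zone.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL-ISP",       # end-user range listed by the ISP's own policy
    "127.0.0.11": "PBL-Spamhaus",  # end-user range listed by Spamhaus
}

def query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def interpret(answers):
    """Map the A records of a ZEN answer to (verdict, matched lists)."""
    if any(a.startswith("127.255.255.") for a in answers):
        return "error", []           # query refused (e.g. public resolver), not a listing
    lists = sorted({ZEN_CODES.get(a, "unknown " + a) for a in answers})
    if not lists:
        return "clean", lists        # no A record: on none of the lists
    if all(name.startswith("PBL") for name in lists):
        return "policy", lists       # should relay via the ISP; no spam was observed
    if "XBL" in lists:
        return "infected", lists     # host seen behaving like a bot or open proxy
    return "listed", lists           # SBL, CSS, DROP or an unrecognised code

def lookup(ip):
    """Live query; needs a non-public resolver, so it is not called below."""
    try:
        return socket.gethostbyname_ex(query_name(ip))[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []                # name does not exist: not listed
        raise                        # resolver failure is not a verdict

# Constructed input: the answer quoted in the thread, for a documentation address.
EXAMPLE = (query_name("192.0.2.25"), interpret(["127.0.0.10"]))
```

A "policy" verdict is the case described in the post above: the address belongs to a range that is expected to send mail through its provider's servers, which says nothing about whether the machine is infected.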

Posted: 12/21/10 1:32 am • # 20
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
Hah! Got one this morning. Thanks for wishing me a Merry Christmas and your offer to let me in on your secret how you made all your money for Christmas. And you really want to let me in on this via an Argentine company?

Change your password at MSN hotmail immediately.

To check further if that shit starts at your computer get hijackthis and send me a scan report via pm. Although I doubt by now that your computer is the culprit. The spam is being sent from a different IP# than your real email.
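
One way to check the "different IP#" observation above, as an added example that is not part of the original thread: compare the client address recorded at submission between a message the owner really sent and a suspect one. It assumes the webmail service stamps an X-Originating-IP header and falls back to the earliest Received line; both messages and every address in them are constructed samples.

```python
import email
import ipaddress
import re

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples: same account, two different submitting clients.
KNOWN_GOOD = (
    "Received: from mail.example.net ([198.51.100.9]) by mx.example.org\n"
    "X-Originating-IP: [192.0.2.25]\n"
    "From: owner@example.com\nSubject: test message\n\nhello\n"
)
SUSPECT = (
    "Received: from mail.example.net ([198.51.100.9]) by mx.example.org\n"
    "X-Originating-IP: [203.0.113.77]\n"
    "From: owner@example.com\nSubject: Merry Christmas\n\nsee link\n"
)

def origin_ip(raw):
    """Client address recorded at submission, or None if the headers carry none."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    # Prefer the webmail header; otherwise use the bottom (earliest) Received line.
    for text in [msg.get("X-Originating-IP", "")] + received[-1:]:
        for found in BRACKETED_IP.findall(text):
            try:
                return str(ipaddress.IPv4Address(found))
            except ValueError:
                continue  # matched the pattern but is not a valid address
    return None

def compare_origin(known_good, suspect):
    """Return (known_ip, suspect_ip, verdict) for two messages from one account."""
    a, b = origin_ip(known_good), origin_ip(suspect)
    if a is None or b is None:
        verdict = "undetermined"
    elif a == b:
        verdict = "same client"
    else:
        verdict = "different client"
    return a, b, verdict
```

A "different client" result is consistent with the account being used from somewhere other than the owner's PC; home addresses are often dynamic, so compare messages sent close together in time.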


Posted: 12/21/10 1:42 am • # 21
Administrator

Joined: 04/05/09
Posts: 8047
Location: Tampa, Florida
I hope you have some other email other than hotmail for your important mail.
If your hotmail account is compromised and for example you do also online banking, paypal etc and you need to reset your passwords there, the freshly created passwords would be sent to hotmail, right into their laps.
If that's the case I'd be very worried.
If you don't have another email account (with your ISP for example) get gmail or anything else but hotmail.

"Hotmail (now called Windows Live Hotmail) has various automated methods for regaining control of your account. You can reset your password in three ways: by e-mail, by providing your secret answer, or by using the secure account validation page.

The specific step-by-step instructions from Microsoft are posted here.

Unfortunately, these steps are also known by the crafty hijackers, so it's entirely possible that they will change your secret answer and some of the other information that would allow you to regain control of your account.

When this occurs, you will have little choice but to work through the account validation page and wait (usually several days) to work through the process online. Because Hotmail is a free service used by hundreds of millions of people, there is no option to pick up the phone and call someone to get help."



Last edited by jabra2 on 12/21/10 1:45 am, edited 1 time in total.

Posted: 12/21/10 4:37 am • # 22
I haven't used my Hotmail account in years.


Posted: 12/21/10 5:27 am • # 23
Editorialist

Joined: 11/07/09
Posts: 720
So I changed my password using the link you gave me. I also changed my secret question.
I ran HijackThis and it created a list. I cannot find any way to copy the list to send it to you. I got a message when I did the scan and it said:
For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
If that happens you need to edit the file yourself. To do this click start, run and type notepad C:/Windows/System32/drivers/hosts
and press enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts" (with quotes), and reboot.
For Vista simply exit HijackThis, right click on the HijackThis icon, choose run as administrator. I tried to do this but run as administrator is not one of the options. I also looked for the file they mention above but when I searched it, it could not be found.
So now I have scan results but have no idea how to send it to you...........
I'm sorry I'm having so much trouble, you have the patience of a saint. By the way, if it's being sent from another IP would the emails still appear in my sent file? They do appear there.
I'm going to break the finger that clicked on the link now, but I shall return soon. LOL
Of course in a few minutes I may be rich from my Argentine business venture.



Last edited by blueeyedpupil on 12/21/10 5:33 am, edited 1 time in total.

Posted: 12/21/10 5:30 am • # 24
Editorialist

Joined: 11/07/09
Posts: 720
Sid,

I'm very much a creature of habit. I got my first computer with free MSN service and I made my email there. That was in 2001 and I never used another address. I do have a Comcast one but I don't use it.
Since I've been online I've had the same address, password, screen name etc. I suspect that's not the best idea LOL


Posted: 12/21/10 5:35 am • # 25
Editorialist

Joined: 11/07/09
Posts: 720
jab one more question
If I did banking but did not change any passwords or have them sent to my MSN mail, are my passwords there safe? Or do I still need to change it?

