• Creator
  • #2148078

    Return of the Viruses


    by benjamin.egas ·

    Hello All,

    I am once again coming to you for help. I have a recurring issue on my network. Here it is …

    During my re-imaging of @ 30 systems, I found in particular that was receiving NDRs for email items he did not send. Obviously this points to malicious activity … so I went ahead and backed up the data and reloaded. The user's data did not survive and never again saw our network.

    … Now I am seeing the EXACT same symptoms on the office manager’s system. This is one of 3 systems I have not yet reloaded with a good image.

    I would like to ask if anyone can offer up any advice at all. I have checked the system with 2 AV scanners and Ad-aware, all to no avail. I would like to not have to re-image this system as there is a TON of company data on it.

    Thank you all in advance for your support.

    Benjamin Egas

All Answers

  • Author
    • #2460853


      by benjamin.egas ·

      In reply to Return of the Viruses


    • #2460846

      Might not be a virus.

      by kenone ·

      In reply to Return of the Viruses

      If some spammer has gotten a hold of his/her e-mail address and is using it as a phony return, then that person will receive all the NDRs and rejection notices. I don’t know of any way to stop it other than changing his/her e-mail address and not forwarding to it. Sad.

      • #2460784

        Read more here…

        by Anonymous ·

        In reply to Might not be a virus.

        Please post back if you have any more problems or questions.

        • #2464129

          Still facing issues

          by benjamin.egas ·

          In reply to Read more here…

          Hello All,

          Once again with the same issues. This is driving me mad.

          Multiple systems are showing symptoms, yet they do not have viruses or ad/mal/spy-ware. I have scanned them with numerous utilities and scanners; all have come back clean.

          We have a server running GFI Anti-spam utilities and an Exchange server with a connector to the GFI box. I am no Exchange guru, but from what I can see I cannot find any faults with the setup.

          Thoughts, ideas … help?!

          Thank you,

          Benjamin Egas

        • #2464114

          It probably is not your systems doing it…. Welcome to the REAL world!

          by thumbsup2 ·

          In reply to Still facing issues

          More than likely, as previously stated, a spammer has gotten ahold of your email addresses and is spoofing your addresses (pretending to be one or more of your people) to send their spam out. When one of these spams gets bounced by the intended recipient, it gets returned back to your people because that is the email address the spammer put into his return email address when the spam was sent.

          So, get over it. Just delete them when you receive them. We all get them each and every day. Aside from joining an anti-spam movement, there’s nothing you can do except to change the email addresses of everyone in your company. Besides the obvious problems with that approach, it will only slow down the bounced emails until the spammers figure out your new addresses.
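One way to triage the bounces described in this thread, as an added example that is not part of the original posts: it checks whether the original message returned inside an NDR ever passed through your own mail servers. The hostnames, function names and sample NDR are constructed assumptions.

```python
import email
from email.message import Message
from typing import Optional

# Assumption: names of our own outbound mail servers (constructed, not from the thread).
OUR_MAIL_HOSTS = {"exchange.example-corp.test", "gfi.example-corp.test"}

def returned_original(ndr: Message) -> Optional[Message]:
    """Return the original message (or just its headers) embedded in an NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # only the original headers attached
            return email.message_from_string(part.get_payload())
    return None

def classify_ndr(raw: str, our_hosts=OUR_MAIL_HOSTS) -> str:
    """Classify one raw NDR as 'backscatter', 'investigate' or 'no-original'."""
    original = returned_original(email.message_from_string(raw))
    if original is None:
        return "no-original"
    # Received lines can be forged, so a hit is not proof of infection:
    # it means "confirm against the mail server's own message tracking logs".
    hops = " ".join(original.get_all("Received", [])).lower()
    if any(host in hops for host in our_hosts):
        return "investigate"
    return "backscatter"   # never touched our servers: forged sender address

def sample_ndr(received: str) -> str:
    """Build a constructed NDR whose returned original has one Received hop."""
    return (
        "From: MAILER-DAEMON@mx.recipient.test\n"
        "To: manager@example-corp.test\n"
        "Subject: Undeliverable: hello\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Received: {received}\n"
        "From: manager@example-corp.test\n"
        "Subject: hello\n\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    print(classify_ndr(sample_ndr("from spambot.invalid by mx.recipient.test")))
    print(classify_ndr(sample_ndr("from EXCHANGE.example-corp.test by mx.recipient.test")))
```
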

    • #2460841

      It’s possible that his email address is being spoofed.

      by robo_dev ·

      In reply to Return of the Viruses

      So it’s possible that his machine is not infected at all.

      Two online scanners that are pretty good:
      TrendMicro Housecall or Panda

      Is the email name a pretty simple one? Maybe a spammer is just spoofing his address?

      Sometimes if the user sent email to somebody else who is infected, then their address was harvested from there.

      Forum article below>> “One exchange user is getting spammed with NDR messages”

    • #2460799

      Confidence Check – Some Tools

      by ic-it ·

      In reply to Return of the Viruses

      There are a few very good tools that will allow you to determine startup items (and more).
      Use Spybot Search and Destroy (Free, beware of imitators) in advanced mode. Also check BHOs and ActiveX (Tools Tab).
      Autoruns and/or Process Explorer.

    • #2464107

      This might be of help towards your e-mail issue…

      by Anonymous ·

      In reply to Return of the Viruses,289483,sid43_gci1114103,00.html

      Please post back if you have any more problems or questions.
