Strategies For Locating Malware?

  • Thread starter Thread starter (PeteCresswell)
  • Start date Start date
P

(PeteCresswell)

Emails are being sent from a friend's AOL account with her
address in From: and always eight address in "To:" (at least in
the ones I've seen).

I'm running MalwareBytes and McAfee's scans on the PC now. Dunno
about a boot-time scan yet, since I can't be there physically.

When I spot-check the nine spams I have on hand, most of the
"TO:" addresses can be found in the person's AOL address book.
The few that cannot look like they might be "From:" addresses in
emails that she has received (e.g.
(e-mail address removed))

I just edited her AOL address book and changed my own address to
one that I will receive - but know it could have come from only
one place.


But what now?

Suppose I start getting spammed at the new address?

Would that strongly suggest that the culprit is running on her
PC? Or could the AOL address book be in the cloud?

Does anybody have any suggestions for finding this thing and
driving a stake through it's heart?
 
Emails are being sent from a friend's AOL account with her
address in From: and always eight address in "To:" (at least in
the ones I've seen).

I'm running MalwareBytes and McAfee's scans on the PC now. Dunno
about a boot-time scan yet, since I can't be there physically.

When I spot-check the nine spams I have on hand, most of the
"TO:" addresses can be found in the person's AOL address book.
The few that cannot look like they might be "From:" addresses in
emails that she has received (e.g.
(e-mail address removed))

I just edited her AOL address book and changed my own address to
one that I will receive - but know it could have come from only
one place.


But what now?

Suppose I start getting spammed at the new address?

Would that strongly suggest that the culprit is running on her
PC? Or could the AOL address book be in the cloud?

Does anybody have any suggestions for finding this thing and
driving a stake through it's heart?

Probably won't have to go that far unless it's a vampire.
Li'll old trick I learnt, works for goo...gle aagghhh, and
probably others.

Send yourself a letter addressed to

(e-mail address removed)

Don't forget the "+" between your username and the random
letters.

see if you receive it, look at the headers.

Get the idea ?

[]'s
 
Per Shadow:
Send yourself a letter addressed to

(e-mail address removed)

Don't forget the "+" between your username and the random
letters.

see if you receive it, look at the headers.

Get the idea ?

That one whizzed right over my head.

I tried sending an email to (e-mail address removed) and
AOL's address check popped a dialog saying that "XYZ" was
suspicious.

I overrode the warning and told it to just send the message.

Then another dialog popped saying the message was not sent and I
should go to a "Challenge" page.

But when it tried to open the challenge page
(http://challenge.aol.com/en/us/spam.html) it threw "570 User
Identification Failed".

What would have been the implication of it had gone through and
appeared in my inbox? FWIW, I have a GoldList that would have
weeded out that "To:" address - or would I be looking for
somebody extracting my fake-but-deliverable address from the AOL
address book?
 
(PeteCresswell) said:
Per Shadow:

That one whizzed right over my head.

I tried sending an email to (e-mail address removed) and AOL's
address check popped a dialog saying that "XYZ" was suspicious.

I do not see the plus sign (+) in your test address.
 
Per Beauregard T. Shagnasty:
I do not see the plus sign (+) in your test address.

Mea Culpa - didn't realize it was literally supposed tb there.

Just sent one to "(e-mail address removed)"
and it did not get to me.

FWIW, one of those fake-but-deliverable addresses that I
substituted for my "real" address in the affected person's AOL
address book just received a spam: same deal as the others - 8
addrs in "To:", and just two lines in the body: an admonition to
check something out, and an accompanying link.

viz:
========================================================
...Choose the easiest way to earn money
http://www.marinadiportotorres.it/viev.site.php?jbSubCategoryId=46ce9
========================================================


I think I need to find out where this person's AOL address book
resides: in the cloud, or on her C: drive.

Would anybody agree?
 
Per (PeteCresswell):
I think I need to find out where this person's AOL address book
resides: in the cloud, or on her C: drive.

I think I have tentatively answered my own question: it seems to
reside in the cloud per
http://forums.mozillazine.org/viewtopic.php?f=39&t=2456369

Maybe I'm too immersed in this stuff for my own good, but that
looks butt-fugly to me.

So... I guess I still have no clue as to whether the culprit is
running on the user's PC or is hitting AOL from afar.

Now I'm thinking the next step sb to follow David's advice and
change the user's PW. Didn't want to do that at first bco
intruducing additional user-confusion....
 
Back
Top