Author Topic: Help! I've been hacked - how do I stop it?  (Read 4727 times)

vaskidmark

  • National Anthem Snob
  • friends
  • Senior Member
  • ***
  • Posts: 12,799
  • WTF?
Help! I've been hacked - how do I stop it?
« on: August 05, 2010, 11:27:32 PM »
Somehow something got hold of my address book and is sending out spam of all sorts to everybody, including me.

I've run the antivirus (AVG w/ firewall) and several anti-spyware programs (Spybot S&D, SuperAntiSpyware) and as far as I can tell my machine is clean.

How do I find whatever bugger is crapping all over the internet with my address book and then how do I kill it?

Remember, I know just enough to get onto the internet.  I have not yet taken the training wheels off, although they are now off the ground unless I start to lean too far over to the side.  So KISS might be a bit advanced for me.

Thanks, oh gurus of APS.

stay safe.
If cowardly and dishonorable men sometimes shoot unarmed men with army pistols or guns, the evil must be prevented by the penitentiary and gallows, and not by a general deprivation of a constitutional privilege.

Hey you kids!! Get off my lawn!!!

They keep making this eternal vigilance thing harder and harder.  Protecting the 2nd amendment is like playing PACMAN - there's no pause button so you can go to the bathroom.

Jim147

  • friends
  • Senior Member
  • ***
  • Posts: 7,599
Re: Help! I've been hacked - how do I stop it?
« Reply #1 on: August 05, 2010, 11:37:35 PM »
I would try downloading Malwarebytes. http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=contentMain;contentAux

You might have to install and update from safemode.

jim
Sometimes we carry more weight then we owe.
And sometimes goes on and on and on.

BAH-WEEP-GRAAAGHNAH WHEEP NI-NI BONG

RoadKingLarry

  • friends
  • Senior Member
  • ***
  • Posts: 21,841
Re: Help! I've been hacked - how do I stop it?
« Reply #2 on: August 05, 2010, 11:41:53 PM »
It is also possible that someone is spoofing your email address and the emails are not coming from your machine.
If ye love wealth better than liberty, the tranquility of servitude better than the animating contest of freedom, go home from us in peace. We ask not your counsels or your arms. Crouch down and lick the hands which feed you. May your chains set lightly upon you, and may posterity forget that you were our countrymen.

Samuel Adams

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: Help! I've been hacked - how do I stop it?
« Reply #3 on: August 05, 2010, 11:45:48 PM »
It is also possible that someone is spoofing your email address and the emails are not coming from your machine.

This.

Switch mail applications, especially if it's Outlook. Switch to Thunderbird or something.

Also use Combofix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure you get it from the links here. Other places called "combofix" in the URL are semi-scams selling their utility cashing in on Combofix's name/reputation.
I promise not to duck.

Monkeyleg

  • friend
  • Senior Member
  • ***
  • Posts: 14,589
  • Tattaglia is a pimp.
    • http://www.gunshopfinder.com
Re: Help! I've been hacked - how do I stop it?
« Reply #4 on: August 05, 2010, 11:50:37 PM »
See if anyone you know can copy the header information from one of the spam emails. That should tell you whether it's coming from your machine or if somebody is spoofing your email address.

GigaBuist

  • friends
  • Senior Member
  • ***
  • Posts: 4,345
    • http://www.justinbuist.org/blog/
Re: Help! I've been hacked - how do I stop it?
« Reply #5 on: August 06, 2010, 12:08:37 AM »
1)  Where is your address book?  If it's local your machine might be compromised.  If you use something like Gmail or Hotmail they probably got to your account, not your machine.

2)  Run MalwareBytes as has already been suggested.

3)  Are you SURE they got your address book?  It could be anybody in your social network that they hacked.  Just because the email says it's coming from you doesn't mean that you were actually the source of the email addresses and it doesn't mean that your machine has ever been involved.  There's absolutely no security whatsoever on what appears in the "From:" field on an email.  They could have hacked a buddy of yours and now people are getting emails that look like they're from you simply because they're phishing for responses and there's a high probability that if person B (you) knows person A (who was hacked) that person C (in A's address book) also knows person B (you).

Perd Hapley

  • Superstar of the Internet
  • friend
  • Senior Member
  • ***
  • Posts: 61,456
  • My prepositions are on/in
Re: Help! I've been hacked - how do I stop it?
« Reply #6 on: August 06, 2010, 12:21:31 AM »
Add a bunch of Congressional email addresses to your Contacts list.
"Doggies are angel babies!" -- my wife

roo_ster

  • Kakistocracy--It's What's For Dinner.
  • friend
  • Senior Member
  • ***
  • Posts: 21,225
  • Hoist the black flag, and begin slitting throats
Re: Help! I've been hacked - how do I stop it?
« Reply #7 on: August 06, 2010, 08:23:10 AM »
Add a bunch of Congressional email addresses to your Contacts list.

Don't neglect the other two branches.  They need spam love too.
Regards,

roo_ster

“Fallacies do not cease to be fallacies because they become fashions.”
----G.K. Chesterton

CNYCacher

  • friend
  • Senior Member
  • ***
  • Posts: 4,438
Re: Help! I've been hacked - how do I stop it?
« Reply #8 on: August 06, 2010, 08:54:46 AM »
It's not coming from your computer.  There isn't much of anything you can do except warn your contacts that you are not sending the spam, and that you will not be travelling to Nigeria anytime soon and while you are not there, you will not suffer some type of catastrophic tragedy and be in need of a western union anytime soon.
On two occasions, I have been asked [by members of Parliament], "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question.
Charles Babbage

MechAg94

  • friend
  • Senior Member
  • ***
  • Posts: 33,814
Re: Help! I've been hacked - how do I stop it?
« Reply #9 on: August 06, 2010, 09:41:50 AM »
A while back, I got an email from a guy I never heard of asking why I sent him an attachment and is it safe to open.  I never heard of him and never sent him an email.  It was kind of funny at the time.  Yeah, someone was spoofing my email in the from box.
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

Ron

  • friends
  • Senior Member
  • ***
  • Posts: 10,882
  • Like a tree planted by the rivers of water
    • What I believe ...
Re: Help! I've been hacked - how do I stop it?
« Reply #10 on: August 06, 2010, 10:18:37 AM »
My mother's computer picked up a nasty bug that required I reformat.

Afterward folks were getting spammed from her email address. The machine was clean as best I could tell so I had her change her password for that email account. No more spam after that. 
For the invisible things of him since the creation of the world are clearly seen, being perceived through the things that are made, even his everlasting power and divinity, that they may be without excuse. Because knowing God, they didn’t glorify him as God, and didn’t give thanks, but became vain in their reasoning, and their senseless heart was darkened. Professing themselves to be wise, they became fools.

Hawkmoon

  • friend
  • Senior Member
  • ***
  • Posts: 27,320
Re: Help! I've been hacked - how do I stop it?
« Reply #11 on: August 06, 2010, 12:31:34 PM »
My sister and her husband just changed their e-mail accounts for this exact reason. They had both been using MSN.com, and their addresses were being spoofed.
- - - - - - - - - - - - -
100% Politically Incorrect by Design

vaskidmark

  • National Anthem Snob
  • friends
  • Senior Member
  • ***
  • Posts: 12,799
  • WTF?
Re: Help! I've been hacked - how do I stop it?
« Reply #12 on: August 11, 2010, 08:01:04 AM »
It stopped for a while.  Now it's back.  Here's the headers from the latest offering of Viagra I'm sending to myself because it must be such a good deal.

Return-Path: <pmhenick@aol.com>
Received: from imd-dc11.r1000.mx.aol.com (imd-dc11.r1000.mx.aol.com [172.29.10.108]) by air-di01.mail.aol.com (v129.4) with ESMTP id MAILINDI012-eab74c6290061c; Wed, 11 Aug 2010 07:56:54 -0400
Received: from mtain-df11.r1000.mx.aol.com (mtain-df11.r1000.mx.aol.com [172.29.64.223])
   by imd-dc11.r1000.mx.aol.com (Inbound Mail Deferral) with ESMTP id 18702701AD426
   for <pmhenick@aol.com>; Wed, 11 Aug 2010 07:56:53 -0400 (EDT)
Received: from kpn.net (unknown [92.64.5.58])
   by mtain-df11.r1000.mx.aol.com (Internet Inbound) with ESMTP id 6B1D6380084C6
   for <pmhenick@aol.com>; Wed, 11 Aug 2010 07:18:53 -0400 (EDT)
From: Viagra from US factory <pmhenick@aol.com>
To: pmhenick@aol.com
Subject: Hey pmhenick, welcome to our Sale. In
Date: Wed, 11 Aug 2010 13:11:30 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
x-aol-sid: 3039ac1d40df4c62871d60d0
X-AOL-IP: 92.64.5.58
X-AOL-SPF: domain : aol.com SPF : neutral
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)
Message-ID: <c83.562f4f60.3993ea0d@UNKNOWN>


Any ideas?

Thanks.

stay safe.

Ron

  • friends
  • Senior Member
  • ***
  • Posts: 10,882
  • Like a tree planted by the rivers of water
    • What I believe ...
Re: Help! I've been hacked - how do I stop it?
« Reply #13 on: August 11, 2010, 09:11:58 AM »
Did you change your email account password?


vaskidmark

  • National Anthem Snob
  • friends
  • Senior Member
  • ***
  • Posts: 12,799
  • WTF?
Re: Help! I've been hacked - how do I stop it?
« Reply #14 on: August 11, 2010, 09:22:49 AM »
Did you change your email account password?



Must have missed that hint.  Be back in a minute.

stay safe.

vaskidmark

  • National Anthem Snob
  • friends
  • Senior Member
  • ***
  • Posts: 12,799
  • WTF?
Re: Help! I've been hacked - how do I stop it?
« Reply #15 on: August 11, 2010, 09:29:30 AM »
OK.  Password changed.  Now I wait to see what happens - or does not happen - next, right?

stay safe.

GigaBuist

  • friends
  • Senior Member
  • ***
  • Posts: 4,345
    • http://www.justinbuist.org/blog/
Re: Help! I've been hacked - how do I stop it?
« Reply #16 on: August 11, 2010, 04:55:44 PM »
Well, it started in the Netherlands from an IP that lives in a really small block of addresses assigned to a business of some sort.  My hunch is they've got their own mail server and it's wide open as a spam relay.

I'm going to stand by my assumption that either your address book or one of somebody in your circle was lifted (somehow) and you're all the target of some pretty generic spam.
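
Added example, not part of any post in the thread: a Python sketch of the header check suggested in Reply #4, run over an abridged copy of the headers from Reply #12 (mailbox replaced by the placeholder `user@aol.com`). The function name `trace_origin`, the `.aol.com` trust suffix and the final heuristic flag are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the post above, abridged; the mailbox is a placeholder.
RAW = """\
Received: from imd-dc11.r1000.mx.aol.com (imd-dc11.r1000.mx.aol.com [172.29.10.108]) by air-di01.mail.aol.com (v129.4) with ESMTP id MAILINDI012-eab74c6290061c; Wed, 11 Aug 2010 07:56:54 -0400
Received: from mtain-df11.r1000.mx.aol.com (mtain-df11.r1000.mx.aol.com [172.29.64.223])
   by imd-dc11.r1000.mx.aol.com (Inbound Mail Deferral) with ESMTP id 18702701AD426
   for <user@aol.com>; Wed, 11 Aug 2010 07:56:53 -0400 (EDT)
Received: from kpn.net (unknown [92.64.5.58])
   by mtain-df11.r1000.mx.aol.com (Internet Inbound) with ESMTP id 6B1D6380084C6
   for <user@aol.com>; Wed, 11 Aug 2010 07:18:53 -0400 (EDT)
From: Viagra from US factory <user@aol.com>
To: user@aol.com
X-AOL-SPF: domain : aol.com SPF : neutral

(body omitted)
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)")

def trace_origin(raw, provider_suffix):
    """Find where the message entered the recipient's provider.

    Received headers are prepended, so the newest is first. Only hops stamped
    by the provider's own servers are trusted; anything below the first
    untrusted stamp could have been written by the sender.
    """
    msg = message_from_string(raw)
    entry = None
    for header in msg.get_all("Received", []):
        m = HOP.search(header)
        if not m or not m.group(4).lower().endswith(provider_suffix):
            break
        entry = {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
    if entry is None:
        return None
    entry["external"] = ipaddress.ip_address(entry["ip"]).is_global
    entry["from_domain"] = parseaddr(msg["From"])[1].rpartition("@")[2]
    entry["spf"] = msg.get("X-AOL-SPF", "").rpartition(":")[2].strip()
    # Heuristic (assumption): mail claiming the provider's own domain but handed
    # in from a public address outside it did not go out through the account.
    same_domain = entry["from_domain"] == provider_suffix.lstrip(".")
    entry["forged_from_likely"] = entry["external"] and same_domain
    return entry

if __name__ == "__main__":
    print(trace_origin(RAW, ".aol.com"))
```

The two upper hops carry private 172.29.x.x addresses because they are internal relays; the bottom hop is the only one where an outside host handed the message over, which is the address GigaBuist traced.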