Jeez what a weird one??
Posted: Thu Jun 10, 2010 1:15 pm
by hungryhounduk
Hi All
I just checked my emails at AOL and found that I had 91 (yes 91) returned emails, which I never sent :?
What's going on??????
Maybe a Bug in my system??
Chris
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:11 pm
by CodenStuff
Hello hungryhounduk,
Hmm that is a strange one. Does it say on the emails where they were sent or returned from? :?
Knowing AOL it's probably a bug on their system lol
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:15 pm
by hungryhounduk
It says they were sent by Me?
But I did not send out 91 emails in the last 24 hours. I have just deleted all the contacts except about 6 contacts, so hopefully I will get on top of the matter.
This is the time: 04:28:06, and I was in bed ;)
Chris
This below is what each email that has been returned says :?
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<kris@pdf417.co.uk>
----- Transcript of session follows -----
<kris@pdf417.co.uk>... Deferred: Name server: pdf417.co.uk.: host name lookup
failure
Message could not be delivered for 4 hours
Message will be deleted from queue
Final-Recipient: RFC822; kris@pdf417.co.uk
Action: failed
Status: 4.4.7
Remote-MTA: DNS; pdf417.co.uk
Last-Attempt-Date: Thu, 10 Jun 2010 09:33:42 -0400
Return-Path: <Hungryhounduk@aol.com>
Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202])
by omr-d32.mx.aol.com (8.14.1/8.14.1) with ESMTP id o5A8S5e6022640;
Thu, 10 Jun 2010 04:28:06 -0400
Received: from Hungryhounduk@aol.com
by imo-da04.mx.aol.com (mail_out_v42.9.) id z.ca3.71a236f9 (34923);
Thu, 10 Jun 2010 04:27:55 -0400 (EDT)
Received: from smtprly-md01.mx.aol.com (smtprly-md01.mx.aol.com [64.12.143.154])
by cia-da03.mx.aol.com (v129.4) with ESMTP id MAILCIADA038-d4154c10a20916d; Thu,
10 Jun 2010 04:27:55 -0400
Received: from webmail-m068 (webmail-m068.sim.aol.com [64.12.224.34]) by
smtprly-md01.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYMD013-d4154c10a20916d;
Thu, 10 Jun 2010 04:27:53 -0400
To: kris@krenna.co.uk, kris@pdf417.co.uk, kris@whorror.co.uk, kris@wydata.com,
lam8retta@hotmail.com, lambretta.cottage@tesco.net,
lambretta.man@blueyonder.co.uk, lambrettagetta@ntlworld.com,
lammys4u@blueyonder.co.uk, landog@ntlworld.com
Content-Transfer-Encoding: quoted-printable
Subject: =?utf-8?Q?drugs_))=EF=BF=BD?=
Date: Thu, 10 Jun 2010 04:27:53 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 174.45.23.66
X-MB-Message-Type: User
MIME-Version: 1.0
From: hungryhounduk@aol.com
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 31888-MOBILE
Received: from 174.45.23.66 by webmail-m068.sysops.aol.com (64.12.224.34) with
HTTP (WebMailUI); Thu, 10 Jun 2010 04:27:53 -0400
Message-Id: <8CCD68DF49BC86B-1E30-8FE@webmail-m068.sysops.aol.com>
X-Spam-Flag:YES
X-AOL-SENDER: Hungryhounduk@aol.com
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:21 pm
by CodenStuff
Hello,
I would change your password if I was you because I've just noticed I got an email from you (at least your email address) this morning. Subject said "health" and the email just had a link in it to a viagra website.
Not a sales rep are you? :lol:
Either that or someone's sending emails and manipulating the sender name to say it's from your email address, which could also be why they're being returned to your inbox :?.
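The two explanations in the post above (a stolen password versus a forged sender name) leave different traces in the headers of the returned message posted earlier in the thread. The following added example, which is not part of the original posts, reads the earliest Received hop to tell them apart; `PROVIDER`, `classify` and the `FORGED` sample are assumptions made for the illustration.

```python
import re
from email import message_from_string

PROVIDER = "aol.com"  # assumption: domain of the mailbox provider's own hosts

# Headers from the returned message posted in the thread (subset; the
# indentation of folded lines, lost on the forum page, is restored).
RETURNED = """\
Received: from webmail-m068 (webmail-m068.sim.aol.com [64.12.224.34]) by
 smtprly-md01.mx.aol.com (v129.4) with ESMTP id MAILSMTPRLYMD013-d4154c10a20916d;
 Thu, 10 Jun 2010 04:27:53 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 174.45.23.66
From: hungryhounduk@aol.com
Received: from 174.45.23.66 by webmail-m068.sysops.aol.com (64.12.224.34) with
 HTTP (WebMailUI); Thu, 10 Jun 2010 04:27:53 -0400

"""

# Constructed contrast case: same From address, first hop on unrelated hosts.
FORGED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by
 mx.example.org with ESMTP id abc123; Thu, 10 Jun 2010 04:27:53 -0400
From: hungryhounduk@aol.com

"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def classify(raw_headers, provider=PROVIDER):
    """Classify a returned message by its earliest Received hop.

    Each server prepends its Received line, so the last one in the
    header block is where the message first entered the mail system.
    """
    hops = message_from_string(raw_headers).get_all("Received") or []
    m = HOP.search(hops[-1]) if hops else None
    if not m:
        return ("unknown", None)
    origin, by_host, proto = m.group(1), m.group(2).lower(), m.group(3).upper()
    inside = by_host == provider or by_host.endswith("." + provider)
    if inside and proto == "HTTP":
        # Composed in the provider's web UI: someone was logged in to the account.
        return ("sent-from-account-webmail", origin)
    if inside:
        return ("entered-at-provider-smtp", origin)
    # First hop never touched the provider: the From address was simply forged.
    return ("from-forged-elsewhere", origin)
```

Only hops written by servers you trust count as evidence, since any Received line below the first trusted hop can be made up by the sender. Here the bounce came from the provider's own postmaster, so the whole chain is the provider's record.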
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:28 pm
by hungryhounduk
Yeah sounds like something weird is going on?
and No I did not send you an email for Viagra
Yes I will change my Password and see if that cures it
Cheers
Chris
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:49 pm
by hungryhounduk
Just had a look at the deleted (91) emails and found one that had an IP address, so I did a search and found this
File SHA1: 052a1dae02608523194f4c636ff3686e4af1025b
File MD5 : 31a4a11a72ce76b5cbfbdfe676bb62b5
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Additonal Info:
Source: Honeypot
Date: Sat Jan 30 07:10:38 MYT 2010
Final Score: 324
Possible Malware: YES
Scanner Information:-
W32/Virutas.FG
Virus.Win32.Virut.av
Win32/Virut.AV virus
#– Files Created: –
/WINDOWS/Fonts/unwise_.exe
/WINDOWS/Prefetch/NETSH.EXE-085CFFDE.pf
#– Registry Created: –
[SOFTWARE]
+ [software\Microsoft\Tracing\FWCFG]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
+ [software\Policies\Microsoft\MRT]
+ [software\Policies\Microsoft\Windows\WindowsUpdate]
+ [software\Policies\Microsoft\Windows NT]
+ [software\Policies\Microsoft\Windows NT\Windows File Protection]
[SYSTEM]
+ [system\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups]
+ [system\ControlSet001\Services\napagent\LocalConfig\UI]
+ [system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
+ [system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
+ [system\ControlSet001\Services\Windows Hosts Controller]
+ [system\ControlSet001\Services\Windows Hosts Controller\Security]
[SECURITIES]
[DEFAULT]
[NTUSER]
#– Malicious Running Processes: –
! “explorer.exe”,Process ID: “748″
! “lsass.exe”,Process ID: “272″
! “sample.exe”,Process ID: “1456″
! “svchost.exe”,Process ID: “524″
! “userinit.exe”,Process ID: “720″
! “wmiprvse.exe”,Process ID: “1268″
#– Malicious Processes Dump: –
#– Malware Traffic – DNS: –
38.234.82.124.in-addr.arpa
cx10man.weedns.com
fx010413.whyI.org
#– Malware Traffic – Connections: –
#– Malware Traffic – www: –
#– Static Header: –
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++
TimeStamp: 4AD12F08 Sun Oct 11 09:04:08 2009
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00283FFF
Code Base: 00001000 Size: 00035800
Data Base: 00037000 Size: 00240E00
Entry Point: 0027CFFF (file offset 00022BFF)
++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++
1: .text RVA: 00001000 Offset: 00000400 Size: 00020600 Flags: E0000060 (CDERW)
2: .rsrc RVA: 0027A000 Offset: 00020A00 Size: 00001200 Flags: E0000020 (CERW)
3: peei RVA: 0027C000 Offset: 00021C00 Size: 00002BFF Flags: E00FFFF0 (CDUERW)
++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++
DLL: Kernel32.dll
Addr: 0027C035 hint: 0(0000) Name: LoadLibraryA
Addr: 0027C039 hint: 0(0000) Name: GetProcAddress
I did last night sign up to a webhosting site, so maybe that was the cause of it, as I did not have all this beforehand :?
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:51 pm
by CodenStuff
Hello,
> and No I did not send you an email for Viagra
That's a shame, I was going to ask for a discount :lol: .
Yes it looks like someone's sending out emails using your email as the sender, the addresses it sent to are in alphabetic order so it looks like an email list of some kind:
kris@krenna.co.uk, kris@pdf417.co.uk, kris@whorror.co.uk, kris@wydata.com,
lam8retta@hotmail.com, lambretta.cottage@tesco.net,
lambretta.man@blueyonder.co.uk, lambrettagetta@ntlworld.com,
lammys4u@blueyonder.co.uk, landog@ntlworld.com
Damn spammers. Wonder how they got my email address though :?
Hmm, haven't got a virus have you? You should give your computer a good scan just in case.
Re: Jeez what a weird one??
Posted: Thu Jun 10, 2010 2:55 pm
by hungryhounduk
> Yes it looks like someone's sending out emails using your email as the sender, the addresses it sent to are in alphabetic order so it looks like an email list of some kind:
> kris@krenna.co.uk, kris@pdf417.co.uk, kris@whorror.co.uk, kris@wydata.com,
> lam8retta@hotmail.com, lambretta.cottage@tesco.net,
> lambretta.man@blueyonder.co.uk, lambrettagetta@ntlworld.com,
> lammys4u@blueyonder.co.uk, landog@ntlworld.com
> Damn spammers. Wonder how they got my email address though
> Hmm, haven't got a virus have you? You should give your computer a good scan just in case
Hi CodenStuff
Mmm, I don't think I have a virus, as everything is running OK, but I will do a scan as you suggested just to be on the safe side.
That email above that I posted was just 1 of the (91), so as your email address was in my contacts, then they must have got it from my contacts.
** I did a full system scan and that produced nothing, so even though it did not pick up anything, at least it is error free

I have been checking my emails all day since and nothing has come back. Mind you, I have deleted all my contacts in my address book except 6 contacts, so hopefully that will be the end of it.
Cheers
Chris