KIPRO 6 AUG 2017 at 8:48
Login attempt HELP
Hey,

Recently (started 2 weeks ago), I'm getting spammed with mails from Steam support (noreply@steampowered.com), saying that someone attempted to connect to my Steam account.
So when I started receiving those mails I was like np, I have the Steam app on my phone with Steam Guard enabled so no risks as long as they don't have my phone.
But it starts to scare me because I'm receiving about 20/30 mails like this per day.
So the first thing I did was change my password. I did it from my computer and I was still receiving mails after it. So I thought that my computer was infected with a sort of keylogger and so they had my new password.
After this, I decided to change my password from my phone with the 4G thanks to the Steam App (maybe it is my network infected so no wifi). AND GUESS WHAT? 15 minutes after, I was receiving mails again.

So here I am, I have no idea how they can still manage to find my password and I don't know how to make it stop.

PS: All attempts are from Ukraine (UA).
My phone is a new one so I don't think it is infected.
demo 6 AUG 2017 at 14:56
I just think it's indicative of a really lazy person - too lazy to read pinned threads, too lazy to put their brain cells into gear and actually contribute rather than just headbutting their keyboards to post a random character...

(yes I have dealt with a lot of spam before grrr) :)
Last edited by demo; 6 AUG 2017 at 14:56
Soy 6 AUG 2017 at 15:02
Well, regarding the strange things found by Spybot Search and Destroy (vs 2.6, running the rootkit scanner): it found hidden directories (hidden to win 32 it says, but I can't find it on my 64 machine) called "boott! s" and "codet! s" and "config.msidbox" (on three different drives). (The drives also have a 'boot' dir, a 'code' dir and a 'config.msi' dir.) While similar stuff was detected in the past, nobody ever linked it (it seems) to a piece of malware (so far).
demo 6 AUG 2017 at 15:05
Have you tried Rogue Killer? - I always use 3 scanners when cleaning a PC.

Malwarebytes, Rogue Killer and SUPERAntiSpyware. - I swear by Rogue Killer, it ferrets out stuff other scanners miss.

https://www.bleepingcomputer.com/download/roguekiller/

I'd run a good rootkit remover too if I were you. McAfee do one.


https://www.mcafee.com/uk/downloads/free-tools/rootkitremover.aspx
Last edited by demo; 6 AUG 2017 at 15:06
Soy 6 AUG 2017 at 15:07
not yet, will do so after I finish my current batch of scans
Soy 8 AUG 2017 at 8:33
Just an update, did more scans, found nothing. Talked to a few people who also had the same problem, didn't find anything that points to a common point of infection. I'm starting to think that the emails not being legit might perhaps be correct and I was wrong. (At least, the likelihood of it being so has increased by a lot, unless this is magical FUD (fully undetectable, yes this is a stupid term, esp as security already has FUD (Fear, uncertainty and doubt), I'm sorry) malware.) So if that is true, I apologize.

If I discover more, I'll mention it here as several others seemed to be interested in it.

Edit: and thanks for the help everybody!
Last edited by Soy; 8 AUG 2017 at 8:35
Forcen 8 AUG 2017 at 8:39
How many have done the "change passwords on a different device and don't use it on the old one for a while and see if the emails stop"-trick and reported back results?
Soy 8 AUG 2017 at 8:46
Oddly enough, they all mentioned that it didn't stop then, but it stopped for me. (And doubly oddly, after logging in using my password on my 'potentially infected' machine, the emails didn't restart.) All pointing towards, perhaps it is spam. So I'm confused, and as this data doesn't fit my assumptions, I'm forced to reconsider my assumptions. Even if it is painful.

Also, as I'm not getting emails anymore, I can't do further research into it. But what I did was this:

* Change the email steam sends emails to
* Reinstall steam
* Change passwords on a different device

And then it stopped.

Before reinstalling I also looked at whether logging into Steam was sending my password somewhere, but it appears that didn't happen, at least not via an unencrypted message. (Wireshark is your friend.)

As other people reported different results with these steps, I'm confused and don't know what to think. And I just thought to update the people here, as some of you guys seem to be volunteer people who try to help people with problems and should be updated. (you da real mvp's!)
Foolproof detection of fake emails from "steam":
They arrive on a not-associated-anymore email

Just look at that.
It's so simple.
Soy 8 AUG 2017 at 9:18
Yeah, Muppet, sadly, I can't test that, as I don't get the emails anymore :D. If I do get them, will report here again. Esp as that would give us all some proof.
Soy 10 AUG 2017 at 8:38
Wouldn't you know it. I'm wrong and you guys who said it was spam are right. Got email at the wrong account.

Oddly enough, signed with the correct credentials from steampowered.com. So no idea what is going on still, but at least, removes one worry.
demo 10 AUG 2017 at 8:46
Thanks for keeping us updated Soy, good to know progress is being made & the more info gathered, the closer we all are to a definitive answer.
TOBY 10 AUG 2017 at 9:08
Call gaben and pray "oh mighty god you may protect my steam account" :steamsad:
Soy 10 AUG 2017 at 9:09
Hmm looking into it, I might even be a bigger idiot than assumed. The email uses a wrong type of addressing me.

Let me explain: The (valid) emails sent to [emailadres@email.com] start with
"Dear [username], Here is the Steam Guard code you need to login to account [username]:"

I had not noticed before, as it matched, but the spam seems to make a mistake and send them to
Dear [first part of emailadres], Here is the Steam Guard code you need to login to account [first part of emailadres]:

See the difference?

So anybody getting this spam: check if the "dear [username]" part correctly identifies your account name, and not the first part of your email.

So say, my account name is soy, and my email is NotSoy@gmait.com.

The spam would say 'dear NotSoy'.

Last edited by Soy; 10 AUG 2017 at 9:11
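The two checks described in this thread (mail arriving at an address no longer associated with the account, and a greeting that uses the first part of the email address instead of the account name), as an added Python example that is not part of any post here. The function name, finding labels and sample messages are constructed, and comparing names case-insensitively is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GREETING = re.compile(r"Dear\s+([^,\r\n]+),", re.IGNORECASE)

def check_steam_guard_mail(raw, account_name, registered_address):
    """Return a list of reasons the message looks forged (empty list = no flags)."""
    msg = message_from_string(raw)
    findings = []
    # The From header is deliberately ignored: it is set by the sender and can be faked.
    _, rcpt = parseaddr(msg.get("To", ""))
    rcpt = rcpt.lower()
    if rcpt != registered_address.lower():
        findings.append("recipient-not-registered")
    body = msg.get_payload()
    match = GREETING.search(body if isinstance(body, str) else "")
    if match is None:
        findings.append("no-greeting")
        return findings
    greeted = match.group(1).strip().lower()
    if greeted != account_name.lower():  # assumption: case-insensitive comparison
        findings.append("greeting-not-account-name")
        if greeted == rcpt.split("@")[0]:
            findings.append("greeting-is-email-local-part")
    return findings

def sample(to_addr, greeted_name):
    """Build a constructed sample message; not a captured email."""
    return (
        "From: noreply@steampowered.com\n"
        f"To: {to_addr}\n"
        "Subject: constructed sample\n"
        "\n"
        f"Dear {greeted_name}, Here is the Steam Guard code you need "
        f"to login to account {greeted_name}:\n"
    )

# Account name "soy", registered address NotSoy@mail.example (constructed values).
LEGIT = sample("NotSoy@mail.example", "soy")
SPAM = sample("NotSoy@mail.example", "NotSoy")
OLD_ADDRESS = sample("old@mail.example", "old")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spam", SPAM), ("old", OLD_ADDRESS)):
        print(name, check_steam_guard_mail(raw, "soy", "NotSoy@mail.example"))
```
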
Originally posted by Soy:
Hmm looking into it, I might even be a bigger idiot than assumed. The email uses a wrong type of addressing me.

Let me explain: The (valid) emails sent to [emailadres@email.com] start with
"Dear [username], Here is the Steam Guard code you need to login to account [username]:"

I had not noticed before, as it matched, but the spam seems to make a mistake and send them to
Dear [first part of emailadres], Here is the Steam Guard code you need to login to account [first part of emailadres]:

See the difference?

So anybody getting this spam: check if the "dear [username]" part correctly identifies your account name, and not the first part of your email.

So say, my account name is soy, and my email is NotSoy@gmait.com.

The spam would say 'dear NotSoy'.
That can show two things:

Headers can be faked
or
Actually an account with those details was created. Intentionally or coincidence.
Last edited by Muppet among Puppets; 10 AUG 2017 at 9:26
Date posted: 6 AUG 2017 at 8:48
Posts: 95