Avast Shows No Virus, But I Get Email Being Sent From Outlook?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by webgyrl, May 31, 2007.

  1. webgyrl

    webgyrl Private E-2

    Hi!

    I'm wondering if someone can help me? I noticed the other day that Outlook was sending messages that do not appear in my Out box. It sends like 5-13 or 14 at a time in bunches. I am sure there is some virus or Trojan doing this, but I ran Avast (latest update) and it found nothing.

    I am positive something is on my system, but I am not sure what tools to use to find out. Any ideas on other things I can use to scan my system and get to the bottom of this email sending thing?

    Thanks!
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi


    This would be your best guide and set of tools to use to find out if malware is the cause of this and, if so, what its name is. From the attached logs our malware experts will be able to give you further tailored removal instructions.



    Our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. webgyrl

    webgyrl Private E-2

    Hello,

    Phew... what a week.

    OK here is my situation. As I mentioned above I have some sort of virus or Spam thing that is using Outlook to send spam.

    Here is the background.

    Things were running pretty fine on my system (I thought) till last week. I do download from the Torrent sites and sometimes get some nasties. But usually Avast catches them.

    Last week I installed the new Office 2007 (awesome BTW). But then I started to notice in Outlook bunches of 13 messages being sent. Nothing was showing in my Outbox, so I figured for sure I have some sort of Trojan or virus or something that is harnessing my Outlook to send email spam.

    Well, this week I got blacklisted by my web hosts server. They told me:
    "Your IP was blocked because you had too many simultaneous HTTP/POP/SMTP connections to the server.".

    So for sure I know something fishy was going on. I scanned with Avast, A-Squared Anti-Malware and other things and Avast did not catch anything and the A-Squared just confuses me!

    So I posted here and then went about doing the Malware removal steps today. It's taken all day. I will post the logs and such below. I've only just got back online and have to watch my Outlook box to see if the behaviour is still going on, but I wanted to post things here in case you see anything, because this one really has me stumped!

    Also, I ditched Avast and got AVG Free now. I have so many scanners and stuff I am not sure if it's all worth it. Somethings catch some, some don't. It's so difficult to find something comprehensive!

    So for now my host white listed my IP so that I can even get onto the web sites I manage. I will have to keep my eye on mail as this is just ridiculous the amount of mail that was being sent from Outlook.

    Below I will post the logs.

    The only thing I have not done yet is to Toggle System Restore, because I am not entirely sure the nasties are gone.

    Also, I noticed when I ran SpyBot S&D I found different things in the 2 different profiles I have. The first one I ran in Safe Mode in the Administrator profile. Then I decided to run the other one. SSD found different things and I will post the logs. The rest of the tests were just done in my normal boot mode so only my main profile was accessible. I'm not sure if this is right?
     
  4. webgyrl

    webgyrl Private E-2

    Spybot Search and Destroy for both profiles on this system.
     

    Attached Files:

  5. webgyrl

    webgyrl Private E-2

    Other Logs

    Bitdefender

    Panda (pre Smitfraud removal)
     

    Attached Files:

  6. webgyrl

    webgyrl Private E-2

    HiJackFree

    A-Squared HiJack Free Logs
     

    Attached Files:

  7. webgyrl

    webgyrl Private E-2

    Newfiles and Runkeys

    Logs from these scans
     

    Attached Files:

  8. webgyrl

    webgyrl Private E-2

    Smitfiles and Post SF Panda Log

    SmitFiles

    Post SmitFiles remover Panda Scan Log
     

    Attached Files:

  9. webgyrl

    webgyrl Private E-2

    A-Squared Log

    This is the A-Squared Log
     

    Attached Files:

  10. webgyrl

    webgyrl Private E-2

    HiJack This Log Post Doing Everything

    This is how things sit right now.

    For some reason I can not find the Counterspy or AVG Antispyware logs. I will search for them.

    My boyfriend tells me I should wipe and reformat my drive to really get rid of this junk. Do you think that is the best remedy right now if the email thing keeps happening?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only attach the logs that are requested. A2 HijackFree logs are of no use to us and only duplicated what we see with HijackThis. Spybot logs are rarely of any use and are way too large.

    Before we go any further, I want to check for rootkits.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.
     
  12. webgyrl

    webgyrl Private E-2

    Oh I am so sorry chaslang. I apologize for posting all those other logs. I just thought they might be helpful to you.

    I will get right on the F-secure program and post back the log.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes other logs may be required, but all the stuff you posted from A2 was only a duplicate of what we already know from GetRunKey and HijackThis. And as I said Spybot logs are rarely of any use. The only time we ever need them is when someone tells us Spybot is reporting something and they cannot get it fixed.

    What you did not post was a log from CounterSpy or AVG Antispyware.
     
  14. webgyrl

    webgyrl Private E-2

    Chaslang, I can not for the life of me find the AVG and CounterSpy logs. I know I saved them. I did a search. What is the normal name for them?

    I can't figure out where they went. I was saving everything in one folder.

    If I can't find them, should I run those scans again for you?
     
  15. webgyrl

    webgyrl Private E-2

    BlacklightBeta Log

    This is the log from the Blacklight Beta Scan
     

    Attached Files:

  16. webgyrl

    webgyrl Private E-2

    OMG I guess I did not run these scans. I am SO sorry. I've had a headache the size of Texas this week due to all the disasters I've been going through with my computer and I must have not flipped the page that I printed with the instructions over.

    Do I need to start the whole process again? It took me 24 hours to go thru this because my drives are big.

    Please let me know.

    I could just slap myself into kingdom come for this oversight!
     
  17. webgyrl

    webgyrl Private E-2

    I will run this scan now.
     
  18. webgyrl

    webgyrl Private E-2

    Counterspy

    Oh wait. No it is saying I ran the scan for Counterspy yesterday. Attached is the log from that scan.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Counterspy

    You did not allow CounterSpy to fix what it found! Why not?
    However before rerunning it, who installed Personal AntiSpy and did you purchase it?
    If you did not install and/or did not purchase it, uninstall it. This will always be picked up as questionable by various scans.
    If you need it, then you will have to tell CounterSpy to Ignore it. But only ignore this. You must fix everything else.

    So re-run CounterSpy now and then attach a new log.

    Your logs are not showing any major problems except for some cracked software that is infected and a few registry keys to remove.

    Is your copy of Office 2007 legit? Don't be afraid to answer no if it is not. I'm not the police and remember you believe it is sending emails.

    How do you know Outlook is sending the emails? How do you see them being sent if they are not in the Sent box?


    Are you sure that FriendBlasterPro is not sending messages out to all your MySpace Friends?


    What is this abrViewer.NET 1.0.1 used for? Seems to be some kind of P2P application and all P2P stuff can open many connections which your ISP complained about.

    Let's remove some of the antispyware tools you have installed.
    There are too many now and you should only have one realtime blocker installed.
    You have Windows Defender so we will remove some of the others.
    Having all of these is slowing your system down and could cause confusion between the programs.
    Since you are confused by A-squared, I suggest you begin by uninstalling the below:
    • a-squared Anti-Dialer 2.1
    • a-squared Anti-Malware 2.1
    • a-squared HiJackFree 2.1
    Now make sure you have already re-run CounterSpy and fixed what it found this time and attached a new log because we are going to uninstall it now.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall AVG Anti-Spyware 7.5.

    Also uninstall this old Sun Java version:
    Java(TM) SE Runtime Environment 6


    Remove the below programs from your Firewall's Authorized Applications list:
    D:\Program Files\Warez\Warez.exe
    C:\WINDOWS\TEMP\win138E.tmp.exe


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now reboot!

    Now delete the below files if found:
    D:\Program Files\Warez\Warez.exe
    C:\WINDOWS\system32\drivers\tmcomm.sys


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  20. webgyrl

    webgyrl Private E-2

    Re: Counterspy

    Hi Chaslang,

    I am not sure why CounterSpy did not fix things. It asked me to activate my copy and I have not purchased it. I can't really remember, the last week is a bit of a blur!

    I do not remember installing or purchasing Personal Anti-Spy. I do not see it in my programs folder at all. When I looked in Add/Remove programs to see if it was there, I do not see any entry. I searched my folders and do not see anything named Personal Anti-Spy. Where should I look to get rid of it?

    My Office 2007 is not legit :eek:. But my boyfriend is running it on his Windows Vista Machine and his copy is not doing what mine is. Mine is Windows XP SP 2.

    I assumed Outlook was sending mails for 2 reasons;
    1.) I saw "message 13 of 13 being sent" in the little task bar at the right, even when I was not sending mail. I saw nothing in my outbox and knew I was not sending messages. I know this to be spam behavior and I was alarmed by it.
    2.) This week my Host blocked my IP address from their servers for too many simultaneous HTTP/POP/SMTP connections to the server. I don't send huge amounts of mail in Outlook, so I figured this spam virus or whatever was harnessing Outlook or my SMTP port to send massive amounts of emails.

    I will say, I am not noticing the bunches of emails being sent today at all since I cleaned. I ran SSD again today and I don't see the DropSpam thing that I saw the other day.

    FriendBlaster Pro: I use FriendBlaster Pro for marketing Bands (it's a service I do). It's only on when I am using it and I don't see any issues with it. It does not run in the background, only when I open the program.

    abrViewer.NET 1.0.1: is a .NET application that allows me to see the hundreds of Photoshop Brushes I have (I design). I've had this for a few years and have not had issues. Could this be a potential hazard to have on my system? It is not P2P at all. It just lets me see thumbnails of my Photoshop brushes.

    I just shelled out nearly $40 for A-Squared. So is there a way I can keep that one? I totally don't mind learning how to use it. I just haven't had time this week with all the disasters to learn. I really do want to keep it if possible.

    So should I uninstall Windows Defender, a-squared HiJackFree 2.1, a-squared Anti-Dialer 2.1 instead?

    I will also uninstall AVG.

    Before I uninstall this stuff, should I run CounterSpy first? Or should I uninstall the stuff you mentioned and then run CS?

    Thanks so much for the help. I totally appreciate it!
     
    Last edited by a moderator: Jun 9, 2007
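    The two symptoms given in the post above (Outlook's "message 13 of 13" status with an empty Outbox, and the host blocking the IP for too many simultaneous SMTP connections) can be checked from the machine itself by looking at which process actually holds the mail connections. The script below is an added example written for this thread, not code from the thread or from any of the tools it names. It parses `netstat -ano` output in its Windows format and flags any PID that holds several simultaneous connections to mail ports at once; the sample output, the PIDs and the addresses in it are constructed, and the `tasklist /FI "PID eq N"` command it prints is the standard Windows way to map a PID back to an executable name.

```python
import re
from collections import Counter

# Destination ports a mail client is expected to use (SMTP, SMTPS, submission).
MAIL_PORTS = {25, 465, 587}

# Constructed sample of Windows `netstat -ano` output; PIDs and addresses are made up.
# PID 1234 stands in for the user's mail client, PID 4321 for an unknown process,
# PID 2222 for a browser.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49152      203.0.113.10:25        ESTABLISHED     1234
  TCP    192.168.1.5:49153      203.0.113.10:110       TIME_WAIT       0
  TCP    192.168.1.5:49160      198.51.100.7:25        ESTABLISHED     4321
  TCP    192.168.1.5:49161      198.51.100.8:25        ESTABLISHED     4321
  TCP    192.168.1.5:49162      198.51.100.9:25        SYN_SENT        4321
  TCP    192.168.1.5:49163      198.51.100.10:25       ESTABLISHED     4321
  TCP    192.168.1.5:49164      198.51.100.11:25       ESTABLISHED     4321
  TCP    192.168.1.5:49165      198.51.100.11:25       ESTABLISHED     4321
  TCP    192.168.1.5:49170      192.0.2.20:80          ESTABLISHED     2222
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:500            *:*                                    700
"""

# One TCP row: proto, local ip:port, remote ip:port, state, pid (IPv4 form only).
TCP_LINE_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$"
)

# States in which a connection is open or being opened right now.
LIVE_STATES = {"ESTABLISHED", "SYN_SENT"}


def parse_netstat(text):
    """Return one dict per TCP line of `netstat -ano` output.
    Header lines and UDP lines (which carry no state column) are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE_RE.match(line)
        if not m:
            continue
        local_ip, local_port, remote_ip, remote_port, state, pid = m.groups()
        conns.append({
            "local_ip": local_ip,
            "local_port": int(local_port),
            "remote_ip": remote_ip,
            "remote_port": int(remote_port),
            "state": state,
            "pid": int(pid),
        })
    return conns


def live_outbound(conns, ports):
    """Connections to one of `ports` that are live; LISTENING sockets and
    TIME_WAIT leftovers are not counted."""
    return [c for c in conns
            if c["remote_port"] in ports and c["state"] in LIVE_STATES]


def mail_activity_by_pid(conns):
    """Map PID -> (simultaneous mail connections, distinct mail servers)."""
    per_pid = Counter()
    hosts = {}
    for c in live_outbound(conns, MAIL_PORTS):
        per_pid[c["pid"]] += 1
        hosts.setdefault(c["pid"], set()).add(c["remote_ip"])
    return {pid: (n, len(hosts[pid])) for pid, n in per_pid.items()}


def flag_mass_senders(conns, threshold=3):
    """PIDs holding at least `threshold` simultaneous mail connections, busiest first.
    A mail client normally keeps one connection to its provider's server; a process
    fanning out to many different servers at once is what a hosting provider reports
    as 'too many simultaneous SMTP connections'."""
    activity = mail_activity_by_pid(conns)
    flagged = [(pid, n, servers) for pid, (n, servers) in activity.items()
               if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # On a live machine, replace SAMPLE_NETSTAT with the output of `netstat -ano`.
    for pid, n, servers in flag_mass_senders(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid}: {n} simultaneous mail connections to {servers} server(s)")
        print(f'  identify the process with:  tasklist /FI "PID eq {pid}"')
```

    On the constructed sample, the mail client (PID 1234) holds a single connection to one server and is not flagged, while PID 4321 holds six connections to five different servers and is. Running the real `netstat -ano` a few times while the "message N of N" status is showing, and mapping any flagged PID with `tasklist`, tells you whether the sender is Outlook itself or another process, which is exactly the question raised in this thread.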
  21. webgyrl

    webgyrl Private E-2

    Counterspy Log

    Hi chaslang,

    I am attaching my latest Counterspy log. I see that Masterwriter is totally infected. Also I see that Anti-Spy thing you were talking about. But the thing is, I never installed that, I don't see it in any folders and I can't find it in Add/Remove programs.

    Should I uninstall Masterwriter?

    Bearshare is OK and I ignored that.

    Will continue with your other instructions.
     

    Attached Files:

  22. webgyrl

    webgyrl Private E-2

    I am looking for the entries you specified to get rid of in Zone Alarm Program Control but they are not there. I searched for them also in the paths you specified, not there. I also began to use Search in Explorer to find them and I got this pop-up:

    Data Execution Prevention
    To help protect your computer, Windows has closed this program
    Name: Windows Explorer
    Publisher: Microsoft Corporation

    When I click the link that says "what should I do" on this popup I got this come up in the Help and Support feature in Windows:

    Understanding Data Execution Prevention

    Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

    Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.

    DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features.

    Is it safe to run a program again if DEP has closed it?

    Yes, but only if you leave DEP turned on for that program. Windows can continue to detect attempts to execute code from protected memory locations and help prevent attacks. In cases where a program does not run correctly with DEP turned on, you can reduce security risks by getting a DEP-compatible version of the program from the software publisher. For more information about what to do after DEP closes a program, click Related Topics.

    How can I tell if DEP is available on my computer?

    To open System Properties, click Start, click Control Panel, and then double-click System.
    Click the Advanced tab and, under Performance, click Settings.
    Click the Data Execution Prevention tab.
    Note: By default, DEP is only turned on for essential Windows operating system programs and services. To help protect more programs with DEP, select Turn on DEP for all programs and services except those I select.



    Is this a bad sign?

    What do you think the chances are that I will have to wipe and reformat my drive. My boyfriend thinks this is the only option and if it is, I am just going to cry!
     
    Last edited: Jun 9, 2007
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Counterspy Log

    Someone installed it. This program is the kind that is chosen to be installed and I see it in your uninstall list in the log from ShowNew. Perhaps someone is spying on you!

    Since it is a cracked version, yes! Make sure that CounterSpy did delete those files too.

    Bearshare is not okay! It is bundled with malware and must be uninstalled and you must allow CounterSpy to fix it. Re-run it again and fix all! Attach a new log!
     
  24. webgyrl

    webgyrl Private E-2

    Re: Counterspy Log


    I got some slimmed down version of Bearshare that did not have the malware attached.

    I'll do as you say though. I have to re-install counterspy as i had uninstalled it.

    Sorry about that.

    My system crashed after my last message to you.

    I'll re-install counterspy. Bearshare is not actually installed in the traditional way. I double click the exe file to launch it, but it's not in Add/Remove programs. Would it help if I just deleted the folder and also ran CS?

    With regard to Personal Anti-Spy, maybe I did install and then uninstall it. Basically I installed everything I could to get rid of my issues. It could be that I forgot about it. I don't see it in Add/Remove programs and can't find any trace of it now. I saw the instances of it in Zone Alarm and removed those entries.

    I also uninstalled Masterwriter.

    This may be a dumb question but is there a P2P with no malware attached to it?

    Thanks so much chaslang.
     
    Last edited: Jun 9, 2007
  25. webgyrl

    webgyrl Private E-2

    OK some more weirdness going on. We are on a LAN at home, I can't see my own web sites (ones I've created), but my Boyfriend can. This is so weird. I thought we were all on one IP. Can my computer have its own IP and do you think that's being blocked?

    I just looked at www.whatismyipaddress.com and I checked that both our IP addresses are the same. Why is my computer blocking me from viewing my own web sites, but my boyfriend (whose system is right next to mine in the office) can see the sites fine? Is there something on my system causing that?

    Running CounterSpy again now...
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop jumping all over the place and just follow instructions. I'm still waiting for you to complete the instructions in message # 19.

    DEP has nothing to do with your problems! Windows Explorer crashed for some reason but it is not malware.

    Your network issues have nothing to do with your unknown email problems nor do they have anything to do with malware. You need to configure your firewall software properly which is not a topic for this forum. Try the networking forum.
     
  27. webgyrl

    webgyrl Private E-2

    Chaslang,

    I'm doing Message 19 instructions.

    I apologize if it seems I'm jumping around. It's just that various things are happening and I'm reporting them in case it's helpful. But since I see that it is not, I will just follow your instructions and report back. I also have noticed that some of the things you said to look for are not there, and I was just reporting that also.

    Anyway, I will post back with the CS log and keep following your other instructions.

    Thanks!
     
  28. webgyrl

    webgyrl Private E-2

    7:34 CounterSpy Log

    Chaslang,

    Attached is the latest CounterSpy Log.

    I will be uninstalling it now and continuing on with the instructions in message 19.

    I did notice that it detected the same things it was supposed to have deleted the last time I ran it. So it seems CounterSpy does not actually delete the issues. I'm not sure.

    Will post back when the other tasks are done.
     

    Attached Files:

  29. webgyrl

    webgyrl Private E-2

    Not Sure If I Should Delete These

    tmcomm.sys was found here:

    C:\Documents and Settings\USER NAME\.housecall6.6
    C:\Windows\system32\drivers

    I see a couple of housecall 6.6 folders.
    .housecall6.6
    housecall65.trendmicro.com
    C:\Documents and Settings\USER NAME\.housecall6.6\update\AU_Cache
    But am not sure if I should delete these. I don't see it in Add/Remove Programs.

    It's not where you indicated it would be, so I just want to make sure deleting this file from these locations is OK.

    I did not find any instances of Warez.exe

    I will wait to hear from you to go ahead and run:
    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited: Jun 9, 2007
  30. webgyrl

    webgyrl Private E-2

    I think it's safe to delete the folders and files no matter where they are. I don't need this Trend Micro stuff now. So I will delete and then run the other things. Sorry for Jumping again. I'm a bit of a jumpy person.

    BOING!
     
  31. webgyrl

    webgyrl Private E-2

    Latest Logs

    Chaslang,

    Attached are the latest logs after following your instructions.

    Thanks for dealing with the jumpy webgyrl ;)
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: 7:34 CounterSpy Log

    Yes it does delete things that can be deleted. You did not fix Bearshare last time. And if you are referring to the item in System Volume Information, that is System Restore and nothing in System Restore can be deleted by any program. That is why we disable System Restore once malware is removed, because it is the only way to remove entries from there.

    The reason I was having you delete the tmcomm.sys file was because I saw it was not installed. Thus you don't need it or any of the other files or folders. Thus you can delete them all.
     
  33. webgyrl

    webgyrl Private E-2

    Re: 7:34 CounterSpy Log

    Yes that is correct, I did not fix Bearshare. I saw the same bunch of entries as the last scan, but you are correct. They are in the System Volume info. Once I know I am clear of Malware, I will do the toggle as described in the initial scan instructions. I will wait for your explicit instruction on when to do this.
     
  34. webgyrl

    webgyrl Private E-2

    Re: 7:34 CounterSpy Log

    OK great. I deleted everything with regard to the Trend Micro App.

    Thank you Chaslang!
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: 7:34 CounterSpy Log

    You started using MSconfig to control startups which we do not want you to do especially while cleaning! However, we are finished anyway. You do not have malware. Your solution is simple. Uninstall the illegal copy of Office 2007 and whatever issues you are having will more than likely go away.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  36. webgyrl

    webgyrl Private E-2

    Chaslang,

    I'm sorry I thought we were done and I went back to selective startup instead of Normal Startup before I ran the last 3 things.

    I will do what you said and delete the illegal Office 2007. I will then do the last steps you suggest and toggle.

    What should I run after the toggle to make sure that all those Volume info traces are gone?

    Thanks!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 9 of my final instructions.
     
  38. webgyrl

    webgyrl Private E-2

    OK I did that. I was just wondering if I should run something like Spybot S&D again to see for sure if everything is gone.

    Thanks for all the help. All seems to be perfect now.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You can run any other scans you like if you want to just check for any new arrivals or to get confirmation that nothing remains.
     
