Something sending spam from my computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by niceandspicy999, Dec 21, 2006.

  1. niceandspicy999

    niceandspicy999 Private E-2

    Hi, thanks in advance for any help.

    Today, my email service was shut off by my ISP because they said my IP is being logged as sending thousands of spam. We run 2 pcs here & at most, maybe 10-15 emails get sent each day.
    My ISP tech support suggested one of the pcs has some malware.

Both pcs run XP2. I have finished "Run & Read Me" for one computer so I will post the logs for that one.

First thing to note is, I had run Spybot Search & Destroy once. When I went to do it again a little later, I got a message saying "Spybot has been changed. Since Spybot does not change itself, check for malware immediately!!"

    Second thing, I could not do any online scans in safe mode. I'm not sure if that matters, so they had to be done in normal mode.

    Below:
    bdscan included
    activescan - not included as it found nothing
    runkeys
    newfiles

    Attached Files:

  2. niceandspicy999

    niceandspicy999 Private E-2

    hijackthis attached

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need the requested log from either CounterSpy or AVG Antispyware. You did not need to install both or did you install AVG Antispyware because your trial with CounterSpy expired?

    You did not do ALL of step 2 in the READ ME correctly! This can allow malware to hide from you. Please go back and follow the steps exactly to make sure that you have done what was requested.

    Did you look at the log from Bitdefender that showed a Mytob.AT infection? You need to make sure that all of those emails have been deleted from Outlook Express and don't click on any attachments in those mails. They are not valid. It showed
    Is this what you thought was a notice of your email account being suspended? See the below link for info about this infection:

    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=68753&sind=0
    Why did you disable low disk space checking on this PC as shown in the below registry key?
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoLowDiskSpaceChecks"=dword:00000001

    What are the below recent files on your Desktop?
    Code:
    "C:\Documents and Settings\Owner\Desktop\"
    138292~1.jpg  Dec 16 2006      141164  "138292040_0bc33611a6.jpg"
    zinc2.jpg     Dec 11 2006       77432  "zinc2.jpg"
    The first one with such a random strange name is very suspect.

    You don't really show much in the way of malware! We just have a little to do.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O15 - Trusted Zone: http://www.doubleclick.net

    After clicking Fix, exit HJT.
    Now reboot in normal mode.

    Now run this Disable/Remove Windows Messenger to remove Windows Defender

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Last edited: Dec 22, 2006
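    An added example (not part of chaslang's post and not a MajorGeeks tool): a PowerShell script that reports, and with my own -Remediate switch removes, the NoLowDiskSpaceChecks policy value in the HKCU Explorer key quoted above, and then lists which processes currently hold outbound SMTP (TCP port 25) connections, which is the traffic an ISP counts as spam volume. It assumes a current Windows PowerShell with the NetTCPIP module (Get-NetTCPConnection, Windows 8 / Server 2012 or later); on an XP machine like the one in this thread the same information comes from `netstat -ano` and Task Manager, read by hand. The -Remediate switch and the function names are assumptions for this example.

```powershell
# Added example: check (and optionally clear) the NoLowDiskSpaceChecks policy
# value discussed above, and list processes with outbound SMTP connections.
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection.
param(
    [switch]$Remediate   # assumption: only remove the value when explicitly asked
)

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoLowDiskSpaceChecks'

function Get-LowDiskSpacePolicy {
    # Returns the DWORD value if present, otherwise $null (the default, checks enabled).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Remove-LowDiskSpacePolicy {
    # Deleting the value restores the normal low disk space warning.
    if (Test-Path $policyKey) {
        Remove-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    }
}

function Get-OutboundSmtpConnections {
    # Every established connection to a remote port 25, joined to its owning process.
    Get-NetTCPConnection -RemotePort 25 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                ProcessId     = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path          = if ($proc) { $proc.Path } else { $null }
            }
        }
}

$current = Get-LowDiskSpacePolicy
if ($null -eq $current) {
    Write-Host "$valueName is not set (low disk space checks enabled, the default)."
} else {
    Write-Host "$valueName = $current (1 disables the warning, as in the key quoted in the thread)."
    if ($Remediate -and $current -ne 0) {
        Remove-LowDiskSpacePolicy
        Write-Host "Removed $valueName; Windows default restored."
    }
}

$smtp = @(Get-OutboundSmtpConnections)
if ($smtp.Count -eq 0) {
    Write-Host 'No established outbound SMTP (TCP/25) connections right now.'
} else {
    Write-Host 'Processes with outbound SMTP connections (a mail client is expected; anything else deserves a look):'
    $smtp | Format-Table -AutoSize
}
```

    Run it from an elevated PowerShell prompt, first without -Remediate to see the current state. A mail client such as Outlook Express holding a port 25 connection while you send is normal; an unfamiliar process holding many of them is the kind of thing behind an ISP report of over a thousand messages an hour.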
  4. niceandspicy999

    niceandspicy999 Private E-2

    Thanks for replying. I will attach the new logs just as soon as I can get back on that computer to run them.

    To answer your questions,

    Counterspy found nothing so I didn't think I needed to include that log.

    The email message with the worm - I have searched all of Outlook but cannot find the message indicated anywhere. Bit confused by that. Should I run BitDefender again to see if it's still there?

    That email is not the reason I thought our email account was frozen though. I couldn't send out any email & called our ISP to see if they knew why. They told me that they had reports of over 1000 emails an hour coming from our IP & so stopped the account til we find the problem & fix it.

    Why did you disable low disk space checking on this PC as shown in the below registry key?
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoLowDiskSpaceChecks"=dword:00000001


    I have no clue about that. It is not something I have done. Does it need to be reversed? If so, how?

    The recent files you picked up are just photos from customers. I have scanned them to double check them & they are fine.
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I don't need a log from it then. I doubt AVG Antispyware found much either.

    Yes scan again and attach a new log. It was reporting it in your Sent Items folder which could be the reason for the Spam! Your ISP said you were sending spam. I assume you are not sending this worm out to everyone on purpose so you need to make sure all of those are deleted.

    Yes we will fix it later after you finish the other steps.
  6. niceandspicy999

    niceandspicy999 Private E-2

    Hi Chas
    So sorry it took so long to respond - year end work to do and all that, & I don't get to this pc much.

    New logs are attached. Bitdefender came up clean this time so looking good.

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Also delete the below folder left over from CounterSpy:
    C:\Program Files\Sunbelt Software

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
  8. niceandspicy999

    niceandspicy999 Private E-2

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!