I Keep Sending Emails to Unknown Addresses

I have been turning to Major Geeks for quite some time to solve my problems and usually am able to fix things by refering to other users' posts. However, I haven't been able to solve this one.

Whenever I connect to the internet, I start sending emails to random people. The "Symantec Email Proxy" from my Norton Antivirus starts scanning several messages to be sent and I get popups whenever the send fails with messages such as "You message to ....@....com with the subject of RE: could not be sent becauase...."

I have followed all the instructions from READ & RUN ME FIRST and I have attached the scan logs.

I was not able to go through the steps in safe mode because when I enter the safe mode, the window only fills a square in the center of my screen and the rest is a black border. I don't know how to change the size.

Please help me!

 

See the thread below and run smitRem.exe and attach this log to your next post.
SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

After you complete the above, please see the below thread on how to install and run Spy Sweeper and Ewido Anti-Malware. After you ran both programs, attach the logs to your next post along with a fresh HJT log from normal mode.

• Running Spy Sweeper...
  
  
• Running Ewido Security Suite ...

 

Ok. I did the steps you asked me to. Remember that I had to do them in Normal Mode.

I ran smitRem.exe and did not find any of the listed lines in my HijackThis log. I also did not find any of the listed files in Windows Explorer. I have the smitfiles.txt and PandaActiveScan log.

I have the SpySweeper and Ewido logs and a fresh HijackThis log.

There is one line in the HijackThis that I thought looks suspicious:
O4 - HKCU\..\Run: [8856147] C:\PROGRA~1\8856147\8856147.exe

It looks whatever was causing the email relaying has now stopped, but now I cannot click on links in websites. (For example, if I click on the three links in your post, nothing happens. I need to manually type in the website URLS to get to those pages.)

Since I cannot click on links, I cannot click on the attachment link to add my logs to this post!

 

OK I managed to get the attachments to work. If I click on a link and wait for 5 minutes, it sometimes manages to go through.

 

I'm unable to get the attachment link to work again in order to post my HijackThis log, but I'll keep trying.

 

I still cannot click on links in my browser so I couldn't click on the attach option.

I am posting this fresh HijackThis log from another computer.

 

Before we begin a fix, are you familiar with the WinPcap?

 

No, I am not.

 

Look in Add/Remove Programs and uninstall "WinPcap" if you see it. Afterwards reboot and attach a fresh HJT log.

 

I removed WinPcap from my computer and have posted a fresh HijackThis log. Sorry it took so long, I had to go to another computer to post the attachment.

 

Scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\msiexec16.exe
F1 - win.ini: run=c:\windows\system32\msiexec16.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - HKCU\..\Run: [8856147] C:\PROGRA~1\8856147\8856147.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

Again, make sure ALL browser windows are closed when you click FIX.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\Program Files\8856147 ← Delete this whole folder if it exist!

C:\WINDOWS\alt.exe

C:\WINDOWS\system32\msiexec16.exe

Next, run CCleaner to clean up cookies and temp files.

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Hey,
I fixed all the things you told me to in HijackThis. A fresh log is attached.

I didn't find any of those files you listed when I searched from Normal Mode. I did however notice WinPcap appear on my programs list again so I removed it again.

I still cannot boot properly in Safe Mode because the screen size is small. I have attached an image file to show what my Safe Mode looks like.

The problem of clicking links in my browser seems to be fixed now. I was able to attach these two files from my computer without any problems.

 

Your HJT log looks good, to be sure nothing is hiding follow the below.

Please download Blacklight to its own folder...

F-Secure Blacklight

After download is complete, double click to run the program. Click "Accept" to procede. Then click SCAN to begin scanning your system.

Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.

 

Blacklight did not find any problems.

 

You have been infected by a RAT from the Optix family. One of its less sinister abilities is to allow its controller to monkey with your screen size.
It looks like a newer version of an old baddie - considering the demise of Evil Eye Software.
Perhaps that cocky and tongue-in-cheek page was a bit premature and others from the crew are carrying on the nastiness . . .

I'm surprised BJ didn't see this - maybe you guys should pursue this avenue further to see if that is indeed the root of the problem.

Best Luck
PP

 

Thanks PhilliePhan

So how would I go about fixing it?

 

Since it's been a while, I would like three new logs. First, I would like the "Panda", "Bit Defender" and a fresh "HJT Log". Also, can you explain what your current problems are??

Also, is this a laptop or desktop?