Laptop Starts Sending Uncontrolled E-mail When Connected to Network

Discussion in 'Malware Help (A Specialist Will Reply)' started by toasterman, Jan 11, 2008.

  1. toasterman

    toasterman Private E-2

    I believe I have picked up something very nasty on my laptop. The evening of 1/9 while browsing with IE, Norton Anti-Virus reported that it was blocking viruses. I didn't write them down at the time but left the website immediately. A few minutes later Norton e-mail scanner started to display the e-mail scanner pop-up windows across my entire screen. When I saw this happening I immediately disabled my wireless card on the laptop.

    First I ran a full scan of Norton Anti-Virus. Once I rebooted the computer with the network connected the workstation started sending e-mail again.

    Then I did a little searching on another workstation that I have here in the office and found this forum.

    I ran all of the diagnostic software outlined on the forum. The first time I ran AVG it did not create a log file, otherwise I would have included that as well. Everything appeared to be cleaned but as soon as I restarted with the network connection my computer would begin to e-mail again.

    Current Status:
    I have rerun all of the steps outlined in "Read and Run Me First". I have completed the steps outlined in "Windows XP Cleaning".

    I've attached the three log files. I have NOT connected my laptop to a network connection this time in order to avoid additional contamination by whatever is causing the problem.

    I look forward to any assistance.

    Jeff
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi toasterman!
    Welcome to Major Geeks!


    Please do the following scans. These are lengthy (about 1-2 hours each) and they have to be run on Internet Explorer. Before you do them though, please uninstall your old Java and put in the current one. Here are the instructions:

    1) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2

    2) Reboot after uninstalling the above. (You must reboot before installing the new version!)

    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) And now continue with the below instructions for the two online scans.

    Please read the directions carefully to get the logs in the form we need them.


    Bitdefender: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

    Post the bdscan.txt file as an ATTACHMENT. You MUST attach the Bitdefender log even if it indicates no problems. We want to see it anyway!!!! Also, if you run things out of order you will notice BitDefender showing the below, which is a false detection from PandaActiveScan:


    C:\WINDOWS\system32\ActiveScan\pskahk.dll
    Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E
    • Panda ActiveScan: It will only fix certain viruses and trojans. Most items found will not be fixed. When it finishes the scan click on See Report. Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach it to your message when you begin a thread with a request for help. If you have any problems trying to get a PandaActiveScan log, see the following link with more detail and follow it step by step: Using PandaActiveScan
    If you use Avast antivirus and it gives you an error like the one below when trying to use Panda, just disable Avast while you run the scan. The error is a false positive. See the link below for more info.
    5) When you finish, attach the BitDefender and Panda logs in their requested form. Give me a progress report on your computer.

    abri
     
  3. toasterman

    toasterman Private E-2

    abri:

    I uninstalled - Java 2 Runtime Environment, SE v1.4.2
    Rebooted
    Installed the Sun Java Runtime Environment.

    (For clarification, I'm downloading the software from a workstation and transferring it via a USB thumb drive to the laptop. I did the same for all of the initial software installs outlined in the first message as well.)

    Initiated a network connection and within 30 seconds my laptop started to send e-mail, which I assume is spam. This process takes up 100% of my processor time as well as having Symantec e-mail scanner fill my workstation. So I'm unable to run Bitdefender or Panda Active Scan from within my laptop's browser.

    Any suggestions?

    Thanks,

    Jeff
     
  4. abri

    abri MajorGeek

    Hi toasterman,

    I'm not sure if your computer sending e-mails is preventing you from working. It will be best if you print out these instructions, physically disconnect your computer from the internet and disable all antivirus and anti-spyware programs before we start. Then boot back up without an internet connection and use your flash drive to transfer the Avenger zip file to your desktop and extract the program to the desktop. Also, be sure CCleaner is installed. Otherwise you will need to install that as well. Here are the instructions for Avenger. (If you need the instructions for CCleaner they're in the READ & RUN ME FIRST)

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Empty the Norton Protected Bin.

    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) Next I would like for you to see if you can find the e-mail setting which requires that you be notified before any e-mails are sent. Do you have a setting like that? Which e-mail program are you using?

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how this goes?
    abri
     
  5. toasterman

    toasterman Private E-2

    abri:

    Please see the attached logs.

    Concerning your #4 questions.
    Norton Antivirus 2006 is generating the "scanning e-mail" messages

    I'm running Norton AntiVirus 2006 with the following settings related to email.
    Email & Messaging
    Settings-
    Email Scanning is turned On
    Email Scanning is configured to "Scan incoming Email" and "Scan outgoing Email"

    How to respond when a virus is found
    -Repair the infected file

    How to increase protection
    -Turn worm Blocking on
    -Alert when scanning email attachments

    Under the Advanced Email Options tab
    -Protect against timeouts (Selected)
    -display tray icon (Selected)
    -Display progress indicator when sending email (Selected)


    My assumption is that anything sent over smtp or pop3 is scanned by Norton AntiVirus.

    I do not have an e-mail server for pop3 or smtp configured in outlook express. Outlook 2003 is installed but not configured on my laptop.

    So my assumption is that some other malware application waits for the network connection then starts sending off spam from my laptop. It just happens that Norton AntiVirus is detecting the outgoing mail and also reporting messages when an e-mail is denied because its recipient is not valid or the e-mail is being blocked.

    I hope this helps. Thanks!

    Jeff
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi toasterman,

    1) You have a lot of tmp files that seem related to the problems you're having. You also have an outlook logging folder which may log both Outlook and Outlook Express but in any case it is an indication that Outlook is active. Could you go to C:\Documents and Settings\Jeffrey Jones\Local Settings\Temp\outlook logging and tell me what's in this folder? Don't open any files.

    2) We need the GetLogs.bat file (in the MGTools folder) to run while you're connected to the internet. If Norton prevents you from running it, temporarily disable Norton long enough to run this. The program takes about a minute to run. Then go to C:\ and find the file MGlogs.zip and attach it here.

    3) I would like for you to run some rootkit scans. Please go to Alternate Scans and scroll down about halfway down the page and you'll see a group of Rootkit scans. Please run BitDefender RootkitUncover, Rootkit Revealer and Sophos. Attach the results.

    4) Run CCleaner at the default setting with the Windows tab as the one on top.

    I am looking for a worm or else damage to your Nortons. Normally if you send out spam, your ISP will cut off your service until it is cleared up.

    abri
     
  7. toasterman

    toasterman Private E-2

    abri:

    1) C:\Documents and Settings\Jeffrey Jones\Local Settings\Temp\outlook logging
    Contains one file: firstrun.log it's 111 bytes

    2) See the Attached MGlogs.zip file.

    3)
    BitDefender RootkitUncover
    Scanned Files - 58049
    Hidden files - 0
    Scanned processes - 56
    Hidden processes - 0
    Result - No hidden items were found on your system

    Rootkit Revealer
    See Attached Log

    Sophos Anti-Rootkit
    -No hidden items found by scan.

    Let me know if there is a log file that I can send for BitDefender RootkitUncover or Sophos.

    4) Ran CCleaner as instructed.

    Thanks,

    Jeff
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi toasterman,

    I'm not sure how problematic it is for you to be online with your computer while it's having this problem. The first item you can do without being on the internet. The 2nd one requires that you reconnect.

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

    After you click fix, just close hijackthis.

    2) Please scan the following file(s) at either jotti or VirusTotal and let me know the results. Whether anything is found or not, please zip them and attach them to your next post.

    C:\Documents and Settings\Jeffrey Jones\Local Settings\Temp\CC101.tmp
    C:\Documents and Settings\Jeffrey Jones\Local Settings\Temp\CC11F.tmp

    abri
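The O4 line above is HijackThis notation for a registry Run entry: hive, key, value name, then the command line. As an added example that is not part of this thread and not HijackThis code, here is a small Python parser for that form of O4 line. It pulls out the image that actually gets launched and flags entries that run from user-writable locations such as Local Settings\Temp, which is where something dropped through a browser tends to live. The Symantec line is the one quoted in this post; the other three lines, the directory heuristic, the loader list and the file names are constructed for the example and are not findings from the logs.

```python
import re
from dataclasses import dataclass, field

# HijackThis registry-run line:  O4 - <hive>\..\<key>: [<value name>] <command line>
# Other O4 forms (Startup folder entries, "Global Startup") are not handled here.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Locations a legitimate autorun rarely lives in. Heuristic chosen for this
# example; tune it to the profile layout of the box being triaged.
WRITABLE_DIRS = (
    '\\local settings\\temp\\',
    '\\local settings\\temporary internet files\\',
    '\\application data\\',
    '\\recycler\\',
)
# Loaders whose first argument is the real payload.
LOADERS = ('rundll32.exe', 'regsvr32.exe')


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    image: str
    reasons: list = field(default_factory=list)


def split_tokens(cmd):
    """Split a command line into tokens, honouring double-quoted paths."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_o4(line):
    """Parse one O4 registry-run line; return None for lines of another shape."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    tokens = split_tokens(m.group('cmd'))
    image = tokens[0] if tokens else ''
    entry = AutorunEntry(m.group('hive'), m.group('key'), m.group('name'),
                         m.group('cmd'), image)
    # For rundll32/regsvr32 the interesting path is the first argument
    # (up to the ",EntryPoint" suffix), not the loader itself.
    targets = [image]
    if image.lower().rsplit('\\', 1)[-1] in LOADERS and len(tokens) > 1:
        targets.append(tokens[1].split(',')[0])
    for t in targets:
        low = t.lower()
        if any(d in low for d in WRITABLE_DIRS):
            entry.reasons.append(f'runs from user-writable location: {t}')
        if low.endswith(('.tmp', '.dat')):
            entry.reasons.append(f'non-executable extension run at logon: {t}')
    return entry


def triage(lines):
    """Return the parsed O4 entries that have at least one reason to look closer."""
    entries = [parse_o4(l) for l in lines]
    return [e for e in entries if e and e.reasons]


# The Symantec entry quoted in the post (legitimate), plus three constructed lines.
SYMANTEC_LINE = (
    r'O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared'
    r'\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files'
    r'\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"'
)
SAMPLE_O4 = [
    SYMANTEC_LINE,
    # constructed: a .tmp dropped in the user's Temp folder and made to start at logon
    r'O4 - HKCU\..\Run: [Windows Update Agent] "C:\Documents and Settings\User\Local Settings\Temp\mailer.tmp"',
    # constructed: a DLL in Application Data loaded through rundll32
    r'O4 - HKLM\..\Run: [svchost] rundll32.exe "C:\Documents and Settings\User\Application Data\helper.dll",Start',
    # constructed: ordinary Windows component, should not be flagged
    r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

if __name__ == '__main__':
    for e in triage(SAMPLE_O4):
        print(f'{e.hive}\\..\\{e.key} [{e.name}]')
        for r in e.reasons:
            print('   ', r)
```

The parser only reads the command line; it does not open the file. To go further on a real log, hash each flagged image and look the hash up (VirusTotal accepts hash searches), which is cheaper than uploading and does not leak the file.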
     
  9. toasterman

    toasterman Private E-2

    abri:

    1) Completed the steps that you outlined.
    2) Completed and attached scans from VirusTotal (jotti server was busy).

    Thanks,

    Jeff
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi toasterman!

    Please delete all those .tmp files like the ones you scanned.

    Do you have a two-way firewall installed? If not, please go to How to Protect Yourself from Malware and select Zone Alarm and install it. Also, at the same webpage, look for AVG free antivirus and download the installation program but do not install it.

    Now I would like for you to shut down your computer and disconnect it from the internet. Boot back up and uninstall Nortons. Then reboot and run the
    Norton Removal Tool (SymNRT)

    Install AVG free temporarily so your computer is not unprotected. Reconnect to the internet.

    After this, please shut down any programs you don't need and see if your computer is still getting a lot of activity indicating outgoing traffic to the internet. This will be easiest to see if you have a two-way firewall. We want to see if your computer is actually sending out e-mails or if your Nortons got damaged.

    Let me know how this goes.
    abri
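The check abri describes here, watching outgoing traffic with a two-way firewall to tell a real mass-mailer from a damaged Norton, can be made mechanical. The Python below is an added example, not part of the thread and not ZoneAlarm's log format: it reads outbound-connection records in a simple constructed format and, for each program, counts how many distinct hosts it opened SMTP connections to inside a 60-second window. A mail client talks to one configured relay; a spambot delivers directly and fans out to many mail exchangers within seconds, which is exactly the pattern that produced the "failed e-mail" bounces Norton was reporting. The program names, addresses, log layout and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (NOT ZoneAlarm's real format):
#   <date> <time> OUT|IN TCP|UDP <src>:<sport> -> <dst>:<dport> prog=<image path>
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) prog=(?P<prog>.+)$'
)
SMTP_PORTS = {25, 465, 587}   # submission ports; direct-to-MX spam is almost always 25


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S')
    rec['dport'] = int(rec['dport'])
    return rec


def smtp_fanout(lines, window=timedelta(seconds=60)):
    """For each program, the largest number of distinct SMTP destinations it
    contacted within any interval of length `window`."""
    events = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec['dir'] == 'OUT' and rec['proto'] == 'TCP' and rec['dport'] in SMTP_PORTS:
            events[rec['prog']].append((rec['ts'], rec['dst']))
    fanout = {}
    for prog, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            # destinations seen from this event until the window closes
            dsts = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            best = max(best, len(dsts))
        fanout[prog] = best
    return fanout


def flag_mass_mailers(lines, threshold=10, window=timedelta(seconds=60)):
    """Programs that fanned out to at least `threshold` SMTP hosts in one window."""
    return sorted(p for p, n in smtp_fanout(lines, window).items() if n >= threshold)


# Constructed sample log. BOT is a hypothetical image name, not one from the thread;
# addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
BOT = r'C:\WINDOWS\system32\spoolsv32.exe'
OE = r'C:\Program Files\Outlook Express\msimn.exe'
SAMPLE_LOG = []
for i in range(12):   # spambot: 12 different mail exchangers in 22 seconds
    SAMPLE_LOG.append(
        f'2008-01-12 21:05:{i * 2:02d} OUT TCP 192.168.1.10:{1200 + i} -> 203.0.113.{i + 1}:25 prog={BOT}')
for i in range(3):    # mail client: same relay three times, plus one POP3 poll
    SAMPLE_LOG.append(
        f'2008-01-12 21:05:{10 + i * 5:02d} OUT TCP 192.168.1.10:{1300 + i} -> 198.51.100.5:25 prog={OE}')
SAMPLE_LOG.append(f'2008-01-12 21:05:30 OUT TCP 192.168.1.10:1310 -> 198.51.100.5:110 prog={OE}')
SAMPLE_LOG.append('2008-01-12 21:05:31 IN TCP 198.51.100.9:4455 -> 192.168.1.10:25 prog=System')  # inbound, ignored
SAMPLE_LOG.append(f'2008-01-12 21:05:32 OUT UDP 192.168.1.10:1311 -> 192.168.1.1:53 prog={OE}')  # DNS, ignored

if __name__ == '__main__':
    for prog, n in smtp_fanout(SAMPLE_LOG).items():
        print(f'{n:3d} distinct SMTP hosts/min  {prog}')
    print('flagged:', flag_mass_mailers(SAMPLE_LOG))
```

A real ZoneAlarm (or any other firewall) log needs its own parse_line; the fan-out logic is the part that carries over. The threshold is deliberately conservative: a mail client on an ISP connection rarely talks to more than one or two SMTP hosts, and a fan-out in the tens within a minute is a sign that the host is delivering directly to recipients' mail exchangers, which is why abri warns the ISP may cut the line. Bounce messages from the remote servers, as Norton was showing, are the corroborating evidence.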
     
  11. toasterman

    toasterman Private E-2

    abri:

    Completed the steps that you outlined. Everything looks good right now. To clarify, I didn't see any e-mail/network activity from the time that I deleted the information with HijackThis that you previously identified. I was able to run VirusTotal without any problems. I've had the computer online for about 15 minutes which before would have generated a lot of hard drive activity and pegged the processor. Right now CPU Usage is at 2%.

    I do know for certain that the laptop was sending out messages because Norton would report "failed" e-mail attempts back from other servers. If email scanner was "damaged" I could understand it generating several scanning notifications but I wouldn't have received any failed e-mail attempts.

    I'll let the laptop stay up on the internet overnight then check the ZoneAlarm log in the morning. I'll post if I see any activity or not.

    Thank you again for all your assistance!

    Jeff
     
  12. abri

    abri MajorGeek

    You're welcome.
    I look forward to hearing back from you.
    abri
     
  13. toasterman

    toasterman Private E-2

    abri:

    No activity in the ZoneAlarm logs to report. I think that the problem is fixed.

    Jeff
     
  14. abri

    abri MajorGeek

    That's good!
    I think we can go ahead with the final clean-up instructions.
    abri
     
