Wierd unknown emails being sent

Hi ..my name is Tim and I will be helping you with this. Please follow our standard procedures and then post the logs. We can not tell what is happening in your system without them.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Still need:

• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

 

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3

Reboot and install:
Java Runtime 6

NOw, please follow the instructions in the Read and Run First..
You did not follow the first instruction - CCleaner: removing all the temp. files.

You did not follow step 2 ..enabling the viewing of hidden files.

Where did you get those versions of ShowNew and Get Run? They are both old versions ..please uninstall and get the latest versions.

Finally, you did not follow the instructions for downloading and running HJT ...you put it exactly where we tell you not to put it and did not rename it as instructed.

Please correct these items and attach new logs.

 

Yes but a very long time ago!! You must always work from the current online version of the READ ME. Get the proper versions of them and get new logs.

 

Did you see message # 9?

See the last log from ShowNew that you posted. Tim was commenting on the fact that it show a load of files in

C:\Documents and Settings\mitchell\Local Settings\Temp\

And a few files in:
C:\WINDOWS\Temp\

 

Your logs look clean. You may uninstall any programs we had you download (including Counterspy).

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

Well, how rude!!

Lets see if you have a rootkit infection that is hiding GMER

Attach the log.

 

• Then click the Scan button. Wait for the scan to finish.
• Once done, click the Copy button.
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

 

Mouse problems are rarely (if ever) related to malware. I suggest you first try another mouse and see what happens. In more than two dozen cases I have seen like this thus far, it has always been the mouse.

As far as email being sent from your PC. Are you sure it is really being sent? Shutdown your PC for a day or so (however long it takes to see test this) and then when you turn it back on see if there are reports of emails being sent during a time frame when your PC is turned off.

You could just be getting spammed and someone is spoofing your IP or email address.

 

What is your method of knowing these emails are being sent and who are they being sent to. Is it addresses in your email programs Address Book? What email program?

Yes it could be malware but I doubt it based on your logs. It is more likely something you have done. Are you sure you are not blocking it with anything? Check your firewall to make sure it is not blocking it. Even try temporarily disabling the firewall to see if that changes anything. Also make sure you did not put MajorGeeks in your Restricted Zone.

 

Perhaps you are cleaning the wrong PC! From what you are writing you are saying you have a server someplace else. We are cleaning your PC not the server. You need to find out if the server is sending emails.

If it only happen once during a small time frame then it could have been while MG's had a brief outage.

 

Sounds good! Do you know the name of what was found and where it was found? Was it in the System Volume Information folder which is System Restore? What scans did you run?


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Okay! Thanks for trying anyway!