Seems like spam-bot. mbam finds nothing. hijackthis fails

We have a home network with three computers almost always on, all running Windows 7.

All run AVAST antivirus full scan every night; no virus found for a long time.

This morning, on Abby, there were a bunch of email messages from postmaster about undeliverable mail. None of the "to:" addresses were familiar. It seems like Abby has been hijacked for use as a spam distributor. I immediately ran MBAM quick scan on all three systems. No problems detected. The 20MB security event log on Abby was full, with the oldest entry only two weeks old. Many events were logins from node MOE. The 20MB security event log on MOE is also full, with the oldest entry only one day ago. The security event log on Alvin shows no unusual activity, as far as I can tell. I tried to run hijackthis on Abby. I was blocked at the "Analyze" step by a "No Internet Connection" message. There is an internet connection. I can collect mail with Eudora and browse with Firefox. I used Abby, Moe, and Alvin to download a fresh copy of hijackthis to each. Each failed at the "Analyze" step, and each had an internet connection. I've since run mbam full scan on all three systems. Abby (the one with the symptoms) reported nothing. Alvin is still running, 765,000 things checked in 2 hours and 45 minutes. Moe reported one problem, an ad maker in a kit that was installed in 2009 on a different system. The kit was copied onto Moe as part of a collection of kits when Moe was new but was never installed. I also have several TB of external storage that mbam will probably need all night to examine. Those drives are used for backups only, so they probably will not provide any clues. What do you suggest I do next? Thanks.


This is not necessarily the action of a SpamBOT. All that is needed is a 3rd party generating spam and USING the email address in the "From" or "Reply To" fields.

Thus if a failed mail message is generated by the recipient's email server the failed mail message will be sent to the "From" or "Reply To" address.


Thanks for the reply. I agree with your analysis that the email address could have been selected as the from or reply to address for spam sent from elsewhere. Any suggestions for how to figure out which alternative is true are welcome. That still leaves the mystery of many logins and the mystery of hijackthis failures.


A more detailed analysis of the computers can determine if there are "other" issues at hand. Those that may exist can be coincidental.

There are situations where webmail accounts are compromised and are used to generate spam. In that case the sending account would get failed mail messages. However in that case the account holder's computer doesn't have to be compromised either.

Reading your first post leaves me a bit confused 'cause 'moe', "alvin" and 'abbey' are not well defined into context. If they are the names of Windows computers with NT Shares being accessed from peer systems on a SOHO network, one can expect events showing logins in the Event Log.

You also stated....

"I also have several TB of external storage that mbam will probably need all night to examine."

Not really. MBAM isn't an anti virus and doesn't target file types other than executables. If you have data on the external drive you need to scan it with a traditional anti virus application such as Avast, not MBAM.


Thanks again for considering this problem or apparent problem.

I tried to determine what information would be useful, and what would be extraneous.

At least some of my guesses were wrong.

All three named computers run 64 bit Win7 and are in workgroup ATHOME, not a homegroup. Abby is an Acer Aspire 1 netbook, upgraded to 4GB and a solid state disk a few months ago. Moe is ZT systems 8GB with a variety of SATA disks, hooked to our verizon.net router through a gigabit switch. Alvin is an HP dv7 notebook upgraded to a SSD a few months ago. Abby and Alvin are almost always wireless to the same router. The network also has a wireless all-in-one printer, a wired network disk, and two set top boxes. Some other PCs, a VAX, and an Alpha have been on the network from time to time, but not lately. Nightly backups of data from all three systems go to one or the other of the external disks and to the network drive. There are also occasional explicit file transfers from one system to another, and a recipe collection is pushed from Moe to Abby, Alvin, and an iPad every night. I don't understand why that would fill the 20MB security log in one day on Moe or even in two weeks on Abby. How big should I make the log files?

I'm aware mbam is not a virus scanner. I run a full Avast scan on all systems every night. My estimate of overnight was based on watching the mbam full scans today. The quick scans took a few minutes on each system. The full scans took a few hours. On Alvin, it took over four hours to consider about 1.2 million objects. While it was running I saw a lot of .JPG files mentioned on the screen. I'll post the results of the overnight scans tomorrow. I hope your estimate is better than mine.

Any suggestions about what to do next are still welcome. Even if this problem is all in my imagination, I'd still like to be able to analyze a HijackThis log when there is a real problem.


Hi, ChuckBradley:

Until DHL returns with his expert advice...

I could be wrong, but IIRC HijackThis doesn't perform well on Win7.

(DHL or one of the expert members or staff will correct me, if I am wrong about this.)

It has largely been replaced these days by DDS. :)

Instructions to run DDS are below.

Having said that, we don't typically review scan logs or work on malware related issues in this section of the forum.

So, if DHL feels that it's appropriate to investigate possible malware problems, please start with the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.

You'll then want to post your DDS logs in the malware removal section of the forum.

A malware expert will review them and guide you through any additional scans/cleanup.

If you have more than one computer, you'll want to start a separate thread for each system, including some sort of identifying verbiage in the subject line, e.g. "Computer 1", "Computer 2", etc.

HTH,

daledoc1

--------------------

DDS Instructions

Download DDS from one of the locations below and save it to your Desktop:

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once it is downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool; on Vista or Win 7, right click and select Run as administrator.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.


  • When done, DDS will open two (2) logs:

    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop
  • Please attach both of the following logs to your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.


It sounds like you are on FiOS with a mix of TCP/IP based devices including MoCA STBs.

I can't give you a best practice on managing the size of your Event Logs. You'll have to look them over and see what's going on. Not just logins but failed logins and authentications that may be overly repetitive, thus bloating the Event Logs. Looking at my Security Event Log, it's 20MB going back 1 year as a FIFO log.

As I was writing this, Daledoc1 posted what I would have suggested (assisted forum analysis, just that I would not have been as eloquent, albeit it's a canned message) to check the state of a questionable system.

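As an added example (not from the thread, Malwarebytes, or any of the posters), the PowerShell below summarises the Security log's logon events so you can see whether the entries filling a 20MB log are routine workgroup share access from the peer machines or repetitive failures from somewhere unexpected, which is the check suggested in the reply above. It assumes an elevated PowerShell 3.0 or later on the machine whose log is filling; the host names in the comments are just the ones from the thread.

```powershell
# Summarise logon activity in the Windows Security log (added example, not from the thread).
# 4624 = successful logon, 4625 = failed logon; both are standard Security-log event IDs.
# Requires an elevated PowerShell 3.0 or later (installable on Windows 7 via WMF).

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
                       -ErrorAction SilentlyContinue

# Pull the fields we care about out of each event's XML payload.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        LogonType   = $d['LogonType']        # 2 interactive, 3 network (file shares), 10 remote desktop
        Account     = $d['TargetUserName']
        Workstation = $d['WorkstationName']  # peer machine that initiated the logon, e.g. MOE
        SourceIp    = $d['IpAddress']
        Status      = $d['Status']           # failure code; only meaningful for 4625
    }
}
$rows = @($rows)

if ($rows.Count -eq 0) { 'No logon events found (is the shell elevated?)'; return }

# Fill rate: events per hour tells you how quickly a 20 MB FIFO log wraps.
$sorted = $rows | Sort-Object Time
$hours  = [math]::Max(1, ($sorted[-1].Time - $sorted[0].Time).TotalHours)
'{0} logon events over {1:N1} hours (about {2:N0} per hour)' -f $rows.Count, $hours, ($rows.Count / $hours)

# Who logs in, from where, and how. Routine workgroup share access shows up as
# Id 4624 / LogonType 3 from the known peer names (MOE pushing files to ABBY,
# nightly backups to the network drive); anything else stands out.
'--- Logons by Id / LogonType / Account / Workstation / SourceIp ---'
$rows | Group-Object Id, LogonType, Account, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Repeated failures from one source are the pattern worth investigating first.
'--- Failed logons (4625) by Workstation / SourceIp / Status ---'
$rows | Where-Object { $_.Id -eq 4625 } |
    Group-Object Workstation, SourceIp, Status |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

If the per-hour rate is high but every group is successful LogonType 3 traffic from the named peers, the log is simply being filled by normal share access and can be enlarged (for example with `wevtutil sl Security /ms:<bytes>` from an elevated prompt) rather than treated as a sign of compromise.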
