Jump to content

Recommended Posts

Hey all,

 

So for the past couple months I have had emails being sent from my account to my contacts and other non-contacts which I have previously sent or received emails from.

The emails sent often contain a couple lines of bullshit text (e.g. Hey friend, check this out) and always contain a hyperlink which I assume is malicious.

 

I am 99% sure that these emails are being sent from my computer which accesses my email account due to a virus (as opposed to spoofing or remote access of my email account).

The emails sent do not show up in my sent folder, however I see "bounceback" in my spam folder from "mailer-daemon" (The rogers email automatic mail clerk) when some of the emails fail to send.

 

I have run many full scans using programs like MBAM, Bitdefender, Spybot S&D, Emsisoft, all to no avail.

Bitdefender does however keep quarantining files in the c:/windows/temp folders, so perhaps this is how the virus is staying alive (i.e. by recreating itself in these "empty" temp folders)

 

Attached is my FRST.txt, I have run it before so the Addition.txt is old and I am ofcourse willing to uninstall reinstall FRST to get a new Addition.txt, if requested.

 

Thanks for your time.

 

 

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

:excl: There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  warning.gif Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 


warning.gif Multiple Resident Protection warning!

Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark another ones as harmful, leading to leave your system unstable and even damaged. Please choose only one from the listed below to stay with and uninstall the others:

  • avast! Antivirus
  • Emsisoft Anti-Malware
  • Bitdefender Antivirus
Uninstallation procedure:
  • Press the WindowsKey.png + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for each uninstalled entry, right-click it and select Uninstall.
This should be done until any other steps will be taken.


I do not recommend usage of IOBIT products, they have bad reputation, and are prone to create problems. The company behind this product was found to be stealing the MBAM database. That is why I suggest to uninstall:

Advanced SystemCare

Driver Booster

Game Booster

IObit Malware Fighter

IObit Uninstaller

Smart Defrag

Surfing Protection

 

When you see a word "Booster", "Optimizer", "TuneUp" or similar it is often some kind of silly application. You cannot "boost" you system more than it actually is. Microsoft optimized Windows perfectly and they are constantly working on improvements, so these tools are just selling you nothing but "fog".

 

Only way to actually boost your system is to upgrade your hardware by adding SSD, more processor power or more ram memory.


remove%20outdated.jpg Uninstall some programs

 

We need to uninstall some unwanted/unneeded programs.

  • Press the WindowsKey.png + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search there for each entry mentioned below, right-click the entry and click Uninstall one at a time
  • The list of programs to uninstall:
    • Spybot - Search and Destroy
    After completing uninstalls, please manually reboot your machine!

     

    Note: If you get the message like: An error occurred while trying to uninstall, just press Yes.

Link to post
Share on other sites

Okay, let's get fresh reports:
 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

51a612a8b27e2-Zoek.png Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;autoclean;emptyclsid;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Upload it in your next reply.
Link to post
Share on other sites

They are sent to any contacts I have as well as any email accounts I have ever interacted with, such as people cc'ed that I don't necessarily have as contacts. 

 

I have just discovered that the emails "sent" on december 16 may have actually been sent on december 10 (before we cleaned the temp files), and that it just took 6 days for this "bounceback" to occur. I think this may be the case, and it is hard to tell for sure, because the malware always clears out the "sent" folder after issuing a round of emails and I rely instead upon my mailer-daemon to be informed of the fradulent emails sent.

 

I received the below "bounceback" at 2:40pm on december 16 as mentioned, and at first thought that meant it was sent on that date, but now I see the date referenced about halfway through of December 10 at 10:50am. By the way, that link at the bottom is the MALICIOUS link, I completely understand if this post must be removed due to the link, but atleast you will see what I am talking about first. I think I need more time monitoring the computers behaviour.
 

 
 
MAILER-DAEMON@moonspell.tek-art.com.pl 
To
scotthemy@rogers.com
 
Dec 16 at 5:24 PM
Hi. This is the qmail-send program at moonspell.tek-art.com.pl.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<stevedean@palgravetennisclub.com>:
216.200.145.235 does not like recipient.
Remote host said: 550 Recipient Rejected: No account by that name here
Giving up on 216.200.145.235.

<shaunasug@hotrmail.com>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <scotthemy@rogers.com>
Received: (qmail 4909 invoked by uid 0); 9 Dec 2015 20:57:01 -0000
Received: from localhost (HELO qcwk.com) (natalka@isolatka.art.pl@127.0.0.1)
  by localhost with ESMTPA; 9 Dec 2015 20:57:01 -0000
From: Scott Hemy <scotthemy@rogers.com>
To: "jessica0925" <jessica0925@live.ca>, "kelsey.hammerton" 
<kelsey.hammerton@hotmail.com>, "meagan.cormack" 
<meagan.cormack@gmail.com>, "shaunasug" <shaunasug@hotrmail.com>, "Steve Dean - PTC" <stevedean@palgravetennisclub.com>
Subject: Fw: new message
Date: Thu, 10 Dec 2015 10:50:14 -0800
Message-ID: <0000fd5a364a$32b7ae39$d81d77f8$@rogers.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_57CEA0DB.28DA944C"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdE6O0XGPJm89c45IIKqp6NV14vjOg==
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_0001_57CEA0DB.28DA944C
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hey!



Open message <http://gricela.laigriega.es/justice.php?b>
Link to post
Share on other sites

51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware

Please re-run 51a46ae42d560-malwarebytes_anti_malware. Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware
  • Click the Scan tab, choose Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and upload your next reply.


FRST.gif Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please upload them into your next reply.
Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif

icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please upload it to your reply.

fixlist.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.