Topic: Internet Mail scan going mad


DanWeb

  • Guest
Internet Mail scan going mad
« on: September 23, 2007, 01:18:14 PM »
I noticed an icon pop up yesterday that turned out to be the internet mail scan on Avast Home.

As I was not sending any mail, I investigated further in Avast and discovered that my machine is sending out hundreds of spam emails.

I quickly did some research and decided to get a firewall (ZoneAlarm) to stop this mail being sent while I work out how to remove it.

I discovered that if I disable internet access for Generic Host Process for Win32 Services the emails stop, but I can't find any way of detecting what it is that my PC has.

Can anyone help, please?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Internet Mail scan going mad
« Reply #1 on: September 23, 2007, 02:15:41 PM »
You appear to have an undetected or hidden trojan spambot on your system.

Some anti-spyware tools might help find the trojan.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using WinXP: AVG Anti-Spyware (formerly Ewido), resident scanner during trial, on-demand after the trial ends. Or SUPERAntiSpyware, on-demand only in the free version. Or Spyware Terminator, resident scanner. Or a-squared Free, on-demand only with the free version (if using Win98/ME).

Recently I have seen a number of these spambot infections hidden by a rootkit, so if you get no joy from the above tools, check out these anti-rootkit tools. The three listed are probably the most user friendly and effective. Also see: anti-rootkit, detection, removal & protection.

http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- BlackLight - http://www.f-secure.com/blacklight/
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG ANTI-ROOTKIT - AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Internet Mail scan going mad
« Reply #2 on: September 23, 2007, 03:00:37 PM »
Unfortunately rootkits get so deeply into the hard drive that the only way to remove them completely is to back up your important information, then physically disconnect the system from the Internet.

Boot with a DOS floppy diskette, then completely FORMAT the hard drive, then re-install the operating system (OS).

You don't mention the operating system in use, but it looks like at least WinXP or Vista, and if it is WinXP you can order a WinXP SP2 CD from Microsoft for free that will update the OS to a base SP2 level, so you will only have to install the latest updates:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

With SP2 installed the Windows Firewall is automatically enabled.

You should also install Windows Defender that is not automatically installed with WinXP but is standard with Vista:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #3 on: September 23, 2007, 03:20:04 PM »
David, thanks for the list of options. Unfortunately all the rootkit options come back saying they can't find anything. I'm now having to use my laptop as another problem has started: when I enable the internet on the computer, the spam mail starts going out and then the PC reboots. Just about to try SUPERAntiSpyware, will get back to you when it is completed.

YoKenny, the computer is WinXP Pro SP2 with Avast Home, Windows Defender and originally Windows Firewall running (now ZoneAlarm). Unfortunately it still didn't stop me getting it. Was hoping not to have to resort to reinstalling Windows, but it seems my only option at this stage unless anyone else has any ideas.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Internet Mail scan going mad
« Reply #4 on: September 23, 2007, 04:59:28 PM »
Unfortunately rootkits get so deeply into the hard drive that the only way to remove them completely is to back up your important information, then physically disconnect the system from the Internet.

Boot with a DOS floppy diskette, then completely FORMAT the hard drive, then re-install the operating system (OS).

Even if this were a rootkit (it was only a suggestion to check), there are other options; any format and start again is an option of last resort, and I don't think we are anywhere near that option.
« Last Edit: September 23, 2007, 05:02:04 PM by DavidR »

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #5 on: September 24, 2007, 04:42:00 AM »
Update on Situation

Now my system always reboots about 1 - 2 minutes after enabling the internet connection. I tried SUPERAntiSpyware on an intensive search in safe mode and it came back with a list of things, 174 to be exact. I then repaired, rebooted to safe mode and ran it again, this time finding 1 item, which I repaired, and then rebooted into normal mode.

David, I have attached a copy of the log from SUPERAntiSpyware and a log from HijackThis in case there is something that stands out to you or anyone else out there.

mauserme

  • Guest
Re: Internet Mail scan going mad
« Reply #6 on: September 24, 2007, 05:01:32 AM »
Since you've already run ComboFix go ahead and post that log too.

You need to move HJT off your desktop. There will be backups that we don't want to risk being deleted. Move it to c:\hjt\

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #7 on: September 24, 2007, 05:10:49 AM »
Having trouble running ComboFix; it keeps telling me "FINDSTR: Search string too long".

mauserme

  • Guest
Re: Internet Mail scan going mad
« Reply #8 on: September 24, 2007, 05:23:07 AM »
Hmmm ...

Well, upload this file to VirusTotal and post the results:

C:\DOCUMENTS AND SETTINGS\SCANAC~1\LOCAL SETTINGS\Temp\AutoDetect.exe

You'll have to fill in the blank on the SCANAC~ part. It's an abbreviated user name.

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #9 on: September 24, 2007, 05:34:52 AM »
Got it working. Attached is the ComboFix log file & ComboFix quarantine log file.

mauserme

  • Guest
Re: Internet Mail scan going mad
« Reply #10 on: September 24, 2007, 05:57:47 AM »
Download rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly thereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

Also, don't forget to post the VirusTotal results requested above. What is the full path to that file? I believe we will be deleting it but will need the user name to automate the process.

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #11 on: September 24, 2007, 06:27:26 AM »
OK, here goes.

The full path of the file is: C:\Documents and Settings\Scan Account\Local Settings\Temp\autodetect.exe

The Rustock program didn't reboot and only generated a pelog.txt file, which is attached. Also attached is the new HijackThis log file and the VirusTotal file relating to the autodetect.exe file. It seems (not getting my hopes up) that the spam mail has stopped being sent out from my PC after running ComboFix. Though I haven't rebooted, so I may find it reinstalls itself after I reboot. Will hold off rebooting for the time being.


mauserme

  • Guest
Re: Internet Mail scan going mad
« Reply #12 on: September 24, 2007, 07:09:56 AM »
It seems (not getting my hopes up) that the spam mail has stopped being sent out from my PC after running ComboFix.
That's entirely possible. ComboFix killed several files.


Open HijackThis and click Do a System Scan Only. Place a check mark next to this line:


O4 - HKCU\..\RunOnce: [Ceedo Repair] C:\DOCUME~1\SCANAC~1\LOCALS~1\Temp\AutoDetect.exe /repair /drive=I /name=PowerToGo


Close all other windows, including your browser, and click Fix Checked.


Now download OTMoveIt by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Documents and Settings\Scan Account\Local Settings\Temp\autodetect.exe
C:\WINDOWS\system32\drivers\nmeydofjkccn.sys
C:\WINDOWS\system32\xpdx.sys


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red MoveIt! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

The last of those three files, xpdx.sys, was your rootkit. It shows up in ComboFix, and rustbfix deleted it. I've included it above just to make sure it's gone.


After completing all of the above, please download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Non-Microsoft Only
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and copy/paste the information back here, or just attach it. It will be quite long and may require multiple posts. Make sure the last line reads < End of Report >.

I will review this in the morning.


BTW, I think you would be safe rebooting after killing those files with OTMoveIt.
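The O4 line above shows the pattern that gave this infection away: a RunOnce entry whose program lives in a user's Temp folder. As an added defender's example (not code from this thread, HijackThis or any of the tools named here), the Python below parses HijackThis-style O4 lines and flags entries whose executable sits under a Temp directory. The input lines are constructed for the example; the avast and ZoneAlarm entries are stand-ins for ordinary startup items, and the `svc.exe` entry is invented to show a second hit.

```python
"""Flag HijackThis-style O4 autorun entries that launch from Temp folders.

Added example: assumes the O4 line layout
    O4 - <hive>\..\<key>: [<name>] <command line>
as seen in the log line posted in this thread.
"""
import re

# Regex for an O4 registry autorun line (Startup-folder O4 lines are ignored).
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Locations a legitimate startup item rarely launches from (heuristic, constructed).
# Case-insensitive so it also matches 8.3 short names such as LOCALS~1\Temp.
SUSPICIOUS_DIR_PATTERNS = (
    re.compile(r"\\temp\\", re.I),
    re.compile(r"\\temporary internet files\\", re.I),
)

# Constructed sample log: two normal items and two Temp-folder launches.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    "O4 - HKCU\\..\\RunOnce: [Ceedo Repair] C:\\DOCUME~1\\SCANAC~1\\LOCALS~1\\Temp\\AutoDetect.exe /repair /drive=I /name=PowerToGo",
    'O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"',
    "O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\Scan Account\\Local Settings\\Temp\\svc.exe -s",
]


def executable_path(cmd):
    """Extract the program path from a command line, with or without quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first '.exe' followed by whitespace/end.
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_o4(line):
    """Return a dict (hive, key, name, cmd, exe) for an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_path(entry["cmd"])
    return entry


def is_suspicious(entry):
    """True when the launched executable lives in a temporary-files location."""
    return any(p.search(entry["exe"]) for p in SUSPICIOUS_DIR_PATTERNS)


def flag_entries(lines):
    """Parse every O4 line and return the entries worth a closer look."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry and is_suspicious(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(f"{e['hive']}\\..\\{e['key']} [{e['name']}] -> {e['exe']}")
```

The check is deliberately a coarse triage step, not proof of infection: a flagged entry still needs the file hashed and checked (as the thread does with VirusTotal) before it is removed. A RunOnce entry pointing into Temp is exactly the shape of the AutoDetect.exe line, which is why the heuristic fires on it and not on the vendor entries.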

DanWeb

  • Guest
Re: Internet Mail scan going mad
« Reply #13 on: September 24, 2007, 08:05:29 AM »
Here it is:

OTMoveIt log and WinPFind3u log.

mauserme

  • Guest
Re: Internet Mail scan going mad
« Reply #14 on: September 24, 2007, 05:09:08 PM »
The only things I see in your WinPFind log are some old versions of Java still installed on your computer. You should download and install the current version here:

http://filehippo.com/download_java_runtime/

Then uninstall all older versions in Add/Remove Programs in the Control Panel. You have to do this manually as the update process will not take care of it for you.



Assuming your computer is still symptom free we can do a little clean up and be done.

Double click OTMoveIt once again and click the CleanUp! button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.


Now download and install CleanUp, rebooting the computer if requested during installation:

http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=72

Open the program and click the Clean Up button in order to remove temporary files, browsing history, etc. It's a good practice to use this program from time to time as malware can lurk in some of these locations. I usually run this program after every browsing session.


Next we will reset your restore points to make sure there is no malware hiding there. Then if you need to restore at some stage you will be clean.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point; to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
2. In the drop-down box that appears select your main drive, e.g. C.
3. Click OK.
4. The system will do some calculation and then display a dialogue box with tabs.
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this.
7. Accept the warning and select OK again; the program will close and you are done.

I recommend you keep SUPERAntiSpyware and also consider AVG Anti-Spyware. A weekly scan with either of these will help keep your computer clean.

SpywareBlaster is good prevention against much malware and uses no system resources other than during the update process. Make sure to update and enable the definitions every 3 to 4 weeks.


« Last Edit: September 24, 2007, 05:10:41 PM by mauserme »