Pc Sending Spam Emails, No Trojan or Virus Found - Please Help!


Pink Sparkle Girl

Last night my PC started to send out spam emails (accompanied by Symantec
pop ups and various failure notices). It starts off slowly and gathers pace
until I have to reboot. I have run a full Norton scan, and three Spyware
programmes with nothing found. I am using Win XP SP2 (up to date).

I have also run various scans in Safe Mode with no joy.

I hope somebody can help as I don't know what to do now. I tried System
Restore but it couldn't do it. What is sending out these emails? It's not
coming from Outlook Express.


How do I find and remove the program/virus etc that is sending the spam out?
 
Hi,
Last night my PC started to send out spam emails (accompanied by Symantec
pop ups and various failure notices).

What do you mean? Started by itself?
How do you know that the emails were sent from your machine?

Marcin Domaslawski
 
Hi, I use Symantec Norton 2005 and Microsoft Outlook Express for my email.
Norton scans the emails from OE before sending them. I noticed that my PC
started to send out emails even though Outlook Express wasn't open. Some of
the spam must go out while others Norton stops and alerts me with a warning.
When OE is open the outgoing spam doesn't show up in the sent folder or
anywhere. They are being sent else how.

I have logged directly on to the Tiscali email site (these are the accounts
that the spam is being sent through) and found no problems there. I have now
deleted my three Tiscali email accounts from OE, and Norton is now telling
me that the spam my PC is trying to send "was unable to be sent because your
email server rejected the message" or "unable to be sent because your server
rejected the sender". I think that the spam is now unable to be sent out but
it still doesn't stop the spam trying every few seconds.

My only theory is that I inadvertently downloaded/installed some scripting
that is undetectable by Norton or any other spyware programme. I can find no
advice on the internet even though quite a few people experience this
problem. Now I know that the spam sender is accessing Outlook Express to get
my email details, how do I go about finding the bugger and removing it?!

Any advice gratefully received,
Sarah

 
Download Autoruns and Process Explorer to see what is running in real time
in the background:
AutoRuns for Windows v8.73
http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx

Then go through these cleaning steps:
1. First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab, clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing options:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons (you should re-enable them later one by one to find the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

2. Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
For any error messages, have a look in the Event Viewer and post them here.

HTH.
nass
 
Hi, before I followed much of this advice I deleted all my email accounts in
Outlook Express. This caused the spam bug confusion as it seemed to no
longer be able to send the mail. I then carried on with the advice below
running several scans which found very little of interest.

I would like to point out that about 5 hours before the spam started Norton
detected two Trojans (both mail relay), but they were both cleaned off my PC
before they could get started (or so I thought).

1. Trojan.Mitglieder
2. Trojan.Lodear

Norton has still found no evidence of anything else going on. About an hour
after deleting my email accounts from Outlook Express the spam began to
stop, or at least it isn't being scanned and sent via Norton.

I'm at a loss - has the problem been sorted or is my PC just sending out spam
undetected now? I have just rebooted my PC with my email accounts now added
back into Outlook Express to see. As before, I shall wait and see if the
spam starts in about 5 minutes' time...

 
If there's no longer an account for Norton to check, it could certainly
still be happening. If Norton is compromised, it wouldn't find the
culprit. There are stand-alone virus cleaners that can be run from Safe
Mode, or perhaps from a boot. They handle just a few of the recent
malware, I believe. Avast has this one:

http://avast.com/eng/down_cleaner.html

To run an online check, try one of these free online virus scans:

This one has a choice of a Quick or a Complete check
http://www.pcpitstop.com/

Symantec
http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym

<url:http://security2.norton.com/us/home.asp?j=1&venid=sym&langid=us&plfid=20&pkj=IHBEXIBVEMBQAUWZKTK>
then click the Security check link.

http://housecall.antivirus.com/ free online virus scan

http://www.ewido.net/en/

http://www.pandasoftware.com/products/activescan.htm
 
Trojan.Mitglieder.C
http://www.symantec.com/security_response/writeup.jsp?docid=2004-012012-0813-99&tabid=2


Trojan.Lodear
http://www.symantec.com/security_response/writeup.jsp?docid=2005-110111-3344-99&tabid=2

Please run HijackThis and send the log file for analysis to one of the many
forums specialised in HijackThis analysis.
As you previously said, it looks like an executable file is called every time
you try to access the Internet, and the remote control procedure starts
from the offending party.
HTH.
nass
 
It sounds like your OLD copy of Norton AV was not updating or was
compromised by something you did (even if you didn't know it).

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

Multi-Av will provide you with 4 quality AV scanners that will remove
this malware from your machine - follow the directions.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
 
Okay, I've done a few more scans and updates, plus re-installed Norton just
in case. There is still no sign of spam being sent out via Norton but still
no virus etc found and deleted to cause it to have just stopped. I have
posted a HijackThis to an appropriate forum in the hopes that something
might show up there. Is there any way to see if there is any email activity
going on in the background?
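
Added example (not part of the original thread, and not from any poster): one way to check for background email activity is to look at which process owns connections to mail ports. The Python sketch below parses saved output of `netstat -ano` and, where `tasklist` is available, `tasklist /fo csv /nh`; the sample text, addresses and process names are constructed for illustration.

```python
import csv
import io
from collections import Counter

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTP over TLS, mail submission

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1045      192.0.2.80:80          ESTABLISHED     2208
  TCP    192.168.1.10:1061      203.0.113.25:25        SYN_SENT        1844
  TCP    192.168.1.10:1062      198.51.100.7:25        ESTABLISHED     1844
  TCP    192.168.1.10:1063      198.51.100.9:25        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output; names are placeholders.
SAMPLE_TASKLIST = '''\
"svchost.exe","932","Console","0","4,120 K"
"iexplore.exe","2208","Console","0","9,876 K"
"example-unknown.exe","1844","Console","0","2,044 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(row[1]): row[0] for row in rows if len(row) >= 2}

def outbound_mail_connections(netstat_text):
    """Return (pid, remote_host, remote_port, state) for TCP connections to mail ports."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skips headers, blank lines and UDP rows (no State column)
        _proto, _local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if state != "LISTENING" and port.isdigit() and int(port) in MAIL_PORTS:
            hits.append((int(pid), host, int(port), state))
    return hits

def summarize(netstat_text, tasklist_csv):
    """Count mail-port connections per process, busiest first."""
    # PID 0 rows are closed (TIME_WAIT) connections no longer tied to a process.
    names = pid_names(tasklist_csv)
    counts = Counter(pid for pid, _, _, _ in outbound_mail_connections(netstat_text))
    return [(pid, names.get(pid, "<unknown>"), n) for pid, n in counts.most_common()]

if __name__ == "__main__":
    for pid, name, n in summarize(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {pid} ({name}): {n} connection(s) to mail ports")
```

A process that is not the mail client but keeps opening connections to port 25 is the one to look up in Process Explorer and Autoruns.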
 