
Infected with email spambot malware


  • This topic is locked
11 replies to this topic

#1 marz1pan

marz1pan

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 09 August 2013 - 09:27 AM

Hi there,

After reading some threads on the Norton Community forums, I have concluded that my laptop has been compromised and infected with an email spambot. I have come straight to this forum for assistance as Norton users experiencing these symptoms were being directed here.

I first started noticing symptoms on Monday 5th. I happened to be installing a new program called KMPlayer, a popular audio/video player. I was going through the setup when I got a taskbar notification from Norton that said a suspicious program was removed (see notif_01.txt attached). 9 minutes later, I got another similar notification (see notif_02.txt attached).

The following night, Norton removed another two suspicious programs (see notif_03.txt and notif_04.txt attached). I was away from my laptop before the last notification, and when I came back, I found a Norton pop-up window saying Email Error (see email_error_01.txt attached). After reading it, I clicked OK to close it, but another pop-up followed it immediately. This happened several times; there seemed to be no end to these error messages.

Some errors said my IP was not authorised to send emails (see email_error_03.txt attached). I was confused; I didn't even have my email client open, let alone try to send any of these emails. I didn't recognise any of the recipient addresses, nor did any of the sender addresses belong to me, and they were all different every time. I also noticed that all the recipient addresses appeared to be personal Gmail addresses and the emails were all about meds. I could tell it was all spam. So, I started to research my problem.

Yesterday, I installed Malwarebytes and ran a full scan on all drives (1 internal, 1 external, and 1 USB). Directly after the scan started, Norton removed one more suspicious program (see notif_05.txt attached). Upon completion, the scan had detected 13 items in total, and I removed all of them and rebooted as required (see mbam_log.txt attached).

Tonight, I turned on my laptop and connected to the internet to log on here (I registered on my Android phone earlier). So far, I haven't received any more email errors from Norton, so it seems like Malwarebytes has helped a great deal.

I also ran DDS and added the dds.txt log at the bottom of this post as required (also see attach.txt log attached).

I'd now like to know what to do next to ensure that my computer is clean, safe, and secure.

This is the first time I've experienced something like this, so I'd also like to know more about the risks. Will any of the other devices on my home network be affected? Could the malware have taken any personal information from my computer or browser, or is it unlikely because it's a spambot? Is there anything else I should know or do?

Also, how on Earth did all this happen? Where did the malware come from? I haven't visited any suspicious websites lately. Is it at all possible that KMPlayer has anything to do with this? I haven't downloaded or installed anything else this fortnight. Or is it at all possible that my port forwarding has anything to do with this? I've heard that it's a risk in itself.

Thank you in advance to anyone who can help!

Logs deleted per poster request. Queen-Evie

Edited by Queen-Evie, 19 August 2013 - 09:50 AM.
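As an added example (not part of the thread and not from any of the tools named in it), here is a small Python check a defender can run over `netstat -ano`-style output to spot a process fanning out SMTP connections to many different mail servers, which is the behaviour behind the "IP not authorised to send" bounces described above. The addresses, process names and the mail-client allow-list are constructed assumptions.

```python
"""Flag outbound SMTP connections that do not come from a known mail client.
Constructed example: a spambot fans out to many mail servers on port 25 from a
process that is not the user's mail client. Input mimics `netstat -ano` columns
(Proto, Local, Foreign, State, PID) plus a PID-to-image map. All values made up."""
import re
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP on this machine (assumption; adjust to your setup).
ALLOWED_MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}

# Constructed netstat-style output and process table (not real data).
NETSTAT_SAMPLE = """\
  TCP    192.168.1.23:49152     173.194.76.27:25       SYN_SENT        3412
  TCP    192.168.1.23:49153     74.125.28.26:25        ESTABLISHED     3412
  TCP    192.168.1.23:49154     209.85.233.27:25       SYN_SENT        3412
  TCP    192.168.1.23:49160     64.233.186.27:25       ESTABLISHED     3412
  TCP    192.168.1.23:49170     198.51.100.10:587      ESTABLISHED     2200
  TCP    192.168.1.23:49180     203.0.113.5:443        ESTABLISHED     1800
"""
PROCESSES = {3412: "svchost32.exe", 2200: "thunderbird.exe", 1800: "firefox.exe"}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (remote_host, remote_port, pid) for each TCP line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP":
            yield m.group(4), int(m.group(5)), int(m.group(7))


def suspicious_smtp_senders(netstat_text, processes, min_hosts=3):
    """Return {pid: (image, sorted remote hosts)} for non-mail-client processes
    talking SMTP to at least min_hosts servers (a real client talks to one provider)."""
    hosts_by_pid = defaultdict(set)
    for host, port, pid in parse_netstat(netstat_text):
        if port in MAIL_PORTS:
            hosts_by_pid[pid].add(host)
    findings = {}
    for pid, hosts in hosts_by_pid.items():
        image = processes.get(pid, "<unknown>").lower()
        if image not in ALLOWED_MAIL_CLIENTS and len(hosts) >= min_hosts:
            findings[pid] = (image, sorted(hosts))
    return findings


if __name__ == "__main__":
    for pid, (image, hosts) in suspicious_smtp_senders(NETSTAT_SAMPLE, PROCESSES).items():
        print(f"PID {pid} ({image}) has SMTP connections to {len(hosts)} hosts: {hosts}")
```

On a live Windows machine the same logic applies to the output of `netstat -ano` and `tasklist`; a process that keeps appearing here after cleanup is a sign the spambot is still running.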




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 10 August 2013 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#3 marz1pan

marz1pan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 14 August 2013 - 11:37 AM

Hi nasdaq! (By any chance, is your name related to the American stock exchange of the same name? :wink:)

Thank you for your speedy reply! Unfortunately, for some reason, I was never notified, despite having immediate email notifications turned on as per forum recommendation...

 

Anyway, I've followed your instructions above.

 

AdwCleaner seems to have changed since you wrote your guide and no longer has a "Delete tab", so instead, I just clicked the "Clean" button on the main screen and that seemed to do the right thing.

 

I also noticed AdwCleaner and JRT both removed some things from Firefox. JRT completely removed the SuperStart add-on, which I'm a little annoyed about because there's no quarantine that I can just restore it from so I've lost my settings/data, and AdwCleaner removed Firefox Jetpack and the Norton SafeSearch search extension, which I find a little odd considering they're not at all adware... It also removed some lines from my preferences, and I'm not sure what those were...

 

But all in all, everything went smoothly. I'm also not having any problems with my computer, but then I haven't noticed anything since I cleaned it with Malwarebytes last week. Hopefully it stays that way!


Edited by Queen-Evie, 19 August 2013 - 09:54 AM.
Logs deleted per poster request.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 14 August 2013 - 01:14 PM

AdwCleaner seems to have changed since you wrote your guide and no longer has a "Delete tab", so instead, I just clicked the "Clean" button on the main screen and that seemed to do the right thing.


Thank you for the information.
I just updated the program and will change my canned speech.

This new version has a de-quarantine function.
It's under the tools menu.
===

I will inform the owner of the Junkware Removal Tool of the false positive on the SuperStart issue.

===

What are the remaining issues with this computer?

#5 marz1pan

marz1pan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 14 August 2013 - 06:54 PM

Hi nasdaq,

 

I just want to make sure my computer is clean. Is there anything else I should download/run a scan of, or are you giving the all-clear?

 

I had some questions at the end of my original post, but I think I can answer all of them myself now, except for "where on Earth did this malware come from?" The only web related program I had open at the time was µTorrent. Could it have come through that? Could it have been from malware/etc. previously on my computer? Or is it all too difficult to tell?

 

Also, I have another home computer that I installed Malwarebytes on and ran a scan, which found some things. I'd like the same assistance with it, and I believe it would be a very similar removal process. Do I need to make a new post for it, or can I just paste the MBAM log in this thread?

 

Thanks!



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 15 August 2013 - 09:00 AM

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

The only web related program I had open at the time was µTorrent. Could it have come through that? Could it have been from malware/etc. previously on my computer? Or is it all too difficult to tell?

Could very well be from using uTorrent. Unable to tell.

As for the other computer please start a new topic.
Post the MBAM log and a DDS log.
Post the topic link here and I will expedite the matter.

#7 marz1pan

marz1pan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 15 August 2013 - 09:48 PM

Hi nasdaq,

 


 

Thanks


Edited by Queen-Evie, 19 August 2013 - 09:55 AM.
Logs deleted per poster request.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 16 August 2013 - 08:00 AM

Glad we could help.

#9 marz1pan

marz1pan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 16 August 2013 - 11:15 AM

Glad we could help.


Is that everything? All clear?

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 16 August 2013 - 12:45 PM

Yes, unless you have other issues with this computer.

#11 marz1pan

marz1pan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:26 PM

Posted 16 August 2013 - 01:12 PM

Ok, thank you for your assistance.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 PM

Posted 16 August 2013 - 01:32 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



