Repeated IMAP requests from masked Windows Process


4 replies to this topic

#1 svnty8 (Members, 2 posts)

Posted 28 June 2014 - 08:19 AM

Hey all, I've got some sort of yuck on my new laptop and have had a bugger of a time even finding out what it is.

I'm running Windows 8 on a Dell Inspiron laptop.  From watching Wireshark, the Task Manager and checking services, I can see this horrible thing is masking itself as a Windows Process and making IMAP requests to my mail server using two of my email addresses and an old password.

Using Wireshark, I can see the requests typically look like this:
   IMAP Request: E8TA CAPABILITY
   IMAP Request: 1ZR4 ID ("version" "17.0.1119.0516" "os" "WINDOWS" "vendor" "Dell Inc." "device" "Inspiron 3537" "AGUID" "[My guid in here]")
   IMAP Request: 2HXR LOGIN "[My email]" "[My old password]"

The first four characters of the request appear to be randomly-generated and don't follow the numbering convention that Thunderbird does, but it has the machine information correct and the password I only had for a few months (a few months ago) so it's been acquired fairly recently.  The requests always start with "CAPABILITY" then it gives my machine info ("version", "os", etc) then it goes "LOGIN" and gives my email credentials that are only a few months old (but not current).

It runs independently of Thunderbird being on and doesn't run in Safe Mode.  Once I boot up, it takes about 5 minutes before it starts to run and only runs every 5-10 minutes.  As mentioned, from watching the services/apps running in Task Manager, I've seen this thing run as "Service Host: Local System (Network Restricted) (10)" or "Service Host: Local Service (Network Restricted) (7)" or "Client Server Runtime Process" or even one of the services used for "Search Indexing".  The reason I know it must have been this thing and not those legitimate services is because I've switched each of those things off in other ways and it's still there (there's no option to stop any of these services when this malware is using it).

I've restarted in Safe Mode (and again) and installed/run:
*Ad-aware antivirus
*AdwCleaner
*Avast Antivirus
*Avast Anti Rootkit - Did not run.  Claimed "Error: Can't access device C:".
*AVG
*Combofix.exe (only after nothing else worked)
*Dr Web
*HijackThis - Finds questionable services (file missing) but fails to shut them down.
*Hitman Pro
*Malware Bytes
*Norton Power Erase
*Rootkit Buster
*RUBotted
*SecurityCheck.exe
*Spybot S&D
*Super Antispyware Professional
*TDSSKiller.exe
*Wireshark

Most of the above find and clean tracking cookies and some have even found malicious code in PHP files from a dev project years ago.  NONE of them have found what is running on my machine.  Even if something comes up in there that isn't a tracking cookie, "fixing" it does nothing.

Does anyone know of anything that would be running as a Windows Process and attempting to log into my mail server every 10 minutes with legitimate credentials?

I'm currently blocked by my mail server because of failed attempts and can't access the webmail either.  If anybody can offer any help, I'd much appreciate it heaps and heaps.

Cheers!
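The three client commands quoted in the post (CAPABILITY, then ID, then LOGIN) are exactly what a defender wants to pull out of a capture like this: the ID fields say what the client claims to be, the LOGIN line says which account is being tried, and the tag style helps match the traffic to a client. Below is an added triage script for such captured lines; it is not from the poster or from BleepingComputer, and the function names (`parse_commands`, `parse_id_fields`, `triage`), the sample capture and the placeholder credentials/GUID in it are my own constructions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the IMAP client commands the thread
# reports seeing in Wireshark. Credentials and GUID are placeholders, not
# values from the thread.
SAMPLE_CAPTURE = """\
E8TA CAPABILITY
1ZR4 ID ("version" "17.0.1119.0516" "os" "WINDOWS" "vendor" "Dell Inc." "device" "Inspiron 3537" "AGUID" "PLACEHOLDER-GUID")
2HXR LOGIN "user@example.com" "old-password-placeholder"
"""

# <tag> <command> [<arguments>]: the line shape of every IMAP client command (RFC 3501).
COMMAND_RE = re.compile(r'^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$')
# One IMAP quoted string, allowing backslash escapes inside it.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class ImapCommand:
    tag: str
    command: str
    args: str


def parse_commands(text):
    """Split captured client lines into (tag, COMMAND, arguments) records."""
    commands = []
    for line in text.splitlines():
        m = COMMAND_RE.match(line.strip())
        if m:  # lines that are not client commands (server replies, noise) are skipped
            commands.append(ImapCommand(m["tag"], m["cmd"].upper(), m["args"] or ""))
    return commands


def parse_id_fields(args):
    """Turn the ID command's parenthesised key/value list (RFC 2971) into a dict."""
    values = QUOTED_RE.findall(args)
    return dict(zip(values[0::2], values[1::2]))


def tags_look_sequential(tags):
    """True when tags are consecutive integers; False for random-looking tags like E8TA."""
    try:
        nums = [int(t) for t in tags]
    except ValueError:
        return False
    return all(b == a + 1 for a, b in zip(nums, nums[1:]))


def triage(text):
    """Summarise what a capture reveals: client self-identification, accounts
    sent with plaintext LOGIN, and the tagging style, for matching a client."""
    report = {"client_id": {}, "plaintext_logins": [], "tags": []}
    for c in parse_commands(text):
        report["tags"].append(c.tag)
        if c.command == "ID":
            report["client_id"] = parse_id_fields(c.args)
        elif c.command == "LOGIN":
            # LOGIN carries the password in the clear; only the user name is kept here.
            quoted = QUOTED_RE.findall(c.args)
            report["plaintext_logins"].append(quoted[0] if quoted else (c.args.split() or [""])[0])
    report["sequential_tags"] = tags_look_sequential(report["tags"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Two things the report makes visible. The poster could read the password in Wireshark, which means the session was plain IMAP with LOGIN rather than a TLS session; any credential seen that way should be treated as exposed on that network segment and rotated, and the account should be moved to IMAPS or STARTTLS. And the ID fields (vendor, device, version, AGUID) are the client describing itself, so they narrow the search for which installed program is talking, which is the question the rest of the thread answers.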




#2 wpgwpg (Members, 1,149 posts, US of A)

Posted 28 June 2014 - 11:40 AM

To help in further diagnosing this problem, please download and run Speccy.  After running it click File -> Publish snapshot... Copy and paste the link it gives you into your next post.  Then download minitoolbox and run it with the following boxes checked:

List last 10 Event Viewer Errors
List Installed Programs
List Users, Partitions, and Memory size
List Minidump files

Copy the resulting log and paste into a reply here.

Good luck.

Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:
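Alongside the logs asked for above, the snapshot that answers the original question directly is "which PID owns the connection to the mail server, and what does that PID host?". On Windows that is `netstat -ano` (connections with owning PID) joined against `tasklist /svc /fo csv` (PID to image name and, for svchost, the services it hosts), which replaces guessing from Task Manager's "Service Host" entries. The script below is an added example, not from the thread; the two commands are real Windows tools, but the sample output embedded in it is constructed (addresses, PIDs and the `mailclient.exe` name are invented) and the function names are mine.

```python
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `netstat -ano` output (addresses and PIDs invented).
# The TIME_WAIT row with PID 0 is the common edge case: the socket outlived
# the process, so nothing owns it any more.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49752     203.0.113.10:143       ESTABLISHED     1368
  TCP    192.168.1.23:49760     203.0.113.44:443       ESTABLISHED     5120
  TCP    192.168.1.23:49788     203.0.113.10:993       TIME_WAIT       0
"""

# Constructed sample of `tasklist /svc /fo csv` output; "N/A" is how tasklist
# marks a process that hosts no Windows service.
SAMPLE_TASKLIST = """\
"Image Name","PID","Services"
"svchost.exe","1368","Dnscache,NlaSvc"
"mailclient.exe","5120","N/A"
"""

MAIL_PORTS = {143: "imap", 993: "imaps"}
# TCP rows have five columns; UDP rows lack a State column and are not matched.
NETSTAT_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$')


def parse_netstat(text):
    """Return one dict per TCP connection line, with the remote port and owning PID."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, header and UDP lines
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")  # rpartition keeps IPv6 "[::1]:143" intact
        rows.append({"proto": proto, "remote_host": host, "remote_port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name and hosted services from tasklist's CSV output."""
    by_pid = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        by_pid[int(row["PID"])] = {"image": row["Image Name"], "services": services}
    return by_pid


def attribute_mail_connections(netstat_text, tasklist_text):
    """Join connections to IMAP/IMAPS ports with the process (and services) that owns them."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["proto"] != "TCP" or c["remote_port"] not in MAIL_PORTS:
            continue
        proc = procs.get(c["pid"])  # None when PID is 0 or the process already exited
        findings.append({
            "remote": f'{c["remote_host"]}:{c["remote_port"]}',
            "protocol": MAIL_PORTS[c["remote_port"]],
            "state": c["state"],
            "pid": c["pid"],
            "image": proc["image"] if proc else None,
            "services": proc["services"] if proc else [],
        })
    return findings


def live_snapshot():
    """Run both commands on a Windows host and attribute the live connections."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return attribute_mail_connections(ns, tl)


if __name__ == "__main__":
    results = live_snapshot() if "--live" in sys.argv else attribute_mail_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for r in results:
        print(r)
```

Run it with `--live` on the affected Windows machine, ideally during one of the 5-10 minute windows the poster describes, since a short-lived client connection may only show up as TIME_WAIT with PID 0 once it has closed. When the owning PID is an svchost.exe, the `services` list is what tells you which hosted service to look at; when it is a normal executable, the image name is the answer.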

#3 SleepyDude (Malware Response Team, 2,995 posts, Portugal)

Posted 28 June 2014 - 11:54 AM

Hi,

Did you check if the mail application included in Windows 8 isn't by any chance configured to retrieve your mail?


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
___
Rui


#4 svnty8 (Topic Starter; Members, 2 posts)

Posted 29 June 2014 - 04:22 AM

> Hi,
>
> Did you check if the mail application included in Windows 8 isn't by any chance configured to retrieve your mail?

Holy.  Cats.  And.  Yammers.

MATE!  That was it!

 

For the record, here's how this went down:

I got this laptop for Xmas from Wifeage, set up email (only two of my accounts) and then decided that Windows 8 is a peesacrap and wanted things to look The Way They Were, so I downloaded and installed Windows Start Menu 8.

It's great, I can use Windows the way I have for 13 years again, but I totally forgot to go in and switch off all the Winders crap that PROBABLY SHOULDN'T BE RUNNING UNBIDDEN ANYWAY.

I am a picture of profound relief.  I was not hacked, I have not been compromised, I am only a victim of the megalomaniacal Microsoft.

 

Thank you for your help, I appreciate that you know what an absolute dolt I'm feeling right now.

 

Cheers!



#5 SleepyDude (Malware Response Team, 2,995 posts, Portugal)

Posted 29 June 2014 - 09:15 AM

Good. :thumbup2:
