Hey all, I've got some sort of yuck on my new laptop and have had a bugger of a time even finding out what it is.
I'm running Windows 8 on a Dell Inspiron laptop. From watching Wireshark, the Task Manager and checking services, I can see this horrible thing is masking itself as a Windows Process and making IMAP requests to my mail server using two of my email addresses and an old password.
Using Wireshark, I can see the requests typically look like this:
IMAP Request: E8TA CAPABILITY
IMAP Request: 1ZR4 ID ("version" "17.0.1119.0516" "os" "WINDOWS" "vendor" "Dell Inc." "device" "Inspiron 3537" "AGUID" "[My guid in here]")
IMAP Request: 2HXR LOGIN "[My email]" "[My old password]"
The first four characters of the request appear to be randomly generated and don't follow the numbering convention that Thunderbird does, but it has the machine information correct and the password I only had for a few months (a few months ago), so it's been acquired fairly recently. The requests always start with "CAPABILITY", then it gives my machine info ("version", "os", etc.), then it goes "LOGIN" and gives my email credentials that are only a few months old (but not current).
It runs independently of Thunderbird being on and doesn't run in Safe Mode. Once I boot up, it takes about 5 minutes before it starts to run and only runs every 5-10 minutes. As mentioned, from watching the services/apps running in Task Manager, I've seen this thing run as "Service Host: Local System (Network Restricted) (10)" or "Service Host: Local Service (Network Restricted) (7)" or "Client Server Runtime Process" or even one of the services used for "Search Indexing". The reason I know it must have been this thing and not those legitimate services is because I've switched each of those things off in other ways and it's still there (there's no option to stop any of these services when this malware is using it).
I've restarted in Safe Mode (and again) and installed/run:
* Avast Anti Rootkit - Did not run. Claimed "Error: Can't access device C:".
* Combofix.exe (only after nothing else worked)
* HijackThis - Finds questionable services (file missing) but fails to shut them down.
* Norton Power Erase
* Super Antispyware Professional
Most of the above find and clean tracking cookies, and some have even found malicious code in PHP files from a dev project years ago. NONE of them have found what is running on my machine. Even if something comes up in there that isn't a tracking cookie, "fixing" it does nothing.
Does anyone know of anything that would be running as a Windows Process and attempting to log into my mail server every 10 minutes with legitimate credentials?
I'm currently blocked by my mail server because of failed attempts and can't access the webmail either. If anybody can offer any help, I'd much appreciate it heaps and heaps.
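An added example (not part of the original post) for triaging captures like the one above: it parses Wireshark-style IMAP request lines, keeps the client fingerprint from the ID command and the account name from LOGIN (dropping the password), and flags clients whose tags are not numeric like Thunderbird's. The capture lines, ID values and addresses in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of Wireshark's IMAP "Request:" lines from the
# post above; tags, ID values and credentials here are made up, not real captures.
SAMPLE_CAPTURE = """\
IMAP Request: E8TA CAPABILITY
IMAP Request: 1ZR4 ID ("version" "17.0.1119.0516" "os" "WINDOWS" "vendor" "Dell Inc." "device" "Inspiron 3537" "AGUID" "00000000-example-guid")
IMAP Request: 2HXR LOGIN "user@example.com" "old-password"
IMAP Request: 1 CAPABILITY
IMAP Request: 2 LOGIN "user@example.com" "current-password"
"""

PREFIX_RE = re.compile(r'^(?:IMAP\s+)?Request:\s*', re.I)
CMD_RE = re.compile(r'^(\S+)\s+(\S+)(?:\s+(.*))?$')
# A quoted string (with escapes) or a bare atom, as IMAP arguments appear on the wire.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

@dataclass
class LoginAttempt:
    tag: str         # client-chosen command tag, e.g. "2HXR" or "2"
    user: str        # account name from LOGIN; the password is deliberately dropped
    client_id: dict  # key/value pairs from the preceding ID command, if any

def split_args(args):
    return [q if q else a for q, a in ARG_RE.findall(args)]

def parse_id_args(args):
    """Turn the parenthesised RFC 2971 ID list into a dict of client attributes."""
    vals = split_args(args.strip().strip("()"))
    return dict(zip(vals[0::2], vals[1::2]))

def extract_login_attempts(capture):
    attempts, pending_id = [], {}
    for raw in capture.splitlines():
        m = CMD_RE.match(PREFIX_RE.sub("", raw.strip()))
        if not m:
            continue
        tag, cmd, args = m.group(1), m.group(2).upper(), m.group(3) or ""
        if cmd == "ID":
            pending_id = parse_id_args(args)          # remember who says they are
        elif cmd == "LOGIN":
            attempts.append(LoginAttempt(tag, split_args(args)[0], pending_id))
            pending_id = {}                            # ID applies to the next LOGIN only
    return attempts

def uses_random_tags(attempt):
    """Thunderbird-style clients count tags numerically; anything else stands out."""
    return not attempt.tag.isdigit()
```

Running `extract_login_attempts(SAMPLE_CAPTURE)` gives one attempt carrying the Dell/Inspiron fingerprint with a non-numeric tag and one plain numeric-tag attempt with no ID data, which is the distinction worth comparing across several captures.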