Outgoing Spam

Avast 18.2.2328
Email client is Thunderbird, email service is Earthlink

My email account is reporting a lot of outbound spam sent from my computer, 100 messages in 24 hours, and continuing. Earthlink support says: “If you did not personally send this message, then your account may have been used by unauthorized persons and you should take action immediately to secure your account.” Sample message from Earthlink about items I did not send:
The following address(es) failed:
lynch@mc.net
host ismtp-02.mc.net [209.172.128.90]
SMTP error from remote mail server after RCPT TO:lynch@mc.net:
550 #5.1.0 Address rejected.

I ran an Avast scan and it found nothing amiss. Then I ran a Malwarebytes scan and it quarantined three items in the registry: PUP.Optional.InstallCore. But still my computer is sending outbound spam.

Is there anything that Avast can do about this? Or should I buy a special filter program for this one-time problem?

FWIW, here’s the MB log report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/7/18
Scan Time: 11:06 AM
Log File: f1759f50-2229-11e8-9968-b0104163fe6a.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.4246
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DELL3647\John Earwood

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326764
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 3 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-1914648859-788343595-4286043385-1001\SOFTWARE\csastats, Quarantined, [2], [260986],1.0.4246
PUP.Optional.InstallCore, HKU\S-1-5-21-1914648859-788343595-4286043385-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [2], [481004],1.0.4246

Registry Value: 1
PUP.Optional.InstallCore, HKU\S-1-5-21-1914648859-788343595-4286043385-1001\SOFTWARE\PRODUCTSETUP|TB, Quarantined, [2], [481004],1.0.4246

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)
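A check the thread never gets to, added here as an example (not code from the forum or from Avast): if the bounces Earthlink returns carry the original message, its Received chain shows which IP submitted the message to Earthlink's server, and comparing that first-hop IP with your own public IP separates "this PC is sending" from "someone else is using the account's credentials". The bounce text, hosts, addresses and IPs below are constructed placeholders.

```python
# Triage an SMTP bounce (non-delivery report): was the rejected message
# submitted to the provider from this PC, or from elsewhere using the account?
# Added example, not from the thread; the bounce below is constructed.
import re
from email import message_from_string
from email.message import Message

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [1.2.3.4] in Received
SAMPLE_BOUNCE = """\
From: Mail Delivery System <mailer-daemon@provider.example>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address(es) failed:
    550 #5.1.0 Address rejected.
--B1
Content-Type: message/rfc822

Received: from smtp-out.provider.example ([203.0.113.5]) by mx.remote.example
Received: from [198.51.100.77] by smtp-out.provider.example with esmtpa
From: victim@provider.example
X-Mailer: BulkMailer 1.0

buy now
--B1--
"""

def original_message(bounce: Message):
    # A DSN returns the original as a message/rfc822 part; walk() finds it.
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def received_ips(msg: Message):
    # Each hop prepends its own Received header, so the last one is the first hop.
    return [m.group(1) for h in msg.get_all("Received", []) for m in IP_RE.finditer(h)]

def triage(bounce_text: str, my_public_ip: str) -> dict:
    orig = original_message(message_from_string(bounce_text))
    if orig is None:
        return {"verdict": "bounce carries no original message"}
    ips = received_ips(orig)
    origin = ips[-1] if ips else None          # first hop = submitting client
    where = "this PC" if origin == my_public_ip else "another host"
    return {"origin_ip": origin, "mailer": orig.get("X-Mailer", ""),
            "verdict": f"submitted to the provider from {where}"}
```

Some providers strip the submitting client's IP from the Received chain; if no IP survives, the X-Mailer / User-Agent header is the next clue (a message that did not come from Thunderbird was not sent by this client's account settings).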

We need the logs from Farbar Recovery Scan Tool … step 2 in instructions >> https://forum.avast.com/index.php?topic=194892.0

If Avast detects FRST.exe … right-click the Avast tray icon > Manage Shields and pause shields

Here are the Farbar scans

Seems clean however…

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
cmd: type C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog 01-30-2018.wpp:SummaryInformation [465]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog 01-30-2018.wpp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog 02-06-2018.wpp:SummaryInformation [465]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog 02-06-2018.wpp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog__Glossary 02-27-2018.wpp:SummaryInformation [475]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog__Glossary 02-27-2018.wpp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog__Index page_ 02-28-2018.wpp:SummaryInformation [479]
AlternateDataStreams: C:\Users\John Earwood\Desktop\The BothAnd Blog__Index page_ 02-28-2018.wpp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\John Earwood\Documents\Retired Arch Card 04-08-2017.jpeg:3or4kl4x13tuuug3Byamue2s4b [83]
AlternateDataStreams: C:\Users\John Earwood\Documents\Retired Arch Card 04-08-2017.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
  • Go to File > Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

SassD

I have attached the fixlog.txt file as requested.

All of the files in the fixlist are documents that I created myself in Serif WebPlusX8. All, but the last two, are earlier versions of a file I am currently working on, and are saved to the Desktop. Is it possible for a webpage file to be used by malware to send out emails?

PS__The fixlog says “ADS removed successfully”. What does that mean?

PS__The fixlog says "ADS removed successfully". What does that mean?
If I should guess, it is short for > Alternate Data Streams > see the code posted above by @Sass Drake

Change password for that email account and please report situation after that.

Last night, I changed the password for the email account that is sending a lot of Outbound Spam. This morning I got 25 messages reporting “outbound spam” and “mail delivery fail”. Apparently the spam malware is merely using my email client along with its account settings and passwords. Any other ideas?

PS__Specialized email spam blockers are available, but they are intended mostly for Inbound Spam, which is already filtered by my email service. Shouldn’t Avast be catching Outbound Spam? If I have to buy a spam blocker, does anybody know which brand is cheap and effective?

I have just realized that my Firefox browser has been hijacked to replace the default search engine Google with a fake Yahoo adware. Apparently it redirects your search to sites that pay for hits. I haven’t yet found a way to get Firefox back to normal.

I don’t know if “Yaahoo” has anything to do with sending outgoing spam. But is there any way Avast can search for the software and remove it? Is it a known PUP?

https://malwaretips.com/blogs/remove-search-yahoo-com/

Try AdwCleaner >> https://www.malwarebytes.com/adwcleaner/

PS__Specialized email spam blockers are available, but they are intended mostly for Inbound Spam, which is already filtered by my email service. Shouldn't Avast be catching Outbound Spam? If I have to buy a spam blocker, does anybody know which brand is cheap and effective?
I don't know of anyone that catches outbound spam; I don't think there is one.

If you uninstall your mail client and only use your mail accounts as webmail for a week, and it then still continues, then it must be the mail account that is compromised and not your computer.

Firefox has not been hijacked, Yahoo is a legit search engine, and the Firefox search engine URL is legit. If the password change didn’t help then it means that the email domain you are using has been blacklisted due to spam from other users, or the email server was compromised. Can you write here the part of your email address after “@”? (@gmail.com for example).

Firefox has not been hijacked, Yahoo is a legit search engine, and the Firefox search engine URL is legit. If the password change didn't help then it means that the email domain you are using has been blacklisted due to spam from other users, or the email server was compromised. Can you write here the part of your email address after "@"? (@gmail.com for example).
Today, the Firefox search is using Google instead of the fake Yaahoo adware. I don't know what made the difference.

After using several kinds of malware scanners, nothing related to email has been found. GlassWire has been tracking internet activity and reports only credentialed software so far. One item, though, raised an eyebrow. Why is mrt.exe (Windows Malicious Software Removal Tool) connecting to the internet? Does it check in routinely, or only when it detects malicious activity?

Anyway, I still had 25 failed deliveries and reports of Outbound Spam today. So I may need to uninstall Thunderbird and reinstall. Depending on where the malware is located, that may not fix the problem.

My main email account ends with @mindspring.com. Other accounts are not affected.

In that case, you should contact Earthlink technical support. Your PC is clean.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.