Sending through Internet mail

My computer has been sending e-mails non-stop through Internet mail.

My setup is as follows: Win XP SP2, Outlook 2003 & Exchange client. My “normal” mail goes through Exchange/Outlook. I’ve run a lot of spyware removers and only one found spyware. It was called proxy.small.ck. I removed it and rebooted, and the mails started sending again. I have attached a copy of my HijackThis log. Any help is appreciated.

What anti-spyware have you run ?
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

The Internet Mail provider doesn’t send email; it is scanning outbound email, which is likely to be a trojan spam bot sending spam, probably using its own SMTP engine.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. avg anti-spyware or SUPERantispyware or Spyware Terminator

I don’t see anything immediately obvious in your log. Are you using a firewall? If so, which one?
A firewall should also stop unauthorised outbound connections such as the sending of this spam.

There is a program, TCPView, that should show what is connecting; that may indicate which file/application is responsible for the email spam.

If you open the Internet Mail provider, set the Sensitivity slider to High and click the Customize button, you can change some of the settings to try and trip it up, or at least identify the sending application (see image).

David

So far I have run Ad-Aware, Spybot, CounterSpy, and AVG (Ewido). I have disabled the firewall temporarily. The firewall will block it, but I am blocking the sending of them with Avast. The e-mails being sent are your typical Viagra type messages. The to and from addresses are the same but unique to each message.

Ewido was the only one to find the cause and listed it as proxy.small.ck, but gave no file name or location. After I click Remove and reboot my system, it reinstalls. I will download the others you suggested and see what I come up with. I will also download TCPView and see what that tells me.

One other thing: there is nothing in the Avast log about it. I thought all Warnings were posted there. Maybe it is because it is not catching it as a virus, but as “too many identical e-mails”.

You should also consider running Blacklight:

Tutorial: http://www.bleepingcomputer.com/tutorials/tutorial124.html
Download: https://europe.f-secure.com/exclude/blacklight/

Do not rename anything yet if BL finds something. Only post the report file (the fsbl*.log file in the same folder you start BL from).

You need to disable System Restore and clean your temporary files, then run a boot-time scan with avast and send any infected file to the Chest.
After booting, just run the other anti-trojan tools you’ve mentioned.

It looks like it is fixed. Thanks for all the advice and help. Tech hit the nail on the head. I had forgotten to disable System Restore and delete the temp files (and I know better), which allowed it to reinstall. Thanks again to everyone.

Good to know. Feel free to come back any time you need help or just share experience 8)

I have a similar problem. My computer runs XP, SpamPal, aVast!, AVG Anti-Spyware, Spyware Terminator.

Every time I boot up my computer, emails are sent automatically and continuously.

I scanned my computer with aVast!, an online virus scan, and the spyware scanners above, and removed any virus that was found. Now no virus or spyware is found.

But the problem continues. Below are the connections filtered by SpamPal; it looks like svchost is sending email to localhost and then outside. During sending, the Internet Mail provider scans.

Could anyone please advise on how to fix this problem?

Below are the SpamPal connections:

21:18:20 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:20 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25

21:18:20 05/20/07 CONNECTION ENDS (0 fetches; 0 spam, 0 whitelisted)

21:18:21 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:21 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25

21:18:21 05/20/07 CONNECTION ENDS (0 fetches; 0 spam, 0 whitelisted)

21:18:20 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:20 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:20 05/20/07 EMAIL ADDRESS: bucyrusvsn@seed.net.tw
21:18:20 05/20/07 I.P. ADDRESS: 127.0.0.1 in local ignorelist
21:18:20 05/20/07 ACCEPT: (MAIL FROM: bucyrusvsn@seed.net.tw) (RCPT TO: tony341@yahoo.com)

21:18:22 05/20/07 CONNECTION ENDS (1 fetches; 0 spam, 0 whitelisted)

21:18:22 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:22 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:22 05/20/07 EMAIL ADDRESS: flemingtonqfg@seed.net.tw
21:18:22 05/20/07 I.P. ADDRESS: 127.0.0.1 in local ignorelist
21:18:23 05/20/07 ACCEPT: (MAIL FROM: flemingtonqfg@seed.net.tw) (RCPT TO: tony3488_1999@yahoo.com)

21:18:25 05/20/07 CONNECTION ENDS (1 fetches; 0 spam, 0 whitelisted)

21:18:23 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:23 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:23 05/20/07 EMAIL ADDRESS: brinkley41@seed.net.tw
21:18:23 05/20/07 I.P. ADDRESS: 127.0.0.1 in local ignorelist
21:18:23 05/20/07 ACCEPT: (MAIL FROM: brinkley41@seed.net.tw) (RCPT TO: tony343@yahoo.com)

21:18:26 05/20/07 CONNECTION ENDS (1 fetches; 0 spam, 0 whitelisted)

21:18:26 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:26 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25

21:18:26 05/20/07 CONNECTION ENDS (0 fetches; 0 spam, 0 whitelisted)

21:18:28 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:28 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25

21:18:28 05/20/07 CONNECTION ENDS (0 fetches; 0 spam, 0 whitelisted)

21:18:30 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS ‘svchost.exe’
21:18:30 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25

21:18:30 05/20/07 CONNECTION ENDS (0 fetches; 0 spam, 0 whitelisted)
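The SpamPal log above has the classic spam-bot signature: a system process (svchost.exe) opening repeated direct connections to port 25 on a remote MTA from 127.0.0.1, with a different forged MAIL FROM on every message. The following detection logic is an added example, not the poster's or SpamPal's own code; it parses that log format (regexes written from the lines quoted above) and assumes a configurable list of legitimate mail clients and a connection threshold, both constructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the SpamPal log format quoted above (not the poster's full log).
SAMPLE_LOG = """\
21:18:20 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS 'svchost.exe'
21:18:20 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:20 05/20/07 ACCEPT: (MAIL FROM: bucyrusvsn@seed.net.tw) (RCPT TO: tony341@yahoo.com)
21:18:22 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS 'svchost.exe'
21:18:22 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:23 05/20/07 ACCEPT: (MAIL FROM: flemingtonqfg@seed.net.tw) (RCPT TO: tony3488_1999@yahoo.com)
21:18:23 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS 'svchost.exe'
21:18:23 05/20/07 CONNECTION FROM 127.0.0.1 TO mta-v12.mail.vip.re4.yahoo.com:25
21:18:23 05/20/07 ACCEPT: (MAIL FROM: brinkley41@seed.net.tw) (RCPT TO: tony343@yahoo.com)
21:20:01 05/20/07 FILTERING SMTP CONNECTION FOR PROCESS 'outlook.exe'
21:20:01 05/20/07 CONNECTION FROM 127.0.0.1 TO smtp.example.com:25
21:20:02 05/20/07 ACCEPT: (MAIL FROM: me@example.com) (RCPT TO: friend@example.org)
"""

PROC_RE = re.compile(r"FOR PROCESS ['\u2018](.+?)['\u2019]")   # plain or curly quotes
CONN_RE = re.compile(r"CONNECTION FROM (\S+) TO (\S+):(\d+)")
MAIL_RE = re.compile(r"MAIL FROM: (\S+)\) \(RCPT TO: (\S+)\)")

def parse_spampal(text):
    """Group the flat log into one record per SMTP connection."""
    conns, cur = [], None
    for line in text.splitlines():
        if m := PROC_RE.search(line):
            cur = {"process": m.group(1).lower(), "dst": None, "port": None, "senders": set()}
            conns.append(cur)
        elif cur and (m := CONN_RE.search(line)):
            cur["dst"], cur["port"] = m.group(2), int(m.group(3))
        elif cur and (m := MAIL_RE.search(line)):
            cur["senders"].add(m.group(1).lower())
    return conns

def find_spam_bots(text, mail_clients=frozenset({"outlook.exe"}), min_connections=3):
    """Flag processes that are not known mail clients (assumed list), open repeated direct
    port-25 connections, and put a different MAIL FROM on each message (forged senders)."""
    stats = defaultdict(lambda: {"connections": 0, "hosts": set(), "senders": set()})
    for c in parse_spampal(text):
        if c["port"] == 25:
            s = stats[c["process"]]
            s["connections"] += 1
            s["hosts"].add(c["dst"])
            s["senders"] |= c["senders"]
    return {p: s for p, s in stats.items()
            if p not in mail_clients and s["connections"] >= min_connections
            and len(s["senders"]) >= 2}
```

The flagged process name is the starting point for TCPView or a process-to-file lookup, not the conclusion: svchost.exe here is a legitimate host process that a loaded DLL has hijacked, so the next step is finding which module inside it owns the sockets.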

Can you check in your firewall logs which program is doing this?
Maybe you can use TCPView, a program from Sysinternals (now Microsoft).
Didn't any of your security programs detect anything? AVGAS?

Maybe you can try SuperAntispyware. It is free if you don't need the resident guard, and it won't conflict with other programs on your computer.

I do not know which program does it.

On SpamPal it looks like:

Source Client Protocol Server
svchost.exe localhost SMTP *various servers

On AVG Anti-Spyware:

Application Protocol Local address remote address
unknown TCP 127.0.0.1:ports 127.0.0.0:12025
svchost UDP 0.0.0.0:ports
svchost UDP/TCP 192.168.173.100:ports

I will install TCPView and SuperAntispyware and see what can be found.

svchost.exe seems to be hijacked to send emails by SMTP.
That seems like malware behaviour. If you can’t find anything, try on-line scanning:
Dr.Web Online URL verification: http://online.drweb.com/?url=1

Full computer on-line scanning:
Kaspersky
Trendmicro housecall
Ewido
F-Secure
Panda ActiveScan
BitDefender (free removal of the malware)
HitmanPro (new online scanner)

Tech,

Thanks. I installed and scanned with SuperAntispyware and it is fixed.

The scan log is as below:

Trojan.Downloader-RPCC
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
C:\WINNT\SYSTEM32\RPCC.DLL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Asynchronous
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Startup

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@ad.sa8.woowy[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.21cn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@crackz[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@free.wegcash[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@homesexnetwork[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@windowsmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.vibrantsex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[1].txt

It’s becoming a better and better antispyware…
Did you test avgas, a-squared or spyware terminator?
Did you run a full scanning (or boot time scanning) with avast?

Before scanning with SuperAntispyware, I scanned with Spyware Terminator, Ad-Aware SE Personal, Trend Micro HouseCall, Symantec, Kaspersky and F-Secure.

I also ran a full scan and a boot-time scan with avast.

But none of them could fix the problem, until SuperAntispyware.