Hidden Spam-spewing thing – Virus, Trojan, Spyware, and Malware Removal Help

I’ll lead off by saying I would never have even seen this one if I wasn’t running my own mail server.


I have a client who is using my mail server, and whenever his computer is online, my mail server basically instantly rate-limits him. We tried a few times to clean his machine, but even on boot-time scan Avast came up empty, so we just left it at that – he uses Thunderbird to read mail, and a webmail client on the mail server to respond, and it’s not ideal, but there was little else I could do because of where he is.


Then the same thing happened here. After some scrambling, we discovered that when my wife turned her computer on, my mail server (which is on a different network) would basically instantly rate-limit my entire network. I eventually got a hardware firewall in place on my network, set a rule to block her from sending email, and the rate-limiting stopped. The firewall logs show connection attempts to port 25 of my mail server ranging from once in 19 seconds up to three times a second. Apparently the malware is smart enough to read server information from Thunderbird’s settings – it’s only targeting my mail server – but not smart enough to read the credentials, as every attempt is failing with a code suggesting bad or no credentials. And it seems to have no other effects – no pop-ups, no surprise redirects, no desktop strangeness – all it does is try to send mail.


The Windows 10 built-in virus scanner, both on quick and offline scans, came up empty; a fresh install of Avast Free came up empty on smart, full, and boot-time scans. Because this happens whenever her machine is on and connected, I believe it is not a browser or mailer plug-in but a service or start-up program.


FRST log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-11-2021

Ran by jane (administrator) on DESKTOP-4EK7427 (ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop TP420IA_TM420IA) (11-11-2021 12:38:13)

Running from D:BleepingC

Loaded Profiles: jane

Platform: Microsoft Windows 10 Home Version 21H1 19043.1348 (X64) Language: English (United States)

Default browser: FF

Boot Mode: Normal


==================== Processes (Whitelisted) =================


(If an entry is included…