Email worm

Old 20 January 2004, 09:14 PM
  #1  
Krade
Scooby Regular
Thread Starter
 
Join Date: Jun 2002
Location: The home of the game played with odd shapped balls
Posts: 2,037
Likes: 0
Received 0 Likes on 0 Posts

Whenever I start up Outlook and then send and receive emails I keep getting this pop up.....



The great thing is McAfee will keep on popping up with this but it doesn't detect it with the virus scan, which is up to date. It makes no difference if I turn Outlook off, it still pops up. I can't find it in task manager, and I can't find any reference in Outlook to that email addy.

I am at a loss as to what to do, I don't have a clue where to go from here, any ideas?
Old 20 January 2004, 09:19 PM
  #2  
Hanslow
Scooby Regular
 
Join Date: Mar 2001
Location: Derbyshire
Posts: 4,496
Likes: 0
Received 0 Likes on 0 Posts

Try running the free online one here just to make sure.

Looking at what it says makes it look like there is some keylogging software on your machine that is trying to send the keylog to that email address.

[Edited by Hanslow - 1/20/2004 9:22:22 PM]
Old 20 January 2004, 09:41 PM
  #3  
krazy
Scooby Regular
 
Join Date: Feb 2003
Posts: 335
Likes: 0
Received 0 Likes on 0 Posts

You could also try a trojan scanner/remover; virus scanners are still not up to much at detecting/removing these unfortunately.. (but slowly improving).
Try Google or something.

online scan here http://www.trojanscan.com/

or one of the trials such as from

http://www.agnitum.com/

Also try NAI's Stinger prog

http://vil.nai.com/vil/stinger/
Old 21 January 2004, 12:42 AM
  #4  
Krade

Ran the online one Hanslow posted: nothing found.
Trojan scan found nothing.
Agnitum: none found.
Stinger: none found.


Looks like it's gonna be a reformat

[Edited by Krade - 1/21/2004 12:54:02 AM]
Old 21 January 2004, 08:03 AM
  #5  
Leg@cy
Scooby Regular
iTrader: (2)
 
Join Date: Aug 2002
Location: South Wales - used to have a Legacy
Posts: 2,200
Likes: 0
Received 0 Likes on 0 Posts

I've had something like this in the past with McAfee......

You haven't got the email in your outbox waiting to be sent??

And every time you send and receive it is trying to send, yet recognises it as being sent several times recently...

??

Old 21 January 2004, 09:25 AM
  #6  
Krade

Kind of like that.
One thing though, I did have a trojan loader which AVG got rid of by quarantining it and I deleted something out of the registry; could this be part of the same virus but nothing can find it as I have deleted some of it?
Old 21 January 2004, 10:18 AM
  #7  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852
Received 51 Likes on 34 Posts

Could be, try Ad-Aware or Spybot Search & Destroy
Old 21 January 2004, 05:38 PM
  #8  
Krade

Ad-Aware draws a blank.
Really am at a loss over this.
Old 21 January 2004, 07:37 PM
  #9  
krazy

Hmmm.. don't you just hate PCs..

Only other suggestion I thought of is run HijackThis and post the report log on one of the support forums..

http://www.spywareinfo.com/forums/

More info/download etc here..

http://mjc1.com/mirror/hjt/
Old 22 January 2004, 07:14 AM
  #10  
prana
Scooby Regular
 
Join Date: Apr 2003
Location: Sydney, Aust
Posts: 341
Likes: 0
Received 0 Likes on 0 Posts

McAfee or any personal SMTP scanners will remove the socket call outbound to port 25 (SMTP) and replace it with its filter. In this case, you seem to have a process running that has its own SMTP engine. If I am not mistaken, it is trying to send information out to vallium@mail.ru. I am not surprised if it contains either information about your computer or even keylogged passwords designed to be sent back to a designated place.

Since you cannot "hunt" down the trojan, it seems likely someone has backdoored you, so let's start the hunt process.

1. Look for any suspicious users installed on your PC. In the command line type in "net user".

2. Look for rooted local groups, such as the administrators group. Again in the command line try "net localgroup administrators" and look for things like guests or any strange results.

3. Look for strange ports saying ESTABLISHED trying to reach out to an external port 25 via netstat: "netstat -na", or if you are using XP "netstat -nao". If XP, you can get the PID which is very useful in finding the trojaned program.

4. Look for any processes running on your PC; make sure you list processes from other users as well. Look for any names that seem to hog CPU power. For example, there is a trojan called Trojan.Androv that sends information outbound which hides itself as Msuser32; another one is Trojan.KeyLog.

5. Look for anything installed in the All Users "Startup" folders.

6. Go through your registry and look in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_Once and see if there are any strange programs.

Check back here with your results. I suspect by the time you go through a few, you will have better clues already. You have been given a huge clue: you know something is trying to access external port 25 without your consent! FIND IT. It is a little hard for me to help you over this forum but.... If you get lost, check back here; when I get a chance, I will help you further if you still need it looked at.




[Edited by prana - 1/22/2004 7:18:20 AM]
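Step 3 is the one that usually gives the game away on XP, because "netstat -nao" prints the PID next to each connection and "tasklist" turns that PID into a program name. As an added example (not from the thread), here is a Python parser for both outputs, fed with constructed samples, that lists every process holding a connection open or opening to remote port 25; the addresses, PIDs and image names are made up, and the msuser32.exe entry only borrows the disguise mentioned in step 4.

```python
import re

# Constructed sample in the layout Windows XP's "netstat -nao" prints; the
# addresses, ports and PIDs are made up for this example.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1042      192.0.2.20:110         ESTABLISHED     1580
  TCP    192.168.1.10:1051      198.51.100.7:25        ESTABLISHED     2244
  TCP    192.168.1.10:1066      198.51.100.7:25        SYN_SENT        2244
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed "tasklist" output used to turn a PID into an image name; the
# msuser32.exe entry borrows the disguise the thread mentions for Trojan.Androv.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  912 Console                 0      4,120 K
OUTLOOK.EXE                 1580 Console                 0     21,332 K
msuser32.exe                2244 Console                 0      1,204 K
"""

NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_netstat(text):
    """One dict per connection line: proto, local, remote, rport, state, pid."""
    conns = []
    for m in filter(None, map(NETSTAT_LINE.match, text.splitlines())):
        proto, lhost, lport, rhost, rport, state, pid = m.groups()
        conns.append({"proto": proto, "local": f"{lhost}:{lport}", "remote": rhost,
                      "rport": None if rport == "*" else int(rport),
                      "state": state, "pid": int(pid)})
    return conns

def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    return {int(m.group(2)): m.group(1).strip()
            for m in filter(None, map(TASKLIST_LINE.match, text.splitlines()))}

def outbound_mailers(netstat_text, tasklist_text, port=25):
    """(pid, image, remote host, state) for each TCP connection open or opening
    to remote port 25: the processes that own the SMTP traffic the AV blocks."""
    names = parse_tasklist(tasklist_text)
    return [(c["pid"], names.get(c["pid"], "<not in tasklist>"), c["remote"], c["state"])
            for c in parse_netstat(netstat_text)
            if c["proto"] == "TCP" and c["rport"] == port
            and c["state"] in ("ESTABLISHED", "SYN_SENT")]
```

On the sample, the only process talking to port 25 is PID 2244 (msuser32.exe), while OUTLOOK.EXE is fetching mail on port 110 and stays out of the list.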
Old 22 January 2004, 07:19 AM
  #11  
prana

Oh yes, feel free to post any results you get, and hide your personal information such as local users, IP address etc.

Then I can look at it closer.
Old 22 January 2004, 08:50 AM
  #12  
Krade

Will have a proper go later tonight, cheers guys.
Old 22 January 2004, 10:10 AM
  #13  
Krade

If it helps any, I am running a Linksys router/gateway/modem thingy which has a built-in firewall.

Old 22 January 2004, 08:17 PM
  #14  
Krade

I don't think I've been hacked as I have a firewall and a rolling IP addy. Here is the router I have:
Lynksys BEFDSR41W




1. "net user" = only thing I don't recognise is the support user??? although there is nothing in the user accounts to show a profile and settings etc.




2. "net localgroup administrators"= just me


3. "netstat -nao" = I have no idea what is what. If you need specific IP numbers let me know and I can get 'em.


4. Task manager = yet again I have no idea what half these things are so it could be here and I don't know it


5. Startup folders are empty for all users, no hidden files either

6. Can't see anything that stands out, mind you again I don't really know what should and shouldn't be there...


run once



lastly here's a page from the log produced by my firewall if that can tell you anything.




So to me it looks like there's no backdoor activity.

What is this?
"If XP, you can get the PID which is very useful in finding the trojaned program"
One last thing is that when I try to shut down I get this


Not sure if this is McAfee stopping the email or the email virus itself. I have searched for this program and it brings up several bits and pieces but nothing in caps.

I am getting more and more p!ssed at this

Thanks for the help so far



[Edited by Krade - 1/22/2004 8:40:39 PM]

[Edited by Krade - 1/22/2004 9:08:49 PM]
Old 23 January 2004, 12:54 AM
  #15  
prana

I can't find any sus proggies from your list, but that SMTP block is almost indicative of spyware.

The other thing is, the process may only show when triggered by you running Outlook, so it is intermittent. This looks like a really difficult one to get to.

It actually sounds like a keylogger.



From 134.102.96.232 to 212.158.235.181 is quite persistent, both high ports. The 134.102.96.232 is from Germany, outbound. Does that sound familiar ?


Actually, you should check sent items and other outbound for sus emails. It is really hard to help over the net; unless you know how to set up such things as sniffers and port redirectors, we can make a fake SMTP engine and watch the contents being sent out. Failing that, you have to make a decision as to reinstall or try a different AV engine.


[Edited by prana - 1/23/2004 1:00:17 AM]
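The fake SMTP engine prana describes can be built from the Python standard library. Below is an added example (not from the thread): a capture-only SMTP sink that answers just enough of the protocol for a client to hand over its envelope and message, records them, and delivers nothing; the host names and addresses are constructed placeholders, and the smtplib client stands in for the unknown mailer whose port-25 traffic a port redirector would steer to the sink on an isolated host.

```python
import smtplib
import socket
import threading

def smtp_sink(captured, ready):
    """Accept one SMTP session on 127.0.0.1 (OS-chosen port, published in
    captured["port"]), record envelope and body, and deliver nothing."""
    srv = socket.create_server(("127.0.0.1", 0))
    captured["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    reply = lambda text: conn.sendall(text.encode("ascii") + b"\r\n")
    reply("220 sink.invalid ESMTP capture-only")
    body, in_data = [], False
    for raw in conn.makefile("rb"):
        line = raw.rstrip(b"\r\n").decode("utf-8", "replace")
        verb = line.split(" ", 1)[0].upper()
        if in_data and line == ".":         # end of DATA
            in_data, captured["body"] = False, "\n".join(body)
            reply("250 OK captured (not delivered)")
        elif in_data:                       # message line; undo dot-stuffing
            body.append(line[1:] if line.startswith("..") else line)
        elif verb in ("HELO", "EHLO"):
            reply("250 sink.invalid")       # no extensions advertised
        elif verb in ("MAIL", "RCPT"):      # MAIL FROM:<x> / RCPT TO:<y>
            addr = line.split(":", 1)[1].split()[0].strip("<>")
            captured.setdefault(verb, []).append(addr)
            reply("250 OK")
        elif verb == "DATA":
            in_data = True
            reply("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            reply("221 Bye")
            break
        else:
            reply("250 OK")                 # RSET, NOOP, ...: keep the client talking
    conn.close()
    srv.close()

def capture_one_message():
    """Start the sink, then play the unknown mailer with a constructed message."""
    captured, ready = {}, threading.Event()
    worker = threading.Thread(target=smtp_sink, args=(captured, ready), daemon=True)
    worker.start()
    ready.wait()
    with smtplib.SMTP("127.0.0.1", captured["port"], timeout=10) as client:
        client.sendmail("victim@example.invalid", ["dropbox@example.invalid"],
                        "Subject: log\r\n\r\n[constructed sample body]\r\n")
    worker.join()
    return captured
```

The dict returned by capture_one_message() holds the sender, the recipient list and the full message text, which is exactly what an analyst needs to confirm where a suspect process is trying to send data and what it contains.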
Old 23 January 2004, 09:51 AM
  #16  
JackClark

Is your version of VirusScan up to date?
Old 23 January 2004, 09:56 AM
  #17  
Krade

Cheers Prana, as you've probably guessed this is all beyond me. I am gonna ask one of the IT guys at work to have a look, see if they can find it; it's that or reformat.
