Email worm
#1
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
Whenever I start up Outlook and then send and receive emails I keep getting this pop up.....
The great thing is McAfee will keep on popping up with this, but it doesn't detect it with the virus scan, which is up to date. It makes no difference if I turn Outlook off, it still pops up. I can't find it in task manager, and I can't find any reference in Outlook to that email addy.
I am at a loss as to what to do, I don't have a clue where to go from here, any ideas?
#2
Scooby Regular
Join Date: Mar 2001
Location: Derbyshire
Posts: 4,496
Try running the free online one here just to make sure.
Looking at what it says makes it look like there is some keylogging software on your machine that is trying to send the keylog to that email address.
[Edited by Hanslow - 1/20/2004 9:22:22 PM]
#3
You could also try a trojan scanner/remover; virus scanners are still not up to much at detecting/removing these unfortunately.. (but slowly improving)
Try google or something
online scan here http://www.trojanscan.com/
or one of the trials such as from
http://www.agnitum.com/
Also try NAI's Stinger prog
http://vil.nai.com/vil/stinger/
#4
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
Ran the online one Hanslow posted: nothing found.
Trojan scan found nothing.
Agnitum: none found.
Stinger: none found.
Looks like it's gonna be a reformat
[Edited by Krade - 1/21/2004 12:54:02 AM]
#5
Scooby Regular
iTrader: (2)
Join Date: Aug 2002
Location: South Wales - used to have a Legacy
Posts: 2,200
I've had something like this in the past with McAfee......
you haven't got the email in your outbox waiting to be sent??
and every time you send and receive it is trying to send yet recognises it as being sent several times recently...
??
#6
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
kind of like that.
One thing though, I did have a trojan loader which AVG got rid of by quarantining it, and I deleted something out of the registry. Could this be part of the same virus, but nothing can find it as I have deleted some of it?
#9
Hmmm.. don't you just hate PCs..
Only other suggestion I thought of is run HijackThis and post the report log on one of the support forums..
http://www.spywareinfo.com/forums/
More info/download etc here..
http://mjc1.com/mirror/hjt/
#10
Scooby Regular
Join Date: Apr 2003
Location: Sydney, Aust
Posts: 341
McAfee or any personal SMTP scanners will remove the socket call outbound to port 25 (SMTP) and replace it with its filter. In this case, you seem to have a process running that has its own SMTP engine. If I am not mistaken, it is trying to send information out to vallium@mail.ru. I am not surprised if it contains either information about your computer or even keylogged passwords designed to be sent back to a designated place.
Since you cannot "hunt" down the trojan, it seems likely someone has backdoored you, so let's start the hunt process.
1. Look for any suspicious users installed on your PC. In the command line type in "net user"
2. Look for rooted local groups, such as the administrators group. Again in the command line try "net localgroup administrators" and look for things like guests or any strange results
3. Look for strange ports saying established trying to reach out to an external port 25 via netstat: "netstat -na", or if you are using XP "netstat -nao". If XP, you can get the PID which is very useful in finding the trojaned program.
4. Look for any processes running in your PC, make sure you list processes from other users as well. Look for any names that seem to hog CPU power. For example, there is a trojan called Trojan.Androv that sends information outbound which hides itself as Msuser32, another one is trojan.KeyLog
5. Look for anything installed in All Users "startup" folders.
6. Go through your registry key and look for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_Once and see any strange programs.
Check back here with your results. I suspect by the time you go through a few, you will have better clues already. You have been given a huge clue, you know something is trying to access external port 25 without your consent ! FIND IT. It is a little hard for me to help you over this forum but.... If you get lost, check back here, when I get a chance, I will help you further if you still need it looked at.
[Edited by prana - 1/22/2004 7:18:20 AM]
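Added example (not from this thread or any of its posters): a Python script that takes the output of the two commands from steps 3 and 4 above, `netstat -nao` and `tasklist`, pasted in as text, and reports the PID and image name of every process holding a connection to port 25 (465 and 587 are included as well) on a non-private address. The sample output, the address 203.0.113.7 and the image name winupdt32.exe are constructed for the demonstration, not taken from the thread; `run_live()` assumes it is run on a Windows box with both commands on the PATH.

```python
import ipaddress
import re

SMTP_PORTS = {25, 465, 587}                    # 25 is the port the thread is about
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}  # the local process opened the connection

# Not "external": RFC 1918, loopback, link-local, unspecified. Listed explicitly rather
# than using ip.is_private so the 203.0.113.0/24 documentation range in the constructed
# sample counts as external.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """'192.168.1.10:1043' -> ('192.168.1.10', 1043); also handles '[::1]:25' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:            # '*' or a hostname: nothing we can classify
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -nao` output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            (proto, local, remote, pid), state = parts, ""
        else:
            continue
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "remote": split_endpoint(remote), "state": state, "pid": int(pid)})
    return rows


# tasklist columns: Image Name, PID, Session Name, Session#, Mem Usage (e.g. "3,212 K")
_TASKLIST_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name; names such as 'System Idle Process' contain spaces."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name").strip()
    return procs


def find_outbound_smtp(netstat_text, tasklist_text):
    """[(pid, image_name, remote_host, remote_port)] for every TCP connection a local
    process holds toward an SMTP port on an external address."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        rhost, rport = row["remote"]
        if (row["proto"] == "TCP" and row["state"] in OUTBOUND_STATES
                and rport in SMTP_PORTS and is_external(rhost)):
            hits.append((row["pid"], procs.get(row["pid"], "<not in tasklist>"), rhost, rport))
    return hits


def run_live():
    """On a Windows host, run both commands and analyse the real output (assumes
    netstat and tasklist are on PATH; the constructed sample below does not use this)."""
    import subprocess
    netstat = subprocess.run(["netstat", "-nao"], capture_output=True, text=True).stdout
    tasks = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    return find_outbound_smtp(netstat, tasks)


# Constructed sample output (not a real capture): PID 1844 is talking to an external port 25.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1043      203.0.113.7:25         ESTABLISHED     1844
  TCP    192.168.1.10:1051      192.168.1.1:25         ESTABLISHED     1844
  TCP    [::1]:1052             [::1]:25               ESTABLISHED     600
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    884 Console                    0      4,120 K
winupdt32.exe                 1844 Console                    0      3,212 K
"""

if __name__ == "__main__":
    for pid, name, host, port in find_outbound_smtp(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({name}) -> {host}:{port}")
```

The connection to the router at 192.168.1.1:25 and the loopback one are deliberately left out of the result, since the point of step 3 is traffic leaving the LAN; a private-address hit would still be worth a look if the router is not meant to relay mail. Note that a process which only connects when Outlook runs will not be visible unless netstat is taken at that moment.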
#13
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
If it helps any, I am running a Linksys router/gateway/modem thingy which has a built in firewall.
#14
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
I don't think I've been hacked as I have a firewall and a rolling IP addy, here is the router I have
Linksys BEFDSR41W
1. "net user" = only thing I don't recognise is the support user??? although there is nothing in the user accounts to show a profile and settings etc.
2. "net localgroup administrators" = just me
3. "netstat -nao" = I have no idea what is what. If you need specific IP numbers let me know and I can get 'em.
4. Task manager = yet again I have no idea what half these things are so I could be here and I don't know it
5. Start up folders are empty for all users, no hidden files either
6. Can't see anything that stands out, mind you again I don't really know what should and shouldn't be there...
run once
lastly here's a page from the log produced by my firewall if that can tell you anything.
So to me it looks like there's no backdoor activity.
What is
Quote: "If XP, you can get the PID which is very useful in finding the trojaned program"
one last thing is that when I try to shut down I get this
Not sure if this is McAfee stopping the email or the email virus itself, I have searched for this program and it brings up several bits and pieces but nothing in caps.
I am getting more and more p!ssed at this
Thanks for the help so far
[Edited by Krade - 1/22/2004 8:40:39 PM]
[Edited by Krade - 1/22/2004 9:08:49 PM]
#15
Scooby Regular
Join Date: Apr 2003
Location: Sydney, Aust
Posts: 341
I can't find any sus proggies from your list, but that SMTP block is almost indicative of spyware.
The other thing is, the process may only show when triggered by you running Outlook, so it is intermittent. This looks like a really difficult one to get to.
It actually sounds like a keylogger.
From 134.102.96.232 to 212.158.235.181 is quite persistent, both high ports. The 134.102.96.232 is from Germany, outbound. Does that sound familiar ?
Actually, you should check sent items and other outbound for sus emails. It is really hard to help over the net, unless you know how to set up such things as sniffers and port redirectors, we can make a fake SMTP engine, and watch the contents being sent out. Failing that, you have to make a decision as to reinstall or try a different AV engine.
[Edited by prana - 1/23/2004 1:00:17 AM]
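Added example (not from this thread or any of its posters): prana mentions standing up a fake SMTP engine and watching what gets sent out. This Python sink accepts whatever message a client hands it, delivers nothing, and records sender, recipients and body so the contents can be inspected. `demo_capture()` plays both sides on loopback with a constructed message; on a real lab network you would bind the sink on port 25 of a separate host and redirect the suspect machine's port 25 traffic to it (the redirection itself is assumed here and is whatever the lab's firewall or router provides).

```python
import smtplib
import socket
import threading


def _address(line):
    """'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>' -> 'a@b' (empty string for a null sender)."""
    tail = line.partition(":")[2].split()
    return tail[0].strip("<>") if tail else ""


class SmtpSink:
    """Fake SMTP server: accepts any sender and recipient, stores every message in
    self.captured, delivers nothing. Bind it to port 25 on the lab host in real use."""

    def __init__(self, host="127.0.0.1", port=0):
        self.captured = []            # one dict per message: sender, recipients, body
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick a free port (demo only)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:           # listening socket closed by close()
                return
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        """Speak just enough SMTP (RFC 5321) for the client to hand over its message."""
        def reply(text):
            conn.sendall(text.encode("ascii") + b"\r\n")

        reply("220 sink.invalid ESMTP fake-sink")
        sender, recipients, body, in_data = "", [], [], False
        with conn, conn.makefile("rb") as lines:
            for raw in lines:
                line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
                if in_data:
                    if line == ".":                   # end of the DATA section
                        self.captured.append({"sender": sender,
                                              "recipients": list(recipients),
                                              "body": "\n".join(body)})
                        in_data, body, recipients = False, [], []
                        reply("250 OK queued (never delivered)")
                    else:                             # undo RFC 5321 dot-stuffing
                        body.append(line[1:] if line.startswith(".") else line)
                    continue
                verb = line.split(" ", 1)[0].upper()
                if verb in ("HELO", "EHLO"):
                    reply("250 sink.invalid")
                elif verb == "MAIL":
                    sender = _address(line)
                    reply("250 OK")
                elif verb == "RCPT":
                    recipients.append(_address(line))
                    reply("250 OK")
                elif verb == "DATA":
                    in_data = True
                    reply("354 End data with <CR><LF>.<CR><LF>")
                elif verb == "QUIT":
                    reply("221 Bye")
                    break
                else:                                 # RSET, NOOP, VRFY, ...: accept all
                    reply("250 OK")

    def close(self):
        self.sock.close()


def demo_capture():
    """Constructed demonstration: a client on this host plays the suspect process and
    sends one message to the sink over loopback; returns the record the sink stored."""
    sink = SmtpSink()
    try:
        message = ("Subject: keys\r\n\r\ntyped text line 1\r\n"
                   ".starts with a dot\r\nline 3\r\n")
        with smtplib.SMTP("127.0.0.1", sink.port, local_hostname="lab.invalid",
                          timeout=5) as client:
            client.sendmail("victim@example.invalid", ["drop@example.invalid"], message)
        return sink.captured[0]
    finally:
        sink.close()


if __name__ == "__main__":
    record = demo_capture()
    print(f"from {record['sender']} to {record['recipients']}:\n{record['body']}")
```

The sink answers 250 to everything it does not understand so that a client with its own SMTP engine gets as far as DATA; the message is only ever written to `captured`, never relayed, which is what makes this safe to point a compromised machine at.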
#17
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: The home of the game played with odd shaped balls
Posts: 2,037
Cheers Prana, as you've prob guessed this is all beyond me, I am gonna ask one of the IT guys at work to have a look, see if they can find it, it's that or reformat