
Help Re:


5 replies to this topic

#1 rdrnnr


Posted 26 June 2007 - 12:55 AM

I'm concerned because I have observed odd phenomena within Outlook Express while online and using OE as my email client.

The specific observation is movement within the Contacts pane that I did not initiate myself. In other words, while reading an email or composing one or doing something else, I will occasionally see (out of the corner of my eye) the highlighted email address in the Contacts pane change.

I run XP Pro SP 2 behind a Linksys cable router with NAT. I am periodically networked with another machine or two behind this NAT on my home network or at my office to my office network (same router set-up there, on a DSL connection). I don't always keep my Windows Firewall turned on, nor do I run a Third Party firewall.

I have not had virus infections or spyware trouble of any consequence, ever, over many years of computer use, in this same configuration. But this uninitiated movement from one email contact to another has me wondering.

Any suggestions?



#2 Giedrius M


Posted 26 June 2007 - 04:42 AM

You can check how many connections you have, as typically mailbombers use up as many as they can.
0. Turn off Internet Explorer and other programs
1. Go to Start -> Run
2. cmd [enter]
3. netstat [enter]

Post what you see.
My blog majauskas.com

#3 rdrnnr


Posted 29 June 2007 - 11:12 AM

Looks like only one TCP connection right now.

Interestingly enough, I did receive a Delivery Status Notification (Failure) msg in my Inbox just this morning:

"This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. dmn_nykagent@alireza.com"

The message source for the attached (returned) email -- which was a Viagra spam -- did show my email address for its Return-Path. A different (spoofed?) email address was showing as the message's Sender.

I feel violated. Now what?

#4 jgweed


Posted 29 June 2007 - 11:44 AM

A lot of spam will masquerade as a Mailer-daemon, since these can bypass your provider's spam filters. Your address may have been harvested from the internet, or more likely was taken from an address list on another person's infected computer. If you have performed anti-malware scans of your hard drive, and cannot find the E-mail in question either in your client or E-mail provider's "sent mail" box, then you can be reasonably confident you are not at fault.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 rdrnnr


Posted 01 July 2007 - 11:47 PM

More "unauthorized" movement within the Outlook Express Contacts pane.

I rechecked Netstat immediately after seeing this, and now there are four TCP connections open:

Two showed ports 1030 and 2478, with localhost 2479 and 7362 as the "foreign address." These were in "Time_Wait" state, when checked twice within a minute or so, then both dropped off.

Port 2476 appears to be in an established state to by2msg2204915.phx.gbl:1863. That connection has not changed over the past five mins or so.

Other connections showing up have been to somewhere at Google.com, and to a Windows Live ID log-in page.

I wish I knew better how to evaluate this stuff, so at least I could report more useful info. I also don't know how to cut and paste from the Command prompt window, or I'd just do that.
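
One way to sort `netstat` rows like the ones described in the post above, as an added example that is not part of the original thread. The sample text is constructed from the ports and host name quoted in the post; the machine name `mypc` and the label names are assumptions.

```python
import re

# Constructed sample in the layout printed by Windows `netstat`; the ports and
# the phx.gbl host are the ones quoted in the post, "mypc" is a placeholder.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:1030              localhost:2479         TIME_WAIT
  TCP    mypc:2478              localhost:7362         TIME_WAIT
  TCP    mypc:2476              by2msg2204915.phx.gbl:1863  ESTABLISHED
"""

# One TCP row: protocol, local host:port, foreign host:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
LOOPBACK = {"localhost", "127.0.0.1"}
# Well-known remote ports. 1863 is the MSN / Windows Live Messenger port;
# SMTP (25) is expected only while the mail client is actually sending.
KNOWN = {25: "SMTP", 80: "HTTP", 443: "HTTPS", 1863: "MSN Messenger"}

def parse(text):
    """Return one dict per TCP row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _lhost, lport, rhost, rport, state = m.groups()
            rows.append({"local_port": int(lport), "remote_host": rhost,
                         "remote_port": int(rport), "state": state})
    return rows

def triage(conn):
    """Label a row: loopback, closing, a known service name, or review."""
    if conn["remote_host"].lower() in LOOPBACK:
        return "loopback"   # two programs on the same machine talking
    if conn["state"] == "TIME_WAIT":
        return "closing"    # already finished, waiting to expire
    # Anything else is a live remote connection: name it or flag it.
    return KNOWN.get(conn["remote_port"], "review")

def report(text):
    return [(c["local_port"], c["remote_host"], triage(c)) for c in parse(text)]

if __name__ == "__main__":
    for local_port, remote, label in report(SAMPLE):
        print(f"{local_port:>5}  {remote:<28} {label}")
```

Rows labelled `review` are the ones to follow up, for instance by running `netstat -o` to get the owning process ID and matching it in Task Manager.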

#6 buddy215


Posted 02 July 2007 - 10:17 AM

Have you scanned for malware? If not, suggest you follow the directions below.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

How To start Windows in Safe Mode
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”



