mysterious e-mails

Thread: mysterious e-mails

  1. #1
    Senior Member (Join Date: Jun 2004, Posts: 460)

    mysterious e-mails

    Greetings, recently I got a link from a friend that brought me to a program that makes macros, called Marco. You can find it at this link: http://www.rstxt.150m.com/ezmac.zip

    My friend recommended it so I trusted that the program was OK. After I installed it I noticed my Norton Antivirus scanning outgoing messages. This didn't look right so I uninstalled the program. Has anyone ever dealt with this macro creator, and what information was it sending out? I am afraid that some of my passwords may have been compromised because it started sending messages AFTER I typed one in...

    The other thing is that now it is uninstalled, something is still sending strange messages out. Almost like it is recording everything I type and sending it out...
    find / -name "*your_base*" -exec chown us:us {} \; | Trust No One | Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  2. #2
    AntiOnline n00b (Join Date: Feb 2004, Posts: 666)
    Hi

    No, I don't know anything about that program..never seen it before...it might have installed a backdoor on your system.

    Hey, Norton Antivirus scanning outgoing packets? When did Norton Antivirus start doing that? I don't think antivirus scans for outgoing packets....... you mean firewall...if you are using a firewall, block the outgoing request for connection........I didn't get it, can you explain a bit what messages you are talking about....

    Try netstat and netstat -a at the command prompt and see if there is some extra port listening....or an established connection.........

    And do you have a packet sniffer installed ....if yes you can check the outgoing packets......where they are intended, and their source port.....etc.....

    Try scanning with Ad-Aware because it might have installed a keylogger to log your keystrokes and then send them to the destination.

    And it might be a worm sending random messages from your computer. Try.. Norton Antivirus..and a good trojan remover..like MooSoft The Cleaner......

    --Good Luck--

  3. #3
    Senior Member (Join Date: May 2002, Posts: 147)
    He said it was scanning outgoing messages, as in email messages.

    First of all, get a firewall, so you can block the program's access to the internet...just disallow anything you don't recognise. Beware that it may try to pretend it's a legitimate program, so check carefully.
    Mama always said, keep your virus definitions up to date.

  4. #4
    AntiOnline n00b (Join Date: Feb 2004, Posts: 666)
    Oopsy, my bad. Sometimes my eyes go faster than my brain...Sorry..

    Looks like you are probably infected with a worm or trojan.......there are currently many worms propagating around that send out mass mails......I would suggest you download DiamondCS TDS-3 (Trojan Detection System) or MooSoft The Cleaner.........and yes, installing a firewall and restricting the program's access to the internet is also a good option........But if you have malware you would have to get rid of it........

    Check all the running processes........If you find any suspicious process, Google for it......and also check what processes are starting at startup.....if there is any suspicious process starting up, stop it from starting.......But the malware can always use the name of a legitimate process, making it harder to recognise.........Get scanning........with an antivirus and Ad-Aware; do not forget to update them first...............

    --Good Luck--

  5. #5
    Junior Member (Join Date: Jun 2004, Posts: 11)
    hmmmmmmmmm
    I guess it's a worm, maybe Blaster or Sasser, because McAfee detected the same for me. I mean when I got the worm McAfee detected lots of emails being sent from random unknown email IDs, maybe more than 500 per minute. I guess that's the way they spread. So just get a security patch or a worm remover from mcafee.com or symantec.com. I am sure you will find one.
    Aladdin

  6. #6
    Senior Member (Join Date: Jun 2004, Posts: 460)
    I downloaded and installed ZoneAlarm; however, before I did I was able to catch it sending another message out as soon as the computer started -- according to netstat, the server it was connecting to is:

    smtp-2.hotpop.com:smtp

    Furthermore, I have identified 4 processes that I could not identify upon first sight:

    ccevntmgr.exe (started by system)
    carpserv.exe (started by my user)
    vcddaemon.exe (started by my user)
    scescomm.exe (started by my user)

    I did an Ad-Aware/Spybot/SpywareBlaster run last night as well as an hour ago and nothing was picked up. Furthermore, I have done a full system scan with Norton Antivirus and nothing was picked up.

    Right now I am safe (I believe) but I would like some help in finding this process in order to expose it.

    thanks

  7. #7
    The Doctor Und3ertak3r (Join Date: Apr 2002, Posts: 2,743)
    But have you d/l TDS or The Cleaner? You really do need to get one of these in and scan your machine.. at this point don't trust jack from a Norton scan..
    You are on the right track looking for "strange filenames".

    My recommendation:

    d/l to its own folder, then run a scan with HijackThis, save the log and post a copy of that log here. (Make sure that "View All Files" is enabled in Windows Explorer.)
    Turn OFF System Restore.
    Run a scan with TDS or The Cleaner. (Don't wait for us to analyse your HJT log.)
    Disconnect your LAN and/or modem cables.
    Run MSCONFIG.. disable ALL your startup items.. and restart..
    Run MSCONFIG again.. check the startup list.. any re-enabled? If there are.. suspect them.. any new entries that are enabled.. hehe, we are going to have a little fun..

    probably too much for one post..

    A handy prog to try is TCPView..

    Also I had a look at the web site associated with the prog.. I don't know what to make of it.. Bloody **** layout.. certainly in IE and Firefox.. makes me suspicious of anything I would get from that site.. certainly not software from a professional outfit.

    ccevntmgr.exe......at first glance this is a part of NAV..
    carpserv.exe .......looks ok
    vcddaemon.exe ...could be from CloneCD.. you will have the following folder: "Elaborate Bytes"
    scescomm.exe...... I have no information on this one..

    Cheers

    BTW: a quick Google found this:
    http://www.americansys.com/ezmacros.htm
    The screenshot used on the Marco d/l is the same.. I am going to check the original file to see what it is..

    BTW the http://www.rstxt.150m.com/ site is a FREE hosted site..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member (Join Date: Jun 2004, Posts: 460)
    I found out that this person has now become a member here and has created a user/thread... it is posted here. ZoneAlarm also caught this:

    refer to attached screenshot

  9. #9
    The Doctor Und3ertak3r (Join Date: Apr 2002, Posts: 2,743)
    I get the feeling that those emails that left your machine are starting to be used. Check this thread:

    http://www.antionline.com/showthread...hreadid=258946

    Cheers

    Looks like a keylogger..

    I would trust your instincts next time, not your friend's..

    We posted at the same time..

    Here is a copy of the other post:

    AntiOnline - Maximum Security for a Connected World - Microsoft Internet Explorer
    j[Home][End][Ctrl]
    mys
    mysterious e-mails
    Greetings, recently i got a link from a friend that brought me to a programs [Backspace][Backspace] that makes mar[Backspace]cros. you can find it at this link: [Ctrl][Ctrl][Left][Right] i thouth[Backspace][Backspace]ght the page looked fishy, but my frend [Backspace][Backspace][Backspace]i[Backspace][Backspace]iend reccomennded it so i trusted that the program was OK. ra[Backspace][Backspace]After in [Backspace][Backspace] installed it i noticed my norton antii[Backspace]vifu[Backspace][Backspace]rus sending out [Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace][Backspace]scanning outgoing messages. this didn't look right so i uninstalled the t[Backspace]program. have [Backspace][Backspace][Backspace]s anyone d[Backspace]ever delt with this macro creator, and [Ctrl]

    Seems the writer wants to talk with you..

  10. #10
    The Doctor Und3ertak3r (Join Date: Apr 2002, Posts: 2,743)
    HMM, you do need to find and stop the following process:

    Exploer.exe

    It looks like Explorer.exe at first glance..
    Start up in safe mode.. and look for this file.. and RENAME it.
    Then.. run regedit and search for that file name.. if it lives in HKLM/software/microsoft/windows/currentVersion/run just delete that entry.. but anywhere else it is mentioned.. GET THAT HJT LOG POSTED..
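As an added example (not code from anyone in this thread), the two clues raised in posts #6 and #10 turned into repeatable checks: parse `netstat -a` output for outbound SMTP connections to hosts other than your own mail server, and compare running process names against a list of core Windows binaries to catch near-miss spellings such as Exploer.exe. The netstat text, the allowed mail host and the known-process list are constructed here; only the hotpop host name and the four process names come from the thread.

```python
# Constructed `netstat -a` output modelled on post #6 (the hotpop host name
# is from the thread; the local machine name and ports are made up).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    mypc:1045              smtp-2.hotpop.com:smtp   ESTABLISHED
  TCP    mypc:1046              www.antionline.com:http  ESTABLISHED
  TCP    mypc:1047              mail.myisp.example:smtp  ESTABLISHED
  TCP    mypc:netbios-ssn       mypc:0                   LISTENING
"""
# Hypothetical: the only mail host this machine should be talking to.
ALLOWED_MAIL_HOSTS = {"mail.myisp.example"}
# Core Windows process names that a lookalike would try to imitate.
KNOWN_PROCESSES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe"}

def unexpected_smtp(netstat_text, allowed=ALLOWED_MAIL_HOSTS):
    """Foreign hosts with an SMTP connection that are not on the allow list."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[2].rpartition(":")
        if port in ("smtp", "25") and host not in allowed:
            hits.append(host)
    return hits

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits apart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(running, known=KNOWN_PROCESSES, max_edits=2):
    """Map each unknown process name to the known name it nearly spells."""
    found = {}
    for name in running:
        low = name.lower()
        if low in known:
            continue
        close = [k for k in known if edit_distance(low, k) <= max_edits]
        if close:
            found[name] = min(close, key=lambda k: edit_distance(low, k))
    return found
```

Run `unexpected_smtp(NETSTAT_SAMPLE)` and `lookalikes([...])` on the names from post #6 plus `Exploer.exe`: only the hotpop host and the misspelt Explorer are flagged, the four unknown-but-dissimilar names are left for manual research as post #4 suggests.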
