
Thread: remote access trojan?

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    11

    remote access trojan?

    I don't know if this is the place to discuss this, but I am new and have an issue I cannot resolve. I opened an e-mail from a trusted person the other day. It was through Hotmail. When I opened the file, it proceeded to open Outlook Express. Nothing happened then. Shortly after, ZoneAlarm (firewall) started asking to grant internet access permission to Unknown Process -150670 (Find Error). I denied it. Then it asked again for Unknown Process -248223 (Find Error). Again I denied it. Now when I use my Internet Explorer, my firewall says it blocked access to my computer from 63.240.76.4:53. It blocks it about every 2-3 seconds. The source DNS is ns6.attbi.com. I have figured out that attbi is linked to "pc anywhere somehow" (remote access). I believe that someone or something is trying to connect with something on my p.c. from outside. "Spybot Search & Destroy" detected nothing. I wonder how I can find and remove what is trying to connect from my computer, or stop the site or person from trying to connect to my p.c. I also believe that the trojan(?) is trying to use other programs to access the internet. Please help if u can. I am new to this. Thanx.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Didn't you put this in another thread? (Could've sworn I've seen this elsewhere)

    Anyways, to answer your question.. try some of these:

    1) scan with Anti-virus software in a safe mode without networking method

    2) Get a trojan specific detection tool like The Cleaner

    3) File a complaint with the ISP of the source attempting to connect. Do a traceroute on the IP or a whois tool like Sam Spade (have patience as it's a little slow these days) to resolve the IP to a FQDN. Send the complaint to "abuse@isp.com" (whatever isp.com is for the "attacker").

    What makes you think it's attempting to use other programs?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    The reason I think it is trying to use other programs is because programs that I have already granted permission to are asking again, but have been modified. When I look up the destination IP, it is almost the same as the "Unknown Process -150679 (Find Error)" program that was trying to access the internet. First my antivirus autoupdate tried, then another that I cannot recall at the moment. Gonna try your advice. Although I am having trouble initiating The Cleaner download, due to my firewall I believe. I have "Window Washer". Is that comparable or should I get The Cleaner?

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrmm.. I thought that Window Washer was more of a privacy tool than a trojan detector. The Cleaner is a trojan detection tool.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Did you check with your friend to make sure it was sent by him and not by an internet worm using his name?

    Query for 4.76.240.63.in-addr.arpa type=255 class=1
    4.76.240.63.in-addr.arpa PTR (Pointer) ns6.attbi.com
    76.240.63.in-addr.arpa NS (Nameserver) ns1.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns2.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns3.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns4.itv.att.net

    These are AT&T's name servers. Are you using AT&T as your ISP? Port 53 is the standard DNS port.

    pcAnywhere uses TCP 5631 and UDP 5632.

    Do a netstat and see if anything is listening you don't know about or connections are made that shouldn't be, like 6667 to some irc.ru.

    Spybot S&D is meant to detect SpyWare/Adware; you MUST scan your computer using anti-virus software with the latest definitions.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    I meant I had Spybot... But I see that Spybot is not necessarily what I need. I ran a virus check with my antivirus software earlier after I downloaded the latest definitions. It found nothing. Will checking it in safe mode be a better option?

  7. #7
    If you're using XP, hit Control-Alt-Delete, go to View / Select Columns / check PID (Process Identifier) / OK. Then Start / Programs / Accessories / Command Prompt. Then in the Command Prompt type: netstat -ano and then match the PID #'s to the exe's in the Task Manager.
    And google the name of any suspicious exe that you do not recognize.

    Hope it helps.
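
    The netstat check suggested in posts #5 and #7, as an added example that is not part of the original thread: it parses XP-style `netstat -ano` output, lists every listener with its PID for lookup in Task Manager, and flags the ports named above (pcAnywhere TCP 5631 / UDP 5632, IRC 6667). The sample output, addresses and PIDs are constructed for illustration.

```python
# Ports named in the thread; extend the table for your own environment.
NOTABLE = {("TCP", 5631): "pcAnywhere", ("UDP", 5632): "pcAnywhere",
           ("TCP", 6667): "IRC"}

# Constructed `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       1512
  TCP    192.0.2.10:1046        203.0.113.7:6667       ESTABLISHED     1512
  TCP    192.0.2.10:1050        198.51.100.20:80       ESTABLISHED     2040
  UDP    0.0.0.0:5632           *:*                                    1512
  UDP    192.0.2.10:1040        *:*                                    1020
"""

def port_of(endpoint):
    """Return the numeric port of 'addr:port', or None for '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue
        yield {"proto": parts[0], "local": parts[1], "remote": parts[2],
               "state": parts[3] if len(parts) == 5 else "", "pid": int(parts[-1])}

def listeners(rows):
    """Every open listener as (proto, local port, pid): the list to review by hand."""
    return sorted({(r["proto"], port_of(r["local"]), r["pid"]) for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})

def flagged(rows):
    """Map PID -> notes for sockets that touch a port in NOTABLE."""
    out = {}
    for r in rows:
        waiting = r["state"] == "LISTENING" or r["proto"] == "UDP"
        port = port_of(r["local"] if waiting else r["remote"])
        label = NOTABLE.get((r["proto"], port))
        if label and (waiting or r["state"] == "ESTABLISHED"):
            out.setdefault(r["pid"], []).append(
                f"{'listening on' if waiting else 'connected to'} {label} {r['proto']}/{port}")
    return out

if __name__ == "__main__":
    rows = list(parse_netstat(SAMPLE))
    print(listeners(rows))
    print(flagged(rows))
```

    A flagged PID is only a lead: the process name behind it still has to be checked in Task Manager, since a legitimately installed remote-access tool produces the same rows.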

  8. #8
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    My friend said she sent the email, but when she sent it, it had a link. There was no link when I got it, but it was kind of large. Hey, what is a netstat and how do I do one?

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Will checking it in safe mode be a better option?
    Sometimes. Some virus/trojans start up and hide themselves (for lack of a better description) from anti-virus when running in full mode.

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    I am using Windows ME. I am just learning about this stuff so I am not sure how to check my ports or if they are open or closed or who is listening. I like to think I am somewhat comp-literate though.
