Something sneaked in

Discussion in 'NOD32 version 2 Forum' started by silversurferWV, Jun 5, 2006.

Thread Status:
Not open for further replies.
  1. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Comcast blocked my port 25 today claiming that unauthorized email had been sent from my machine.

    Did a complete system scan and NOD32 found something called a Trojan Clicker and deleted it.

    I regularly use Ad-Aware along with Spybot S&D.

    What else do I need to be running to keep this kind of thing from happening in the future?
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi silversurferWV,

    Do you by chance have a dynamic IP address? Are you on dial-up or cable etc.?
     
  3. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I don't know about a dynamic address. How is that determined?

    I am connected to the Internet via a cable modem.
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You would need to check with your ISP to find out if your IP address is dynamic, static or even shared.
    I guess what I was alluding to is that although Comcast are saying it was from your machine, it could also have come from another's machine using the IP address you're currently on. There are many different reasons that may trigger an ISP to port block - it may have had nothing to do with you at all.

    Cheers :)
     
  5. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I will check with Comcast about the dynamic or static or whatever address.

    In the meantime if NOD32 did indeed let me down what other software do you recommend to supplement it?
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    A good firewall with outbound protection so you know if anything is sending data. There are several good ones around. I used to refer people to Sygate before they were over-run by another company. In the future a separate firewall will not be necessary as there is a firewall module planned for a future version of NOD32. There are still plenty of mirrors for the free-for-personal-use Sygate product. If you like, you can try some of -->THESE<-- and you might find a -->USER MANUAL<-- handy as well.
    Personally I use Lavasoft Ad-Aware SE and have done for many years although my need for it is decreasing daily. I can't remember the last time that NOD32 left it any real work to do, so since you already use that you should be covered quite nicely :)

    Cheers :)
     
  7. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    A firewall that scans outgoing traffic would probably alert you that a program is trying to send something out through port 25, before it ever gets to Comcast. The firewall that comes with Windows scans only incoming traffic, but most commercial firewall programs scan both inbound and outbound.
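    The outbound check alglove describes can also be done by hand on the host: list the established TCP connections, keep those whose remote port is 25, and flag every process that is not a known mail client. The example below is added here and is not code from the original thread; the netstat-style lines, the PID-to-image map and the process names (`suspect.exe`, `msimn.exe`) are constructed sample data, and the allowlist of mail clients is an assumption you would tailor to your own machine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of Windows `netstat -ano` output
# (proto, local address, remote address, state, PID). Not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.10:1034      64.12.138.161:25       ESTABLISHED     1640
  TCP    192.168.1.10:1035      209.85.135.27:25       SYN_SENT        1640
  TCP    192.168.1.10:1036      10.0.0.5:80            ESTABLISHED     1220
  TCP    192.168.1.10:1037      68.87.64.145:25        ESTABLISHED     988
"""

# Constructed PID -> image-name map; on a real host this comes from
# `tasklist` or `netstat -anob`. 'suspect.exe' is a placeholder name.
PROCESSES: Dict[int, str] = {1640: "suspect.exe", 1220: "iexplore.exe", 988: "msimn.exe"}

# Assumed allowlist of programs that legitimately speak SMTP
# (msimn.exe is Outlook Express). Adjust to the clients actually installed.
MAIL_CLIENTS: Set[str] = {"msimn.exe", "outlook.exe", "thunderbird.exe"}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> List[Tuple[int, str, int, str]]:
    """Return (pid, remote_host, remote_port, state) for every TCP line."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, UDP rows and blank lines are skipped
        _local, remote, state, pid = m.groups()
        rhost, rport = remote.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        conns.append((int(pid), rhost, int(rport), state))
    return conns


def unexpected_smtp(text: str, processes: Dict[int, str],
                    allowlist: Set[str], port: int = 25) -> Dict[Tuple[int, str], List[str]]:
    """Map (pid, image) -> sorted remote hosts for SMTP connections from
    processes that are not on the mail-client allowlist. SYN_SENT rows are
    kept on purpose: a spam engine that is being refused still shows intent."""
    hits = defaultdict(set)
    for pid, rhost, rport, _state in parse_netstat(text):
        if rport != port:
            continue
        image = processes.get(pid, "<unknown>")
        if image.lower() in allowlist:
            continue
        hits[(pid, image)].add(rhost)
    return {key: sorted(hosts) for key, hosts in hits.items()}


if __name__ == "__main__":
    for (pid, image), hosts in unexpected_smtp(SAMPLE_NETSTAT, PROCESSES, MAIL_CLIENTS).items():
        print(f"PID {pid} ({image}) talking SMTP to {len(hosts)} host(s): {', '.join(hosts)}")
```

    A process that is not a mail client and is fanning out to several remote port-25 hosts at once is exactly the pattern an outbound-filtering firewall would have prompted on; the allowlist is what keeps the real mail client out of the report.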
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Are you behind a firewall of any type? Or just plugged right into your Surfboard modem?

    You technically have a dynamic IP with Comcast...but your IP doesn't change too often...couple of times a month maybe. Regardless...they can track your IP no problem..they know the MAC of your modem (since you registered and they provisioned it)...so any given second of the day...they know which customer an IP address is tied to.

    You're not supposed to host a mail server..but as long as you don't "show up on their radar"...they won't take drastic measures. So for them to pick it up..you were probably pumping out some volume.
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    A previous ISP of mine just got their blacklist from some .org somewhere - you couldn't even access your own POP mail on their own servers half the time without hitting redial and hoping for a different IP address the next time. :)
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    :rolleyes: What kind of 1/2 concocted nutjob was running those servers? LOL. Wow. o_O
     
  11. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Outlook Express has a feature that is supposed to warn me when another application is trying to send email as me. I have always had that feature turned on. No warnings were issued to let me know that something was afoot the past few days or ever for that matter. Are the bad guys able to thwart this OE feature?
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    From what you have described I would be surprised if it was malware. Can you let us have some more info on the trojan clicker that NOD32 cleaned out? What was the file name and the specifics of the type of trojan clicker? You should be able to get this from your scanner logs.

    As for the baddies, it is possible that they have their very own inbuilt SMTP engine but I believe that NOD32 can detect this type of behaviour heuristically I think.
     
  13. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    F-Secure says:
    "Trojan Clicker (generic description)
    Trojan Clicker is a trojan that remains resident in Windows memory and constantly tries to connect to certain websites on Internet. This is done to fake visit counters for certain pages in order to earn more money for displaying ads on these pages."

    It seems not to send any emails. Maybe your Nod32 is misconfigured somehow, maybe it is not doing scheduled scanning? I think if this trojan had launched itself Nod would have recognized it.
     
  14. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    A trojan clicker that uses SMTP? AFAIK the way trojan clickers work it would use HTTP requests and not SMTP. I think that the threat on your computer is other than a trojan clicker. I think it might be a mass mailer or other trojan-proxy/bot relay software.
     
  15. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I should have written down the names of the files that NOD32 detected but failed to do so. It seems to me that one of them was an 8-letter alphabet soup with an extension of "qlr" or something like that. The other file was ipod.exe if memory serves.

    Since this hassle arose I've installed McAfee's personal firewall software, which is free for Comcast customers, in hopes of preventing future occurrences.

    I do not have NOD32 set for a scheduled scan. I thought that it was invincible and never expected anything to get by. Naive on my part.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You might like to have a run through this thread

    You can see various security setups within the link of my signature.

    Hope this helps...

    Cheers :D
     
  17. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Here is what I gleaned from the NOD32 scan logs:

    C:\DownLoad\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »xpkey.exe - Win32/PSWTool.RAS.A application

    C:\DownLoad\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »officekey.exe - Win32/PSWTool.RAS.A application

    C:\WINDOWS\SYSTEM32\ipod.raw.exe - Win32/TrojanProxy.Lager trojan – deleted

    C:\System Volume Information\_restore{3EBA69B7-6ACF-4703-9817-9623F5C75513}\RP183\A0020577.exe - Win32/TrojanProxy.Lager trojan – deleted

    C:\WINDOWS\SYSTEM32\mtfyxkmh.fql - Win32/TrojanClicker.Small.JS trojan - deleted
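    The five log lines above share one layout: the scanned object (with `»` separating each archive level from the member inside it), then ` - `, then the signature name, the object class, and, when the scanner acted, a second dash and the action taken. A small parser makes the distinction that matters for this thread explicit: which entries were deleted, which were only reported, and which sit inside the System Restore store. This example is added here and is not code from the thread or from ESET; the sample log is the five lines quoted in the post, reproduced as constructed input, and the class names and the `handled`/`potentially_unwanted` interpretation are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the five lines from the post above, verbatim apart from
# Python string escaping. Line 3 and 4 use an en dash before the action, line 5
# a hyphen, exactly as the forum rendered them.
SAMPLE_LOG = """\
C:\\DownLoad\\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »xpkey.exe - Win32/PSWTool.RAS.A application
C:\\DownLoad\\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »officekey.exe - Win32/PSWTool.RAS.A application
C:\\WINDOWS\\SYSTEM32\\ipod.raw.exe - Win32/TrojanProxy.Lager trojan – deleted
C:\\System Volume Information\\_restore{3EBA69B7-6ACF-4703-9817-9623F5C75513}\\RP183\\A0020577.exe - Win32/TrojanProxy.Lager trojan – deleted
C:\\WINDOWS\\SYSTEM32\\mtfyxkmh.fql - Win32/TrojanClicker.Small.JS trojan - deleted
"""

# signature, object class, optional "- action" (hyphen or en dash)
VERDICT_RE = re.compile(r"^(?P<sig>\S+)\s+(?P<kind>[A-Za-z]+)(?:\s+[-–]\s+(?P<action>\S.*))?$")


@dataclass
class Detection:
    path: str             # file on disk that the scanner opened
    chain: List[str]      # archive type / member pairs below it, innermost last
    signature: str        # e.g. Win32/TrojanProxy.Lager
    kind: str             # "application", "trojan", ...
    action: Optional[str] # "deleted" etc., or None when only reported

    @property
    def handled(self) -> bool:
        """True when the log records an action, not merely a detection."""
        return self.action is not None

    @property
    def in_system_restore(self) -> bool:
        """Copies under System Volume Information come back on a restore."""
        return "\\system volume information\\" in self.path.lower()

    @property
    def potentially_unwanted(self) -> bool:
        """Assumed convention: 'application' marks a tool, not malware proper."""
        return self.kind == "application"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one scan-log line; return None for lines that do not fit."""
    if " - " not in line:
        return None
    obj, verdict = line.split(" - ", 1)
    m = VERDICT_RE.match(verdict.strip())
    if not m:
        return None
    parts = obj.split(" »")
    return Detection(path=parts[0], chain=parts[1:], signature=m["sig"],
                     kind=m["kind"], action=m["action"])


def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def summarize(dets: List[Detection]) -> dict:
    """Counts a responder would want before deciding what is left to clean."""
    return {
        "total": len(dets),
        "handled": sum(d.handled for d in dets),
        "unhandled": sum(not d.handled for d in dets),
        "in_system_restore": sum(d.in_system_restore for d in dets),
        "potentially_unwanted": sum(d.potentially_unwanted for d in dets),
    }


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        status = d.action or "reported only"
        print(f"{d.signature:32} {status:14} {d.path}" + (f" -> {'/'.join(d.chain)}" if d.chain else ""))
    print(summarize(found))
```

    Run on the quoted log, the two key-finder entries come out as reported-only applications inside the zip (the scanner did not delete them), the three trojan entries as deleted, and one of those deleted copies lives in a System Restore point, which is the reason the later advice in this thread turns System Restore off before rescanning.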
     
  18. ASpace

    ASpace Guest



    Well, you told us the names but I don't see these deleted or eliminated :)
    I recommend you get into Safe Mode and perform a full scan and clean everything nasty, and then manually delete the whole ProductKeyFinderkf141.zip because this is malware

    First Turn System Restore OFF
    >>> Right click on My Computer->Properties->System Restore
    Check Turn off system restore. Click OK

    Second
    Download Ad-Aware SE Personal from Lavasoft
    http://www.lavasoftusa.com
    Download, install and update it

    Third Make sure your NOD32 is updated
    Start-Programs-ESET-NOD32 Control Center-Update-Update Now

    Then Configure NOD32 for "MyProfile" as shown here
    https://www.wilderssecurity.com/showpost.php?p=766371&postcount=6
    https://www.wilderssecurity.com/showpost.php?p=766370&postcount=5


    Now Boot your computer in SAFE MODE
    Do this by repeatedly typing F8 while Windows is starting before the
    Windows logo appears. Then you'll open the Windows Advanced menu where you can choose to boot the hard drive in SAFE MODE

    Open NOD32's on-demand scanner (Start-Programs-ESET-NOD32)
    and perform a full scan and clean.
    https://www.wilderssecurity.com/showthread.php?t=37509&page=3
    If you have set it to the instructions in the link above, NOD32 will automatically manage the files

    When NOD32 is ready, start Ad-Aware SE Personal
    Perform full scan and clean

    Restart and again turn your system restore ON :D

    Make sure you visit Blackspear's settings to configure NOD32 to work correctly and don't download files such as ProductKeyFinderkf141.zip


    HiTech_boy :thumb:
     
  19. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    I'd do those things too, but what if the email from Comcast is a phishing email? Just to throw that in as a caution
     
  20. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Turning off the system restore to follow your instructions troubles me. Had a bad computer day recently and SR came to my rescue when things looked the darkest.

    Will I get any benefit from your procedure if SR is left on?
     
  21. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    These say that they already have been deleted. You may also wish to check Quarantine is enabled for any future events. There is an excellent extra settings guide -->HERE<-- you may wish to look at.
    The benefit of turning off SR is that it will clear out anything malicious that Windows has made a backup copy of. Some malware also hides itself in the SR folder on purpose.
    These two are tools for discovering your MS Product install keys. They are themselves no harm so long as they are present because you intend for them to be. Note they are each detected as 'PSWTool.RAS.A application'.
     
  22. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Yes, a good thread. I went ahead and followed all the recommendations shown. A tip of the hat to Mr. Blackspear for developing this helpful and easy to follow posting.

    Will now sit back and watch how NOD32 protects my system now that it is armed to the teeth.

    Thanks for your insight and help also. Much appreciated.
     
  23. ASpace

    ASpace Guest

    No problem , you are welcome ! ;)
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure.

    Cheers :D
     