We've been using Ad-aware (now V6.0) for a while -- it's free, we're cheapskates, it's been very effective, so everything's OK. Until now, nearly every time one machine logs on, an email is sent, usually within the first 180 secs. The only reason we know an email is sent is that Norton kicks in and scans.
Norton scans are all clean
Ad-aware does not show any traces
No record is left in Outlook's sent folder.
I'm stumped. Any advice?
TIA
Rich
But just a note about Norton AntiVirus. I could NOT get NAV 2003 to scan inside system volume or some hidden, system directories. I went to some online scanner and it found one virus that was hidden in some system directory EVEN though I have set it so that my WinXP HIDES all system files. Norton doesn't even search any hidden or system files/maps if you don't make them visible in WinXP. That sucks. Even more: I located the infected file with Norton, I directly loaded it in NAV, but it didn't find the virus. Definitions were totally new.
I was very surprised about this, that some online scanner found a virus that NAV 2003 didn't. So try some online scanner (I forgot which one I used. Was it Sophos or Panda?)
I think that the problem was more that NAV could not find this file, and not so much that it would not find the virus in the file. These hidden and system attributes confused it, even when I directly chose that file.
I'm not sure the reasoning behind thinking it was spyware causing this?
Daizy
Could it be something else?
How do you have your mail preferences set? If you are using IE then you may have not disabled the automatic sending of receipts for emails asking for such a receipt.
Try checking your settings, it could be the reason you are sending emails that are not appearing in your sent folder.
Something sounds terribly odd there. I'd be more inclined to think it's a setting in Norton's then.
As has already been suggested, install ZoneAlarm, and see what's trying to get out of your computer.
Just to be clear....... you've done the online scan?
Daizy
We took JonB's advice; here are the findings -- everything seems to be cleared -- from the findings we suspect that it's Alexa which is causing the problem. The question is what information are they sending out?
Found after installing spybotsd12.exe
Company: Alexa Internet
Product: Alexa Toolbar
Threat: Spyware/BHO/Unstable
Company URL: [info.alexa.com...]
Company product URL: [download.alexa.com...]
Company privacy URL: [alexa.com...]
Functionality
Internet Explorer toolbar providing additional information and related links about visited websites.
Description
The privacy statement says it all. They are storing quite a lot of information, including personal data like accounts (if account data is used in URL). They give other companies access to their databases; those may only use the data to what it was retained for. The statement says what the data was retained for, but doesn't give exclusions what it isn't retained for.
Privacy Statement
ALEXA COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW, THE DATA YOU ENTER IN ONLINE FORMS AND SEARCH FIELDS WHILE USING THE ALEXA SOFTWARE, AND, WITH VERSIONS 5.0 AND HIGHER OF THE BROWSER COMPANION SOFTWARE, THE PRODUCTS YOU PURCHASE ONLINE. ALTHOUGH ALEXA DOES NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY ALEXA USER, SOME INFORMATION COLLECTED BY THE SOFTWARE IS PERSONALLY IDENTIFIABLE. ALEXA AGGREGATES AND ANALYZES THE INFORMATION IT COLLECTS TO IMPROVE ITS SERVICE AND TO PREPARE REPORTS ABOUT AGGREGATE WEB USAGE AND SHOPPING HABITS.
[...]
We employ other companies and individuals to perform functions on our behalf, such as technical support services. To perform those functions, it may be necessary for them to obtain access to Alexa’s databases and servers, which may contain personally identifying information about users. They may not use such access or information for any purpose other than that for which they are retained.
Company: -
Product: Alexa Related
Threat: Possible Spyware
Description
The "Show related links" function of Internet Explorer opens a Microsoft search page that redirects to Alexa. Alexa is known for the Alexa toolbar. As the Alexa toolbar is classified as spyware, the Alexa search page may collect too much user information as well.
If other products still detect Alexa after you have cleaned it with Spybot-S&D, it is a false alarm. Spybot-S&D does replace the file responsible for connecting to Alexa with one using the Google related function instead, instead of deleting the whole "Show related links" function.
Company: Microsoft
Product: Internet Explorer
Threat: Security hole
Company URL: [microsoft.com...]
Company product URL: [microsoft.com...]
Company privacy URL: [microsoft.com...]
Description
There's a security hole in IE allowing websites to execute code without asking you first. You can find more information at [security.greymagic.com...]
Company: Engage, Inc.
Product: Cookie
Threat: Tracking cookie or cookie of tracking site
Company URL: [engage.com...]
Company privacy URL: [engage.com...]
Description
Targeted advertisement. Fair enough, they state they don’t keep the recorded IP. But they don’t need to if they save a unique ID in their cookie.
Privacy Statement
What anonymous information is collected on this site?
Anonymous clickstream information is collected for every visitor to this site. This includes pages viewed, date and time, and browser type. […]
How does this site use cookies?
Engage uses cookies to identify your browser as you visit pages on the Engage site or sites in the Engage media network. Cookies allow Engage to gather anonymous clickstream information. Cookies also allow Engage to provide more relevant, targeted advertising as you travel through sites in the Engage media network.
Company: Enliven
Product: Cookie
Threat: Tracking cookie or cookie of tracking site
Company URL: [enliven.com...]
Company privacy URL: [enliven.com...]
Description
A unique number and the IP would be enough for me to call it tracking; but to also save search terms is even worse.
Privacy Statement
Cookies
A cookie is a small text file that a Web site can store on a user's PC on a temporary or a permanent basis. The cookie set by Enliven when an advertisement is served to your computer contains only an anonymous, randomly generated unique identification number. Cookies by themselves (and especially those containing only anonymous ID numbers) cannot be used to find out the identity of any user.
At the point of getting a request for an ad from the Web page a user visits, Enliven collects the following data related to the current advertising transaction: IP address, Enliven cookie number, the Web page from which the ad is requested, Search Terms (if in a search context), Browser type, and Operating System type. […] We will update this privacy policy if our data collection and usage practices ever change.
Alexa: IE menu extension (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-1563985344-842925246-500\Software\Microsoft\Internet Explorer\MenuExt\Get Alexa Data
Alexa: IE menu extension (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-1563985344-842925246-500\Software\Microsoft\Internet Explorer\MenuExt\Alexa Web Search
Alexa Related: What's related link (Replace file, nothing done)
C:\WINNT\Web\RELATED.HTM
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1563985344-842925246-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3
DSO Exploit: Data source object exploit test (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}
Engage, Inc.: Tracking cookie or cookie of tracking site (File, nothing done)
C:\Documents and Settings\Administrator\Cookies\administrator@engage.everyone[2].txt
Enliven: Tracking cookie or cookie of tracking site (File, nothing done)
C:\Documents and Settings\Administrator\Cookies\administrator@ads.enliven[1].txt
Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-606747145-1563985344-842925246-500\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=
Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=
--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi
Also installed
Permanent Internet Explorer Immunity
[msn.mcafee.com...]
----------
Program Characteristics
This is a spyware application. It is not a virus or trojan, but is classified as a "potentially unwanted program" and may be detected accordingly with VirusScan 7 when scanning for potentially unwanted programs. The keylogger is designed to monitor system use. Information gathered includes:
Typed keystrokes including passwords
Screen shots
Websites visited
Windows clipboard
Logged information may be emailed to a specified address, or FTPed to a specified account. Additionally the program attempts to run hidden and bypass firewall programs.
--------------
After resetting Zone Alarm it now caught.
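
Added example, not part of the thread or of any tool mentioned in it: the check the thread converges on (watching what connects out to a mail or FTP server, especially within the first 180 seconds after logon) written as a small script over a connection log. The log format, the sample lines, the program name `svchlp.exe` and the allow-list are all constructed for illustration; this is not ZoneAlarm's own log format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: timestamp, event, program path, destination IP, destination port.
# svchlp.exe is a made-up name standing in for an unknown program.
SAMPLE_LOG = """\
2003-03-17 08:59:40,LOGON,,,
2003-03-17 09:00:05,OUT,C:\\Program Files\\Internet Explorer\\iexplore.exe,192.0.2.10,80
2003-03-17 09:01:12,OUT,C:\\WINNT\\system32\\svchlp.exe,198.51.100.7,25
2003-03-17 09:20:00,OUT,C:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE,203.0.113.5,25
2003-03-17 13:00:00,LOGON,,,
2003-03-17 13:02:10,OUT,C:\\WINNT\\system32\\svchlp.exe,198.51.100.7,21
2003-03-17 13:10:00,OUT,C:\\WINNT\\system32\\svchlp.exe,198.51.100.7,25
"""

EXFIL_PORTS = {21: "FTP", 25: "SMTP"}   # "emailed ... or FTPed" in the quoted write-up
EXPECTED_SENDERS = {"outlook.exe"}      # assumption: only Outlook should send mail here
LOGON_WINDOW = timedelta(seconds=180)   # "within the first 180 secs"


def unexpected_senders(log_text, window=LOGON_WINDOW):
    """Return outbound mail/FTP connections made by programs not on the allow-list."""
    last_logon = None
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        stamp, event, path, dest, port = row
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event == "LOGON":
            last_logon = when
            continue
        if event != "OUT" or int(port) not in EXFIL_PORTS:
            continue
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_SENDERS:
            continue
        secs = int((when - last_logon).total_seconds()) if last_logon else None
        hits.append({
            "program": exe, "dest": dest, "port": int(port),
            "secs_after_logon": secs,
            "near_logon": secs is not None and secs <= window.total_seconds(),
        })
    return hits


if __name__ == "__main__":
    for hit in unexpected_senders(SAMPLE_LOG):
        print(hit)
```

A program that shows up with `near_logon` set on every logon and is not the mail client matches the symptom described at the top of the thread, including the missing entries in Outlook's sent folder.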