Possible spyware/keylogger in outlook


Peter Nolan

Hi,
I am using outlook xp on win xp dell laptop...

When I send emails out I am occasionally seeing 'sending 0 of n'
emails.

This usually only occurs when sending acknowledgements for emails and
in these cases there are no acknowledgments......

I scanned using McAfee and AdAware and it showed up a keylogger
installed onto the OS disk which I have rebuilt inside the last 40
days.........I deleted the key-logger but it was in the temp folder
for my user name on the laptop.

So I think what has happened is that I have been 'bugged' by a key-
logger that was most likely delivered by email but did not get
detected by McAfee as the email was opened and it has been sending
keystrokes to whoever bugged me......(hope they have better things to
do than read my typing)......

Has anyone seen such a delivery mechanism for bugging? If so, how
would I make sure that the bug is not in any of the emails I am
opening so that I do not re-infect myself..?

Or is there any way to check outlook to see where the bug might be
being invoked?

Thanks

Peter
 
is there anything in the sent folder? Assuming the keylogger were using
outlook to send email, it would most likely be in the sent folder.

if you have all windows and office updates and do not open blocked
attachments and do not visit questionable, untrusted websites and use the
default security settings (or tighten them), you should be ok.
 
I am using outlook xp on win xp dell laptop...

When I sent emails out I am occasionally seeing 'sending 0 of n'
emails.

This usually only occurs when sending acknowledgements for emails
and
in these cases there are no acknowledgments......
<snip>

I never send (automatically or via prompt) any read receipts so this
is just a guess that Outlook doesn't count read receipts since YOU
didn't compose them. I wasn't aware that Outlook even gave you any
notification that it was sending a read receipt.

Do you have Outlook configured to automatically send read receipts
(when any sender requests them)? One of the first configuration
changes or checks you should do after installing Outlook is to ensure
that you neither automatically send read receipts nor even bother with
the prompts for them. Set Outlook to *never* send read receipts.
 
Hi All,
more on this one...

1. No..there is nothing in the sent items for the 0 of n emails being
sent....does anyone know how to track what emails are being sent
especially these 0 of 1? Can the tcp port be logged to see what is
going over it? Or can Outlook be made to log in more detail?


2. The directory that the spyware is in is "F:\Documents and Settings
\Peter Nolan\Local Settings\Temp\AAWTMP\C658777" and it is
familykeyloggersetup.exe..

Interestingly, if I open this folder in Explorer the name of the
subfolder keeps changing. I guess this is its attempt to hide...

3. I have a dual boot machine so I booted the other OS opened outlook
there and scanned using ad aware and ad aware + mcafee found the key
logger again, this time on the C drive....So it would seem to me that
the spyware is somehow attached to the outlook folder because the
instance of outlook was completely separate. Does anyone know how to
look for what programs are loaded when outlook starts up? Is there
a .ini file or something? I would think the spyware must be attached
to the startup of outlook via the folder that held the original bugged
email.

"If you have all windows and office updates and do not open blocked
attachments and do not visit questionable, untrusted websites and use
the
default security settings (or tighten them), you should be ok. "

I gather that I have received an email that had the bug in it.....they
have done a pretty good job since they avoided mcafee on the way
in...though mcafee finds it when scanned by ad aware....it is
interesting to note that mcafee does NOT find it if it is run by
itself....probably because of the changing folder name.......

4. I have not yet figured out how to make sure I can get rid of it so
no credit card numbers getting typed into this laptop any time
soon.....

All ideas most welcome....

I will also post to the mcafee site.

Thanks

Peter
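Peter asks above how to see what is loaded when Outlook starts, and whether there is a .ini file. There is none; Outlook's COM add-ins are registered under HKCU\Software\Microsoft\Office\Outlook\Addins and HKLM\Software\Microsoft\Office\Outlook\Addins, and the DWORD LoadBehavior on each add-in key (3 = load at startup) decides whether it is loaded. The script below is an added example, not code from the thread or from any product named in it: it parses a .reg export of those keys and lists the add-ins set to load at startup. The .reg text embedded in it is constructed sample data, and the add-in ProgIDs in it are made up.

```python
"""Added example: list Outlook COM add-ins from a registry export and
flag those whose LoadBehavior is 3 (load at startup).

Export the key on the affected machine with, for example:
    reg export "HKCU\Software\Microsoft\Office\Outlook\Addins" addins.reg
(repeat for HKLM) and pass the file's text to startup_addins().
The SAMPLE_REG text below is constructed; the add-in names are made up.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins]

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Example.Calendar]
"FriendlyName"="Example Calendar Helper"
"Description"="Constructed sample add-in"
"LoadBehavior"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Example.Disabled]
"FriendlyName"="Disabled add-in"
"LoadBehavior"=dword:00000002
'''

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')       # [HKEY_...\Key\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # "Name"=value


def parse_reg(text):
    """Return {key_path: {value_name: value}} for .reg export text.

    dword values become ints; quoted strings lose their quotes; anything
    else (hex:, expand strings) is kept as the raw right-hand side.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]
            else:
                keys[current][name] = raw
    return keys


def startup_addins(text):
    """Return sorted (ProgID, FriendlyName) pairs for add-ins with LoadBehavior 3."""
    found = []
    for path, values in parse_reg(text).items():
        if '\\Addins\\' not in path:      # skip the parent key and unrelated keys
            continue
        progid = path.rsplit('\\', 1)[1]
        if values.get('LoadBehavior') == 3:
            found.append((progid, values.get('FriendlyName', '')))
    return sorted(found)


if __name__ == '__main__':
    for progid, name in startup_addins(SAMPLE_REG):
        print(f'{progid}: {name} (LoadBehavior=3)')
```

A real `reg export` file is UTF-16 text, so read it with `open(path, encoding='utf-16')` before passing it in. Anything listed that you did not install yourself deserves a look at the DLL its InprocServer32 key points to; an add-in is only one of several places a program can hook into Outlook's startup, so an empty list does not prove the machine is clean.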
 
The best way to remove it is to reformat. Yeah, it's a lot of work, but it's
the only way you'll know for sure that it's gone.

Are you sure it came in via an email? Based on both the file name and
google, it looks like a spy program a suspicious spouse or parent would
install.
http://www.google.com/search?q=familykeylogger

Outlook does not load via an ini file. How that particular keylogger works
is something those who frequent security forums would know.
 
Additionally, I would inquire of my family members who have access to your computer what they had in mind when installing this piece of spyware. Sounds like there may be a trust issue there.

See http://www.spywareremove.com/removeFamilyKeyLogger.html for how to thoroughly remove this.

Then password protect your computer with a screensaver you can kick in automatically when you leave your computer and set a password on it.

I have created a simple shortcut to lock my computer when I leave it at work (no need to use it at home, cats don't have access to my desktop, they have their own laptops!) - then drag it to your quick launch bar:

%windir%\system32\rundll32.exe user32.dll,LockWorkStation

Works on Windows XP, not sure about Windows Vista.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

 
This isn't a key logger problem at all. I don't know why but all Outlook
2007s actually say they are sending whatever number of how many emails. I
sometimes see 24 of 26 and I am sending only 2 emails. Not sure what it is
all about but I know it is not spyware or otherwise related.
 
Diane,

Not even reformatting gets rid of everything. If someone wants to be THAT
paranoid, they really should dump the old drive and put a new windows on a
new hard drive not touched before assuming they are using legal windows
disks. However, if you are going to be that paranoid about things that may
get into your computer, the best advice is never to turn it on. That way
nothing gets into it.

Me, I like to live dangerously and turn mine on! :)
 
Reformatting will remove the bad stuff that affects the typical user. No
paranoia required. :)
 
Sorry, no. It doesn't get rid of everything. You don't have to believe me
though. Google is your friend.
 
Diamontina Cocktail said:
Sorry, no. It doesn't get rid of everything.

Would you like to explain just WHAT reformatting does NOT get rid of?
(As a Systems accountant of some 20 years standing I would be very
interested to hear this....)
 
Diamontina Cocktail said:
Sorry, no. It doesn't get rid of everything. You don't have to
believe me though. Google is your friend.

Cite just ONE of the Google references that supports your claim.
 
Diamontina Cocktail said:
This isn't a key logger problem at all. I don't know why but all
Outlook 2007s actually say they are sending whatever number of how
many emails. I sometimes see 24 of 26 and I am sending only 2 emails.
Not sure what it is all about but I know it is not spyware or
otherwise related.

When people have more than one account, Outlook calculates those numbers
incorrectly.
 
Gordon said:
Would you like to explain just WHAT reformatting does NOT get rid of?
(As a Systems accountant of some 20 years standing I would be very
interested to hear this....)

Boot block for one and other areas of the hard disk you consider out of
reach that are there, nevertheless. However, as I said, if you want to know
more, Google it.

Having been a "Systems accountant of some 20 years" then you should know
that about Google! :)
 
Diamontina Cocktail said:
Boot block for one

Umm AFAIK "boot block" is a piece of code in the BIOS (which is resident on
the Motherboard NOT the HDD) and so is not affected by reformatting
anyway...
 
Brian Tillman said:
When people have more than one account, Outlook calculates those numbers
incorrectly.

Ahh is THAT why? I never knew exactly why but I knew it was nothing any
spyware or other nasty was doing. Thanks for that.
 
Gordon said:
Umm AFAIK "boot block" is a piece of code in the BIOS (which is
resident on the Motherboard NOT the HDD) and so is not affected by
reformatting anyway...

Not true. The boot block is an area on the disk itself to which the
bootstrap code in the BIOS passes control after reaching the end of its own
code. Often there is more than one boot block on the disk so that in the
event one is lost, the disk is still bootable, but that depends on the
operating system.

Nonetheless, a repartition of the disk erases the prior boot block and a new
format restores a new copy, so Diamontina is wrong as well.
 
Gordon said:

From Microsoft's Knowledgebase:

On Intel-based computers, the system BIOS controls the initial operating
system boot process. After the initial Power On Self Test (POST) when
hardware components are initialized, the system BIOS identifies the boot
device. Typically, this is a floppy disk or a hard disk. In the case of the
hard disk, the BIOS reads the first physical sector on the disk, called the
Master Boot Sector, and loads an image of it into memory. The BIOS then
transfers execution to that image of the Master Boot Sector.

From Wikipedia:
A boot sector (sometimes called a bootblock) is a sector of a hard disk,
floppy disk, or similar data storage device that contains code for booting
programs (usually, but not necessarily, operating systems) stored in other
parts of the disk.

I can cite as many sources as you wish, including my own Computer Science
degree courses, indicating that the "boot block" or "boot sector" is on the
disk.
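The two citations above describe the first physical sector of the disk: 446 bytes of bootstrap code that the BIOS jumps to, a 64-byte table of four partition entries, and the 0x55 0xAA signature in the last two bytes. The script below is an added example, not code from the thread, that parses a Master Boot Record image laid out that way and hashes its code area, the check a defender would use to confirm whether the boot sector has been rewritten since a known-good baseline was taken. The 512-byte image it parses is constructed inline rather than read from a real disk.

```python
"""Added example: parse a classic 512-byte Master Boot Record (boot sector).

Layout:
  bytes   0-445  bootstrap code (the BIOS loads the sector and jumps here)
  bytes 446-509  four 16-byte partition entries
  bytes 510-511  signature 0x55 0xAA
The MBR built by make_sample_mbr() is constructed sample data.
"""
import hashlib
import struct

ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b'\x55\xaa'


def make_sample_mbr():
    """Build a constructed MBR: a few opcode bytes, then one active NTFS partition."""
    boot_code = b'\xfa\x33\xc0'                # cli; xor ax,ax (placeholder code)
    boot_code = boot_code.ljust(446, b'\x00')
    entry = struct.pack(ENTRY_FMT, 0x80, b'\x01\x01\x00', 0x07,
                        b'\xfe\xff\xff', 63, 2097152)
    table = entry + b'\x00' * 48               # remaining three slots empty
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Describe an MBR image; raise ValueError if it is not a valid boot sector."""
    if len(sector) != 512:
        raise ValueError('MBR must be exactly 512 bytes')
    if sector[510:512] != SIGNATURE:
        raise ValueError('missing 0x55AA boot signature')
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                           # empty slot
        partitions.append({'index': i, 'bootable': status == 0x80,
                           'type': ptype, 'lba_start': lba, 'sectors': count})
    return {'boot_code_sha256': hashlib.sha256(sector[:446]).hexdigest(),
            'partitions': partitions}


def boot_code_changed(sector, baseline_sha256):
    """True if the bootstrap code area differs from a previously recorded hash."""
    return parse_mbr(sector)['boot_code_sha256'] != baseline_sha256


if __name__ == '__main__':
    mbr = make_sample_mbr()
    info = parse_mbr(mbr)
    print('boot code sha256:', info['boot_code_sha256'])
    for p in info['partitions']:
        print(f"partition {p['index']}: type 0x{p['type']:02x}, "
              f"LBA {p['lba_start']}, {p['sectors']} sectors, "
              f"{'bootable' if p['bootable'] else 'not bootable'}")
```

On a live system the same 512 bytes come from the raw disk device (for example `\\.\PhysicalDrive0` on Windows, opened with administrator rights, or `/dev/sda` on Linux); hash the code area once on a known-good machine and compare later. Note that repartitioning or a full format rewrites this sector, which is the point Brian makes above, so the baseline has to be retaken after such an operation.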
 