mail scanning tray icon show strange thing...

system · 2007-10-09T15:26:16.000Z

When the email client (TB 2.0.0.6) receives mail and i place the mouse arrow over the icon it shows :

avast! mail scanner [iamthewhiterabbit.net]

Is it OK?

Thanks
Roy

DavidR · 2007-10-09T16:30:49.000Z

Forget that it is showing strange things, what is more important is were you sending or receiving email at the time ?
Are any of the emails that you received from a sender at iamthewhiterabbit.net ?

The white rabbit gallery contains works that are adult in nature. Please use discretion when entering

This could mean that there is spam coming into your inbox trying to get you to visit the above site.

The avast email icon only appears when avast is scanning email. If you weren’t receiving or sending email it could be an indication that you have an undetected trojan spambot on your system.

system · 2007-10-10T08:55:00.000Z

It shows only when i send / receive mail from the server where my websites are located.
I have checked my PC with several programs and it is clean of any trojans and bots.
Also, non of the mail i receive is coming from iamthewhiterabbit.net.
Where avast is taking that domain name from?
Roy

alanrf · 2007-10-10T09:28:30.000Z

David,

sorry to disagree but the mouseover of the avast tray icon for email will never have anything to do with who an email is coming from or going to. It will only ever show the name of a server that avast is making an email connection to (either to receive email from that server or to send mail to that server).

To be clearer - if the mouseover ever shows the name of a server you have not deliberately selected in your mail client to send to or receive from then you are in trouble.

The only exception to this, as we have discussed before, is when you are using a P2P client connection to a server where you have been told to use a well known email port for the P2P connection.

DavidR · 2007-10-10T13:10:54.000Z

Thanks Alan.
That is what I thought (trouble) if the address is not one of your email account/s servers more so in this case when the domain refers to an adult site.

The strange thing being that this is happening when royroy is connecting to send or receive email and not as we would normally see connections outside when the user is connecting to their email server/s if this were a trojan spambot.

@ royroy
So to exclude the exception, are you using a P2P application and if so what one ?
I won’t ask if you may have visited the iamthewhiterabbit.net site in the past.

Lisandro · 2007-10-10T13:31:46.000Z

royroy, it will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

If you still detecting any strange behavior or even you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

Also, if you still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

system · 2007-10-10T17:11:54.000Z

DavidR,
I use Shareaza and for one day this week I have installed and used eMule too. I don’t know since when iamthewhiterabbit.net is there. I only noticed it two days ago.
As for the question you didn’t ask I have never heard of this site before.
Do you think that Shareaza is responsible for that?
Thanks

Tech,
I scanned my pc with RootkitReviler, adsspy, avg, system mechanic, spybot, ad-aware and avast and found nothing. it’s clean.

Thanks
Roy

DavidR · 2007-10-10T17:25:03.000Z

What Alan was alluding was that there is a P2P application that has a setting where by it uses one of the email ports for communication, this causes avast to attempt to scan that communication, but it fails as it isn’t using email protocols.

As far as I’m aware Shareasza and email use P2P ports and not any of the email ports, 25, 110, 119 or 143.

So I’m still at a loss as to why you are seeing this. The RootkitRevealer is a fine tool but it isn’t that much use as it just reports data that requires analysis and doesn’t detect, so it isn’t very user friendly.

Lisandro · 2007-10-10T18:16:28.000Z

royroy post:7:

It’s clean.

Roy, please, HijackThis log and RunScanner log could help the virus experts here to say the ‘final’ word about the health of the computer.

system · 2007-10-10T21:20:20.000Z

Tech

I have attached the two logs you asked for.

Thanks for your time.

Roy

DavidR · 2007-10-10T21:36:50.000Z

I don’t see anything obvious in your HJT log and I’m not familiar with the runscanner logs.

However, you appear to have a very old JAVA version that could leave you vulnerable, the latest is JRE version 1.6.0_03.

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

Ensure you have the latest version of JRE (JAVA Runtime Enviroment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp

You also appear to have some remnants of Symantec.

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

alanrf · 2007-10-10T21:56:26.000Z

The issue with P2P is not the product you use.

The issue is that the peer you are connecting to decides which port they want you to connect to them on. So if they happen to be hosted on whiterabbit.net and they tell you they are listening on port 110 or 25 or 143 then that would be the connection you make and avast will scan it. The Internet Mail scanner icon will appear in the tray and the mouseover will tell you it is connected to whiterabbit.net.

DavidR · 2007-10-10T23:08:41.000Z

OK.
However as I said earlier, "the strange thing being that this is happening when royroy is connecting to send or receive email and not as would be the case if it were malware or as suggested by you P2P related as in the connection is established based on their settings.

So we need royroy to confirm that there was no P2P activity at the time this was going on at that time. I don’t know how he would do that as I don’t use P2p applications, though I would have thought that there would be some form of stats, etc.

alanrf · 2007-10-10T23:56:02.000Z

Most of the P2P applications have some form of logging (indeed sufficient to cause trouble enough to avast that at least one P2P product was removed from the avast scanner).

system · 2007-10-11T04:44:30.000Z

Question about anti spyware :
I know that Avast! is also good at detecting spyware but when it comes a true antispyware scanner, is AVG supposed to be better than Adaware 07 or do most of the well known Anti-spyware applications have strengths & weakness?

Lisandro · 2007-10-11T13:01:56.000Z

E post:15:

Question about anti spyware :
Is AVG supposed to be better than Adaware 07 or do most of the well known Anti-spyware applications have strengths & weakness?

Well, both are true.
AVG is better than Ad-aware in a lot of points, including detection rate and nowadays, the update speed.
And, the second, any application has strengths & weakness… 8)

system · 2007-10-11T16:48:58.000Z

Oh I see, ok Ill try somthing different.

system · 2007-10-12T05:52:13.000Z

mystery solved… I have contacted the web hosting company and asked them to check this on their side…
their answer was "… That means that the reverse DNS name assigned to your servers IP is still
‘iamthewhiterabbit.net’. (Previous owner of this IP) Use the “Reverse DNS Request”
tool at ".

So it seems that avast refers to the PTR value of the server the email client connect to.

DavidR · 2007-10-12T14:20:42.000Z

Thanks for the update panic over.

I would certainly get on that Reverse DNS Request tool asap as I wouldn’t want my IP address associated with any adult content site.

Announcements