Persistent Unauthorized SSL Mail Connections

Hello,

I am having a fairly nasty problem with something that appears to be a fairly complex hijacking of my IBM Thinkpad via virus or malware. My ISP contacted me and said that my IP address and cable modem had been the source of unauthorized spam. Below I will list the steps I have taken from other sections of this forum and the persistent symptom which I am still concerned about.

Remaining symptom - four (4) SSL mail connections to accounts that are not mine, nor do I have any info about logins etc.

Steps I have taken:

  1. Installed and ran Avast AV - 6.0.1091
  2. Installed and ran MBAM - 1.50.1.1100

Avast found and removed 13 viruses
MBAM found and removed 10 malware items

I am still concerned about these four SSL connections listed under the Avast real time mail shield. Is there some further action that can insulate this laptop from any further hostile actions? Thank you.

BC

Can you post an image of the avast SSL Accounts windows ?

I have some in the SSL Accounts, for which I don’t specifically have an email account. However these are legit as I have a BTinternet email account but BTinternet email is handled by Yahoo and those are the accounts seen in the SSL Accounts, but no BTinternet account. Are they actually using SSL/TLS to connect or is the Encryption column set to None ?

These SSL Accounts are how avast is able to scan your email before sending it off to the email server (using a secure connection).

What is your ISP ?

It is possible that what was removed by either avast or mbam could well have been a spambot, but they shouldn’t have been using your email program or email accounts as to do that they would have to know your logon information.

Also the avast Mail Shield should detect multiple emails in a short time frame as part of its Heuristic checks. If you haven’t done so already set the Mail Shield Heuristic settings to High.
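The reply above explains that avast's SSL Accounts are a local mail-scanning proxy and that a spambot would need its own way to send mail rather than the user's email program. One check a defender can run on the affected PC, as an added example that is not from this thread or from avast, is to list which local processes hold connections to mail-server ports and whether any process is fanning out direct port-25 sessions to many hosts (direct-to-MX delivery, which an ordinary mail client submitting through one provider on 465/587 never does). The netstat and tasklist text below is constructed sample data in the format printed by `netstat -ano` and `tasklist /fo csv` on Windows; the process names, PIDs and addresses are invented, and on a real machine you would feed in the live output of those two commands.

```python
"""Triage which local processes hold mail-port connections (added example,
constructed sample data in `netstat -ano` / `tasklist /fo csv` format)."""
import csv
import io
import re
from collections import defaultdict

# Ports used for mail submission and retrieval.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission",
              110: "pop3", 143: "imap", 993: "imaps", 995: "pop3s"}

# Constructed sample: a legitimate mail client (1212), an unknown process
# opening many parallel port-25 sessions (3344), and unrelated web traffic.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.10:993       ESTABLISHED     1212
  TCP    192.168.1.10:49153     203.0.113.10:465       ESTABLISHED     1212
  TCP    192.168.1.10:49160     198.51.100.5:25        ESTABLISHED     3344
  TCP    192.168.1.10:49161     198.51.100.6:25        SYN_SENT        3344
  TCP    192.168.1.10:49162     198.51.100.7:25        ESTABLISHED     3344
  TCP    192.168.1.10:49163     198.51.100.8:25        ESTABLISHED     3344
  TCP    192.168.1.10:49170     203.0.113.50:443       ESTABLISHED     2020
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""

# Constructed sample; "updsvc.exe" is a hypothetical process name.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"thunderbird.exe","1212","Console","1","120,000 K"
"updsvc.exe","3344","Console","1","8,000 K"
"firefox.exe","2020","Console","1","200,000 K"
"""


def parse_netstat(text):
    """Return (pid, remote_host, remote_port, state) for non-listening TCP rows."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if not m:
            continue  # header line, UDP rows, blank lines
        _local, remote, state, pid = m.groups()
        if state == "LISTENING":
            continue
        host, port = remote.rsplit(":", 1)  # rsplit keeps IPv6 "[::1]:993" intact
        rows.append((int(pid), host, int(port), state))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, tasklist_text, smtp_burst=3):
    """Group mail-port connections by process and flag any process with
    `smtp_burst` or more simultaneous direct port-25 sessions."""
    names = parse_tasklist(tasklist_text)
    by_pid = defaultdict(list)
    for pid, host, port, state in parse_netstat(netstat_text):
        if port in MAIL_PORTS:
            by_pid[pid].append((host, MAIL_PORTS[port], state))
    findings = []
    for pid, conns in sorted(by_pid.items()):
        outbound = [svc for _, svc, _ in conns if svc in ("smtp", "smtps", "submission")]
        direct_mx = outbound.count("smtp")
        findings.append({
            "pid": pid,
            "image": names.get(pid, "<unknown>"),
            "connections": len(conns),
            "smtp_sessions": len(outbound),
            "remote_hosts": sorted({host for host, _, _ in conns}),
            # Many parallel port-25 sessions to distinct hosts is the shape
            # of a spambot delivering straight to recipients' MX servers.
            "suspicious": direct_mx >= smtp_burst,
        })
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['pid']:>6} {f['image']:<16} {f['connections']} mail conns, "
              f"{f['smtp_sessions']} smtp -> {flag}")
```

On the live machine, redirect `netstat -ano` and `tasklist /fo csv` to files and pass their contents to `triage`; a process you do not recognise holding port-25 sessions is the one to investigate (and to compare against the PIDs the avast Mail Shield is proxying for).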

Thanks for the note. My ISP is Brighthouse Cable (of Florida). I did set the heuristics to high, so far so good, but prior to the MBAM cleansing process all manner of crypt32t.dll files were quarantined in a continuous loop. No hostile activity has been noted since completing the above mentioned actions. Screenshot is below.

http://img156.imageshack.us/i/sslaccountshot.jpg/

Curiously though, I have the same version and settings of AV running on 4 other machines and none of them have the hostile SSL accounts listed.

It would appear that your ISP uses RoadRunner for its email handling and that it doesn’t require SSL, is this correct ?
I don’t know if RoadRunner subsequently hands off to Yahoo as there are no settings shown for roadrunner…

See image example for the Tampa Florida settings example.
Note I have used the Additional Options, link in the post Reply to attach my image example, this means you don’t have to host the image and we don’t have to exit the forum to view it.

If yours is different for your email account settings, it may be worth deleting these Yahoo entries in the SSL Accounts and reboot, avast would recreate any accounts that are necessary. Those that don’t actually need SSL may not be recreated so don’t be surprised if that doesn’t happen.

Many thanks on the additional options. I have tried running search queries to see if this issue has already been addressed but I don't find much mention of SSL hostile accounts. Here are some clarifying bullets:

  1. All four of my PCs are running the exact same Avast AV and MBAM
  2. All four of my PCs access the same email
  3. Three of the PCs have no SSL connections listed on the Mail Shield; the one PC that was compromised does have four SSL accounts listed
  4. I deleted all four of the SSL accounts as you suggested, but now after a reboot, all four have popped back onto the list

It seems odd; I do not use Roadrunner for any email activity, all my accounts are run through cloud hosted email platforms (hotmail, yahoo, gmail).

BC