mtk4590
Outlook Express Identity Login screen pops up
I have an XP Home system and I use Outlook Express 6 and I have 2 identities set up. The problem is I'll be in a game or in Word and, without requesting it, Outlook Express is starting up and the identity login screen pops up. This can be very annoying, especially in the middle of a game, and it dumps the game to switch to OE. This is happening on a brand new load of XP Home. Could it be tied to MS Messenger?
Thanks,
Mike
ASKER
Thanks for the suggestions. I ran Spy Sweeper, Ad-Aware, Spybot and HijackThis and came up with zero spyware items. Also ran Norton AntiVirus and that also came up with zero. Could it have anything to do with the fact that I use a password-protected identity? I also have a client with the same setup and he also gets these random pop-ups of Outlook Express, and he has also checked for spyware. Any other thoughts?
Thanks.
ASKER
I ran RootkitRevealer and it found a pile of Temp internet files and a couple of Windows media files that were open when I ran the revealer. I have deleted the temp files.
Can I look at the Rootkit Revealer log file?
ASKER
Here is a copy of what RootkitRevealer found. This is the second time I ran it, after I had removed the temp files, and this is the result. I also have to admit it hasn't happened in a couple of days and seems to be random.
C:\$AttrDef 5/12/2006 9:00 AM 2.50 KB Hidden from Windows API.
C:\$BadClus 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 5/12/2006 9:00 AM 467.51 GB Hidden from Windows API.
C:\$Bitmap 5/12/2006 9:00 AM 14.61 MB Hidden from Windows API.
C:\$Boot 5/12/2006 9:00 AM 8.00 KB Hidden from Windows API.
C:\$Extend 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$LogFile 5/12/2006 9:00 AM 64.00 MB Hidden from Windows API.
C:\$MFT 5/12/2006 9:00 AM 69.88 MB Hidden from Windows API.
C:\$MFTMirr 5/12/2006 9:00 AM 4.00 KB Hidden from Windows API.
C:\$Secure 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$UpCase 5/12/2006 9:00 AM 128.00 KB Hidden from Windows API.
C:\$Volume 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060518.017\vscanmsx.dat 5/18/2006 7:24 PM 2.02 KB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0998NAV~.TMP 5/18/2006 7:26 PM 0 bytes Hidden from Windows API.
The log looks OK. Not sure why you have a $ sign inside most of the directory items. Maybe removing those Temp files has gotten rid of the rootkit.
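Added example, not part of the original thread: a small Python triage of RootkitRevealer lines like the ones posted above. The root-level entries whose names start with $ are NTFS metadata files, which NTFS hides from the Windows API on every NTFS volume, so the script sets them aside and leaves only the remaining entries for manual review. The function names and the space-separated line layout are assumptions based on the log as pasted here.

```python
import re

# NTFS metadata files at the volume root. NTFS hides these from the Windows
# API by design, so RootkitRevealer lists them on any NTFS volume.
NTFS_METAFILES = {
    "$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
    "$boot", "$badclus", "$secure", "$upcase", "$extend",
}

# Layout assumed from the pasted log: path, date, time, size, description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d.]+\s(?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ntfs_metafile(path):
    # Drop the drive prefix, keep the first component, ignore any :stream name.
    rest = re.sub(r"^[A-Za-z]:\\", "", path)
    first = rest.split("\\", 1)[0].split(":", 1)[0]
    return first.lower() in NTFS_METAFILES

def triage(log_text):
    result = {"expected": [], "review": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            result["unparsed"].append(line)   # truncated or damaged line
        elif (is_ntfs_metafile(entry["path"])
              and entry["desc"] == "Hidden from Windows API."):
            result["expected"].append(entry["path"])
        else:
            result["review"].append(entry["path"])
    return result

# Sample lines taken from the log above; the last one is cut short on purpose
# to show that damaged lines are reported rather than silently dropped.
SAMPLE = r"""
C:\$BadClus:$Bad 5/12/2006 9:00 AM 467.51 GB Hidden from Windows API.
C:\$Extend\$ObjId 5/12/2006 9:00 AM 0 bytes Hidden from Windows API.
C:\$MFT 5/12/2006 9:00 AM 69.88 MB Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0998NAV~.TMP 5/18/2006 7:26 PM 0 bytes Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060518.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```

An entry in the "review" bucket is not a verdict; it only means the line is not one of the NTFS metadata files and should be looked at by hand.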
ASKER
It must have been a hidden piece of spyware; the problem has not returned since cleaning up with antispyware products and running the RootkitRevealer program. Thanks for sticking with me.
Mike
You are welcome, Mike!
war1 is right, though; if OE is closed, there's probably something malicious trying to send unauthorised mail.
If nothing can be found using the tools suggested, you could check what is trying to get out via your firewall settings.
If you don't already have a third-party firewall, try ZoneAlarm (free version):
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp
ZoneLabs are offering a free online scan on this page which you may find useful.
ZoneAlarm can be configured not to let anything out from your computer without checking with you first; it then learns what you want to allow and what to stop. ZoneAlarm will tell you if a program tries to send email or if another program on your computer is trying to launch Outlook Express without your permission.