It May Be Time To Panic- Or Not

Sharky Forums



  1. #1

    It May Be Time To Panic- Or Not

    Other events in my life led me to believe that I may have something like a keylogger on my system. Two days ago Comodo showed me a connection to a Hotmail server on port 443, which I understand is used for secure http connections. I have the IP address blocked for now but what I would like from you guys is confirmation (or denial) that I have a piece of malware on my system, and a way to find it. I don't want to just eliminate it, I want to trace it to its owner and bust him/them. BUT before I fly off the handle I would like to know if my assumption is true. What legit program would open a webmail connection without my knowledge? I'm sure the potential malware has all the data needed to logon to Hotmail contained within it. Thank you in advance for your help.

  2. #2
    Mako Shark wh666-666's Avatar
    Join Date
    Jul 2006
    Location
    In a red kennel
    Posts
    4,577
    It may be a valid msn live/messenger service operating in the background, part of your operating system interacting with msn services or it could be malware .. Typically though port 443 shouldn't be open on a home computer as you said it's used for secure connections but typically on web servers for page requests

    Try http://www.superantispyware.com .. There are plenty of malware removers out there, that's just one of them to give a try .. It's best to eliminate it first, then concentrate on vendettas if it is proven to be malware

    Now if it is malware it may be identified .. You can't really get anyone busted for this very easily though .. Malware is crawling all over the world and proportionate to the amount of malware out there people rarely ever, ever get prosecuted .. Even companies produce malware to increase sales of their own software .. With the IP address sometimes it may be a genuine one of the originator or sometimes they can "hop" through other people's addresses to mask their own location .. If you had an authentic, harmful IP then you could bring it down either by finding a way in through one of the ports or launching something like a denial of service attack ..
    Compaq A910em: T2330 dual core 1.6Ghz, X3100 384MB GPU, 160GB sata HDD, 2GB RAM
    Gaming rig: Asus Striker II, Coolermaster GX 750w, E4600 @ 2.4Ghz, 2.5GB RAM, Zerotherm FZ 120, 9500GT 1GB
    Server: Mac mini running W23k Server - 1.8Ghz dual-core, 1GB RAM, 1x80GB, 2x500GB externals + LTO1 tape backup

    An important petition, regarding your human rights:
    https://www.change.org/en-GB/petitio...r-both-genders

  3. #3
    If I may let me give you an update- it got through again. Comodo dutifully told me again, but it listed the originating address instead of the destination address, but still port 443. The destination address was a little different. It transmitted again exactly 75,000 bytes. I type a lot but I doubt I type 75k in two days. It used a slightly different address. It looks like it's transmitting to a legit service- Hotmail. I'll bet it's as simple as the ne'er-do-well checking his webmail and finding the data as attachments. That means the malware could have all authenticating data stored locally, which I could find and use to identify the creep. I wrote a new rule blocking the complete range from 64.4.0.0 to 64.4.255.255. Any idea what it is transmitting? I suppose it could be a screencap but I run at 1600 by 1200. Could it also be some high-compression audio format? I figure at 20 kbps he could get 40 seconds of readable audio. So, any more ideas now that I have more data? Thank you again.

  4. #4
    Another update- I'm nothing if not persistent. Comodo shows one attempt to connect via 64.4.x.x (Hotmail) and then two more via 207.46.x.x (Microsoft). As I recall before from the logs it would connect via http port 80, then if successful via https port 443. I have also noticed activity on an EIDE drive that makes no sense, is not connected to any programs I know of. It's not the boot drive; intermittent activity on that drive is expected. Possibly this could be where the malware abides or where it drops its files. Here's an idea- if the files are hidden there, could I run Scan Disk on that drive and have it render any lost file fragments to files?
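    The pattern described in posts #3 and #4 (an unknown program talking to the 64.4.x.x and 207.46.x.x ranges on port 80 then 443, sending a fixed 75,000 bytes each time) can be checked systematically rather than by eye. This is an added example, not code from the thread or from Comodo; the log format and the app names are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Ranges the poster blocked or saw in the Comodo alerts (from the thread).
WATCH_RANGES = {
    "hotmail-64.4": ipaddress.ip_network("64.4.0.0/16"),      # 64.4.0.0-64.4.255.255
    "microsoft-207.46": ipaddress.ip_network("207.46.0.0/16"),
}

# Constructed sample log lines; hypothetical format: timestamp app src dst port bytes.
SAMPLE_LOG = """\
2008-03-01T10:02:11 unknown.exe 192.168.1.5 64.4.20.173 80 512
2008-03-01T10:02:12 unknown.exe 192.168.1.5 64.4.20.173 443 75000
2008-03-01T11:15:40 firefox.exe 192.168.1.5 72.14.205.99 443 2048
2008-03-01T12:30:05 unknown.exe 192.168.1.5 207.46.19.254 443 75000
"""

def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    ts, app, src, dst, port, nbytes = line.split()
    return {"ts": ts, "app": app, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}

def match_range(addr):
    """Return the name of the watched range containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in WATCH_RANGES.items():
        if ip in net:
            return name
    return None

def summarize(log_text, port=443, threshold=50000):
    """Total outbound bytes per (app, range) on `port`, and flag any single
    transfer at or above `threshold` bytes so repeated fixed-size uploads stand out."""
    totals = defaultdict(int)
    flagged = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        name = match_range(rec["dst"])
        if name is None or rec["port"] != port:
            continue
        totals[(rec["app"], name)] += rec["bytes"]
        if rec["bytes"] >= threshold:
            flagged.append((rec["ts"], rec["app"], rec["dst"], rec["bytes"]))
    return dict(totals), flagged
```

    Comparing the flagged app against the list of processes you know you installed is the quick way to separate a legitimate Messenger/Live component from something unexpected.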

  5. #5
    Goldfish
    Join Date
    Feb 2006
    Posts
    82
    Download rootkit revealer and scan your system, it's free. If you have something, and you find out what it is, then I'd say it can help
    a long lost shark, reborn into a sushi
