I have a user whos mailbox has some trojan thats not seen by anti viru

[mobrien145]

I have a user whos mailbox has some thing that acts like a trojan thats not seen by anti virus or anti spyware. The reason I suspect the mailbox is everytime I take it of the network and run anti virus I find stuff (we use F-Secure, Sophos and Kaspersky) I then take a clean machine back put it on the network load MSOutlook try to open any hyperlink in his email (it doesnt matter which email they all have the same symptoms) off it goes and up come the Before You Know It installer even if you say yes to it the next hyperlink you open doesnt exactly the same. I have now cleaned the PC 4 times but can't get rid of the hypertext problem.
I need some drastic help guys and gals the other catch is he doesn't want me to delete his mailbox because he uses it as a filing cabinet

 

[Marcs41]

Pk, and now what is the Exchange Server got to do with that?
All you describe is a USER issue, something to tackle at user and/or PC level.
If that user does not want you to touch his e-mail, then do it anyway if you suspect it is causing trouble. Your network has priority over a 'difficult' user, regardless who this is.

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all.
Free Tip: The F1 Key does NOT destroy your PC![/sub]

 

[GreatSatan]

Sounds like exchange is owned. Hackers, once in, write all sorts of evil programs that do just what you describe. I would rebuild, from scratch -- do not restore from backup!! To go about this, EXMERGE the mailboxes into PST, or have your users (if smart enough) to archive all their mail into a pst. Then, buy new harddrives and re install both os and mail software.

Then I would put a firewall/SMTP proxy and filter out any non-necessary file types (.zip <--DO NOT EVER ALLOW ZIP FILES, it's just flat out retarded!!! .msi, .ocx, .rar, .exe, .scr, .pif, .bat, .htm, .cmd... Better yet, with your situation, I'd deny all and start allowing only what is needed) .

Make sure to only expose port 25, and nothing else. If your clients need OWA, POP3, or IMAP4, route it through an ISA server, or through and HTTP proxy that filters the same file type as listed above. I've yet to see a POP3 or IMAP proxy that was worth a damn...

I highly recommend any watchguard product. It's SMTP proxy has saved my hairy butt on numerous occasions. Not only will it filter whatever you tell it, but it's designed to only allow in mail that meets RFC standards. This way, if some hacker tries to exploit, he's unsuccessful.

 

[MarkhP]

I would think a process of elimination would be best, before drastic measures. Get the user (or do for him) to archive his entire mailbox to pst(s). Delete the mailbox and recreate. Rebuild the desktop and try to access to new mailbox. If everything goes ok, you can then open a copy of the .pst (offline) and work through that to delete the 'bad' emails. If you cannot delete, then maybe forward them to the user (plain text?) so that they get scanned and cleaned. If however, you found that a new mailbox on a new desktop install (without having browsed the internet) again has the problem, you know that it is not the users setup or mailfile and needs further investigation.

BTW - what does your AV packages find?

 

[Zelandakh]

May not be Exchange that is compromised, could just be Windows not something in email.

Try a hijackthis log on that box or a full sweep of the machine checking obvious things like temp, registry, msconfig etc. Then run anti spyware, anti virus. Then put on a software firewall and block all outbound with prompting and that should tell you what is doing it.