Microsoft Office Forums

04-15-2011, 01:27 AM
irwin69 (Windows 7 32bit, Office 2003)
Mail Profile Hacked by Trojan?
 

Hi,

Hope someone might be able to help.

A week or so ago our network started to crawl and one of our PCs on our home network began sending out emails with a number of zipped files called confidentialdocs.zip.exe and hotpics.zip.exe. Luckily we picked up on this really quickly and prevented the mails from reaching their intended targets.

A sweep of our network revealed that these exe files were scattered around the PC and also on our WHS. I ran a boot scan and indeed there were a number of Trojans (thanks kids!!!). I also scanned our WHS and discovered and removed a trojan on that.

What really made me realise initially there was a problem though was that on sign in to Exchange in Outlook it was changing the name of our email server. We are with 1and1.co.uk and generally it says "Connecting to <Name of server>". But on the infected PC it changed the wording to "Welcome back to <Name of Server>". But each time I logged in and out it changed the name of the server to variations of the 1and1 OWA (e.g. exchange.1and1.es, profimailer.de).

I had another PC running the same Outlook profile at the same time and it still had the correct "Connecting to <Name of Server>".

Once I had removed the Trojan and reinstalled the Outlook profile it still was playing up so I decided to reinstall Windows. This seemed to cure it until yesterday when my wife reported a sudden slowing down of the network and we noticed that the "Connecting to" wording had changed to "Welcome back" again. However, so far the server name has remained constant which makes me doubt this is a problem.



I also did a scan of both the PC and WHS and both seem to be clean.

So my questions are:

1. Is the "Connecting to" wording on the Exchange login specific to my mail profile or is it pushed by the Exchange Server to the Client? Is there any legitimate reason why it would change?

2. Is it normal for an OWA address to appear on an Outlook Exchange login? My other PC which is also 1and1.co.uk has a .xchg address which never seems to change. Though it is running Outlook 2003 whereas the infected PC is Outlook 2007.

3. Is it possible to open the script of the mail profile to see if it has been compromised? I looked through the registry for everything relating to the mail profile and all seemed OK.

4. Is it possible that in spite of reinstalling Windows the trojan could still be there? If so would the best course of action be a complete fresh reinstall having zapped the HD?

5. Or am I just being paranoid!?

Hope someone can help!

Chris
All times are GMT -7.