Isp says I'm a spammer!

RoadRunner says spam complaint-origination my isp address. I have done many av, anti trojan, etc scans-all negative. They (RR) suggest also I may have "open relay/proxy". What is this? Where do I find it? How do I close it?
Is this the right forum for this question?

Installed security: NOD32
ZoneAlarm 4.5 free
Spybot
Adaware 6.0 free
Spywareblaster
Spywareguard
a squared free

 

Post the scan log from HijackThis
Unzip it somewhere to keep and run hijackthis.exe - press Scan - the Scan button changes to a Save Log button
Save, and then copy and paste the entire log here.
Dont' choose to fix anything yet - most entries will be harmless

 

I didn't mention-as precaution I disabled system restore, rebooted, re-enabled. Here is HJT log:


Logfile of HijackThis v1.98.1
Scan saved at 11:37:55 PM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

Don't actually see anything there - do you think someone's spoofing your IP?
Is there more than one machine there (on a router ?)

If you turn SETI off - do you see network activity when there should be nothing happening ?

I guess that there is an outside chance that there is a new variant of something like
http://securityresponse.symantec.com/avcenter/venc/data/w32.hyd@mm.html
out there ?

------ edit
You are sure it came from your ISP and you didn't receive one of these ??
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M&VSect=T

 

A precaution against what exactly?

Since what's sitting in SR is inert, not wise to wipe out your restore points and would only affect the system if you actually did a restore.

After you found a problem and solved it, then yes, go thru that procedure.

Regards - Charles

 

Thanks for response. Please excuse my vast lack of knowledge. I live in cottage next to landlord- he has master account (Roadrunner cable). Dont know details of setup (I get no bill!!) but must be some kind of hub or router and its not pirate. Will find out more.

Other than watching ZA icon where would I look for network activity? (problem did occur shortly after installing SETI, which is remaining off for now).

Here is notice I received


Dear Customer:

Road Runner has received a complaint of email spamming apparently originating from your computer. The IP address %%%%%%%%%was assigned to your computer at the date and time indicated in the email headers. Please see a copy of the email below. If you are not aware of this occurring, you may have a virus or have an open relay/proxy. Please take the necessary step to eradicate the virus or close the open relay.

Return-path: <biggs_vk@cdta.org.uk>
Envelope-to: gerd@holzmacher.de
Delivery-date: Tue, 03 Aug 2004 14:52:38 +0200
Received: from [219.159.8.126] (helo=3Dhutchinson.fr)
by mxng08.kundenserver.de with smtp (Exim 3.35 #1)
id 1BrymR-0007c7-00
for gerd@holzmacher.de; Tue, 03 Aug 2004 14:52:38 +0200
Received: from %%%%%%%%%% by smtp.cdta.org.uk;
Tue, 03 Aug 2004 12:50:30 +0000
Message-ID: <a2e501c47958$0e22afeb$b9c2f4c3@hutchinson.fr>
From: "Liza Biggs" <biggs_vk@cdta.org.uk>
To: gerd@holzmacher.de
Subject: We give you $200 bonus at Casino Zeal!
Date: Tue, 03 Aug 2004 20:50:04 +0800

STEPS TO REMOVE/ERADICATE OPEN PROXY/RELAY OR TROJAN HORSES:
Please ensure to backup all critical information before proceeding.
1) Run through the critical updates at http://windowsupdate.microsoft.com. You may need to run the update several times to ensure that all updates have been applied.
2) Update your antivirus program and run a scan on your computer. Several online ones are listed below.
3) Install some type of firewall program for additional protection from unauthorized access. See below for a portion of those available.
4) Utilization of P2P programs such as Kazaa, Morpheus or the like creates a vulnerable environment for a computer to get infected with a virus.
It is advisable to stop the use of such programs. These programs also render antivirus and firewalls vulnerable.
5) Search your computer for rogue programs that were not installed by you and remove them.
6) Reply back to this email with an update confirming the steps taken and removal of any viruses or open proxy/relay software.

To protect your computer and its files and to stop the unintentional distribution of viruses, we strongly recommend that you purchase, update and run a good commercial virus detection/elimination program. Also, please be sure that your file sharing and printer sharing options are turned off whenever connected to the Internet. It is also recommended to install some type of firewall program for additional protection.

If further complaints of this nature are received, we may be forced to temporarily disconnect your Road Runner service to stem the spread of these viruses. Your prompt attention to this matter is appreciated and will most likely prevent the need to interrupt your service.

Anti-Virus Software
Most anti-virus software will detect programs that may allow remote access to your computer (Trojans), or perform activities or functions that may corrupt data on your computer. If you decide to use an anti-virus program, remember to keep it updated so you will be protected from new viruses. Here are just a few of the anti virus programs available.

Free Antivirus and Firewall from Road Runner
http://www.rr.com/flash/index.cfm?startView=DOWNLOAD (EZ Armor). Remove any existing antivirus software before downloading EZ Armor. If you need any assistance in installing EZ Armor, please contact our National Help Desk at (800) 228-6604.

Other Antivirus Options:
http://housecall.antivirus.com
http://www3.ca.com/virusinfo/virusscan.aspx
http://us.mcafee.com/root/mfs/default.asp
http://www.grisoft.com/us/us_dwnl_free.php
http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=20&pkj=RWGUPJUIYCZRWEJGSSK

Other Trojan Detection Applications:
http://www.moosoft.com/thecleaner (The Cleaner - Trojan Cleaner)
http://download.com.com/3000-2144-10194058.html?tag=lst-0-1 (Spybot)
http://www.trojanscan.com/trojanscan/ (GFi)

Firewall Applications:
http://zonelabs.com (Firewall Products)
http://download.com.com/3000-2092-10184369.html?tag=lst-0-1 (Sygate)

How to Enable the XP firewall: http://www.microsoft.com/windowsxp/pro/using/itpro/securing/enableicf.asp

In addition, we recommend that you keep all software, especially Internet-related software, up to date and fully patched to assist in preventing unauthorized access and exploits. You can find more information on Windows updated by visiting the following web site:

http://windowsupdate.microsoft.com/

Time Warner Cable and Road Runner do not endorse or support any of these products. They are listed for your reference and represent a small portion of those commercially available.

Thank You & Aloha,
Oceanic Internet Services Hawaii Security Support
securitysupport@hawaii.rr.com
(80 625-8426


__________ NOD32 1.833 (20040803) Information __________

This message was checked by NOD32 antivirus system.
part000.txt - is OK
part001.htm - is OK

http://www.nod32.com

I did all my scans and replied. Only action I took was disable file and printer sharing which I'd neglected after recent reformat. Recieved acknowlege ment e-mail. All seemed authentic and consistent with previous communications with them.

Sorry for length of this and thanks again for your attention.

 

I'd guess that the landlord's machine is infected

 

I will have to wait for his return tomorrow. That e-mail was addresed to him also but I haven't been able to talk to him yet. Any further precautions you'd advise?

 

Not really - other than I hope you have no file shares with him?

I suspect that from the ISP's point of view - you both have the same IP at any given moment (fixed or assigned)

BTW - if you explicitly installed SETI - it's very likely not the source -- I'd worry if you weren't aware that it was present.

 

Thanks IMM. No file sharing. If anything interesting developes will report.

 

cadmus, or is your computer infected by a spambot? Is there any suspicious-looking program on your com? I think something on your computer is sending spam outwards.

 

Nadirah- not mine-the landlord didit as IMM suspected! The big house is unoccupied, protected by 5 security cameras. Dear landlord monitors the pc controlling these from his home pc. He decided since that was all the machine did he didn't need to renew anti-virus! (I am only a little bit smarter. )

 

LOL - a 'security computer'

send him to windows update for all the 'critical' updates

 

LOL, I'd say a LOT smarter!!!

TAS

 

In light of all this would I be wise to use a proxy? Frankly it's mostly a just a word to me, and I still haven't figured out what to do about that blinking Sygate icon when "your ports are being scanned".