Isp says I'm a spammer!

Discussion in 'other security issues & news' started by cadmus, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    RoadRunner says a spam complaint originated from my ISP address. I have done many AV, anti-trojan, etc. scans, all negative. They (RR) suggest I may also have an "open relay/proxy". What is this? Where do I find it? How do I close it?
    Is this the right forum for this question?

    Installed security: NOD32
    ZoneAlarm 4.5 free
    Spybot
    Adaware 6.0 free
    Spywareblaster
    Spywareguard
    a squared free
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Post the scan log from HijackThis.
    Unzip it somewhere to keep and run hijackthis.exe - press Scan - the Scan button changes to a Save Log button.
    Save, and then copy and paste the entire log here.
    Don't choose to fix anything yet - most entries will be harmless.
     
  3. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    I didn't mention: as a precaution I disabled System Restore, rebooted, and re-enabled it. Here is the HJT log:


    Logfile of HijackThis v1.98.1
    Scan saved at 11:37:55 PM, on 8/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SETI@home\SETI@home.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Don't actually see anything there - do you think someone's spoofing your IP?
    Is there more than one machine there (on a router?)

    If you turn SETI off - do you see network activity when there should be nothing happening?

    I guess that there is an outside chance that there is a new variant of something like
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hyd@mm.html
    out there?

    ------ edit
    You are sure it came from your ISP and you didn't receive one of these ??
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M&VSect=T
     
    Last edited: Aug 5, 2004
  5. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    A precaution against what exactly?

    Since what's sitting in SR is inert, it's not wise to wipe out your restore points; it would only affect the system if you actually did a restore.

    After you've found a problem and solved it, then yes, go through that procedure.

    Regards - Charles
     
  6. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    Thanks for the response. Please excuse my vast lack of knowledge. I live in a cottage next to my landlord - he has the master account (Roadrunner cable). Don't know details of the setup (I get no bill!!) but there must be some kind of hub or router, and it's not pirated. Will find out more.

    Other than watching the ZA icon, where would I look for network activity? (The problem did occur shortly after installing SETI, which is remaining off for now.)

    Here is the notice I received:


    Dear Customer:

    Road Runner has received a complaint of email spamming apparently originating from your computer. The IP address %%%%%%%%%was assigned to your computer at the date and time indicated in the email headers. Please see a copy of the email below. If you are not aware of this occurring, you may have a virus or have an open relay/proxy. Please take the necessary step to eradicate the virus or close the open relay.

    Return-path: <biggs_vk@cdta.org.uk>
    Envelope-to: gerd@holzmacher.de
    Delivery-date: Tue, 03 Aug 2004 14:52:38 +0200
    Received: from [219.159.8.126] (helo=3Dhutchinson.fr)
    by mxng08.kundenserver.de with smtp (Exim 3.35 #1)
    id 1BrymR-0007c7-00
    for gerd@holzmacher.de; Tue, 03 Aug 2004 14:52:38 +0200
    Received: from %%%%%%%%%% by smtp.cdta.org.uk;
    Tue, 03 Aug 2004 12:50:30 +0000
    Message-ID: <a2e501c47958$0e22afeb$b9c2f4c3@hutchinson.fr>
    From: "Liza Biggs" <biggs_vk@cdta.org.uk>
    To: gerd@holzmacher.de
    Subject: We give you $200 bonus at Casino Zeal!
    Date: Tue, 03 Aug 2004 20:50:04 +0800

    STEPS TO REMOVE/ERADICATE OPEN PROXY/RELAY OR TROJAN HORSES:
    Please ensure that you back up all critical information before proceeding.
    1) Run through the critical updates at http://windowsupdate.microsoft.com. You may need to run the update several times to ensure that all updates have been applied.
    2) Update your antivirus program and run a scan on your computer. Several online ones are listed below.
    3) Install some type of firewall program for additional protection from unauthorized access. See below for a portion of those available.
    4) Utilization of P2P programs such as Kazaa, Morpheus or the like creates a vulnerable environment for a computer to get infected with a virus.
    It is advisable to stop the use of such programs. These programs also render antivirus and firewalls vulnerable.
    5) Search your computer for rogue programs that were not installed by you and remove them.
    6) Reply back to this email with an update confirming the steps taken and removal of any viruses or open proxy/relay software.

    To protect your computer and its files and to stop the unintentional distribution of viruses, we strongly recommend that you purchase, update and run a good commercial virus detection/elimination program. Also, please be sure that your file sharing and printer sharing options are turned off whenever connected to the Internet. It is also recommended to install some type of firewall program for additional protection.

    If further complaints of this nature are received, we may be forced to temporarily disconnect your Road Runner service to stem the spread of these viruses. Your prompt attention to this matter is appreciated and will most likely prevent the need to interrupt your service.

    Anti-Virus Software
    Most anti-virus software will detect programs that may allow remote access to your computer (Trojans), or perform activities or functions that may corrupt data on your computer. If you decide to use an anti-virus program, remember to keep it updated so you will be protected from new viruses. Here are just a few of the anti virus programs available.

    Free Antivirus and Firewall from Road Runner
    http://www.rr.com/flash/index.cfm?startView=DOWNLOAD (EZ Armor). Remove any existing antivirus software before downloading EZ Armor. If you need any assistance in installing EZ Armor, please contact our National Help Desk at (800) 228-6604.

    Other Antivirus Options:
    http://housecall.antivirus.com
    http://www3.ca.com/virusinfo/virusscan.aspx
    http://us.mcafee.com/root/mfs/default.asp
    http://www.grisoft.com/us/us_dwnl_free.php
    http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=20&pkj=RWGUPJUIYCZRWEJGSSK

    Other Trojan Detection Applications:
    http://www.moosoft.com/thecleaner (The Cleaner - Trojan Cleaner)
    http://download.com.com/3000-2144-10194058.html?tag=lst-0-1 (Spybot)
    http://www.trojanscan.com/trojanscan/ (GFi)

    Firewall Applications:
    http://zonelabs.com (Firewall Products)
    http://download.com.com/3000-2092-10184369.html?tag=lst-0-1 (Sygate)

    How to Enable the XP firewall: http://www.microsoft.com/windowsxp/pro/using/itpro/securing/enableicf.asp

    In addition, we recommend that you keep all software, especially Internet-related software, up to date and fully patched to assist in preventing unauthorized access and exploits. You can find more information on Windows updates by visiting the following web site:

    http://windowsupdate.microsoft.com/

    Time Warner Cable and Road Runner do not endorse or support any of these products. They are listed for your reference and represent a small portion of those commercially available.

    Thank You & Aloha,
    Oceanic Internet Services Hawaii Security Support
    securitysupport@hawaii.rr.com
    (808) 625-8426


    __________ NOD32 1.833 (20040803) Information __________

    This message was checked by NOD32 antivirus system.
    part000.txt - is OK
    part001.htm - is OK

    http://www.nod32.com

    I did all my scans and replied. The only action I took was to disable file and printer sharing, which I'd neglected after a recent reformat. Received an acknowledgement e-mail. All seemed authentic and consistent with previous communications with them.

    Sorry for length of this and thanks again for your attention.
     
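    The complaint above attributes the spam to the address in the lower Received header. As an added example (not from the thread or from Road Runner), the script below walks the Received chain of that message, oldest hop first, and picks out the one hop the recipient's own mail server wrote itself; every hop below it was supplied by the connecting client and may be forged. The redacted address is assumed to be 192.0.2.10 and the server name mxng08.kundenserver.de is taken from the quoted headers.

```python
import re
from email import message_from_string

# Constructed sample built from the complaint quoted above; the ISP's redacted
# address (%%%%%%%%%%) is replaced with the documentation address 192.0.2.10.
# "=3D" in the HELO name is quoted-printable residue for "=" and is left as-is.
SAMPLE = """\
Return-path: <biggs_vk@cdta.org.uk>
Received: from [219.159.8.126] (helo=3Dhutchinson.fr)
\tby mxng08.kundenserver.de with smtp (Exim 3.35 #1)
\tid 1BrymR-0007c7-00
\tfor gerd@holzmacher.de; Tue, 03 Aug 2004 14:52:38 +0200
Received: from 192.0.2.10 by smtp.cdta.org.uk;
\tTue, 03 Aug 2004 12:50:30 +0000
From: "Liza Biggs" <biggs_vk@cdta.org.uk>
To: gerd@holzmacher.de
Subject: We give you $200 bonus at Casino Zeal!

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM = re.compile(r"\bfrom\s+\[?([^\s\]\(]+)", re.I)
BY = re.compile(r"\bby\s+([^\s;]+)", re.I)


def parse_received_chain(raw):
    """Return the hops oldest-first. Each MTA prepends its own Received
    header, so the first one in the message is the newest hop and the
    last one is the oldest (and least verifiable) claim."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        line = " ".join(hdr.split())  # unfold tab-indented continuation lines
        src, dst, ip = FROM.search(line), BY.search(line), IPV4.search(line)
        hops.append({
            "from": src.group(1) if src else None,
            "by": dst.group(1) if dst else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def trusted_origin(raw, own_mta):
    """IP recorded in the Received header written by our own server
    (own_mta). That is the connecting peer we actually saw; hops below
    it arrived inside the client's data and are untrusted."""
    for hop in parse_received_chain(raw):
        if hop["by"] and hop["by"].lower() == own_mta.lower():
            return hop["ip"]
    return None
```

    When reading an abuse complaint, compare the IP your ISP named with the hop logged by the complaining site's own server; if the two differ, the lower header was client-supplied and the attribution deserves a second look.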
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I'd guess that the landlord's machine is infected
     
  8. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    I will have to wait for his return tomorrow. That e-mail was addressed to him also, but I haven't been able to talk to him yet. Any further precautions you'd advise?
     
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Not really - other than I hope you have no file shares with him?

    I suspect that from the ISP's point of view - you both have the same IP at any given moment (fixed or assigned)

    BTW - if you explicitly installed SETI - it's very likely not the source -- I'd worry if you weren't aware that it was present.
     
  10. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    Thanks IMM. No file sharing. If anything interesting develops I will report.
     
  11. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    cadmus, or is your computer infected by a spambot? Is there any suspicious-looking program on your com? I think something on your computer is sending spam outwards.
     
  12. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    Nadirah - not mine - the landlord did it, as IMM suspected! The big house is unoccupied, protected by 5 security cameras. Dear landlord monitors the PC controlling these from his home PC. He decided that since that was all the machine did he didn't need to renew the anti-virus! (I am only a little bit smarter. *puppy*)
     
  13. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    LOL - a 'security computer' :D

    send him to windows update for all the 'critical' updates
     
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    LOL, I'd say a LOT smarter!!! :D

    TAS :)
     
  15. cadmus

    cadmus Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    72
    Location:
    Maui, HI
    In light of all this, would I be wise to use a proxy? Frankly it's mostly just a word to me, and I still haven't figured out what to do about that blinking Sygate icon when "your ports are being scanned".
     