Mailbox is highjacked

Discussion in 'adware, spyware & hijack cleaning' started by txsidewinder1, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. txsidewinder1

    txsidewinder1 Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    6
    Location:
    Texas
    o_O My main mailbox is highjacked. I have run "HijackThis" and all of my other anti-spyware. They show nothing. The "HijackThis" log shows all normal.

    Last November, I noticed that doubleclick.net, a1.adserver.com, and servedby.com were on my computer's main mailbox. I did have Bonzi and a couple more, but I was able to track them down and got rid of them. But these other three are something else. Since this computer forum is working on new things, I decided to see if someone can help.

    In November, I was running ME. Three weeks ago, I upgraded my computer to XP. Everything I had was deleted or shredded. All I ran to re-install was Microsoft software. I got rid of all my files since day 1. It was starting off like a new computer. However, guess what came with me. The above mentioned spyware. They are on my hard drive somewhere. They are embedded.

    The strange thing is that I have, by design, four mailboxes. They are not on my other mailboxes. Just on my provider, Earthlink.net. Every time I go to my mailbox, my "cookie patrol" asks me if so and so can set a cookie. These three are always trying to put cookies on my computer. I just deny them.

    I have Spybot, Adaware 6, Pest Patrol, Scotty the Dog, and a couple of other programs. I do not download or open mail from persons I do not know. Even if I know the person and they send an attachment, that e-mail is not opened.

    PitStop looked at my "HijackThis" log and found one thing which I deleted. However, this was not any of the spies I was looking for.

    My question is, if these spies are on my hard drive, how in the world do you get rid of them? Is it possible?

    Then to make things worse, BlackIce notified me that they had been hacked and someone had put a worm in their program. You did not even have to download anything. This worm just downloads itself to any computer that has "Black Ice." The bad thing is, they did not notify us until they had a cure for it. The cure was for their Attack Log. If the worm went into that, I do not have it. If this is not it, then I have it somewhere. However, my Black Ice Defender was not downloaded and the app. was stopped by my Norton's security and firewall. Their patch did not uninstall my Black Ice and I kept getting messages every two minutes saying that The Black Ice "Attack Log Cannot BE Found." I finally got that stopped.

    But anyway, I need to get the three spyware off my computer if I can.
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Even though you have run a HijackThis, you need to follow the link and follow the instructions found there. Thank you.


    http://www.wilderssecurity.com/showthread.php?t=15913
     
  3. txsidewinder1

    txsidewinder1 Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    6
    Location:
    Texas
    HijackThis

    Please read
    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:22 PM, on 3/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Ally Suite\SpamDefense.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\Documents and Settings\Berle Johnson\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Popup Defense System - {B77A3B18-91AB-4344-9EFD-9D8BB33A3388} - C:\WINDOWS\System32\PopupDefenseSystem.dll
    O3 - Toolbar: Surf In Secret - {101B2544-8CDE-465B-BF8F-FA4AC11B1686} - C:\WINDOWS\System32\SurfInSecret.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: Net Monitor.lnk = C:\Program Files\Free NetMon\NetMon.exe
    O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.693599537
    O17 - HKLM\System\CCS\Services\Tcpip\..\{38F84611-8DE8-4561-966C-9D161AF18BCA}: NameServer = 207.69.188.187 207.69.188.186
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi txsidewinder :)

    I merged your other thread into this one so the experts will be able to read your first post on the problems you are having. ;)




    snowbound
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi txsidewinder1,

    Your log looks clean.

    The only thing suspicious I could see was "Internet Ally Suite" consisting of Spam Defense, PopUp Defense, and Surf in Secret (http://www.internetally.com). Their Terms of Use and Licence Agreement seem a little vague IMHO.... I assume you installed this software yourself?

    Other than that one suspicious program (it may very well be that the program is OK; I just could not find out anything about it except on their own site), your log looks clean.

    Are you having any specific issues or problems, and if so, could you please explain them here?

    Reading now that your mailbox is hijacked, it could very well be this program. I would suggest you remove it via your Add/Remove Programs Control Panel and see what happens.

    Regards,
    Kent
     
  6. txsidewinder1

    txsidewinder1 Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    6
    Location:
    Texas
    Those two programs have just been added. I got them from a site much like this one. I have not seen where they are doing me much good and are time consuming. I was thinking about deleting them anyway. Your comments set my mind to it. However, I had the highjack problems before I added those programs. This problem has been there since November.

    I upgraded my computer two weeks ago today. I did not bring any program when I added this system. Everything was deleted. I was running ME and upgraded to XP. This computer was cleaned just like a newborn baby. The only thing not changed was my hard drive. This is where I believe these highjackers lurk. They have invited more adware spies to my computer, but I can watch my mailbox and where it says "Done", I can watch each www going through. If I see a new program, I immediately start searching for it. When I track it down, I get rid of it one way or another. As you well know, these spies have a defense that makes it almost impossible to delete. If I can find the defense program, I can get rid of it all. I always find the defense program and get rid of it. If I am an expert in anything on the computer, it is spyware. However, the mentioned three highjackers have me baffled.

    If they are in my hard drive, can you get rid of them? Or do you have to get new hardware?

    I read a report from some security experts that you cannot get rid of anything if you get highjacked. But the report was written in July of 2002. Defense has come a long way since then. I also suspect that Earthlink has been penetrated or was penetrated about that period of time. Of course they deny this. As I said, Earthlink is the only place that the highjackers are on. Earthlink is also the only place that tries to set spy cookies on my computer. I can go to MSN or Yahoo and do not get this. However, being dumb before November, I could have opened an attachment at Earthlink. Because of the security issues, this is also a plain invasion of my privacy.
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi txsidewinder1,

    If you removed that program, post a new HJT log and we will look at it and see if anything new has shown up....

    Regards,
    Kent
     
  8. txsidewinder1

    txsidewinder1 Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    6
    Location:
    Texas
    Here is my new log. Spam defense is still on it. It is supposed to stop spyware from settling onto my start menu.
    Logfile of HijackThis v1.97.7
    Scan saved at 11:22:16 PM, on 3/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\ATI Multimedia\main\launchpd.exe
    C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Ally Suite\SpamDefense.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Berle Johnson\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: Net Monitor.lnk = C:\Program Files\Free NetMon\NetMon.exe
    O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.693599537
    O17 - HKLM\System\CCS\Services\Tcpip\..\{38F84611-8DE8-4561-966C-9D161AF18BCA}: NameServer = 207.69.188.187 207.69.188.186
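
An added example, not part of the original thread: a small Python parser that diffs two HijackThis logs, which is what comparing the first and second scans above amounts to. The sample inputs are abridged excerpts of the two logs posted in this thread, and the function names (`parse_hjt`, `diff_scans`, `still_present`) are this example's own.

```python
import re

# Abridged excerpts of the two HijackThis logs posted in this thread.
SCAN_1 = r"""
Running processes:
C:\Program Files\Internet Ally Suite\SpamDefense.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O3 - Toolbar: Popup Defense System - {B77A3B18-91AB-4344-9EFD-9D8BB33A3388} - C:\WINDOWS\System32\PopupDefenseSystem.dll
O3 - Toolbar: Surf In Secret - {101B2544-8CDE-465B-BF8F-FA4AC11B1686} - C:\WINDOWS\System32\SurfInSecret.dll
O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
"""
SCAN_2 = r"""
Running processes:
C:\Program Files\Internet Ally Suite\SpamDefense.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
"""

# Entry lines start with a section code such as R0, O2, O4, O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running processes, registry/startup entries) from one log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries

def diff_scans(old, new):
    """What disappeared and what appeared between two scans."""
    (old_p, old_e), (new_p, new_e) = parse_hjt(old), parse_hjt(new)
    return {"entries_removed": sorted(old_e - new_e),
            "entries_added": sorted(new_e - old_e),
            "processes_removed": sorted(old_p - new_p),
            "processes_added": sorted(new_p - old_p)}

def still_present(text, needle):
    """Entries in a log that still reference a product the user meant to remove."""
    return sorted(e for e in parse_hjt(text)[1] if needle.lower() in e[1].lower())

if __name__ == "__main__":
    for key, items in diff_scans(SCAN_1, SCAN_2).items():
        print(key, items)
    print("leftover", still_present(SCAN_2, "Internet Ally Suite"))
```

On these excerpts the diff shows the two Internet Ally toolbars gone, no new entries, and the Spam Defense startup link still present.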
     