Mailbox is highjacked

My main mailbox is highjacked. I have ran a "Highjack This", and all of my other anti-spyware. They show nothing. The "Highjack" log shows all normal.

Last November, I noticed that doubleclick.net; a1.adserver.com; and servedby.com was on my computer's main mailbox. I did have Bonzi and a couple more, but I was able to track them down and got rid of them. But these other three are something else. Since this computer forum is working on new things, I decided to see if someone can help.

In November, I was running ME. Three weeks ago, I up graded my computer to XP. Everything I had was deleted or shredded. All I ran to re-install was microsoft software. I got rid of all my files since day 1. It was starting off like a new computer. However, guess what came with me. The above mentioned spyware. They are on my hard drive somewhere. They are embedded.

The strange thing is that I have, by design, four mailboxes. They are not on my other mailboxesl Just on my provider, Earthlink.net. Everytime I go to my mailbox, my "cookie patrol" tells me if so and so can set a cookie. These three are always trying to put cookies on my computer. I just deny them.

I have Spybot, Adaware 6, Pest Patrol, Scotty the Dog, and a couple of other programs. I do not download or open mail from persons I do not know. Even if I know the person and they send an attachment, that e-mail is not opened.

PitStop looked at my "Highjack This" log and found one thing which I deleted. However, this was not any of the spies I was looking for.

My question is, if these spies are on my hard drive, how in the world do you get rid of them? Is it possible?

Then to make thing worse, BlackIce notified me that they had been hacked and someone had put a worm in their program. You did not even have to download anything. This worm just downloads itself to any computer that has "Black Ice." The bad thing is, they did not notify us until they had a cure for it. The cure was for their Attack Log. If the worm went into that, I do not have it. If this is not it, then I have it somewheres. However, my Black Ice Defender was not downloaded and the app. was stopped by my Norton's security and firewall. Their patch did not uninstall my Black Ice and I kept getting messages every two minutes saying that The Black Ice "Attack Log Cannot BE Found." I finally got that stopped.

But anyway, I need to get the three spyware off my computer if I can.

 

Even though you have run a hijackthis you need to follow the link and follow the instructions found there. Thank you


http://www.wilderssecurity.com/showthread.php?t=15913

 

Highjack This

Please read
Logfile of HijackThis v1.97.7
Scan saved at 9:12:22 PM, on 3/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Ally Suite\SpamDefense.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mspaint.exe
C:\Documents and Settings\Berle Johnson\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Popup Defense System - {B77A3B18-91AB-4344-9EFD-9D8BB33A3388} - C:\WINDOWS\System32\PopupDefenseSystem.dll
O3 - Toolbar: Surf In Secret - {101B2544-8CDE-465B-BF8F-FA4AC11B1686} - C:\WINDOWS\System32\SurfInSecret.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Net Monitor.lnk = C:\Program Files\Free NetMon\NetMon.exe
O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.693599537
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F84611-8DE8-4561-966C-9D161AF18BCA}: NameServer = 207.69.188.187 207.69.188.186

 

Hi txsidewinder

I merged your other thread into this one so the experts will be able to read your first post on the problems u are having.




snowbound

 

Hi txsidewinder1,

Your log looks clean.

The only thing suspicious I could see was "Internet Ally Suite" consisting of Spam Defense, PopUp Defense, and Surf in Secret (http://www.internetally.com). Their Terms of Use and Licence Agreement seem a little vague IMHO.... I assume you installed this software yourself?

Other than that one suspicious program (It may very well be that the progran is OK. I just could not find out anything about it except on their own site.), your log looks clean.

Are you having any specific issues or problems, and if so, could you please explain them here?

Reading now that your mailbox is hijacked, it could very well be this program. I would suggest you remove it via your Add/Remove Programs Control Panel and see what happens.

Regards,
Kent

 

Those two programs have just been added. I got them from a site much like this one. I have not seen where they are doing me much good and are time consuming. I was thinking about deleting them anyway. Your comments set my mind to it. However, I had the highjack problems before I added those programs. This problem has been there since November.

I upgraded my computer two weeks ago today. I did not bring any program when I added this system. Everything was deleted. I was running ME and upgraded to XP. This computer was cleaned just like a new born baby. The only thing not changed was my hard drive. This is where I believe these highjackers lurk. They have invited more adware spies to my computer, but I can watch my mailbox and where it says "Done", I can watch each www going through. If I see a new program, I immediately start searching for it. When I track it down, I get rid of it one way or other. As you well know, these spys have a defense that makes it almost impossible to delete. If I can find the defense program, I can get rid of it all. I always find the defense program and get rid of it. If I am an expert in anything on the computer, it is spyware. However, the mentioned three highjackers have me baffled.

If they are in my hard drive, can you get rid of them? or do you have to get new hardware?

I read a report from some security experts that you cannot get rid of anything if you get highjacked. But the report was written in July of 2002. Defense has come a long way since then. I also suspect that earthlink has been penetrated or was penetrated about that period of time. Of course they deny this. As I said, earthlink is the only place that the highjackers are on. Earthlink is also the only place that tries to set spy cookies on my computer. I can go to msn or yahoo and do not get thisl However, being dumb before November, I could have opened an attachment at earthlink. Because of the security issues, this is also a plain invasion of my privacy.

 

Hi txsidewinder1,

If you removed that program, post a new HJT log and we will look at it and see if anything new has shown up....

Regards,
Kent

 

javascript:replaceText(' ')
Here is my new log. Spam defense is still on it. It is suppose to stop spyware from settling onto my start menu.
Logfile of HijackThis v1.97.7
Scan saved at 11:22:16 PM, on 3/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Ally Suite\SpamDefense.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Berle Johnson\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Net Monitor.lnk = C:\Program Files\Free NetMon\NetMon.exe
O4 - Startup: Spam Defense System.lnk = C:\Program Files\Internet Ally Suite\SpamDefense.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.693599537
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F84611-8DE8-4561-966C-9D161AF18BCA}: NameServer = 207.69.188.187 207.69.188.186