email hijackers

By samlhop
Mar 14, 2005
Topic Status:
Not open for further replies.
  1. Need help with email hijackers

    This is my first try at posting, please bear with me. I have found following threads very helpful in the past.
    I'm running XP Home + SP2 on a Dell laptop. I use Mozilla and Firefox, not a big fan of Bill G. & IE. I use Spybot, HijackThis, Ad-Aware SE, SpywareBlaster, and McAfee Security. I keep them all updated and run most once a day.

    Today, 3/14/05, I got the email I copied below. It looks to me like Firefox got hijacked and is being used to spam. There is no record in my outbox and I don't know the address. Last time this happened it was (MyDoom) and I resolved it by following the directions on a thread here at TechSpot.

    Does anybody have any direction for me on where to start? The email has 2 attachments. If I right-click "open" on the info line for the second I get
    mailbox:///c|/documents%20and%20settings/samlhop/app......... that's all I can see. No other similar complaints have come back to me.

    How should I proceed? Thanks for your input. Sam Hopkins

    BANNED FILENAME ALERT

    Your message to: email removed
    was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

    Subject: Server Error (email removed)

    An attachment in that mail was of a file type that the Spam Firewall is set to block.

    Final-Recipient: rfc822; email removed
    Action: failed
    Status: 5.7.1
    Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=31351-02-3 - BANNED: data20342.pif
    Last-Attempt-Date: Mon, 14 Mar 2005 08:33:36 -0500 (EST)

    Received: from leapsoft.com (unknown [64.69.113.221])
    by barracuda.leapsoft.com (Spam Firewall) with ESMTP id E2FFB2011030
    for <email removed>; Mon, 14 Mar 2005 08:33:33 -0500 (EST)
    From: email removed
    To:email removed
    Subject: Server Error (email removed)
    Date: Mon, 14 Mar 2005 08:33:32 -0500
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
    X-Priority: 1
    X-MSMail-Priority: High
    Message-Id: <email removed>
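    Added example, not code from the thread or from the Spam Firewall vendor: a small Python triage of a bounce notice like the one quoted above. It runs on a constructed copy of that notice in which the "email removed" addresses are replaced by placeholders; the status code, banned filename, Received line and dates are the ones shown in the post. It pulls out the per-recipient DSN fields, names the banned attachment, checks whether its extension is one Windows executes on open, and records which host handed the message to the gateway and whether that host had reverse DNS, which is what you need to read before concluding the mail came from your own machine rather than from a sender that merely used your address.

```python
import os
import re

# Constructed sample modeled on the notice quoted in the first post: the
# addresses are placeholders (the post shows "email removed"); the status
# code, banned filename, Received line and dates are the ones the post shows.
SAMPLE_BOUNCE = """BANNED FILENAME ALERT

Your message to: recipient@example.com
was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

Subject: Server Error (recipient@example.com)

An attachment in that mail was of a file type that the Spam Firewall is set to block.

Final-Recipient: rfc822; recipient@example.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=31351-02-3 - BANNED: data20342.pif
Last-Attempt-Date: Mon, 14 Mar 2005 08:33:36 -0500 (EST)

Received: from leapsoft.com (unknown [64.69.113.221])
by barracuda.leapsoft.com (Spam Firewall) with ESMTP id E2FFB2011030
for <recipient@example.com>; Mon, 14 Mar 2005 08:33:33 -0500 (EST)
From: sender@example.net
To: recipient@example.com
Subject: Server Error (recipient@example.com)
Date: Mon, 14 Mar 2005 08:33:32 -0500
"""

# File types Windows runs when double-clicked. A .pif is a program shortcut and
# launches whatever it points at, which is why mail gateways ban it outright.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Per-recipient delivery status fields (RFC 3464 names) that the notice carries.
DSN_FIELDS = ("Final-Recipient", "Action", "Status", "Diagnostic-Code", "Last-Attempt-Date")

RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"        # name the sending host announced
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+"  # reverse-DNS result and connecting IP
    r"by\s+(?P<by>\S+)"                           # host that recorded the hop
)


def parse_dsn_fields(text):
    """Return the DSN fields present in the notice as a {name: value} dict."""
    fields = {}
    for name in DSN_FIELDS:
        m = re.search(r"^%s:\s*(.+)$" % re.escape(name), text, re.MULTILINE)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def banned_filename(diagnostic_code):
    """Extract the filename the gateway names after 'BANNED:', or None."""
    m = re.search(r"BANNED:\s*(\S+)", diagnostic_code or "")
    return m.group(1) if m else None


def is_executable_extension(filename):
    """True when the attachment's extension is one Windows executes on open."""
    return os.path.splitext(filename.lower())[1] in EXECUTABLE_EXTENSIONS


def parse_received(text):
    """Return each Received hop as a dict, in the order written (newest hop first)."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(text)]


def triage(text):
    """Summarise what the bounce proves: what was rejected, and which host submitted it."""
    fields = parse_dsn_fields(text)
    status = fields.get("Status", "")
    fname = banned_filename(fields.get("Diagnostic-Code"))
    hops = parse_received(text)
    origin = hops[-1] if hops else None  # oldest hop: the host that handed the mail to the gateway
    return {
        "status": status,
        "permanent_failure": status.startswith("5."),  # RFC 3463: class 5 = permanent failure
        "banned_file": fname,
        "executable_attachment": fname is not None and is_executable_extension(fname),
        "origin": origin,
        "origin_rdns_unknown": origin is not None and origin["rdns"].lower() == "unknown",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE).items():
        print("%-22s %s" % (key, value))
```

    The two facts worth reading off the output are the banned filename (a .pif is a program, whatever the message body says) and the oldest Received hop: it names the IP that connected to the gateway, so a sender can compare it with the public address their own ISP assigns before assuming their own machine sent the mail.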
  2. vhunter

    vhunter Newcomer, in training Posts: 89

    If you set your previous settings back to normal, does the hijacker reset them again? Meaning, if you plug your personal settings back, does the hijacker set them to malicious sites and stuff? Exactly what happened?
  3. isatippy

    isatippy Newcomer, in training Posts: 593

    Hello. :wave: :wave:
  4. samlhop

    samlhop Newcomer, in training Topic Starter

    vhunter, I can't tell that anything has been changed. I can't find any record of sending a message to that address, and I have had no other notifications of spam coming from my address. When I had (MyDoom) my ISP notified me that spam was coming from my address.

    Thanks for the reply. Got any ideas? What settings should I check? Thanks
  5. vhunter

    vhunter Newcomer, in training Posts: 89

    As far as I can tell, it doesn't appear that you have been hijacked. What has the message done to your computer? Slowed down? Homepage changed? Etc?
  6. samlhop

    samlhop Newcomer, in training Topic Starter

    All that's happened is my inbox got wiped out, but the stuff was still on the server so I could get it with my other box. I haven't had any other notices about my IP address spamming, so I think you're right. Last time DirecWay notified me about a large amount of mail; "commercial volume" is the way they put it last time with MyDoom. This is probably nothing.

    What would you look at? The whole idea is that it's not readily noticeable. Would it show up in my outbox, or some mail setting? I guess I'm unnerved because I don't know where to look. HijackThis found no reference to mailbox///c|/ which looked like a temp to me; I could not find any reference to it on my system.
  7. vhunter

    vhunter Newcomer, in training Posts: 89

    What program are you using? If it's outlook, then it may have archived your box, then deleted the messages. Posting your HJT log would be very helpful. Just do a HJT scan, with the option to save the log selected, then on your next post, go down the page and attach the file. It will help.
  8. samlhop

    samlhop Newcomer, in training Topic Starter

    HJT log

    vhunter, here is the HJT log. I'm using Mozilla Thunderbird and Firefox.
    Most of this is over my head. If you see anything that may shed some light on this, let me know. Thanks. samlhop.

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\samlhop\download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.*;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MUSICMATCH MX Web Player (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
  9. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in safe mode.
    Run HijackThis on its own and put a tick-mark before these 2 lines:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.*;<local>

    Click on the 'fix it' button. Quit HJT.
    Reboot and see how it goes.

    Your log is not complete, there could be more evil lurking in there. Make a new log.
    See How to post your Hijackthis log-files.
  10. samlhop

    samlhop Newcomer, in training Topic Starter

    Thanks for looking at this, RealBlackStuff. I have followed some of your strings in the past and they have been real helpful.
    I thought the first R1 was for a print server.
    The second R1 looks to me like my satellite ISP,
    but this is really way past me.

    When I boot without the R1's, I get halted: "Generic host process for Win32 services". This comes up about 6 times when I go to check my email.
    Thanks for your time. samlhop

    HJT ver. 1.99.0.1. I put the two R1's back; they seem to go with my ISP.
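    Added example, not from the thread and not HijackThis's own logic: a Python parser for the two R1 lines from the log above, run on a constructed three-line excerpt of that log. It splits the WinINet ProxyServer value (either "host:port" or a per-protocol "http=host:port;..." list), classifies where the proxy address lives, and lists the ProxyOverride bypass entries. That makes the reasoning in the exchange above visible: a proxy on 192.168.0.1 is a private (RFC 1918) address, i.e. a device on the user's own network, which fits the gateway or satellite modem the user describes; a proxy pointing at a public address or loopback that the user never configured is what a reviewer would want explained.

```python
import ipaddress
import re

# Constructed sample: the two R1 lines and one O4 line copied from the HijackThis
# log posted above, so the parser runs offline.
SAMPLE_HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;192.168.0.*;<local>
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
"""

# HijackThis R1 lines have the shape "R1 - <registry key>,<value name> = <data>".
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value_name>\w+) = (?P<data>.*)$", re.MULTILINE)


def parse_r1_entries(log_text):
    """Collect the R1 (Internet Settings) entries as {value name: data}."""
    return {m.group("value_name"): m.group("data").strip() for m in R1_RE.finditer(log_text)}


def parse_proxy_server(data):
    """Split a WinINet ProxyServer value into {scheme: (host, port)}.

    The value is either "host:port" (used for every protocol) or a
    semicolon-separated list such as "http=host:port;https=host:port".
    """
    proxies = {}
    for part in filter(None, (p.strip() for p in data.split(";"))):
        scheme, hostport = part.split("=", 1) if "=" in part else ("all", part)
        host, _, port = hostport.rpartition(":")
        if not host:  # no explicit port given
            host, port = hostport, None
        proxies[scheme] = (host, int(port) if port else None)
    return proxies


def classify_proxy(host):
    """Where the proxy lives: loopback, private (RFC 1918 and similar), public, or a hostname."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def review_proxy_settings(log_text):
    """Report each configured proxy with its network location, plus the bypass list."""
    entries = parse_r1_entries(log_text)
    proxies = [
        {"scheme": scheme, "host": host, "port": port, "location": classify_proxy(host)}
        for scheme, (host, port) in parse_proxy_server(entries.get("ProxyServer", "")).items()
    ]
    bypass = [h.strip() for h in entries.get("ProxyOverride", "").split(";") if h.strip()]
    return {"proxies": proxies, "bypass": bypass}


if __name__ == "__main__":
    report = review_proxy_settings(SAMPLE_HJT_LOG)
    for p in report["proxies"]:
        print("%s proxy %s:%s is a %s address" % (p["scheme"], p["host"], p["port"], p["location"]))
    print("bypassed:", ", ".join(report["bypass"]))
```

    The bypass list is worth a glance too: "<local>" and the 192.168.0.* wildcard mean only LAN traffic skips the proxy, so every external HTTP request from this machine goes through 192.168.0.1:87; that is normal for a gateway device, and it is also why removing the R1 lines broke the user's connection until they were put back.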
  11. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Apart from this, your log is as clean as a whistle.

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    Fix it whenever you like, not urgent.
  12. samlhop

    samlhop Newcomer, in training Topic Starter

    Thanks for your time, RealBlackStuff. I read your post on "how to remove", a lot of very helpful stuff. Am I right that the O9 line above should look like this?
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
    The //wwws. looks odd to me, but I'm a neophyte.
    Please take a look at this message that comes up when I start my PC:
    Data Execution Prevention
    To help protect your computer, M.S. has closed this program.
    "Generic host process for Win32 services"
    This is what looks to me like a reference to a minidump file that I got from the M.S. report.
    C:\docume~1\samlhop\LOCALS~1\temp\WER5455.dir00\SVCHOST.EXE.mdmp
    C:\DOCUME~1\samlhop\LOCALS~1\Temp\WER5455.dir00\appcompat.txt
    Should this be a separate post? Probably, but I'm still stuck on the original message that my IP address was the source of spam, and my concern that I had what I would describe as a (trojan or proxy mail server running).
    Any direction at all would be helpful.
    Thanks, samlhop
  13. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Sorry, I rarely read this new members forum, because it is NOT meant to announce your problems, that's what the windows etc. forums are for!
    Clean out everything in your Temp directory, regardless of whatever it is!
    Then see how it goes.
  14. xmaxflix

    xmaxflix Newcomer, in training

    I've noticed that you have a lot of anti-virus/spyware tools installed. I would suggest that you run your email on another computer with one anti-virus on it and re-send all the mails that you are having problems with. I think this will solve it, because in my experience it's not advisable to put on a bunch of spyware tools; one or two is enough.

    Good luck.