Spamcop Blacklist

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JLDSystems, Nov 5, 2006.

  1. JLDSystems

    JLDSystems Private E-2

    Hello all,

    It started a week ago when I could not send an email because my IP was blacklisted on spamcop.

    I followed the Read & Run me first procedure. I found several things I believe were corrected.

    I still continue to be blacklisted almost immediately after automatic delisting. And since I have been trying to troubleshoot this problem, SpamBayes no longer filters my Outlook email (I have uninstalled and reinstalled several times) and Firefox can't find the server at en-us.start.mozilla.com (or any other).

    I have 10 PCs connected to the network. How do I figure out which one is the problem if it's not this one?

    Jeff

    Edit: I forgot to attach the files.
     

    Attached Files:

  2. JLDSystems

    JLDSystems Private E-2

    And another file. Note: Runkeys.txt is zero length.
     
  3. matt.chugg

    matt.chugg MajorGeek

    Please post the shownew and runkeys logs.

    NOTE: you need to extract all the files in the zip file or they won't run properly. This is probably why your runkeys is zero bytes.
     
  4. JLDSystems

    JLDSystems Private E-2

    I unzipped shownew and runkeys. I attached newfiles.txt.

    When I run getrunkeys.bat I get the following message:


    ---------------------------
    Notepad
    ---------------------------
    Cannot find the C:\runkeys.txt file.

    Do you want to create a new file?
    ---------------------------
    Yes No Cancel
    ---------------------------


    The command window says:

    find: Windows 2000: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    find: Windows XP: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    find: Version 5: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    find: Windows 95: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    find: Windows 98: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    find: Windows Millennium: No such file or directory
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    Your OS Version is Unsupported
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Sorry for the delay

    Hmm, that's a little odd; the OS finding worked in ShowNew fine and it's exactly the same code. Can you try copying the files to a different location and rerunning them...
     
  6. JLDSystems

    JLDSystems Private E-2

    I extracted the files to a directory c:\test using 7-Zip and Windows, and both times I ran it, I got the same messages and no c:\runkeys.txt file.

    The whole thing is very strange.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached MGtools.zip and extract both the GetRunkey.bat and ShowNew.bat files from it into your C:\Program Files\ShowNew folder. Then try running both of these modified versions. Attach the logs if they run properly.

    You also must rename HijackThis.exe as requested in the READ ME and then attach a new log.

    Did you knowingly install UltraVNC? Is this on all your PCs? Is it password protected?
     

    Attached Files:

  8. JLDSystems

    JLDSystems Private E-2

    I have attached the txt files.

    I will rename the Hijack and attach it to my next post.

    I installed UltraVNC for a client's IT tech to set up a Citrix instance. I was not aware it was running; it's only on this PC; I don't know if it is password protected.
     

    Attached Files:

  9. JLDSystems

    JLDSystems Private E-2

    I tried to use Startup Inspector for Windows to disable UltraVNC but it doesn't show as being on the list of items to run at start-up.

    Jeff
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not load as a normal startup process. It loads as a service. If you don't need it, you would be better off just uninstalling it via Add/Remove programs but before uninstalling it, stop using Startup Inspector to stop it. If you need it, then you should not be disabling it in any form but you must make sure that it is password protected.

    I'm not seeing any malware problems but I do see a few things that should be updated.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 4
    MarketResearch
    Mozilla Firefox (1.5.0.8)
    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Also you need to fix your DOS Path variable. It has a duplicate entry in it. The below appears twice:

    C:\Program Files\Microsoft USB Flash Drive Manager\

    You should delete the duplicate occurrence.
     
  11. JLDSystems

    JLDSystems Private E-2

    Ok, I uninstalled UltraVNC, J2SE and FF 1.5.0.8.

    I could not find an uninstall for MarketResearch, and where do I modify the DOS Path variable? My Config.sys and Autoexec.bat files are empty.

    I then installed the current versions of J2SE and FF.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Start --> Settings --> Control Panel

    Double click System (You may need to change to classic view on XP)

    Click on the Advanced tab

    Click Environment Variables at the bottom

    In the LOWER list, click on the PATH variable and click edit.

    Edit out the duplicate text and click OK!


    See if you can find and uninstall MarketResearch with the below:

    Your Uninstaller! 2006
     
  13. JLDSystems

    JLDSystems Private E-2

    I modified the path variable. "MarketResearch" did not show as a program I could uninstall with Your Uninstaller 2006 or SAFARP or Windows Add/Remove.

    Do you know what publisher it would be listed under?

    My IP is still being regularly blocked by spamcop. Do you know a way I could monitor my network and determine which computer is the culprit?

    Jeff
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know! I would like to know myself where it is coming from and what it is for. I see it on a lot of PCs. I have a feeling it may be due to stuff people use on their PC, like possibly eBay!! Do you use eBay?

    Run this Getting Uninstall Programs List From The Registry and attach the requested log.


    The below tool is one of the best tools to use for capturing and decoding packets.

    Wireshark (Formerly Ethereal)

    More useful tools like this can be found here:

    http://www.majorgeeks.com/download.php?det=4449
     
    Last edited: Nov 19, 2006
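Jeff's actual question in post 13 is which of the ten PCs is the one sending the spam. Wireshark will show the traffic, but on a busy LAN it helps to reduce the capture to one line per outbound SMTP connection attempt and count them per source host: a workstation should hand mail to the site's relay, not open TCP/25 to dozens of outside hosts itself. The script below is an added example, not part of the thread or of any tool it links. It assumes the capture was first reduced with tshark (part of Wireshark) to tab-separated `epoch, src, dst, dstport` fields, roughly `tshark -r lan.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`; the sample lines, the 192.168.1.0/24 LAN, the relay at 192.168.1.2 and the external addresses are all constructed for illustration.

```python
"""Rank LAN hosts by outbound SMTP (TCP/25) connection attempts.

Added example (not from the thread). Input is tshark field output reduced to
SYN packets to port 25; the lines below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: "epoch<TAB>src<TAB>dst<TAB>dstport", one line per SYN.
# 192.168.1.2 plays the site's mail relay; 203.0.113.x / 198.51.100.x are
# documentation addresses standing in for outside mail servers.
SAMPLE_LINES = """\
1162700001.1\t192.168.1.10\t192.168.1.2\t25
1162700002.3\t192.168.1.23\t203.0.113.5\t25
1162700002.9\t192.168.1.23\t203.0.113.77\t25
1162700003.2\t192.168.1.23\t198.51.100.12\t25
1162700003.8\t192.168.1.2\t203.0.113.200\t25
1162700004.0\t192.168.1.23\t198.51.100.40\t25
1162700004.4\t192.168.1.15\t192.168.1.2\t25
this line is malformed and is skipped
1162700005.1\t192.168.1.23\t203.0.113.9\t25
1162700006.0\t192.168.1.40\t203.0.113.20\t25
"""


def parse_records(text):
    """Parse tshark field lines into (epoch, src, dst, dstport); skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            records.append((
                float(parts[0]),
                ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]),
                int(parts[3]),
            ))
        except ValueError:
            continue
    return records


def rank_smtp_senders(records, lan, relays=()):
    """Count direct-to-Internet SMTP attempts per LAN host.

    Only connections from inside `lan` to port 25 on hosts outside `lan`
    count; hosts listed in `relays` (the legitimate mail server) are ignored.
    Returns [(src_ip, attempts, distinct_destinations)] with the busiest
    host first.
    """
    lan_net = ipaddress.ip_network(lan)
    relay_set = {ipaddress.ip_address(r) for r in relays}
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for _ts, src, dst, dport in records:
        if dport != 25 or src not in lan_net or dst in lan_net or src in relay_set:
            continue
        attempts[src] += 1
        destinations[src].add(dst)
    rows = [(str(s), attempts[s], len(destinations[s])) for s in attempts]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def suspects(ranked, min_attempts=3):
    """Hosts whose direct outbound SMTP count is high enough to look at first."""
    return [row for row in ranked if row[1] >= min_attempts]


if __name__ == "__main__":
    ranked = rank_smtp_senders(parse_records(SAMPLE_LINES), "192.168.1.0/24",
                               relays=["192.168.1.2"])
    for src, n, distinct in ranked:
        print(f"{src:<16} {n:>4} attempts  {distinct:>3} distinct destinations")
    print("look at first:", suspects(ranked))
```

Run against a real capture, the host at the top of the list is the one to pull off the network and inspect; a relay-only policy on the router (allow TCP/25 out only from the mail server) both stops the listing and makes any later infection show up immediately as blocked connections in the router log.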
  15. JLDSystems

    JLDSystems Private E-2

    I found MarketResearch in the much shorter install list from my wife's notebook. I found it in Spybot - Search & Destroy -> Tools -> Uninstall Info.

    The info there:

    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    ----CUT HERE----

    MarketResearch 60.0.155.000 ({AAA11090-6E99-4655-AAF5-57EB5F677D0C})
    version: 1006633115
    version (major): 60
    estimated size: 3384
    install date: 20061020
    install source: D:\setup\MarketResearch\
    publisher: Hewlett-Packard

    ----CUT TO END----


    The install date shown would be when I purchased and installed my new HP Color LaserJet 2605dn.

    Wireshark is really cool! I have to explore it more, but I would like to be able to show a real-time graphical display of the activity broken down into different IPs and protocols.

    Jeff
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Another stupid idea from a big company! They should know better. Whatever this is, it does not belong on your PC and they should not install it without your permission or knowledge and it should have an uninstall program. By the name it sounds like something they use for research but it could be a form of spyware (like checking up on things you use or do for their own research). Please get me the log I requested. It may give me some more info.

    Take a look thru the other tools in the link I gave you.

    You may also find some other useful tools here:

    http://www.majorgeeks.com/NetPeeker_d4557.html
     
  17. JLDSystems

    JLDSystems Private E-2

    GetRunkey file
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like HP put a whole bunch of silly-named stuff into your registry (you can see a bunch of stuff from them by looking in this file). It sure would be nice to know what all this crap is supposed to be used for and why it is necessary. And an even bigger question is why they don't put their name in front of it so it can be recognized as belonging to them.
     
