HELP- my ISP says I am sending spam

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by floriadakathy, Nov 27, 2006.

  1. floriadakathy

    floriadakathy Private E-2

    I have run everything I can think of to run, so I am sending you my HijackThis log.

    Edit: Hijackthis log removed
     
    Last edited by a moderator: Nov 27, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    As HijackThis is not a full malware scanner and can only pick out certain browser hijacks and a few malwares, it's best to run the full guide below in the order laid out. This way it will not only remove some malware along the way but also collect some valuable logs from which our malware experts here will be able to see what's causing your problem, and then they will post manual removal instructions for you if needed.

    I have removed the Hijackthis log you have already posted as we need it installed, renamed and run as per the steps below.


    Below are our standard cleaning procedures, which are necessary for us to provide you support. They also include steps for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. floriadakathy

    floriadakathy Private E-2

    OK, I have done all of the above, but my ISP is still saying I am sending spam and cannot put this computer back online until the problem is corrected. I'm copying the needed files via jump drive. I ran several online scans just before they pulled my service. I'm at my wits' end; all scans have turned up clean as far as I can see.
    The CCleaner scan, CounterSpy scan and Spybot scans were clean, nothing found.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and run the below to remove Windows Messenger!

    Disable/Remove Windows Messenger


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {5B6C10A2-AE40-A4CB-4ED5-F1CA9F5BE59D} - (no file)
    O2 - BHO: (no name) - {471AC4C7-2FF8-4E52-942E-A20BCC998C7E} - (no file)
    O2 - BHO: (no name) - {5B6C10A2-AE40-A4CB-4ED5-F1CA9F5BE59D} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: http://*.bankofamerica.com
    O15 - Trusted Zone: http://www.drbronner.com
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Program1.EXE
    C:\WINDOWS\eqppl.dll
    C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll


    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now locate the below folder and delete it if found:
    C:\Program Files\Common Files\{3CE4E695-0BFB-1033-0907-050112170001}

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Kathie\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    When you can get back online, you need to do the below!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9
    Mozilla Firefox (1.5.0.8)

    Now install the current version of Sun Java from: Sun Java Runtime Environment
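The list of lines chaslang picked out above follows a fixed HijackThis format: a section code (R0, R3, O2, O4, O9, O15, O16 ...), a separator, then the entry. The ones worth fixing here share a few traits: a registry hook that points at a file that is no longer on disk ("(no file)" / "(file missing)"), the same CLSID registered in more than one place (the R3 URLSearchHook and an O2 BHO above share one), sites added to the IE Trusted Zone, and ActiveX controls pulled from the web. The script below is an added example, not part of this thread and not a MajorGeeks tool: it parses a constructed log (the entries quoted above plus two benign lines, one Java BHO and the QuickTime Run key, so the triage has something to leave alone) and applies those heuristics. The heuristics are assumptions of the example, a first pass that tells you what to look at, not a verdict; a forum helper still reads every line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log: the entries quoted in the post above plus two
# benign lines (a Java BHO and the QuickTime Run key). Not the poster's
# actual HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {5B6C10A2-AE40-A4CB-4ED5-F1CA9F5BE59D} - (no file)
O2 - BHO: (no name) - {471AC4C7-2FF8-4E52-942E-A20BCC998C7E} - (no file)
O2 - BHO: (no name) - {5B6C10A2-AE40-A4CB-4ED5-F1CA9F5BE59D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://*.bankofamerica.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
"""

# "R0 - ..." / "O16 - ...": a section code, " - ", then free text.
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage(entry: Entry) -> None:
    """Attach a reason for each heuristic the entry trips (heuristics are
    this example's own assumptions, not HijackThis output)."""
    low = entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.reasons.append("registration points at a file that is not on disk")
    if entry.code.startswith("R") and entry.body.rstrip().endswith("="):
        entry.reasons.append("browser setting with an empty value")
    if entry.code == "O15":
        entry.reasons.append("site added to the IE Trusted Zone (relaxed security)")
    if entry.code == "O16":
        entry.reasons.append("ActiveX control downloaded from the web (DPF)")


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, the "Running processes:" block, etc.
        code, body = m.group(1), m.group(2)
        c = CLSID_RE.search(body)
        entry = Entry(code, body, c.group(0) if c else None)
        triage(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


def shared_clsids(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSIDs registered under more than one section code: one COM object
    hooked into several places, as with the R3/O2 pair in the sample."""
    seen = defaultdict(list)
    for e in entries:
        if e.clsid:
            seen[e.clsid].append(e.code)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for e in flagged(ents):
        print(f"{e.code:<4} {e.body[:60]:<60} -> {'; '.join(e.reasons)}")
    print("shared CLSIDs:", shared_clsids(ents))
```

Feed it a saved hijackthis.log instead of SAMPLE_LOG and it prints the lines a helper would look at first; entries that survive (the Java BHO and the QuickTime Run key in the sample) are the ones with a real file on disk and no hook into the browser's trust settings.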
     
  5. floriadakathy

    floriadakathy Private E-2

    OK, I followed all directions in the previous post. I could not find (even did a search) C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
    I made sure that all hidden files are viewable. Everything else has been done; here are the new files, and THANKS A LOT for helping me out!!!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I meant to give you a tool to locate that file. You cannot find files in the Downloaded Program Files folder using Windows Explorer or even Windows Search. It is just another stupid idea from Microsoft that gives malware creators an easy hiding place since it is not easily viewable. The file is gone now anyway.

    We are almost done!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now use Windows Explorer to delete:
    C:\WINDOWS\pss\svchost.exe

    I see you did not do my last steps in the previous message to update Sun Java and Firefox. You need to do them now if you can get online!

    Then attach new logs from GetRunKey and ShowNew.

    How is everything working now?
     
  7. floriadakathy

    floriadakathy Private E-2

    Seems to be running much better. I uninstalled Sun Java and Firefox but am not going to go back online with this computer until we are finished; my ISP says that they will permanently close my account if I send any more spam, and I have to make sure there is nothing else in here. I am posting a new HijackThis log because it seems to have gotten longer. What is the O9 - bdoscandel.exe? Also posting the GetRunKey and ShowNew.
    THANKS
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What did you do to Spybot's SDHelper? The below is from it:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    It was fine in your previous log and now it is missing the file. The only way to fix it is to uninstall, reboot, and reinstall.


    Your logs are clean. Are you sure your ISP said you were spamming or did they complain because you are acting like a server?
     
  9. floriadakathy

    floriadakathy Private E-2

    I will redo Spybot, but my ISP said we were sending spam from our IP. But what is this entry?
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing).
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was that their exact words? Or did they say something different? You may need to call them and ask them for specific details, like what IP address or addresses are being spammed. Is it spam, or is it that you are using P2P applications that act like a server, which causes lots of activity upstream towards your ISP? I don't see anything that would cause spamming, and spamming comes from an email application. So unless you have some script hooked into your email application that would not show via these scans, I don't see anything.

    This is for the Bitdefender Online scan that was done. HijackThis is incorrect! The files are not missing.
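Chaslang's point that spam has to leave through something that speaks SMTP suggests a check the scans above do not make: look at which process is opening outbound connections to mail ports. A mail client talks to one relay (the ISP's server); a spambot on the box typically fans out, opening many connections at once to port 25 on unrelated hosts. The script below is an added example, not part of this thread and not a MajorGeeks tool. It parses output in the shape of Windows "netstat -ano" (the sample is constructed, with documentation-range addresses; PID 2312 is the fan-out pattern, PID 1520 is a normal client talking to a relay) and reports PIDs talking to several distinct SMTP servers. The port set, the fan-out threshold and the optional relay whitelist are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed output in the shape of "netstat -ano" on Windows XP.
# PID 2312: many simultaneous connections to port 25 on unrelated hosts
# (what a spambot leaves). PID 1520: one connection to the ISP's relay
# (what a mail client looks like). Addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       203.0.113.10:80        ESTABLISHED     1844
  TCP    192.168.1.5:1101       203.0.113.27:25        SYN_SENT        2312
  TCP    192.168.1.5:1102       203.0.113.88:25        ESTABLISHED     2312
  TCP    192.168.1.5:1103       198.51.100.132:25      SYN_SENT        2312
  TCP    192.168.1.5:1110       198.51.100.25:25       ESTABLISHED     1520
  UDP    0.0.0.0:137            *:*                                    4
"""

# Ports that carry outbound mail: SMTP, SMTPS, submission (assumption).
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Conn:
    local: str
    rhost: str
    rport: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Keep TCP rows (five columns); UDP rows have no State column and
    cannot carry SMTP, so they are skipped along with headers."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        rhost, rport = parts[2].rsplit(":", 1)  # works for [::1]:25 too
        try:
            conns.append(Conn(parts[1], rhost, int(rport), parts[3], int(parts[4])))
        except ValueError:
            continue  # "*:*" style foreign address
    return conns


def smtp_fanout(conns: List[Conn], relay: Optional[str] = None) -> Dict[int, Set[str]]:
    """Distinct remote SMTP hosts each PID is talking to, ignoring a known relay."""
    hosts = defaultdict(set)
    for c in conns:
        if c.rport in SMTP_PORTS and c.rhost != relay:
            hosts[c.pid].add(c.rhost)
    return dict(hosts)


def suspicious_pids(conns: List[Conn], threshold: int = 3,
                    relay: Optional[str] = None) -> Dict[int, int]:
    """PIDs connected to at least `threshold` distinct SMTP servers at once."""
    return {pid: len(h) for pid, h in smtp_fanout(conns, relay).items()
            if len(h) >= threshold}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, n in suspicious_pids(conns).items():
        print(f"PID {pid}: {n} distinct SMTP servers (check it in Task Manager)")
```

On the real machine run "netstat -ano > netstat.txt" from a command prompt while the box is online, feed that file in, and map any PID it reports to a process name with Task Manager or "tasklist". A single connection to the ISP's mail server is normal; the thing to chase is one process with many port-25 connections to hosts that are not your provider. The threshold of 3 distinct servers is the example's assumption; lower it to 1 to list every process touching a mail port.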
     
  11. floriadakathy

    floriadakathy Private E-2

    I had been working to delete whatever was there for about 2 weeks before I posted here; possibly I took care of it before you came into the picture. They even sent me a copy of a spam message from our IP address, it was there. Hopefully it is all gone. I will call them back and let them know I am going back online with this computer, and we will see what happens. Thanks for all your help, I really appreciate it.
     
  12. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Kathy, just a quick question, as something went through my head earlier while assisting someone on the phone with a wireless setup: DO you have a wireless router/modem?

    If so, have you set a WEP or WPA encryption key on the router/modem to stop anyone else connecting to your internet (how to set these will be in your router/modem's instruction manual)? If you have not protected your wireless and someone did connect to your connection, they may be the ones infected and sending out spam/data, and to your ISP it would be on your IP address, thus you get the blame.
     
  13. floriadakathy

    floriadakathy Private E-2

    Nope. Went to a wired hub using different IPs for each computer now. Originally yes, and even though it was secured they said we were sending out spam; the only way to figure out which computer was the problem was to assign a different IP to each through a hub. When I talked to them today and told them I was ready to put this one back online, they said they would call me if any more spam went out from any of the 3 attached to the hub.
     
  14. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    OK good stuff and hope all goes well :)
     
  15. floriadakathy

    floriadakathy Private E-2

    Thanks Again and again
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a DSL connection or cable? And you said you use a hub? Are you sure it is a hub and not a router? DSL and cable providers only give you one IP address for one single PC. If you want to use multiple PCs, you need to use a router with DHCP enabled, or you could set up static IP addresses on the PCs, but you would still need to define them based upon the network set up by your router. The router would be the single physical device connected to your ISP's network and acts as the translator from your home network addresses to the ISP's network.
     
