spam subject looks like recent email subjects

Hi,

I am wondering if any one has a fix for spam that seems to be generated with some knowledge of email I receive\send. This is a home setup where there are 2 computers on a broadband modem with Linksys Router. The XP is a Dell laptop that utilizes wireless and the W2K uses Ethernet. There are 2 active users on the W2K using MS Outlook 2000 and both of them have the same thing happening. The laptop has Outlook 2002. On the Dell laptop I no longer use preview and I have Norton Internet Security 2005 enabled, as well as only receiving email from addresses that are in my address book. So all the spam email goes to the Spam Folder; however it appears to be generated by emails I have just received. What I mean is that if I am emailing with a thread about selling a house, the subject and or the user is now similar to the ones I just sent. User and subject are often almost correct.

Examples are:
User Name = "Kathleen Fitzpatrick" Subject = "So look go angry "

User Name = "Josie Delaney" Subject = "And watch granite canopy "


I suspect that some form of spy ware or ad tracking\data miner is present on my computer. I also understand that the user name is display only. The options shows invalid ip addresses and senders.

I use Spybot and Ad-Aware both with updated DAT files. I have tried the usual scans (including ones from the internet @ Symantec) Nothing shows up, however these annoying emails seem to be ever other email I receive.

Was wondering if any one else has\is experiencing this and if they found a fix. By the way, this is the only type of spam we receive.

Thanks for any help.

Dmack9185

 

Dmack9185--The following is my very personal take on spam--especially the type you describe. I expect/hope someone else will chime in.

Not sure I understand. Does the spam message itself have to do with selling a house (for example), or do you feel those subjects do? " "Kathleen Fitzpatrick" Subject = "So look go angry" " does not seem to have much to do with selling a house to me. But if you have just emailed someone named Kathleen Fitzpatrick, then I would be concerned along the lines you suspect.
(BTW--It is best not to open spam messages, but you can see the text and coding in the message from OE|File|Properties|Details|Message Source. This does not actually "open" the email. When you do that, you will probably see a bunch of gibberish and at some point reference to a .gif file. The .gif file is the purpose of such a spam email. If you were to actually open the email, the .gif file would automatically open (unless you had made settings in OE to not permit images to be shown) and you would see an advertisement. You might also get spyware.)
The subjects for such emails are also usually nonsensical, since their purpose is to avoid spam filters that are looking for references to words like "Free ", "Money ", "Sex ", "Viagra ", etc. that spammers used to use in the old days to get you interested.
You can try to trace and report this type of spam using the following procedure
http://email.about.com/cs/spamgeneral/a/spam_headers.htm
However, it is a pretty long-winded process, and who knows how diligent some webmaster in Poland, for example, will be in pursuing the spammer. And these spammers rarely send mail more than once from the same IP address, so blocking the source, even if you find it, will not stop them from sending more spam.
I do not think there is a good fix for such spam emails for non-commercial PC users, other than to do what you have done--allow only messages from those in your address book or some other Whitelist.
If you want to pursue the possibility that you have spyware on your PC try the procedures here
http://www.windowsbbs.com/showthread.php?t=37074

 

Thank you for your response Welshjim. I knew I would confuse the issue with my examples.

I am familiar with the typical nonsensical subjects, however these seems to almost have a relationship between the nonsense subjects and the emails I am receiving or sending. Thus leading me to believe this is a form of adware and or spyware on our computers that NIS, Ad-Aware or Spybot do not detect.

A worm, or something? This has been going on for several months. I have done many typical removal utilities and procedures. Any way I was hoping someone might have experienced this and figured out a way to kill it

Oh yea, the spam all seems to be advertising the same stuff

 

We can certainly help you poke around for baddies lurking on your PC.

From quicklinks in my signature, get the latest version of Hijackthis, save it to a regular folder (so not a temp folder and not your desktop). Run a scan & log then post the log contents here.

From http://www.sysinternals.com/Utilities/RootkitRevealer.html get the RootkitRevealer utility and run a scan. Set to ignore NTFS metadata files and set to scan the registry. If you see any possible problems from the scan, post the results here as well.

 

Thanks for your response Newt, I have read many a thread with you posting helpful information.

The link to Hijackthis seems to be broken.

I downloaded from C/NET download.com and will try and get a chance to run today.

Dmack9185

 

Here is Hijackthis log. Appears to be some issues. Would appreciate any advice as to what to delete.

Oh Clickyes is:

This program is working very well with OutLook 2002 security prompt; however if it also contains "something" not wanted, I will delete. I really like it, so I hope it isn't an issue.


Logfile of HijackThis v1.99.1
Scan saved at 2:27:38 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\DownloadsMama\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://www.bor-mls.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: G7PS - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\WINDOWS\system32\G7PS.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

End log


Will await advice.......

Thanks,

Dmack9185

 

Hi,

Was wondering why after I posted my Hijackthis log no one responded. Did I post incorrectly or offend anyone? Hopefully not.

Thanks,

Dmack9185