
outlook express has been hacked and sends out junk emails

Discussion in 'Malware and Virus Removal Archive' started by Richie Ablaze, 2007/01/16.

  1. 2007/01/16
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    My Outlook Express has been hacked. It sends out millions of spam emails from email addresses that don't exist but that use my domain name. My domain name is www.ablazegraphics.co.uk and I use a couple of email addresses to do with this. I also have a 'catch all' email address; this catch-all has been filling up with 'bounced' emails from these spammers. For example, I get returned emails from names like: aseffefwF@ablazegraphics.co.uk or similar rubbish.
    This all started in the summer after my Outlook Express mysteriously crashed and I lost all of my emails from the past 5 years (although the address book etc. was still there and working fine). I literally spend about an hour or two a day deleting these bounced junk emails.
    I use a send mail program that allows me to send emails from Outlook Express using any internet service provider (useful as I am often out and about using wi-fi etc.). Sometimes this crashes from the sheer volume of junk emails that my Outlook is trying to send out and I can see a long list of emails in it. This makes me certain that my computer is definitely doing the sending and it's not just someone using my domain name as a fake email address.

    Can I take someone to court about this? How do I find out who has hacked me? I can see what the emails are advertising, so this would point to an obvious villain. But does this prove anything?
    Also how can I stop this and how did it happen in the first place?

    Any information at all would be greatly appreciated as this is driving me mad.
     
  2. 2007/01/17
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    I have moved your post to the Removing Spyware & Viruses forum.

    Read this post, then post a HijackThis log here.
     

  4. 2007/01/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    As Arie stated, let's get some info about what may be on your system.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     
  5. 2007/01/17
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 16:15:46, on 17/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\System32\FTRTSVC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Launch Manager\QtDTAcer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\TP-LINK\TWCU\TWCU.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtDTAcer.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
    O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [OBSWATCH] C:\PROGRA~1\OrangeBs\Watch.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340 "
    O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "rich "
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: ConferenceRoom Java Client - http://www.mtv.co.uk/mtv.co.uk/chat/java/cr.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://www.xzoomy.com/media/hoover/fullgames2.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab50997.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/03c31e3d2cef81b1f906/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab50997.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  6. 2007/01/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Ok, I'm seeing two ActiveX components which do not belong. We'll remove them and also install Port Explorer so we can see what process is doing what and it will show where each is connecting to as well.

    Port Explorer

    Just follow the install prompts to get it running. To see what each one is connecting to, you can highlight an entry, right-click it and it will give you several options to track the IP. Needless to say, this is something you'll have to do on your own. Anything going to any far off country, like Romania, Russia and those type of places is likely to be rogue.


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157



    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://www.xzoomy.com/media/hoover/fullgames2.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/03c31e3d...p/RdxIE601.cab



    Reboot and post a new HJT log back into this thread please.
     
  7. 2007/01/17
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    Thank you so much for taking the time and trouble to help me out. You are a real life saver.

    I have installed and run the Port Explorer program.
    I don't really know what to do with the information it is showing me. I have read the help file and apparently the ones highlighted in red are invisible programs that may be trojans. I have spotted a few reds but they seem to keep disappearing and reappearing. I also get some highlighted in green, but I don't know what that means.
    All of them seem to be in either the UK or the USA or some don't have a country.

    Btw, what is svchost?
     
  8. 2007/01/17
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    most of the programs running seem to be coming from either:



    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 224.0.0.0 - 239.255.255.255
    CIDR: 224.0.0.0/4
    NetName: MCAST-NET
    NetHandle: NET-224-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: FLAG.EP.NET
    NameServer: STRUL.STUPI.SE
    NameServer: NS.ISI.EDU
    NameServer: NIC.NEAR.NET
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 3171 for additional information.
    Comment:
    RegDate: 1991-05-22
    Updated: 2002-09-16

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org

    # ARIN WHOIS database, last updated 2007-01-16 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.



    or




    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-proposal-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag

    % Information related to '158.152.0.0 - 158.152.255.255'

    inetnum: 158.152.0.0 - 158.152.255.255
    netname: DEMON-NET
    descr: DEMON INTERNET
    country: GB
    admin-c: DHG5-RIPE
    tech-c: DIHD-RIPE
    rev-srv: ns0.demon.co.uk
    rev-srv: ns1.demon.co.uk
    rev-srv: ns2.demon.net
    status: ASSIGNED PI
    mnt-by: RIPE-NCC-HM-PI-MNT
    mnt-lower: RIPE-NCC-HM-PI-MNT
    source: RIPE # Filtered

    role: Demon Hostmaster Group
    address: Thus plc
    address: Gateway House
    address: 322 Regents Park Road
    address: Finchley
    address: N3 2QQ London
    address: UNITED KINGDOM
    phone: +44 845 272 0666
    fax-no: +44 845 270 0097
    e-mail: hostmaster@demon.net
    admin-c: AP6129-RIPE
    admin-c: MB4
    admin-c: EJ343-RIPE
    admin-c: CO401-RIPE
    admin-c: GF3634-RIPE
    tech-c: MD1601-RIPE
    nic-hdl: DHG5-RIPE
    mnt-by: AS2529-MNT
    source: RIPE # Filtered

    role: Demon Internet Helpdesk
    address: Demon Internet / Thus plc
    address: Anchorage House
    address: 2 Clove Crescent
    address: East India Dock
    address: E14 LONDON
    address: UNITED KINGDOM
    remarks: 24x7 Operations Helpdesk
    phone: +44 800 027 6166
    fax-no: +44 20 7517 3438
    e-mail: dsoc@demon.net
    admin-c: DHG5-RIPE
    tech-c: AF10693-RIPE
    tech-c: JB222-RIPE
    nic-hdl: DIHD-RIPE
    mnt-by: AS2529-MNT
    source: RIPE # Filtered

    % Information related to '158.152.0.0/16AS2529'

    route: 158.152.0.0/16
    descr: DEMON-NET
    origin: AS2529
    remarks: *********************************************************
    remarks: * ABUSE CONTACT: abuse@demon.net IN CASE OF INTRUSIONS, *
    remarks: * ILLEGAL ACTIVITY, ATTACKS, SCANS, PROBES, SPAM, ETC. *
    remarks: *********************************************************
    mnt-by: AS2529-MNT
    source: RIPE # Filtered


    When I visited the RIPE website, it had various articles on it to do with spoofing. I am pretty confused as to what it is I need to do to work out who has hacked my Outlook Express. I guess it is something to do with the companies advertised.
     
  9. 2007/01/17
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    The ones highlighted in red (and green sometimes) appear and disappear very quickly. The IP address associated with them is 127.0.0.1
    This corresponds to the info in the above post:


    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US
     
  10. 2007/01/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, well what programs are going to those sites?

    Btw, where are you located?

    And I don't think you're going to be able to fix this, as it's not coming from your machine. If it were, your ISP would have shut you down.

    You can see in a blog post by Alex Eckelberry of Sunbelt Software that he had it happen as well. Then read the comments; several others had a similar thing happen and there is no resolution really.
     
  11. 2007/01/17
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    I am even more convinced that they are being sent from Outlook Express on my computer, because I use a separate SMTP (send mail program http://www.softstack.com/freesmtp.html) to my ISP's one, as I work from a laptop and am always out and about using different internet connections. Sometimes this SMTP program gets so bogged down with spam emails that it's sending that it crashes and freezes; when I click over to it I can see a load of spam emails waiting to be sent.
    Actually this makes me think that maybe it's my SMTP program that has been hacked. This would explain why I only see the emails there and not in Outlook (except the bounced ones).

    Is there any kind of legal action that can be taken against this kind of thing? Obviously the companies being advertised must have something to do with it; even if it's an affiliate, they must be able to identify who it is.
    If anyone has any further info on this, please let me know.

    Also I haven't completed using HijackThis a second time. Is there anything else I should do before I do this?
    Regards
    Rich
     
  12. 2007/01/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well it's likely you will never find out who is doing this, I don't think I have ever heard of anyone being tracked down.

    They are in some backwash country with no regulation at all.

    Your only solution is to reformat the machine. But I'm still of the mind if your machine was sending out that level of spam, your ISP would have already closed the account.

    Good luck.
     
  13. 2007/01/18
    Richie Ablaze

    Richie Ablaze Inactive Thread Starter

    Joined:
    2007/01/16
    Messages:
    7
    Likes Received:
    0
    I think my ISP is probably unaware of the level of spam being sent as I don't use its SMTP details. I use a separate SMTP program which allows me to send emails regardless of what ISP I am using to connect to the internet with
    http://www.softstack.com/freesmtp.html
     
  14. 2007/01/22
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    It could very well be the program has a flaw that's being exploited.

    Stop using it & remove it from your computer.
     
  15. 2007/02/18
    Frankie

    Frankie Inactive

    Joined:
    2007/02/18
    Messages:
    1
    Likes Received:
    0
    Hi Richie, just found this site and joined today. I'm having the same problem as yourself, although probably to a lesser degree.

    I thought my email programme (outlook) had been hijacked, as I was getting bounced back mail just like yourself.

    I decided to do a complete reinstall of Windows XP and start afresh.

    After a reformat and new Windows XP install, I went onto Windows Update to make sure I had everything set up just right.

    I then set up my email, but this time set up Outlook Express instead of Outlook, and guess what.........


    I still have the same problem!!!!


    So it seems logical to me that the problem is not within my system at all.

    Somewhere, someone must be using my mail address, using different prefixes, and when they get bounced they come back to me.

    Other than abandoning this email address (which has been my main for the last 5 or 6 years) I'm not sure there is anything else that can be done.

    Hope this experience of mine helps you in some way.

    Frank.
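
The thread turns on one question: are the bounces caused by mail sent from the poster's own machine, or by mail sent elsewhere with a forged sender address? As an added example (not part of any post above, and not a tool anyone in the thread used), this Python code reads the original headers returned inside a bounce and compares the IP address recorded by the bouncing server with your own address range. The sample bounce, example.org, the function names and the 192.0.2.0/24 and 203.0.113.0/24 addresses are all constructed, and it assumes a multipart/report bounce that includes the original headers.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample bounce (multipart/report). Hosts, addresses and IPs are
# made up; the IPs come from the documentation ranges.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@mx.recipient.example
To: qzxv@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from laptop ([{ip}])
\tby mx.recipient.example with SMTP; Wed, 17 Jan 2007 16:15:46 +0000
Received: from example.org ([192.0.2.1]) by relay.invalid; Wed, 17 Jan 2007 16:00:00 +0000
From: qzxv@example.org
To: nobody@recipient.example
Subject: constructed sample

--b1--
"""
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def make_bounce(client_ip):
    """Fill the constructed sample with the IP the bouncing server saw."""
    return BOUNCE_TEMPLATE.format(ip=client_ip)

def returned_headers(bounce_text):
    """Return the original message (or its headers) carried inside a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def handoff_ip(original):
    # Assumption: only the topmost Received header is trusted, because the
    # bouncing server wrote it. Lower ones were supplied by the sender and
    # can be forged (the sample's second Received line is such a forgery).
    received = original.get_all("Received", [])
    match = BRACKETED_IPV4.search(str(received[0])) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def classify(bounce_text, my_domain, my_networks):
    """Return (verdict, ip) for one bounce."""
    original = returned_headers(bounce_text)
    ip = handoff_ip(original) if original is not None else None
    if ip is None:
        return ("undetermined", None)
    if any(ip in ipaddress.ip_network(net) for net in my_networks):
        return ("sent-from-own-network", str(ip))
    sender = parseaddr(str(original.get("From", "")))[1].lower()
    if sender.endswith("@" + my_domain.lower()):
        return ("forged-sender-backscatter", str(ip))
    return ("unrelated", str(ip))
```

For a laptop that delivers mail directly over whatever connection it is on, `my_networks` has to list the public addresses of those connections at the time the mail was sent.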
     
