
Thread: blocked ISP due spam

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by steve.milner
    Were you really online from 5.42am to 22.00pm - it seems a long time to be online for a dial up. Did you expect to be online for that time? If not, this could suggest a number of things.
    Logon (utc): 20031121100542
    Logoff (utc): 20031121132200
    I may be wrong here but isn't this from 10:05:42 till 13:22:00?
    Also make sure you calculate your local time using the correct timezone as these times are UTC.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by SirDice
    I may be wrong here but isn't this from 10:05:42 till 13:22:00?
    Also make sure you calculate your local time using the correct timezone as these times are UTC.
    I am being mega-dense today!

    You are correct.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #13
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    It is possible you have been infected by this: http://www.sophos.com/virusinfo/anal...32spybotw.html

    You will note in the details it spreads via MSN and Kazaa and email.

    It can also disable antivirus.

    Read this and check out some of the infection symptoms. If this is the case, you could easily have had your account passwords keylogged, as well as anything else you use! If you think you have this, clean it up & change all your passwords for local and online services.

    And edit your post that has an email address in it, if not the person that owns it is going to be very very annoyed.

    It would be wise to remove your home phone number and IP Addresses as well.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #14
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, sorry, just now saw this. antares65, I think you misunderstood a little about what I meant. When d.e.pollard sent you that email complaining about spam, he should have been able to send you the email he received, with its complete headers intact.

    What I want should look something like this:

    Received: from xx.xx.xx.xx ([xx.xx.xx.xx]) by xxx.xx.xx.xx with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
    id CZVHLN7P; Mon, 12 Jan 2004 12:07:14 -0600
    Return-Path: <bounce+xxxx=xxx.xxx.xxx.xxx@listserv.ihigh.com>
    Received: from yy.yy.yy.yy ([yy.yy.28.5] [yy.yy.28.5]) by zz.zz.zz.zz with ESMTP for xxxxxx@xxxxxxxxxxxxx; Mon, 12 Jan 2004 18:07:08 Z
    Received: from listserv.ihigh.com (listserv.ihigh.com [63.106.143.29])
    by yy.yy.yy.yy (8.12.10/8.12.10) with SMTP id i0CI63SG028136
    for <xxxx@xxxxxxxxxxxxxxxxx>; Mon, 12 Jan 2004 12:06:04 -0600 (CST)
    Received: (from nobody@localhost)
    by listserv.ihigh.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) id MAA19537;
    Mon, 12 Jan 2004 12:57:18 -0500
    Date: Mon, 12 Jan 2004 12:57:18 -0500
    X-Authentication-Warning: listserv.ihigh.com: nobody set sender to bounce+xxxxx=xxxxxxxxxxxxxxxxxxxx@mailer.hostinteractive.com using -f
    To: xxxxxxxxxxxxxx@xxxxxxxxxxxxxxxxx
    Subject: WHITE OUT TOMORROW NIGHT
    MIME-Version: 1.0
    From: bulldogupdate@mstateathletics.com
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Message-Id: <hre1vi.wl7cfr@mailer.hostinteractive.com>

    This will usually provide enough information to determine who actually sent the spoofed email.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
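
    An added example, not part of the post above: one way to read a header block like this is to walk the Received lines oldest-first, normalise every timestamp to UTC, and find the oldest line written by a server you trust, since anything older can be forged by the sender. The hosts, IPs and trusted suffixes are constructed placeholders, and the helper names are hypothetical.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the headers above (placeholder hosts, RFC 5737 IPs).
SAMPLE = """\
Received: from mx.isp.example ([192.0.2.10]) by exch.corp.example with SMTP
    id CZVHLN7P; Mon, 12 Jan 2004 12:07:14 -0600
Received: from relay.isp.example ([198.51.100.5]) by mx.isp.example with ESMTP;
    Mon, 12 Jan 2004 18:07:08 Z
Received: from list.sender.example (list.sender.example [203.0.113.29])
    by relay.isp.example with SMTP id i0CI63SG028136;
    Mon, 12 Jan 2004 12:06:04 -0600 (CST)
Received: (from nobody@localhost) by list.sender.example id MAA19537;
    Mon, 12 Jan 2004 12:57:18 -0500
"""

def parse_hops(raw):
    """Return the Received hops oldest-first, with timestamps normalised to UTC."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # unfold, split off date
        find = lambda pattern: (re.search(pattern, info) or [None, None])[1]
        hops.append({
            "from": find(r"\bfrom\s+([^\s()]+)"),          # name the peer claimed
            "ip": find(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),  # address the receiver saw
            "by": find(r"\bby\s+([^\s()]+)"),              # server that wrote the line
            "utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
        })
    return hops

def clock_anomalies(hops, slack_seconds=300):
    """Indexes of hops stamped earlier than the hop before them (forgery or bad clock)."""
    return [i for i in range(1, len(hops))
            if (hops[i - 1]["utc"] - hops[i]["utc"]).total_seconds() > slack_seconds]

def external_handoff(hops, trusted_suffixes):
    """Oldest hop written by a server we trust; lines older than it can be forged."""
    boundary = None
    for hop in reversed(hops):  # newest first
        if not (hop["by"] or "").endswith(trusted_suffixes):
            break
        boundary = hop
    return boundary

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop["utc"].isoformat(), hop["from"], "->", hop["by"], hop["ip"] or "")
```

    The peer IP on the hop returned by external_handoff is the address to put in an abuse report, together with its UTC timestamp.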

  5. #15
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    nebulus - I have a feeling that the complaint sent by Mr Pollard was to antares' ISP, not to him.

    Steve.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  6. #16
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by steve.milner
    nebulus - I have a feeling that the complaint sent by Mr Pollard was to antares' ISP, not to him.

    Steve.
    I am sure it was, but his ISP should be able to provide that information, or else they have no justification for revoking his access.

    /nebulus\

    EDIT: Heh heh, just started thinking about the subject of the example email I used, and what that was, was an announcement from my alma mater, to show up to the Kentucky basketball game in all white (our school colours are maroon and white) to show team support...just in case anyone was wondering

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #17
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    I don't have any more info about Pollard's e-mail etc. This is what the ISP gave me, but I will contact them to find out more. I ran Norton again and 2 other AV scans, installed Adware and Spybot@Destroy and everything looks clean.
    How can I check whether I have the w32spybot virus?

    Ps. I edited the previous post. Sorry about that.
    Mr. Pollard will go after me for sure now..... hope not

  8. #18
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    To check if you have this worm you need to read around the subject, type W32/Spybot- Removal into Google.

    A quote by Rybad here http://www.computing.net/security/ww...orum/5902.html

    states
    I am pretty sure I have a variation of the W32.Spybot.Worm that infects the task manager and other system tools such as msconfig and regedit, causing them to close automatically. I have all of the same symptoms of this worm (I hit ctrl, alt, delete and it closes by itself no matter what) but Norton DOES NOT detect any viruses. I have done a full system scan twice in safe mode with Norton 2003 completely updated with the latest definitions, and it does not detect anything.

    When I looked further into the issue, I noticed when I took a screenshot of my task manager, it shows an odd EXE running called "msconfig35.exe". I also did a search for this file, and found it in the windows prefetch folder and deleted it, but my problems still continue whenever I come out of safe mode and reboot into windows.

    I have followed the instructions that were posted on this message board and deleted the registry keys that it instructed but the problem still persists. I have already been to the Symantec removal instruction page for the W32.Spybot.Worm but seeing as Norton cannot find the infection, it doesn't help me.

    Does anyone have any information on a possible variation to this infection, and what I can do to get rid of it?

    I would appreciate ANY help right now.

    So symptoms include shutting down straight after CTRL-ALT-DEL and an odd EXE in Task Manager, msconfig35.exe.

    I have found this removal tool later on in that thread, which may be of use if you have it.

    http://www.trendmicro.com/download/tsc.asp

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  9. #19
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Thanks Steve for the info. I did a search on Google as well; so far I don't have any of the symptoms regarding W32 Spybot or the above mentioned msconfig35.
