3 replies to this topic

#1 kameel


  • Members
  • 10 posts
  • Local time:01:02 PM

Posted 22 August 2005 - 09:23 PM

In the past few months I have been receiving a lot of spam. I reported some of it to my mail client (Tiscali). Since then it has diminished, but now every time I send out an email from my main email address I get a bounce. I even opened a yahoo.co.uk account to send the ones that bounced. Now that one is bouncing as well. I went into msconfig and disabled (ie.exe, gosoxo.exe, and etytojacu.exe) only because I didn't recognize them. ie.exe was the only file to come up with info on Google. The other two files I couldn't find anything on other than in German. :thumbsup: Below is an example of a bounced email. Can anyone help me please? I don't know how I was put in this database. I don't send out mass mails or spam (that I'm aware of).

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

SMTP error from remote mailer after RCPT TO:<info@commercialsuicide.org>:
host smtpin.commercialsuicide.org []:
550 5.7.0 Your server IP address is in the SORBS DNSBL database, bye

------ This is a copy of the message, including all the headers. ------

Return-path: <stephanie_thomas@tiscali.co.uk>
Received: from dsl-80-41-163-223.access.as9105.com ([]:4034 helo=robbcff8b2b9e1)
by mk-smarthost-8.mail.uk.tiscali.com with smtp (Exim 4.30)
id 1E7Lp6-000IIb-Bg
for info@commercialsuicide.org; Mon, 22 Aug 2005 23:35:24 +0000
Message-ID: <007901c5a772$1303be90$dfa32950@robbcff8b2b9e1>
From: "Stephanie Brierley" <stephanie_thomas@tiscali.co.uk>
To: <info@commercialsuicide.org>
Subject: vocals
Date: Tue, 23 Aug 2005 00:34:43 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Would you be interested in another vocalist?=20

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv=3DContent-Type content=3D"text/html; =
<META content=3D"MSHTML 6.00.2800.1515" name=3DGENERATOR>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Would you be interested in another =
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>SB</FONT></DIV></BODY></HTML>


No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.13/78 - Release Date: 19/08/2005




#2 Leurgy


    Voted most likely

  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:01:02 PM

Posted 23 August 2005 - 09:37 AM

I suspect that you have some malware problems. The best idea is to submit a HiJack This log for our team to review, in order to rule this in or out. See How to submit a Hijackthis Log and follow the instructions. Please wait after posting your log to receive a reply as our team is very busy and by posting a reply your log will move to the back of the line again.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool

#3 jgweed


  • Staff Emeritus
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:01:02 PM

Posted 23 August 2005 - 02:46 PM

550 5.7.0 Your server IP address is in the SORBS DNSBL database, bye

This may explain the blocking:


Whereof one cannot speak, thereof one should be silent.

#4 kameel

  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:02 PM

Posted 23 August 2005 - 05:12 PM

I've already posted my log on the Log forum. I've also been to the SORBS website and searched my own email addresses and I have searched my IP. They are not listed. I don't quite understand what IP they are sending back in the bounced email. That IP is not mine but some other IP which is listed in SORBS.

Correction from first post... the file is called "ip.exe". I'm not sure if it has changed its name since I re-enabled the files in msconfig or not. I still can't find any of the files listed in msconfig in my hard drive file search (with hidden files viewable).

Here is my log file as well so you don't have to search it.

Logfile of HijackThis v1.99.1
Scan saved at 14:38:41, on 24/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe
O4 - HKLM\..\Run: [qgqqft] C:\WINNT\SYSTEM32\etytojacu.exe
O4 - HKLM\..\Run: [ip] ip.exe
O4 - HKLM\..\Run: [fqfeqajw] C:\WINNT\SYSTEM32\gosoxo.exe
O4 - HKLM\..\RunServices: [ip] ip.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: Shortcut to dslmon.exe.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9589F3FD-C998-4058-B5C7-9F9AC4C35B6A}: NameServer =
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: rarvd - Unknown owner - \\\ADMIN$\ip.exe" -service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks in advance.

Edited by kameel, 24 August 2005 - 08:46 AM.
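
One way to triage the autostart lines of a log like the one above, added here as an example (not part of the original thread, and not HijackThis's or BleepingComputer's own method): it groups O4 and O23 entries by executable and flags an image that is registered in more than one autostart location or sits behind a service marked "Unknown owner" or "(file missing)". The regular expressions and both heuristics are assumptions; a flag is a reason to look closer, not a verdict, and randomly named files such as gosoxo.exe are listed but not judged.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (autostart lines only).
LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qgqqft] C:\WINNT\SYSTEM32\etytojacu.exe
O4 - HKLM\..\Run: [ip] ip.exe
O4 - HKLM\..\Run: [fqfeqajw] C:\WINNT\SYSTEM32\gosoxo.exe
O4 - HKLM\..\RunServices: [ip] ip.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: Shortcut to dslmon.exe.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: rarvd - Unknown owner - \\\ADMIN$\ip.exe" -service (file missing)
"""

# Assumed line shapes, derived from the entries visible in this log.
O4 = re.compile(r"^O4 - (\S+): .*?(?:\] | = )(.+)$")      # location, command
O23 = re.compile(r"^O23 - Service: .+ - (.+?) - (.+)$")    # owner, command
EXE = re.compile(r"([^\\\"]+\.exe)", re.I)                 # basename of the image


def triage(log):
    """Return (locations, reasons): where each image autostarts, and why it is flagged."""
    locations, reasons = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        m4, m23 = O4.match(line), O23.match(line)
        if m4:
            where, owner, cmd = m4.group(1), "", m4.group(2)
        elif m23:
            where, owner, cmd = "O23 service", m23.group(1), m23.group(2)
        else:
            continue
        exe = EXE.search(cmd)
        if not exe:
            continue
        image = exe.group(1).lower()
        locations[image].add(where)
        if owner == "Unknown owner":
            reasons[image].add("service with unknown owner")
        if "(file missing)" in cmd:
            reasons[image].add("file missing on disk")
    for image, where in locations.items():
        if len(where) > 1:  # same image wired into several persistence points
            reasons[image].add("registered in %d autostart locations" % len(where))
    return dict(locations), dict(reasons)
```
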
