Roadrunner Complaint

bonkers72

I got this e-mail from my service provider. Is this legit? I have three computers in my home, using a router. I check them all every week or so for spyware, malware, etc., using Malwarebytes, Spybot, SUPERAntiSpyware, running virus scans, keeping them clean. How can I find out, or know for sure, if one of them is in fact infected? Is there a program I can use to test one of my PCs? Thanks for the help.


Road Runner has received complaints (with data) showing that a computer connected to
the cable modem assigned to your Road Runner account has been used to send mass
quantities of SPAM or UCE (unsolicited commercial email).

After reviewing the complaint data, it appears that your PC may be infected with malicious
software and is being hijacked and used as a "zombie" mail relay (or as part of a "botnet").
A botnet is a network of zombie computers that are infected with code that allows an unauthorized user
to control them via the Internet. These computers can be used to spread spam, launch denial-of-service
attacks against web sites, and conduct fraudulent activities.


The following news link provides additional information:


http://www.rrsecurity-abuse.com/index.php


NOTE: If you are experiencing problems with the links provided in this message, try copying
and pasting them into the address bar of your browser window.


If you're sure no one has used your computer to send SPAM, then your PC is probably infected
with malware and is actively being exploited.

Please note that these messages are most often NOT being sent from your email address or
email application, but rather from a piece of malicious software running on your PC. You may have
also noticed your PC running slowly or acting strangely due to this activity. Here's a link that might be helpful.

http://vil.nai.com/vil/averttools.aspx

Due to the difficulty in locating and identifying these malware components, we recommend that you
reinstall your operating system or have your computer professionally serviced as most antivirus programs
rarely detect these types of problems.



Because this activity does put our network at risk, as well as the service of our other customers, we do ask that you
reply to this email indicating action has been taken to resolve this issue. Additional complaints of this type may result
in the temporary interruption (without prior notice) of your service until the PC has been secured.

Thank you in advance for your cooperation in helping stop the spread of this problem.

Sincerely,

TW Wisconsin Road Runner Abuse Team
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Win 7 Premium 64 Bit
CPU
2.67 gigahertz Intel Core2 Duo
Motherboard
Gigabyte EP45-UD3R
Memory
8192 Megabytes (8 gig) Crucial BallistiX
Graphics Card(s)
NVIDIA GeForce 6600
Sound Card
Integrated Realtek High Definition Audio
Monitor(s) Displays
BenQ FP93GX
Screen Resolution
1280 x 1024
Hard Drives
WDC WD6401AALS-00L3B2 640 gig (Internal)
PSU
Corsair TX 750W
Case
Cooler Master
Cooling
Stock case fan / Intel Processor fan
Keyboard
Wireless Logitec
Mouse
Wireless Logitec 505
Internet Speed
U 9.01 / D 1.4
Antivirus
Avast!
Browser
Internet Explorer 10
Other Info
PLEXTOR DVDR PX-880SA ATA Device [Optical drive] x2
Accent Acoustics speakers w/sub.
BIOS: Award Software International, Inc. F9 04/16/2009

TBH, it does sound legit. Botnets are notoriously difficult to find even with current AV defs and knowledge. It is often the best course of action to format and re-install.

Ken
 

My Computer

Computer Manufacturer/Model Number
HP Pavillion dv-7 1005 Tx
OS
Win 8 Release candidate 8400
CPU
[email protected]
Memory
4 gigs
Graphics Card(s)
Nvidia 9600M
Sound Card
HD built-in
Monitor(s) Displays
17" Wxga
Screen Resolution
1440x900
Cooling
none
Internet Speed
45Mb down 5Mb up
Give them a call. If it is legit they'll tell you one way or the other.

Also if it is legit and you don't get it fixed, the next time they contact you will probably be to tell you that you have been disconnected until such a time as it is fixed.

How can I find out, or know for sure if one of them is in fact infected?

From the looks of it you have pretty much covered the basics, and now it's time for some expert help. If you don't have it, grab HijackThis:

HijackThis - Trend Micro USA

and post the logs at any of the forums listed on the left.

Also if you haven't yet, check your router logs and see which of the computers is generating an unusual amount of traffic.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Me
OS
Win 7 Ultimate x64
CPU
FX-8350 @ 4.6 GHz so far
Motherboard
Asus M5A97 EVO
Memory
ADATA XPG V1 Series Black 8GB DDR3 1600
Graphics Card(s)
Sapphire R9 270x Dual-X
Sound Card
Xonar DGX w/ Corsair Vengence 1300
Monitor(s) Displays
Acer S232HL Abid
Screen Resolution
1920x1080
Hard Drives
120 GB OCZ Vertex 3
500 GB Seagate 7200.12
PSU
Antec Earthwatts 650W Green
Case
Antec Three Hundred
Cooling
Cooler Master 212 EVO
Keyboard
Logitech G510
Mouse
Logitech G500s
Internet Speed
35000/3000
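The router-log check suggested above, worked through as an added example that is not from the thread or from any router vendor: the Python below reads firewall-style connection log lines (a constructed sample; the field layout is an assumption) and reports, per internal host, how many outbound TCP/25 connections it made and to how many distinct mail servers. The distinction matters because a normal mail client talks to one or two servers (the ISP's), while a spam bot opens connections straight to many remote mail servers.

```python
import re
from collections import defaultdict

# Constructed sample of router/firewall connection-log lines (not from the thread;
# the field layout is an assumption, modelled loosely on iptables-style logging).
# 192.168.1.12 is the host that opens direct SMTP connections to many servers.
SAMPLE_LOG = """\
2010-05-18 00:15:02 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP DPT=443
2010-05-18 00:15:03 SRC=192.168.1.12 DST=198.51.100.7 PROTO=TCP DPT=25
2010-05-18 00:15:03 SRC=192.168.1.12 DST=198.51.100.8 PROTO=TCP DPT=25
2010-05-18 00:15:04 SRC=192.168.1.12 DST=198.51.100.9 PROTO=TCP DPT=25
2010-05-18 00:15:04 SRC=192.168.1.11 DST=203.0.113.20 PROTO=TCP DPT=80
2010-05-18 00:15:05 SRC=192.168.1.12 DST=198.51.100.10 PROTO=TCP DPT=25
2010-05-18 00:15:05 SRC=192.168.1.12 DST=198.51.100.11 PROTO=TCP DPT=25
2010-05-18 00:15:06 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP DPT=25
2010-05-18 00:15:07 SRC=192.168.1.12 DST=198.51.100.12 PROTO=TCP DPT=25
2010-05-18 00:15:08 SRC=192.168.1.12 DST=198.51.100.13 PROTO=TCP DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def summarize_smtp(log_text):
    """Per internal host: (number of outbound TCP/25 connections, distinct destinations)."""
    counts = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate lines in another format
        if m["proto"] != "TCP" or int(m["dport"]) != 25:
            continue
        counts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {src: (counts[src], len(dests[src])) for src in counts}


def flag_mass_mailers(summary, min_connections=5, min_distinct=3):
    """Hosts whose SMTP volume and spread look like a bot rather than a mail client.

    The thresholds are assumptions for this example; tune them to the log window.
    """
    return sorted(src for src, (n, d) in summary.items()
                  if n >= min_connections and d >= min_distinct)


if __name__ == "__main__":
    summary = summarize_smtp(SAMPLE_LOG)
    for src, (n, d) in sorted(summary.items()):
        print(f"{src}: {n} SMTP connections to {d} distinct servers")
    print("flagged:", flag_mass_mailers(summary))
```

The ISP only ever sees the cable modem's public address, so a log taken on the home side of the router is the one place that can tell the three machines apart. Many consumer routers show only the current NAT table rather than a history, so the same tally may have to be collected over several snapshots before a pattern is clear.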
Well, it could be legit or it could be totally BS.

I had an issue with my ISP where they banned my internet and said I had a virus, which I did not.

How they determine these things is by port scanning, which is a very old method; it's not accurate and you get many false positive results. They usually monitor the ports, and when certain ports open they deem that a virus or a hacker, when in lots of cases it could be from certain software or home networking devices. An example would be: there are programs for the iPhone which let you use the screen as a touchpad mouse on the PC. The software opens specific ports to connect to your network. The ISP may look at this and think you are being hacked or a virus is doing it. When they port scan they send packets through to see what's going on, and if the port is in use by a legitimate use they will get a packet loss and think it's something bad.

But again, this method could be right. The ISP will always claim they are 100% right even if they're not, so the best option is to just reformat your PC.
 

My Computer

OS
Windows 7 Ultimate 64bit
CPU
AMD Phenom II X4 945 @3.0ghz
Motherboard
Asrock
Memory
4gb kingston hyperX
Graphics Card(s)
1gb Radeon HD 5670
I have to issue these all the time for the ISP I work for.
 

My Computer

Computer Manufacturer/Model Number
Toshiba L505
OS
Windows 7 64x
CPU
AMD Turion II Dual-Core Mobile M520 2.30 GHz
Memory
4GB
Graphics Card(s)
ATI Radeon HD 4200
Hi, bonkers72.

A search on the URL in the e-mail you received does show that it belongs to Time Warner and a DNS check of the domain name shows it as belonging to Time Warner Cable (Tools).

Although it may be possible to clean your computer (HijackThis will not be of much help in this case) it is most likely that you have one or more backdoor trojans on the computer. In which case, I agree with Ken that your best option is a format/reinstall of the operating system.

If you do banking or other secure operations on the infected computer, I suggest you go to a clean computer and change your passwords. Also change the password for your e-mail account.
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
Well... it looks like I found the infected PC. My son's WAS the culprit. I had replies to this thread before I could cancel it. Thanks for all the responses. It had a trojan and some other malware on it. Looks like I need to follow up daily on his PC. Malwarebytes removed some trojans, SUPERAntiSpyware removed some as well, and HouseCall virus scan removed a hard one as well. Re-scanned the whole system and everything seems clean... except 1 TROJAN.ROOTKIT/GEN.PROCESS. Any way I can get rid of this? Don't want to reinstall!! Thanks. Oh... and I just thought of something... his O.S. is XP Home. Sorry for posting it here.
 

I'm glad you found the offending computer. I hope you got it all.
 

My Computer

Computer Manufacturer/Model Number
Home built
OS
Windows 7 Ultimate 32 bit
CPU
Intel(R) Pentium(R) 4 CPU 3.00GHz
Motherboard
ASUS P4P800-VM Motherboard Chipset: Intel 865G + ICH5
Memory
2.50 GB RAM
Graphics Card(s)
NVIDIA GeForce 7600 GS
Sound Card
SoundMax Integrated Digital Audio (Chip)
Monitor(s) Displays
ViewSonic VX 1962 wm
Screen Resolution
1680 X 1050
Hard Drives
Seagate Barracuda 7200.10 80 GB
ST380215A ATA Device 18.6 GB
Western Digital "My Book" external hard drive 750 GB
Cooling
Fan based
Keyboard
Microsoft Comfort Curve Keyboard 2000 v10 USB
Mouse
Logitec optic USB
Internet Speed
3.01 Mb/s download 0.64 Mb/s upload
Re-scanned the whole system and everything seems clean... except 1 TROJAN.ROOTKIT/GEN.PROCESS. Any way I can get rid of this? Don't want to reinstall!! Thanks. Oh... and I just thought of something... his O.S. is XP Home. Sorry for posting it here.

A rootkit is not trivial. Let's see if we can see what is happening.

Download DDS and save it to your desktop from here.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

-----------------------------------------------------

Please include the following logs in your thread:

  • Contents of the DDS.txt posted as text in your reply
  • Post a copy of the Attach.txt to your post as well. It may be necessary to create a second reply if the Attach.txt is lengthy.
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
http://www.rootkiton...om/rootkit.html


Definition
Rootkit can be defined as a group of utilities that hackers can manipulate to keep access into a computer system once they have hacked into it. It gives them admission rights to find out usernames and passwords, allow strike against remote systems, remain hidden by erasing history from the system logs, and overabundance of various surreptitious tools.

Root Kit, RAT, Remote Access Trojan

Rootkit is a combination of two words, “root” and “kit”. Root means supreme or omnipotent, “Administrator” of the Linux and Unix operating systems. Kit means a group of programs or utilities providing access to a user to retain a constant root-level contact to a terminal. A presence of rootkit should remain untraceable
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks. Here are the logs:
 

Thanks for the logs, bonkers72. I'm going to paste them here as it is much easier to see what is going on.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mat at 15:38:50.95 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1623 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mat\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Sfedulofos] rundll32.exe "c:\windows\iduvokoxaxeda.dll",Startup
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-10 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-10 56816]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

=============== Created Last 30 ================

2010-05-18 00:12:18 10752 ----a-w- c:\windows\DCEBoot.exe
2010-05-09 07:05:47 120 ----a-w- c:\windows\Hpenetogum.dat
2010-05-09 07:05:47 0 ----a-w- c:\windows\Wpokijumaf.bin
2010-05-09 07:04:55 755200 ----a-w- c:\windows\system32\drivers\evpqk.sys
2010-05-09 07:04:48 20864 -c--a-w- c:\windows\system32\dllcache\ipinip.sys
2010-05-09 07:04:48 20864 ----a-w- c:\windows\system32\drivers\ipinip.sys
2010-05-09 07:04:42 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-09 07:04:42 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-09 07:04:33 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-09 07:04:33 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-09 07:04:32 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2010-05-09 07:04:32 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-05-09 07:04:00 20 ----a-w- c:\docume~1\mat\applic~1\qvjsge.dat

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 15:39:08.18 ===============
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
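Reading a DDS.txt like the one above is done by eye; as an added example (not part of the thread and not DDS's own code), the Python below parses two of its sections from an excerpt of the pasted log and applies two analyst heuristics. Both heuristics are assumptions of this example, not verdicts: an autorun entry that starts rundll32.exe on a DLL sitting directly in the Windows root, and a recently created file that is either in the Windows root or a driver in system32\drivers with no matching dllcache copy (a Windows File Protection restore writes the dllcache copy alongside the driver, as the ipinip.sys pair in the log shows). A flag is a prompt to examine the file, not proof that it is malicious.

```python
import re

# Excerpt of the DDS.txt pasted in this thread, trimmed to the two sections the
# triage below looks at. Section headers and line layout are as DDS prints them.
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Sfedulofos] rundll32.exe "c:\windows\iduvokoxaxeda.dll",Startup

=============== Created Last 30 ================

2010-05-18 00:12:18 10752 ----a-w- c:\windows\DCEBoot.exe
2010-05-09 07:05:47 120 ----a-w- c:\windows\Hpenetogum.dat
2010-05-09 07:04:55 755200 ----a-w- c:\windows\system32\drivers\evpqk.sys
2010-05-09 07:04:48 20864 -c--a-w- c:\windows\system32\dllcache\ipinip.sys
2010-05-09 07:04:48 20864 ----a-w- c:\windows\system32\drivers\ipinip.sys

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
AUTORUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CREATED_RE = re.compile(r"^(?P<date>\S+ \S+)\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# A DLL directly under c:\windows\ (no further subdirectory), as seen in a command line.
WINROOT_DLL_RE = re.compile(r'c:\\windows\\[^\\"]+\.dll')
# Any file directly under c:\windows\.
WINROOT_FILE_RE = re.compile(r"c:\\windows\\[^\\]+")


def split_sections(text):
    """Map each '=== Name ===' header in a DDS log to its non-blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def suspicious_autoruns(lines):
    """Names of uRun/mRun entries that use rundll32.exe to load a DLL from the Windows root."""
    hits = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m and "rundll32" in m["cmd"].lower() and WINROOT_DLL_RE.search(m["cmd"].lower()):
            hits.append(m["name"])
    return hits


def suspicious_new_files(lines):
    """Recently created files in the Windows root, plus new drivers without a dllcache twin."""
    entries = [m.groupdict() for m in map(CREATED_RE.match, lines) if m]
    cache_names = {
        e["path"].lower().rsplit("\\", 1)[-1]
        for e in entries if "\\dllcache\\" in e["path"].lower()
    }
    hits = []
    for e in entries:
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        in_root = WINROOT_FILE_RE.fullmatch(path) is not None
        orphan_driver = "\\drivers\\" in path and name not in cache_names
        if in_root or orphan_driver:
            hits.append(e["path"])
    return hits


def triage(text):
    """Run both heuristics over a DDS log and return the flagged items by category."""
    sections = split_sections(text)
    return {
        "autoruns": suspicious_autoruns(sections.get("Pseudo HJT Report", [])),
        "new_files": suspicious_new_files(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for kind, items in triage(DDS_EXCERPT).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the full DDS.txt, the same two functions would also surface Wpokijumaf.bin from the Windows root; the excerpt leaves it out only to stay short. The 755200-byte driver created in the same minute as several Windows File Protection restores is the kind of entry a helper would ask to have uploaded for analysis before deciding between a clean-up and the reinstall the ISP recommended.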
DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/10/2009 11:22:33 AM
System Uptime: 5/19/2010 3:33:52 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | G41M-ES2L
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 596 GiB total, 549.19 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP120: 2/17/2010 5:06:26 PM - System Checkpoint
RP121: 2/19/2010 1:44:49 PM - System Checkpoint
RP122: 2/20/2010 1:51:18 PM - System Checkpoint
RP123: 2/21/2010 2:47:22 PM - System Checkpoint
RP124: 2/22/2010 3:05:01 PM - System Checkpoint
RP125: 2/23/2010 3:27:16 PM - System Checkpoint
RP126: 2/23/2010 5:46:34 PM - Installed Windows Internet Explorer 8.
RP127: 2/23/2010 5:47:27 PM - Software Distribution Service 3.0
RP128: 2/24/2010 7:01:02 PM - System Checkpoint
RP129: 2/25/2010 12:10:53 AM - Software Distribution Service 3.0
RP130: 2/26/2010 11:06:49 AM - System Checkpoint
RP131: 2/27/2010 11:43:29 AM - System Checkpoint
RP132: 2/28/2010 1:51:26 PM - System Checkpoint
RP133: 3/1/2010 3:01:52 PM - System Checkpoint
RP134: 3/2/2010 3:40:53 PM - System Checkpoint
RP135: 3/3/2010 4:13:02 PM - System Checkpoint
RP136: 3/4/2010 4:39:18 PM - System Checkpoint
RP137: 3/5/2010 8:37:08 PM - System Checkpoint
RP138: 3/6/2010 8:49:39 PM - System Checkpoint
RP139: 3/7/2010 9:34:03 PM - System Checkpoint
RP140: 3/8/2010 10:21:39 PM - System Checkpoint
RP141: 3/9/2010 10:23:38 PM - System Checkpoint
RP142: 3/10/2010 4:46:31 PM - Software Distribution Service 3.0
RP143: 3/10/2010 5:06:38 PM - Software Distribution Service 3.0
RP144: 3/11/2010 5:28:37 PM - System Checkpoint
RP145: 3/12/2010 10:41:22 PM - System Checkpoint
RP146: 3/14/2010 12:24:02 PM - System Checkpoint
RP147: 3/15/2010 12:47:18 PM - System Checkpoint
RP148: 3/16/2010 2:38:19 PM - System Checkpoint
RP149: 3/17/2010 3:17:44 PM - System Checkpoint
RP150: 3/18/2010 3:59:10 PM - System Checkpoint
RP151: 3/19/2010 6:00:26 PM - System Checkpoint
RP152: 3/20/2010 7:37:06 PM - System Checkpoint
RP153: 3/21/2010 7:51:14 PM - System Checkpoint
RP154: 3/23/2010 2:48:25 PM - System Checkpoint
RP155: 3/24/2010 9:42:58 PM - System Checkpoint
RP156: 3/26/2010 12:25:11 PM - System Checkpoint
RP157: 3/27/2010 1:00:15 PM - System Checkpoint
RP158: 3/28/2010 1:37:35 PM - System Checkpoint
RP159: 3/29/2010 2:11:08 PM - System Checkpoint
RP160: 3/30/2010 4:29:59 PM - System Checkpoint
RP161: 3/31/2010 4:38:11 PM - System Checkpoint
RP162: 4/1/2010 4:58:28 PM - System Checkpoint
RP163: 4/3/2010 1:18:41 PM - System Checkpoint
RP164: 4/3/2010 4:11:15 PM - Software Distribution Service 3.0
RP165: 4/3/2010 4:38:11 PM - Installed Java(TM) 6 Update 19
RP166: 4/4/2010 4:42:23 PM - System Checkpoint
RP167: 4/5/2010 4:45:43 PM - System Checkpoint
RP168: 4/6/2010 4:49:53 PM - System Checkpoint
RP169: 4/7/2010 5:47:28 PM - System Checkpoint
RP170: 4/8/2010 6:03:40 PM - System Checkpoint
RP171: 4/9/2010 6:20:28 PM - System Checkpoint
RP172: 4/10/2010 9:03:02 PM - System Checkpoint
RP173: 4/11/2010 10:34:59 PM - System Checkpoint
RP174: 4/12/2010 10:37:50 PM - System Checkpoint
RP175: 4/13/2010 9:06:23 PM - Software Distribution Service 3.0
RP176: 4/15/2010 12:02:39 PM - System Checkpoint
RP177: 4/16/2010 1:08:27 PM - System Checkpoint
RP178: 4/17/2010 2:13:42 PM - System Checkpoint
RP179: 4/18/2010 2:30:00 PM - System Checkpoint
RP180: 4/19/2010 3:23:59 PM - System Checkpoint
RP181: 4/20/2010 3:30:38 PM - System Checkpoint
RP182: 4/21/2010 3:39:41 PM - System Checkpoint
RP183: 4/22/2010 4:04:29 PM - System Checkpoint
RP184: 4/23/2010 4:40:01 PM - System Checkpoint
RP185: 4/24/2010 5:47:39 PM - System Checkpoint
RP186: 4/25/2010 9:09:36 PM - System Checkpoint
RP187: 4/27/2010 12:50:04 PM - System Checkpoint
RP188: 4/28/2010 2:51:15 PM - System Checkpoint
RP189: 4/29/2010 3:50:36 PM - System Checkpoint
RP190: 4/30/2010 5:12:59 PM - System Checkpoint
RP191: 5/1/2010 6:31:55 PM - System Checkpoint
RP192: 5/2/2010 7:12:28 PM - System Checkpoint
RP193: 5/3/2010 7:55:23 PM - System Checkpoint
RP194: 5/5/2010 3:12:34 PM - System Checkpoint
RP195: 5/6/2010 4:41:07 PM - System Checkpoint
RP196: 5/7/2010 8:56:52 PM - System Checkpoint
RP197: 5/8/2010 9:12:28 PM - System Checkpoint
RP198: 5/10/2010 9:29:10 AM - System Checkpoint
RP199: 5/11/2010 12:50:49 PM - System Checkpoint
RP200: 5/12/2010 3:48:04 PM - System Checkpoint
RP201: 5/13/2010 4:10:59 PM - System Checkpoint
RP202: 5/14/2010 4:23:56 PM - System Checkpoint
RP203: 5/15/2010 4:42:44 PM - System Checkpoint
RP204: 5/16/2010 5:49:07 PM - System Checkpoint
RP205: 5/16/2010 10:07:30 PM - Software Distribution Service 3.0
RP206: 5/18/2010 2:09:33 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
AOL Instant Messenger
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Display Driver
Auslogics BoostSpeed
Avira AntiVir Personal - Free Antivirus
Bonjour
Browser Configuration Utility
CCleaner
CleanUp!
DirMS-S
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Ghosthunter release 5.3.0.5 Beta
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
iTunes
Java Auto Updater
Java(TM) 6 Update 19
LimeWire 5.3.6
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Nero PhotoShow Express
Nero Suite
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SpywareBlaster 4.3
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
WeatherBug
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinZip 12.0
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

5/17/2010 8:27:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip WS2IFSL
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:26:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/17/2010 8:26:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

==== End Of File ===========================
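The Service Control Manager entries in the Event Viewer section above are the most useful part of this log for a helper: one 7026 event lists every boot-start driver that failed to load, and each 7001 event names a service that could not start because it depends on one of them. The following Python script is an added example, not part of the original thread or of DDS, ComboFix or any other tool named in it. It parses lines in exactly the format shown above (the sample is copied from the log) and reports which drivers failed, which of them belong to the Windows networking stack, and which services failed in cascade. The set of driver names treated as "core networking" is my own assumption; the parsing handles only the two message shapes that appear in this log.

```python
import re

# Sample input: Service Control Manager / DCOM lines copied from the DDS log above.
SAMPLE_LOG = """\
5/17/2010 8:27:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip WS2IFSL
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:27:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2010 8:26:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
"""

# Assumption (mine): these driver service names make up the Windows networking stack and
# network redirector; if several of them fail at once, every TCP/IP-dependent service is down.
CORE_NETWORK_DRIVERS = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "WS2IFSL", "MRxSmb", "Rdbss"}

# "<timestamp>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(r"^(?P<ts>.+?), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$")
# Tail of the 7026 message: a whitespace-separated list of driver service names.
DRIVERS_RE = re.compile(r"failed to load: (?P<drivers>.+)$")
# 7001 message: "<service> depends on the <dependency> service which failed ... error: <text>"
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service "
    r"which failed to start because of the following error: (?P<err>.*)$"
)


def parse_events(text):
    """Split the DDS Event Viewer section into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_drivers(events):
    """Driver service names from every SCM 7026 event (boot-start drivers that did not load)."""
    drivers = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == "7026":
            m = DRIVERS_RE.search(e["msg"])
            if m:
                drivers.update(m.group("drivers").split())
    return drivers


def dependency_failures(events):
    """(service, dependency, error) for every SCM 7001 event, i.e. the cascade of failed services."""
    pairs = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == "7001":
            m = DEP_RE.match(e["msg"])
            if m:
                pairs.append((m.group("svc"), m.group("dep"), m.group("err")))
    return pairs


def assess(text):
    """Summarise the log: which drivers failed, how many are core networking, what cascaded."""
    events = parse_events(text)
    drivers = failed_drivers(events)
    core_down = sorted(d for d in drivers if d in CORE_NETWORK_DRIVERS)
    deps = dependency_failures(events)
    return {
        "failed_drivers": sorted(drivers),
        "core_network_drivers_down": core_down,
        "cascaded_services": [svc for svc, _, _ in deps],
        "distinct_errors": sorted({err for _, _, err in deps}),
        "networking_broken": bool(core_down),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the lines above it reports that 16 drivers failed, 8 of them core networking drivers, that the DHCP, DNS and NetBIOS helper services failed only because those drivers did, and that every cascade carries the same error text. That pattern, many unrelated drivers failing together at one timestamp with one error, is a driver-configuration or driver-file problem rather than a single vendor driver misbehaving, which is the kind of fact worth establishing before any further removal tool is run on a machine that later will not boot.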
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
Hi, bonkers72.

Although our recommendation was -- and remains -- a clean install of the Operating System, you indicated you wanted to avoid a reinstall.

P2P WARNING

Going over your logs I noticed that your son has Limewire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if he continues to use P2P programs, he will get infected again.

I would recommend that you uninstall Limewire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2


!!! IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. (Note: If you use AVG, you must also open the AVG 8 Control Center by right-clicking on the AVG 8 icon on the task bar.
    • Click on Tools.
    • Select Advanced Settings.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, deselect the option to "Enable Resident Shield."
    • To re-enable AVG 8, please select "Enable Resident Shield" again.)
  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    CF_RC1.png
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    CF_RC2.png
  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please copy/paste a copy of C:\ComboFix.txt in your next reply.
 

Well, I was actually dealing with someone from Techsupportguy as well. He told me to do everything you did EXCEPT to run the GMER ROOTKIT scanner. I ran it in safe mode. Ran OK. Now I tried to reboot in normal mode and it won't boot. In safe OR normal mode. Gets to the screen Verifying DMI pool data..... then stays blank. Any help on this? Sorry. Thanks.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Win 7 Premium 64 Bit
CPU
2.67 gigahertz Intel Core2 Duo
Motherboard
Gigabyte EP45-UD3R
Memory
8192 Megabytes (8 gig) Crucial BallistiX
Graphics Card(s)
NVIDIA GeForce 6600
Sound Card
Integrated Realtek High Definition Audio
Monitor(s) Displays
BenQ FP93GX
Screen Resolution
1280 x 1024
Hard Drives
WDC WD6401AALS-00L3B2 640 gig (Internal)
PSU
Corsair TX 750W
Case
Cooler Master
Cooling
Stock case fan / Intel Processor fan
Keyboard
Wireless Logitec
Mouse
Wireless Logitec 505
Internet Speed
U 9.01 / D 1.4
Antivirus
Avast!
Browser
Internet Explorer 10
Other Info
PLEXTOR DVDR PX-880SA ATA Device [Optical drive] x2
Accent Acoustics speakers w/sub.
BIOS: Award Software International, Inc. F9 04/16/2009
Hi, bonkers72.

You should have told us you were getting help from TSG. Getting/following instructions from multiple sources not only takes the time of multiple people, it can also result in conflicting instructions.

As we already recommended a reinstall, I suggest you consider the instructions at Clark76 Blog Archive Saving files on a corrupt OS which will walk you through the steps necessary to save any files from your son's computer and then reinstall the OS.

That said, you should wait to see what RPMcMurphy advises in reply to your last post at Trojan.rootkit/gen.process - Tech Support Guy Forums.
 

bonkers72, Corrine and I are both familiar with TSG, so if you started a topic there, you should stay with the advisor who is already helping you.

Edit >>> cross post :p
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Ok... thank you for the time and effort you have put forth on this. B-72 :)
 
