SPAM sent from laptop??

Discussion in 'Malware Help (A Specialist Will Reply)' started by rpole, Feb 21, 2010.

  1. rpole

    rpole Private E-2

    I'm hoping you guys will be able to help, as a 'tech' wasn't able to solve the issue. I will give as much background on the problem as I can, but this is my mother's laptop. She knows very little about computers but likes to 'click', that's for sure. She wants to open everything to see what it is, especially email, even after I've tried to warn her.

    Anyway, the reason for this thread is her ISP has shut down her service several times now because of spam 'being sent from her computer'. I guess her ISP has gotten lots of complaints so they shut her down; this in turn also shuts down her phone. The first time was w/o warning and she had no idea she didn't have a phone. I don't know all that was said and I don't know exactly what they are talking about. Spam being sent from her laptop? From her account? Stuff going around with her name on it, or what? I do know she's done everything she can to fix the problem. She worked with her ISP; that didn't help. She then took her laptop in to have a technician work on it. I don't know what he did other than supposedly clean the laptop and have new AV installed. I don't believe she has a firewall on this machine, as the technician told her the hardware firewall on her router is better and all she needs. There doesn't seem to be any outright sign of malware from working on this laptop.

    It looks like the technician ran mbam since there are logs already. Not sure what else he did. I believe he did tell her if she was still having issues she'd be better off having her drive wiped and the OS reinstalled. I'm hoping we don't have to go there.

    All steps of Read and Run Me done without issue (first time with Vista). Nothing was found in the first few scans, then one item was found with mbam, zmaogrds.sys, and it said deleted successfully. But then Combo said it failed to delete zmaogrds.sys? All logs attached; rrlog was too big to be attached so I zipped it.

    The only other thing: I went through and tried removing a few things I know she doesn't need. There's so much junk w/ Vista I'm not sure about most, so I didn't mess with it. But I do know she doesn't need any of the Earthlink stuff that's on here; that was her old ISP. When I tried to uninstall stuff it wouldn't let me. It says a TotalAccess program is running and needs to be closed first. I tried to manually close it and that didn't work either.

    ...and I already told her when she gets this back she needs to have her memory upgraded.

    I believe that is it, any help and explanation of what is going on if known is greatly appreciated!!!

    Thanks.

  2. rpole

    rpole Private E-2

    last log.

    Thanks again.

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Malware detected in email databases has to be cleaned up by you. You have a few choices:

    1. delete the whole file which is not an option you normally want to use
    2. load the email folder that contains the infection and delete ALL unnecessary emails (hoping to remove the problem email) and then use the Mailbox Cleanup option to delete all old emails. Then compact the Outlook database to permanently remove data. See http://support.microsoft.com/kb/196990 If you do not clean up and compact the databases, the deleted emails may still be leaving hidden information in the database that you just cannot see but a scanner may still pick up on it.
    3. create a new folder and move only emails you really need into the new folder and then delete the infected folder.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. rpole

    rpole Private E-2

    Thanks for the quick response Tim! And forgive me in advance for my ignorance. It's even tougher kind of being the middle man when I haven't talked to her ISP people and she just doesn't know anything about computers (not that I know that much either).

    First, thanks for the help w/ the Earthlink stuff. I will get back to working on her machine tomorrow.

    2nd, if her router has a decent firewall, is that all she needs, or should she have a software firewall?

    Lastly, this is where I'm confused. I apologize and I'll try not to be long winded but probably will be. I just talked to her and she said her ISP said it's not coming from her email??????????? I asked her how she is responsible then. Where is it coming from and how is she liable? She didn't know and didn't think to ask; she really has no idea and left it to her ISP and her 'technician'. If it's not coming from her email, yet they're getting complaints about spam and shutting down her access, what else could it be?

    To your reply: you say to load the folder that contains the infection. How do I know which folder that is? Do I right click and scan? The rest I believe I can follow and hopefully take care of this.

    I am going to call her ISP tomorrow and get more info to try to find out what is going on or at least try to get a better understanding.

    Oh, one last thing: her ISP or the technician said that wiping her hard drive clean and reinstalling may not take care of the issue. If that's the case, is it really her issue? I understand it's her account, but could it be something that is on one of her ISP's servers?

    Again, I apologize for the ignorance and I don't mean to waste your time; I just have no clue how all this works.

    thanks so much!!
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If there is something sending out of her machine, then yes you definitely need a software firewall so that you are alerted as to what is trying to access the web. Malware can be using her email addresses to send out junk!

    That just means to open her email program to the inbox and delete anything that could be malware....links, etc. Or create a new folder and move known good emails to it, and then delete the old folder.

    It would most certainly take care of the issue, but only as long as you didn't save infected items and then install them back onto the clean system.


    I suggest you install a firewall now, check what it reports and see if something you don't know is trying to access the web.

    • PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and Threatfire free edition. There is no sense in installing excess baggage.
    Attach the new logs when you can.
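    As an added example (not part of this thread, and not a PC Tools feature), here is one way to see directly what the firewall advice above is after: which process on the machine has open connections to mail-submission ports. A real mail client showing up here is expected; an unfamiliar executable path is what you would look into. It assumes a modern Windows with Get-NetTCPConnection (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt; on Vista the equivalent information comes from "netstat -ano".

```powershell
# Added example: map established outbound SMTP connections to their owning process.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated
# prompt so that process paths are readable.
$smtpPorts = 25, 465, 587   # plain SMTP, SMTPS, submission

function Get-OutboundSmtpSenders {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $smtpPorts -contains $_.RemotePort } |
        ForEach-Object {
            # Resolve the PID to a process; it may have exited already.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Path          = if ($proc -and $proc.Path) { $proc.Path } else { '(unknown)' }
            }
        }
}

# Print the table; an empty result means nothing is talking SMTP right now,
# so re-run it a few times or leave it in a loop while the machine idles.
Get-OutboundSmtpSenders | Format-Table -AutoSize
```

    Run it while the laptop sits idle with no mail client open; anything that still appears is worth checking against the firewall's application list.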
     
  6. rpole

    rpole Private E-2

    It's redundant but THANKS for the help Tim.

    It got a little more 'interesting' today. When I got home from work and turned on our home PC and tried to connect to the net, I got a screen from my ISP stating (wish I would have written it down) basically that I'm abusing/violating their email policies. They noted that they understand it's usually a virus or something but made me click on a link stating I will work on resolving the issue before they would reinstate my connection. It also said I would receive an email with more info but I didn't. I wish I would have, because it may have given me a little more info. So now I'm afraid to even try to do anything w/ her PC until I talk to someone. My mom spoke with someone specifically many times; I'd like to talk to that person. Of course when I called this evening no one at all was available.

    Just wanted to update what was going on. I'm going to try some more tonight, but if not I'll talk to someone tomorrow during the day and hopefully make some progress.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As I stated, download ( even if you need to use a different computer ) the firewall and install it. See what that does. You should continue to try to get them to tell you what is being sent. It has to be in your email program. Have you cleaned that out?

    I still would like to see the new logs.
     
  8. rpole

    rpole Private E-2

    UGH!!!!! Here's the not so good update. I talked to a guy at her ISP (which is also our ISP); he was nice but not real helpful. Basically it's just something sending emails from her PC w/ a fake email address on it. It's for Pfiserv sp? Viagra or something like that. Go figure! He was going to send me a sample or whatever but I haven't gotten anything.

    I haven't made it as far as trying to look at/clean her email. After I talked to him to be sure our service wouldn't be shut down again, I got on her PC and downloaded the firewall. I didn't know where to put it so I was just going to put it on C:, but it said I didn't have permission to save it there. It ended up in a Documents and Settings folder I believe. I got that up and running and unfortunately it's not telling me much. I'm not sure exactly what to set settings at. There is stuff being sent out but I don't know enough to decipher everything.

    Anyway, that's not where the headaches began. I then downloaded Avenger, extracted and followed your instructions. (Damn it! Missed the CCleaner and MGtools steps. Had an issue w/ Avenger, kids buzzing in my ear w/ homework help and then all kinds of issues w/ the laptop. I will try to run them in a little bit.)

    First w/ Avenger: after it started it popped up an error stating invalid registry syntax in command HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | E6TaskPanel .... skipping line (registry value deletion mode). I clicked to continue and it finished and asked to reboot. I rebooted and it said there was an error at start up, 'system unable to start up' or something similar. There was some start up repair thing going on; it took a long time, then asked if I wanted to go to a restore point. Maybe I should have but I didn't. It continued to search for a repair but took forever and did nothing but show the line going across the screen as if it was scanning or whatever. I tried to cancel and it said I couldn't. I let this run for a long time then just shut down the PC. Started back up and chose normal start, not repair mode. That time it said Windows Explorer was not responding and locked, but it did pop up the Avenger log. Then I got a message saying Windows was not responding. I shut down several times since; it 'seems' most things are working now but I have no internet connection at all. I've tried safe mode, I've tried shutting down the firewall, I've tried Firefox, IE, etc. Nothing. In Firefox it literally does nothing. When it opens there's nothing in the addy. When I type something in and try to go there, it's a nano-second and says 'done' at the bottom but does absolutely nothing. The wireless connection says I'm connected.

    I copied the avenger.txt file to a disk and will post it here from our home PC. After I did that and removed the disk from her laptop, Windows Explorer froze big time. Waited forever, nothing; tried to end task and nothing, so I just shut down again.

    I will try CCleaner and MGtools and see what happens. Here's the Avenger log.

    Sorry this is going backwards!!!

  9. rpole

    rpole Private E-2

    Here's the log from MGtools.

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    PCTools Firewall should have installed itself in the Programs folder. And just who is the ISP these days? You still have these on your computer under add/remove programs:
    EarthLink Accelerator
    EarthLink FastLane
    EarthLink MailBox
    EarthLink Wireless High Speed
    and on your desktop:
    C:\Users\dorothy\Desktop\Earthlink Web Mail.url --> what is her mail program these days?

    I also do not know if your internet access has been shut off by your ISP or if the connection needs to be repaired. You can try opening SAS / preferences / repairs and scroll down to repair broken internet connection to see if that helps.

    You also need to remove all of her emails if you do not know which one is infected. Otherwise it will keep trying to send spam through your system.

    Let's do this again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. rpole

    rpole Private E-2

    Hey Tim, sorry but I haven't had a lot of time to work on my mom's laptop. Unfortunately not making a lot of progress.

    I'm not seeing anything now in add/remove programs ('programs and features' in Vista?) for any Earthlink stuff. Earthlink used to be her ISP and email service. She now has (as do I) Time Warner Cable RoadRunner. Her email is through them also. She uses the RoadRunner Webmail url shortcut on her desktop; she does not use Outlook.

    I haven't removed any of her emails as I can't get into her email since I have no connection with her laptop. I tried the SAS repair but that didn't do anything. I still have the same issue: IE says it can't connect and Firefox just does nothing, it's just blank. Blank addy, blank body; if I type in an addy nothing happens.

    Our access has not been shut off; my home PC (that I'm on now) has no connection issues. I'm connecting wirelessly w/ hers, it tells me I'm connected but then nothing. I'm going to play w/ that more after I submit this.

    I ran Avenger again w/ the text you supplied and got the same error that is noted in the log (along with folders instead of files notes?). That popped up right away; I continued instead of aborted. Then rebooted and ran GetLogs.

    Here are the logs.

    And again, thanks for any and all help!!

  12. rpole

    rpole Private E-2

    One more thing about the internet connection. When I unplug my connection from my laptop and plug it into my mom's, there's no orange light?? This may be a real dumb observation, I have no clue. But when it's connected to my laptop it's lit up. The other connection to my desktop is lit up. When connected to hers, nothing??
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will need to disable her wireless connection and then when you plug in directly, make sure her wired connection is enabled.

    She must have a mail program installed on the computer to which she downloaded her mail. That program should come up in your warning box with PCTools firewall whenever it tries to access the internet. You can check those settings within the firewall program. Have it ask rather than be set to allow.

    Please use windows explorer to find C:\Users\dorothy\AppData\Local\temp\Low --> tell me what is in that folder.

    Now use windows explorer to find and delete
    C:\Users\dorothy\Desktop\settings.dat
    C:\Users\dorothy\AppData\Local\temp\MAR3C15.tmp
    C:\Users\dorothy\AppData\Local\temp\mar5447.tmp
    C:\Users\dorothy\AppData\Local\temp\marcabd.tmp

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Given that it is still trying to connect to earthlink, I suggest you check your set up.
     
  14. rpole

    rpole Private E-2

    I'll look into disabling the wireless and enabling wired. Not sure where to go but will find it. I will also try to find her mail program.

    C:\Users\dorothy\AppData\Local\temp\Low .... it says the folder is empty.

    I deleted those 4 files but there is also one ....
    C:\Users\dorothy\AppData\Local\temp\MAR532E.tmp .... that says it was updated today. Should I delete that also?

    I ran analyse.exe and got this message...

    "HijackThis cannot repoar O10 Windsock LSP entries.
    You should use LSPFix for that which is available from http://www.cexx.org/lspfix.htm

    If the O10 item belongs to WebHancer, New.Net or CommonName,
    Spybot S&D can remove it automatically. "

    I got a success message for fixME.reg.

    What setup should I be checking? I haven't done anything else other than the instructions on your last post. I will be looking into the other things to see if I can find anything throughout the day and will update here later.

    Thanks.

    Rob
     
  15. rpole

    rpole Private E-2

    Quick update, taking a break as I'm making no progress.

    In c/users/dorothy/AppData/Roaming there is an earthlink folder. I tried to delete it but it said I needed permission. I'm also getting access denied to c/documents and settings?

    Everything I'm seeing says I'm connected, from the PC to the router and the router to the net. This after disabling the wireless. Yet no light on the cable and no access?

    I can find nothing mail related on her laptop except for Windows Mail, which is not the default. Yet in the 'set defaults' app, that is the only thing that shows up as a choice? Sorry for being such an idiot with this stuff. Wish I had more to offer but not coming up with anything.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and run LSPFix.

    The set up I was referring to was PCTools. You should look to see what programs have full permission to access the internet. Your email program may be in that list. If so ( I am working from memory, so bear with me ) then you should not let it be automatic, make it tell you when it is trying to send mail. (You may want to post in the software forum for specific settings for that program).
     
  17. rpole

    rpole Private E-2

    Ok, I'll try the LSPfix.

    On the firewall application list the only mail listing is Windows Mail and it's set to ask. Although none of that matters until I can actually get connected w/ the laptop. :banghead:banghead:banghead:

    As I was going through more stuff in Windows Explorer, a lot of folders are telling me I don't have access under c/users/dororth...local settings, My Documents, start menu.....
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some things you do not have access to in Vista. And your system cannot be sending email from that computer if there is no email account created in Windows Mail. I am unsure of your issues at this point and may suggest that you pursue them in the software forum.

    Your networking issues should be pursued in the networking forum, if running lspfix does not work and you cannot repair the connection using SAS.

    I am wondering if maybe your wireless card is bad. But connecting wired should work.
     
  19. rpole

    rpole Private E-2

    I ran LSPFix on her machine and it says

    Winsock 2 Registry key
    (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters) is missing or could not be accessed.

    If using Windows NT/2000/XP, please make sure you are logged in as Administrator and try again.

    If you are still receiving this message as Administrator, it may be necessary to re-install Winsock 2.

    ....after typing all that I remembered several instructions here for Vista. I tried again and right clicked and ran as Administrator. It renumbered several things and removed one. I restarted and what do ya know, I have internet access again!! :celebrate
     
  20. rpole

    rpole Private E-2

    Now that I have access I'm going to try her webmail url shortcut and see where that takes me. I won't bother you anymore unless I can come up with something useful. Thanks for all the help. I do wish I could get rid of the earthlink folders.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.
     