ISP said they're shutting me off!

MyOwnDemon

Jan 28, 2007
www.sitestomp.com
Okay, so last week I made that thread about my internet running slow. I had a tech come out here, they found no problems. Today I got a letter from my ISP saying

"... we have received complaints of unacceptable use from your high speed data service from your IP address. This activity has been investigated and logged..." etc, etc

So I called them up and they told me if it doesn't stop, they will cut my service off.

So I followed their instructions and used the programs they recommended and of course, no scan is showing anything! I am banging my head against my desk. I have no idea. Before I do a full reformat, here's the HijackThis log. If anyone has any clues, please let me know. I'd like to avoid a full reformat if possible.

------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:31 PM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Laptops, Desktop Computers, Monitors, Printers & PC Accessories
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Dell Laptops, Desktop Computers, Monitors, Printers & PC Accessories
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5730 bytes

-----------
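Before anyone hand-reads a HijackThis log, it helps to have the machine do the first pass. The following is an added example (not part of the original post, and not a HijackThis feature): it parses the v2 line format shown above and flags the three things an analyst looks for first, a `(file missing)` entry, an O23 service with "Unknown owner" in place of a vendor string, and an image path outside the Windows and Program Files trees or truncated to a bare directory. The sample input copies lines from the log above; the `Fakesvc` service line is a hypothetical entry added to show a service started from a user profile directory, and `TRUSTED_ROOTS` is an assumption about where legitimate images live on this box.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: entries copied from the HijackThis v2 log above, plus one
# hypothetical 'Fakesvc' service (not on the page) that shows what a service
# started from a user-profile directory looks like in this format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Fakesvc - Unknown owner - C:\Documents and Settings\User\Application Data\svc.exe
"""

# "Oxx - <body>" / "Rx - <body>"; the section code tells us how to read the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display name> - <vendor string or 'Unknown owner'> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption: autostart and service images are expected under these trees;
# PROGRA~1 is the 8.3 short name HijackThis prints for some Program Files entries.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O23"
    reason: str
    line: str    # the original log line, for the analyst


def image_path(kind: str, body: str) -> Optional[str]:
    """Pull the executable/DLL path out of an O4, O20 or O23 body; None for other sections."""
    if kind == "O4":
        # O4 - HKLM\..\Run: [value name] <command line>
        if "] " not in body:
            return None
        cmd = body.split("] ", 1)[1]
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]   # quoted path: drop the arguments after it
        return cmd                            # unquoted: arguments, if any, stay attached
    if kind == "O20":
        return body.rsplit(" - ", 1)[-1]
    if kind == "O23":
        m = SERVICE_RE.match(body)
        return m.group("path") if m else None
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                          # header, process list and blank lines
        kind, body = m.group("kind"), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding(kind, "dangling entry: target file is missing", raw))
        if kind == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group("owner") == "Unknown owner":
                findings.append(Finding(kind, "service has no vendor string", raw))
        path = image_path(kind, body)
        if path is None:
            continue
        p = path.lower()
        if not p.startswith(TRUSTED_ROOTS):
            findings.append(Finding(kind, "image outside the Windows and Program Files trees", raw))
        if p.endswith("\\"):
            findings.append(Finding(kind, "path truncated to a directory: confirm the real ImagePath", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Against the sample it raises six findings: the dangling BitComet button, the two "Unknown owner" services from the real log (BITS with its truncated path, and ProtexisLicensing), and the hypothetical Fakesvc twice. "Unknown owner" on its own is a weak signal, as the real log shows for BITS and Automatic Updates, which are Microsoft services whose version info HijackThis simply failed to read; it becomes interesting when combined with an image path in a profile or temp directory, which is the Fakesvc case.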
 


More importantly, did they even tell you what kind of "bad things" you are being logged as doing? It's kind of crazy to think an ISP is just going to shut you down because of a simple virus or spyware. Someone could have a privately written backdoor sitting on your computer using it in a botnet or something. I would use Wireshark and take some reports to see what type of traffic and packets are coming in and out of your network.
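Looking at the capture for "what type of traffic" is the right instinct, and for the spam-mailer problem the ISP later describes there is one pattern worth testing for directly: a normal mail client talks to one or two mail servers, while a spam bot opens connections to many different servers on port 25 in a short time. The block below is an added example, not from the original thread or from Wireshark itself: it takes connection-attempt records in the shape a `tshark -T fields` export produces (epoch time, source, destination, destination port; the exact command is in the comment and is the author's assumption about how the data was exported), and reports any host whose distinct mail-server fan-out within a sliding window exceeds a threshold. The flows are constructed, using documentation address ranges, not a real capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

# One outbound TCP connection attempt (SYN without ACK). Assumed export command:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'epoch src dst dport' lines; skip anything malformed (non-TCP frames leave dport empty)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append(Flow(float(ts), src, dst, int(dport)))
    return flows


# Constructed sample, not a real capture. Host .7 checks one mail server on 587
# (normal client behaviour); host .5 opens connections to 30 different servers on
# port 25 inside 30 seconds, which is how a spam bot looks from the LAN side.
LEGIT_TEXT = """\
1247164800.10 192.168.1.7 198.51.100.10 587
1247164800.20 192.168.1.7 198.51.100.10 587
1247164801.50 192.168.1.7 198.51.100.20 443
1247164802.00 192.168.1.7 198.51.100.10 587
"""
BOT_FLOWS = [Flow(1247164800.0 + i, "192.168.1.5", f"203.0.113.{i + 1}", 25) for i in range(30)]
SAMPLE_FLOWS = parse_flows(LEGIT_TEXT) + BOT_FLOWS

MAIL_PORTS = {25, 465, 587}


def smtp_fanout(flows: List[Flow], window: float = 60.0, threshold: int = 20) -> Dict[str, int]:
    """For each source, the largest number of distinct mail servers contacted within
    any `window` seconds; only sources at or above `threshold` are returned."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in MAIL_PORTS:
            by_src[f.src].append(f)

    flagged: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        win: deque = deque()                     # flows inside the sliding window
        live: Dict[str, int] = defaultdict(int)  # dst -> flows to it still in the window
        peak = 0
        for f in fl:
            win.append(f)
            live[f.dst] += 1
            while f.ts - win[0].ts > window:     # evict flows that fell out of the window
                old = win.popleft()
                live[old.dst] -= 1
                if live[old.dst] == 0:
                    del live[old.dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, n in smtp_fanout(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct mail servers within 60s, consistent with a spam bot")
```

Run on the sample it flags only 192.168.1.5, with 30 distinct destinations. The threshold and window are tuning knobs: a mail server or a relay on the LAN legitimately fans out and needs an allow-list, and a bot that throttles itself to a handful of connections a minute slides under a 20-per-minute threshold, so a longer window (an hour) with a higher count catches it at the cost of slower detection.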
 
They sent me something similar when I downloaded a Wii game. It was totally my fault for not checking to see if it was a damn game haha.

I reformatted and went down to trade in my modem. It changed my IP address and now all my ads say "Grand Junction, Colorado" which is 2 states away haha.
 
I've seen something similar happen to some friends and it was some kind of bot running on their comp and the ISP shut them down temporarily till they cleaned their comps due to "security" concerns since it was sending out a bunch of shit.

I haven't looked at the other thread but I'm wondering if you have tried formatting already and if not then why not? Seems like some grimey shit.

How secure is your wireless network?

And have you spoken to the ISP about someone possibly spoofing your IP? I'm pretty sure it's very difficult but it can be done. This actually happened to me a long time ago and my internet was at a crawl. Got me a new ip and all was good. Should be easy to check too, disconnect your modem completely and they can watch and see if there's still a problem with that same IP.
 
Here's what i see:
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe (possibly your scanner's OneTouch, but it is running from the Common folder, which makes it possible spyware that happens to also be named Viewpoint).
C:\WINDOWS\system32\wscntfy.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
Dude! You have spyware up the ass and coming out your ears. Clear those through msconfig (disable those non-Windows-owned services listed above and clear them from your startup list) and run an antispyware program. A restore is not required because none of them are major and I don't see any actual viruses or replicating malware. It should be an easy cleanup in safe mode. Also, you have BitComet running with no PeerGuardian installed, so their complaint might be from Disney n shit about your torrenting (they've been emailing ISPs en masse lately).

If you want detailed instructions on how to get rid of the ones listed above, PM me and I'll be happy to help ya out. I normally write them out on all these computer help threads but no one ever listens to me.
 
Hey Eli, I uninstalled BitComet... I thought. My old roommate installed it on my computer like a year ago but I never use it.

Called again and my ISP said my IP is sending out spam email and some people have complained to them about it, which is why they sent the letter.

So, I'm guessing there's a backdoor mailer or something. Some of those services you quoted, I know what some of them are (like C:\WINDOWS\system32\PSIService.exe is the downloader for my graphics software), but some I don't.

Going to go into safe mode, scan again, and do what you said Eli. I really don't want to reformat my HD, but if it comes down to that, I guess I'll have to.
 
1st one is Broadcom, and so is the second.

3rd one is Apple's Bonjour. Nothing malicious there.

4th one is licensing most likely for a Corel application (like Corel Draw).

I can't be arsed to go through the rest...
 
I reformat like every three months...

/just sayin'

I make an image copy of my os after I've installed it and have installed all the important programs I use. I shrink the partition to just be big enough to hold what's on it then I make the copy.
Whenever I want a clean install I just format and copy the image files to the c drive partition. I disable system restore although I'm not sure if relying on system restore would be just as good(it might require a bit more disc space, though).
It's a pretty painless process(a lot easier than actually reinstalling) and gives you peace of mind.
I guess when you can reinstall without actually reinstalling it makes you biased towards giving advice like "just fucking reinstall".
 
No need to format, just uninstall the viruses you installed on there.
Look at the quote above.

Viewpoint comes with AIM btw.
 
Hey Eli, I uninstalled BitComet... I thought. My old roommate installed it on my computer like a year ago but I never use it.

Called again and my ISP said my IP is sending out spam email and some people have complained to them about it, which is why they sent the letter.

So, I'm guessing there's a backdoor mailer or something. Some of those services you quoted, I know what some of them are (like C:\WINDOWS\system32\PSIService.exe is the downloader for my graphics software), but some I don't.

Going to go into safe mode, scan again, and do what you said Eli. I really don't want to reformat my HD, but if it comes down to that, I guess I'll have to.

Yeah, bcmwltry.exe may also be a component of a wireless card. Try disabling it, and if it turns off your wireless then re-enable it. Do the same for the Viewpoint one and test to see if your OneTouch still works. Bonjour is one of those annoying companion programs; it'll also cause your browser to pull URLs you searched for but didn't click on. If PSIService.exe is for your video card, keep it, but definitely get rid of the GoToAssist. wscntfy.exe is a Windows Update process but is not needed if the Windows Update service is running. It's best to turn it off because several trojans use that filename to hide themselves, then put themselves in your startup registry.
 
Well, I did what Eli and everyone else said. Disabled all non-microsoft services via msconfig, rebooted in safe mode, and ran all the scans. Nothing came up.

I decided to try ZoneAlarm firewall/anti-spyware just for kicks, and whaddya know... right after I installed it, it popped up a warning that a program was trying to send emails! I clicked deny and that seemed to fix the problem. The lights on my router aren't going crazy anymore and the internet is faster.

Now, I am doing the full ZoneAlarm scan... which is probably going to take a couple hours. I'll see what it comes up with. In the meantime, I just have to figure out how to remove the program (services.exe) that I blocked from sending emails. Where is the real services.exe supposed to be? I could probably use HijackThis to delete the fraud on reboot if I can find it.
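On Windows XP the real services.exe lives in %SystemRoot%\system32 (C:\WINDOWS\system32\services.exe on this machine, which is exactly where the HijackThis process list above shows it) and is started by winlogon.exe. Two caveats before deleting anything: a firewall alert naming services.exe may be pointing at the genuine Service Control Manager, because a malicious service DLL or injected code sends its traffic under the host process's name; and a fake copy usually either sits in a different directory under the same name or uses a one-character lookalike name in the right directory. The block below is an added example, not from the thread: it runs the "Running processes" list through both checks. The three entries marked hypothetical are not on the page and exist only to exercise the checks; the directory table is an assumption for XP with C:\WINDOWS as the system root.

```python
from typing import Dict, List, Tuple

# Constructed input: the 'Running processes' list from the log above, with three
# hypothetical entries appended (not on the page) to show what a masquerading
# binary looks like: a core name in the wrong directory, a core name in a temp
# folder (8.3 form as HijackThis prints it), and a one-character lookalike.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\system32\wscntfy.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\WINDOWS\services.exe",                      # hypothetical
    r"C:\DOCUME~1\User\LOCALS~1\Temp\svchost.exe",   # hypothetical
    r"C:\WINDOWS\system32\svch0st.exe",              # hypothetical
]


def expected_dirs(systemroot: str = r"C:\WINDOWS") -> Dict[str, str]:
    """Assumed locations of the core Windows XP user-mode binaries."""
    s32 = systemroot + r"\system32"
    return {
        "smss.exe": s32, "csrss.exe": s32, "winlogon.exe": s32, "services.exe": s32,
        "lsass.exe": s32, "svchost.exe": s32, "spoolsv.exe": s32, "explorer.exe": systemroot,
    }


def split_ntpath(path: str) -> Tuple[str, str]:
    """Split on the last backslash so this also works on a Linux analysis box (os.path would not)."""
    d, _, name = path.rpartition("\\")
    return d, name


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_processes(paths: List[str], systemroot: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Return (path, reason) for processes that reuse or imitate a core Windows binary name."""
    expect = expected_dirs(systemroot)
    findings: List[Tuple[str, str]] = []
    for p in paths:
        d, name = split_ntpath(p)
        name_l, d_l = name.lower(), d.lower()   # NTFS paths are case-insensitive
        if name_l in expect:
            if d_l != expect[name_l].lower():
                findings.append((p, f"{name_l} must run from {expect[name_l]}, not {d}"))
        else:
            for core in expect:
                if within_one_edit(name_l, core):
                    findings.append((p, f"{name} is one character away from {core}"))
                    break
    return findings


if __name__ == "__main__":
    for path, why in check_processes(SAMPLE_PROCESSES):
        print(f"{path}\n    {why}")
```

Every process actually listed in the log passes; only the three hypothetical entries are reported. If this check comes back clean on the real machine, the next place to look is not the services.exe binary but what it hosts: the service entries under HKLM\SYSTEM\CurrentControlSet\Services and the DLLs loaded into the process, which is where a mailer running as a service or as injected code would show up.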