I have a PC running windows xp, my boyfriend has a Mac. I only hook up to his internet account with a wireless router and his ISP sent him this message:

4th Incident

Dear Customer:

Another report of a spamvertised website/open proxy complaint (http://shefna=2Ecom/ ) has been received on November 1, 2007 at 21:34 pm HST. Please follow the instructions below to close the open proxy/relay and/or remove the virus/Trojan from your computer. If additional reports are received, we may be forced to temporarily suspend your Road Runner service to stem the spread of these viruses/Trojans. Your prompt attention to this matter is appreciated and will most likely prevent the need to interrupt your service.

Please keep the infected computer turned off until it can be cleaned by a computer repair shop or until the hard drive on the computer can be reformatted. If additional complaints are received, your internet service will be placed on temporary suspension until the infected computer can be cleaned.

[ SpamCop V640 ]
This message is brief for your comfort. Please use links below for details.
Email from 66.91.210.144 / Fri, 02 Nov 2007 07:34:07 +0000
Moderator Edit: Tracking URL inserted here to replace the "Abuse report response center" URL that should have been handle by RoadRunner staff ....
Tracking URL on the spam submittal: http://www.spamcop.net/sc?id=z1507097883z6...db95a429d31936z
66.91.210.144 is open proxy, see: http://www.spamcop.net/mky-proxies.html
[ Offending message ]
Return-Path: <marlin[at]dtiglobal.com>
Delivered-To: cqmail-net-x
Received: (qmail 10756 invoked from network); 2 Nov 2007 08:13:08 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade1
X-Spam-Level: **********************
X-Spam-Status: hits=22.1 tests=HTML_MESSAGE,J_CHICKENPOX_22,J_CHICKENPOX_31,
RCVD_FORGED_WROTE,RCVD_FORGED_WROTE2,URIBL_AB_SURBL,URIBL_BLACK,
URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL version=3.2.3
Received: from unknown (192.168.1.107)
by blade1.cesmail.net with QMQP; 2 Nov 2007 08:13:07 -0000
Received: from mx53.cesmail.net (216.154.195.53)
by mx70.cesmail.net with SMTP; 2 Nov 2007 08:13:07 -0000
Received: from mail.daparr.co.uk [80.94.196.22]
by mx53.cesmail.net with POP3 (fetchmail-6.2.1)
for x (single-drop); Fri, 02 Nov 2007 04:13:07 -0400 (EDT)
Received: from cpe-66-91-210-144.hawaii.res.rr.com [66.91.210.144] by wolverine.serverdns.net
(SMTPD32-6.06) id A2EF68CD04A6; Fri, 02 Nov 2007 07:34:07 +0000
Received: from 216.206.209.36 (HELO cuda.dtiglobal.com)
by daparr.co.uk with esmtp (MMACKKEARIZ NOXEOT)
id OpMmac-Q52mBa-Jc
for x; Thu, 01 Nov 2007 21:34:05 -1000
Message-ID: <df27______________________5b42[at]Marlin>
From: "Marlin I. Contreras" <Marlin[at]dtiglobal.com>
To: "Noe N. Christian" <x>
Subject: Help yourself attain perfection in s'e_x with bigger di'ck
Date: Thu, 01 Nov 2007 21:34:05 -1000

Does that mean we have a virus? What virus? I have run Search and destroy many times, and symantec's VundoFix. I also have the hijackthis log.

What can I do to avoid someone using my computer to spam the universe? Or, is it the Mac that's doing it -is there a way to tell-? Is there a program I should have?

I will appreciate any help that doesn't have me format my hard drive.

As you can tell I'm no computer genius, so please be as clear as you can. sorry

Thanks.

Moderator Edit: Tracking URL inserted, replacing the posted Abuse report response center that should have been handled by RoadRunner staff

Hi, amelium!...Thanks to both Road Runner and to you for trying to address this (although I think Road Runner should do a better job of being proactive rather than waiting for its customers to start sending spam before they ask for preventive action).
...What machine has the IP address 66.91.210.144? That's the one with the problem. If I understand correctly, it could be the router, it could be your PC or it could be a machine owned by Road Runner.
...If it's your PC (and even if it isn't), you should read the SpamCop FAQ (see link near upper left corner of any SpamCop Forum page, such as this one) article labeled "Suggested Free Security Tools and Apps for Windows."
...If you're still left with questions after reading this reply, please don't hesitate to follow up with your own reply!...Unfortunately, that may not be possible, as your hard drive is almost certainly infected in a manner that's going to be VERY hard to disinfect. However, you should be able to safely back up any personal files first, such as Excel, Word, text files, etc, and then restore them to your reformatted hard drive (as long as you disable macros). Another possibility is to engage the services of a security professional who specializes in the operating system you are using on your PC.

It's most likely your PC that's infected. The programs you mentioned won't necessarily do the trick, especially if your computer isn't fully protected all the time by a good anti-virus program. Which one are you using, and is it fully updated? There are multiple online scan sites where you can check your PC, but some of them want to charge you to actually remove anything they find.

According to the SpamCop reporting logs and information on the CBL site, it appears that this was happening about a week or so ago, and someone (you or your boyfriend?) requested that the IP address be "delisted" from the CBL, but you're back on it again. Your IP is also on the SCBL, the blocking list maintained by SpamCop, for sending to "spamtrap" addresses, but also for these incidents:

Submitted: Friday, November 02, 2007 10:25:34 AM -0700:
Help yourself attain perfection in s'e_x with bigger di'ck

* 2595330462 ( 66.91.210.144 ) To: abuse[at]rr.com

Submitted: Friday, October 26, 2007 7:26:13 AM -0700:
We shall lead you to your new s'e_xual life

* 2582056923 ( 66.91.210.144 ) To: abuse[at]rr.com

I personally recommend and use Avast! Antivirus, and have never had an infection of any kind on my PC.

DT

Not to be rude but...... YES!
your computer is infected. Not necessarily with a virus but a trojan. It could also be your wireless router. This is not to be taken lightly seems someone has more control of your system than you do and as long as you are connected to the internet you are sending spam without knowing it. Worse, nothing on your computer (any information) is safe. I suggest following the FAQ but another good place to start is http://www.safer-networking.org/en/spybotsd/index.html Spybot Search & Destroy. Also, have someone that knows about wireless networking setup a wep key if you are not using one yet and closing the holes in your router.

I should have mentioned this before, but if there are other computer users within range of the wireless router, then it might actually be *their* computers that have been hijacked by spammers and are transmitting the spam. Make sure that "wireless security" is enabled on the router, and use WPA, not WEP, which is less secure.

DT

I wouldn't say that is necessarily true. It all depends on what kind of infection it it and how deeply the infection has gotten into the system (and how much time the user wants to spend trying to disinfect themselves).

• Malware Removal Guide - Optimize Guides
• Recover from a Virus or Trojan Attack (PDF) - US CERT
• Unexplained computer behavior may be caused by deceptive software - Microsoft
• Malware Removal and Prevention - CastleCops
• Step by Step Malware Removal Guides - Google

Try and run one of the many online virus scanners to identify (if not remove) the threat you have. Once you have it identified, it becomes much easier to discover a guide or even a tool that will help you remove it. HiJackThis and the many forums that help analyze the logs and guide users through removal and repair can also be of great help. Make sure and secure yourself once you've gotten rid of the problem, however you choose to do so.

Make sure and always apply the latest patches for your OS and any other software you run, use both a software and hardware firewall. Download or purchase an anti-virus and keep it up to date and scan your system at least once a week, as well as one or more of the spy/ad/malware and rootkit solutions. Finally, take great precaution in what you download off the internet and through email. Here's a few more helpful links for that:

• Secure XP
• Basic Home Computer Security
• Home Network Security

Good luck!

I'm going to start with what I can see at the moment.

You posted from the same IP address as in question, 66.91.210.144 which currently points to cpe-66-91-210-144.hawaii.res.rr.com, which is roughly translated to 'customer purchased equipment' at a 'resedential' address .... your description of 'one boyfriend, two computers, and a router' woud also suggest that you're not paying business rates for a cable connection that would allow the 'use of servers' at this IP address.

http://www.spamcop.net/w3m?action=checkblo...p=66.91.210.144 currently says;
66.91.210.144 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

That both spamtrap hits and reports are involved is significant. Please see the Why am I Blocked? FAQ and Pinned entry.

Listing History
In the past 75.1 days, it has been listed 27 times for a total of 32.2 days

This is also pretty significant.

http://www.senderbase.org/senderbase_queri...g=66.91.210.144
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 3.5 .. -32%
Last month .. 3.6

SenderBase's "Magnitude" Explained would seem to suggest that traffic flow is 'seen' running somewhere around 7-8,000 e-mails a day. That's quite a bit of traffic for the 'me, a boyfriend, and two computers' ....

Date of first message seen from this address 2007-08-22

No idea how long you've had this IP address signed (again noting that it is 'yours' at present) ... could this date add anything to the mix? The day the wireless router was installed, the day the boyfriend moved in, something significant????

As stated by others, your scanning software selection is pretty limited. The security issues remain to be answered. If you're going to wait for some other 'expert' to get involved, I'd suggest reading a previous poster's query/story that travels the same scenario .. please see [Resolved] 213.93.21.64 is blocked .. as stated, she may very well have been waving 'good morning' everyday to the actual lowlife/ignoramous neighbor involved in causing her problems, which boiled down to the wide-open wireless router .... However, the troubleshooting sequences seen there should be easily accomplished by yourself.

Good point, just thought it would be easier