Community Forum

HJT logfile PLEASE help - PC sending SPAM

Xfinity Forum Archive
About the archive project

Xfinity Forum Archive...

This is an archived section of the community.

Content in this area has been identified as outdated or irrelevant.

This change was done in an effort to make the forum easier to use and to keep only the most helpful and recent content active.

Post your questions in the Xfinity Community

Regular Contributor

HJT logfile PLEASE help - PC sending SPAM

COMCAST sent an email to me saying my computer is sending SPAM mail. I already have Notron antivirus,security, Microsoft spyware, spyguard, and ran all of those scans, plus: Ran Ad-Aware – found and deleted 8 critical objects, Ran CW Shreddre – coolwebSearch was not found and Installed and ran TREND MICRO SCAN – found and deleted some items. I keep my computer security items up to date and don't open attachments I don't know etc. If you can look at the HJT and let me know if there are issues in there that could be the cause of this spam being sent, please help me get rid of it.


Below is a copy of my HJT logfile.
Logfile of HijackThis v1.99.1
Scan saved at 8:51:16 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\REGIST~1\rbcs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\07QFAHCP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: nwiz.exe /install
O4 - HKLM\..\Run: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: "C:\PROGRA~1\REGIST~1\rbcs.exe" -autorun
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com
O4 - HKCU\..\Run: C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://offers.e-centives.com
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127231623516
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://amazon.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Bronze Problem Solver

Re: HJT logfile PLEASE help - PC sending SPAM

First, the good news, I don't see anything untowared in your HJT log, Now the bad news.. That still does not mean that you are not infected.. Let's try a few more tools to be sure:

1) Download Ewido (an antitrojan) from http://www.ewido.net .. Install it, update it and do a full system scan. At the end it will give you the option to save a log, please do, and pay attention to where you save it.. We'll need to see a copy of that log.
After you run Ewido and the can is finished.

2) Download SilentRunners from http://www.silentrunners.org/ Note the instructions at the site.. NAV may warn you about the script, but let it run.

Post both the Ewido log and the silentrunners log back into this thread.
TANSTAAFL!!


Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

Hello... thank you for your help..
I ran the two scripts you suggested.
Here are the outputs:


Ewido output:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:09:56 AM, 1/10/2006
+ Report-Checksum: 42F3242F

+ Scan result:

HKU\S-1-5-21-329068152-1078145449-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-329068152-1078145449-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549F957E-2F89-11D6-8CFE-00C04F52B225} -> Spyware.Coolsavings : Cleaned with backup
HKU\S-1-5-21-329068152-1078145449-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-329068152-1078145449-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@sales.liveperson.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@sec1.liveperson.txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background"
"OfotoNow for Amazon.com USB Detection" = "C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OFOTON~1.COM\OFUSBS.DLL,WatchForConnection OfotoNow for Amazon.com"
"OfotoNow USB Detection" = "C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow"
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background"
"CheckRegDefragService" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
"nwiz" = "nwiz.exe /install"
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
"HPHmon03" = "C:\WINDOWS\System32\hphmon03.exe"
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"DIGStream" = "C:\Program Files\DIGStream\digstream.exe"
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer"
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup"
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe""
"rfagent" = ""C:\Program Files\RFA\rfagent.exe""
"CheckRegDefragService" = ""C:\PROGRA~1\REGIST~1\rbcs.exe" -autorun"
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe""

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll"
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security 2006"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll"
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll"
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL"
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll"
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll"
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll"
"{5EC3EA89-4453-4416-A78B-65F689DC2048}" = "Goback Drives"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\GBDrvShX.dll"
"{6809E580-A3A7-11D1-9A00-00A0C945B006}" = "GoBack Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\ShellExt.dll"
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll"
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll"
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll"
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll"

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll"
GoBack\(Default) = "{6809E580-A3A7-11D1-9A00-00A0C945B006}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\ShellExt.dll"
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll"

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll"

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr"


Startup items in "User" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\User\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe"
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
"Image Transfer" -> shortcut to: "C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe"
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l"
"Norton GoBack" -> shortcut to: "C:\Program Files\Norton GoBack\GBTray.exe"
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart"


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Run Full System Scan - User" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca""
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE"
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll"
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll"
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll"
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll"

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL , (at) ## range:
%SystemRoot%\system32\mswsock.dll , 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll , 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security 2006"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll"

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll"

"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll"

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security 2006"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll"

"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe"
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe"
GoBack Polling Service, GBPoll, ""C:\Program Files\Norton GoBack\GBPoll.exe""
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" }
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe""
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE""
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
Pml Driver, Pml Driver, "C:\WINDOWS\System32\HPHipm09.exe"
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe""
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe""
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe""
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe""
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe""
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe"
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe"


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 133 seconds, including 9 seconds for message boxes)
Bronze Problem Solver

Re: HJT logfile PLEASE help - PC sending SPAM

Hmm., Still nothing that should be causing you a problem like this.. Let's make darned sure though there is one more type of malware that may be causing this..

Download RootkitRevealer and unzip it..

Run the executable and save the log for this one too..

Post it back here..
http://www.sysinternals.com/Files/RootkitRevealer.zip
TANSTAAFL!!


Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

Here is the output of the RootkitReveal after the scan:

C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_fcc.dat 1/10/2006 10:31 AM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temp\xx3612 1/10/2006 12:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temp\xx3613 1/10/2006 12:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temp\xx3614 1/10/2006 12:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temp\xx3615 1/10/2006 12:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temp\xx3616 1/10/2006 12:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\07QFAHCP\style.css 1/10/2006 12:39 PM 9.08 KB Hidden from Windows API.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\4LU3ST63\style2.css 1/10/2006 12:35 PM 365 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\V133RWWM\profile.htm 1/10/2006 12:39 PM 16.81 KB Hidden from Windows API.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\V133RWWM\style2.css 1/10/2006 12:39 PM 365 bytes Hidden from Windows API.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\V133RWWM\style.css 1/10/2006 12:35 PM 9.08 KB Visible in Windows API, but not in MFT or directory index.
Bronze Problem Solver

Re: HJT logfile PLEASE help - PC sending SPAM

Ok Anon102611,

I still don't see anything but, Just to be sure I've called in the big guns.. One LoPhatPhuud (forum name, here and in every major security forum on the net).. He will drop by soon and take a look and may have other suggestions..
TANSTAAFL!!


Expert

Re: HJT logfile PLEASE help - PC sending SPAM

A couple of things come to mind.

Did Comcast send an example, or just say you are spamming? Email addresses and IP addresses are easy to spoof in email although the true IP address of the sender will be there. Ask Comcast for an example, including full headers.

I notice you use Outlook.

Check to make sure only accounts you set up are active. Delete any others.

Check the 'Sent Items' folder for each account, looking for email you did not send. If you are indeed spamming, then either Outlook was used, or a spearate installed program was used. This step, and the info from Comcast will help.

If there is no email in the sent folder, then you need to turn the option on. Outlook default is on. In Outlook, Tools -> Options -> Preferences tab -> Email Options button -> check 'Save copies of messages in Sent Items folder. Do this for each account.

Check you Firewall logs to see if any information is there.

Silent Runners gave us some information, but there are others places to hide auto run programs that it does not cover. Do the following and post the log in this thread.

Download 'Autoruns' from here:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and the double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in this thread.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

IN Response to your questions:

***The email I got from COMCAST said in part:

We have confirmed that your computer has been involved in transmitting unsolicited email, an activity that is in violation of the Comcast Terms of Service Agreement. The reporting parties have provided email header information, which identifies the IP address of the computer that was
transmitting the email. The IP address listed was one that was assigned to your computer at the date and time in question.
If you cannot account for this activity, the email being sent from your computer may be due to a virus, Trojan infection or other compromise to the health and security of your computer system.

*** I did a CHAT with COMCAST to see if I could get the FULL HEADERS of an example.. but he was not able to help me.. he said to reply to the email.. which I did.. but who knows when I will hear back ***

*** I had already checked my SENT folder, and didn't see anything except emails we had sent. Since the note said it came from my IP address, I did not check our other computers.

*** Here is the output of the AUTORUNS ***

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ AcctMgr Password Manager Controller Symantec Corporation c:\program files\norton password manager\acctmgr.exe

+ ccApp Symantec User Session Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

+ CheckRegDefragService Registry Compressor Systweak Inc c:\program files\registry compressor\rbcs.exe

+ DIGStream File not found: C:\Program Files\DIGStream\digstream.exe

+ gcasServ Microsoft AntiSpyware Service Microsoft Corporation c:\program files\microsoft antispyware\gcasserv.exe

+ HPDJ Taskbar Utility HP c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

+ HPHmon03 HPHa3mon Hewlett-Packard c:\windows\system32\hphmon03.exe

+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ nwiz NVIDIA nView Wizard, Version 45.23 NVIDIA Corporation c:\windows\system32\nwiz.exe

+ QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ rfagent Registry First Aid, the easy powerful registry cleanup program KsL Software c:\program files\rfa\rfagent.exe

+ SunJavaUpdateSched c:\program files\java\j2re1.4.2_01\bin\jusched.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

+ ViewMgr ViewMgr Viewpoint Corporation c:\program files\viewpoint\viewpoint manager\viewmgr.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

+ Image Transfer.lnk c:\program files\sony corporation\image transfer\sonytray.exe

+ Microsoft Office.lnk Microsoft Office XP component Microsoft Corporation c:\program files\microsoft office\office10\osa.exe

+ Norton GoBack.lnk Norton GoBack Tray Icon Symantec Corporation c:\program files\norton goback\gbtray.exe

+ Trend Micro Anti-Spyware.lnk Anti-Spyware Main Module Trend Micro Incorporated c:\program files\trend micro\tmas\tmas.exe

C:\Documents and Settings\User\Start Menu\Programs\Startup

+ SpywareGuard.lnk SpywareGuard c:\program files\spywareguard\sgmain.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ MSMSGS Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe

+ MsnMsgr MSN Messenger Microsoft Corporation c:\program files\msn messenger\msnmsgr.exe

+ OfotoNow for Amazon.com USB Detection Run a DLL as an App Microsoft Corporation c:\windows\system32\rundll32.exe

+ OfotoNow USB Detection Run a DLL as an App Microsoft Corporation c:\windows\system32\rundll32.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

+ Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe

+ Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Corporation c:\windows\system32\iedkcs32.dll

+ Internet Explorer Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe

+ Internet Explorer Windows Setup API Microsoft Corporation c:\windows\system32\setupapi.dll

+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe

+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe

+ Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

+ Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe

+ Themes Setup Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ Windows Desktop Update Microsoft(C) Register Server Microsoft Corporation c:\windows\system32\regsvr32.exe

+ Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe

+ Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

+ Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

+ CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll

+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ ewido shell guard c:\program files\ewido anti-malware\shellhook.dll

+ Microsoft AntiSpyware Service Hook Microsoft AntiSpyware Shell Extension Microsoft Corporation c:\program files\microsoft antispyware\shellextension.dll

+ shell32.dll Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ SpywareGuard SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ %DESC_PublishDropTarget% Photo Printing Wizard Microsoft Corporation c:\windows\system32\photowiz.dll

+ &Address Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\windows\system32\cabview.dll

+ Accessible Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\windows\system32\occache.dll

+ Address Bar Parser Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Address EditBox Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Administrative Tools Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Audio Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Auto Update Property Sheet Extension Automatic Updates Control Panel Microsoft Corporation c:\windows\system32\wuaucpl.cpl

+ Avi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ BandProxy Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Briefcase Windows Briefcase Microsoft Corporation c:\windows\system32\syncui.dll

+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Channel File Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Menu Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Properties Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll

+ Code Download Agent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Compatibility Page Compatibility Tab Shell Extension DLL Microsoft Corporation c:\windows\system32\slayerxp.dll

+ Compressed (zipped) Folder Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder Right Drag Handler Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder SendTo Target Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll

+ ConnectionAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll

+ Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll

+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Darwin App Publisher Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Desktop Explorer NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 45.23 NVIDIA Corporation c:\windows\system32\nvshell.dll

+ DfsShell Distributed File System shell extension Microsoft Corporation c:\windows\system32\dfsshlex.dll

+ Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll

+ Directory Object Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Directory Property UI Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll

+ Directory Query UI Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Directory Start/Search Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\windows\system32\diskcopy.dll

+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\windows\system32\dskquoui.dll

+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\windows\system32\deskadp.dll

+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\windows\system32\deskmon.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\windows\system32\deskperf.dll

+ Download Status Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ DS Security Page Directory Service Security UI Microsoft Corporation c:\windows\system32\dssec.dll

+ E-mail Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Extensions Manager Folder Extensions Manager Microsoft Corporation c:\windows\system32\extmgr.dll

+ Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Fonts Windows Font Folder Microsoft Corporation c:\windows\system32\fontext.dll

+ Fonts Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll

+ FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Corporation c:\windows\system32\msieftp.dll

+ GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Goback Drives c:\program files\norton goback\gbdrvshx.dll

+ GoBack Shell Extension GoBack Shell Extension Symantec Corporation c:\program files\norton goback\shellext.dll

+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ History Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll

+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ In-pane search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll

+ Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll

+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft DocProp Shell Ext Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll

+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Office HTML Icon Handler Microsoft Office XP component Microsoft Corporation c:\program files\microsoft office\office10\msohev.dll

+ Microsoft Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Microsoft Corporation c:\program files\microsoft office\office10\olkfstub.dll

+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll

+ MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\windows\system32\mmsys.cpl

+ MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ MyDocs Properties My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll

+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll

+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll

+ NTFS Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll

+ Offline Files Folder Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll

+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\windows\system32\docprop.dll

+ PlusPack CPL Extension Windows Theme API Microsoft Corporation c:\windows\system32\themeui.dll

+ Portable Media Devices Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll

+ Portable Media Devices Menu Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll

+ PostAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Previous Versions Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll

+ Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll

+ Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Printers Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll

+ Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Corporation c:\windows\system32\remotepg.dll

+ Run... Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll

+ Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Search Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll

+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll

+ Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell Application Manager Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl

+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\windows\system32\ntlanui2.dll

+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll

+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll

+ Shell extensions for Windows Script Host Microsoft (r) Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll

+ Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell Image Verbs Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Shell properties for a DS object Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll

+ Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\windows\system32\shscrap.dll

+ Shell Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ SpywareGuard SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

+ Subscription Folder Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Subscription Mgr Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll

+ Taskbar and Start Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll

+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ The Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

+ Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ TrayAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll

+ TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ User Accounts Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ User Assist Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll

+ Web Folders Microsoft Web Folders Microsoft Corporation c:\program files\common files\microsoft shared\web folders\msonsext.dll

+ Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\windows\system32\printui.dll

+ Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll

+ Web Search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll

+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll

+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll

+ Yahoo! Mail YMMAPI Module Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

+ {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

+ CNavExtBho Class Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton internet security\norton antivirus\navshext.dll

+ CNisExtBho Class NIS Shell Extension Symantec Corporation c:\program files\common files\symantec shared\adblocking\nisshext.dll

+ SpywareGuardDLBLOCK.CBrowserHelper SpywareGuard Download Protection c:\program files\spywareguard\dlprotect.dll

+ {53707962-6F74-2D53-2644-206D7942484F} Bad download blocker Safer Networking Limited c:\program files\spybot - search & destroy\sdhelper.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

+ shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ Norton AntiVirus Norton AntiVirus Shell Extension Module Symantec Corporation c:\program files\norton internet security\norton antivirus\navshext.dll

+ Norton Internet Security 2006 NIS Shell Extension Symantec Corporation c:\program files\common files\symantec shared\adblocking\nisshext.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe

Task Scheduler

+ Norton AntiVirus - Run Full System Scan - User.job Norton AntiVirus Scanner Module Symantec Corporation c:\program files\norton internet security\norton antivirus\navw32.exe

+ Symantec Drmc.job c:\program files\common files\symantec shared\symdrmc.exe

+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

HKLM\System\CurrentControlSet\Services

+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ ccEvtMgr Event propagation and logging service Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe

+ ccProxy Symantec Proxy Service Symantec Corporation c:\program files\common files\symantec shared\ccproxy.exe

+ ccSetMgr Settings storage and management service Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe

+ CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\svchost.exe

+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe

+ Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe

+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe

+ ewido security suite control ewido control ewido networks c:\program files\ewido anti-malware\ewidoctrl.exe

+ ewido security suite guard guard ewido networks c:\program files\ewido anti-malware\ewidoguard.exe

+ GBPoll GoBack Polling Service Symantec Corporation c:\program files\norton goback\gbpoll.exe

+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe

+ navapsvc Handles Norton AntiVirus Auto-Protect events. Symantec Corporation c:\program files\norton internet security\norton antivirus\navapsvc.exe

+ NVSvc NVIDIA Driver Helper Service, Version 45.23 NVIDIA Corporation c:\windows\system32\nvsvc32.exe

+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe

+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe

+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or use
Valued Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

Anon,

Please explain this:

"Since the note said it came from my IP address, I did not check our other computers. "

1. Do you have multiple computers hooked up to Comcast from the same location? Normally Comcast provides only one IP address per customer and all computers you have would share that same IP address. If that is the case, one of the other computers may be infected.

2. Are you using a router to connect these computers to the Comcast modem?
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

yes, I do have a LinkSys router and multiple computers at home. (kids computers and our computer). I guess, I thought each PC had its own IP address. We only use email on this one computer (the one I have been scanning and checking things on).
Most Valued Poster

Re: HJT logfile PLEASE help - PC sending SPAM

Anon,

You only have one public IP address, each of the computers on your network have an internal IP address that is assigned by your router. Comcast only sees the public IP address, not the internal IP addresses.

You should run HijackThis on each of the other computers and post the logs here.
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

Now it gets clearer. My guess is one of your children's computers is infected.

FYI, Comcast issues one IP address, which is shared by all computers connected to the router.

You will need to check each computer. Check each computer for email accounts (Outlook Express is usually installed on all Windows computers). See if you can find which computer in infected, but still check them all.

Best would be to run AdAware and Spybot S&D on each one, then run HiJackThis for each computer. Post each log in separate thread. I know that seems cumbersome, but from this side it gets impossible to deal with more than one computer per thread. Be sure to mark each post so you can tell which computer each log belongs too.

Now, FYI, the common;y used Linksys routers can be provisioned to provide logging. In this case, you would know very quickly, which computer was sending spam. TO use logging requires a modified firmware and a logging program. All is available free.

If you want to set it up after we get the email issue settled, then I can point you in the right direction and we can discuss the issues involved and where to get the software needed.

BTW, I have a small network here at home (2 Desktops, 2 laptops), behind a Linksys WRT54GS with logging to my computer.
Message was edited by: LoPhatPhuud


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

me too.. I ALSO have a small network here at home (3 Desktops, 2 laptops), behind a Linksys WRT54G.

I would like to do the logging.

OK.. I'll start checking the other PCs.

One other interesting note.. I have been receiving alot of spam (more then usual).. all the same 3 or 4 msgsg.. but from different email addresses. I always tell Norton to block it next time.. and then the msg comes back from a different email.
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

Addendum:

To avoid further issues with Comcast since the spamming computer has not been found or fixed, I suggest you disconnect each one from the router for the time being.

Your computer (the one posted here) is clean, as best we can tell, and should be ok to leave connected.

Tis better to incur the rath of internet-less kids, rather than the rath of Comcast and possible jeopardize your account.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

For ISP with non-proprietary email systems (ala AOL), in my opinion, the best friend you can have is a program called Mailwasher Pro (www.firetrust.com). Its not free, but worth every penny. I have been using it from the early days when it was free.

MW sits between Comcast and Outlook (my email program) and is the program that actually checks for email. It has excellent filters and a learning mode. It catches about 90% of all the junk mail I get. I have it set to mark for deletion, rather than auto delete. I review the list of emails and then delete the junk on the server. It never makes it to my computer!! If I goof and delete a good email by accident, MW has kept a copy (for a while) so I can get it back! I then run Outlook to download the good email.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

That sounds wonderful (MW) . I went to their website. I am getting tired of all the junk mail that does seem to come through. Since I have 3 PCs and 2 laptops hooked to my router... then I need to buy this for each one? Though our main computer (the one I have open on this thread).. is the one we do 80% of our email.

Thank you for your advice and time in helping me.
There sure are a lot of nice computer people out there.
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

Firetrusts offers a discount for multiple licenses. You can check the website for details.

The hard part, with children, is to educate them to use Mailwasher to preview all their email before using the mail program to download the good mail.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

I took a look at your son's log and it does indeed appears to be missing a lot of entries.

One other possible cause came to mind. Your wireless network may be exposed and un-authorized connections being made. It is a remote possibility, but possible none the less.

Be sure you have the wireless links encrypted. Log in to your Linksys, then go to Wireless, then Wireless Security. You wnat to use WAP, TKIP -- pick a password. Then you will have to adjust each computer that connect wirelessly and add the password. I found a reboot is best. I am running a 3rd party firmware, so my router screens will differ in some places.


BTW, can you give me the start of hte serial number of your router. It start sometihng like, CGNxxx. Some version of hte Linksysy WRT54G use a default software that is a bear to modify. The V5 is a general waste of time. Hopefully you will not have one of them.

YOu can get some good info on Linksys and 3rd party firmware here: http://www.linksysinfo.org/


I use the firmware form here; http://www.hyperspacehome.com/hyperwrt/

It meets my needs and so far I see no reason to update. This one is stable.



Note that this is just info am posting before I forget to. First order of business is to eliminate the spam issue.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

Yes, I am working on trying to find which computer our problem is at.

When I set up my wireless network.. I did encrypt and set a password.. I will have to look that up again. My laptops connect via wireless, my PCs by wired.

I am opening a new posts for my daughter's laptop.
She does send a lot of email, way more then my son.
My son just got a new hard drive a month ago.
My daughter's laptop is 2 years old.

Thanks for the other info in you last note to.

I changed my name to Zipper5.
Regular Contributor

Re: HJT logfile PLEASE help - PC sending SPAM

BTW, can you give me the start of hte serial number of your router. It start sometihng like, CGNxxx. Some version of hte Linksysy WRT54G use a default software that is a bear to modify. The V5 is a general waste of time. Hopefully you will not have one of them.


*** forgot to answer your question ***
The start of the serial number is CDF8xxx
Expert

Re: HJT logfile PLEASE help - PC sending SPAM

Good News

The CDF8 identifies your WRT54G as a v3.0.

But the V5 begins CDFB. Unless you have a recent purchase, the CDF8 seems correct.

I would suggest using the Hyperwrt software, last beta release, even though the Lijnksys base firmware is more recent. This is the one I use and it has been rock stable.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Most Valued Poster

Re: HJT logfile PLEASE help - PC sending SPAM

This is a double-posted topic.

This one is the latest:

PC sending SPAM? HJT log
"Neo, you must understand, there's a difference between knowing the path and walking the path." Morpheus - The Matrix
Bronze Problem Solver

Re: HJT logfile PLEASE help - PC sending SPAM

No, it is not a double post.. It is over 3 different PC's
TANSTAAFL!!