Kudos0

My pc sending spam

Hello,

I noticed slow internet performance on the PCs and MACs in my house. I discovered disconnecting the network cable on one PC solved the problem. I then purchased Norton AntiVirus 2010 (yesterday) and ran all the scans removing several viruses.

The PC still appears to be sending spam. When connected to my network it is really slow and unresponsive. Once I disconnect the network cable I can use it again.

Also when connected I get a series of Norton popup messages:

Norton AntiVirus Email Error 

Then there are messages such as "550 requested action not taken", "user not valid", "email address removed due to high levels of activity", etc.

Then the message details are 

From "Viagra (c) Best Online Store <random email address>

To <random email address>

Subject User fangsx special 80% off.

I have turned the Windows XP firewall to on with no exceptions as well as run several Norton AntiVirus scans and I still continue to get these messages. Sometimes 10 or 20 in the 60 seconds the network cable is plugged in.

What is going on?

Thanks in advance!

Replies

Kudos1 Stats

Re: My pc sending spam

Hi barryware

Welcome to the Norton Community

Installing NAV on a computer which is already infected may not give you a good install and therefore the program may not work correctly either. Let's see if we can find any more malware and see if we can get it cleaned up. First of all, do you have any other security programs on your computer? What did you use as your antivirus program before you installed NAV 2010?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos2 Stats

Re: My pc sending spam

Most likely (from the sounds of it), you have a bot type infection on your machine.  Can you

a)  Tell us the virii that Norton detected and removed?

b)  Tell us if you did a Norton scan in Safe Mode?  If not then disconnect from the internet, reboot your machine into Safe Mode (tap the F8 key while starting the system until the Advanced Options Menu displays and select Safe Mode (no command or network)), then double click on the NAV2010 desktop icon and follow the instructions in the pop ups to run a Full System Scan.  Please tell us the results.

c)  As a second defence, you could run Malwarebytes' Antimalware to see if a second scanner finds anything that was hidden from Norton.


Please download MalwareBytes' AntiMalware from this LINK . Choose the free version as this does not have a real time scanner that will interfere with Norton products. Install the program and update the definitions.

Once MBAM is loaded, run a full scan with it. Have the program fix / delete whatever it finds and make a log file. Please post the log file contents or attach the log file to a reply post here for review.

d)  Please run a HiJackThis log for review here to see what is running on your system.


Please download HiJackThis from this web site.  Choose the executable and save it on your desktop.  Run the file and select the first option on the main menu "Do a system scan and save a log file".  When this is finished, Notepad will open with the log file in it. Save the log file and attach it to a post here via the Add Attachments under the orange Post button.

Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: My pc sending spam

Thanks

 floplot 

"Installing NAV on a computer which is already infected may not give you a good install and therefore the program may not work correctly either."

I didn't know virii were that sinister and that NAV could be affected that way!!


dbrisendine
A) a0095824.dll trojan,
overla.xul (Trojan.Gord)
~tmb3.tmp trojan horse
~tme8.tmp
~tme3.tmp
~tme2.tmp
srsdllpro.exe


B) Yes, I did boot in safe mode, but NAV would not start without a network connection. Even when I booted in Safe Mode with Network support, it did not run and took me to a troubleshooting page.

C) Running MalwareBytes AntiMalware now (PC is in Normal boot up mode). 1 hour 3 min in it says 14 Objects Infected. Still running and I will let you know results when complete.
(honest question, what did I buy NAV for if AntiMalware could do the work instead?)

D) Here is the HIJACKTHIS.LOG that was run before running the AntiMalware application




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:41 PM, on 12/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\U3\0C415B503180D88D\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SearchSafe - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\SearchSafe\SearchSafe.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Bzowoganides] rundll32.exe "C:\WINDOWS\inogijanileriheh.dll",Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: siszyd32.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.10.00/cab/aolpPlugins.10.6.0.6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O17 - HKLM\Software\..\Telephony: DomainName = hsd1.mn.comcast.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7498 bytes

Kudos0

Re: My pc sending spam

You are already receiving good advice. Please wait for response on your hijack log. I would be suspicious about

O4 - HKLM\..\Run: [Bzowoganides] rundll32.exe "C:\WINDOWS\inogijanileriheh.dll",Startup

unless you know what this is..

Kudos0

Re: My pc sending spam

These are the results, but it did not fix the problem. After reboot, I connected the network cable and instantly started getting Norton AntiVirus email errors.

I ran NAV quick scan and it did not find anything.


 

This really stinks. I can't believe that I am being used by some a$$ somewhere. I want to pop'em in the nose!!

 

 
Here are the logs from Malware and HiJackThis after the Malware scan was completed.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2009 4:24:36 PM
mbam-log-2009-12-18 (16-24-36).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 443847
Time elapsed: 3 hour(s), 29 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\inogijanileriheh.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{7d3f5de4-e980-4407-a10f-9ac771abaae6} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bzowoganides (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4982d40a-c53b-4615-b15b-b5b5e98d167c} (Adware.SearchIt) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: vmomax5.dll  -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\vmomax5.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\inogijanileriheh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\AOL Toolbar\toolbar.dll (Adware.SearchIt) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP916\A0093790.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TMB1.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
G:\WINDOWS\SYSTEM\JGAW400.DLL (Trojan.Hiloti) -> Quarantined and deleted successfully.








-------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:45 PM, on 12/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SearchSafe - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\SearchSafe\SearchSafe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: siszyd32.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.10.00/cab/aolpPlugins.10.6.0.6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O17 - HKLM\Software\..\Telephony: DomainName = hsd1.mn.comcast.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6965 bytes
 

Kudos0

Re: My pc sending spam

Hi berryware

I would be suspicious of this line in hijackthis. I think that this .dll could have something to do with the spam emails. I'm not an expert, so please wait for someone to look at the logs.

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

I did notice that you are running a very old version of adobe acrobat. The adobe programs are always being updated for security reasons.

Please run a scan with SuperAntiSpyware next.

We are suggesting these other scans because each program's engine is made differently and they are good for cleaning up certain malware and these other programs have logs which can be posted here and can show symptoms of malware or give us hints of other problems. They don't take the place of an antivirus program and a good firewall.

Here is a free on demand antimalware scanner. It is safe to use on demand with your Norton product. After the scan, please post the log using the add attachment right under the post button.


http://www.superantispyware.com/

Message Edited by floplot on 12-18-2009 06:06 PM
Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos3 Stats

Re: My pc sending spam

berryware,

<< (honest question, what did I buy NAV for if AntiMalware could do the work instead?) >>

An understandable question but one for which there is a valid answer:

You were infected before you installed NAV and if you had had NAV, or better yet NIS, installed then they well could have stopped the infection taking place.

Malwarebytes is a specialized application that in the free version only identifies existing infections (and even it is not perfect) and removes most of them. Similarly for SuperAntiSpyware in the free version.

It is usually much easier to remove something that is by nature out of the ordinary than it is to keep ahead of the malware producers so there is a place for both kinds of utility.

Personally I have a high respect for Norton's protection and I do rely on it but I still have to remember that the biggest danger to the computer lies between the left ear and the right ear of the user and I have to be careful where I go on the internet and how I treat enticing advertisements or emails .... <s>

Good luck with the clean up. You are in good hands here but don't get distracted by the way we cooks all get busy stirring the recipe pot!

Hugh
Kudos0

Re: My pc sending spam

Try booting your computer from the Norton CD then running a full scan?

After booting from the CD, connect your computer to the router directly to allow the boot tool to update itself.  Then follow the instructions for a full scan.

“ We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard ”--President John F. Kennedy
Kudos0

Re: My pc sending spam


Well, it is still happening. Norton AntiVirus captures the Email Error, but does not stop the offending source, or even let me know what it is.
SUPERAntiSpyware did find other viruses that were missed before.

One thing to note is all of these emails have the same FROM

VIAGRA © Best Online Store <randomemailaddress>

Is there a way I could search for just that string in processes that are running?

I have attached an image of several of the email errors. They only appear one at a time, this is a collection of 3 recent ones.


Thanks



 Wikipedian- I purchased NAV online and don't have a bootable CD.



huwyngr, thank you for the explanation.


Thanks floplot,

Here are the logs from SuperAntiSpyware.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/18/2009 at 09:22 PM

Application Version : 4.32.1000

Core Rules Database Version : 4379
Trace Rules Database Version: 1978

Scan type       : Quick Scan
Total Scan Time : 00:39:09

Memory items scanned      : 445
Memory threats detected   : 0
Registry items scanned    : 596
Registry threats detected : 36
File items scanned        : 22956
File threats detected     : 20

AdwareFilter Toolbar
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\InprocServer32
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\InprocServer32#ThreadingModel
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\ProgID
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\Programmable
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\TypeLib
    HKCR\CLSID\{1028F737-81E7-452B-A860-E50CAD90A08C}\VersionIndependentProgID
    HKCR\SearchSafe.SearchSafeToolbar.1
    HKCR\SearchSafe.SearchSafeToolbar.1\CLSID
    HKCR\SearchSafe.SearchSafeToolbar
    HKCR\SearchSafe.SearchSafeToolbar\CLSID
    HKCR\SearchSafe.SearchSafeToolbar\CurVer
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\0
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\0\win32
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\FLAGS
    HKCR\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4}\1.0\HELPDIR
    C:\PROGRAM FILES\SEARCHSAFE\SEARCHSAFE.DLL
    HKU\S-1-5-21-1800473919-1003661161-478248697-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{1028F737-81E7-452B-A860-E50CAD90A08C}
    HKCR\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0}
    HKCR\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0}\ProxyStubClsid
    HKCR\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0}\ProxyStubClsid32
    HKCR\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0}\TypeLib
    HKCR\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0}\TypeLib#Version
    HKCR\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0}
    HKCR\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0}\ProxyStubClsid
    HKCR\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0}\ProxyStubClsid32
    HKCR\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0}\TypeLib
    HKCR\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0}\TypeLib#Version

Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\owner@www.hrsaccount[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@ads.ak.facebook[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adserver.aopa[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@secure-media-sf2p.facebook[1].txt
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.cnn[1].txt
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[2].txt
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@media.fastclick[1].txt
    C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.x10[2].txt
    G:\WINDOWS\Cookies\hp authorized customer@servedby.advertising[1].txt
    G:\WINDOWS\Cookies\hp authorized customer@advertising[1].txt
    G:\WINDOWS\Cookies\hp authorized customer@atdmt[2].txt
    G:\WINDOWS\Cookies\hp authorized customer@netfastmedia[1].txt
    G:\WINDOWS\Cookies\hp authorized customer@mediaplex[1].txt
    G:\WINDOWS\Cookies\hp authorized customer@hitbox[2].txt
    G:\WINDOWS\Cookies\hp authorized customer@ehg-reunion.hitbox[2].txt
    G:\WINDOWS\Cookies\hp authorized customer@ehg-bestbuy.hitbox[2].txt
    G:\WINDOWS\Cookies\hp authorized customer@doubleclick[1].txt

Adware.Avenue Media/Internet Optimizer
    HKU\S-1-5-21-1800473919-1003661161-478248697-1003\SOFTWARE\Policies\Avenue Media
    HKLM\SOFTWARE\Policies\Avenue Media
    HKU\S-1-5-21-1800473919-1003661161-478248697-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Trojan.Dropper/Start-NV
    C:\DOCUMENTS AND SETTINGS\OWNER\START MENU\PROGRAMS\STARTUP\SISZYD32.EXE
    C:\WINDOWS\Prefetch\SISZYD32.EXE-16E0F528.pf
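
An added example (not part of any post in this thread, and not HijackThis's own logic): a Python triage of the O4 autostart lines from the HijackThis logs posted above. The two heuristics and the `C:\WINDOWS` root are assumptions, chosen because they match the entries Malwarebytes and SUPERAntiSpyware reported here; the last function compares the logs taken before and after the Malwarebytes scan.

```python
import re
from ntpath import dirname  # Windows path rules, regardless of the host OS

# O4 (autostart) lines excerpted from the HijackThis logs posted in this thread,
# taken before and after the Malwarebytes scan.
LOG_BEFORE = r'''
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Bzowoganides] rundll32.exe "C:\WINDOWS\inogijanileriheh.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: siszyd32.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
'''
LOG_AFTER = r'''
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: siszyd32.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
'''

WINDOWS_ROOT = r'c:\windows'  # assumption: the system root shown in these logs
EXEC_EXT = ('.exe', '.scr', '.com', '.bat', '.cmd', '.pif')

ENTRY_RE = re.compile(r'^(?P<code>[RO]\d+) - (?P<body>.+)$')
RUN_RE = re.compile(
    r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^(?P<scope>(?:Global )?Startup): (?P<item>.+)$')
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


def parse_hjt(text):
    """Return (code, body) tuples for every HijackThis result line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m['code'], m['body']))
    return entries


def flag_autoruns(entries):
    """Return (name, reason) for O4 entries matching the two heuristics."""
    findings = []
    for code, body in entries:
        if code != 'O4':
            continue
        run = RUN_RE.match(body)
        if run:
            # Heuristic 1: a Run value that uses rundll32 to load a DLL sitting
            # directly in the Windows root instead of system32 or Program Files.
            dll = RUNDLL_RE.match(run['cmd'])
            if dll and dirname(dll['dll']).lower() == WINDOWS_ROOT:
                findings.append(
                    (run['name'], 'rundll32 loads a DLL from the Windows root'))
            continue
        startup = STARTUP_RE.match(body)
        # Heuristic 2: a Startup-folder item that is an executable itself rather
        # than a shortcut (shortcuts are listed as "name.lnk = target").
        if (startup and ' = ' not in startup['item']
                and startup['item'].lower().endswith(EXEC_EXT)):
            findings.append(
                (startup['item'], 'executable sits directly in the Startup folder'))
    return findings


def persistence_diff(before, after):
    """Return (O4 bodies removed between scans, flagged names still present)."""
    after_entries = parse_hjt(after)
    remaining = set(after_entries)
    removed = [body for code, body in parse_hjt(before)
               if code == 'O4' and (code, body) not in remaining]
    survived = [name for name, _ in flag_autoruns(after_entries)]
    return removed, survived


if __name__ == '__main__':
    for name, reason in flag_autoruns(parse_hjt(LOG_BEFORE)):
        print(f'review: {name}: {reason}')
    removed, survived = persistence_diff(LOG_BEFORE, LOG_AFTER)
    print('removed by cleanup:', removed)
    print('still autostarting:', survived)
```

The flags are leads for review, not verdicts: in this thread the scanner logs are what confirmed the two entries as malicious.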
 
Kudos0

Re: My pc sending spam

Hi berryware

You really should get a good firewall to use other than just the Windows firewall. I believe that is only a one way firewall. Since this appears to be an email problem, what ports are you using for outgoing and incoming emails and also what email program are you using?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: My pc sending spam

Well,

I have a band-aid on the problem.

I downloaded Sunbelt Firewall and that is stopping the outgoing and incoming spam.

Before I installed the firewall here are some of the things I tried that were unsuccessful.

I uninstalled just about every application that connected to the internet; AOL, bittorrent, limewire, Google Chrome, etc. Still had the problem.

Changed my IP address, still had the problem.

Ran netstat -ano and watched a ton of messages on port 25 working with ccSVCHst.exe (Norton AntiVirus). This is when I started looking for how to block port 25.

Went through my services, I don't have SMTP service of any kind on Windows XP Home.

Since the firewall stopped the problem, I am sure the malware is still residing on my PC. It is possible new definitions will find it in a few weeks or months.

Here is the final Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:17 PM, on 12/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O17 - HKLM\Software\..\Telephony: DomainName = hsd1.mn.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D67A976-E67A-40C2-948E-0F871FEDFA34}: NameServer = 68.87.77.134,68.87.72.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsd1.mn.comcast.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 3670 bytes
 

If anyone has any insight, it would be appreciated.

Thanks!!
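The netstat -ano check described in the post above can be turned into a repeatable triage step. The following is an added example, not part of any post in this thread: the sample output is constructed (documentation-range addresses, made-up PIDs), and the function names and the three-host threshold are assumptions. It groups active outbound connections to port 25 by owning PID. As in the post, the PID it flags can belong to a security product (there, ccSvcHst.exe) rather than to the malware itself.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1041      203.0.113.5:25         ESTABLISHED     1484
  TCP    192.168.1.10:1042      198.51.100.17:25       SYN_SENT        1484
  TCP    192.168.1.10:1043      198.51.100.44:25       ESTABLISHED     1484
  TCP    192.168.1.10:1044      203.0.113.90:25        TIME_WAIT       0
  TCP    192.168.1.10:1050      192.0.2.8:80           ESTABLISHED     2216
  TCP    192.168.1.10:1051      192.0.2.25:587         ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local host:port, remote host:port, state, PID (TCP rows only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
ACTIVE = {"ESTABLISHED", "SYN_SENT"}  # connections being opened or in use


def smtp_by_pid(text, port=25):
    """Map PID -> set of remote hosts with an active TCP connection to `port`."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _lhost, _lport, rhost, rport, state, pid = m.groups()
        if int(rport) == port and state in ACTIVE:
            hits[int(pid)].add(rhost)
    return dict(hits)


def suspicious_pids(text, min_hosts=3, port=25):
    """PIDs talking to at least `min_hosts` distinct mail servers at once.

    The threshold is an assumption: a desktop mail client normally talks to
    one or two SMTP servers, a spam bot to many.
    """
    return sorted(pid for pid, hosts in smtp_by_pid(text, port).items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for pid, hosts in smtp_by_pid(SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} SMTP peers -> {sorted(hosts)}")
    print("flagged PIDs:", suspicious_pids(SAMPLE))
```

On a live machine the input would be the saved output of netstat -ano, and the flagged PID can be matched to a process name in Task Manager or with tasklist.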

Kudos0

Re: My pc sending spam

Hi berryware

I notice that you have one care live on your computer. Is this one care live a real time antivirus scanner? I wonder if that isn't a conflict with NAV. What email program are you using and what email ports are you required to use by your ISP? Are you using a web based program or something like Outlook Express?

Kudos0

Re: My pc sending spam

Hi berryware

Please run a GMER scan so we can rule out any rootkit activity that may still be lurking on your computer. You had previous malware on your computer and that malware may have entered your computer thanks to a rootkit. The other malware may have been cleaned up, but the original rootkit if there is one, may still be lurking around in your computer. Please just run the scan and don't try to fix any of it by yourself. Thanks

http://www.gmer.net/

After it is downloaded to your desktop, right click on the icon, go to properties, and click unblock and apply. For Vista, right click and run as administrator.



Make certain that auto protect in Norton is disabled while running the scan. If your machine crashes, try running it with all of the boxes unchecked, except for Registry and files.



You will be able to post the log here using the "add attachments" link below the orange post button.

Kudos0

Re: My pc sending spam

Hi,

I did download that application. In the summary it did say there was an issue. Something like "BSMSG". The malware/virus was definitely living in the services considering the outbound network traffic and random addresses reported by the firewall.

When attempting to do a detailed scan, it failed several times so I rebooted in safe mode with no network support. I ran the scan all day. When I came back to check on it, my computer screens were blank. I did a forced shutdown and restart, however the PC no longer turns on. The hard drive is there and I can get to an F8 safe mode boot menu. But any further in the startup process I just see a black screen.

It is OK, I have had the PC for several years and I am due for a new one.

My new question is this. After I get my new PC and have a good install of NAV on it, I would like to install the old hard drive as a slave in my new PC. This way I can get files etc. off of it.

Any foreseeable issues as the drive will still have the malware residing on it?

Thanks

Kudos0

Re: My pc sending spam

floplot

Hi, I tried this GMER on two machines. It seems when you execute the program it carries out a very short scan. It seems this is inadequate and the user actually needs to then select "scan" to carry out a proper scan of the drives. Do you concur?

BTW on my main machine GMER always crashes the machine, I have not found a solution yet. It seems that GMER must be used with caution.

Can I also just clarify that when you say turn autoprotect off you are referring to real time protection? Is it also necessary to turn off the subsets: caching, early load, removable media scan?

Kudos2 Stats

Re: My pc sending spam

Hi,

I've been having a similar problem to this, which has taken me 2 days to find and solve.

I've posted the details on my blog if you'd like to look here:

http://leitrimbrian.blogspot.com/2010/01/virus-fixed.html

Kudos0

Re: My pc sending spam

Here is the text from leitrimBrian's blog post:

I just had the worst virus in the history of the world.

When I plugged in my network cable/started wireless I could see that something was hitting the line pretty hard with loads of uploads and downloads. Running wireshark, I found that there was all sorts of crap getting fired to random email addresses, mostly about viagra and the like. Typical malware.

No problem, I'll run SuperAntiSpyware - nothing showed up. I then tried MS Malicious Software removal tool - nothing. Then tried Malwarebytes Anti-Malware, again nothing. Onto MS Security Essentials, you guessed it, nothing. I dug around with "HijackThis", and cleaned up a load of crap, but still the same thing. Tried a few other anti spy/mal/virus ware just in case they'd hit the target, but still no luck.

Finally, I dug out my credit card and got a 30-day trial copy of Norton Antivirus. Upon starting the software, it told me that an email I was trying to send (or rather the spam that the virus was trying to send) could not be sent. It was generating all sorts of random recipients with subject "Notification to xzy special 80% off Pfizer", and the sender was "Authorized VIAGRA Distributer".

I came across another chap on the Norton website who was having similar problems, and the suggestion was to boot into safe mode (hit F8 like crazy when the Windows splash screen appears), and run a Norton full scan. When I tried this I found that there was a file called "zxlqxqg.sys" in my c:\windows\system32\drivers\ directory which was detected to be a "Hacktool.Rootkit". Well done Norton! The only problem was that he wasn't able to remove it. Screw this, I've been fighting this for a few days now, so I did this manually by booting into the rescue system and moved the file to a USB disk.

Booted back into normal windows, plugged in the ethernet cable, and at long, long, long last, no more spam clogging up my line !

Hope this is of help to someone. If you need more details on what I did I'd be glad to post more details.

Now I have the offending sys file on my linux box, I'm going to play about with it under wine.

Thanks for sharing your experience, Brian!

This thread is closed from further comment. Please visit the forum to start a new thread.