05.14.2008 at 01:46PM PDT, ID: 23403082
Router shows computer is spamming, but no signs of it on computer.

Asked by kendalltech in Networking Security Vulnerabilities, Miscellaneous Security, Anti-Virus

Tags: Microsoft, Windows XP, SP2

Hi all, I've run TCPView, Autoruns, HijackThis, two different good virus scanners (CA Antivirus and Trend Micro), netstat -ab (got some unknown components, but I've seen those before with rpcss.dll), and even looked in msconfig for anything unusual on a system on our network, and it doesn't show anything suspicious. But when I looked at the firewall log on the router, I saw that the computer is repeatedly trying to send spam mail to what seems like every mail server on the planet within a few seconds (it's trying to connect on port 25, but I have it blocked going out). When I shut down the computer, the router stops receiving attempts. It starts back up when I turn the computer back on, so I know there is something wrong with this computer.

The first virus scan found some mild viruses that it deleted, but it hasn't found any since, even after a restart. Does anyone have some tips on finding out what's causing this, or eliminating it?

I've attached the "Everything" Autoruns log (with verify code signatures and hide Microsoft entries) in the code snippet just in case.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run			
+ Adobe Photo Downloader	Adobe Photoshop Album Starter Edition 3.0 component	(Not verified) Adobe Systems Incorporated	c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe
+ Adobe Reader Speed Launcher	Adobe Acrobat SpeedLauncher	(Verified) Adobe Systems, Incorporated	c:\program files\adobe\reader 8.0\reader\reader_sl.exe
+ CAVRID	CA Anti-Virus Realtime Infection Report	(Verified) CA	c:\program files\ca\etrust internet security suite\etrust ez antivirus\cavrid.exe
+ cctray	CA Common Tray	(Verified) CA	c:\program files\ca\ca internet security suite\cctray\cctray.exe
+ IntelAudioStudio	Intel(R) Audio Studio	(Not verified) Intel Corporation	c:\program files\intel audio studio\intelaudiostudio.exe
+ NeroFilterCheck	NeroCheck	(Not verified) Ahead Software Gmbh	c:\windows\system32\nerocheck.exe
+ QOELOADER	QOELoader Application	(Verified) CA	c:\program files\ca\ca internet security suite\ca anti-spam\qsp-6.0.1.33\qoeloader.exe
+ QuickBooksDB17	Adaptive Server Anywhere Network Server	(Verified) Intuit, Inc.	c:\program files\intuit\quickbooks enterprise solutions 6.0\qbdbmgrn.exe
+ SunJavaUpdateSched	Java(TM) Platform SE binary	(Verified) Sun Microsystems, Inc.	c:\program files\java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup			
+ QuickBooks Update Agent.lnk	QuickBooks Automatic Update	(Verified) Intuit, Inc.	c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
HKLM\SOFTWARE\Classes\Protocols\Filter			
+ application/octet-stream	Microsoft .NET Runtime Execution Engine	(Not verified) Microsoft Corporation	c:\windows\system32\mscoree.dll
+ application/x-complus	Microsoft .NET Runtime Execution Engine	(Not verified) Microsoft Corporation	c:\windows\system32\mscoree.dll
+ application/x-msdownload	Microsoft .NET Runtime Execution Engine	(Not verified) Microsoft Corporation	c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components			
+ n/a	Microsoft .NET IE SECURITY REGISTRATION	(Not verified) Microsoft Corporation	c:\windows\system32\mscories.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved			
+ Display Panning CPL Extension			File not found: deskpan.dll
+ CA_AntiVirus	CA Anti-Virus Shell Extension Handler	(Verified) CA	c:\program files\ca\etrust internet security suite\etrust ez antivirus\avshlext.dll
+ Fusion Cache	Microsoft .NET Runtime Execution Engine	(Not verified) Microsoft Corporation	c:\windows\system32\mscoree.dll
+ NeroDigitalIconHandler	Nero Digital Shell Extension	(Not verified) Nero AG	c:\program files\common files\ahead\lib\nerodigitalext.dll
+ NeroDigitalPropSheetHandler	Nero Digital Shell Extension	(Not verified) Nero AG	c:\program files\common files\ahead\lib\nerodigitalext.dll
+ QBVersionTool	QBVersionTool	(Verified) Intuit, Inc.	c:\program files\common files\intuit\quickbooks\qbversiontool.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers			
+ NeroDigitalColumnHandler Class	Nero Digital Shell Extension	(Not verified) Nero AG	c:\program files\common files\ahead\lib\nerodigitalext.dll
+ PDF Shell Extension	PDF Shell Extension	(Not verified) Adobe Systems, Inc.	c:\program files\common files\adobe\acrobat\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects			
+ Adobe PDF Reader Link Helper	Adobe PDF Helper for Internet Explorer	(Verified) Adobe Systems, Incorporated	c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll
+ SSVHelper Class	Java(TM) Platform SE binary	(Verified) Sun Microsystems, Inc.	c:\program files\java\jre1.6.0_01\bin\ssv.dll
Task Scheduler			
+ CAAntiSpywareScan_Daily as Jeremy at 12 01 PM.job	CAAntiSpyware Application	(Verified) CA	c:\program files\ca\ca internet security suite\ca anti-spyware\caantispyware.exe
HKLM\System\CurrentControlSet\Services			
+ CAISafe	CA ISafe Service	(Verified) CA	c:\program files\ca\etrust internet security suite\etrust ez antivirus\isafe.exe
+ DCSLoader	OPHALDCS	(Not verified) Oki Data Corporation	c:\windows\system32\spool\drivers\w32x86\3\ophaldcs.exe
+ ITMRTSVC	Service component for CA Pest Patrol Realtime Protection	(Verified) CA	c:\program files\ca\sharedcomponents\pprt\bin\itmrtsvc.exe
+ VETMSGNT	CA Anti-Virus Realtime Messaging Service	(Verified) CA	c:\program files\ca\etrust internet security suite\etrust ez antivirus\vetmsg.exe
HKLM\System\CurrentControlSet\Services			
+ ACPI	ACPI Driver for NT	(Not verified) Microsoft Corporation	c:\windows\system32\drivers\acpi.sys
+ NAL	Intel(R) Network Adapter Diagnostic Driver	(Not verified) Intel Corporation 	c:\windows\system32\drivers\iqvw32.sys
+ VET-FILT	CA Antivirus File Protection Driver	(Verified) CA	c:\windows\system32\drivers\vet-filt.sys
+ VET-REC	CA Antivirus File Protection Driver	(Verified) CA	c:\windows\system32\drivers\vet-rec.sys
+ VETEBOOT	RealTime Anti-Virus Protection Driver	(Verified) CA	c:\windows\system32\drivers\veteboot.sys
+ VETEFILE	RealTime Anti-Virus Protection Driver	(Verified) CA	c:\windows\system32\drivers\vetefile.sys
+ VETFDDNT	CA Antivirus File Protection Driver	(Verified) CA	c:\windows\system32\drivers\vetfddnt.sys
+ VETMONNT	CA Antivirus File Protection Driver	(Verified) CA	c:\windows\system32\drivers\vetmonnt.sys
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9			
+ CA ISafe LSP	CA ISafe LSP DLL	(Verified) CA	c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [RAW/IP]]	CA ISafe LSP DLL	(Verified) CA	c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [TCP/IP]]	CA ISafe LSP DLL	(Verified) CA	c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [UDP/IP]]	CA ISafe LSP DLL	(Verified) CA	c:\windows\system32\vetredir.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors			
+ Microsoft Document Imaging Writer Monitor	Microsoft® Document Imaging	(Not verified) Microsoft Corporation	c:\windows\system32\mdimon.dll
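The router log is the one place where this behaviour is unambiguous: a mail client talks to one or two fixed relays, while a bot doing its own delivery opens connections to many unrelated SMTP servers within seconds, and because outbound 25 is blocked at the router every attempt is logged as a drop. The script below is an added example, not code from the original post or from any participant. It assumes a hypothetical "DROP/ACCEPT OUT TCP src:port -> dst:port" syslog-style line format (real routers differ, so adjust LINE_RE) and uses constructed sample lines with documentation-range addresses; it counts port-25 attempts per internal host and flags any host that reaches a configurable number of distinct mail servers inside a sliding time window.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical firewall-log format (not the router log from the post).
# 192.168.1.23 fans out to six different mail servers in two seconds; 192.168.1.50 talks to a
# single relay, which is what an ordinary mail client looks like. Addresses are documentation ranges.
SAMPLE_LOG = """\
May 14 13:40:01 fw: DROP OUT TCP 192.168.1.23:1137 -> 203.0.113.10:25
May 14 13:40:01 fw: DROP OUT TCP 192.168.1.23:1138 -> 198.51.100.7:25
May 14 13:40:02 fw: DROP OUT TCP 192.168.1.23:1139 -> 192.0.2.44:25
May 14 13:40:02 fw: DROP OUT TCP 192.168.1.23:1140 -> 203.0.113.99:25
May 14 13:40:03 fw: DROP OUT TCP 192.168.1.23:1141 -> 198.51.100.200:25
May 14 13:40:03 fw: DROP OUT TCP 192.168.1.23:1142 -> 192.0.2.130:25
May 14 13:40:05 fw: ACCEPT OUT TCP 192.168.1.23:1143 -> 203.0.113.80:80
May 14 13:40:07 fw: DROP OUT TCP 192.168.1.50:2201 -> 198.51.100.25:25
May 14 13:45:00 fw: DROP OUT TCP 192.168.1.50:2202 -> 198.51.100.25:25
not a firewall line
"""

# Assumed line layout; change this pattern to match the router actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) fw: (?P<action>DROP|ACCEPT) OUT TCP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

Event = namedtuple("Event", "ts action src dst dport")


def parse_line(line):
    """Return an Event for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog-style timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return Event(ts, m.group("action"), m.group("src"), m.group("dst"), int(m.group("dport")))


def smtp_attempts_per_source(lines):
    """Count outbound port-25 connection attempts (allowed or dropped) per internal source address."""
    counts = defaultdict(int)
    for ev in filter(None, map(parse_line, lines)):
        if ev.dport == 25:
            counts[ev.src] += 1
    return dict(counts)


def smtp_fanout(lines, window_seconds=10, min_distinct_dst=5):
    """Flag sources that contact >= min_distinct_dst different SMTP servers within any
    window_seconds-long interval. Returns {src: peak number of distinct destinations}.
    Dropped attempts count the same as accepted ones: the bot's intent is what matters."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev.dport == 25:
            by_src[ev.src].append(ev)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most window_seconds wide.
            while events[end].ts - events[start].ts > window:
                start += 1
            peak = max(peak, len({e.dst for e in events[start:end + 1]}))
        if peak >= min_distinct_dst:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("port-25 attempts per source:", smtp_attempts_per_source(lines))
    for src, peak in smtp_fanout(lines).items():
        print(f"{src}: {peak} distinct SMTP servers inside 10s -> isolate and investigate this host")
```

Feed it the router's exported log instead of SAMPLE_LOG and the flagged address is the host to pull off the network; the per-source counts also tell you whether a second machine is quietly doing the same thing at a lower rate.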
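Two caveats about reading the Autoruns export above: "hide Microsoft entries" combined with "verify code signatures" removes anything that verifies as Microsoft-signed, so what remains is third-party and unsigned material, and "(Not verified)" was normal for 2008-era vendors (Adobe, Intel, Nero all appear that way here), so signature status is a sorting key rather than a verdict. A live Autoruns run can also be blinded by a kernel-mode rootkit, which is why a follow-up scan from clean boot media against the offline system is the stronger check. The helper below is an added example, not code from the post or from Sysinternals; it parses rows in the tab-separated layout shown above (location header line, then "+ name, description, publisher, image path"), with sample rows copied from the posted log plus one constructed row, and orders entries so missing files, unsigned binaries and autostarts from profile or temp directories come first.

```python
# Sample rows: the first six are copied from the posted Autoruns log (tabs written explicitly);
# the last row is constructed for this example and is not from the post.
SAMPLE_AUTORUNS = [
    "\t".join([r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "", "", ""]),
    "\t".join(["+ Adobe Photo Downloader", "Adobe Photoshop Album Starter Edition 3.0 component",
               "(Not verified) Adobe Systems Incorporated",
               r"c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"]),
    "\t".join(["+ CAVRID", "CA Anti-Virus Realtime Infection Report", "(Verified) CA",
               r"c:\program files\ca\etrust internet security suite\etrust ez antivirus\cavrid.exe"]),
    "\t".join(["+ NeroFilterCheck", "NeroCheck", "(Not verified) Ahead Software Gmbh",
               r"c:\windows\system32\nerocheck.exe"]),
    "\t".join([r"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved", "", "", ""]),
    "\t".join(["+ Display Panning CPL Extension", "", "", "File not found: deskpan.dll"]),
    "\t".join(["+ Example Updater", "", "",
               r"c:\documents and settings\user\local settings\temp\example.exe"]),
]

# Lower number = look at it sooner.
RISK_ORDER = {"missing": 0, "unsigned": 1, "not verified": 2, "verified": 3}

# Autostart images living under a user profile or a temp directory are unusual for installed
# software and are a classic place for malware to drop itself (heuristic, not a rule).
SUSPECT_PATH_FRAGMENTS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def classify(publisher, path):
    """Map Autoruns' publisher and image-path columns to a coarse trust status."""
    if path.lower().startswith("file not found"):
        return "missing"          # registry points at an image that is gone: dead entry or failed cleanup
    if publisher.startswith("(Verified)"):
        return "verified"         # Authenticode signature checked by Autoruns
    if publisher.startswith("(Not verified)"):
        return "not verified"     # publisher taken from version info; no valid signature
    return "unsigned"             # no publisher information at all


def parse_autoruns(lines):
    """Parse the tab-separated export into dicts, carrying the autostart location of each row."""
    entries, location = [], None
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if not fields[0].startswith("+ "):
            location = fields[0]          # header row naming the registry key or folder
            continue
        name, _description, publisher, path = (fields + [""] * 4)[:4]
        path_l = path.lower()
        entries.append({
            "location": location,
            "name": name[2:],
            "publisher": publisher,
            "path": path,
            "status": classify(publisher, path),
            "odd_path": any(frag in path_l for frag in SUSPECT_PATH_FRAGMENTS),
        })
    return entries


def triage(lines):
    """Return entries ordered so the ones worth a human's attention come first."""
    return sorted(parse_autoruns(lines),
                  key=lambda e: (not e["odd_path"], RISK_ORDER[e["status"]], e["name"].lower()))


def status_counts(lines):
    """Summary of how many entries fall into each trust status."""
    counts = {}
    for e in parse_autoruns(lines):
        counts[e["status"]] = counts.get(e["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_AUTORUNS):
        flag = " [odd path]" if e["odd_path"] else ""
        print(f"{e['status']:<13}{flag:<11}{e['name']:<32}{e['path']}")
    print(status_counts(SAMPLE_AUTORUNS))
```

Run it over the full export (Autoruns' File > Save writes the same tab-separated layout) rather than the handful of rows embedded here; for the rows that sort to the top, check the file's hash and on-disk timestamps before deciding anything.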
05.14.2008 at 03:10PM PDT, ID: 21569144 (Solution, not shown)

About this solution

Zones: Networking Security Vulnerabilities, Miscellaneous Security, Anti-Virus
Solution Provided By: r-k
Participating Experts: 1
Solution Grade: A

05.14.2008 at 06:07PM PDT, ID: 21569928 (Author Comment, not shown)

05.14.2008 at 06:22PM PDT, ID: 21569999 (Author Comment, not shown)

05.14.2008 at 08:50PM PDT, ID: 21570550 (Expert Comment, not shown)