help needed/hijack this log

  1. #1
    cornish pasty (Newbie)

    Hi all
    First post and not a techie, so any layman's help appreciated.
    Running XP with Norton AntiVirus, Spybot, Ad-Aware and SpywareBlaster, all up to date and showing no problems, but as I am on broadband I keep finding emails being sent but blocked by Symantec. About 500 an hour!! Have tried all sorts of suggestions, the latest being HijackThis, so here is the log. Can anyone decipher it and tell me what to do next in simple language please, as this is driving me mad.

    thanks
    c.pasty

    Logfile of HijackThis v1.98.2
    Scan saved at 13:30:55, on 21/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msfr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\wmuagrd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\ll.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\IExplore32b.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Giles\Local Settings\Temporary Internet Files\Content.IE5\6PH9A23M\hijackthis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKLM\..\Run: [Windows Registry Express Loader] regexpress.exe
    O4 - HKLM\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKLM\..\Run: [Win32] C:\ll.exe
    O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKLM\..\RunServices: [Windows Registry Express Loader] regexpress.exe
    O4 - HKLM\..\RunServices: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\RunServices: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKLM\..\RunOnce: [Win32 FRT Driver] msfr32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKCU\..\Run: [Windows Registry Express Loader] regexpress.exe
    O4 - HKCU\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKCU\..\Run: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKCU\..\RunOnce: [Win32 FRT Driver] msfr32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1098371060140
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFAF3A91-4D90-47E6-9C12-7E934EFE5888}: NameServer = 212.74.114.129 212.74.114.193


  2. #2
    owen (D-A-L Team Member (UK))
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    O4 - HKLM\..\Run: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKLM\..\Run: [Windows Registry Express Loader] regexpress.exe
    O4 - HKLM\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\Run: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKLM\..\Run: [Win32] C:\ll.exe
    O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKLM\..\RunServices: [Windows Registry Express Loader] regexpress.exe
    O4 - HKLM\..\RunServices: [Win32 FRT Driver] msfr32.exe
    O4 - HKLM\..\RunServices: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKLM\..\RunOnce: [Win32 FRT Driver] msfr32.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] wmuagrd.exe
    O4 - HKCU\..\Run: [Windows Registry Express Loader] regexpress.exe
    O4 - HKCU\..\Run: [Win32 FRT Driver] msfr32.exe
    O4 - HKCU\..\Run: [IExplorer32 Java Scripting] IExplore32b.exe
    O4 - HKCU\..\RunOnce: [Win32 FRT Driver] msfr32.exe

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders. Search for the ones that don't have a specific location:
    C:\ll.exe
    C:\WINDOWS\System32\msfr32.exe
    C:\WINDOWS\System32\wmuagrd.exe
    C:\WINDOWS\System32\IExplore32b.exe
    regexpress.exe

    Reboot and post a fresh log
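
An added triage example (not part of the thread, and not owen's or HijackThis's own tooling): the Python script below parses the O4 autostart lines from the first log above and scores each executable on the persistence patterns that owen's fix list targets, so a reader can see why those particular entries stand out while the Logitech, Symantec and ctfmon entries do not. The sample lines are copied from the log; the heuristic weights and the threshold are this example's own choices, not a published scoring scheme.

```python
import re
from collections import defaultdict

# Constructed sample: O4 (autostart) lines taken from the first log in this
# thread, with a few legitimate entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wmuagrd.exe
O4 - HKLM\..\Run: [Windows Registry Express Loader] regexpress.exe
O4 - HKLM\..\Run: [Win32 FRT Driver] msfr32.exe
O4 - HKLM\..\Run: [IExplorer32 Java Scripting] IExplore32b.exe
O4 - HKLM\..\Run: [Win32] C:\ll.exe
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wmuagrd.exe
O4 - HKLM\..\RunServices: [Win32 FRT Driver] msfr32.exe
O4 - HKLM\..\RunOnce: [Win32 FRT Driver] msfr32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wmuagrd.exe
O4 - HKCU\..\Run: [Win32 FRT Driver] msfr32.exe
O4 - HKCU\..\RunOnce: [Win32 FRT Driver] msfr32.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Vocabulary that malware borrows for value names so they read like OS components.
LOOKALIKE_RE = re.compile(r"microsoft|windows|win32|update|driver|java|oem", re.I)


def parse_o4(log_text):
    """Yield (hive, key, value_name, exe) for each O4 line; exe is the command's
    executable with quotes and trailing arguments stripped."""
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe_m = re.match(r'"?(.*?\.exe)', cmd, re.I)
        exe = exe_m.group(1) if exe_m else cmd.strip('"').split()[0]
        yield hive, key, name, exe


def triage(log_text, threshold=3):
    """Aggregate O4 entries per executable, score them on persistence-pattern
    heuristics (weights are this example's choice) and return those scoring at
    least `threshold`, most suspicious first."""
    by_exe = defaultdict(lambda: {"names": set(), "locations": set()})
    for hive, key, name, exe in parse_o4(log_text):
        by_exe[exe.lower()]["names"].add(name)
        by_exe[exe.lower()]["locations"].add((hive, key.lower()))

    results = []
    for exe, info in by_exe.items():
        hits = []
        bare = "\\" not in exe                                 # no directory: resolved via search path
        root = re.match(r"^[a-z]:\\[^\\]+$", exe) is not None  # sits directly in the drive root
        keys = {k for _, k in info["locations"]}
        if bare:
            hits.append((1, "bare filename, no install directory"))
        if root:
            hits.append((2, "executable in the drive root"))
        if (bare or root) and any(LOOKALIKE_RE.search(n) for n in info["names"]):
            hits.append((2, "system-sounding value name on an unpathed binary"))
        if "runservices" in keys:
            # RunServices is a Windows 9x/Me key; XP ignores it, so a value there
            # is written by a persistence template, not by an installer.
            hits.append((2, "RunServices key (not used by XP)"))
        if "runonce" in keys and "run" in keys:
            hits.append((1, "RunOnce re-armed alongside Run"))
        if len(info["locations"]) >= 3:
            hits.append((1, "registered in %d autostart locations" % len(info["locations"])))
        score = sum(points for points, _ in hits)
        if score >= threshold:
            results.append({"exe": exe, "score": score, "reasons": [why for _, why in hits]})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['score']:>2}  {r['exe']:<16} {'; '.join(r['reasons'])}")
```

Run as-is it lists exactly the six executables in owen's fix list, with msfr32.exe on top (five autostart locations, including RunServices and RunOnce), and leaves the Logitech entry alone even though it is also a bare filename: a single weak indicator is not enough, several stacked on one binary is the signal.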

  3. #3
    cornish pasty (Newbie)
    thanks owen, have followed all instructions and enclose the log. Only point to add is re finding the file wmuagrd.exe: could only find a file listed as wmuagrd.exe-2BUDE12E.pf and so assumed this was the one and deleted it.

    also regexpress.exe could not be found under any search!!

    here is the new log, will wait to hear what next.

    many thanks again in anticipation

    Logfile of HijackThis v1.98.2
    Scan saved at 22:41:28, on 22/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\windows\system32\windra.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Giles\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\Run: [Spool] C:\windows\system32\windra.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098371060140
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFAF3A91-4D90-47E6-9C12-7E934EFE5888}: NameServer = 212.74.114.129 212.74.114.193

  4. #4
    owen (D-A-L Team Member (UK))
    That's a clean log, how are things running?

  5. #5
    cornish pasty (Newbie)
    still no better, overnight with broadband left connected Norton/Symantec stopped 800 attempted spam emails!!

    any ideas?

  6. #6
    owen (D-A-L Team Member (UK))
    Could you give me an example of one of these messages? Which email program are you using? Do you leave your email program open? What version of Norton are you running?

  7. #7
    cornish pasty (Newbie)
    just returned to the pc and a further 300 messages failed to be sent, hate to think how many are getting through!!

    error messages vary but come up in a Symantec email proxy prompt box with messages such as "your email message was unable to be sent because your mail server rejected your message" or "because connection to user was interrupted" or "user does not have a yahoo.com account". The messages vary per email and are not constantly the same, nor is the subject constantly the same.

    they are for viagra, other prescriptions, porn etc!!

    am running Internet Explorer 6, sometimes leave email open but sometimes not, doesn't seem to matter, these emails get sent anyway!!

    am running Norton AntiVirus 2003 (Dell copy) but all updated weekly with autoupdate, and doing it more frequently at the moment to try and trace the problem, but it finds nothing. also got Spybot Search and Destroy and Ad-Aware SE Personal and SpywareBlaster, all running, up to date and generally saying all clear other than the odd cookie spotted. also do some online virus checks that generally seem to come up clean.

    any other ideas??
    thanks

  8. #8
    owen (D-A-L Team Member (UK))
    Unfortunately, spam email is something you can't stop, you have to rely on filtering software to stop these bad emails. This is not something affected by you. I am quite lucky because I hardly ever receive spam, but when I do, I try to report the person who sent it to their email provider, etc, depending on circumstances. Yahoo are perhaps the best email provider because they really do take action. If you report spam to them, they will shut the account immediately.

    Have a read of this small bit of information about Antispam software.

    As for the error messages, Norton Antivirus will collect your emails instead of your email application. This means that sometimes it will have trouble with server timeouts and sometimes email software can be a bit temperamental. When I had a Norton trial, whatever I did, it would not connect to my email server. I reinstalled Norton and the problem was solved.

  9. #9
    cornish pasty (Newbie)
    sorry owen, maybe I was a bit unclear in my message. the problem is that I am sending the spam!!! my filtering on incoming spam is good and I get v little incoming spam, but somehow something is, I assume, hijacking (not sure if this is the correct terminology) my pc to send out spam from my pc. it just fired up now midway through me typing this and tried to send out another 80 (tried to, but again Symantec stopped it, but it means the computer gets locked and I have to reboot every time I return to the pc).

    i go to outlook and it doesn't show from there, and my purpose in trying to show you the spam subject lines (such as viagra, prescriptions, porn etc) was merely to show that every message that I am sending out that Symantec is blocking is different.

    any other ideas? is this a file or trojan somewhere within my pc that keeps launching??

    thanks and sorry to be a pain but it is incredibly frustrating.
    Last edited by cornish pasty; 23-11-2004 at 08:33 PM.

  10. #10
    owen (D-A-L Team Member (UK))
    Reboot

    After reboot, don't end any processes and post a Hijack This log back here. Then I'll take a look to see if there is any evidence of a Bot.
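
An added example of what "evidence of a bot" looks like from the network side (not part of the thread; the records are constructed, not logs from the poster's machine). A legitimate mail client talks to one configured relay, whereas a spam bot opens direct connections to many different mail servers in a short time, which is the pattern behind hundreds of blocked messages an hour. The script builds a constructed firewall-style connection log (one bursting workstation, one normal mail user, some web traffic) and flags any source that opens many TCP/25 connections to many distinct destinations inside a sliding window. Host names, addresses, thresholds and the log format are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (this example's own): "<date> <time> src= dst= dport= action="
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def build_sample_log():
    """Constructed records: 192.168.1.10 fires 80 direct-to-MX connections in
    two minutes (all blocked), 192.168.1.20 sends three messages through its
    ISP relay and browses the web. None of this is real traffic."""
    t0 = datetime(2004, 11, 23, 20, 10, 0)
    lines = []
    for i in range(80):   # bot: a different destination almost every time
        ts = t0 + timedelta(seconds=1.5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=192.168.1.10 dst=203.0.113.{i % 250 + 1} dport=25 action=block")
    for i in range(3):    # normal mail client: one relay, a few connections
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=192.168.1.20 dst=198.51.100.25 dport=25 action=allow")
    for i in range(10):   # background web traffic, ignored by the detector
        ts = t0 + timedelta(seconds=7 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=192.168.1.20 dst=192.0.2.{i + 1} dport=80 action=allow")
    return "\n".join(sorted(lines))


def detect_smtp_bursts(log_text, window=timedelta(minutes=10), min_conns=20, min_dsts=10):
    """Return one alert per source that opens >= min_conns outbound TCP/25
    connections to >= min_dsts distinct hosts within `window`. Blocked attempts
    count too: the attempt itself is the signal, whether or not it succeeded."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    alerted = {}                  # src -> details at the moment the threshold was crossed
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_s, src, dst, dport, _action = m.groups()
        if dport != "25":
            continue
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop connections that aged out
            q.popleft()
        distinct = {d for _, d in q}
        if src not in alerted and len(q) >= min_conns and len(distinct) >= min_dsts:
            alerted[src] = {"src": src, "connections": len(q),
                            "distinct_destinations": len(distinct), "at": ts}
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_smtp_bursts(build_sample_log()):
        print(f"{alert['at']:%H:%M:%S} {alert['src']}: {alert['connections']} SMTP connections "
              f"to {alert['distinct_destinations']} hosts")
```

The distinct-destination condition is what keeps the normal user quiet: even a heavy mailer sends everything through the one relay its client is configured for, so it never accumulates many different TCP/25 peers. The bot crosses both thresholds on its twentieth connection, well before the hourly totals the poster was seeing.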
