Occasionally I get a message from an organization that I subscribed to sometime ago. Last night, I forwarded on of the messages to two people. However, I found out that it actually went out to every person in my address book. I've checked for spy ware and ran my anti-virus and came up with nothing. I'm going to run it again to see if I have some sort of spy ware on my system that caused it to do that. I use Outlook Express for my e-mail. Do you think that the organization that I subscribed to does this purposely? Or maybe some sort of spy ware on my system is doing it? Thanks. ~Frank~

Were you trying to CC or BCC send it?

I have noticed, that if you aren't careful, sometimes, OE will just add everyone in your address book, if you try to CC...more than once I've had to 'trim' out the addresses I didn't want it to go to. (The last time I used OE was over a year ago...I don't even have it set up with the ISP I signed up for last March...so it was before then.)

If you want, go ahead and post a HJT log.

Were you trying to CC or BCC send it?


If you want, go ahead and post a HJT log.
I didn't CC OR BCC. I just clicked on send. Actually, when I said I sent it to two persons, I actually only sent it to one at a time. I sent one to my grandson only. I then went back and sent one to a friend of mine.
I think I will post a HJT log in a little while.

Here's my log. When someone has the time, I'd appreciate it if you would look it over. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 12:13:36 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
G:\Installed Utilities, etc_2\HiJack This_Nov.26-06\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winsupersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - [url]http://www.drivershq.com/DD_v4.CAB[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [url]http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - [url]http://www.alternatiff.com/install/00/alttiff.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://files.member.yahoo.com/dl/installs/sbc/yinst.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159535976218[/url]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - [url]http://www.live365.com/players/play365.cab[/url]
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - [url]http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?321[/url]
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

If it wasn't a CC or BCC operation, then yeah, I'd say chances are there is something else up...

I don't see anything in your log. Let's run a couple of scans:

Click here (http://support.f-secure.com/enu/home/ols3.shtml) to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)



Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")

Close ewido. Do not run it yet.


Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.


In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Restart back into Normal Mode.


Post back with results from these scans...

OK--I'll run that a little later on today. I've got to go out side now and shovel snow from the sidewalk. We had a couple of inches this morning. I can't wait until summer for some nice warm weather....

Wow! You were certainly correct when you told me to have patience as it would take a while to scan. I did both as you suggested and did a copy/paste of what I got. The top portion is from Ewido and the bottom is what I got from F-Secure.
VG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:39:47 PM 2/13/2007

+ Scan result:



C:\Program Files\PestPatrol\Quarantine\20041216210750.zip/Documents and Settings/Owner/Cookies/owner@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040831083319531.zip/Documents and Settings/Owner/Cookies/owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040712215659750.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040915191412968.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040926182825062.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20041216210750.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20041231092925.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20050212095431.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20050602120340.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20050624211330.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20050817202920.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20050904213459.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20051005195019.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20051025125814.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20051216222150.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20060422212649.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20061028232902.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20061114201627.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20061201093723.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20070211110103.zip/Documents and Settings/Owner/Cookies/owner@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20070211110103.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Program Files\PestPatrol\Quarantine\20041216210750.zip/Documents and Settings/Owner/Cookies/owner@hypertracker[2].txt -> TrackingCookie.Hypertracker : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040831090834921.zip/Documents and Settings/Owner/Cookies/owner@stat.onestat[2].txt -> TrackingCookie.Onestat : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040913153134406.zip/Documents and Settings/Owner/Cookies/owner@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040831090834921.zip/Documents and Settings/Owner/Cookies/owner@specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040904173235937.zip/Documents and Settings/Owner/Cookies/owner@specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040913153134406.zip/Documents and Settings/Owner/Cookies/owner@specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040915191412968.zip/Documents and Settings/Owner/Cookies/owner@specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040831090834921.zip/Documents and Settings/Owner/Cookies/owner@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Program Files\PestPatrol\Quarantine\20040915191412968.zip/Documents and Settings/Owner/Cookies/owner@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Program Files\PestPatrol\Quarantine\20041231092925.zip/Documents and Settings/Owner/Cookies/owner@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Program Files\PestPatrol\Quarantine\20060422212649.zip/Documents and Settings/Owner/Cookies/owner@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Program Files\PestPatrol\Quarantine\20060428111218.zip/Documents and Settings/Owner/Cookies/owner@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Program Files\PestPatrol\Quarantine\20060428111218.zip/Documents and Settings/Owner/Cookies/owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

Below is the report I got from F-Secure
Scanning Report
Tuesday, February 13, 2007 18:00:57 - 20:15:53
Computer name: HP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\ H:\ I:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 46982
System: 5385
Not scanned: 3
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
G:\PAGEFILE.SYS

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-02-13
F-Secure AVP: 7.0.171, 2007-02-13
F-Secure Orion: 1.2.37, 2007-02-13
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2007-01-12
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL?
RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI
TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World
Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of
our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make
available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure
public web site by clicking on underlined links. While doing this, your access will be logged to our private
access statistics with your domain name.This information will not be given to any third party. You agree not
to take action against us in relation to material that you submit. Unless you have clearly stated otherwise,
by submitting material you warrant
that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without

I'd keep your eye on the e-mail, but I don't see anything in your logs....

I'd keep your eye on the e-mail, but I don't see anything in your logs....

I'll do that. Thanks for the time you spent on this...