I was working on some computers the last couple of days - 6 networked together on one internet connection. The place (a non-profit health care society extended care centre) had gotten a call saying that the ISP has been getting spam originating from that location (the router's IP address), and could they please do something about the problem (or else).
The router and hub led's were blinking at a furious clip, even when no one was using the computers - I unplugged network cables to determine which ones were extremely network active, and which weren't - in the following "Active" indicates the ones that were extremely active.
The router is a D-Link DI-604, probably set to default firewall setting - it connects to two hubs, downstream from it, then to the computers.

The ISP has a spam blocker that works pretty well. All the computers are checked every day automatically with AVG and there are no viruses. Three of them have XP Home SP2 and are checked every day with Microsoft's anti spyware program automatically and it finds them clean of what it looks for (one is "Active"). One has XP Home and has no anti-spyware protection other than the Windows Firewall (it's "Active"). One has Win98SE and has no anti-spyware protection (it's "Active"). One has Win98 and has no anti-spyware protection (it's fine).

On the one of the XP Home SP2 computers that was NOT extremely "Active" (it was running really slow), I ran SpyBot (it also runs automatically every day on that computer) - only cookies found. Then I ran Adaware - cookies and some Critical stuff found - I had it get rid of the Critical stuff. After I re-booted, there was a message the Windows Firewall is not enabled (that wasn't apparent previously) - I clicked on the baloon and tried to enable the Windows Firewall - it wouldn't load - an error message - said try doing it through Control Panel - Firewall. I tried that - it said can't load Firewall because ICS (Internet Connection Sharing) is not running - would I like Windows to try enabling ICS (or some such)? - I answered yes - it tried - cannot load ICS.

Today I ran an XP Repair Setup on that computer, then ran the SP2 CD install (all the computers with SP2 had been upgraded that way).
The Firewall is still disabled. ICS still will not load. Everything else seems fine, at least without digging around yet.
Does this problem sound familar to anyone out there? Is there a way of fixing it without having to install Windows from scratch?
There are a lot of programs on these computers that they probably don't have the original CD's for anymore, so I'd rather not do that.

The XP Home computer that is "Active" hasn't got a lot on it so we will just re-load Windows from scratch. The Win98SE computer that is "Active" may be dealt with the same way.

I have run SpyBot on the other two XP Home SP2 computers - on the one "Active" one it found a Firewall disabler - I let it remove it - the Windows Firewall is okay, but the computer is still "Active" when the Network cable is plugged in.

Any suggestions regarding good anti-Adware/Spyware/Trojan programs other than SpyBot and AdAware that are freeware or shareware/nagware? Or a program that specifcally finds spamming programs?

I downloaded and installed Trojan Hunter, but I haven't been able to get it to connect to it's servers (2) so far to update it.

Hi, Tubesanwires ...

You might want to try HijackThis; it's free, and you can d/l it at Merijn.org downloads, and you can have your log file evaluated here: HijackThis Log File .

Regarding the Windows Firewall and ICS will not load problem, I found a solution that works in this case.

That computer has the Microsoft AntiSpyware installed on it - Microsoft Windows Defender Beta, the first one, which is no longer updateable. Apparently in some circumstances, you can get the Windows Firewall and ICS will not load problem after it has been installed.

The solution: Reset the Windows winsock.

Go to the command prompt and then type the command: Netsh winsock reset

(Start - Run - type: netsh winsock reset, OK)

You are prompted to re-boot.
The Windows Firewall and ICS loaded and the firewall was working when Windows loaded again.
.........

Regarding the malware that was sending spam - I found a comparison of 5 top antispyware programs ( http://www.defeatspyware.org )
, downloaded the best rated one, Spyware Detector, installed it, and scanned some of the offending computers.
It found things AdAware, SpyBot, and Windows Defender did not. It yields you a detailed list, many of which are low risk cookies, but finds medium and high risk ones. On one computer that had been checked with AdAware, SpyBot, and Windows Defender, the list has about 335 entries, about 65 of which are medium or high risk.
One of the ones listed it names
W32.Spam trojan - one registry entry instance. That computer is not extremely network active and is probably not sending spam.

On another computer that is extremely network active (that Microsoft Windows Defender and SpyBot had already been run on), the same program finds 2xx entries, two of which are registry enrties it calls W32.Spam trojan that are different from one another - that computer is probably sending spam.
So far it appears to be this case: one registry entry the program labels W32.Spam trojan - it can't send spam; two entries, it can.

As usual with the better anti-adware/spyware/trojan programs the scan is free, but you must buy the program to have it get rid of the stuff it finds.
It shows you the offending registry entries but you can't scroll enough to see the end of the string. The cookies and other shorter entries display fine.