Have been blacklisted (spam) after getting the new virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by peterb1024, Nov 29, 2005.

  1. peterb1024

    peterb1024 Private E-2

    My computer got infected (over and over and over again) despite having the Windows XP Firewall and Zone Alarm Firewall active along with AVG Anti-Virus and Norton Anti-Virus active and now my IP address has been listed on a few spam lists as a spammer.

    What can I do?
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Windows Firewall is not a true firewall. You should not be running 2 firewalls; disable the Windows Firewall. Zone Alarm is much better. You should never have more than one Antivirus application installed on your computer. They will conflict with each other. Pick one AV application and uninstall the other.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. peterb1024

    peterb1024 Private E-2

    After running everything I was supposed to, here are all the problems that remain on my computer (it's an HTML report from the virus scanner Bit Defender that I've put on my web site)...

    http://www.peterbaptista.net/viruses_dec0305.html

    What on god's green earth can I do??
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Finish the steps in the tutorial and post a HijackThis log as an attachment.
     
  5. peterb1024

    peterb1024 Private E-2

    Ran all the steps and now here is my Hijack This! log
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This log appears to be from Safe Mode. I need a log from Normal Mode.
     
  7. peterb1024

    peterb1024 Private E-2

    Sorry about that... see attached.
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have 2 AntiVirus programs and 2 Firewalls installed, you only need 1 of each. Having more than one AV and Firewall installed on your system will create conflicts.

    You have Norton Antivirus and AVG Antivirus installed as well as Norton Personal Firewall and ZoneAlarm. Either uninstall Norton and keep AVG and ZoneAlarm, or uninstall AVG and ZoneAlarm and keep Norton.

    You should not be using MSCONFIG to disable any services or startups. Re-enable whatever you are disabling.

    Uninstall Weatherbug using Add or Remove Programs in the Control Panel.

    Scan with HijackThis and fix the following:
    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  9. peterb1024

    peterb1024 Private E-2

    I followed all your steps and now here is a fresh Hijack This log...

    Thanks for all your help by the way!!
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    I want to take a deeper look at your system.

    Follow the directions for Running Spy Sweeper.

    Post the Spysweeper log when finished.
     
  11. peterb1024

    peterb1024 Private E-2

    Here is the Spy Sweeper log and also a fresh Hijack log
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  13. peterb1024

    peterb1024 Private E-2

    Here is my rootkit log
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  15. peterb1024

    peterb1024 Private E-2

    Followed all of your instructions and here we go...
     


  16. peterb1024

    peterb1024 Private E-2

    and here is the last log
     

    Attached Files: log.txt (668 bytes)
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have 2 Thunderbird email attachments that are infected. The attachments are:
    File-packed_dataInfo.exe
    12.exe


    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  18. peterb1024

    peterb1024 Private E-2

    Here's the WinPFind log
     


  19. peterb1024

    peterb1024 Private E-2

    I can't seem to locate those viruses to remove... how can I get rid of them?
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    You're going to have to go through your emails till you find the ones with those attachments.
     
  21. peterb1024

    peterb1024 Private E-2

    Done and the viruses are gone, just deleted the data file since it wasn't in an actual e-mail but somehow had embedded itself into the inbox data file.

    Next step?
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your system should now be Malware free. How is your computer running?
     
  23. peterb1024

    peterb1024 Private E-2

    System seems to be running good however I did a Spy Sweeper scan last night and it reported it found some root kit files.
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I think those may be False Positives. You can run BlackLight from F-Secure to double-check.
     
