Blocked spammer but cannot remove virus

[dundee]

Hi,

2 days ago I got my IP blocked by a web site because I was identified as a spammer. This was obviously due to a non-detected virus on my PC (I was using AVG). I downloaded Avast. It detected one or two Trojan and remove them.

I felt safe after the removal and requested my IP to be delisted from the anti-spam web site. But 6 hours later my IP got listed again !...

So I installed ZoneAlarm to control the outgoing traffic and I finally got a process that tried to access the internet. The program was something like 65xcsshd65.sm.exe and was located under C:\Documents and Settings\francis\Local Settings\Temp. In that folder I found around 40 .EXE of the same kind (name always starting with 2 digits, then a string of 5-6 characters and again two digits). I deleted them all but as expected the process was still running somewhere. This morning I saw 10 of these processed requesting the access to the Internet.

As Avast does not detect this virus, what should I do ?

I tried also stinger with not much success ...

Is that a brand new one ?

Thanks for your help.

[FreewheelinFrank]

Hi dundee,

There are a couple of stand alone scanners you could try besides Stinger.

I recommend you try DrWeb CureIT! first, and then Trend Micro Sysclean: go for the Controlled Pattern Release definitions as these contain the most recent malware. You will need to temporarily disable avast! while scanning.

You can find links to both programs here:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

You could also try Ewido:

http://www.ewido.net/en/download/

As your IP is blocked I guess you'll be downloading from another computer, so don't forget to download the signature database so you can update the program when you install it.

If you do have Internet access, you could try some online scanners listed on the page above: I'd recommend Panda and Trend (if you don't use Sysclean) and also F-Secure, but you will need to disable avast! during a Panda scan.

Good luck!

[dundee]

I'll try all that tonight (I'm at work at present).
My IP was blocked for emails only and since I blocked the spammer with ZoneAlarm my IP remains unlisted.

I'll let you know how it went.

Thanks for the quick reply.

[mauserme]

Hi dundee,

You should turn off system restore, clear your temporary files, and reboot.  Then run the scans Frank suggests.

[dundee]

So it worked pretty well. I was infected by Spambot and MedBot.

However, hopefully Avast was installed on my Media Center. I ran DrWeb CureIt on the MCE PC and it did not find anything so I re-opened the internet access for Media Center and continued to watch my movie ... when I heard in the movie "Alert ! Alert ! too many emails sent in a short while". I quickly switched back to Windows and saw Avast blocked emails going out from my PC. In fact for some reason the scan by CureIt did not find the SpamBot virus. I did the meticulous clenaning again and now it seems to run fine.

I really like Avast and I found it much more powerfull than AVG.

I also found this detailed procedure (in French !...) I have applied and I found a couple of others worms hidden!
http://pcparadise.fr/Forum-informatique/ftopic449-0-0-asc-.php

Thanks for your help.