Active Spamhaus.org blocked my email account 1000s emails a day?

Discussion in 'Malware and Virus Removal Archive' started by Alicia J, 2009/04/19.

  1. 2009/04/19
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,132
    Likes Received:
    1
    I don't know if I'm infected, but I don't know what else would cause this problem. My Outlook Express sent emails are being bounced back:
    'has been rejected due to poor reputation' is what the recipient is getting.

    I have run NOD32AV, Ad-aware, Spybot, CWshredder, Superantispyware, Malwarebytes, Panda Anti-rootkit tool and all came up clean.

    I have a Sygate firewall and honestly don't know how to make heads or tails of its logs.

    My ISP has told me that my cable modem is showing a problem, losing connection sporadically for the last month. I don't have a router and I am not using a wireless connection. On their end it looks like I'm sending 1000s of emails a day!!

    I am up to date in all patches of windows and applications.

    I will be happy to provide any logs etc requested, as long as my internet connection is working.

    I have my specs info filled out, but I don't see it showing here????

    XP Home edition SP3 I.E.7
     

    Last edited: 2009/04/19
  2. 2009/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Alicia,

    To display your system specs, go into your User CP>Edit Options
    Scroll down to the Thread Display Options section then set System Specifications to yes.
    Save and exit.

    I'd like to get a rootkit scan first. Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

    Note - Please close all other programs, and all open browser windows prior to starting the scan.
     

  4. 2009/04/20
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    I followed your instructions. I made sure Sections and IAT/EAT and Show all were all unchecked. The only Drive showing was C so I left it checked. I hit scan and the scan started. I walked away when it was scanning program files folder and when I came back the computer had rebooted itself and was waiting for my sign on password. I tried again, and got called away, and again came back to my computer that had rebooted and was waiting for my sign on password. The third time I stayed glued to the screen. It hesitated after recycler so I clicked save just in case. The attached file is from this save. Then it carried on scanning thru windows folder. In the middle of scanning windows folder, the screen went black and rebooted itself, and again ended up at the point of loading windows and waiting for my password to log on. Logged on with no issues. Call me paranoid but it's almost like something does not want me to scan the windows files!
     

    Attached Files:

    • ark.txt
      File size:
      4.9 KB
      Views:
      3
  5. 2009/04/20
    noahdfear

    noahdfear Inactive

    Please download gmer again from this link. It will arrive as a random named file. Please do not change the name. Try running this new copy as described above. If it fails again, please boot to safe mode and run the scan, then post the log when back in normal mode.
     
  6. 2009/04/20
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    I tried to run it in normal mode and it stopped about the same place, the screen went black and the computer rebooted itself.

    I tried in safe mode, it won't even run. In safe mode Acronis try and decide is listed. Should I try disabling it?
     
  7. 2009/04/20
    noahdfear

    noahdfear Inactive

    Yes, try disabling Acronis. If it still crashes, run the initial scan again but uncheck the Files option as well. If that fails, try unchecking another section. Once you've positively identified which section is causing the crash, run with all but that section checked (except those sections my initial post said to uncheck) and save then post the log.
     
  8. 2009/04/20
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    Disabling Acronis didn't work. Unchecking files worked.
     

    Attached Files:

    • ark.txt
      File size:
      4.4 KB
      Views:
      2
  9. 2009/04/20
    noahdfear

    noahdfear Inactive

    Nothing out of the ordinary there. Let's see what kind of traffic is moving through your system. Download TCPView from Microsoft Sysinternals.
    Run the program, wait for it to populate then click File>Save As
    Save the file as TCPView.txt on your desktop and post its contents here for review.
     
  10. 2009/04/21
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    Here it is. I ran the tcpview.exe
     

  11. 2009/04/21
    noahdfear

    noahdfear Inactive

    Oddly, that TCPView log doesn't show any connections. Please leave the program open and watch it for a while. You need to look for connections that are reported as Established. Connections to the 127.0.0.1:* address (where * = a port number) are normal. We're interested in connections to outside IP addresses, and particularly connections by any process which might be suspicious. When/if you observe a number of such Established connections, save another log and attach it here.

    I would also like for you to send me the sygate log(s) in and around the time your ISP reported the unusually high traffic.
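
The triage described in the post above (ignore loopback, look at Established connections to outside addresses, and see which process owns them) can be scripted. This is an added example, not part of the original thread: the tab-separated column layout, the sample rows and the process names are constructed assumptions, and a real TCPView export may order its columns differently.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Assumed layout, one connection per line, tab-separated:
# process, PID, protocol, local endpoint, remote endpoint, state (IPv4, unresolved).
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("ekrn.exe", "1480", "TCP", "127.0.0.1:30606", "127.0.0.1:1047", "ESTABLISHED"),
    ("ekrn.exe", "1480", "TCP", "192.168.0.10:1052", "203.0.113.20:80", "ESTABLISHED"),
    ("msimn.exe", "2212", "TCP", "192.168.0.10:1060", "198.51.100.5:25", "ESTABLISHED"),
    ("svch0st.exe", "3344", "TCP", "192.168.0.10:1101", "203.0.113.77:25", "ESTABLISHED"),
    ("svch0st.exe", "3344", "TCP", "192.168.0.10:1102", "198.51.100.40:25", "ESTABLISHED"),
    ("svch0st.exe", "3344", "TCP", "192.168.0.10:1103", "192.0.2.9:25", "ESTABLISHED"),
    ("System", "4", "TCP", "0.0.0.0:445", "0.0.0.0:0", "LISTENING"),
])

# Loopback, unspecified and RFC 1918 ranges are treated as "not outside".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    """Return (process, pid, protocol, remote_ip, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue                      # header, blank or malformed line
        proc, pid, proto, _local, remote, state = parts
        host, _, port = remote.rpartition(":")
        try:
            rows.append((proc, int(pid), proto, ipaddress.ip_address(host), int(port), state))
        except ValueError:
            continue                      # resolved host name or wildcard port
    return rows

def outside_established(rows):
    """Established TCP connections whose remote end is outside the local ranges."""
    return [r for r in rows if r[2] == "TCP" and r[5] == "ESTABLISHED"
            and not any(r[3] in net for net in LOCAL_NETS)]

def smtp_fanout(rows, threshold=3):
    """Processes talking to `threshold` or more distinct hosts on port 25."""
    hosts = defaultdict(set)
    for proc, _pid, _proto, ip, port, _state in outside_established(rows):
        if port == 25:
            hosts[proc].add(str(ip))
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= threshold}

if __name__ == "__main__":
    print(smtp_fanout(parse_log(SAMPLE_LOG)))
```

A mail client holding one port-25 session to its provider's relay is expected; a process with simultaneous port-25 sessions to several unrelated hosts is the pattern that matches a machine reported for bulk mail.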
     
  12. 2009/04/21
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    I sent you the logs. Thanks. Nothing too exciting in TCPview yet.
    ekern.exe established which is my NOD32AV. I'll keep it running for a while.
     
  13. 2009/04/21
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    I called my ISP back. The tech guy said that from his end everything looks normal today. The issue we had with Outlook Express sending out thousands of emails is no longer a problem. Apparently the other tech gal at Shaw cable that I talked to the other day 'did not get the memo'. Apparently the problem was with my ISP and generated some false positives for spam-like behaviour. A few customers reported issues. I told him that I didn't get the memo either! Grrr.

    Thanks so much for all your help! Shall we send a bill to my ISP?
     
  14. 2009/04/21
    noahdfear

    noahdfear Inactive

    Your firewall logs looked quite normal too. Good to hear it was ISP related, and not your machine. I'll mark this topic resolved.

    Cheers! :)

    PS. - send a bill if you like, but I won't be holding my breath. :p
     
  15. 2009/04/22
    Alicia J Lifetime Subscription

    Alicia J Geek Member Thread Starter

    Thanks again for all your help. :)
     
