Greg Mason

asked on

MX Record Queries from my system

Gentlemen;

I have a system on my LAN that seems to be generating a ton of outbound traffic. I put a packet analyzer on the system and found it was generating a ton of outbound MX queries. I have used:
Free AVG,
NOD32,
Free AVG Anti-Spyware,
SpySweeper,
HijackThis,
Search and Destroy and even MS Defender.

None of these has found a thing. What is going on with this box?

Thanks in advance

jako

Reasoning points to a spam node, but honestly, based on this information I have no idea. What I would do, though, is block those queries and see what breaks.
Greg Mason (ASKER)
You're right, I didn't include:

Windows XP Professional, SP2 fully patched.

How do I block these queries?
PsiCop
A recent analysis of SpamBots showed that 45%+ were XP SP2. "Fully patched" doesn't mean much when you've got Windoze.

I agree with jakopriit, the activity sounds like the machine has been 'botted. The best place to block the traffic is at the router, assuming it's going off the local segment for the resolution.
It's going off a 2K3 Small Business Server, so I can't block at the router. If the system's been 'botted, what do I look for application-wise? Surely there must be something on the market for this stuff.
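Since the infected host resolves through the SBS box, the DNS server's own debug log is a second place (besides the packet analyzer mentioned in the question) to confirm the pattern and to see whether any other LAN host shows it. The script below is an added example, not code from this thread or from any of the posters: it parses lines in the general shape of a Windows Server 2003 DNS debug log (the sample lines and IP addresses are constructed for the example, and the layout is approximated from memory rather than taken from the page), counts queries per client, and flags clients whose traffic is dominated by MX lookups against many distinct domains, which is the signature jako's "spam node" reading predicts.

```python
"""Flag LAN clients that hammer the local DNS server with MX lookups.

Parses Windows Server 2003 style DNS debug-log lines, counts received
queries per client, and reports clients whose MX lookups dominate their
traffic (a spam engine resolving delivery targets does exactly that).
"""
import re
from collections import defaultdict

# Constructed sample lines approximating the DNS debug-log layout; they are
# made up for this example, not real log data. The last two lines are a
# response sent back to a client and a response received from a forwarder,
# both of which must be ignored when counting client queries.
SAMPLE_LOG = """\
1/5/2007 10:15:02 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0002   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
1/5/2007 10:15:02 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0003   Q [0001   D   NOERROR] MX     (8)mailhost(3)net(0)
1/5/2007 10:15:02 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0004   Q [0001   D   NOERROR] MX     (6)bigisp(3)org(0)
1/5/2007 10:15:02 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0005   Q [0001   D   NOERROR] MX     (8)freemail(3)biz(0)
1/5/2007 10:15:03 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0006   Q [0001   D   NOERROR] MX     (8)corpmail(2)co(2)uk(0)
1/5/2007 10:15:03 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0007   Q [0001   D   NOERROR] MX     (6)school(3)edu(0)
1/5/2007 10:15:03 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.50   0008   Q [0001   D   NOERROR] A      (6)update(7)example(3)com(0)
1/5/2007 10:15:03 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.20   0009   Q [0001   D   NOERROR] A      (3)www(7)example(3)net(0)
1/5/2007 10:15:04 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.20   000A   Q [0001   D   NOERROR] A      (3)www(7)example(3)org(0)
1/5/2007 10:15:04 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 192.168.1.20   000B   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
1/5/2007 10:15:04 AM 0BF4 PACKET  00000000015B2E30 UDP Snd 192.168.1.50   0002 R Q [8081   DR  NOERROR] MX     (7)example(3)com(0)
1/5/2007 10:15:04 AM 0BF4 PACKET  00000000015B2E30 UDP Rcv 10.0.0.1       000C R Q [8081   DR  NOERROR] MX     (8)mailhost(3)net(0)
"""

# Direction, peer address, transaction id, Q / R / "R Q", the flag block in
# brackets, the query type, and the name in the log's (len)label form.
LINE_RE = re.compile(
    r"\b(?P<dir>Rcv|Snd)\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<kind>R\s+Q|R|Q)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)"
)


def decode_labels(wire_name):
    """Turn the log's '(7)example(3)com(0)' label form into 'example.com'."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", wire_name) if label]
    return ".".join(labels)


def summarize_queries(log_text):
    """Per-client totals: queries received, MX queries, distinct MX domains.

    Only lines that are queries *received* from a client count; responses
    sent to clients and responses received from forwarders are skipped.
    """
    stats = defaultdict(lambda: {"total": 0, "mx": 0, "mx_domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dir") != "Rcv" or m.group("kind") != "Q":
            continue
        entry = stats[m.group("peer")]
        entry["total"] += 1
        if m.group("qtype") == "MX":
            entry["mx"] += 1
            entry["mx_domains"].add(decode_labels(m.group("qname")))
    return dict(stats)


def flag_mx_hogs(stats, min_mx=5, min_ratio=0.5):
    """Clients with at least min_mx MX queries making up min_ratio of their queries.

    A mail server legitimately looks up MX records, but it also does plenty of
    other resolution; a workstation doing almost nothing but MX lookups for
    dozens of unrelated domains is the spam-engine pattern.
    """
    return sorted(
        client for client, s in stats.items()
        if s["mx"] >= min_mx and s["mx"] / s["total"] >= min_ratio
    )


if __name__ == "__main__":
    stats = summarize_queries(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(f"{client:15} queries={s['total']:3} mx={s['mx']:3} "
              f"distinct_mx_domains={len(s['mx_domains'])}")
    print("MX-heavy clients:", flag_mx_hogs(stats))
```

Run it against the real debug log instead of `SAMPLE_LOG` (read the file and pass its contents to `summarize_queries`) and the flagged address is the one to isolate; the thresholds are assumptions, so tune `min_mx` to the log window you are looking at, and keep the organisation's actual mail server out of the list by checking the ratio rather than the raw count.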

If the system's been 'botted, your best bet is to wipe it out and reload from scratch.

There was an interesting article on Slashdot a few months ago. Seems a personal friend of Steve Ballmer went to Steve - the friend's personal Windoze PC was infested with malware, had constant pop-ups, etc. etc. The friend asked Steve for help.

Steve turned the PC over to a *team* of M$ engineers. They tried for a *week* to disinfect the PC and remove all the malware.

They were unable to do so.

If you think you're going to run out and grab a little $19.95 utility that'll clean up everything and give you a system that you can be even mildly sure is no longer compromised...well, I have this bridge in Brooklyn I'd like to sell you.

Wiping and reloading makes sure that whatever it was is gone. It also gives you the chance to install a better OS, one that doesn't let any pimple-faced 14-year-old on the 'Net exercise more control over your PC than you do.
Before you go through the process of reinstalling everything (and this may ultimately be your only option) you should try the following:

Go to the avast! web site and request the avast! BART CD evaluation. They will send you a license file and a location to download the application. Install the application on a clean PC, do the updates, then generate the ISO file. Use that ISO file to make a bootable CD that you will boot the infected computer from, do the scan and see if you can't resolve the problem. You can find the page at:

http://www.avast.com/eng/avast_bart_cd.html

I am very interested to see how well this works. I started my evaluation a few days ago and have discovered this to be a highly effective way of dealing with really nasty infections. Overall I am not a fan of the avast! antivirus but the BART CD seems to be a great tool.

Let me know how this works because I am contemplating the purchase of a full license (it is very expensive).

If you get the system clean (no matter how you do it), I recommend a very good antivirus to help prevent this from happening again. So far, in my many years of experience, the most reliable has become Trend; you can get this product by following the link below:

http://www.trendmicro.com/en/home/us/home.htm

You should know that removing an infection is much harder than preventing it. So installing any tool after the infection happens is much less likely to resolve the problem (no matter how good the antivirus is).

It is also critical to make sure you keep the system fully patched and shut down any service that is not actually in use (for example, do not run a web server if you are not using it).

I hope this helps.

Jon
Jon: I'll give this a shot and let you know.

PSICop: Don't believe everything you read on Slashdot.

1) Try using a restore point from before this started happening.

2) See https://www.experts-exchange.com/questions/22139247/Computer-with-spyware-issues-needs-help.html for more options.

3) Wipe and reinstall if nothing else works.

I hope this helps!

gem555: Actually, Slashdot referenced an interview with Jim Allchin in an Aussie IT magazine early last year.
Hmmmm.
I can't find it. Send me the link?
The link is here, but with a twist (give a fish to a hungry man and you feed him for a day...): http://www.google.com/search?q=Jim+Allchin+Steve+Ballmer+malware+site%3Aslashdot.org
Gentlemen:

I found it, I fixed it.

Backdoor.Rustock.B.

It's a clever little bugger that buries itself in an alternate data stream (ADS) and then launches a hidden service called pe386. Does other things too, none of them helpful.

Check Symantec for more info...

Boot the box into the Recovery Console and type "DISABLE pe386", then reboot the system. Once up, go to HKLM\SYSTEM\CurrentControlSet\Services\pe386 and delete the key.

Use an app that will scan alternate data streams to find and kill the LZX32.sys file.
ASKER CERTIFIED SOLUTION
Computer101