RickNCN
asked on
something hidden is spamming from our network. How to find it?
I know I have 2 PCs on the LAN that are infected with unknown viruses sending spam on port 25. PC1 is opening instances of iexplore.exe that is connecting to a russian server, probably getting data and then spamming. I haven't traced the exe that is spawining this but I think it can.
PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used rootkit revealer and McAfee's rootkit detective, spybot, adaware and hijackthis. I've looked for unusual services also and nothing has been found at all. I must have a hidden process or rootkit running.
How do I find the source? Any other tricks or tips?
PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used rootkit revealer and McAfee's rootkit detective, spybot, adaware and hijackthis. I've looked for unusual services also and nothing has been found at all. I must have a hidden process or rootkit running.
How do I find the source? Any other tricks or tips?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes, of course. Why do you ask?
Sorry... Check to see if the SMTP service has been installed. Let's just make sure it's not there in the first place.
ASKER
on the main pc in question it has already been disabled. This one is a WIn2k server. The other is XP pro sp2. No smtp enabled. Ok - so any suggestions on finding hidden processes / rootkits?
You mean similar to this site below?
ht*p.www.flb.ru & others, some variants of SDBot sending thousands of packets every minute to russian websites and injecting code into svchost.exe
Can we look at your hijackthis log please? just curious.
You could try these scanners to look for hidden nasties:
1. Download (Download the GUI) version of BlackLight, and save it to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
2. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
3. Download GMER from here:
http://www.gmer.net/gmer.zip
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.
Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
If you're having problems with running GMER.exe, try it in safe mode.
ht*p.www.flb.ru & others, some variants of SDBot sending thousands of packets every minute to russian websites and injecting code into svchost.exe
Can we look at your hijackthis log please? just curious.
You could try these scanners to look for hidden nasties:
1. Download (Download the GUI) version of BlackLight, and save it to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
2. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
3. Download GMER from here:
http://www.gmer.net/gmer.zip
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.
Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
If you're having problems with running GMER.exe, try it in safe mode.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I've been using the trial version of x-netstat which has been excellent. Is there anything else out there besides zonealarm? I find it a real b*tch to uninstall completely. I found the culprit on PC1. It was an infected winlogon.exe. I copied a good version from another XP pro pc and it was happy. I had to use ERD commander to do it of course because if you boot to safe mode or safe mode w/ command prompt, winlogon is in use. I suppose you could boot off the install CD and go toa recovery console but it takes forever. I fing ERD commander is quicker to boot.
PC 2 is still a mystery. I have tried blacklight and rootkit revealer with no result. I will try gmer now.
PC 2 is still a mystery. I have tried blacklight and rootkit revealer with no result. I will try gmer now.
usually a malware hook up with winlogon or replacing winlogon.exe will show up in the hijackthis log or in other diagnostic tools.
Can we look at a hijackthis log please?
More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.
Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
First, I would like to see what hijackthis shows up in the scan.
Can we look at a hijackthis log please?
More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.
Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
First, I would like to see what hijackthis shows up in the scan.
ASKER
Ok - well, actually I was talking about two separate PCs that were both spamming out. PC1 I've now solved, that was the winlogon.exe infection. PC2 is the one I can't figure out what's sending the mail. PC2 is the WIn2k server I think has a rootkit on it.
Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads, picture what look like legitimate windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.
I ran gmer on PC2 but it crashes the OS to a blue screen. yuck
maybe I'll try safe mode for that.
Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads, picture what look like legitimate windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.
I ran gmer on PC2 but it crashes the OS to a blue screen. yuck
maybe I'll try safe mode for that.
Word of advice -- Know when to give up and when you're hosed.
Try to save as much data as possible and rebuild BOTH PCs. You'll be happier in the end knowing it's completely clean.
Try to save as much data as possible and rebuild BOTH PCs. You'll be happier in the end knowing it's completely clean.
ASKER
I know that only too well. I am going to wipe this thing eventually I just can't until we get a new server in a couple months. I was hoping to clean it up until then. And - I wanted to learn from the situation instead of just wiping it. You're right though - gotta know when to throw in the towel.
I agree... Sometimes it's best to learn the hard way. Makes us all stronger in the end.
ASKER