Solved

something hidden is spamming from our network. How to find it?

Posted on 2007-04-01
17
186 Views
Last Modified: 2013-12-04
I know I have 2 PCs on the LAN that are infected with unknown viruses sending spam on port 25. PC1 is opening instances of iexplore.exe that is connecting to a russian server, probably getting data and then spamming. I haven't traced the exe that is spawining this but I think it can.

PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used rootkit revealer and McAfee's rootkit detective, spybot, adaware and hijackthis. I've looked for unusual services also and nothing has been found at all.  I must have a hidden process or rootkit running.

How do I find the source? Any other tricks or tips?
0
Comment
Question by:RickNCN
  • 6
  • 5
  • 3
  • +2
17 Comments
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 100 total points
ID: 18833221
take a look at www.superantispyware.com

Detects and Removes Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.

Free and trial version available.

Tolomir


0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 18833420
You could also check your trusted zone, many times nasties hide there.
You can manually delete entry there or just reset it back to MS default using the .inf below:

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
rightclick on the file and select "Install".


You could also check your hosts file for added suspicious entries, or reset hosts to MS default using Hoster.
Download the Hoster,
www.funkytoad.com/download/hoster.zip
This will restore your Hosts file.
Press "Restore Original Hosts" and press "OK"
Reboot.
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 75 total points
ID: 18833423
Are PC1 and PC2 running SMTP?  Do you even know?
0
 

Author Comment

by:RickNCN
ID: 18833481
Yes I even know. They ARE running SMTP. They must be because they are making smtp connections on port 25. If your question is "am I running a mail server on either PC", the answer is 'no'. Both computers are infected with something that has its own smtp engine. So - I'm looking for tools that help me find these hidden processes that are doing this. Do you have any suggestions?
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18833491
Do you know how to go trough Add/Remove Windows Components?

http://support.microsoft.com/kb/307894
0
 

Author Comment

by:RickNCN
ID: 18833695
Yes, of course. Why do you ask?
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18833705
Sorry... Check to see if the SMTP service has been installed.  Let's just make sure it's not there in the first place.
0
 

Author Comment

by:RickNCN
ID: 18834220
on the main pc in question it has already been disabled. This one is a WIn2k server. The other is XP pro sp2. No smtp enabled. Ok - so any suggestions on finding hidden processes / rootkits?
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18834337
You mean similar to this site below?
ht*p.www.flb.ru & others, some variants of SDBot sending thousands of packets every minute to russian websites and injecting code into svchost.exe


Can we look at your hijackthis log please? just curious.

You could try these scanners to look for hidden nasties:
1.  Download (Download the GUI) version of BlackLight, and save it to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


2.  Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.


3.  Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 75 total points
ID: 18834416
Install the free version of ZoneAlarm on both machines, and set it to block all outgoing traffic. It will alert you if any program tries to connect to the outside world.

Another useful program to see what network ports are in use:

 http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
0
 

Author Comment

by:RickNCN
ID: 18848194
I've been using the trial version of x-netstat which has been excellent. Is there anything else out there besides zonealarm? I find it a real b*tch to uninstall completely. I found the culprit on PC1. It was an infected winlogon.exe. I copied a good version from another XP pro pc and it was happy. I had to use ERD commander to do it of course because if you boot to safe mode or safe mode w/ command prompt, winlogon is in use. I suppose you could boot off the install CD and go toa recovery console but it takes forever. I fing ERD commander is quicker to boot.

PC 2 is still a mystery. I have tried blacklight and rootkit revealer with no result. I will try gmer now.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18848231
usually a malware hook up with winlogon or replacing winlogon.exe will show up in the hijackthis log or in other diagnostic tools.

Can we look at a hijackthis log please?

More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.

Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.


First, I would like to see what hijackthis shows up in the scan.
0
 

Author Comment

by:RickNCN
ID: 18854494
Ok - well, actually I was talking about two separate PCs that were both spamming out. PC1 I've now solved, that was the winlogon.exe infection. PC2 is the one I can't figure out what's sending the mail. PC2 is the WIn2k server I think has a rootkit on it.

Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads, picture what look like legitimate windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.

I ran gmer on PC2 but it crashes the OS to a blue screen. yuck

maybe I'll try safe mode for that.
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18854765
Word of advice -- Know when to give up and when you're hosed.

Try to save as much data as possible and rebuild BOTH PCs.  You'll be happier in the end knowing it's completely clean.
0
 

Author Comment

by:RickNCN
ID: 18854802
I know that only too well. I am going to wipe this thing eventually I just can't until we get a new server in a couple months. I was hoping to clean it up until then. And - I wanted to learn from  the situation instead of just wiping it.  You're right though - gotta know when to throw in the towel.
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18854832
I agree... Sometimes it's best to learn the hard way.  Makes us all stronger in the end.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now