something hidden is spamming from our network. How to find it?

I know I have 2 PCs on the LAN that are infected with unknown viruses sending spam on port 25. PC1 is opening instances of iexplore.exe that is connecting to a russian server, probably getting data and then spamming. I haven't traced the exe that is spawining this but I think it can.

PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used rootkit revealer and McAfee's rootkit detective, spybot, adaware and hijackthis. I've looked for unusual services also and nothing has been found at all.  I must have a hidden process or rootkit running.

How do I find the source? Any other tricks or tips?
Who is Participating?
You could also check your trusted zone, many times nasties hide there.
You can manually delete entry there or just reset it back to MS default using the .inf below:

Download DelDomains.inf
rightclick on the file and select "Install".

You could also check your hosts file for added suspicious entries, or reset hosts to MS default using Hoster.
Download the Hoster, 
This will restore your Hosts file.
Press "Restore Original Hosts" and press "OK"
take a look at

Detects and Removes Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.

Free and trial version available.


Are PC1 and PC2 running SMTP?  Do you even know?
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

RickNCNAuthor Commented:
Yes I even know. They ARE running SMTP. They must be because they are making smtp connections on port 25. If your question is "am I running a mail server on either PC", the answer is 'no'. Both computers are infected with something that has its own smtp engine. So - I'm looking for tools that help me find these hidden processes that are doing this. Do you have any suggestions?
Do you know how to go trough Add/Remove Windows Components?
RickNCNAuthor Commented:
Yes, of course. Why do you ask?
Sorry... Check to see if the SMTP service has been installed.  Let's just make sure it's not there in the first place.
RickNCNAuthor Commented:
on the main pc in question it has already been disabled. This one is a WIn2k server. The other is XP pro sp2. No smtp enabled. Ok - so any suggestions on finding hidden processes / rootkits?
You mean similar to this site below?
ht* & others, some variants of SDBot sending thousands of packets every minute to russian websites and injecting code into svchost.exe

Can we look at your hijackthis log please? just curious.

You could try these scanners to look for hidden nasties:
1.  Download (Download the GUI) version of BlackLight, and save it to your desktop.
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

2.  Rootkit Revealer:
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.

3.  Download GMER from here:

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
Install the free version of ZoneAlarm on both machines, and set it to block all outgoing traffic. It will alert you if any program tries to connect to the outside world.

Another useful program to see what network ports are in use:
RickNCNAuthor Commented:
I've been using the trial version of x-netstat which has been excellent. Is there anything else out there besides zonealarm? I find it a real b*tch to uninstall completely. I found the culprit on PC1. It was an infected winlogon.exe. I copied a good version from another XP pro pc and it was happy. I had to use ERD commander to do it of course because if you boot to safe mode or safe mode w/ command prompt, winlogon is in use. I suppose you could boot off the install CD and go toa recovery console but it takes forever. I fing ERD commander is quicker to boot.

PC 2 is still a mystery. I have tried blacklight and rootkit revealer with no result. I will try gmer now.
usually a malware hook up with winlogon or replacing winlogon.exe will show up in the hijackthis log or in other diagnostic tools.

Can we look at a hijackthis log please?

More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.

Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

First, I would like to see what hijackthis shows up in the scan.
RickNCNAuthor Commented:
Ok - well, actually I was talking about two separate PCs that were both spamming out. PC1 I've now solved, that was the winlogon.exe infection. PC2 is the one I can't figure out what's sending the mail. PC2 is the WIn2k server I think has a rootkit on it.

Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads, picture what look like legitimate windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.

I ran gmer on PC2 but it crashes the OS to a blue screen. yuck

maybe I'll try safe mode for that.
Word of advice -- Know when to give up and when you're hosed.

Try to save as much data as possible and rebuild BOTH PCs.  You'll be happier in the end knowing it's completely clean.
RickNCNAuthor Commented:
I know that only too well. I am going to wipe this thing eventually I just can't until we get a new server in a couple months. I was hoping to clean it up until then. And - I wanted to learn from  the situation instead of just wiping it.  You're right though - gotta know when to throw in the towel.
I agree... Sometimes it's best to learn the hard way.  Makes us all stronger in the end.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.