Solved

Something hidden is spamming from our network. How to find it?

Posted on 2007-04-01
Last Modified: 2013-12-04
I know I have 2 PCs on the LAN that are infected with unknown viruses sending spam on port 25. PC1 is opening instances of iexplore.exe that is connecting to a Russian server, probably getting data and then spamming. I haven't traced the exe that is spawning this but I think it can.

PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used Rootkit Revealer and McAfee's Rootkit Detective, Spybot, Ad-Aware and HijackThis. I've looked for unusual services also and nothing has been found at all. I must have a hidden process or rootkit running.

How do I find the source? Any other tricks or tips?
Question by:RickNCN
17 Comments
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 400 total points
ID: 18833221
Take a look at www.superantispyware.com

Detects and Removes Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.

Free and trial version available.

Tolomir


 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 18833420
You could also check your Trusted Zone; many times nasties hide there.
You can manually delete the entry there or just reset it back to MS default using the .inf below:

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the file and select "Install".


You could also check your hosts file for added suspicious entries, or reset hosts to MS default using Hoster.
Download the Hoster,
www.funkytoad.com/download/hoster.zip
This will restore your Hosts file.
Press "Restore Original Hosts" and press "OK"
Reboot.
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 300 total points
ID: 18833423
Are PC1 and PC2 running SMTP? Do you even know?
Author Comment

by:RickNCN
ID: 18833481
Yes, I even know. They ARE running SMTP. They must be, because they are making SMTP connections on port 25. If your question is "am I running a mail server on either PC", the answer is 'no'. Both computers are infected with something that has its own SMTP engine. So - I'm looking for tools that help me find these hidden processes that are doing this. Do you have any suggestions?
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18833491
Do you know how to go through Add/Remove Windows Components?

http://support.microsoft.com/kb/307894
 

Author Comment

by:RickNCN
ID: 18833695
Yes, of course. Why do you ask?
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18833705
Sorry... Check to see if the SMTP service has been installed. Let's just make sure it's not there in the first place.
 

Author Comment

by:RickNCN
ID: 18834220
On the main PC in question it has already been disabled. This one is a Win2k server. The other is XP Pro SP2. No SMTP enabled. Ok - so any suggestions on finding hidden processes / rootkits?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18834337
You mean similar to this site below?
ht*p.www.flb.ru & others, some variants of SDBot sending thousands of packets every minute to Russian websites and injecting code into svchost.exe


Can we look at your HijackThis log please? Just curious.

You could try these scanners to look for hidden nasties:
1.  Download (Download the GUI) version of BlackLight, and save it to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


2.  Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
To minimize the RKR log being polluted with legitimate data, run RootkitRevealer on an idle system.


3.  Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
 
LVL 32

Assisted Solution

by:r-k
r-k earned 300 total points
ID: 18834416
Install the free version of ZoneAlarm on both machines, and set it to block all outgoing traffic. It will alert you if any program tries to connect to the outside world.

Another useful program to see what network ports are in use:

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
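An added example, not from the thread or any of the tools named in it: a Python script that does with router logs what RickNCN did by eye, parsing constructed iptables-style log lines (the format is an assumption) and flagging LAN hosts that open outbound TCP/25 connections to several distinct external servers while not being known mail senders.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread). The iptables-style
# syslog format is an assumption; adapt LINE_RE to your router's output.
SAMPLE_LOG = """\
Apr  1 10:01:02 gw kernel: OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=25
Apr  1 10:01:03 gw kernel: OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.6 PROTO=TCP SPT=1035 DPT=25
Apr  1 10:01:04 gw kernel: OUT=ppp0 SRC=192.168.1.22 DST=198.51.100.7 PROTO=TCP SPT=3100 DPT=80
Apr  1 10:01:05 gw kernel: OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=1036 DPT=25
Apr  1 10:01:06 gw kernel: OUT=ppp0 SRC=192.168.1.5 DST=203.0.113.50 PROTO=TCP SPT=4000 DPT=25
Apr  1 10:01:07 gw kernel: OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.9 PROTO=TCP SPT=2001 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def smtp_egress_by_host(log_text):
    """Map each internal source IP to the set of distinct hosts it reached on TCP/25."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "25":
            hits[m.group("src")].add(m.group("dst"))
    return dict(hits)


def suspect_hosts(log_text, allowed_senders, min_destinations=2):
    """Hosts not on the mail-server allow list that talk SMTP to many distinct servers.

    A legitimate client normally hands mail to one relay; a spam engine fans out
    to many MX hosts, so distinct-destination count separates the two.
    """
    hits = smtp_egress_by_host(log_text)
    return sorted(
        src for src, dsts in hits.items()
        if src not in allowed_senders and len(dsts) >= min_destinations
    )


if __name__ == "__main__":
    # 192.168.1.5 stands in for the site's real mail server (constructed).
    for host in suspect_hosts(SAMPLE_LOG, allowed_senders={"192.168.1.5"}):
        print(f"{host}: {len(smtp_egress_by_host(SAMPLE_LOG)[host])} distinct SMTP destinations")
```

Once the router log names a host, TcpView or netstat on that host narrows it to a PID; when the connection is visible at the router but not on the host, that gap itself is the evidence of hiding.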
 

Author Comment

by:RickNCN
ID: 18848194
I've been using the trial version of x-netstat which has been excellent. Is there anything else out there besides ZoneAlarm? I find it a real b*tch to uninstall completely. I found the culprit on PC1. It was an infected winlogon.exe. I copied a good version from another XP Pro PC and it was happy. I had to use ERD Commander to do it of course because if you boot to safe mode or safe mode w/ command prompt, winlogon is in use. I suppose you could boot off the install CD and go to a recovery console but it takes forever. I find ERD Commander is quicker to boot.

PC2 is still a mystery. I have tried BlackLight and Rootkit Revealer with no result. I will try GMER now.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18848231
Usually a malware hooking into winlogon or replacing winlogon.exe will show up in the HijackThis log or in other diagnostic tools.

Can we look at a HijackThis log please?

More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.

Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.


First, I would like to see what HijackThis shows up in the scan.
 

Author Comment

by:RickNCN
ID: 18854494
Ok - well, actually I was talking about two separate PCs that were both spamming out. PC1 I've now solved; that was the winlogon.exe infection. PC2 is the one I can't figure out what's sending the mail. PC2 is the Win2k server I think has a rootkit on it.

Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads; picture what look like legitimate Windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see it, I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.

I ran GMER on PC2 but it crashes the OS to a blue screen. Yuck.

Maybe I'll try safe mode for that.
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18854765
Word of advice -- Know when to give up and when you're hosed.

Try to save as much data as possible and rebuild BOTH PCs. You'll be happier in the end knowing it's completely clean.
 

Author Comment

by:RickNCN
ID: 18854802
I know that only too well. I am going to wipe this thing eventually; I just can't until we get a new server in a couple months. I was hoping to clean it up until then. And - I wanted to learn from the situation instead of just wiping it. You're right though - gotta know when to throw in the towel.
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18854832
I agree... Sometimes it's best to learn the hard way. Makes us all stronger in the end.
