something hidden is spamming from our network. How to find it?

Posted on 2007-04-01
Medium Priority
Last Modified: 2013-12-04
I know I have 2 PCs on the LAN that are infected with unknown viruses sending spam on port 25. PC1 is opening instances of iexplore.exe that is connecting to a russian server, probably getting data and then spamming. I haven't traced the exe that is spawining this but I think it can.

PC2 is a bigger problem. I see from my router's logs that it is spamming but using x-netstat I don't see a process running that's connecting on port 25. It must be hidden. I've used rootkit revealer and McAfee's rootkit detective, spybot, adaware and hijackthis. I've looked for unusual services also and nothing has been found at all.  I must have a hidden process or rootkit running.

How do I find the source? Any other tricks or tips?
Question by:RickNCN
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +2
LVL 27

Assisted Solution

Tolomir earned 400 total points
ID: 18833221
take a look at www.superantispyware.com

Detects and Removes Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits and many other types of threats.

Free and trial version available.


LVL 47

Accepted Solution

rpggamergirl earned 1000 total points
ID: 18833420
You could also check your trusted zone, many times nasties hide there.
You can manually delete entry there or just reset it back to MS default using the .inf below:

Download DelDomains.inf
rightclick on the file and select "Install".

You could also check your hosts file for added suspicious entries, or reset hosts to MS default using Hoster.
Download the Hoster,
This will restore your Hosts file.
Press "Restore Original Hosts" and press "OK"
LVL 11

Assisted Solution

AnthonyP9618 earned 300 total points
ID: 18833423
Are PC1 and PC2 running SMTP?  Do you even know?
Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!


Author Comment

ID: 18833481
Yes I even know. They ARE running SMTP. They must be because they are making smtp connections on port 25. If your question is "am I running a mail server on either PC", the answer is 'no'. Both computers are infected with something that has its own smtp engine. So - I'm looking for tools that help me find these hidden processes that are doing this. Do you have any suggestions?
LVL 11

Expert Comment

ID: 18833491
Do you know how to go trough Add/Remove Windows Components?


Author Comment

ID: 18833695
Yes, of course. Why do you ask?
LVL 11

Expert Comment

ID: 18833705
Sorry... Check to see if the SMTP service has been installed.  Let's just make sure it's not there in the first place.

Author Comment

ID: 18834220
on the main pc in question it has already been disabled. This one is a WIn2k server. The other is XP pro sp2. No smtp enabled. Ok - so any suggestions on finding hidden processes / rootkits?
LVL 47

Expert Comment

ID: 18834337
You mean similar to this site below?
ht*p.www.flb.ru & others, some variants of SDBot sending thousands of packets every minute to russian websites and injecting code into svchost.exe

Can we look at your hijackthis log please? just curious.

You could try these scanners to look for hidden nasties:
1.  Download (Download the GUI) version of BlackLight, and save it to your desktop.
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

2.  Rootkit Revealer:
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.

3.  Download GMER from here:

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
LVL 32

Assisted Solution

r-k earned 300 total points
ID: 18834416
Install the free version of ZoneAlarm on both machines, and set it to block all outgoing traffic. It will alert you if any program tries to connect to the outside world.

Another useful program to see what network ports are in use:


Author Comment

ID: 18848194
I've been using the trial version of x-netstat which has been excellent. Is there anything else out there besides zonealarm? I find it a real b*tch to uninstall completely. I found the culprit on PC1. It was an infected winlogon.exe. I copied a good version from another XP pro pc and it was happy. I had to use ERD commander to do it of course because if you boot to safe mode or safe mode w/ command prompt, winlogon is in use. I suppose you could boot off the install CD and go toa recovery console but it takes forever. I fing ERD commander is quicker to boot.

PC 2 is still a mystery. I have tried blacklight and rootkit revealer with no result. I will try gmer now.
LVL 47

Expert Comment

ID: 18848231
usually a malware hook up with winlogon or replacing winlogon.exe will show up in the hijackthis log or in other diagnostic tools.

Can we look at a hijackthis log please?

More likely that it is not a rootkit, so any rootkit scanners won't find it.
Rootkit scanners will only look for hidden files and if that particular nasty is not hidden then no rootkit scanners will find it.

Or if it is a rootkit, it might have been monitoring well known rootkit scanners, that's why it didn't show up.
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

First, I would like to see what hijackthis shows up in the scan.

Author Comment

ID: 18854494
Ok - well, actually I was talking about two separate PCs that were both spamming out. PC1 I've now solved, that was the winlogon.exe infection. PC2 is the one I can't figure out what's sending the mail. PC2 is the WIn2k server I think has a rootkit on it.

Another piece of related evidence *may* be that I keep getting unexplained security / credentials and certificate windows popping up. Don't picture typical spyware / malware popups with ads, picture what look like legitimate windows logon prompts and web credentials prompts. I took a screenshot of them. Is there some place I can post a picture so you can see I wonder? I keep closing and pressing 'cancel' but they keep coming back at seemingly random times.

I ran gmer on PC2 but it crashes the OS to a blue screen. yuck

maybe I'll try safe mode for that.
LVL 11

Expert Comment

ID: 18854765
Word of advice -- Know when to give up and when you're hosed.

Try to save as much data as possible and rebuild BOTH PCs.  You'll be happier in the end knowing it's completely clean.

Author Comment

ID: 18854802
I know that only too well. I am going to wipe this thing eventually I just can't until we get a new server in a couple months. I was hoping to clean it up until then. And - I wanted to learn from  the situation instead of just wiping it.  You're right though - gotta know when to throw in the towel.
LVL 11

Expert Comment

ID: 18854832
I agree... Sometimes it's best to learn the hard way.  Makes us all stronger in the end.

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month10 days, 7 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question